Posts posted by Staff


  1. It's finally working again, for the first time since yesterday. Thanks! What did you do to fix the problem?

    Hello!

    The backend server was replying to VPN servers but incorrectly and it also had a low load. So the VPN servers assumed that the 1st backend server they queried was ok and would not try a connection to the subsequent backend server. On the contrary the primary frontend (website etc.) correctly connected to a different backend server (the backend servers have a clustered database so they are constantly "aligned").

    The result was a refusal of any new connection from the VPN servers, while the website was still up. Another detrimental consequence was that the monitoring system did not detect any problem, so it did not send any urgent warning message to the techies.

    Some changes have been applied on the backend server which had this problem. Since it has happened for the first time after we implemented, some months ago, a clustered database, we're still investigating to gain a deeper understanding of the issue.

    Kind regards
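
The failure mode described in the reply above (a backend that answers, but incorrectly, so failover never triggers and monitoring sees nothing), as an added Python example that is not AirVPN's code. The JSON reply schema, the backend functions and all names are assumptions made for illustration.

```python
import json

REQUIRED_FIELDS = {"user", "authorized"}  # assumed reply schema, not from the page


class BackendError(Exception):
    """The backend answered, but the answer cannot be trusted."""


def validate_reply(raw):
    """Parse a backend reply; raise BackendError unless it is well-formed."""
    try:
        reply = json.loads(raw)
    except (TypeError, ValueError) as exc:
        raise BackendError("reply is not valid JSON") from exc
    if not isinstance(reply, dict) or not REQUIRED_FIELDS.issubset(reply):
        raise BackendError("reply lacks required fields")
    if not isinstance(reply["authorized"], bool):
        raise BackendError("'authorized' is not a boolean")
    return reply


def query_naive(backends, user):
    """Fail over only when a backend is unreachable.

    A backend that answers with garbage is still treated as authoritative,
    so the login is refused and the next backend is never asked.
    """
    for name, backend in backends:
        try:
            raw = backend(user)
        except ConnectionError:
            continue
        try:
            return name, validate_reply(raw)["authorized"]
        except BackendError:
            return name, False
    return None, False


def query_validating(backends, user, faults):
    """Fail over on unreachable *and* on malformed replies.

    Every skipped backend is appended to `faults`, which is what a monitoring
    probe should alert on even while logins keep succeeding.
    """
    for name, backend in backends:
        try:
            reply = validate_reply(backend(user))
        except (ConnectionError, BackendError) as exc:
            faults.append((name, str(exc)))
            continue
        return name, reply["authorized"]
    raise BackendError("no backend returned a valid reply")


# Constructed stand-ins for three backend states.
def backend_down(user):
    raise ConnectionError("unreachable")


def backend_garbled(user):
    return "<html>internal error</html>"  # reachable, low load, wrong answer


def backend_healthy(user):
    return json.dumps({"user": user, "authorized": True})


if __name__ == "__main__":
    cluster = [("backend-1", backend_garbled), ("backend-2", backend_healthy)]
    print(query_naive(cluster, "alice"))        # refused by backend-1
    faults = []
    print(query_validating(cluster, "alice", faults), faults)
```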


  2. Hello!

    They are not visible on the screenshot, which pertains to the DD-WRT web interface. You should look at the DNS servers displayed in the leak test site. Anyway, does the dns leak site display your ISP DNS? If so, can you please post your complete iptables rules list?

    Kind regards

    Sorry, I tried to upload more than 1 screenshot.

    Hello!

    Ok, now we have all the information we need.

    A rule is missing:

    iptables -I OUTPUT -o <interface> ! --dst a.b.c.d -j DROP # if destination for outgoing packet on <interface> is NOT a.b.c.d, drop the packet, so that nothing leaks if VPN disconnects

    # the above line can be duplicated for as many Air servers as you wish to connect to, just insert the appropriate Air server entry-IP

    This is the rule which will prevent leaks.

    a.b.c.d is the entry-IP address of the Air server DD-WRT router connects to. <interface> is your router network interface (probably br0, determine its name with command "netstat -r").

    Important! Please note if you use the last entry above in the firewall (iptables -I OUTPUT -o br0 ! --dst a.b.c.d -j DROP) you will lose access to the router. Thus if the tunnel goes down ...well you know. So you may want to leave this entry off the GUI and if/when you are set up properly and then run it from the telnet prompt. That way if you need router access you can reboot and be OK.

    Please see also zdrifter post for more details.

    Kind regards
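
How first-match evaluation treats the rule above when it is repeated for a second entry IP, next to an accept-then-drop ordering that admits several entry IPs, as an added Python model that is not from the original post. The addresses are constructed documentation-range values, `br0` is the interface name the post suggests, and the model covers only the `-o`, `--dst` and `-j` parts of a rule.

```python
from collections import namedtuple
from ipaddress import ip_address

# dst=None matches any destination; negate mirrors iptables' "!" before --dst.
Rule = namedtuple("Rule", "out_iface dst negate target")
Packet = namedtuple("Packet", "out_iface dst")


def rule_matches(rule, pkt):
    """True when the packet leaves on the rule's interface and the dst test holds."""
    if rule.out_iface != pkt.out_iface:
        return False
    if rule.dst is None:
        return True
    same = ip_address(rule.dst) == ip_address(pkt.dst)
    return (not same) if rule.negate else same


def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule.target
    return policy


def repeated_drop(iface, entry_ips):
    """The '! --dst <ip> -j DROP' rule from the post, once per entry IP."""
    return [Rule(iface, ip, True, "DROP") for ip in entry_ips]


def accept_then_drop(iface, entry_ips):
    """One ACCEPT per entry IP, then a single catch-all DROP for the interface."""
    chain = [Rule(iface, ip, False, "ACCEPT") for ip in entry_ips]
    return chain + [Rule(iface, None, False, "DROP")]


def render(chain):
    """Render with -A so the printed order is the evaluation order."""
    lines = []
    for r in chain:
        dst = "" if r.dst is None else f"{'! ' if r.negate else ''}-d {r.dst} "
        lines.append(f"iptables -A OUTPUT -o {r.out_iface} {dst}-j {r.target}")
    return lines


# Constructed values: documentation-range addresses stand in for entry IPs.
ENTRY_A, ENTRY_B, ELSEWHERE = "192.0.2.10", "198.51.100.20", "203.0.113.5"

if __name__ == "__main__":
    chains = (
        ("repeated DROP", repeated_drop("br0", [ENTRY_A, ENTRY_B])),
        ("accept-then-drop", accept_then_drop("br0", [ENTRY_A, ENTRY_B])),
    )
    for label, chain in chains:
        print(label)
        for line in render(chain):
            print("  " + line)
        for dst in (ENTRY_A, ENTRY_B, ELSEWHERE):
            print("   ", dst, verdict(chain, Packet("br0", dst)))
```

With a single entry IP the negated DROP rule behaves as the post describes; with two, each entry IP is caught by the other IP's rule, so the model drops every packet on the interface.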


  3. Hello!

    Can you please tell us which DNS servers are displayed by the dns leak test?

    Kind regards

    Before there were several dns servers listed including my isp, now only my isp.

    Hello!

    They are not visible on the screenshot, which pertains to the DD-WRT web interface. You should look at the DNS servers displayed in the leak test site. Anyway, does the dns leak site display your ISP DNS? If so, can you please post your complete iptables rules list?

    Kind regards


  4. AirVPN has been working great, and for the past year I have been a paying customer, but starting yesterday, I am unable to connect to any servers, and instead I receive these messages.

    Sat Sep 15 12:06:33 2012 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)

    Sat Sep 15 12:06:33 2012 AUTH: Received AUTH_FAILED control message

    Sat Sep 15 12:06:33 2012 SIGTERM received, sending exit notification to peer

    Sat Sep 15 12:06:38 2012 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)

    Sat Sep 15 12:06:38 2012 TCP/UDP: Closing socket

    Sat Sep 15 12:06:38 2012 SIGTERM[soft,exit-with-notification] received, process exiting

    Hello!

    Can you please try again now?

    Kind regards


  5. Hi, I used port forwarding without issues until yesterday, but today it is just not working. I didn't touch the configuration of either the VPN or my service, which is up and running, listening on the correct port. Windows Firewall is disabled and I don't have any other security software installed on my machine. The issue persists when connecting to any server, so really I don't know what else I could check :(

    canyouseeme.org says that the port is closed and the AirVPN port forwarding page says "Not reachable on server IP over the external port XXXX, tcp protocol. Error : 110 - Connection timed out"

    Is there any technical issue at your end?

    Thank you :)

    Hello!

    We have detected a problem on Serpentis port forwarding and potentially on other servers. It is probably related to the previous backend problem (the VPN servers need to know which ports are to be dynamically forwarded to which IP address inside the VPN). While all the connections between all the servers are re-established, this problem will be solved automatically. Please let us know on which server(s) you detect the problem if it's not solved within a few minutes.

    Kind regards


  6. I am the author of a new privacy book. Having reviewed many VPNs on the Internet, I can state unequivocally that AirVpn is in the top tier of VPN services, arguably the best VPN service overall.

    Hello!

    Thank you very much, we're very glad and proud of this review. We would love to read the whole book as well! Can you give us the coordinates to buy the book?

    There are many good things that can be written about AirVPN.

    But it is the little things that impress the most.

    AirVPN is one of the few anonymization services, for example, that is not vulnerable to the BEAST attack. This demonstrates that the AirVPN operators are serious about security.

    True, especially thanks to how OpenVPN works (if properly configured). Also, the different entry-IP and exit-IP addresses of each server prevent nasty correlation attacks against which even OpenVPN is powerless (it's not an OpenVPN fault, it's how the Internet works :) ).

    Some suggestions:

    Consider expanding the geographic reach of servers:

    Switzerland

    Luxembourg

    Liechtenstein

    Australia/New Zealand

    France

    Italy

    You will see a constant infrastructure expansion on various countries, some of them included in your list. We are also preparing new services which will be available in the next weeks to help people connect in countries where OpenVPN connections are disrupted.

    Consider adopting XTS mode over CBC mode.

    Unfortunately OpenVPN does not support XTS. In the future we will evaluate a change of cypher-system, however this is a delicate operation because it will force our clients to re-download configuration files. DD-WRT users might be forced to re-flash their router with new firmwares which implement latest OpenVPN versions. Currently AES-256-CBC, RSA 2048 bit key, double certificate authentication and TLS renegotiation provide a higher-than-military degree of security on the cypher-system side, without an excessive computational burden on older CPUs.

    Very Important:

    Many of the AirVPN servers fail proxy tests; they appear as “networking sharing devices,” principally due to the WIMIA test.

    It's true that our servers are (also) networking sharing devices. Sharing a device is a necessary prerequisite to keep a strong anonymity layer.

    The WIMIA test software is closed and undocumented. Currently, experts suggest that WIMIA maintainers also add IP addresses and IP ranges from dedicated servers providers on their database. Therefore there's no way to fool a WIMIA test if any person sends them one of our servers exit-IP addresses (they also have a form that can be used by snitches). This may become a problem if more and more web administrators will bar access from VPNs using WIMIA, however the more privacy awareness (as well as usage of NATs from ISPs) spread, the more this problem will heap only on those websites.

    We're looking forward to hearing from you.

    Kind regards


  7. If the leak is confirmed, you might like to read the zdrifter post about that and more (it will prevent any leak):

    https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=2377&Itemid=142#2377

    Kind regards

    After reading zdrifter's post I found that I use tun1 interface. I added the new iptables (except for the last line) in the firewall and saved. I still have a dns leak confirmed with http://www.dnsleaktest.com

    Hello!

    Can you please tell us which DNS servers are displayed by the dns leak test?

    Kind regards


  8. Hello!

    That sounds very technical; could you explain what a backend server is and what happened to it? And what does this "failover redundancy system" do?

    Thank you :kiss:

    Hello!

    A backend server is a machine which works "behind the scene". No client ever communicates directly with it, but the VPN servers do for various purposes (remember, we don't keep ANY database on VPN servers for security reasons). When a backend server does not respond, the VPN server queries the next one (and so on) - a redundancy system to keep the system up even if one or more servers are down. In this case, the system worked partially when a backend server began to have problems: the website could remain up, but establishing new connections to VPN servers was not possible. We're investigating.

    Kind regards


  9. Hello!

    We have had a major problem on one of our backend servers. The problem did not affect already established connections or the website, but it did prevent new connections. The failover system worked only partially. The problem has been now fixed, however we are still working on the system so please do not hesitate to contact us for any further issue.

    Kind regards


  10. Admin is usually very responsive. This tells me that something very major has happened. I couldn't even reach the web site and received a message on the page: "Our Tubes are Clogged!" Finally I could reach it. I just hope Airvpn haven't been seized or shut down. This has been a good service, but governments that want to spy or censor their citizens don't like it. I hope nothing like this has happened to Airvpn.

    Hello!

    We have had a major problem on one of our backend servers. No attacks, no pressure from any entity (except the usual spammers, but that goes on by default :) ). The problem prevented new connections to our servers and has been now fixed. However, we're still working on the system in order to ascertain why the failover redundancy system worked only partially, therefore please do not hesitate to contact us for any further issue.

    Kind regards


  11. For the last couple of days I have had intermittent disconnections. When I try to reconnect I get an error message saying I am already connected, even after I have rebooted my PC and broadband equipment. I have checked with my ISP and they are not experiencing problems. Please help.

    Hello!

    We have had a major problem on one of our backend servers which prevented new connections. The problem has now been fixed, can you please try again? We're still working on the system, so if you find any issue please do not hesitate to contact us.

    Kind regards


  12. Good News Everyone! (sorry, just couldn't resist the Futurama reference)

    I have just successfully connected to the server (Orionis) using the AirVPN client. It seems the problem has been fixed (hopefully permanently). I suppose you must expect hiccups now and again - I still think AirVPN is the best and will stick with them.

    Hello!

    We have had a major problem in one of our backend servers. It did not affect already established client connections but it did prevent new connections for 5 hours. The problem has been now fixed. However, we're still working on the system, so please do not hesitate to contact us for any issue.

    We apologize for the inconvenience.

    Kind regards


  13. Hello!

    We have had a major problem in one of our backend servers. The failover system worked only partially and we needed some time to restore everything. The problem did not affect already connected clients, but it did prevent new connections for about 5 hours. The problem has been now fixed. We're still working on the system, therefore please do not hesitate to contact us for any issue.

    We apologize for the inconvenience.

    Kind regards


  14. Hello!

    We're sorry, we use OpenVPN in "routing mode". The adapter, both on the server and client side, must be a TUN interface operating on layer 3, not a tap adapter handling layer 2 packets. If you use OpenVPN in bridged mode, you can't connect to Air servers.

    That said, it remains to be seen whether what you want to achieve is possible with PPTP. Your household machine should act simultaneously as a PPTP server and OpenVPN client. Unfortunately we are not able to give you support on this and we can't say for sure if it's possible or not.

    However, it is definitely possible (at least on Linux) to run multiple OpenVPN instances, each running either in server or client mode, with an arbitrary number of tun interfaces, and it is also definitely possible to use a Linux box as a simultaneous OpenVPN server for its clients and an OpenVPN client for the Air servers. It is possible to do that even with just one physical network card. You will need to modify the routes pushed by our servers to your OpenVPN client, enable IP forwarding and set an appropriate routing table which allows packets routing and NATting between OpenVPN server and client. The setup requires a fairly good knowledge in networking, anyway you can be sure 100% it's possible (with only one physical network card) because we do that for services both for our clients and for internal purposes.

    Kind regards


  15. Hello!

    It might be a firmware problem. Can you please try to change version?

    Kind regards

    I changed my firmware version and was able to connect! The OpenVPN setup page on DD-WRT wouldn't accept LZO Compression set to "yes" only "adaptive".

    Hello!

    That's great, thank you for the information. Could you please specify the exact firmware version that is working with your router model?

    I notice that I have a DNS leak. On my WAN status page it shows 3 DNS servers: 10.4.0.1 plus 2 from my ISP. How do I prevent them from connecting?

    That does not necessarily mean that you have a DNS leak from your router. First please check that you really have a DNS leak here:

    http://dnsleaktest.com

    Then, please make sure that the leak is not caused by the devices connected to the router (do not force them to use different DNS servers).

    If the leak is confirmed, you might like to read the zdrifter post about that and more (it will prevent any leak):

    https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=2377&Itemid=142#2377

    Kind regards


  16. Well, it's a pain in the ass really. The last week, and still testing, I've found out that no matter what port, be it UDP or TCP (add in your port nr. of choice), any Netherlands server gives less than optimal performance than it used to. It's ridiculous. Especially on the Swedish server side it's a complete nightmare!!! That one won't even connect most of the time, and if it does, then it's sloooooowwwwww or won't work at all because of the low speed you get. And I've tried this on my main rig with a complete AirVPN uninstall/reinstall and on a completely fresh installed Windows 7 laptop, firewall disabled and only AirVPN freshly installed. Still the same, so no, it's not the network settings, since I hadn't had this 2 weeks ago, when the speeds were blazing and all was great, as you all know. Kinda pissed off now. Here's a new log. Once again, speeds are still perfect without VPN, so it IS on AirVPN's side.

    Hello!

    The peering of our servers datacenters did not change in the last 2 weeks and the recorded performance is as high as usual. Furthermore we also added more bw redundancy. Please note that:

    - our NL and DE servers are in datacenters with POPs directly connected to tier1 providers with high bandwidth redundancy

    - you find the very same problem on different datacenters and networks

    - 2 weeks ago you recorded "blazing speeds"

    - you record high performance during the first minutes, then you lose connection or you have very high packet loss

    Therefore and unfortunately everything, really everything, suggests that it is a problem either of your ISP (or the ISP of your ISP etc.) or maybe of your last-mile, born during the last 2 weeks. Unfortunately, in this case, there's nothing we can do. If it was a fault on our side, we could work on it, but given the information you provided the problem is on your side and we are powerless. Just to try all the options, maybe it is not your ISP fault, but only a faulty router which shows the defect especially during tunneling (you would hardly notice dropouts without tunneling).

    Kind regards


  17. Hello!

    The logs show that the connection was fully successful. Could you access the Internet from your DD-WRT connected devices?

    Kind regards

    The log showed that I do connect but then disconnect. I tried the connection with the same configuration again with the same results. The STATE keeps showing Client:RECONNECTING.

    20120912 21:06:22 I TCP connection established with 108.59.8.147:80

    20120912 21:06:22 I TCPv4_CLIENT link local: [undef]

    20120912 21:06:22 I TCPv4_CLIENT link remote: 108.59.8.147:80

    20120912 21:06:22 TLS: Initial packet from 108.59.8.147:80 sid=686390b6 ba017dab

    20120912 21:06:23 VERIFY OK: depth=1 /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org

    20120912 21:06:23 VERIFY OK: nsCertType=SERVER

    20120912 21:06:23 VERIFY OK: depth=0 /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.org

    20120912 21:06:23 MANAGEMENT: Client connected from 127.0.0.1:5001

    20120912 21:06:23 D MANAGEMENT: CMD 'state'

    20120912 21:06:23 MANAGEMENT: Client disconnected

    20120912 21:06:23 MANAGEMENT: Client connected from 127.0.0.1:5001

    20120912 21:06:23 D MANAGEMENT: CMD 'state'

    20120912 21:06:23 MANAGEMENT: Client disconnected

    20120912 21:06:23 MANAGEMENT: Client connected from 127.0.0.1:5001

    20120912 21:06:23 D MANAGEMENT: CMD 'state'

    20120912 21:06:23 MANAGEMENT: Client disconnected

    20120912 21:06:24 MANAGEMENT: Client connected from 127.0.0.1:5001

    20120912 21:06:24 D MANAGEMENT: CMD 'log 500'

    19700101 00:00:00

    Hello!

    It might be a firmware problem. Can you please try to change version?

    Kind regards


  18. OK, so that was the problem - DDOS? I'll download the TCP config. Is there any way to have a section that alerts to which servers are being attacked, when it happens? Sad that idiots (or the RIAA/MPAA) DDOS VPNs.

    PD

    Hello!

    Yes, a new servers real time monitor which will provide you with more information is almost ready.

    Kind regards


  19. Hi,

    Am having a few issues and would appreciate any feedback.

    1. In the past couple of weeks or so, connecting to NL_Castor would cause Comodo to register a new network zone each time. It has never happened before. So far 3 have been established (the MAC address remains unchanged). Not being familiar with networking I am puzzled.

    Hello!

    This is normal: Comodo can't know the exact range of our network zones. You can avoid this annoyance defining a network zone which covers the range 10.4.0.0->10.9.255.255. For more information please see https://airvpn.org/specs

    2. Am having problems with the AirVPN site. Lately at times it is taking ages opening web pages (eg like forum topics)

    3. Though all is fine now, earlier this morning I had problems connecting to AirVPN. Firstly the Dutch AirVPN servers were refusing connection. Secondly if connected the connection will drop after a while, needing a reboot to reconnect. I have experienced this problem randomly before. Looking through the forum thread it seems to have happened to a few users. Any explanations?

    We have noticed those problems intermittently and we have partially solved them, we're still investigating. Currently you should not have any problem, neither on the website nor with servers connection. Please do not hesitate to contact us for any further issue.

    Kind regards


  20. Thanks, admin, for the reply. I have given you the requested information using the "Contact Us" form and referenced to this thread. I hope this will help to find out what mutorrent is doing here.

    For my part, I'm a happy camper since everything works smoothly and mutorrent is fast and works fine (with the green "network ok" symbol displayed). But it would still be good to know if there is maybe some unexpected security risk, since it seems the green symbol should actually not be displayed if no ports are being forwarded.

    To summarize: when running mutorrent, I usually have quite a lot of UDP Out connections from 10.x.x.x to all kinds of outside IPs, and typically can see also a few UDP In connections coming from outside to 10.x.x.x:(listening port of mutorrent). So it looks as if my listening port is forwarded somehow by mutorrent, even though I did not enable port forwarding on my router (at least not on the Advanced -> Port Forwarding settings which afaik is the only place where to specify this in the router) nor on the AirVPN website.

    P.S.: Since my system is not special in any way, I would think that there must be other customers here who use mutorrent and get the green "network ok" symbol even without specifying any port forwarding? Is there anyone else out there who sees this behavior in mutorrent?

    Hello!

    uTorrent is capable of performing the correct UDP Hole Punching through our VPN servers NAT. Skype is considered to be able to do that too.

    This is possible because Air implemented NAT is p2p friendly, a "cone NAT" (see RFC 3489). It "focuses" all sessions originating from a single private endpoint through the same public endpoint on the NAT. (Ford, MIT, "Peer-to-Peer Communication Across Network Address Translators", 2005).

    [...] hole punching does not compromise the security of a private network. Instead, hole punching enables applications to function within the default security policy of most NATs, effectively signaling to NATs on the path that peer-to-peer communication sessions are “solicited” and thus should be accepted. This paper documents hole punching for both UDP and TCP, and details the crucial aspects of both application and NAT behavior that make hole punching work.

    (Ford)

    For (a lot of) additional information please see http://www.brynosaurus.com/pub/net/p2pnat , in particular paragraphs 3.2, 3.4 and 5.1.

    Kind regards


  21. How do I check this? Sorry, this is very new to me.

    Thanks

    Hello!

    Please check whether all the files inside the zipped archive have been copied and pasted into the proper directory (for example /sdcard/openvpn). Besides the .ovpn configuration file(s), you must see ca.crt, user.crt and user.key. Absence of any of those files will prevent your device from connecting. In particular, absence of user.key will cause the client to prompt you for (an impossible) authentication.

    Kind regards


  22. Hi,

    I've modified OpenVPN configuration to connect to the same server (Vega) but this time using TCP protocol and Port 80.

    OpenVPN client keeps trying to reconnect to the server with no real success. The state bar shows "RECONNECTING".

    When using UDP on port 443 the state bar showed "AUTH".

    I've attached the log file and the screen shot with the new configuration for OpenVPN. I've also disabled firewall, so we can focus first on connection.

    Thanks

    Hello!

    Can you please make sure that your ISP router is working in bridge mode?

    About the "Unroutable control packet received" error, it is normally due to an invalid certificate (expired or not yet valid). Please check your routers' system clocks and that you have properly pasted ca.crt and user.crt.

    Kind regards
