Posts posted by Staff


  1. Hello. I thought I had this situation under control, but I'm having trouble setting up a port for the DC++ program's UDP under manual port forwarding. The TCP and TLS ports have both gotten a green light, but every single port I try to set up for the UDP results in a gray light or a danger warning. Is there any particular reason I might be having so much trouble with this one port? Just bad luck maybe and I have to keep trying different ones? After a couple dozen, you start to wonder....

    EDIT: I notice that if I use a port number as TCP and UDP both that results in a gray port and then use the same port number as UDP only it always gives me a danger warning. Just a shot in the dark here but will any port number that works as the UDP setting for the program for some reason result in a danger warning? Because I can't find a number that gives me a green light....

    TIA!

    Hello!

    Can you please make sure that the ports you have remotely forwarded are "CLOSED" in your router? If you're 100% sure that the router ports are closed, then the red token is a false positive and you can go on with peace of mind. Actually, when performing tests we obtain false positives, but they are very rare, while in your case it appears that you ALWAYS get a red token. If the ports in the router are not closed, then the red tokens are correct. From what we learned from recent history, correlation attacks are dangerous for DirectConnect users so it's better to have some false positives and perform a triple-check than having a very dangerous false negative.

    DC users are also encouraged to secure their connections in order to prevent leaks in case of unexpected VPN disconnections.

    We're looking forward to hearing from you.

    Kind regards


  2. Did it. Exactly. Step by step. Line by line.

    Can't attach any files for you to verify.

    Hello!

    You can attach jpeg, doc, txt, gif and some other formats. If you are unable to do that, please send them via mail to info@airvpn.org

    Also, a screenshot of your "Global Rules" would be helpful.

    When my LAN adapter is "Unidentified" after restarting, even GUI won't connect. Both adapters DNS TCP/Ipv4 = OpenVPN (208.67.222.222-208.67.220.220)

    Please help

    Did you follow precisely all the 14 points described in the above linked post? Please send also details about your internal network and your implementation of point 11.

    Kind regards


  3. maggieairvpn wrote:

    Checking your options:

    1. hosts file is not working (Win7, 64bit) properly when LAN adapter is blocked by Comodo. Tried CMD Ping, no connection to airvpn

    2. Same thing with OpenVPN GUI, no connection when network is "Unidentified"

    Thank you

    Hello!

    Please delete the rule for svchost.exe and follow these instructions:

    https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=3405&Itemid=142

    Kind regards


  4. I left AirVPN logged in and went to bed. UTorrent was also on. When I checked the following morning, AirVPN had disconnected and was trying to reconnect. the UTorrent was still connected, but now downloading using my real current IP. I don't know how long that had gone on like that. Is there a way to have AirVPN terminate any DL's or UL's from continuing if AirVPN disengages?

    Hello!

    Of course! It's a very simple task which will take you few minutes. You need a firewall.

    Instructions for Windows (with Comodo), *BSD (including MacOSX, with either pf or ipfw) and Linux (with iptables) are here:

    https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=1713&Itemid=142

    Further instructions for Windows & Comodo are here:

    https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=3405&Itemid=142

    Kind regards


  5. Hello

    Rather than route my VPN traffic over Tor, I would like to first connect to AirVPN and then connect to Tor.

    How might this be achieved?

    Thanks

    Hello!

    It's very simple, first connect to Air, then launch the TOR browser Aurora (if you use the TOR browser bundle) or your favorite TOR configuration. Please note that in this case only applications configured to use TOR will be tunneled over TOR over Air, all the others will be tunneled over Air only.

    Kind regards


  6. Dear Admin,

    I have read your topic and have a little suggestion: what if you can modify the "service status" screen to include current IP addresses? This may help to quickly check if Global Rules has an actual NN#.

    Hello!

    Sure, thank you for the suggestion. You can already see them from the source code of the page; anyway, for your and other readers' comfort you can see them in the configuration files, at the line "remote". You can generate all the configuration files in one shot with our configuration generator.

    We don't publish the entry-IP addresses list publicly in plain-text to mitigate DDoS botnets attacks.

    Kind regards


  7. No, I set it to block only bit torrent and it failed to block it,

    Hello!

    This is the reason for which you wrongly reported that Comodo does "not block": you did not activate it. Please make sure to set Comodo "Firewall Security Level" to "Custom Policy". If "Firewall Security Policy" is set to "Training Mode", "Disabled" or "Safe Mode", the custom rules are not applied.

    Private firewall doesn't block ranges, only single addresses.

    Privatefirewall supports IP ranges. Just specify a NetMask, please see the previous message for an explanation.

    Is there another program I can use to block bit torrent when airvpn is offline?

    Basically, any firewall that deserves to be called a firewall can do the job. However, the only firewall we recommend for Windows is Comodo, due to severe outgoing leaks and insufficient pro-active security suffered by any other firewall for Windows (in particular on 64 bit systems).

    You can get a list of firewalls here, all of them checked with 110 significant tests which try to provoke leaks:

    http://www.matousec.com/projects/proactive-security-challenge-64/results.php

    For your security, we recommend to avoid firewalls with a Product Score lower than 90%.

    Please refer to this post in order to set Comodo rules:

    https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=3405&Itemid=142

    Kind regards


  8. Why should your speed be halved on port 53 TCP?

    I thought a TCP connection was slower than a UDP connection? It's certainly slower than my previous ISP connection (through port 443 UDP on the same hardware and line) was. It's about half of my maximum speed.

    Hello!

    Yes, there's an overhead, but usually the difference in performance is not so dramatic.

    I don't mind, though. The connection you've helped me get is good enough, and I'll be re-subscribing for a long time to come. Thank you very much for the help.

    Thank you very much. At your convenience do not hesitate to contact us, because chances are that the problem lies in your device or OS, not in BT. It will be interesting that you test out new servers when they are available (soon). By the way, did you perform the "DNS test" recommended by the previous admin?

    Kind regards


  9. Hello!

    Previous threads on Windows and Comodo to prevent DNS leaks and leaks in case of unexpected VPN disconnection have become very big and detailed. We invite you to consult those threads for details and support, while we publish this message as a quick, clarifying overview of the essential steps.

    Please note that if you don't use Windows you don't need to read this post. If you use Windows and a firewall other than Comodo, you can anyway take these rules as an example and adapt them to your firewall.

    This is a minimal set of instructions to prevent any leak in case of unexpected VPN disconnection and prevent, in any case, DNS leaks, on Windows systems with Comodo firewall. Comodo firewall is currently the only firewall we recommend for Windows. The free version is just fine for our purposes.

    Never rename the rules: in case you need support, we need to see what the rules really state.

    1) If you're not familiar with a firewall, read Comodo Firewall manual or guides. In particular, please see the following:

    https://help.comodo.com/topic-72-1-451-4773-global-rules.html
    https://help.comodo.com/topic-72-1-451-4884-Network-Zones.html

    2) Install Comodo Personal Firewall free version available here: https://personalfirewall.comodo.com/

    3) Set the Firewall Security Level to "Custom Policy"

    [Screenshot attachment: Comodo Firewall v6 AirVPN Settings - Firewall Settings.png]

    4) Determine or create the Network Zone of your TAP-Win32 network adapter (from now on "AirVPN"). A safe way to define it: IP Range [10.1.0.0 - 10.255.255.255]

    [Screenshot attachment: Comodo Firewall v6 AirVPN Settings - Network Zones.png]

    If you need OpenVPN over SSH/SSL and other alternative connection modes, see also https://airvpn.org/specs

    5) Determine the entry-IP addresses of the AirVPN server(s) you wish to connect to: https://airvpn.org/topic/14378-how-can-i-get-vpn-servers-entry-ip-addresses

    6) Define a "Global Rule" which blocks everything:
    Block And Log IP In/Out From MAC Any To MAC Any Where Protocol Is Any
    The logging is important for troubleshooting if necessary.

    7) Put the above Global Rule in the top position. This will completely block your connectivity and let you add a whitelist of Allow global rules placed BEFORE this total block global rule. All the "Allow" rules that you want to be evaluated shall be put BEFORE (i.e. higher than) the above block rule.

    8) Define a "Global" rule which allows in/out communications of your TAP-Win32 adapter ("AirVPN") both In and Out:
    Allow IP In/Out From In [AirVPN] To MAC Any Where Protocol Is Any
    Allow IP In/Out From MAC Any To In [AirVPN] Where Protocol Is Any

    9) Do the same for your loopback zone (IP range 127.0.0.1 - 127.255.255.254)
    Allow IP In/Out From In [Loopback Zone] to MAC Any Where Protocol Is Any
    Allow IP In/Out From MAC Any To In [Loopback Zone] Where Protocol Is Any

    10) Do the same for any entry-IP address of the VPN servers you wish to connect to. For example for Leporis:
    Allow TCP or UDP In/Out From IP 95.211.191.33 To MAC Any Where Source Port Is Any And Destination Port Is Any
    Allow TCP or UDP In/Out From MAC Any To IP 95.211.191.33 Where Source Port Is Any And Destination Port Is Any

    For your comfort, you might define a Network Zone (for example [Air servers entry IPs]) containing only the entry-IP addresses of our servers and then set two rules like
    Allow TCP or UDP In/Out From In [Air servers entry IPs] To MAC Any Where Source Port Is Any And Destination Port Is Any
    Allow TCP or UDP In/Out From MAC Any To In [Air servers entry IPs] Where Source Port Is Any And Destination Port Is Any

    In this way, you will only need to add a single IPv4 address to that Network Zone in order to connect to a new server, instead of defining two additional rules for each server, which may be annoying if you switch between a lot of servers.

    11) Add similar rules to allow communications of your device with your router (and within your home/office network, if you wish so). For example, if your network is [192.168.0.0 / 255.255.0.0] define a network zone with IP Range [192.168.0.0 - 192.168.255.255] (let's call it "Home Network") and set the following rules:
    Allow TCP In/Out From In [Home Network] To In [Home Network] Where Source Port Is Any And Destination Port Is Any
    Allow UDP In/Out From In [Home Network] To In [Home Network] Where Source Port Is Any And Destination Port Is Not 53
    Allow ICMP In/Out From In [Home Network] To In [Home Network] Where ICMP Message Is Any

    11a) Allow DHCP "negotiation":
    Allow IP In/Out From MAC Any To IP 255.255.255.255 Where Protocol Is Any

    [Screenshot attachment: Comodo Firewall v6 AirVPN Settings - Global Rules.png]

    12) In order to allow "airvpn.org" resolution even when disconnected (and any other hostname you wish to be resolved even when VPN is disconnected), add to your hosts file the line:
    95.211.138.143 airvpn.org

    Do not forget about this change! If we change our main frontend IP address, you will not be able to reach airvpn.org anymore until you remove that line. This is no longer necessary starting with Air client edition 2, "Eddie".


    13) If you use the Air client, add rules to allow communications with IP addresses 5.196.64.52 and 95.211.138.143 (two of our frontend servers), In and Out
    Allow TCP or UDP In/Out From IP 5.196.64.52 To MAC Any Where Source Port Is Any And Destination Port Is Any
    Allow TCP or UDP In/Out From MAC Any To IP 5.196.64.52 Where Source Port Is Any And Destination Port Is Any

    Allow TCP or UDP In/Out From IP 95.211.138.143 To MAC Any Where Source Port Is Any And Destination Port Is Any

    Allow TCP or UDP In/Out From MAC Any To IP 95.211.138.143 Where Source Port Is Any And Destination Port Is Any

    14) You can progressively enlarge your whitelist just by adding "Allow" rules before the total blocking rule of point 6) according to your system needs.

    Keep in mind that there are literally dozens of ways to accomplish the same task with Comodo.

    Pay attention not to confuse the "-" symbol, which stands for "IP range", with the "/" symbol, which stands for IP address / NetMask. For example, [10.4.0.0 - 10.9.255.255] is correct (the IP range from 10.4.0.0 to 10.9.255.255), while [10.4.0.0 / 10.9.255.255] is NOT correct (IP 10.4.0.0 NetMask 10.9.255.255, which covers almost every existing IP address!).

    When you have defined all the rules, do not forget to click "Apply" and "OK" in order to store them and make them active for any new connection. Test everything and do not be afraid to experiment before you rely on the secured connection for sensitive data transmissions.

    Kind regards
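The rule set of points 6 to 11 above, modelled as an ordered first-match list and run over constructed sample packets, to show why the "Allow" rules must sit above the total block rule and why the LAN UDP rule excludes port 53. This is an added example, not code from the post or from Comodo; it assumes Comodo evaluates Global Rules top to bottom with the first match deciding, and the sample addresses (10.4.6.70 as a tunnel address, 203.0.113.53 as an ISP resolver, 198.51.100.10 as a web server) are constructed.

```python
import ipaddress
from typing import Optional

# Assumption (not from the post): Global Rules are evaluated top-down and the
# first matching rule decides. "IP" as protocol matches every protocol.

def zone(start: str, end: str):
    """A Comodo-style 'IP Range [start - end]' zone as an inclusive integer interval."""
    return (int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end)))

ZONES = {
    "Any":                   zone("0.0.0.0", "255.255.255.255"),
    "AirVPN":                zone("10.1.0.0", "10.255.255.255"),         # point 4
    "Loopback Zone":         zone("127.0.0.1", "127.255.255.254"),       # point 9
    "Air servers entry IPs": zone("95.211.191.33", "95.211.191.33"),     # point 10 (Leporis)
    "Home Network":          zone("192.168.0.0", "192.168.255.255"),     # point 11
    "Broadcast":             zone("255.255.255.255", "255.255.255.255"), # point 11a
}

# (action, protocols, source zone, destination zone, destination-port predicate)
RULES = [
    ("Allow", {"IP"},         "AirVPN", "Any", None),
    ("Allow", {"IP"},         "Any", "AirVPN", None),
    ("Allow", {"IP"},         "Loopback Zone", "Any", None),
    ("Allow", {"IP"},         "Any", "Loopback Zone", None),
    ("Allow", {"TCP", "UDP"}, "Air servers entry IPs", "Any", None),
    ("Allow", {"TCP", "UDP"}, "Any", "Air servers entry IPs", None),
    ("Allow", {"TCP"},        "Home Network", "Home Network", None),
    ("Allow", {"UDP"},        "Home Network", "Home Network", lambda p: p != 53),
    ("Allow", {"ICMP"},       "Home Network", "Home Network", None),
    ("Allow", {"IP"},         "Any", "Broadcast", None),
    ("Block", {"IP"},         "Any", "Any", None),   # point 6, kept LAST (point 7)
]

def in_zone(ip: str, name: str) -> bool:
    lo, hi = ZONES[name]
    return lo <= int(ipaddress.IPv4Address(ip)) <= hi

def evaluate(rules, proto: str, src: str, dst: str, dport: Optional[int] = None):
    """Return (action, rule_index) of the first rule that matches the packet."""
    for i, (action, protos, szone, dzone, port_ok) in enumerate(rules):
        if "IP" not in protos and proto not in protos:
            continue
        if not (in_zone(src, szone) and in_zone(dst, dzone)):
            continue
        if port_ok is not None and not port_ok(dport):
            continue
        return action, i
    raise RuntimeError("no rule matched: the total block rule is missing")

# Constructed sample traffic: (description, proto, src, dst, dport)
SAMPLES = [
    ("OpenVPN handshake to Leporis entry IP",       "UDP", "192.168.1.10", "95.211.191.33",   443),
    ("DNS query inside the tunnel",                 "UDP", "10.4.6.70",    "203.0.113.53",    53),
    ("DNS query over the LAN adapter (VPN down)",   "UDP", "192.168.1.10", "203.0.113.53",    53),
    ("DNS query to the router's resolver",          "UDP", "192.168.1.10", "192.168.1.1",     53),
    ("Web admin page of the router",                "TCP", "192.168.1.10", "192.168.1.1",     80),
    ("Web traffic over the LAN adapter (VPN down)", "TCP", "192.168.1.10", "198.51.100.10",   443),
    ("DHCP discover",                               "UDP", "0.0.0.0",      "255.255.255.255", 67),
]

def verdicts(rules=RULES) -> dict:
    """Map each sample description to the action the ordered rule list yields."""
    return {desc: evaluate(rules, proto, s, d, p)[0] for desc, proto, s, d, p in SAMPLES}

if __name__ == "__main__":
    for desc, action in verdicts().items():
        print(f"{action:5} {desc}")
    # Point 7: with the block rule moved to the top, nothing gets through at all.
    print(set(verdicts([RULES[-1]] + RULES[:-1]).values()))
```

Traffic that leaves the physical adapter for anything other than the entry IP, the LAN or DHCP falls through to the block rule, which is what keeps a torrent client or a stray resolver query from leaking when the tunnel drops.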


  10. After much testing, port 53 TCP is the only port I can connect through.

    Hello!

    That's odd, we will keep you informed if we receive similar reports from British Telecom customers. Thank you for the information. Also, please make sure that a firewall (on your computer or router) is not blocking ports. Also antivirus programs have sometimes been reported to act weirdly with OpenVPN. Anyway, please note that from the previous logs it appears that you can also connect to Lyra port 443 UDP just fine.

    Pointing my "preferred" DNS to 10.9.0.1 (AirVPN) and my "alternative" to Open DNS and running a test on dnsleaktest.com shows 6 results, all Google DNS servers located in the US and Germany beginning 74.125.xxx.xxx.

    The Google results are fine. If you don't see any OpenDNS DNS, then you have no DNS leak. This does not mean that DNS leaks (i.e. DNS queries unencrypted going to OpenDNS) may not happen in the future, if you use Windows. In the forum you'll find several ways to prevent DNS leaks for Windows.

    Is this correct and secure? I don't mind halving my connection speed by connecting through port 53 as long as my connection to Airvpn is watertight.

    Why should your speed be halved on port 53 TCP?

    Kind regards


  11. By giving administrator privileges to openvpn.exe and connecting through the Openvpn GUI, I managed to get a connection to Omicron on TCP Port 53. The IP seemed to match the Omicron IP, and DNSLeaks showed I was using 2 german DNS servers, and a UK Open DNS server.

    The bad news is that this was one successful attempt after 7 or 8 tries. All the other attempts showed that I had successfully connected to an AirVPN server, but I appeared to have no internet access. Loading websites would just cause my browser to hang and then display a 404 error, although Steam mysteriously logged me back into my account, so maybe it's specific to the HTTP port?

    Hello!

    The logs are just fine.

    It might be a DNS problem. Try the following:

    - connect to a TCP port (like you did with Omicron)

    - open your browser and browse to http://46.105.19.36 and http://airvpn.org (alternatively, ping or dig different IP addresses and domain names).

    If you can see that you can reach hosts without DNS resolution (that is, pointing directly to their IP address), but not pointing to their name, then you have a DNS push problem, which may happen sometimes on Windows systems. In this case, force the system to use our DNS as primary ("preferred", in Win7 idiom) and your favorite DNS as secondary ("alternate"). In order to determine the IP address of our DNS according to the port you connect to, please see here:

    https://airvpn.org/specs

    For example, DNS for clients in VPN port 53 TCP is 10.9.0.1.

    Kind regards


  12. @softrock

    Hello!

    As it was suspected, the problem is in your system. See here:

    Wed Aug 15 12:21:42 2012 NOTE: FlushIpNetTable failed on interface [17] {4754D006-F2F6-4F1B-AEDF-E8A2D558524A} (status=5) : Access is denied.

    Wed Aug 15 12:21:47 2012 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up

    Wed Aug 15 12:21:47 2012 C:\WINDOWS\system32\route.exe ADD 62.212.85.65 MASK 255.255.255.255 192.168.2.1

    Wed Aug 15 12:21:47 2012 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=12]

    Wed Aug 15 12:21:47 2012 Route addition via IPAPI failed [adaptive]

    Wed Aug 15 12:21:47 2012 Route addition fallback to route.exe

    The requested operation requires elevation.

    Wed Aug 15 12:21:47 2012 ERROR: Windows route add command failed [adaptive]: returned error code 1

    It means that OpenVPN does not have the privilege to modify the routing table and/or access the TAP-Win32 network interface. Please make sure that you launch OpenVPN (or the OpenVPN GUI) with administrator privileges and that the TAP-Win32 interface is installed (check with "ipconfig /all").

    If you can't manage to solve the problem, the quickest solution is a complete uninstall and re-install of OpenVPN. When you re-install, please make sure that you authorize the installer to install ALL the drivers it asks for your authorization.

    Kind regards


  13. @pmatisse

    Hello!

    The authentication with our VPN servers is performed through key and certificates, so you should never be prompted for a username/password when using OpenVPN. Perhaps OpenVPN can't access a certificate or the key? Can you please send us the attempted connection logs?

    Kind regards


  14. So, situation is:

    1. hosts file updated with "46.105.19.36 airvpn.org"

    2. Comodo Application rule for svchost.exe created - block out all TCP & UDP except 10.4.0.0-10.9.255.255

    3. After machine restarting this rule blocking access to the network and internet from Ethernet adapter (TAP is not yet activated)

    4. After attempt to connect getting message "AirVpn.org cannot be resolved" (???)

    5. AirVPN client NOR Openvpn GUI cannot connect.

    What can it be?

    Thank you

    Hello!

    Please activate that rule only after the connection to a VPN server. Switch to global rules in order to be able to connect without having to turn on and off rules.

    Kind regards


  15. I'm trying to fix my DNS leaking issues by using the first solution (dnsfixsetup) from this link

    http://www.dnsleaktest.com/how-to-fix-a-dns-leak.php

    But after i restart my airVPN client and rerun the DNS leak test i get the same results.

    Is there any way to fix this or do i have to stop using the client?

    Thanks in advance!

    Hello!

    DNS leaks are a typical Windows problem. You can fix it easily, please see here:

    http://www.dnsleaktest.com/how-to-fix-a-dns-leak.php

    Furthermore, you can secure your connection against any leak in case of unexpected disconnection, which will also fix any DNS leak, with a firewall (Comodo firewall is recommended):

    https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=2183&Itemid=142

    Kind regards


  16. I am using openvpn directly, not the client, the above sequence happened on Castor yesterday?? maybe the day before... exactly as described and I tried reconnecting multiple times, hoping you would notice your end, since there is no logging, guess not... seems to be happening exactly as I have described and there has been no change - I notice the apparent timeout seems to be longer than 2 mins sometimes... among the 1Gb servers the ones least hit are Castor and Sirius, guess that is why they are the most used.

    Hello!

    Castor had problems for less than 15 minutes due to unknown reasons (probably related to the datacenter). When we realized the problem and started investigating, the issue was already solved, so we did not publish any announcement.

    Has the added user benefit that if one forgets to kill the VPN before leaving a site one can still use it from mobile, knowing that your fixed connection has been killed for you.

    We have discussed between us about this and we found it quite questionable, if not totally unacceptable. Basically, we considered that if a user forgets the connection on, he/she may as well forget his/her p2p client or anything else running. Forcing a disconnection, and therefore potentially causing an IP leak (or a stop of activities if the user secured the connection with a firewall), and/or ports and services exposure etc. is an intrusive behavior which we consider dangerous, sort of undue "baby sitting".

    Kind regards


  17. Paulo why not broadcast a disconnect existing for a particular account to all your servers when a new connection is established?

    Hello again,

    the VPN servers don't "know" the accounts that are connected to themselves or to any other VPN server. This is necessary for additional security (no database stored on the VPN servers).

    Kind regards


  18. I have been complaining about this problem for nearly 6 months now - Paulo why don't you fix it? Such a great service is spoilt by this problem - your 120 sec timeout mechanism just does not work... normal operation of the internet will trigger a disconnect/retry in openvpn and then if the retry fails (but does get to your end) it will retry in 2 secs and always then bombing out as above and requiring manual intervention to restart the service. One can keep on trying to reconnect but your software counts a connection attempt as a connection and restarts the timeout each time!!! One never gets through, unless one goes away for a while and tries again.

    Hello! This was fixed. There is no 2 minutes timeout. Currently the problems are essentially on the client side and (rarely) when a VPN server has connection problems with the backend (we'll solve this very soon as well), however we're installing new software versions on the server side to fix the remaining OpenVPN server glitches. You can test the new version on Orionis and Leonis. If the results are good as we expect, we will install it on all the servers. The beta testing phase has been successfully passed so we put it into production on these two servers 7 days ago to check whether there are negative feedbacks (none at the moment).

    Kind regards


  19. I did. I set it to block EVERYTHING. It still doesn't block.

    Hello!

    You mean you set the Comodo firewall in "Block All" mode and it did not block ANY outgoing or incoming packet? Also, please make sure that when you define your rules, you set the firewall security level to "Custom Policy". You might like to check your traffic with Wireshark.

    Kind regards


  20. You can set a netmask for each IP address you specify (at least Privatefirewall version 7.0.28.1 has this option).

    I don't want to allow only ip addresses. I want to allow the vpn's ip range (10.4.0.0-10.9.255.255)

    Hello!

    Yes, you had the answer already. You can set a netmask for each IP address to approximate the IP range. For example 10.0.0.0 NetMask 255.240.0.0 is 10.0.0.0->10.15.255.255 (in CIDR notation: 10.0.0.0/12).

    Kind regards
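The point made here and in point 14 of the Comodo guide above (an "IP Range [start - end]" is not the same thing as "IP address / NetMask", and one netmask can only approximate a range such as 10.4.0.0 - 10.9.255.255), worked through with Python's standard ipaddress module. This is an added example, not code from the post or from either firewall vendor.

```python
import ipaddress

def netmask_to_range(ip: str, mask: str):
    """First and last address covered by one 'IP / NetMask' rule.
    Raises ValueError when mask is not a contiguous netmask."""
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return str(net.network_address), str(net.broadcast_address)

def is_valid_netmask(mask: str) -> bool:
    """True only for contiguous masks: 255.240.0.0 is one, 10.9.255.255 is not.
    Note that ipaddress also accepts the inverted (hostmask) form, e.g. 0.0.15.255."""
    try:
        ipaddress.IPv4Network(f"0.0.0.0/{mask}")
        return True
    except ValueError:
        return False

def range_to_cidr(start: str, end: str):
    """Exact cover of an inclusive IP range with the fewest 'IP / NetMask' rules."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))
    return [f"{b.network_address} NetMask {b.netmask}" for b in blocks]

def single_mask_approximation(start: str, end: str):
    """Smallest single 'IP / NetMask' that contains the whole range, plus the
    number of addresses outside the range that it additionally lets through."""
    s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    prefix = 32
    net = ipaddress.IPv4Network(f"{s}/{prefix}")
    # Widen the prefix one bit at a time until the block reaches the range end.
    while not (net.network_address <= s and e <= net.broadcast_address):
        prefix -= 1
        net = ipaddress.IPv4Network(f"{s}/{prefix}", strict=False)
    overshoot = net.num_addresses - (int(e) - int(s) + 1)
    return str(net.network_address), str(net.netmask), prefix, overshoot

if __name__ == "__main__":
    print(netmask_to_range("10.0.0.0", "255.240.0.0"))        # the example from the reply
    print(is_valid_netmask("10.9.255.255"))                    # the '/' mistake from the guide
    print(range_to_cidr("10.4.0.0", "10.9.255.255"))           # exact cover: two rules
    print(single_mask_approximation("10.4.0.0", "10.9.255.255"))  # one rule, with overshoot
```

Two netmask rules cover 10.4.0.0 - 10.9.255.255 exactly; the single 10.0.0.0 / 255.240.0.0 rule from the reply works too, at the cost of also allowing 655,360 addresses the range does not include.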


  21. @nobody12321

    EDIT:

    I uninstalled nod32 and went with Comodo's internet suite. Once again, it fails to block programs that it's supposed to block.

    Hello!

    If the incompatibility issues are solved for sure, then chances are that you have rules with precedence, please make sure to put the blocking rules for your torrent client before the allow rules, if any (just "move up" the rules).

    I really don't understand why you think that program is any good.

    Independent peer reviews are important. You can't assume that Comodo pays all the researchers in the world. The following tests, just to make an example, are very important in terms of pro-active security and leaks:

    http://www.matousec.com/projects/proactive-security-challenge-64/results.php

    Anyway, under a general point of view, you are right, personal software firewalls for Windows have very low quality if compared to free and open source products in other OS. Perhaps this is just a consequence of the Windows OS design and its closeness.

    Also, I can't find anything on google that suggests that private firewall is capable of blocking ip ranges.

    You can set a netmask for each IP address you specify (at least Privatefirewall version 7.0.28.1 has this option). You might like to ask for support in their forum.

    Kind regards


  22. Love it! Thanks. Be aware that OpenVPN GUI for Windows only allows a max of 50 entries. One question: I've tried both the separate certs and the embedded ones...they both work fine. Why would one choose embedded .vs separate? Is there any difference related to security, etc...?

    Thanks Air!

    JD

    Hello!

    There is no difference in security. We offer both options to meet a wider range of tastes and needs.

    Kind regards


  23. Thanks! Glad she's back. For some reason, I get better performance using UDP 80 or 53 (about 1600 KB/s) .vs UDP 443 (about 400 KB/s)...from USA. Tested by downloading a TWiT (This Week In Tech) HD video.

    JD

    Hello!

    Thank you very much for the information.

    We strongly recommend all Draconis users to perform the same test on all the ports.

    Kind regards


  24. Where can I download the older version of Airvpn which worked fine?

    I can't trust 1.7 because I should never see packets from my ISP's DNS Servers to my Private IP address.

    As I said, my firewall log shows ICMP Type 3, Code 10 packets blocked from my ISP's DNS Servers to 10.4.6.70 which certainly can not be correct.

    Thank you.

    Hello!

    Older Air client versions are not available in our website. You might like to connect via the OpenVPN GUI.

    About ICMP packets from your ISP DNS, there is no correlation with the Air client. See also here:

    http://forums.comodo.com/empty-t16873.0.html

    When you're connected to the VPN, you can safely drop those packets as you do now. When you're not connected, you might like to accept those packets, because they show some malfunctioning from your ISP DNS (one of your ISP DNS port 53 does not respond).

    Kind regards
