Staff

Hello! Is that the complete error message, no additional info? Can you tell us the Operating System and whether the configuration file pertains to OpenVPN or WireGuard? Which OpenVPN or WireGuard version do you run? Kind regards

@air92186 Hello! We fear that Gluetun's server list is hard coded here: https://raw.githubusercontent.com/qdm12/gluetun/master/internal/storage/servers.json Saclateni is not included in that list, maybe the list must be updated manually? To avoid hard coded lists a developer could parse the AirVPN manifest. How to download and how to parse the manifest must be seen on Eddie Android (Java) or AirVPN Suite (C++) source code, which is (in our opinion) very readable and well commented. A developer could also use the Bluetit daemon (developer's reference manual available here) for all the needed operations for a full integration with AirVPN (Bluetit exposes a D-Bus interface), although the integration requires that the target functions and/or classes are developed according to the AirVPN–SUITE classes marshaling mechanism (thoroughly documented anyway). However, there is no official document describing the manifest format and the procedure to download it from the bootstrap servers, we're sorry. We might plan a fully documented API for third party developers so they don't need hard coded lists of servers and IP addresses, or we might document the manifest download procedure and its format... we'll think about it. Kind regards

Hello! Thank you very much, you are a long time customer! Some Eddie Linux edition versions, including 2.21.8, have a bug which causes a race condition in some cases when the round trip times tests are performed. The bug was fixed in Eddie 2.22 and the whole round trip time checks procedure was significantly improved in 2.23. From your description, we suspect that your problem is caused by the mentioned bug. Please test Eddie 2.23.2 beta and check whether the problem gets solved. Please see here to download Eddie 2.23.2 beta version: https://airvpn.org/forums/topic/56428-eddie-desktop-223-beta-released/ If you are already running Eddie 2.23.2 then the problem must have a different cause, let us know. Kind regards

Hello! Please renew your client certificate and key according to the following instructions: https://airvpn.org/forums/topic/26209-how-to-manage-client-certificatekey-pairs/ Reason: we signed client certificates with SHA1 between 2010 and 2017. In 2017 we started to sign them with SHA512, but the update was not forced on customers in order to avoid sudden disconnections and potential compatibility problems. You're indeed a long time customer, thank you! Nowadays OpenSSL 3 (the SSL library used by OpenVPN) considers SHA1 based signatures insecure. By renewing the certificate you will have a new certificate signed through SHA512. Please remember that you need to re-generate your configuration file(s) after you have renewed the certificate. Kind regards

@julienth Hello! Eddie picks the DCO adapter which is already installed in the system, but this adapter is incompatible with the OpenVPN version (2.5.5) in your system that Eddie itself runs. You can solve quickly the problem in this way: https://airvpn.org/forums/topic/56643-stuck-in-a-broken-route-never-connects/?do=findComment&comment=225323 Alternatively you can install OpenVPN 2.6 (which supports DCO) and force Eddie to run OpenVPN 2.6. You can configure which OpenVPN binary Eddie must run in Preferences > Advanced > OpenVPN custom path. Kind regards

Hello! Let's verify whether the route check failure is a false positive or not: from Eddie's main window select "Preferences" > "Advanced" uncheck "Check if the VPN tunnel works" click "Save" enable Network Lock from Eddie's main window select "Preferences" > "DNS" uncheck "Check Air VPN DNS" click "Save" test again connections with WireGuard and OpenVPN. This time the connection should be fine from the log, but you must verify manually that you can perform your normal Internet activity. Network Lock will prevent anyway any traffic leak and make the route check superfluous Kind regards

Hello! Why do you mention the router again? The router would not enter into play in this case of port forwarding because you wrote that the connection is established from a computer behind the router, not by the router. Can you confirm this? Kind regards

Hello! Error 111 (connection refused) imply an active connection reset. Therefore the packets correctly reached the system connected to the VPN but they were actively refused. This event may occur when a packet filtering tool is configured to reject packets (and not dropping them silently) either globally or on a specific port, or when the operating system is configured to reset incoming connection without an end-point (in other words, when no process is "listening" to the destination port). Therefore, assuming that the Synology device is connected directly to the VPN, please check your packet filtering tool rules and check the configuration of the listening Download Station: it must be running, listening to the correct port (check your AirVPN account port panel) and binding (if a bind option is available) either to all interfaces or to the virtual network interface used by the VPN program. However, if it's your router the one connecting to the VPN and then sharing the connection with all the devices behind, then you must take care to forward the router port to the final destination, in this case the proper port of the LAN IP address of the Synology device. Kind regards

@julienth Hello! If the problem persists please post or attach to a ticket a system report generated by Eddie after the problem has occurred. Please see here to do so: https://airvpn.org/forums/topic/50663-youve-been-asked-for-a-support-filesystem-report-–-heres-what-to-do/ If the problem has been resolved in the meantime, please spend a minute to post the solution for all the community readers. Kind regards

Hello! Does the same problem persist if you try a connection via WireGuard? In order to switch to WireGuard: from Eddie's main window please select "Preferences" > "Protocols" uncheck "Automatic" select any line with WireGuard. The line will be highlighted. click "Save" and re-start a connection to apply the change please make sure to test a few servers in different locations around your node Kind regards

Hello! A new release is planned during April 2024. Stay tuned! Kind regards

Thank you for the head up! Problem fixed. Kind regards

Hello! This solution should work for you too: https://airvpn.org/forums/topic/56643-stuck-in-a-broken-route-never-connects/?tab=comments#comment-225323 Kind regards

Hello! It is possible, please see here: https://airvpn.org/forums/topic/26209-how-to-manage-client-certificatekey-pairs/ Kind regards

Hello! Before trying anything else, can you please make sure that your father's PC is really connected to the VPN? Please verify by browsing https://ipleak.net : the web site should show that the system is connected to some AirVPN servers and it should mention which server it is. For these preliminary tests please make sure to connect each device to a different VPN server: multiple connections to the same server with the same key may cause conflicts. In the future you can resolve the above problem (if you need to connect multiple devices to the same VPN server from the same account) by using unique key on each device, as AirVPN allows a thorough and flexible management of your account keys, please see here: https://airvpn.org/forums/topic/26209-how-to-manage-client-certificatekey-pairs/ Kind regards

Hello! The CPU of 10 Gbit/s servers does not have high load on average and the 10 Gbit/s servers have repeatedly reached more than 12 Gbit/s peak performance (6 up + 6 down). They also have quite a remarkable average, for example Haedus on weekends keeps an impressive 8 Gbit/s averaged on the 48 hours! OpenVPN surely loads the CPU, that's unavoidable, but we're topping CPU capacity only when the total amount of connected clients exceed 300, which normally should not happen: Eddie will not recommend connection to servers with approaching to limit connected clients and our areas FQDN will not resolve to those servers' IP addresses. As a side note, consider that the 10 Gbit/s servers marked with "6000 Mbit/s" maximum bandwidth are connected to a 10 Gbit/s port but with our plan the provider guarantees 3 Gbit/s full duplex 24/7, while they are "best effort" burstable to 10 Gbit/s. Kind regards

Hello! Please check your setup against the following guide: https://airvpn.org/faq/p2p/ On top of that, we have noticed a malfunction in some qBittorrent version (for example 4.5.5) in FreeBSD and Linux related to binding. If you set Tools > Preferences > Advanced > Optional IP addresses to bind to into All addresses, qBittorrent will reply only to IPv6 packets. If that's your case too, set that combo box to All IPv4 addresses. For additional safety you can also set the Network interface combo box (available in the same advanced menu) to your VPN interface. Always run qBittorrent only after a VPN connection has been successfully established. Kind regards

@shortfacedbear Hello! While Eddie Windows edition does not feature traffic splitting on an application basis (i.e. the feature you would need) WireSock for Windows has emerged in the last months as a practical and efficient solution even for your needs. https://www.wiresock.net/ On Windows, WireSock allows per app traffic splitting, per app reverse traffic splitting, per IP address destination traffic splitting, and hybrid traffic splitting with an extremely simple configuration file. According to the new reports we received from some of our Windows customers, it is probably a good solution which will save you from virtualization and from any solution requiring a fairly decent system and networking competence. According to those same reports, WireSock is fully compatible with AirVPN but unfortunately it is not open source software as far as we can see. Kind regards

Hello! Please force Eddie to refresh immediately the server list by clicking the refresh icon on the "Servers" window. If that doesn't work, from the main window uncheck "Remember me", log your account out, then log your account in again. On the iPhone, can you tell us which VPN server(s) you're trying to connect to? Also compare the servers with the current status https://airvpn.org/status Kind regards

Hello! It was a momentary problem which should have been solved. Can you please try again and report back? Kind regards

Hello! If DCO becomes stable and maintains the performance claimed in the OpenVPN Hackathon 2019 yes, we do, as DCO would outperform WireGuard (in real life we don't see much difference though, but we must keep into account that DCO is still highly experimental). On top of multi-threading support, it could be used over TCP too, which would be significant. On the server side it resolves also WireGuard limitation regarding the automatic IP address assignment in place of the moronic static, hard coded and on file key<->address bijection needed by WireGuard. On the other hand, on the Linux universe, we don't foresee DCO included in the mainline kernel, while WireGuard is already there. We'll see. It's a worthwhile test and we're thinking about it. Kind regards

Hello! You have entered the TLS Crypt key for the correct entry-IP address (213.152.162.86 is an entry-IP address "three", where you have support for tls-crypt). Thus the problem is somewhere else. On some firmware, the "static key" field is not the "TLS key" field. If that's the case you need to put the tls-auth.key content in the TLS field, while the static key field must be left empty (it's for an OpenVPN working mode without PFS which we do not support). Also you should make sure that there's no block against UDP in the firewall rules. Kind regards

You could certainly ADD a Wireguard only server, without taking away an OpenVPN server. Hello! The matter for future servers might be different of course. Kind regards

@marcos.machado Hello! Assuming that there is indeed no block at all against OpenVPN or UDP in the network, a possible cause of the problem is a mismatched TLS key. For entry-IP address 1 you need tls-auth key while for entry-IP address 3 you need TLS Crypt key. You deleted the IP address of the server so we can't tell which key you need. Since tls-auth and tls-crypt are mutually incompatible and OpenVPN server can start either in tls-auth or in tls-crypt mode we have been forced to make this distinction on different entry-IP addresses. Your OpenVPN version is also quite old, so consider an upgrade if possible. The Configuration Generator generates the proper key according to the connection mode you have picked. If you need split files (i.e. certificates and keys not embedded in the ovpn file) you can enable "Advanced" mode and then check "Separate certs/keys from ovpn files" option. In this case, the CG names the tls-auth and tls-crypt keys respectively ta.key and tls-crypt.key. You will also need to select "2.4" in the "OpenVPN profile" combo box, because OpenVPN 2.5 and newer versions support directives which are unknown to OpenVPN 2.4. Kind regards

Hello! Yes, it's strictly mandatory to support OpenVPN on every and each existing server, otherwise we would break compatibility with a relevant portion of customers who rely on OpenVPN support for their devices (or even because WireGuard is blocked in their network) on specific server(s). Stopping OpenVPN on existing server(s) would be a huge and serious problem, even without considering the contractual breaches. Kind regards