Everything posted by Staff
-
Hello! It's very simple, first connect to Air, then launch the TOR browser Aurora (if you use the TOR browser bundle) or your favorite TOR configuration. Please note that in this case only applications configured to use TOR will be tunneled over TOR over Air, all the others will be tunneled over Air only. Kind regards
-
Hello! Sure, thank you for the suggestion. You can already see them from the source code of the page, anyway for your and other readers' comfort you can see them in the configuration files, at the line "remote". You can generate all the configuration files in one shot with our configuration generator. We don't publish the entry-IP addresses list publicly in plain-text to mitigate DDoS botnet attacks. Kind regards
-
Blocking bit torrent when not connected to airvpn
Staff replied to nobody12321's topic in General & Suggestions
Hello! This is the reason for which you wrongly reported that Comodo does "not block": you did not activate it. Please make sure to set Comodo "Firewall Security Level" to "Custom Policy". If "Firewall Security Policy" is set to "Training Mode", "Disabled" or "Safe Mode", the custom rules are not applied. Privatefirewall supports IP ranges. Just specify a NetMask, please see the previous message for an explanation. Basically, any firewall that deserves to be called a firewall can do the job. However, the only firewall we recommend for Windows is Comodo, due to severe outgoing leaks and insufficient pro-active security suffered by any other firewall for Windows (in particular on 64 bit systems). You can get a list of firewalls here, all of them checked with 110 significant tests which try to provoke leaks: http://www.matousec.com/projects/proactive-security-challenge-64/results.php For your security, we recommend to avoid firewalls with a Product Score lower than 90%. Please refer to this post in order to set Comodo rules: https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=3405&Itemid=142 Kind regards -
I thought a TCP connection was slower than a UDP connection? It's certainly slower than my previous ISP connection (through port 443 UDP on the same hardware and line) was. It's about half of my maximum speed. Hello! Yes, there's an overhead, but usually the difference in performance is not so dramatic. Thank you very much. At your convenience do not hesitate to contact us, because chances are that the problem lies in your device or OS, not in BT. It will be interesting that you test out new servers when they are available (soon). By the way, did you perform the "DNS test" recommended by the previous admin? Kind regards
-
Hello! Previous threads on Windows and Comodo to prevent DNS leaks and leaks in case of unexpected VPN disconnection have become very big and detailed. We invite you to consult those threads for details and support, while we publish this message as a quick, clarifying overview of the essential steps.

Please note that if you don't use Windows you don't need to read this post. If you use Windows and a firewall other than Comodo, you can anyway take these rules as an example and adapt them to your firewall.

This is a minimal set of instructions to prevent any leak in case of unexpected VPN disconnection and prevent, in any case, DNS leaks, on Windows systems with Comodo firewall. Comodo firewall is currently the only firewall we recommend for Windows. The free version is just fine for our purposes.

Never rename the rules: in case you need support, we need to see what the rules really state.

1) If you're not familiar with a firewall, read Comodo Firewall manual or guides. In particular, please see the following:
https://help.comodo.com/topic-72-1-451-4773-global-rules.html
https://help.comodo.com/topic-72-1-451-4884-Network-Zones.html

2) Install Comodo Personal Firewall free version available here: https://personalfirewall.comodo.com/

3) Set the Firewall Security Level to "Custom Policy"

4) Determine or create the Network Zone of your TAP-Win32 network adapter (from now on "AirVPN"). A safe way to define it:
    IP Range [10.1.0.0 - 10.255.255.255]
if you need OpenVPN over SSH/SSL and other alternative connection modes, see also https://airvpn.org/specs

5) Determine the entry-IP addresses of the AirVPN server(s) you wish to connect to: https://airvpn.org/topic/14378-how-can-i-get-vpn-servers-entry-ip-addresses

6) Define a "Global Rule" which blocks everything:
    Block And Log IP In/Out From MAC Any To MAC Any Where Protocol Is Any
The logging is important for troubleshooting if necessary.

7) Put the above Global Rule in the top position. This will block completely your connectivity and let you add a whitelist of Allow global rules put BEFORE this total block global rule. All the "Allow" rules that you want to be evaluated shall be put BEFORE (i.e. higher than) the above block rule.

8) Define a "Global" rule which allows in/out communications of your TAP-Win32 adapter ("AirVPN") both In and Out:
    Allow IP In/Out From In [AirVPN] To MAC Any Where Protocol Is Any
    Allow IP In/Out From MAC Any To In [AirVPN] Where Protocol Is Any

9) Do the same for your loopback zone (IP range 127.0.0.1 - 127.255.255.254)
    Allow IP In/Out From In [Loopback Zone] to MAC Any Where Protocol Is Any
    Allow IP In/Out From MAC Any To In [Loopback Zone] Where Protocol Is Any

10) Do the same for any entry-IP address of the VPN servers you wish to connect to. For example for Leporis:
    Allow TCP or UDP In/Out From IP 95.211.191.33 To MAC Any Where Source Port Is Any And Destination Port Is Any
    Allow TCP or UDP In/Out From MAC Any To IP 95.211.191.33 Where Source Port Is Any And Destination Port Is Any
For your comfort, you might define a Network Zone (for example [Air servers entry IPs]) containing only the entry-IP addresses of our servers and then set two rules like
    Allow TCP or UDP In/Out From In [Air servers entry IPs] To MAC Any Where Source Port Is Any And Destination Port Is Any
    Allow TCP or UDP In/Out From MAC Any To In [Air servers entry IPs] Where Source Port Is Any And Destination Port Is Any
In this way, you will only need to add a single IPv4 address to that Network Zone in order to connect to a new server, instead of defining two additional rules for each server, which may be annoying if you switch between a lot of servers.

11) Add similar rules to allow communications of your device with your router (and within your home/office network, if you wish so). For example, if your network is [192.168.0.0 / 255.255.0.0] define a network zone with IP Range [192.168.0.0 - 192.168.255.255] (let's call it "Home Network") and set the following rules:
    Allow TCP In/Out From In [Home Network] To In [Home Network] Where Source Port Is Any And Destination Port Is Any
    Allow UDP In/Out From In [Home Network] To In [Home Network] Where Source Port Is Any And Destination Port Is Not 53
    Allow ICMP In/Out From In [Home Network] To In [Home Network] Where ICMP Message Is Any

11a) Allow DHCP "negotiation":
    Allow IP In/Out From MAC Any To IP 255.255.255.255 Where Protocol Is Any

12) In order to allow "airvpn.org" resolution even when disconnected (and any other hostname you wish to be resolved even when VPN is disconnected), add to your hosts file the line:
    95.211.138.143 airvpn.org
Do not forget about this change! If we change our main frontend IP address, you will not be able to reach airvpn.org anymore until you remove that line. No more necessary starting with Air client edition 2 "Eddie".

13) If you use the Air client, add rules to allow communications with IP addresses 5.196.64.52 and 95.211.138.143 (two of our frontend servers), In and Out
    Allow TCP or UDP In/Out From IP 5.196.64.52 To MAC Any Where Source Port Is Any And Destination Port Is Any
    Allow TCP or UDP In/Out From MAC Any To IP 5.196.64.52 Where Source Port Is Any And Destination Port Is Any
    Allow TCP or UDP In/Out From IP 95.211.138.143 To MAC Any Where Source Port Is Any And Destination Port Is Any
    Allow TCP or UDP In/Out From MAC Any To IP 95.211.138.143 Where Source Port Is Any And Destination Port Is Any

14) You can progressively enlarge your whitelist just by adding "Allow" rules before the total blocking rule of point 6) according to your system needs.

Keep in mind that there are literally dozens of ways to accomplish the same task with Comodo.

Pay attention not to confuse the "-" symbol, which stands for "IP range", with the "/" symbol, which stands for IP address / NetMask. For example, [10.4.0.0 - 10.9.255.255] is correct (the IP range from 10.4.0.0 to 10.9.255.255), while [10.4.0.0 / 10.9.255.255] is NOT correct (IP 10.4.0.0 NetMask 10.9.255.255, which covers almost every existing IP address!).

When you have defined all the rules, do not forget to click "Apply" and "OK" in order to store them and make them active for any new connection.

Test everything and do not be afraid to experiment before you rely on the secured connection for sensitive data transmissions.

Kind regards
-
Hello! That's odd, we will keep you informed if we receive similar reports from British Telecom customers. Thank you for the information. Also, please make sure that a firewall (on your computer or router) is not blocking ports. Also antivirus programs have sometimes been reported to act weirdly with OpenVPN. Anyway, please note that from the previous logs it appears that you can also connect to Lyra port 443 UDP just fine. The Google results are fine. If you don't see any OpenDNS DNS, then you have no DNS leak. This does not mean that DNS leaks (i.e. DNS queries unencrypted going to OpenDNS) may not happen in the future, if you use Windows. In the forum you'll find several ways to prevent DNS leaks for Windows. Why should your speed be halved on port 53 TCP? Kind regards
-
Hello! The logs are just fine. It might be a DNS problem. Try the following:
- connect to a TCP port (like you did with Omicron)
- open your browser and browse to http://46.105.19.36 and http://airvpn.org (alternatively, ping or dig different IP addresses and domain names).
If you can see that you can reach hosts without DNS resolution (that is, pointing directly to their IP address), but not pointing to their name, then you have a DNS push problem, which may happen sometimes on Windows systems. In this case, force the system to use our DNS as primary ("preferred", in Win7 idiom) and your favorite DNS as secondary ("alternate"). In order to determine the IP address of our DNS according to the port you connect to, please see here: https://airvpn.org/specs For example, DNS for clients in VPN port 53 TCP is 10.9.0.1. Kind regards
-
@softrock Hello! As it was suspected, the problem is in your system. See here: It means that OpenVPN has not the privilege to modify the routing table and/or access the TAP-Win32 network interface. Please make sure that you launch OpenVPN (or the OpenVPN GUI) with administrator privileges and that the TAP-Win32 interface is installed (check with "ipconfig /all"). If you can't manage to solve the problem, the quickest solution is a complete uninstall and re-install of OpenVPN. When you re-install, please make sure that you authorize the installer to install ALL the drivers it asks for your authorization. Kind regards
-
@pmatisse Hello! The authentication with our VPN servers is performed through key and certificates, so you should never be prompted for a username/password when using OpenVPN. Perhaps OpenVPN can't access a certificate or the key? Can you please send us the attempted connection logs? Kind regards
-
Hello! Please activate that rule only after the connection to a VPN server. Switch to global rules in order to be able to connect without having to turn on and off rules. Kind regards
-
Hello! Since we have no reports from any other BT customer, perhaps it's a problem in your connection or configuration, not in BT network. Can you please send us the connection logs? Kind regards
-
Hello! DNS leaks are a typical Windows problem. You can fix it easily, please see here: http://www.dnsleaktest.com/how-to-fix-a-dns-leak.php Furthermore, you can secure your connection against any leak in case of unexpected disconnection, which will also fix any DNS leak, with a firewall (Comodo firewall is recommended): https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=2183&Itemid=142 Kind regards
-
Hello! Castor had problems for less than 15 minutes due to unknown reasons (probably related to the datacenter). When we realized the problem and started investigating, the issue was already solved, so we did not publish any announcement. We have discussed between us about this and we found it quite questionable, if not totally unacceptable. Basically, we considered that if a user forgets the connection on, he/she may as well forget his/her p2p client or anything else running. Forcing a disconnection, and therefore potentially causing an IP leak (or a stop of activities if the user secured the connection with a firewall), and/or ports and services exposure etc. is an intrusive behavior which we consider dangerous, sort of undue "baby sitting". Kind regards
-
Hello again, the VPN servers don't "know" the accounts that are connected to themselves or to any other VPN server. This is necessary for additional security (no database stored on the VPN servers). Kind regards
-
Hello! This was fixed. There is no 2 minutes timeout. Currently the problems are essentially on the client side and (rarely) when a VPN server has connection problems with the backend (we'll solve this very soon as well), however we're installing new software versions on the server side to fix the remaining OpenVPN server glitches. You can test the new version on Orionis and Leonis. If the results are good as we expect, we will install it on all the servers. The beta testing phase has been successfully passed so we put it into production on these two servers 7 days ago to check whether there are negative feedbacks (none at the moment). Kind regards
-
Blocking bit torrent when not connected to airvpn
Staff replied to nobody12321's topic in General & Suggestions
Hello! You mean you set the Comodo firewall in "Block All" mode and it did not block ANY outgoing or incoming packet? Also, please make sure that when you define your rules, you set the firewall security level to "Custom Policy". You might like to check your traffic with Wireshark. Kind regards -
Blocking bit torrent when not connected to airvpn
Staff replied to nobody12321's topic in General & Suggestions
I don't want to allow only ip addresses. I want to allow the vpn's ip range (10.4.0.0-10.9.255.255) Hello! Yes, you had the answer already. You can set a netmask for each IP address to approximate the IP range. For example 10.0.0.0 NetMask 255.240.0.0 is 10.0.0.0->10.15.255.255 (in CIDR notation: 10.0.0.0/12). Kind regards -
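The range-versus-netmask conversion discussed in the post above and in the earlier "-" versus "/" warning, as an added example that is not part of the original posts. The function names are hypothetical, and the code does not model how Comodo or Privatefirewall themselves parse a malformed netmask; it only shows the exact netmask entries for a range, how far a single netmask over-approximates it, and how to catch a range end typed into a netmask field.

```python
import ipaddress

def is_contiguous_netmask(mask):
    """A real netmask is a run of 1-bits followed only by 0-bits."""
    inverted = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0

def netmask_to_range(ip, mask):
    """First and last address matched by an 'IP / NetMask' firewall entry."""
    if not is_contiguous_netmask(mask):
        # Typical slip: the end of an IP range typed after '/' instead of '-'
        raise ValueError(f"{mask} is not a netmask (range end after '/'?)")
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return str(net[0]), str(net[-1])

def range_to_netmasks(first, last):
    """Exact cover of [first, last] as (network address, netmask) entries."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [(str(n.network_address), str(n.netmask)) for n in nets]

def extra_addresses(ip, mask, first, last):
    """Addresses an 'IP / NetMask' entry allows beyond the intended range."""
    lo, hi = (int(ipaddress.IPv4Address(a)) for a in netmask_to_range(ip, mask))
    want_lo = int(ipaddress.IPv4Address(first))
    want_hi = int(ipaddress.IPv4Address(last))
    if lo > want_lo or hi < want_hi:
        raise ValueError("netmask entry does not cover the whole range")
    return (hi - lo + 1) - (want_hi - want_lo + 1)

if __name__ == "__main__":
    # Range quoted in the thread: 10.4.0.0 - 10.9.255.255
    for addr, mask in range_to_netmasks("10.4.0.0", "10.9.255.255"):
        print(f"exact entry: {addr} NetMask {mask}")
    # Single-netmask approximation given in the reply: 10.0.0.0 / 255.240.0.0
    print("approximation covers:", netmask_to_range("10.0.0.0", "255.240.0.0"))
    print("addresses allowed beyond the range:",
          extra_addresses("10.0.0.0", "255.240.0.0", "10.4.0.0", "10.9.255.255"))
    # The mistaken entry from the overview post is rejected before use
    try:
        netmask_to_range("10.4.0.0", "10.9.255.255")
    except ValueError as err:
        print("rejected:", err)
```

A firewall that accepts only IP / NetMask entries needs one allow rule pair per entry returned by `range_to_netmasks`; a single wider netmask is simpler but whitelists the extra addresses counted by `extra_addresses`.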
Blocking bit torrent when not connected to airvpn
Staff replied to nobody12321's topic in General & Suggestions
Independent peer reviews are important. You can't assume that Comodo pays all the researchers in the world. The following tests, just to make an example, are very important in terms of pro-active security and leaks: http://www.matousec.com/projects/proactive-security-challenge-64/results.php Anyway, under a general point of view, you are right, personal software firewalls for Windows have very low quality if compared to free and open source products in other OS. Perhaps this is just a consequence of the Windows OS design and its closeness. You can set a netmask for each IP address you specify (at least Privatefirewall version 7.0.28.1 has this option). You might like to ask for support in their forum. Kind regards -
Hello! There is no difference in security. We offer both options to meet a wider range of tastes and needs. Kind regards
-
Hello! Thank you very much for the information. We strongly recommend all Draconis users to perform the same test on all the ports. Kind regards
-
Hello! Older Air client versions are not available in our website. You might like to connect via the OpenVPN GUI. About ICMP packets from your ISP DNS, there is no correlation with the Air client. See also here: http://forums.comodo.com/empty-t16873.0.html When you're connected to the VPN, you can safely drop those packets as you do now. When you're not connected, you might like to accept those packets, because they show some malfunctioning from your ISP DNS (one of your ISP DNS port 53 does not respond). Kind regards
-
Blocking bit torrent when not connected to airvpn
Staff replied to nobody12321's topic in General & Suggestions
@nobody12321 Hello! First of all, we're very glad to read that you managed to solve the problem and we would like to thank you for the detailed report. To summarize your considerations, these are our recommendations for Windows users. Of course anybody is free to ignore them.
1) Never use simultaneously two (or more) different antivirus, firewall or any other software which can run with high privileges. This is also true for any combination of programs which monitor the system.
2) Never use Symantec products
3) Comodo is the ONLY firewall we recommend for Windows 64 bit. Should another product beat its reliability, we will make an update. Currently most Windows firewalls (including Microsoft Windows firewall) appear as useless toys when it comes to pro-active security and prevention of outgoing leaks. However, recently Privatefirewall (7.0.28.1 or higher) has been greatly improved and it is probably the best firewall after Comodo. It supports IP ranges (just specify a netmask).
Obviously you can't pretend on Windows systems the reliability and power of packet filtering tools available in BSD and Linux systems. Our considerations are based on independent peer-reviews from the major security experts around the world. Kind regards -
Hello! Interesting, this looks like a completely different problem. Assuming that you started your torrent client after you connected to the VPN, new torrents work with or without port forwarding (except when you are the initial seed). It may be caused by very many different factors (DHT disabled and private trackers, unconnectable trackers etc.), so that old torrents continued to work because the client had cached at least the IP address of one active peer and peer-exchange was enabled, while new torrents could not start, missing both the DHT and tracker bootstrap. Kind regards
-
Hello! Can you please try a connection with the OpenVPN GUI, with the very same Comodo rules (you don't need to modify anything), and see whether the problem is solved or not? Kind regards
-
Hello! Just a remark: torrent clients work with Air "out of the box". They can run without any port forwarding (as millions of users behind a NAT without port forwarding know well). Port forwarding is an additional option to improve performance and allow initial seeding, while at the same time maintaining the added security of a shared exit-IP address. Kind regards