Staff

No, the server is not connected by OpenVPN to one of the Air servers. Hello! In this case you don't need to remotely forward port 2242. Not necessarily. Port 2242 is reserved to some other client and it is dynamically forwarded to that client only when it is connected and only on the server it connects to. Kind regards

Hello! The connections is correctly established but the check from the Air client fails. Usually there are two main reasons for this: - the connection drops immediately after it has been established, OR - after the connection the client can't access anymore airvpn.org for the security check of established connection Can you please try a connection directly with OpenVPN, or with the OpenVPN GUI? When you have connected (or tried a connection) with OpenVPN, can you please send us the output of the commands "route print" and "ipconfig /all" (from a command prompt or the PowerShell)? Kind regards

Hello! The backend server was replying to VPN servers but incorrectly and it also had a low load. So the VPN servers assumed that the 1st backend server they queried was ok and would not try a connection to the subsequent backend server. On the contrary the primary frontend (website etc.) correctly connected to a different backend server (the backend servers have a clustered database so they are constantly "aligned"). The result was a refusal of any new connection from the VPN servers, while the website was still up. Another detrimental consequence was that the monitoring system did not detect any problem, so it did not send any urgent warning message to the techies. Some changes have been applied on the backend server which had this problem. Since it has happened for the first time after we implemented, some months ago, a clustered database, we're still investigating to gain a deeper understanding of the issue. Kind regards

Sorry, I tried to upload more than 1 screenshot. Hello! Ok, now we have all the information we need. A rule is missing: iptables -I OUTPUT -o ! --dst a.b.c.d -j DROP # if destination for outgoing packet on is NOT a.b.c.d, drop the packet, so that nothing leaks if VPN disconnects # the above line can be duplicated for as many Air servers as you wish to connect to, just insert the appropriate Air server entry-IP This is the rule which will prevent leaks. a.b.c.d is the entry-IP address of the Air server DD-WRT router connects to. is your router network interface (probably br0, determine its name with command "netstat -r"). Important! Please note if you use the last entry above in the firewall (iptables -I OUTPUT -o br0 ! --dst a.b.c.d -j DROP) you will lose access to the router. Thus if the tunnel goes down ...well you know. So you may want to leave this entry off the GUI and if/when you are set up properly and then run it from the telnet prompt. That way if you need router access you can reboot and be OK. Please see also zdrifter post for more details. Kind regards

Before there were several dns servers listed including my isp, now only my isp. Hello! Ok, this new screenshot shows what you say. We should examine the iptables rules. Kind regards

Before there were several dns servers listed including my isp, now only my isp. Hello! They are not visible on the screenshot which is pertaining to the DD-WRT web interface. You should watch at the DNS servers displayed in the leak test site. Anyway, does the dns leak site display your ISP DNS? If so, can you please post your complete iptables rules list? Kind regards

Hello! Can you please try again now? Kind regards

Hello! We don't detect any problem anymore. Should you have any further issue, please do not hesitate to contact us. Kind regards

Hello! We have detected a problem on Serpentis port forwarding and potentially on other servers. It is probably related to the previous backend problem (the VPN servers need to know which ports are to be dynamically forwarded to which IP address inside the VPN). While all the connections between all the servers are re-established, this problem will be solved automatically. Please let us know which server(s) you detect the problem if it's not solved within a few minutes. Kind regards

Hello! Thank you very much, we're very glad and proud of this review. We would love to read the whole book as well! Can you give us the coordinates to buy the book? True, especially thanks to how OpenVPN works (if properly configured). Also, the different entry-IP and exit-IP addresses of each server prevent nasty correlation attacks against which even OpenVPN is powerless (it's not an OpenVPN fault, it's how the Internet works ). You will see a constant infrastructure expansion on various countries, some of them included in your list. We are also preparing new services which will be available in the next weeks to help people connect in countries where OpenVPN connections are disrupted. Unfortunately OpenVPN does not support XTS. In the future we will evaluate a change of cypher-system, however this is a delicate operation because it will force our clients to re-download configuration files. DD-WRT users might be forced to re-flash their router with new firmwares which implement latest OpenVPN versions. Currently AES-256-CBC, RSA 2048 bit key, double certificate authentication and TLS renegotiation provide a higher-than-military degree of security on the cypher-system side, without an excessive computational burden on older CPUs. It's true that our servers are (also) networking sharing devices. Sharing a device is a necessary prerequisite to keep a strong anonymity layer. The WIMIA test software is closed and undocumented. Currently, experts suggest that WIMIA maintainers also add IP addresses and IP ranges from dedicated servers providers on their database. Therefore there's no way to fool a WIMIA test if any person sends them one of our servers exit-IP addresses (they also have a form that can be used by snitches). This may become a problem if more and more web administrators will bar access from VPNs using WIMIA, however the more privacy awareness (as well as usage of NATs from ISPs) spread, the more this problem will heap only on those websites. We're looking forward to hearing from you. Kind regards

After reading zdrifter's post I found that I use tun1 interface. I added the new iptables (except for the last line) in the firewall and saved. I still have a dns leak confirmed with http://www.dnsleaktest.com Hello! Can you please tell us which DNS servers are displayed by the dns leak test? Kind regards

Hello! A backend server is a machine which works "behind the scene". No client ever communicates directly with it, but the VPN servers do for various purposes (remember, we don't keep ANY database on VPN servers for security reasons). When a backend server does not respond, the VPN server queries the next one (and so on) - a redundancy system to keep the system up even if one or more servers are down. In this case, the system worked partially when a backend server began to have problems: the website could remain up, but establishing new connections to VPN servers was not possible. We're investigating. Kind regards

Hello! We have had a major problem on one of our backend servers. The problem did not affect already established connections or the website, but it did prevent new connections. The failover system worked only partially . The problem has been now fixed, however we are still working on the system so please do not hesitate to contact us for any further issue. Kind regards

Hello! We have had a major problem on one of our backend servers. No attacks, no pressure from any entity (except the usual spammers, but that goes on by default ). The problem prevented new connections to our servers and has been now fixed. However, we're still working on the system in order to ascertain why the failover redundancy system worked only partially, therefore please do not hesitate to contact us for any further issue. Kind regards

Hello! We have had a major problem on one of our backend servers which prevented new connections. The problem has now been fixed, can you please try again? We're still working on the system, so if you find any issue please do not hesitate to contact us. Kind regards

Hello! We have had a major problem in one of our backend servers. It did not affect already established client connections but it did prevent new connections for 5 hours. The problem has been now fixed. However, we're still working on the system, so please do not hesitate to contact us for any issue. We apologize for the inconvenience. Kind regards

Hello! We have had a major problem in one of our backend servers. The failover system worked only partially and we needed some time to restore everything. The problem did not affect already connected clients, but it did prevent new connections for about 5 hours. The problem has been now fixed. We're still working on the system, therefore please do not hesitate to contact us for any issue. We apologize for the inconvenience. Kind regards

Hello! We're sorry, we use OpenVPN in "routing mode". The adapter, both on the server and client side, must be a TUN interface operating on layer 3, not a tap adapter handling layer 2 packets. If you use OpenVPN in bridged mode, you can't connect to Air servers. That said, it remains to be seen whether what you want achieve is possible with PPTP. Your household machine should act simultaneously as a PPTP server and OpenVPN client. Unfortunately we are not able to give you support on this and we can't say for sure if it's possible or not. However, it is definitely possible (at least on Linux) to run multiple OpenVPN instances, each running either in server or client mode, with an arbitrary number of tun interfaces, and it is also definitely possible to use a Linux box as a simultaneous OpenVPN server for its clients and an OpenVPN client for the Air servers. It is possible to do that even with just one physical network card. You will need to modify the routes pushed by our servers to your OpenVPN client, enable IP forwarding and set an appropriate routing table which allows packets routing and NATting between OpenVPN server and client. The setup requires a fairly good knowledge in networking, anyway you can be sure 100% it's possible (with only one physical network card) because we do that for services both for our clients and for internal purposes. Kind regards

I changed my firmware version and was able to connect! The OpenVPN setup page on DD-WRT wouldn't accept LZO Compression set to "yes" only "adaptive". Hello! That's great, thank you for the information. Could you please specify the exact firmware version that is working with your router model? That does not necessarily mean that you have a DNS leak from your router. First please check that you really have a DNS leak here: http://dnsleaktest.com Then, please make sure that the leak is not caused by the devices connected to the router (do not force them to use different DNS servers). If the leak is confirmed, you might like to read the zdrifter post about that and more (it will prevent any leak): https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=2377&Itemid=142#2377 Kind regards

Hello! The peering of our servers datacenters did not change in the last 2 weeks and the recorded performance is as high as usual. Furthermore we also added more bw redundancy. Please note that: - our NL and DE servers are in datacenters with POPs directly connected to tier1 providers with high bandwidth redundancy - you find the very same problem on different datacenters and networks - 2 weeks ago you recorded "blazing speeds" - you record high performance during the first minutes, then you lose connection or you have very high packet loss Therefore and unfortunately everything, really everything, suggests that it is a problem either of your ISP (or the ISP of your ISP etc.) or maybe of your last-mile, born during the last 2 weeks, Unfortunately, in this case, there's nothing we can do. If it was a fault on our side, we could work on it, but given the information you provided the problem is on your side and we are powerless. Just to try all the options, maybe it is not your ISP fault, but only a faulty router which shows the defect especially during tunneling (you would hardly notice dropouts without tunneling). Kind regards

The log showed that I do connect but then disconnect. I tried the connection with the same configuration again with the same results. The STATE keeps showing Client:RECONNECTING. 20120912 21:06:22 I TCP connection established with 108.59.8.147:80 20120912 21:06:22 I TCPv4_CLIENT link local: [undef] 20120912 21:06:22 I TCPv4_CLIENT link remote: 108.59.8.147:80 20120912 21:06:22 TLS: Initial packet from 108.59.8.147:80 sid=686390b6 ba017dab 20120912 21:06:23 VERIFY OK: depth=1 /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org 20120912 21:06:23 VERIFY OK: nsCertType=SERVER 20120912 21:06:23 VERIFY OK: depth=0 /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.org 20120912 21:06:23 MANAGEMENT: Client connected from 127.0.0.1:5001 20120912 21:06:23 D MANAGEMENT: CMD 'state' 20120912 21:06:23 MANAGEMENT: Client disconnected 20120912 21:06:23 MANAGEMENT: Client connected from 127.0.0.1:5001 20120912 21:06:23 D MANAGEMENT: CMD 'state' 20120912 21:06:23 MANAGEMENT: Client disconnected 20120912 21:06:23 MANAGEMENT: Client connected from 127.0.0.1:5001 20120912 21:06:23 D MANAGEMENT: CMD 'state' 20120912 21:06:23 MANAGEMENT: Client disconnected 20120912 21:06:24 MANAGEMENT: Client connected from 127.0.0.1:5001 20120912 21:06:24 D MANAGEMENT: CMD 'log 500' 19700101 00:00:00 Hello! It might be a firmware problem. Can you please try to change version? Kind regards

Hello! Yes, a new servers real time monitor which will provide you with more information is almost ready. Kind regards

Hello! This is normal: Comodo can't know the exact range of our network zones. You can avoid this annoyance defining a network zone which covers the range 10.4.0.0->10.9.255.255. For more information please see https://airvpn.org/specs We have noticed those problems intermittently and we have partially solved them, we're still investigating. Currently you should not have any problem, neither on the website nor with servers connection. Please do not hesitate to contact us for any further issue. Kind regards

Hello! uTorrent is capable to perform the correct UDP Hole Punching through our VPN servers NAT. Skype is considered to be able to do that too. This is possible because Air implemented NAT is p2p friendly, a "cone NAT" (see RFC 3489) . It "focuses" all sessions originating from a single private endpoint through the same public endpoint on the NAT. (Ford, MIT, "Peer-to-Peer Communication Across Network Address Translators", 2005). (Ford) For (a lot of) additional information please see http://www.brynosaurus.com/pub/net/p2pnat , in particular paragraphs 3.2, 3.4 and 5.1. Kind regards

Hello! Thank you very much, your words are much appreciated. We are committed to providing you with an ever improving service. Kind regards