@chimney sweep

Hello!

Feel free to specify the server. To forward an inbound port to a specific node, a server applies prerouting rules created (according to customer's settings), transmitted and ordered by our backends to the VPN server. Failure of rules enforcement only on one server hints to a problem of some kind related to that server, and by telling us the specific server you experience the problem on you help us troubleshoot those cases which are not detected by the automatic supervision and warnng system.

Kind regards
 

@JamesFrancis

Hello!

Please try connections to specific Swiss servers and note whether you can connect to some of them. We operate different datacenters in Swiss so it seems impossible that they have the same problem at the same time. However, when you use the FQDN ch3.vpn.airdns.org, you end up to a specific server which the system reputes "the best in Swiss", therefore checking single servers one by one is essential to understand the nature of the problem.

Then, please send us the list of servers you can't connect to and a log showing the connection failure.

Kind regards
 

2 hours ago, OpenSourcerer said:

Probably the best option. Though, it involves coding something of a forum, too, if you want to keep it.

Hi,

that's true. Perhaps the most practical solution is entering a transitional state by leaving some forum dedicated section still to Invision and rewriting (when the license allows it) some critical parts we don't like of those sections, while other important parts and pages will be completely detached from Invision. Then, in a farther future, eliminate the remaining Invision parts one by one.

Kind regards
 

18 hours ago, OpenSourcerer said:

So, what might be the next board software? Anything tested so far?

Hello!

It's a work in progress and some tests have been performed successfully. If possible, but we do not promise it in any way for it's just a distant aim at the moment, we would like to offer a completely customized web site which gets rid of Invision once and for all.

Kind regards
 

6 hours ago, turtle8437 said:

The fact that there's no proof you've ever given evidence to the government doesn't mean you haven't. You haven't been independently audited. And you're fingerprinting people's hardware. When they register. And asking users to trust you because you've funded tor nodes that also haven't been audited.

Hello!

Of course, absence of evidence is not evidence of absence, but at least you can't find any proof that any identity of our customers has ever been disclosed, while such cases are notorious for various competitors. While science can't prove that there are no pink donkeys, because scientific inquiry can't bring evidence of absence, the scientific method forces you to bring a proof, specifically at least one pink donkey., to show that they exist. Now, either you bring some proof for your insinuations, or you are just another trolltard.
 

Quote

But fine, I guess I can trust you. After all, at the end of the day, good privacy has to come down to trust, right?

Not at all, or at least "not necessarily",. You can still access our onion web site, or even access our regular web site through Tor, which is a much stronger clue against your fears than any audit can provide because an audit which is paid by the audited can not be trusted. Can you tell us what good the excellent audits performed on ExpressVPN (who hired CIA intelligence agent who worked for UAE government to crack activists and journalists devices) or PIA and CyberGhost (which are owned by an adware and malware specialized Israeli company) brought to customers?
 

Quote

And asking users to trust you because you've funded tor nodes that also haven't been audited.

This shows your ignorance on how Tor works, shame on you. The power of Tor is mainly due to the fact that you don't need an audit of every single Tor relay and that end-to-end encryption has wiped out Tor malicious exit nodes which could intercept your unencrypted communications and take advantage from them even though the exit-node does not know where they come from. Please get informed before you publish such nonsense.

Kind regards
 

@regvpn

Therefore you are not able to substantiate your imaginary claim 
 

Quote

According to VPN site your servers are based in Italy

We acknowledge it and we assure the community that "regvpn" will not be able to troll here and pollute the community forum anymore.






 

@lex.luthor

Hello!

Please check rules with Bluetit not running as well. Make sure that INPUT and OUTPUT chains policy is, for both chains, set to ACCEPT when Bluetit is not running. If it's not, make sure to flush all rules and set the proper policy before you start Bluetit again.

Registering a root process like Hummingbird as a "service" is another Window-ish abomination made easy by systemd which incredibly discourages true daemons even in the documentation! In general it is a bad idea. Use real daemons like Bluetit instead as you are correctly doing now, please do not follow the Windows-ish logic of systemd, at least in this case.

Feel free to keep us posted!

Kind regards
 

Hello!

It's an Invision Power Board feature we don't like as well, but it's used only for your comfort. We do not exploit (if it was even possible) such data to profile you. We are anyway dropping IPB (the procedure is not trivial, we started it months ago but some more time is still needed). Also note that our web site and apps do not use tracking cookies, trackers or anything else and we run scripts to wipe out some IPB caching, just in case it was dangerous. If we had known in 2010 that IPB would have evolved in this way, our initial choice for the community and non-community forum would have probably been different

ProtonMail had a court order to log and transmit the IP address of a specific account, they actually did not do it before they were served the subpoena. It's anyway a mail related issue, not a VPN one, where a subpoena can't indicate an e-mail address (we do not require an e-mail address in account data).

Please note that contrarily to what numerous "competitors" did, in 11 years of activity AirVPN has never disclosed the identity of its customers, not a single one. In any case some skepticism is welcome and we invest very much on Tor (4% of worldwide Tor exit nodes traffic is supported economically by AirVPN), which is free for everyone and offers a very robust layer of anonymity. Use Tor for free in any case and especially if you can't trust us.

Last but not least, the problem you have correctly underlined is negligible when compared to other dangers you must take into account. We wrote an article in 2013 to suggest how to defeat powerful adversaries, even when you can't trust one of your providers (including the VPN). It's an 8 years old article but it's still good and valid:
https://airvpn.org/forums/topic/54-using-airvpn-over-tor/?tab=comments#comment-1745

Kind regards
 

@lex.luthor

Hello!

Yes, some progress in names resolution which is now successful (even though we still see an initial failure, then the resolution is successful and correct). Unfortunately now a new problem has come out: UDP appears as a blocked protocol. Might it be that you're running some other firewall frontend such as ufw that's creating some interfering rules? We remember (but we could be wrong) that some default ufw configurations create custom chains and that UDP to some ports get blocked. If that's the case can you please try again with ufw (or any other custom fw frontend) completely disabled? The error message:

Nov 25 21:39:38 betelgeuse bluetit: UDP send exception: send: Operation not permitted

is a typical error hinting to a local, and not external, system UDP block.

Kind regards
 

@Pwbkkee

Hello!

The system does exactly what it's instructed to do and you are clearly warned that such a situation may occur if your run systemd-resolved or a network manager. The traffic flows only between your router and your system and any final public destination that's not the VPN server is blocked on the system where the AirVPN Suite runs. It's not blocked on devices where Goldcrest and Bluetit don't even run. This is so obvious that we did not think it's necessary to explicitly explain it.

You can't consider Goldcrest/Bluetit responsible for something that your router, and not your system, does: Goldcrest and Bluetit do not even run on the router and they have no control over it. Thank you anyway for your point of view, we will consider to specify that the AirVPN Suite can't magically influence the behavior of devices which it doesn't run on.

Kind regards


 

4 hours ago, lex.luthor said:

Thanks for your help. Can you please point me in the right direction to resolve the issue with my DNS?

Hello!

Sure. From your descriptions we assume that it's systemd-resolved the daemon handling DNS setting in your Ubuntu 20 system, so we suggest you check here:
https://unix.stackexchange.com/questions/588658/override-ubuntu-20-04-dns-using-systemd-resolved

Do not miss this bug, just in case it's relevant in your case: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1774632
The bug is pointed out in the above linked thread but in a minor comment and it could be missed. When you know it, patch is straightforward.

If you need a recommendation on DNS servers, we suggest Quad9 (9.9.9.9) and OpenNIC, also see https://www.quad9.net/ and https://www.opennic.org

If we're wrong about our first assumption, please tell us how your system handles DNS settings and we will point you in the (hopefully ) right direction.

Kind regards
 

2 hours ago, regvpn said:

Italy has created a precedent when government can demand people to do whatever it wants without any regard to human rights. Lockdown, de facto forcing people to do stuff to their bodies, banning them from work.

Hello!

Suspension of constitutional rights in a state of emergency is foreseen by the Constitution itself, which explicitly mentions sanitary/public health emergency. A state of emergency, in any case, must be approved by the majority of the Parliament, it can't be declared unilaterally by the Government, and has a clear end time, after which it must be renewed again with Parliament majority approval, otherwise it ends. Human rights suspended in Italy have been suspended even in many other countries belonging to the so called "Western democracies", it's not that Italy is so special here.
 

Quote

Along this lines, nothing can stop the government to subpoena all the Airvpn records and logs. 

This has nothing to do with the above. It can be enforced even without the state of sanitary emergency. Such subpoena can't acquire anyway data which does not exist, obviously.
 

Quote

In you response you glaze over the logs issue and data retention. What and how log this information "does exist"? 

We already told you very clearly that such traffic data retention does not exist in our infrastructure, and we mentioned the relevant EUCJ decisions on the matter to explain why some EU countries we operate servers in can't legally oblige blanket data retention in spite they try to do so, so they can be challenged successfully if a casus belli emerges.. The Privacy Notice is very clear about it too and you explicitly accepted it years ago, so you may not claim you don't know it under a legal point of view. The Privacy Notice is linked at the bottom of all of our web pages. Here some excerpt for your comfort:
 

Quote

Air servers and software procedures in general do not acquire personal data.
[,,,]
Activity traffic and/or traffic content and/or IP addresses of the customers or users are not inspected, logged or stored into any mass storage device.
[...]
Users do not need to enter any personal data to access Air services.
[...]
A valid e-mail address is NOT required to access Air services and/or receive technical support, so usage of a valid e-mail address remains totally optional.
[...]
Users have the right to ask for information about their data and to ask for deletion of any data pertaining to them with a simple written request by e-mail to: info (at) airvpn (dot) org.

 

Quote

According to VPN site your servers are based in Italy, i

Maybe in your fantasy? Please point us where it is stated, because it's not true. Currently in Italy we operate only a geo-routing server, which is irrelevant for VPN data protection.

Kind regards
 

@Pwbkkee
 

Quote

My system can and does query the router's resolver during an active VPN session—it does so after its DHCP lease is renewed during the active VPN session.

Hello!

You have various options to resolve this problem. You can have e a longer DHCP lease time (1 year is not atypical), you can disable DHCP for sensitive machines, or you may set in one second the proper firewall rule to block traffic to port 53 of your router IP address (after Network Lock has been enabled). Another solution is setting on the router, as primary DNS server, 10.4.0.1 address (VPN DNS address).
 

Quote

The system then leaks requests to the router. Network Lock as advertised is supposed to prevent such leaks

Sorry that's false. Network Lock is advertised to prevent any traffic leak outside the tunnel to the Internet IPv6/IPv4 addresses, it is not advertised to lock your computer out from your router (i.e. prevent traffic to your local router) . Moreover you are clearly warned that running systemd-resolved and/or Network Manager is dangerous and may cause DNS leaks.
 

Quote

A switch that makes Network Lock block all communications from the system to the router over the detected DNS port would therefore be of great help

We will think about it for port 53 for sure. It's not a big deal by the way: just see above the proposed solutions, in the meantime.
 

Quote

And doesn't Eddie's Network Lock have a switch that blocks LAN communications?

Yes, with the obvious exception to your local upstream (typically your router) otherwise your system would be completely isolated and no communications would be possible, including of course VPN connections.

Kind regards

 

@lex.luthor

Hello!

Thanks. As you can see the error is different now, AAAA is no more into the game. The problem now is that your DNS doesn't work, not even in IPv4. Fix it or, as a workaround, have Bluetit connect to specific servers, so that it will not rely on names resolutions.

Kind regards
 

On 11/25/2021 at 12:17 AM, regvpn said:

Italy is cracking down on human rights and one has to wonder how safe the users actually are, before the government starts knocking and seises all the data?

Hello!

Italy is in breach of THREE legally binding CJEU decisions on Data Retention from 2014, 2016 and 2020 (*) and we have therefore no servers in Italy (other EU countries are in breach too, and we are already fighting in Spain, so we don't want more "battle/legal" fronts).

Apart from that serious and unacceptable breach of human rights in disdain of multiple decisions of the highest court of the European Union (which hopefully will soon cause the opening of an infraction procedure by the Commission against Italy), can you be more specific about how Italy would be cracking down on human rights?

About "seizing all the data", nobody can seize data which does not exist. Make sure you do not enter (but who would?) personal data in your account details, we don't even require an e-mail address (but if you use it for your comfort, make sure you use one which can not be exploited to disclose your identity or other personal information).

(*)

The Court of Justice declares the Data Retention Directive to be invalid
https://curia.europa.eu/jcms/upload/docs/application/pdf/2014-04/cp140054en.pdf

The Members States may not impose a general obligation to retain data on providers of electronic communications services
https://curia.europa.eu/jcms/upload/docs/application/pdf/2016-12/cp160145en.pdf

The Court of Justice confirms that EU law precludes national legislation requiring a provider of electronic communications services to carry out the general and indiscriminate transmission or retention of traffic data and location data for the purpose of combating crime in general or of safeguarding national security
https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-10/cp200123en.pdf

Kind regards
 

@waterfall

Hello!

Can you please confirm that after you followed AppleCare recommendations the problem got resolved? Thanks in advance!

Kind regards
 

@lex.luthor

Hello!

Do you mean that AAAA resolution is attempted even when IPv6 is off? Please publish the log generated with the new settings.

Kind regards
 

@pnnl

Hello!

You can now connect to port 47107 too, on all servers. WireGuard testing on server side can be considered successfully complete. We will probably advertise WireGuard support as a stable one when Eddie 2.21 is released (currently it's in beta testing).

Kind regards
 

4 hours ago, Pwbkkee said:

Network Lock apparently does not prevent my Debian 11.1 system from querying my router's DNS resolver and receiving valid responses from it. After establishing a VPN connection with Goldcrest, and after Goldcrest has reported the removal of my router's IP address (192.168.1.1) from the network filter,
...
dig @192.168.1.1 -q airvpn.org -t A +dnssec +multiline +tcp returns a complete and valid response.

Hello!

That's correct and expected because Network Lock does not and must not block communications with your router, otherwise your system would be completely isolated from the network. Please note that while a connection is active, your system can't query the router DNS server, because Bluetit sets VPN DNS (provided that you do not disable this feature) - and actually you need to specify in dig a specific address.

It's up to you to prevent such situation when the VPN connection is not active. The "problem" is that your system gateway address is also your system DNS server address. Act accordingly by configuring properly DNS settings of either your system, your router or both.

Network Lock might make an effort to prevent some communications with your router by blocking destination port 53 to your router. That's however a questionable solution and currently it's not adopted, maybe we could implement it as an option in the future. Anyway it would not work in Hummingbird but only in Bluetit, given the different network lock and persistent network lock: logic when Hummingbird drops the connection, it cancels Network Lock, while Bluetit does not, when persistent Network Lock is enabled (consider to enable it anyway).

Kind regards
 

@lex.luthor

Hello!

Nov 24 11:12:45 betelgeuse bluetit: WARNING: Cannot resolve nl3.ipv6.vpn.airdns.org (Temporary failure in name resolution)

Apparently your local DNS has problems with AAAA.

Try to connect in IPv4 by re-setting "airipv6" to off (default value) in bluetit.rc. If your ISP does not support IPv6, you can anyway tunnel IPv6 over IPv4 (set "air6to4" to on).

Kind regards
 

Hello!

We're very glad to inform you that the Black Friday week has just begun in AirVPN!
 

Save up to 74%

 

Check all plans and discounts here: https://airvpn.org/buy

If you're already our customer and you wish to jump aboard for a longer period, any additional subscription will be added on top of already existing subscriptions and you will not lose any day.

AirVPN is one of the oldest and most experienced consumer VPN on the market, operating since 2010. It never changed ownership, it was never sold out to data harvesting or malware specialized companies as it regrettably happened to most competitors. 

AirVPN does not inspect and/or log client traffic, and offers:

• five simultaneous connections per account
• IPv6 full support
• AES-GCM and ChaCha20 OpenVPN ciphers on all servers
• WireGuard support on all servers
• Perfect Forward Secrecy with unique per-server 4096 bit Diffie-Hellman keys
• active daemons load balancing for unmatched high performance - current 'all time high' on client side is 730 Mbit/s with OpenVPN and 1046 Mbit/s with WireGuard
• even more, exclusive features, such as DNS customizable and flexible block lists to neutralize sources of ads, spam, trackers etc.

AirVPN is the only VPN provider which is actively developing OpenVPN 3 library with a fork that's currently 113 commits ahead of OpenVPN master and adds key features and bug fixes for a much more comfortable and reliable experience:

AirVPN, in accordance with its mission, develops only free and open source software for many platforms, including Android, Linux (both x86 and ARM based systems), macOS and Windows.


 

 

Kind regards & datalove
AirVPN Staff

31 minutes ago, inc said:

Another mystery, using either Wireguard or Hummingbird I can check using IP/DNS that I am connected to Airvpn but when I go to Ookla speed test it shows my real IP and ISP (Three uk) is this right It never used to show that it used to show  ISP: M247 Ltd has some thing changed or have I changed a setting somewhere over the last week trying to get Wireguard working.

Hello!

It doesn't sound right but from your description it might be some cached page. Hummingbird enables Network Lock by default so everything should be fine (provided you did not disable Network Lock manually) but to stay on the safe side please open a ticket for a cross-check (it's off topic here).

Kind regards
 

13 hours ago, Daniel15 said:

I'd love to know this too. With OpenVPN you get hardware accelerated algorithms, but it runs entirely in userland so there's a lot more context switching. WireGuard is not hardware-accelerated, however it's in kernel code so there's less switching between userland and kernel mode. With a large number of connections, I'm curious as to whether the reduction in context switching offsets the lack of hardware acceleration for the encryption algorithms.

Hello!

You are correct. Furthermore, OpenVPN runs in a single thread of a single core, so we need to run multiple instances (one per virtual CPU) to get more performance at server level (of course a client remains connected to the same instance during the whole session life), while WireGuard scales well. We will not publish at the moment meaningful statistics, unfortunately, because our servers run at the same time multiple OpenVPN instances and WireGuard, and clients connect in a wide mixture of modes. Any data set would not have relevance or reliability.

Kind regards
 

1 hour ago, misam said:

Public Report – VPN by Google One: Technical Security & Privacy Assessment

https://research.nccgroup.com/2021/04/08/public-report-vpn-by-google-one-technical-security-privacy-assessment/

We don't see how any assessment of any kind would make any difference when NSA has inner access to Google infrastructure, as we all know since 2013 when the PRISM program, revealed by the documents leaked by Snowden, provided proof of that. On top, of course, of all the ties between Google, the CIA and the State Department disclosed by Wikileaks (check also Julian Assange's "When Google met Wikileaks" and the excerpt https://wikileaks.org/google-is-not-what-it-seems/).

Kind regards
 

@Zebby

Warning points are not there. Other than that, usual netiquette applies.

Kind regards