Staff

Hello! CBS is perfectly accessible both from Vega and Sirius. Perhaps you have a leak from some program that disclose that you are not in the USA to the CBS tests. The usual suspects are the browser and its plugins. If you use Windows, avoid Internet Explorer at all costs. Kind regards

Hello! Please connect to your DD-WRT router via Telnet or SSH (http://www.dd-wrt.com/wiki/index.php/SSH) and type the command netstat -nr or route -n Then just copy the output and paste it here. Kind regards

Hello! We are aware that blocking outbound port 25 may be annoying, but leaving it open would cause a quick blacklisting of our servers on most spam detectors with severe consequences for us and all our customers. On the other hand, using an SMPT server which accepts TLS/SSL connections (for example on port 465) is a good practice and it's also extremely simple, so it's not really an issue. An e-mail provider that does not offer such connections should not be taken seriously. Please do not hesitate to contact us for any further information. Kind regards

Hello! Are you able to ping the 10.x.0.1 IP address (for example, if you connect to port 443 UDP, are you able to ping 10.4.0.1)? Could you please publish the routing table after the connection (delete your real IP address for privacy reasons)? Kind regards

Hello! This is a bug of the AEC payment processor (a commercial product) that we use to handle accounts expirations. We have given you back your 6 missing days. We apologize for the inconvenience. Please do not hesitate to contact us for any further information or support. Kind regards

Hello! You have various options, for example connecting the guest OS to the TAP-Win32 adapter via bridging and disabling access to all the other network cards. In this way, if the VPN connection is not established (or drops), the guest OS can't communicate with the Internet. VirtualBox, currently one of the best virtualization packages available, will let you do that with a few clicks. Please refer to the manuals of your virtualization software for additional details, and do not hesitate to contact us for any further information. Kind regards

Hello! Your message has a reply to the e-mail address you specified to receive the answer. Please re-send it if you did not get the reply [EDIT: please make sure that your e-mail address properly receive e-mails] Kind regards

Hello! Can you please see this thread, from here: https://airvpn.org/index.php?option=com_kunena&func=view&catid=2&id=970&limit=6&limitstart=12&Itemid=142#1748 ? Try to apply the suggested fix. We're looking forward to hearing from you. Kind regards

Hello! Thank you for your nice words. We're glad to know that you have managed to have a working and secure setup. If there was a conflict, the message should not have been "syntax error", but something different. Anyway, "block out any"? The rule is "block out all". Kind regards

Hello! About the glitch of the red token on UDP ports, we are still investigating. This does not prevent anyway the correct forwarding of UDP packets. The remaining is not a glitch (please see our previous message). Also, it appears from our tests that everything is working properly. Can you please check that listening services are configured to listen to the matching ports and on the correct network interface? Kind regards

Hello! This is correct. If you leave the remote port field blank and click Add, the system will pick randomly an available port and remap it to the same local port (if the local port field has been left blank) or to the specified local port. Kind regards

Hello! [EDIT] We're looking into the issue, please stand-by. In the meantime you can try to: - forward a new port explicitly specifying as "local port" the same number of the forwarded port; - forward a new port without specifying any local port [EDIT 2] About the red token, we are now aware that there's the chance that you get a red token (for an UDP port only) even if that port is closed on your router. Techies will work on it too asap. Kind regards

Hello! We're sorry, currently we don't provide step-by-step support for Symantec products. Symantec products are commercial products which offer full customer support, so you might try to have support from their team. You could: - replicate the rules suggested for any firewall in the forum (Comodo, PF...) on your Norton Firewall - switch to Comodo: independent peer-reviews performed with high-standard leak tests show that Comodo Firewall in terms of security is highly superior to Norton Firewall (we underline "firewall"); in severe leak tests Norton Firewall 2012 protection rates as "NONE" (!!!) while Comodo rates as "excellent", see for example http://www.matousec.com/projects/proactive-security-challenge/results.php - Comodo is not open source but it's freely redistributable, see https://personalfirewall.comodo.com The only software firewalls for old Windows OS that are not useless (or dangerous) toys are (% shows the percentage of passed leak tests, the higher the better): Comodo Internet Security 5.3.176757.1236FREE 100 % Online Solutions Security Suite 1.5.14905.0 99% Privatefirewall 7.0.25.4FREE 98 % Outpost Security Suite Free 7.0.4.3418.520.1245.401FREE 97% Outpost Security Suite Pro 7.5.1.3791.596.1681 97% BitDefender Internet Security 2011 14.0.30.357 97 % Kaspersky Internet Security 2012 12.0.0.374 93 % Malware Defender 2.7.3.0002FREE 91% Norton Internet Security 2012 has 20% (protection "none"). For the most updated "Proactive Security Challenge", see http://www.matousec.com/projects/proactive-security-challenge-64/results.php. This new challenge shows that apart from Comodo (94%), a secure firewall for 64-bit Windows versions does not exist. Kind regards

Hello! No, this is not what you want, the firewall will not block anything without that rule. Replace it with: block out from 192.168.0.0/16 to any PF will block any outgoing packet from 192.168.*.*, except those which match the subsequent "pass out" rules. If there are no more syntax errors, test the configuration. Activate pf. Now you should lose your Internet connectivity, except toward Lyra. Connect to Air server Lyra entry-IP (62.212.85.65), any port. The connection should succeed thanks to the relevant pass out rule. Now you should have full connectivity. Launch a bittorrent client, share some redistributable content. Let it work for some minutes. Then, disconnect from the VPN. If everything is ok, you should immediately see a total drop of outgoing packets from any application, including the bittorrent client. Anyway, you should investigate further, because "block out all" is a perfectly legal directive on any pf version. Kind regards

Hello! Locate line 23 to be sure to identify which line is giving syntax error. Also, make sure that after the copy & paste you have not inserted characters which may cause problems to the pf parser, for example CR+LF. Also, each line must be terminated with a CR, including the last line. Refer finally to your pf man page to check whether the syntax of your pf version is slightly different. Kind regards

Hello! It looks like geolocalization of those services needs improvements! We have verified that CBS, Hulu, Pandora and Netflix are accessible from Sirius and Vega. Please do not hesitate to contact us for any further information and support. Kind regards

Hello! About point one: yes, a simple but not very flexible way would be to run the service before you connect to an Air server. When you connect to the VPN, the service will continue exchanging packets outside the tunnel, but only for already established connections. Thus, if this is a TCP based service the above may be a good solution, otherwise it's probably not. The alternative would be to modify your routing table. By default our VPN servers push routes so that all your traffic will be routed through the encrypted tunnel. After the connection you might modify routes so that traffic for certain IP addresses is routed outside, through your "normal" gateway, bypassing tun interface. Compare your routing tables before and after the connection, and proceed with caution, a mistake may compromise the anonymity layer. About point two: 40 Mbit/s is an awesome result, better (as far as we know) than the average bandwidth offered by most VPN providers in the world. To beat that, you need at least a 100 Mbit/s server exclusively dedicated to you (please note that your 40 Mbit/s imply 80 Mbit/s on the Air server - bw used by the server for a client is the double of the bw used by that client). Actually, we can provide 100 Mbit/s and 1 Gbit/s servers (please note that a dedicated server will not offer the usual AirVPN anonymity layer) but probably you would not beat that speed anyway. Any additional bandwidth allocation guaranteed by us probably would have no effect, because you already enjoy from Air servers an available bandwidth (700-800 Mbit/s) greater than the maximum speed you can reach. Kind regards

Hello! The green token shows that your service is reachable when behind the VPN. Let's try to make a step at a time, then. Change the SSH daemon listening port. Set it to a TCP port you have remotely forwarded without local remap. Then connect your server to an AirVPN server. Check that ssh has a bind to the correct network interface: it must listen on the tun interface used by OpenVPN. Finally, make sure to start ssh. If the ssh service was already running, restart it, this is very important. After all that, try to connect to your server with ssh :, from a device NOT connected to the same Air server. We're looking forward to hearing from you. Kind regards

Hello! What is that 443 in line pass out quick from 192.168.0.0/16 to 62.212.85.65 443? Please delete it. Kind regards

Hello! 1. Could you please elaborate? 2. Currently premium members connecting to 1 Gbit/s servers already have more than that. 1 Gbit/s servers are Delphini, Sirius, Vega, Draconis and Castor. On these servers there are constantly 700-800 Mbit/s (that is 75-100 MB/s) available. Kind regards

@Orfeo Hello! What happens with the following rules? block out all pass out quick from 127.0.0.1 to any pass out quick from 192.168.0.0/16 to <AirVPN_server_entry_IP> pass out quick from 10.0.0.0/8 to any pass out quick from 192.168.0.0/16 to 192.168.0.0/16 Kind regards

Hello! PF needs ALTQ (Alternate Queing for Network Packets) kernel support to use all its features. Alternate queuing of network packets provides disciplines for queuing outgoing network packets (for example traffic shaping) in *BSD based systems. Apparently your Mac OSX does not come with a kernel built with this support or your network card driver does not support ALTQ functions, however you should not need them for basic firewall operations: PF will just run with disabled ALTQ functions. You can't recompile and build Mac OSX kernel (it's not open source). The default configuration file read by pf is pf.conf, not pf.con (if it was just a mistyping on your message, ignore this warning). Lines 23 and 24 have a syntax error, feel free to paste pf.conf here. You can find the entry-IP address by watching at the line with directive "remote" in the air.ovpn configuration file you have (just display it with the cat command or open it with any text editor). Please do not hesitate to contact us for any further information. Kind regards

Hello! Suppose that the account used by your SSH server has forwarded port 12345 TCP and remapped it to local port 22. Then, when your server is running OpenVPN as a client connected to one of our Air servers, you will be able to reach the SSH service on your server on :12345, NOT :22 Perform a check from your panel (click "Check", wait for some seconds, then click "Refresh"). If you see a green token, then your service on your server is reachable. If you see a gray token, then your service is not responding (or not running). If you see a yellow token, then your server is responding on port 22 even when reached to its real IP address. You might as well change the SSH listening port to a TCP port number>=2048 that matches one of the remotely forwarded TCP port numbers. In this case you will not need a remap to local port 22, and you should obtain a red token (evaluate if this can be a vulnerability exploitable for correlation attacks and if so solve it). You should also make sure that once your server establishes a connection with an Air server, it can communicate with the Internet as usual (except for incoming connections on non-forwarded ports, of course). Please do not hesitate to contact us for any further information. Kind regards

Hello! We kindly ask you to read the ToS and the Privacy Notice, available through the links at the bottom of most pages of our website, and the FAQ (menu "More"->"Frequently Asked Questions"). Acceptance of ToS and PN is mandatory for subscriptions. In a few words we don't log IP addresses on any VPN server and we don't log and/or monitor traffic (including both headers and payload) on any VPN server. Please do not hesitate to contact us for any further information. Kind regards

Hello! Thanks for your clarification. Can you please tell us how do you disconnect from an AirVPN server (just in case it is a useful info for better troubleshooting)? Kind regards