
Everything posted by Staff

  1. @TooLittleTime Hello and thank you for your tests! We are unable to reproduce the issue at the moment, can you please tell us whether you see the same when you run Hummingbird (with Bluetit not running at all)? Kind regards
  2. Hello! Unfortunately we will not operate in Australia because of the infamous anti-encryption law, we're sorry, but yes, we are going to seriously consider more bandwidth in New Zealand. Kind regards
  3. Hello! DCO code is in highly experimental phase and subject to radical changes. Still. ** NOTE ** ovpn-dco is currently under heavy development, therefore neither its userspace API nor the code itself is considered stable and may change radically over time. Kind regards
  4. Hello! Tor is free for everyone and we strongly encourage to use and support it. AirVPN has supported Tor since 2010, and TorProject multiple times in the last 8 years. Currently AirVPN provides a valuable support to 4% of the Tor exit nodes worldwide traffic in Quintex Alliance Consulting datacenters, which is a remarkable amount if you think of AirVPN size. AirVPN also offers the ability with a few clicks to build tunnels over OpenVPN over Tor which are a starting point to add further anonymity layers. Or you can simply connect to Tor after you have connected to our VPN servers for a paramount anonymity layer enhancement. Tor however does not support UDP, so all UDP based applications are cut out, and p2p is very problematic on the Tor network. Furthermore, if you need a quick inbound remote port forwarding to bypass your ISP NAT or just have some privacy for a service of yours which must be reachable from the Internet, with Tor you would need to set up an entire onion service which will be accessible only from Tor network, while with AirVPN it's a matter of a few clicks. That's when AirVPN comes into play. In the mentioned cases AirVPN becomes handy or even irreplaceable, just think how more and more VPN services have suddenly dropped the, sometimes vital, remote port forwarding support. We just ask as a courtesy not to run Tor exit nodes behind VPN servers for obvious reasons. On the other hand no VPN can provide something on par with Tor anonymity layer and the synergy between Tor and AirVPN is probably the "way to go", as some of our old customers told us recently. As @OpenSourcerer replied to your question, in general you should rely on Tor for multi-hopping and to strengthen the anonymity layer, and not on chaining VPN servers, in most threat models. Chaining VPN servers is usually too weak to be a suitable solution for any threat model except maybe those which foresee a very trivial adversary.
Multi-hopping on different VPNs could even (paradoxically) LOWER your anonymity layer as you need to keep different subscriptions, different accesses, and any mistake can be exploited to add correlations. You could even double-hop with AirVPN servers with quick virtualization, or triple-hop with virtualization and a router, as any account can establish multiple concurrent connections, but we're the first to strongly deprecate this behavior for all the mentioned reasons. Remember that when you support monetarily AirVPN (i.e. you don't use it only with the free access), you support Tor network too. Kind regards
  5. @itzik_gerbi For your comfort we paste here the answer you received from the support team. As AirVPN staff, we would also like to add that both Eddie and the Suite are free and open source software under GPLv3. ====================================== Hello and thank you for your choice! Eddie features a GUI and a full integration with both WireGuard and OpenVPN. It also features many comfortable options. The GUI is based on Mono so it can be heavy on some systems. You must install the Mono framework. Consider at least half a GB of RAM footprint for the whole program including Mono libraries. It does not feature a daemon-client model but anyway the GUI process runs with normal user privileges, while only the backend runs with root privileges (it is actually a root process). AirVPN Suite is a lightweight suite which does not require Mono or any other framework with a true daemon-client secure architecture. It lacks a GUI, it must be controlled exclusively from a command line interface, it does not offer WireGuard (it will, in the future) and lacks many features that Eddie offers. However the new Suite 2.0.0 alpha 2 version offers per app traffic splitting, which is (at the moment) missing in Eddie, and complete WireGuard support and integration with AirVPN. If you have a machine without a Desktop Environment, or if you have a machine with limited RAM and CPU power, you should consider the Suite or the WireGuard line interface utility. In every other case, and provided that you can install Mono package, probably Eddie will suit your needs more comfortably. To help your choice, AirVPN Suite user's manual is available here: https://airvpn.org/suite/readme/ Eddie manual can be displayed with the command "man eddie-ui" in most Linux distributions. Eddie's FAQ answers are available here: https://eddie.website Kind regards AirVPN Support Team
  6. Hello! Probably Halloween promotion will be confirmed and therefore it will come first. And you're right, free trials of 1 month never existed. Kind regards
  7. Hello! Some context for the readers as well: Eddie 2.23.1 added full support with proper DNS management for every systemd-resolved working mode. Any older version will misbehave whenever systemd-resolved is running (various working modes are not supported). AirVPN Suite added full support with proper DNS management for every systemd-resolved working mode in 2022 (1.2.0 or higher version). Kind regards
  8. @WildWereWolf Hello! It would be a very good idea to remain locked out from remote machines accessible only through remote desktop or ssh, and not IPMI interface. It is also an intrusive and permanent change of system settings which in the past was refused by the majority of our customers. Anyway, you can easily implement the feature in your Mint box with the proper three or four firewall rules (the support team already showed them to you when you asked for an iptables example). The solution is so fast (it takes literally a minute or less) that we don't see why you just don't implement it, end of the story. You may also consider the AirVPN Suite with its feature networklockpersist and Eddie's feature Enable Network Lock at startup - however they are not exactly the same because first Bluetit daemon or Eddie process must be raised up, and then network lock is enforced, therefore providing an additional protection against "locking out". AirVPN Suite manual is here. Kind regards
  9. Hello! You can (Eddie 2.21.8 or higher version required). Please note that the domain name(s) must be resolved with your system DNS, before a VPN connection is started, and therefore Network Lock must allow this exception - Eddie will warn you if this condition is not met. Also note that this is not always a 100% reliable configuration for those services which rely on CDN serving content dynamically. Kind regards
  10. Hi, the limit is exactly 5 messages, from now on your messages will not be subjected to moderator's approval. This community forum is by the community for the community as a gift from AirVPN, open to everyone, not restricted to AirVPN customers. If you don't like a gift, just refuse it and live happy, or become part of the community and help make this forum an even better place. It must be said anyway that in 13 years only 3-4 people complained about the messages approval time and the massive usage of this forum shows that it is appreciated by most people and even by non AirVPN customers, so after all this gift is fine and the community is able to manage properly the whole thing. Kind regards
  11. Hello! It will end on Sunday 24 Sep 2023 23:59 CEST. Kind regards
  12. Hello! Yes, of course, we take care of both resolv.conf and nsswitch.conf inside the aircuckoo namespace (/etc/netns/aircuckoo/nsswitch.conf) in order to prevent the feared and dangerous "DNS leaks inside the tunnel" which affect other traffic splitting implementations based on cgroups and cover various distributions, including systems where systemd-resolved runs. In our "reversed" traffic splitting implementation, the aircuckoo namespace apps must query the system DNS. Per network namespace resolver configuration seems an established feature, or do you mean something else with the proposal you mention? Or do you imply that systemd-resolved may cause additional problems we have not taken into account? For your specific problem, we have no immediate suggestion unfortunately, we would just recommend that you check (for example with Wireshark) what happens to Firefox packets after the system woke up. We're also unsure whether this article may help you, probably not but we link it anyway just in case: https://philipdeljanov.com/posts/2019/05/31/dns-leaks-with-network-namespaces/ Feel free to keep us posted, and we'll do the same, as the different outcome with / behavior of Firefox in different distributions is under investigation and we need to clarify the issue carefully. Kind regards
  13. @andy097 Hello! The IPv4 route check is successful while the IPv6 route check fails. Let's see whether the latter is a false positive by Eddie or not. Try to disable route check as well as DNS check, respectively in "Preferences" > "Advanced" (uncheck "Check if the VPN tunnel works") and in "Preferences" > "DNS" (uncheck "Check Air VPN DNS"). Enable Network Lock and try again connections. Verify both your IPv4 and IPv6 connectivity (if everything is fine, you should be able to reach IPv4 sites as well as IPv6 only sites, like ipv6.google.com). Kind regards
  14. Hello! We're terribly sorry, the port to FreeBSD is currently frozen. We will re-consider it anyway in the future, but only after the Suite 2 stable version for Linux is released. As far as it pertains to Windows, we will leave the answer to the Eddie Windows edition developer. Kind regards
  15. Hello and thank you for your tests! Of course, as you say, this is an early preview, an alpha 1, so we can and we will improve the software. With the understanding that the highest security level is reached only by renouncing to traffic splitting or by splitting traffic only through boosted virtualization via a proper hypervisor, our solution aims at offering a fair balance between a very light implementation and a safe environment. If we pushed on virtualization too much, then the user might as well use directly pushed solutions of non-Linux third-party components and software suites, such as VirtualBox or Docker. It's not in our vision to burden the AirVPN Suite at those levels, as the Suite is thought to remain the most lightweight piece of software we release. In the current default setup, you have a minimum of two separate login users in any Linux box: airvpn and your usual user. By default, only airvpn can run cuckoo. If you consider not to add your current user to the airvpn group, you can safely rely on the fact that the types of processes you mention launched by your current user will never be affected by processes started by airvpn user and vice-versa. In this way it's almost impossible to cause a confusion by distraction and, for example, using a browser outside the tunnel while you think that it's inside. It's also obvious that a decent concentration level is always required, but that's required even with full virtualization, because no security model can save you from the distraction to assume wrongly that a specific VM is connected to the VPN while in reality it is not. So nothing new, traffic splitting was, is and will be requiring some attention, no matter how you achieve it. Stay tuned for the alpha 2, we are working on it. Kind regards
  16. Hello! It's a crack for some program unrelated to AirVPN or a malware. Our software does not need any crack, it is free and open source software which does not need the activation key they claim they give you. There's another "Air VPN" (with a space) in China using fraudulently this name but it was shut down recently. We will hide your link just in case it's malware. About NordVPN, yes, they have been cracked a couple of times and thousands of accounts were compromised in the past. By the way still unrelated to AirVPN. Kind regards
  17. Hello! @1301 It might be a virtual network interface MTU size related problem, try with the custom directive mssfix 1280, or switch to WireGuard and set MTU to 1280 bytes. In Eddie, you can set custom OpenVPN directives in "Preferences" > "OVPN Directive" window. Type "mssfix 1280" in the custom directives field, click "Save", and re-start a connection to apply the change. You might like to test a connection over WireGuard as well. If you run Eddie 2.23.x you can also set WireGuard's MTU size in "Preferences" > "WireGuard" window. Also make sure that both your router firmware and your physical network interface driver are up to date. A sustained UDP flow causes problems on some old network interface drivers as well as old router firmwares. Possible, but it's not necessarily so, as some datagrams may fit in the frame other ones may not. Anyway from the log it's not clear whether all the packets had to be re-sent or not. Shrinking the MTU size is well worth a test. The following, however, makes the MTU size problem less likely, but not impossible anyway: Kind regards
  18. Thank you very much, we will have developers investigate the problem, there's a potential bug somewhere. Can you post all the non-alphabetic characters you were using, like @ and #? Kind regards
  19. Hello! No, that's not necessary. You don't need anyway configuration files with Eddie Android and Desktop editions. How is it related to the original problem? Kind regards
  20. Hello! There is a bug affecting Eddie Android edition and causing a crash, but not a login failure, when the symbol % is in the username and not in the password. Anyway, please try to wipe out all the @, # and $ characters and check whether something changes or not. Kind regards
  21. Hello! Eddie and the bootstrap servers it talks to may interpret correctly only UTF-8 characters. Do you have any character outside UTF-8 in your password? If in doubt, try to change your password to a password with only and exclusively ASCII characters. Kind regards
  22. Hello! Unfortunately it will not work. We are investigating different issues caused by web browsers. Please check the original announcement, we have changed a part to reflect the matter, we paste it here for readers' comfort and in order to outline the issue: Note on Web Browsers Firefox and Chromium will not be able to resolve names in the aircuckoo namespace, not even when you run a unique instance of them inside the network namespace itself, in some Ubuntu systems. We are investigating this behavior. Brave, Opera and Konqueror are not affected by this problem, but please consider that due to how browser instances are tied to each other, you might get unexpected behavior if you run the same browser in both namespaces from the same user. For example, if the browser has been started in the default namespace while there is an active AirVPN connection, the traffic will flow to the connected AirVPN server and from the associated VPN IP address from any future apparent instance launched by the same user, and vice-versa. The second instance may detect the first, delegate the task to it and exit, so you will have a new window but not another instance. In order to circumvent the issue, at this stage you may take care to run programs in the aircuckoo namespace via cuckoo only from airvpn account, and programs whose traffic must be tunneled from your ordinary account. In other words, to add security, do not add your ordinary account to the airvpn group if you plan to use traffic splitting, so your ordinary account will not be able to run cuckoo by accident. Kind regards
  23. Hello! Thanks. Thus, it must be a different issue or maybe a bug. Can you tell us your distribution name and version? Can you also please send us the complete Bluetit log? You can see it via journalctl if you are in a systemd based distribution. The following command: sudo journalctl | grep bluetit > bluetit.log will store the whole log in bluetit.log file. When this other problem occurs, please send us a Bluetit log again as well as the content of the /etc/airvpn directory: sudo ls -l /etc/airvpn Kind regards
  24. @OpenSourcerer Hello! There is some confusion on a few Linux concepts and architectural design in your last message which would require some longer explanation or a course-like series of articles. We're afraid that this thread could go off rails and on a long question/answer/question/answer "ping pong" which might be detrimental to the original purpose: community testing and bug reporting. Please feel free to ask your questions on some other forum, for example in "Off Topic" community forum and we'll do our best to explain, or maybe someone from the community will explain even better. We want to leave this thread (remember we're in "News and announcement") aimed at AirVPN Suite 2 preview version(s) community testing and bug reporting, thank you in advance for your understanding. 😉 Kind regards
  25. Hello! That output is correct, and it does not imply what you assume, but only that the program you have just launched runs in an ambient which does not have the specified vector raised. For your verification see our previous command, or just verify for each user the capability. Example (as root): capsh --user=<username> --has-p=CAP_SYS_ADMIN ; echo $? It will exit with status 1 if the ambient vector has not that capability, it will exit with status 0 if it has. Please note that the whole new Suite would work anyway, in all the distributions we tested, if the installer doesn't edit /etc/security/capability.conf but we deem that this is a nice feature anyway, as it might be useful in some obscure distribution, and it adds clarity. We can't: nsenter links the process you run to some existing PID, making it a child of some already existing process in the namespace, so nsenter has different usage for quite different purposes. Yes, that obsolete paper anyway confirms how good this implementation is. Our use case is exactly one of the few perfectly proper, correct and needed "usages" of CAP_SYS_ADMIN without doubts. Additionally, all the worries of the original writer have been properly addressed, as explained (we paste here to readers' comfort again): addressing the issues raised by Eklektix and Kerrisk and others. To clarify: verify with ps. Kind regards