Everything posted by Staff

  1. Hello! It would be great if you could publish the solution for the benefit of the readers. Kind regards
  2. @mamegoma @183aTr78f9o Hello! We suspect that the problem is caused by a virtual network interface MTU size too large for your network/devices. Our tests with different MTU sizes are meaningful but not conclusive. While the WireGuard application forces it to 1280 bytes, Eddie lets the Android VPNService builder set the Operating System default. Please open "Settings" > "Advanced" > "MTU", set it to 1280 bytes, re-start a connection and check whether the problems get resolved or not (please test various servers). Please report back at your convenience, thank you! Kind regards
  3. @mamegoma @183aTr78f9o Thank you very much! Yes, your tests outcome hints at a specific problem in Eddie WireGuard implementation. Eddie calls the native WireGuard library. Thank you for the thorough description and for having found out and reported the problem. We still have some unexplained and puzzling data set (for example, ProtonMail app works in our tests when Eddie is connected through WireGuard), and the problem investigation will take high priority. WireGuard original app needs simple configuration file names since it wants to create a network interface with the same name, which is impossible (not only on Android, but in general in every system) due to system limitations which don't allow network interfaces to have complex long names. Eddie takes care of the matter while WireGuard app doesn't. Kind regards
  4. Hello! Thank you. We confirm that Eddie round trip times wrong values can not be related to VPN DNS. To perform the tests the system must be outside the VPN and therefore you can't use VPN DNS. Furthermore, Eddie needn't resolve names to perform the tests. You can therefore keep this issue on its own topic (already existing, we see) and split from this one. Kind regards
  5. "Hi, the apps I experienced issues with are LAZADA and Signal as well as tutanota and protonmail. I'm not exactly sure how to get the domain name for the services. The servers which I noticed issues are Antares, Lacaille, Struve, Taphao, Bharani, Biham, Fleed, Okab and Albaldah which are the servers I regularly use."

     Hello! Thank you for the information. At the moment we tested only ProtonMail and it works, but now that we have a server list we will perform additional tests, even with those other apps you mention. In the meantime, can you please tell us whether, from the same VPN server, those apps:

     • work or not when you switch connection to OpenVPN3-AirVPN (to do so just tap the "OpenVPN/WireGuard" switch on Eddie's connection views and make sure that it's set to OpenVPN, then start a new connection)
     • work or not when you connect through the wg app available on the Play Store

     Kind regards
  6. Hello! Problem acknowledged. It's a feature unsupported by WireGuard (you will see that the wg app never allows communications with the private network, unless you compile a complex profile, see also https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator/ ) and we see that Eddie needs a different implementation. At the moment do NOT activate Exclude local network from the VPN with WireGuard, as it may cause total traffic leak if "Always on VPN" + "Block traffic if VPN is inactive" options are not enabled (options not available in Android TV). We will consider the possibility to implement a properly working option, which is not trivial, during the alpha or beta testing. Kind regards
  7. Hello! Please check here: https://airvpn.org/routes/?q=https%3A%2F%2Facademyofideas.com and pick the Canada (or other country) servers which can access the website. Currently 7 servers in Canada are not blocked by the website. Kind regards
  8. @sarum4n Hello! Thank you, you're really a long time customer! You can have default.profile not encrypted at all as it was with old Eddie versions. Check the options in the "Preferences" window. Scripts related to events are available, and they are not launched anymore with root privileges. If you need to perform root operations with the scripts launched by Eddie events, you must gain root privileges first. This is an important security feature which is inalienable as the old method was too dangerous and exposed an attack surface vulnerable to privilege escalation from normal user to superuser. In this way such an exploit is no longer possible. Downgrading to Eddie 2.16.3 is always possible, but the operation is not as swift and automatic as an upgrade. Remember to delete all previous configuration files generated by newer versions first, because upward compatibility is not guaranteed in software. Then uninstall the new version and finally install the older version. Kind regards
  9. Hello! It might have been related to a DNS issue on the server side which we should have resolved a few hours ago. Can you please repeat the tests? Should you find any problem again, please report the VPN server name(s), the domain names whose resolution fails, and the names of the 'problematic' apps. Kind regards
  10. Hello! We might have solved the problem, please keep reporting to confirm or deny. If you still find problems please mention the VPN server name(s). @Seebarschtian Thank you! Kind regards
  11. Hello! Thank you, good to know. Can you write down the list of servers you have the issue with OpenVPN? We can't reproduce it with OpenVPN. Kind regards
  12. Hello! We have just noticed the problem (what a pity that nobody opened a ticket about it). We managed to reproduce it on various servers from a variety of non-M247 datacenters. It is therefore unrelated to M247 servers. Moreover the fact that, according to our tests so far, the problem takes place only with WireGuard and not with OpenVPN definitely rules out some M247 specific problem and makes us focus on WireGuard. We will keep investigating. Kind regards
  13. @delta313 Thank you very much for your tests! Where can we find the report generated just after the problem has occurred? You will find a new feature: by tapping the arrow icon on the Log view bar rightmost side you will generate a full system report which will include both log and logcat and have it sent to our servers. Then you just need to send us the link the app will show you (open a ticket if you prefer to do it in private). Kind regards
  14. Hello! Fire OS is based on Android and features slim differences from Android TV. Lack of Always on VPN option is common. You can therefore enable "VPN Lock" in Eddie settings and use OpenVPN to have a robust leaks prevention. In this way when a connection is lost the device will not communicate with the Internet and you have all the time to stop apps and then re-start the connection manually. A second option: you may enable automatic re-connection and even use WireGuard. If a connection is lost WireGuard will keep the device locked for a while, and then Eddie will re-connect as soon as possible. WireGuard connections are very fast but anyway during the re-connection phase leaks are possible. Kind regards
  15. Hello! We're very glad to inform you that Eddie Android edition 3.0 preview is now available.

     UPDATE 2022-07-08: Eddie Android edition 3.0 Alpha 2 is now available.
     UPDATE 2022-07-28: Eddie Android edition 3.0 Alpha 3 is now available.
     UPDATE 2022-09-02: Eddie Android edition 3.0 Beta 1 is now available.
     UPDATE 2022-09-12: Eddie Android edition 3.0 Beta 2 is now available.
     UPDATE 2022-10-14: Eddie Android edition 3.0 Beta 3 is now available.
     UPDATE 2022-11-04: Eddie Android edition 3.0 Beta 4 is now available.
     UPDATE 2022-11-14: Eddie Android edition 3.0 Release Candidate 1 is now available.
     UPDATE 2022-12-01: Eddie Android edition 3.0 has been released.

     Eddie 3.0 preview features WireGuard full integration with AirVPN, a thorough improvement on network management to provide additional robustness on network switching and re-connections, an exclusive option to access local network even when connecting over WireGuard and a dark theme. According to our tests, on most Android devices, when compared with OpenVPN3-AirVPN library or OpenVPN3 and on agnostic networks, performance is remarkably higher and battery life is approximately 15-20% longer, even when the throughput is slightly higher.

     You can download Eddie Android 3.0 RC 1 APK directly from our repository or from the Google Play Store: https://airvpn.org/forums/topic/29660-using-airvpn-with-eddie-client-for-android/

     Please note that Eddie 3.0 is not yet available on the Amazon Store. It should be updated in a few business days.

     To those who will decide testing: thank you so much! Please report any bug and problem in this thread. If possible generate a report from the app. You will find a new feature: by tapping the arrow icon on the Log view bar rightmost side you will generate a full system report which will include both log and logcat and have it sent to our servers. Then you just need to send us the link the app shows you (open a ticket if you prefer to do it in private).

     Important: if you run Android 8 or higher version, we strongly recommend that you activate Always on VPN and Block connection without VPN (aka VPN Lockdown) from Android advanced per app VPN settings. That's the most secure method to prevent traffic leaks in various circumstances. If you run Android 7 or older versions and you set Eddie to connect through WireGuard, a best effort is made to prevent leaks, but it may not be as effective as Android 8 and higher versions mentioned settings. Finally, keep in mind that Android TV suffered the Always On VPN feature amputation, therefore Eddie start & connection at bootstrap are not possible from Android TV 10 and higher versions. Older versions can still run Eddie during the bootstrap and have it connected. Furthermore, a totally effective leaks prevention is hindered when you use WireGuard on Android TV, although Eddie will always perform a best effort to prevent them.

     Main features (new features in bold):

     • Free and open source WireGuard and OpenVPN GUI based on latest OpenVPN3-AirVPN library (free and open source software library by AirVPN) and official WireGuard native library
     • full WireGuard integration with AirVPN
     • improved network change management
     • optional access to local network even when connecting over WireGuard (local network tunneling exemption)
     • dark theme
     • revamped quick connection algorithm
     • one-tap pre-connection switch from WireGuard to OpenVPN 3 and vice-versa
     • easy system report (log and logcat) one-tap generation and delivery to our servers
     • ability to connect to any service via WireGuard and OpenVPN profiles
     • OpenVPN3-AirVPN 3.8.2 library linked against OpenSSL 1.1.1r
     • Full compatibility up to Android 13
     • Full compatibility with Android TV 10, 11 and 12
     • ChaCha20-Poly1305 and AES-GCM support on both OpenVPN Control and Data channel
     • Robust, best effort prevention of traffic leaks outside the VPN tunnel with OpenVPN
     • Totally effective prevention of traffic leaks outside the VPN tunnel with WireGuard and OpenVPN on Android 8 and higher versions
     • Battery-conscious application
     • Low RAM footprint
     • Ergonomic and friendly interface
     • Ability to start and connect the application at device boot
     • Option to define which apps must have traffic inside or outside the VPN tunnel through white and black list
     • Localization in simplified and traditional Chinese, Danish, Dutch, English, French, German, Italian, Portuguese, Russian, Spanish, Turkish
     • Full integration with AirVPN
     • Enhanced security thanks to locally stored encrypted data through optional master password
     • Quick one-tap connection and smart, fully automated server selection
     • Smart server selection with custom settings
     • Manual server selection
     • Ability to start and connect during device startup according to a priority list which includes automatic choice, your defined country and your defined AirVPN server
     • Smart attempts to bypass OpenVPN blocks featuring protocol and server fail-over
     • Full Android TV compatibility including D-Pad support. Mouse emulation is not required.
     • Enhancements aimed at increasing accessibility and comfort to visually impaired persons
     • AirVPN servers sorting options
     • Customizable "Default", "Favorite" and "Forbidden" servers and countries
     • OpenVPN/WireGuard mimetype support to import profiles from external applications
     • Multiple OpenVPN/WireGuard profile support and management
     • Support for custom bootstrap servers
     • Support for favorite and forbidden countries
     • AirVPN broadcast messages support
     • User's subscription expiration date is shown in login/connection information
     • The app is aware of concurrent VPN use. In case another app is granted VPN access Eddie acts accordingly and releases VPN resources
     • Optional local networks access. In such a case, local network devices are exempted from the VPN and can be accessed within the local devices
     • Localization override. User can choose the default language and localization within the app and have them changed live (no need to re-start the app)
     • Favorite and forbidden lists can be emptied with a single tap
     • Ability to directly select an AirVPN area (country, continent, planet) to connect to
     • VPN re-connection after unexpected disconnection (VPN Lock must be disabled)
     • VPN concurrency management
     • Full integration with VPN traffic leaks prevention by system in Android 7 or higher version
     • User can generate or save a profile for any AirVPN server or country and save it in the internal OpenVPN/WireGuard profile manager or export it
     • On the fly language change allowing to switch language without re-starting application
     • Exclusive optional VPN lock in case the device cannot take advantage of Android's VPN direct management (Android 5 and 6)
     • Server scoring algorithm implementing the latest AirVPN balancing factors in order to determine the best server for quick connection
     • Network name and extra information are shown along with network type
     • Device network status management
     • Fully compatible with Android TV 5.1 and higher versions
     • bug fixes and general architectural improvements

     Kind regards & datalove
     AirVPN Staff
  16. EDIT: problem has been resolved around 12.00 2022-06-16 UTC

     Hello! We're sorry to inform you that a PayPal ongoing malfunction is causing a serious issue with purchase validations and plan activation. IPN (Instant Payment Notification) is not sent, so we must validate PayPal payments manually one by one. PayPal has been notified hours ago. We apologize for the delayed activation but the problem is out of our responsibility and control. Hopefully PayPal will resolve the problem very soon. If you have paid via PayPal and you don't see your plan activation within a few hours feel free to open a ticket as we are struggling to keep the pace on the long run. If you are reading this message before you made a purchase, please consider paying via Stripe, Amazon Pay or Bitcoin for a faster and automated plan activation. This thread will be updated as new information comes in. Kind regards
  17. Hello and thank you for your choice! Please check again now. A PayPal ongoing malfunction is causing the issue. IPN (Instant Payment Notification) is not sent (they are all stuck) so we must validate payments manually one by one. Hopefully the problem will be resolved in a matter of hours otherwise we can't keep the pace and we will need to disable PayPal. PayPal has been notified hours ago. We apologize for the delayed activation but the problem is out of our responsibility and control. [PROBLEM RESOLVED] Kind regards
  18. Hello! Your account reserved ports already include two consecutive ports so you needn't do anything in this case. In general, to find consecutive ports (if available) enter the amount of required ports and click "Search" on the "Suggest a range of sequential free ports" section of your account port panel. Kind regards
  19. Hello! Well, it should (must) work with any OpenVPN3 compatible profile. Which error do you get exactly? Kind regards
  20. @CinnamonStick Hello! The attacker can do exactly the same with tls-crypt v2: subscribe and get the TLS key to pass the first barrier and then perform the attack. tls-crypt v2 is stronger against flood because the attacker, at least, must create more than one attacking account in order to keep flooding after a key gets blocked, while with tls-crypt it can keep flooding with just one key which remains valid (because we would block all the customers if we changed it). That's surely a strong reason to plan tls-crypt v2 implementation. To be effective, however, tls-auth must be dropped, otherwise the flooder can always point to the entry-IP addresses where OpenVPN in tls-auth responds. Nothing changes on the client side security between tls-crypt and tls-crypt v2, while an important change over tls-auth is due to the fact, as we already wrote, that the parser is not exposed and the communication can be dropped sooner. This makes tls-crypt more robust than tls-auth against flood attacks and reduces the attack surface. However it's not yet time for us to drop tls-auth and break backward compatibility, because tls-auth is still required by customers who run OpenVPN versions which don't support tls-crypt. This has been always done by tls-crypt which we implemented several years ago. It's not something new of tls-crypt v2. A working proof of concept has never been published so we are dubious, but that's not important, because if the exploit had been able to work even against tls-crypt (let's assume for argument's sake that tls-crypt had been available at the time), then it would have worked even against tls-crypt 2. Strömberg says it very clearly: they did not attack servers with tls-auth, because it was just a useless over-complication, as anyone could get the tls-auth key in their (or our) service (and today anyone can get a specific tls-crypt v2 key, nothing changes). The server key is always secret and in particular the DH key is unique to each server. 
So tls-crypt 2 makes no difference again: if an attack successfully gets the server secrets to impersonate that one server in an attempt to have the target victim connect to it via some additional traffic hijack, it can work either with tls-crypt or tls-crypt v2, because the difference for this purpose is only that the tls-crypt key is common to all clients, while the tls-crypt v2 key may be unique to each client and/or server group, so it can be obtained anyway immediately. This is well explained in GitHub: https://github.com/OpenVPN/openvpn/blob/master/doc/tls-crypt-v2.txt Don't charge tls-crypt v2 with super-features which it doesn't have and has not been designed to have. Kind regards
  21. Hello! Before any investigation starts, please upgrade Eddie. You are running a version dated August 2015 which is no longer compatible with our service (thank you very much, you are indeed a long time customer!). You can download Eddie latest release for Windows here: https://airvpn.org/windows Let us know whether the new version resolves all the problems. Kind regards
  22. Hello! Heartbleed exploit was made possible by the OpenSSL library on web servers and has been resolved since April 2014, more than 8 years ago. Anyway, with OpenVPN working in TLS mode (like it always did in our infrastructure), the private key was never at risk (not to mention decrypting the client traffic, totally impossible with Heartbleed), not even with the vulnerable OpenSSL version: TLS Auth was sufficient. Heartbleed was particularly dangerous for web servers, not for OpenVPN working in TLS Mode (with TLS Auth and PFS). Using tls-crypt has nothing to do with Heartbleed and vulnerabilities of the sort. If a vulnerability is discovered on the SSL/TLS library, its exploit may or may not affect OpenVPN too, but if it does, tls-crypt and tls-crypt v2 probably will make no difference (it depends mainly on the parsers). This is already implemented in tls-auth. No need of tls-crypt or tls-crypt v2 for it. Strangely you quote features already implemented in tls-auth as advantages of tls-crypt over tls-auth, causing confusion. A clarification is due. tls-crypt and tls-crypt v2 allow early connection abort, while tls-auth needs to expose TLS.X509 parser before dropping the connection, enlarging therefore the attack surface. Moreover, by not sending anything back and dropping all when metadata verification fails, tls-crypt makes the server slightly more robust against floods and DoS attacks in general. This is of course great for the servers and tls-crypt is already implemented (on AirVPN servers entry-IP addresses 3 and 4), and we might also consider tls-crypt v2 in the future and dropping tls-auth (which we maintain on entry-IP 1 and 2 for backward compatibility), but you must not assume that it is useful more than tls-auth to defeat a class of attacks against the clients or aimed at decrypting the client traffic. 
Another advantage of tls-crypt over tls-auth is that the Data Channel gets completely encrypted since the handshake, thus tls-crypt (and its version 2 of course) can more easily bypass ISP blocks triggered by detection of OpenVPN handshake "fingerprint". Kind regards
  23. @CinnamonStick Again, the added protection against attacks is only on the server side, as you have just confirmed. Strangely tls-crypt v2 seems available on OpenVPN Access Server only, not on OpenVPN, or at least it is missing in the OpenVPN manual, we can find it only on OpenVPN AS manual. Kind regards
  24. Hello! You can have recurring payments only through PayPal in our service. An authorization to recurring payments to us needs double confirmation and can be deleted anytime quickly and easily, it's a matter of a few seconds: https://www.paypal.com/sm/smarthelp/article/how-do-i-cancel-an-automatic-payment-i-have-with-a-merchant-faq2058?app=searchAutoComplete Kind regards
  25. Hello! It should happen by default, as tunpersist is set to "on" by default. Can you please check your /etc/bluetit.rc file? Try also to explicitly declare tunpersist on (on any line in the file). Edit the file with root privileges. Kind regards
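
Post 6 above says that reaching the private network over WireGuard needs a "complex profile" and links an AllowedIPs calculator. As an added example (not Eddie's or AirVPN's code), the following Python computes such an AllowedIPs list by subtracting local ranges from 0.0.0.0/0 and checks which addresses would stay outside the tunnel; the ranges in LOCAL_NETS and all function names are assumptions, and only IPv4 is covered.

```python
import ipaddress

# Assumption: "local network" means the RFC 1918 private blocks plus IPv4
# link-local. Replace with the ranges actually used on your LAN.
LOCAL_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16"]


def allowed_ips(excluded, universe="0.0.0.0/0"):
    """Return the CIDR blocks covering `universe` minus every `excluded` block."""
    remaining = [ipaddress.ip_network(universe)]
    for ex in (ipaddress.ip_network(e) for e in excluded):
        kept = []
        for net in remaining:
            if net.version != ex.version or not net.overlaps(ex):
                kept.append(net)                      # untouched by this exclusion
            elif net.subnet_of(ex):
                continue                              # entirely excluded: drop it
            else:
                kept.extend(net.address_exclude(ex))  # ex lies inside net: split
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


def is_tunnelled(address, nets):
    """True if `address` matches one of the AllowedIPs blocks (goes via the VPN)."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in nets)


def peer_line(nets):
    """Render the blocks as the AllowedIPs line of a WireGuard [Peer] section."""
    return "AllowedIPs = " + ", ".join(str(net) for net in nets)


if __name__ == "__main__":
    nets = allowed_ips(LOCAL_NETS)
    print(peer_line(nets))
    # Constructed probe addresses: anything reported as "outside" bypasses the
    # tunnel, so it is only protected by whatever leak prevention the OS applies.
    for probe in ("8.8.8.8", "192.168.1.10", "172.32.0.1"):
        where = "tunnel" if is_tunnelled(probe, nets) else "outside"
        print(f"{probe:>15} -> {where}")
```

Every address not matched by the generated list leaves through the physical interface, which is why the post ties this setup to the "Always on VPN" and "Block traffic if VPN is inactive" options.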