Staff

If you youtube 'Christian Mcdonald', he explains everything in his series of videos. He's also overseeing the wireguard package for netgate, and talks about the whole process and where he wants to take it in the future. Hello! Speaking of netgate.com, we found this article on it which looks good: https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-client.html In order to fit it to AirVPN, please generate a configuration file for WireGuard and the server or country you wish from the Configuration Generator. It's a text file inside which you can find the settings/values you need. Kind regards

@OpenSourcerer @tudou Hello! We have resolved the problem. Kind regards

Thank you for your great feedback and the head up. Lists should have been updated every 24 hours but the procedure started failing recently. We are working on it to detect the problem and restore the normal update every 24 hours. EDIT: problem detected and fixed. Kind regards

@cheapsheep @eburom @magnavoid @OpenSourcerer Thank you very much for the bug report, the issue will be investigated very soon. In the meantime please force nftables (if available, and remember that userspace utility nft is currently required) as @cheapsheep suggested to circumvent the problem. EDIT: Eddie, Hummingbird and Bluetit assume that iptable_* modules exist if iptables exists. This is no more true in some distributions, where iptables userland utility exists but iptable modules don't (and it would be false even in customized kernels compiled with embedded iptable). We will be working on a more robust implementation. @eburom Both implementations are logical and probably the "Right and Just" one does not exist. If Bluetit renounced to the connection when Network Lock fails it would leave the machine completely exposed (remember that Bluetit is a daemon) because it has no way to block the traffic when the firewall fails (*). If Bluetit goes on at least it tries to connect the machine and establish a "tunnel". In early Bluetit implementations Bluetit aborted the connection if Network Lock failed, now the other solution has been preferred even after consultation with users. (*) It might sabotage the routing table or the gateway or it might turn off the network interfaces to isolate the machine completely, but this solution is considered too invasive and it is unacceptable for various system administrators, especially those who run remote servers. Kind regards

@chimney sweep Hello! Understood, we are investigating, there's no need that you keep posting. Kind regards

@chimney sweep Hello! Feel free to specify the server. To forward an inbound port to a specific node, a server applies prerouting rules created (according to customer's settings), transmitted and ordered by our backends to the VPN server. Failure of rules enforcement only on one server hints to a problem of some kind related to that server, and by telling us the specific server you experience the problem on you help us troubleshoot those cases which are not detected by the automatic supervision and warnng system. Kind regards

@JamesFrancis Hello! Please try connections to specific Swiss servers and note whether you can connect to some of them. We operate different datacenters in Swiss so it seems impossible that they have the same problem at the same time. However, when you use the FQDN ch3.vpn.airdns.org, you end up to a specific server which the system reputes "the best in Swiss", therefore checking single servers one by one is essential to understand the nature of the problem. Then, please send us the list of servers you can't connect to and a log showing the connection failure. Kind regards

Hi, that's true. Perhaps the most practical solution is entering a transitional state by leaving some forum dedicated section still to Invision and rewriting (when the license allows it) some critical parts we don't like of those sections, while other important parts and pages will be completely detached from Invision. Then, in a farther future, eliminate the remaining Invision parts one by one. Kind regards

Hello! It's a work in progress and some tests have been performed successfully. If possible, but we do not promise it in any way for it's just a distant aim at the moment, we would like to offer a completely customized web site which gets rid of Invision once and for all. Kind regards

Hello! Of course, absence of evidence is not evidence of absence, but at least you can't find any proof that any identity of our customers has ever been disclosed, while such cases are notorious for various competitors. While science can't prove that there are no pink donkeys, because scientific inquiry can't bring evidence of absence, the scientific method forces you to bring a proof, specifically at least one pink donkey., to show that they exist. Now, either you bring some proof for your insinuations, or you are just another trolltard. Not at all, or at least "not necessarily",. You can still access our onion web site, or even access our regular web site through Tor, which is a much stronger clue against your fears than any audit can provide because an audit which is paid by the audited can not be trusted. Can you tell us what good the excellent audits performed on ExpressVPN (who hired CIA intelligence agent who worked for UAE government to crack activists and journalists devices) or PIA and CyberGhost (which are owned by an adware and malware specialized Israeli company) brought to customers? This shows your ignorance on how Tor works, shame on you. The power of Tor is mainly due to the fact that you don't need an audit of every single Tor relay and that end-to-end encryption has wiped out Tor malicious exit nodes which could intercept your unencrypted communications and take advantage from them even though the exit-node does not know where they come from. Please get informed before you publish such nonsense. Kind regards

@regvpn Therefore you are not able to substantiate your imaginary claim We acknowledge it and we assure the community that "regvpn" will not be able to troll here and pollute the community forum anymore.

@lex.luthor Hello! Please check rules with Bluetit not running as well. Make sure that INPUT and OUTPUT chains policy is, for both chains, set to ACCEPT when Bluetit is not running. If it's not, make sure to flush all rules and set the proper policy before you start Bluetit again. Registering a root process like Hummingbird as a "service" is another Window-ish abomination made easy by systemd which incredibly discourages true daemons even in the documentation! In general it is a bad idea. Use real daemons like Bluetit instead as you are correctly doing now, please do not follow the Windows-ish logic of systemd, at least in this case. Feel free to keep us posted! Kind regards

Hello! It's an Invision Power Board feature we don't like as well, but it's used only for your comfort. We do not exploit (if it was even possible) such data to profile you. We are anyway dropping IPB (the procedure is not trivial, we started it months ago but some more time is still needed). Also note that our web site and apps do not use tracking cookies, trackers or anything else and we run scripts to wipe out some IPB caching, just in case it was dangerous. If we had known in 2010 that IPB would have evolved in this way, our initial choice for the community and non-community forum would have probably been different ProtonMail had a court order to log and transmit the IP address of a specific account, they actually did not do it before they were served the subpoena. It's anyway a mail related issue, not a VPN one, where a subpoena can't indicate an e-mail address (we do not require an e-mail address in account data). Please note that contrarily to what numerous "competitors" did, in 11 years of activity AirVPN has never disclosed the identity of its customers, not a single one. In any case some skepticism is welcome and we invest very much on Tor (4% of worldwide Tor exit nodes traffic is supported economically by AirVPN), which is free for everyone and offers a very robust layer of anonymity. Use Tor for free in any case and especially if you can't trust us. Last but not least, the problem you have correctly underlined is negligible when compared to other dangers you must take into account. We wrote an article in 2013 to suggest how to defeat powerful adversaries, even when you can't trust one of your providers (including the VPN). It's an 8 years old article but it's still good and valid: https://airvpn.org/forums/topic/54-using-airvpn-over-tor/?tab=comments#comment-1745 Kind regards

@lex.luthor Hello! Yes, some progress in names resolution which is now successful (even though we still see an initial failure, then the resolution is successful and correct). Unfortunately now a new problem has come out: UDP appears as a blocked protocol. Might it be that you're running some other firewall frontend such as ufw that's creating some interfering rules? We remember (but we could be wrong) that some default ufw configurations create custom chains and that UDP to some ports get blocked. If that's the case can you please try again with ufw (or any other custom fw frontend) completely disabled? The error message: Nov 25 21:39:38 betelgeuse bluetit: UDP send exception: send: Operation not permitted is a typical error hinting to a local, and not external, system UDP block. Kind regards

@Pwbkkee Hello! The system does exactly what it's instructed to do and you are clearly warned that such a situation may occur if your run systemd-resolved or a network manager. The traffic flows only between your router and your system and any final public destination that's not the VPN server is blocked on the system where the AirVPN Suite runs. It's not blocked on devices where Goldcrest and Bluetit don't even run. This is so obvious that we did not think it's necessary to explicitly explain it. You can't consider Goldcrest/Bluetit responsible for something that your router, and not your system, does: Goldcrest and Bluetit do not even run on the router and they have no control over it. Thank you anyway for your point of view, we will consider to specify that the AirVPN Suite can't magically influence the behavior of devices which it doesn't run on. Kind regards

Hello! Sure. From your descriptions we assume that it's systemd-resolved the daemon handling DNS setting in your Ubuntu 20 system, so we suggest you check here: https://unix.stackexchange.com/questions/588658/override-ubuntu-20-04-dns-using-systemd-resolved Do not miss this bug, just in case it's relevant in your case: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1774632 The bug is pointed out in the above linked thread but in a minor comment and it could be missed. When you know it, patch is straightforward. If you need a recommendation on DNS servers, we suggest Quad9 (9.9.9.9) and OpenNIC, also see https://www.quad9.net/ and https://www.opennic.org If we're wrong about our first assumption, please tell us how your system handles DNS settings and we will point you in the (hopefully ) right direction. Kind regards

Hello! Suspension of constitutional rights in a state of emergency is foreseen by the Constitution itself, which explicitly mentions sanitary/public health emergency. A state of emergency, in any case, must be approved by the majority of the Parliament, it can't be declared unilaterally by the Government, and has a clear end time, after which it must be renewed again with Parliament majority approval, otherwise it ends. Human rights suspended in Italy have been suspended even in many other countries belonging to the so called "Western democracies", it's not that Italy is so special here. This has nothing to do with the above. It can be enforced even without the state of sanitary emergency. Such subpoena can't acquire anyway data which does not exist, obviously. We already told you very clearly that such traffic data retention does not exist in our infrastructure, and we mentioned the relevant EUCJ decisions on the matter to explain why some EU countries we operate servers in can't legally oblige blanket data retention in spite they try to do so, so they can be challenged successfully if a casus belli emerges.. The Privacy Notice is very clear about it too and you explicitly accepted it years ago, so you may not claim you don't know it under a legal point of view. The Privacy Notice is linked at the bottom of all of our web pages. Here some excerpt for your comfort: Maybe in your fantasy? Please point us where it is stated, because it's not true. Currently in Italy we operate only a geo-routing server, which is irrelevant for VPN data protection. Kind regards

@Pwbkkee Hello! You have various options to resolve this problem. You can have e a longer DHCP lease time (1 year is not atypical), you can disable DHCP for sensitive machines, or you may set in one second the proper firewall rule to block traffic to port 53 of your router IP address (after Network Lock has been enabled). Another solution is setting on the router, as primary DNS server, 10.4.0.1 address (VPN DNS address). Sorry that's false. Network Lock is advertised to prevent any traffic leak outside the tunnel to the Internet IPv6/IPv4 addresses, it is not advertised to lock your computer out from your router (i.e. prevent traffic to your local router) . Moreover you are clearly warned that running systemd-resolved and/or Network Manager is dangerous and may cause DNS leaks. We will think about it for port 53 for sure. It's not a big deal by the way: just see above the proposed solutions, in the meantime. Yes, with the obvious exception to your local upstream (typically your router) otherwise your system would be completely isolated and no communications would be possible, including of course VPN connections. Kind regards

@lex.luthor Hello! Thanks. As you can see the error is different now, AAAA is no more into the game. The problem now is that your DNS doesn't work, not even in IPv4. Fix it or, as a workaround, have Bluetit connect to specific servers, so that it will not rely on names resolutions. Kind regards

Hello! Italy is in breach of THREE legally binding CJEU decisions on Data Retention from 2014, 2016 and 2020 (*) and we have therefore no servers in Italy (other EU countries are in breach too, and we are already fighting in Spain, so we don't want more "battle/legal" fronts). Apart from that serious and unacceptable breach of human rights in disdain of multiple decisions of the highest court of the European Union (which hopefully will soon cause the opening of an infraction procedure by the Commission against Italy), can you be more specific about how Italy would be cracking down on human rights? About "seizing all the data", nobody can seize data which does not exist. Make sure you do not enter (but who would?) personal data in your account details, we don't even require an e-mail address (but if you use it for your comfort, make sure you use one which can not be exploited to disclose your identity or other personal information). (*) The Court of Justice declares the Data Retention Directive to be invalid https://curia.europa.eu/jcms/upload/docs/application/pdf/2014-04/cp140054en.pdf The Members States may not impose a general obligation to retain data on providers of electronic communications services https://curia.europa.eu/jcms/upload/docs/application/pdf/2016-12/cp160145en.pdf The Court of Justice confirms that EU law precludes national legislation requiring a provider of electronic communications services to carry out the general and indiscriminate transmission or retention of traffic data and location data for the purpose of combating crime in general or of safeguarding national security https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-10/cp200123en.pdf Kind regards

@waterfall Hello! Can you please confirm that after you followed AppleCare recommendations the problem got resolved? Thanks in advance! Kind regards

@lex.luthor Hello! Do you mean that AAAA resolution is attempted even when IPv6 is off? Please publish the log generated with the new settings. Kind regards

@pnnl Hello! You can now connect to port 47107 too, on all servers. WireGuard testing on server side can be considered successfully complete. We will probably advertise WireGuard support as a stable one when Eddie 2.21 is released (currently it's in beta testing). Kind regards

Hello! That's correct and expected because Network Lock does not and must not block communications with your router, otherwise your system would be completely isolated from the network. Please note that while a connection is active, your system can't query the router DNS server, because Bluetit sets VPN DNS (provided that you do not disable this feature) - and actually you need to specify in dig a specific address. It's up to you to prevent such situation when the VPN connection is not active. The "problem" is that your system gateway address is also your system DNS server address. Act accordingly by configuring properly DNS settings of either your system, your router or both. Network Lock might make an effort to prevent some communications with your router by blocking destination port 53 to your router. That's however a questionable solution and currently it's not adopted, maybe we could implement it as an option in the future. Anyway it would not work in Hummingbird but only in Bluetit, given the different network lock and persistent network lock: logic when Hummingbird drops the connection, it cancels Network Lock, while Bluetit does not, when persistent Network Lock is enabled (consider to enable it anyway). Kind regards

@lex.luthor Hello! Nov 24 11:12:45 betelgeuse bluetit: WARNING: Cannot resolve nl3.ipv6.vpn.airdns.org (Temporary failure in name resolution) Apparently your local DNS has problems with AAAA. Try to connect in IPv4 by re-setting "airipv6" to off (default value) in bluetit.rc. If your ISP does not support IPv6, you can anyway tunnel IPv6 over IPv4 (set "air6to4" to on). Kind regards