Everything posted by Staff

  1. Hello! Our first 10 Gbit/s lines dedicated only to our servers were used for the first time in Dallas, Texas, several years ago. One line is for the VPN servers and another one for the Tor nodes by Quintex. Then we had four (now six) 10 Gbit/s lines in the Netherlands. Each line was and is shared by 10 or 11 of our servers. Then Xuange came, in Switzerland, that was the first one with an exclusive 10 Gbit/s line. Ain then followed and has been the last one at the moment. As @OpenSourcerer says, prices in some locations (such as Tokyo) are too high for 10 Gbit/s and at least 600 TB traffic per month for a single server (2 Gbit/s 24/7 means you generate 600 TB in a month). Moreover, in order to beat the usual 1 Gbit/s full duplex, more powerful hardware is needed and a different software approach too. Even so, on Xuange and Ain we could not manage to squeeze more than 3-4 Gbit/s (in total, up+down) when more than 150 clients are connected, and even the most powerful CPUs available on the market, running one OpenVPN instance per virtual core, suffer. The whole system gets choked if we go up to 300 clients, which would be the minimum amount required to run those servers without losing money. Wireguard might help but it's uncertain and anyway many core customers of ours don't accept it for the notorious privacy problems, other customers can't use it for UDP blocks/shaping and so on, so we can't and we won't drop OpenVPN in any case. EDIT: it's not only a pure AES/CHACHA20 processing power issue, but also a conntrack and packet mangling huge queue related issue, which gets intertwined with pure encryption/decryption processing power problems. - pj For us, the cost per user to be provided with high bandwidth is remarkably higher with dedicated 10 Gbit/s single server lines, because we experimentally see that we can not put on such a server 10 times the users a 1 Gbit/s server can handle (unless we wanted to lower the quality of service, which is not on the table). 
Therefore, if we want to keep the same prices and at the same time we don't want to oversell, offering an infrastructure all based on a 10 Gbit/s line per server for 2.75 EUR/month (the current price for 3 years subscriptions) is not realistic. Remember that year after year prices of AirVPN went down or remained unchanged, and today AirVPN is probably the least expensive VPN around (ruled out the free ones, as they profile you or do worse things too). Maybe in the future, or maybe with a different pricing, migration to all "10 Gbit/s servers" could be pursued. We're not "over-cautious" but realistic: in the last 5-6 years, while other VPN services accumulated important debts surpassing tens and tens of USD millions (think about PIA mother company, which went down for more than 30 millions in just 3 or 4 years; and other big ones, which are forced to oversell and continuously pay for favorable bogus reviews hiding overselling in order to survive) AirVPN never ever had debts. Who would be interested in paying more (probably x3 or even x4) to have access to 10 Gbit/s dedicated lines (one line per server) on a wide variety of AirVPN locations with the usual AirVPN quality? We might start a survey to know. Kind regards
  2. And you avoid the TCP over TCP meltdown effect, i.e. when "lower and upper layers (which both are running their own version of congestion control algorithm) start competing with each other and in fact worsening the situation at each try. This is specially true for slow links and could result in terribly slow connections and constant freezing". https://hamy.io/post/0002/openvpn-tcp-or-udp-tunneling/
  3. UPDATE 3 Sep 2021 Replacement has been completed. Kind regards
  4. Hello! We confirm the problem. We have now resolved it. We deeply apologize for the inconvenience. Kind regards
  5. Hello and thank you for your choice! We confirm the problem. We are working to resolve it as soon as possible. We deeply apologize for the inconvenience. Kind regards
  6. @airvpnforumuser Yes, the option to not use the Master Password will be implemented. Not in alpha 2 but probably during the beta stage. Anyway, it will be implemented before we reach the stable release. Maybe. Would you like to collect the logcat (and send it to us) just after the problem has occurred, so we can verify what happens exactly? Hopefully it's not a crash for some Eddie bug but let's see, alpha and beta testing aim at finding out bugs. Feel free to keep us informed. https://developer.android.com/studio/command-line/logcat Kind regards
  7. Thank you for your feedback! It's a superior solution but it's not limited to "command line-binaries". Surely you have totally missed what Bluetit does. Read the documentation to understand more. On another subject, divergent from what? Maybe you don't realize that when we took OpenVPN3 it could not even run in Linux. No alternative was available, even for the reason explained by @OpenSourcerer. There is no divergence, at least not in the wicked sense you mean. Read on to understand why, on top of OpenSourcerer considerations. No doubts that a GTK based interface has not been delivered for Eddie, and no doubts that it was a promise by Eddie chief developer which was not fulfilled, mainly because Eddie was split between frontend and backend (with the backend entirely rewritten in C++ to make it free from Mono), and because the Linux and Mac software have been re-considered for Qt, which we now consider more efficient than GTK and available in other systems we're interested in (macOS, FreeBSD). Firecrest (another client for Bluetit) plans include Qt and not GTK. However, it's not true that the new development team (i.e. the one not working on Eddie desktop) spent five years for a fork, obviously. The total work on the fork so far can be summed up to just a few months in total during all the years. We do not see any "divergence" either, since OpenVPN3-AirVPN maintains full compatibility with OpenVPN 2.2 servers and higher versions, including OpenVPN 2.5. It also maintains full compatibility with profiles and directives according to OpenVPN 2 branch. We were careful not only to comply to the new OpenVPN 2.5 requirements, but even not to hurt backward compatibility with servers running older OpenVPN versions. So all the software can be used to connect to any OpenVPN based system, not only AirVPN: no divergence, no isolated ecosystem. Between 2018 and 2021, i.e. three years and a half and not five, OpenVPN3 rewrite in several parts to make it work properly has been a fraction of the work:
     • Eddie Android edition was totally rewritten to get rid of Mono completely
     • seven Eddie Android edition versions were released
     • five Hummingbird versions were released, three Bluetit and Goldcrest versions were released
     • Hummingbird has been ported to macOS
     • the (in our opinion outstanding) Bluetit Developer's Reference Manual has been written
     • some more work behind the scenes has been accomplished.
     In particular, careful Bluetit engineering and development has been rewarded by a software (incidentally a real daemon), which was never seen before in the OpenVPN clients world. OpenVPN3 by AirVPN is 108 commits ahead of the main branch, the library works very well in Linux and obeys to OpenVPN 2.5 server new options and handshake requirements, a thing that can't be said of the main branch, at least up to a few months ago. The delay of a GTK based GUI for Eddie has triggered a variety of new projects that have brought to Linux and Android users superior solutions never offered before by anybody, so at the end of the day Linux and Android users have had something much better and more will come. Kind regards
  8. Hello! The intentions of Eddie chief developer remained intentions, unfortunately. However, getting rid of Mono blob was a task which has been accomplished in Linux and macOS. The development lines for Linux have changed and the most important outcome has been the AirVPN Suite which features a fully documented, real daemon, an exclusive software with a complete reference manual which nobody has ever offered. Even Eddie Android edition, another important software which we released after 2016, does not require Mono for Android. Development of Eddie Desktop edition on one side, and Eddie Android edition, OpenVPN3-AirVPN and AirVPN Suite on the other side, have been completely split. Different development cycles, teams and plans. Bluetit also uses OpenVPN3-AirVPN library, a fork of the original OpenVPN 3 library which features very important improvements. OpenVPN3-AirVPN library, currently used by Eddie Android edition, Hummingbird in macOS and Linux, and Bluetit in Linux, has been another important development branch in the last years in AirVPN. The AirVPN Suite offers an option to all Linux users to completely drop Eddie and Mono. You can follow the "News" forum for all the information and announcements. AirVPN Suite User's Documentation: https://airvpn.org/suite/readme/ Bluetit Developer's Reference Manual: https://gitlab.com/AirVPN/AirVPN-Suite/-/blob/master/docs/Bluetit-Developers-Reference-Manual.pdf OpenVPN3-AirVPN library (108 commits ahead of the main branch currently): https://github.com/AirVPN/openvpn3-airvpn Kind regards
  9. @WYjNh056OGEG2tgNvV4iHzoNNU Hello! Please compare stability with OpenVPN 2 and report everything in a ticket. Please include complete Bluetit log and your Linux distribution name and version. You can print Bluetit log with command
     sudo journalctl | grep bluetit
     Kind regards
  10. Hello! We apologize for the late reply about the quoted comment: we do not publish source code of alpha, beta, RC etc. versions, but only of stable releases. Kind regards
  11. @airvpnforumuser Hello! Unfortunately it is impossible to port Bluetit into Android. It could be designed with heavy modifications to run only in rooted devices. As such it would remain a niche software, unused by most of our customers. It is possible to make Eddie GUI a Bluetit client, but it is not a trivial task because Eddie GUI is written in C#, and for other important reasons. Thus, Firecrest is the currently planned software which will be a Bluetit GUI. Before that, anyway, a TUI mode must be implemented into Goldcrest. Goldcrest TUI mode can in many cases be even more useful than a Qt based client because it will require only the light and available in all systems ncurses library (therefore no need for Qt or GTK or desktop environments). Yes, Bluetit can do it for your client already. Kind regards
  12. Hello! We're very glad to know it. Stop here, that's the correct solution, although we don't understand why it is not already working with the simple "Allow LAN" option when it's enabled. Probably we miss something on how the firewall rules are modified with that option and we will ask the developer. About your last attempted solution, the critical error you get is caused by the /99 mask which is illegal. Since an IPv4 address is 32 bit long, you can't specify more than 32 bits in the CIDR prefix, which is the count of consecutive leading 1-bits, from left to right, in the network mask. Thank you for the heads up, it seems it's a bug because Eddie does not sanitize the input correctly, by accepting an illegal 99 bit value as CIDR prefix. Kind regards
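The prefix check described in the post above, as an added example (not Eddie's code and not part of the original post): it bounds the CIDR prefix by the address family's bit length before the value reaches any firewall rule. The function names and sample entries are hypothetical, and it relies only on Python's standard `ipaddress` module.

```python
import ipaddress

# Address length in bits per IP version: the upper bound for a CIDR prefix.
MAX_PREFIX = {4: 32, 6: 128}


def parse_lan_entry(entry):
    """Validate 'address[/prefix]' and return the network it denotes.

    Hypothetical helper: raises ValueError with a specific reason instead of
    handing an impossible prefix to the code that builds firewall rules.
    """
    text = entry.strip()
    addr_text, slash, prefix_text = text.partition("/")
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        raise ValueError(f"{entry!r}: not an IPv4 or IPv6 address") from None

    limit = MAX_PREFIX[addr.version]
    if not slash:
        prefix = limit  # a bare address is treated as a single host
    else:
        # Accept only a plain decimal bit count: no sign, no spaces,
        # no dotted netmask, no non-ASCII digits.
        if not (prefix_text.isascii() and prefix_text.isdigit()):
            raise ValueError(f"{entry!r}: prefix must be a decimal bit count")
        prefix = int(prefix_text)
        if prefix > limit:
            raise ValueError(
                f"{entry!r}: /{prefix} exceeds the {limit}-bit "
                f"IPv{addr.version} address length"
            )
    # strict=False clears host bits, so 192.168.1.17/24 becomes 192.168.1.0/24.
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def check_entries(entries):
    """Return (entry, normalized_network_or_None, error_or_None) per entry."""
    results = []
    for entry in entries:
        try:
            results.append((entry, str(parse_lan_entry(entry)), None))
        except ValueError as exc:
            results.append((entry, None, str(exc)))
    return results


# Constructed sample input, not taken from any real configuration.
SAMPLE_ENTRIES = [
    "192.168.1.0/24",      # valid IPv4 network
    "192.168.1.17/24",     # host bits set: normalized
    "192.168.1.0/99",      # the case from the post: 99 > 32
    "fd00::/99",           # the same prefix is legal for a 128-bit IPv6 address
    "10.0.0.5",            # bare host
    "10.0.0.0/255.0.0.0",  # dotted netmask rejected by this helper
]

if __name__ == "__main__":
    for entry, network, error in check_entries(SAMPLE_ENTRIES):
        print(f"{entry:22} -> {network or 'REJECTED: ' + error}")
```

The limit depends on the address family, which is why `/99` is rejected for `192.168.1.0` but accepted for `fd00::`.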
  13. @tammo Hello! Eddie should immediately react when OpenVPN tells it that the connection has been lost, but in UDP OpenVPN may need one minute to decide that the other peer is no more there. Maybe network-manager-openvpn sets lower ping-restart time, or connects in TCP, and therefore the disconnection is detected immediately (UDP is connectionless). What happens if you set the following directive in Eddie's "Preferences" > "OVPN Directives" window?
      ping-restart 15
      It triggers a SIGUSR1 restart after 15 seconds pass without reception of a ping or a packet from the other side. Kind regards
  14. @blueport26 That's correct, Hummingbird was not planned for Windows. In Windows, a software like Eddie running in the .NET framework makes perfect sense: the framework is pre-installed and perfectly integrated with the system. Lately, it also works better than Mono does in Linux or Mac. Good luck with your GUI! Kind regards
  15. UPDATE 27 Aug 2021 VPN servers Alathfar and Carinae switch has been completed. Minkar will not be replaced at the moment and will cease operations on 03 Sep 2021. Kind regards
  16. Hello! Note that the original plan was about GTK#, not GTK, therefore Eddie's GUI would have remained anyway based on Mono. All the AirVPN Suite for Linux and Hummingbird for Mac were born to provide a software completely unrelated to Mono. In Linux you also have a real daemon, Bluetit, capable to offer a strong basis to develop any AirVPN client, even from third-party developers. In the past third-party AirVPN clients developers faced the formidable barrier of the undocumented bootstrap servers and undocumented "manifest" file format. No more problems of that kind now, as you probably know if you have checked Bluetit developer's manual. Kind regards
  17. @blueport26 The original plan was to write Eddie frontend in GTK#. According to when and IF Mono will be ported to Mac M1 based plans could change. @OpenSourcerer We were not aware of such incidents which are NOT acceptable for us, unless the author himself/herself told the developer to not be credited. Can you please provide us with all the relevant information about the incident? We will investigate for sure. Firecrest will be a Qt based client of Bluetit. Before Firecrest, however, we want to implement a TUI mode for Goldcrest. Kind regards
  18. @airvpnforumuser Hello! We're glad anyway that you posed your questions, so you know now that the most important features you required are already available in AirVPN. The famous "golden rule" makes sense nowadays too when your threat model includes an adversary with typical organized crime power: connect to a server located in a different country from the country you are in, just to make life harder to those who could perform dangerous correlations by wiretapping lines in the same country, an action which we have seen possible by criminal organizations in the past, in Western countries too. By connecting to a server in another country you often make their correlations attempts much more difficult. We will try to be even more transparent about our decisions (and their reasons) on the infrastructure and its design when possible in the future. How do you like the Bluetit developer's manual? With it and with the source code you should be able to see exactly many things, for example how the bootstrap servers work in details, and how the "manifest" file is built. On the other hand, Bluetit provides you with the option to integrate your software with AirVPN even if you don't mind about the inner mechanisms, thus greatly simplifying your development work. Kind regards
  19. @airvpnforumuser
      1) Irrelevant if not wasteful given PFS. Client certificate and keys do not allow decryption of traffic, so one that steals them has indeed nothing to decrypt.
      2) That's up to the user. We think it's a bad idea to force renewal of a key of a simple API, for some good reasons tied to customers' behavior and needs.
      3) Fluff and nonsense if referred to client certificate and static key. About PFS, what you propose is insecure, because by "rotating" key you would use the same keys over and over, periodically, so you violate the basic paradigm of Forward Secrecy, OpenVPN implements PFS, uses a one time key and renews it every 60 minutes by default. You can decide an arbitrary renewal time (<=60 minutes) and you will never use the same key again.
      4) It's already possible (since 2012) but we ask you to contact us to do so. Our requirement is caused by attempted frauds in the past.
      5) So what?
      6) That was done recently, in 2019 if we recall it correctly. Due to some technical limitations with IPB you must anyway enter at least a character in your e-mail field, but that's all. In order not to overlap with other existing e-mail field contents, just enter a random string.
      7) Incredibly awful and dangerous idea about server rotations, and we can easily see why no provider offers it. Key "rotation" is also a terrible idea, we (and OpenVPN) have something much better, check 3).
      We are very sorry to see how even our own customers are misinformed about AirVPN features or ignore essential features which have been implemented since years ago. We must be making mistakes in our communications, we will perform an internal exam (but we will not pay parasite reviewers to avoid that they hide such features, of course). Kind regards
  20. @blueport26 Hello! First and foremost we must say that we have not updated our knowledge on Poland data retention legal framework. Our old information tells us that it's NOT compliant with the latest decisions of the CJEU which forbid Member States to put any obligation on any provider of service in the information society for pre-emptive, blanket, indiscriminate data retention. All that follows is therefore based on our not up-to-date knowledge. Feel free to point us to the relevant laws if we base our decision on no more valid knowledge. Now, we can actually ignore the EU Member States legal frameworks on data retention where they clearly infringe the EU Court of Justice legally binding decisions, because in a casus belli we can challenge, or defend against, the rogue Member State with high likelihood of winning. At the same time, we must carefully decide which legal battle fronts we want to open, because legal costs for cases which must be brought up to the highest courts may easily become very high. We are already challenging Spain legal framework on Data Retention, and, given AirVPN size, it's not wise to challenge multiple Member States simultaneously. That's the main reason we do not operate VPN servers in France and Italy, other Member States whose data retention framework is in flagrant violation of the legally binding decisions of the CJEU. We're not like those marketing fluff based VPNs which lie to you and in reality perform Data Retention in the countries where it is mandatory: you have plenty of examples from the press to prove what we claim here, when VPN customers identities and activities have been disclosed because of that very same data retention the VPN providers claimed not to perform. When we say we do not retain data and metadata of your traffic we really do it, that's why we must carefully evaluate the countries legal framework we plan to operate servers within. Kind regards P.S. 
Ukraine does not oblige datacenters and VPN providers to any data retention.
  21. Hello! If all tier1 transit providers co-operated with each other to exchange all of their data and could do that with impunity in every country, you would have a global adversary-like entity, against which you can't prevent correlations between source and destination of a packet of yours. You can protect your data content against the global adversary trivially (end-to-end encryption), but you can't hide the real destination and source of your own communications (provided that you don't perform illegal war-driving and similar actions of course). What you can do is making the correlation as expensive as possible, in order to render data harvesting through correlations no more financially attractive, as long as you are not a high profile target. Please read the following, old article of ours: https://airvpn.org/forums/topic/54-using-airvpn-over-tor/?do=findComment&comment=1745 Kind regards
  22. Hello! We inform you that all of our VPN servers in Maidenhead will cease operations on 03 September 2021. They will be replaced by servers in London featuring more modern hardware. Unfortunately, both technical and non-technical reasons force us to leave the current dc in Maidenhead. Servers in London are anyway located just 40 Km from Maidenhead and they will be announced and available in the next days. The new machines will keep the same names in order to support the old FQDN used by OpenVPN client profiles. Since the datacenter seems to have put offline already a server before the natural expiration date, we could put the new servers online before the mentioned 03 September date. When new servers are turned on, older ones with the same name will be disconnected from the infrastructure. This thread will be updated, if necessary, accordingly. The replacement servers are five, while the replaced ones are six. That's because we might be adding in the future another datacenter in UK in a different location. Kind regards AirVPN Staff
  23. Hello! You can use all ports from every and each connection slot provided that you make sure that each connection ends up to a different VPN server, i.e. you must not connect more than one device to the same VPN server. Kind regards
  24. @LazyGuy Actually, early child porn censorship is catastrophic, because:
      • it warns criminals that their content has been detected and become a target, allowing them to put in place early counter-measures which may compromise future investigations and cause more atrocious sufferance to the victims
      • it is seen as an early and urgent mitigation measure, sufficient by itself, de-prioritizing or cancelling victims identification and arrest of criminals
      • it is used as political fluff to show the public that effective actions are performed
      According to the above, the investigations must follow the opposite direction, that is: FIRST you try to identify and put the victims to safety, follow the cash flow and arrest the criminals, investigate further ramifications and perform additional arrests; THEN, as a very final stage when nobody can be prematurely alerted anymore, you censor the content. Relying on censorship is once again plain stupid or hints to connivance. And always be very careful when someone wants to suppress some human right in the name of "child protection", "security against threats of any kind" and so on and so forth, because History teaches that such actions imply a sinister, hidden agenda. https://www.youtube.com/watch?v=RkmcupFx3FQ Kind regards