Staff

@cloudofsky Hello! Can we see the complete Goldcrest log, Bluetit log and bluetit.rc and goldcrest.rc files content? To print Bluetit log: sudo journalctl | grep bluetit Kind regards

@Breeze Hello! Thank you! Access activation to Wireguard beta testing will be available in the "Client Area". We will have more information on a definite date very soon, we're still working on it. Announcement will follow in "News" forum. Can you also tell us your Linux distribution name and version? If you run Eddie beta from other packages (not the AppImage) do you see the same crash? Kind regards

Hello! Please be aware that the core router serving our servers in Dallas (TX, USA) will be replaced on Saturday October the 9th at 18.00 UTC (20.00 CEST). Expected downtime of all of our servers is approximately 1 hour. Kind regards

@y0wl Hello! The procedure you describe should not be necessary as Eddie must take care of it. However some old Eddie version has a bug and Hummingbird could not be launched because it was not owned by root. Eddie, for security reasons, does not start with root privileges anything not owned by root. Do you still need the procedure you describe with Eddie latest release 2.20.0? Kind regards

Hello! The current state of play as well as important clarifications. The issue occurs only in those OpenVPN clients linked against OpenSSL 3 and only to some of our users, see below Since 2017, our system generates CRT signed with SHA512 algorithm. Previously they were signed with SHA1. Regeneration of old CRT is not triggered and forced by us automatically, because it would invalidate any previous OVPN configuration file out there and lock out the user who does not follow our forum, notification e-mails etc. @rprimus you have a client CRT (user.crt) dated 2015. You and anybody else using pre-2017 user certificates: please go to your "Client Area" > "Devices" menu, renew your cert/key pair, re-download your OVPN configuration files from the Configuration Generator, use them and you will be fine. (*) The problem has never been caused by the CA certificate. Replacing the CA.crt is not mandatory, it just avoids warning message (that you can safely ignore and has nothing to do with the main issue of this thread) you may meet in Eddie Android edition, Hummingbird and Bluetit. Anyway, now even ca.crt is SHA512 signed, so you will not get anymore the mentioned warning (*) Yellow rows show certificates which use a signature based on a deprecated for security reasons hash algorithm (SHA1). They are still here to ensure backward compatibility, because we can't know whether you still use them in generated profiles. However, future OpenVPN versions might not allow them anymore. Click 'Renew' or 'Delete' to resolve the issue. After that, re-generate profile(s) with our Configuration Generator. If you run our client software Eddie, you just need to log your account out and in again from the main window. Kind regards

@OpenSourcerer @77festus77 Thank you. Can you tell us how you reproduced the problem? In our current tests, OpenVPN for Android 0.7.25 (latest version on the Play Store) connects fine to our servers, both on entry-IP addresses 1 and 3. Tested on various devices based on Android 6, 10, 11. Apart from various app explosions, when it does not crash it connects fine. Kind regards

Hello! Signature of a root CA certificate is there only as a dummy one, and the verification of a CA certificate is not based on any signature, obviously. So, there is no security hazard coming from the signature algorithm of a root CA certificate. Anyway if the source of the problem is the one you mention we will plan some solution to have OpenVPN for Android compatible again. It will take some time, so you might consider to run Eddie Android edition 2.4 or 2.5 alpha in the meantime. "The purpose of the signature in a certificate chain is that a higher authority certifies a lower authority. For a root CA, there is no higher authority by definition (that's what "root" means), so there is nobody who could possibly sign the certificate. Since, as was mentioned, certificates must be signed, root CAs are signed with a "dummy" signature, and the simplest way to do that, is to self-sign. So, not only is there no need to verify, the very idea of verifying the signature of a root CA is non-sensical." Jörg W Mittag, in https://serverfault.com/questions/837994/why-are-ca-root-certificates-all-sha-1-signed-since-sha-1-is-deprecated Kind regards

@cloudofsky Hello! Yes, please check the manual here: https://airvpn.org/suite/readme/#goldcrest-client The option meeting your needs is: List items shall be separated by a comma. Enjoy AirPVN suite! Kind regards

@apero We confirm what we wrote in our initial message, we're sorry. @apero No doubts, but it's the system that's designed to prevent VPN connections at boot, and we loosely suspect that it's a deliberate choice. Remember that you have very limited control on "your" Android TV device, with limited privileges. We would be glad to implement some hack to allow connection at boot; so far we did not find any, unfortunately. Kind regards

UPDATE 2021-10-01: we have modified server side chain order. Therefore, even old TLS libraries bugs should not enter into play anymore. The quick fix is no more needed. Please feel free to report any malfunction. Hello! If you are running Eddie Desktop edition and you have started experiencing route check failures, read on. We have here a clear explanation, an easy solution and a slightly more complex solution as an alternative. Please make sure that you're running Eddie 2.19.7 or higher version (upgrade if necessary). The best solution is upgrading your TLS library and your curl and libcurl packages. However, if you can't or don't want to do so, a quicker and very simple workaround is available: from Eddie's main window select "Preferences" > "Advanced" de-tick "Check if the VPN tunnel works" click "Save" from Eddie's main window select "Preferences" > "DNS" de-tick "Check Air VPN DNS" click "Save" from Eddie's main window enable Network Lock The above quick fix will resolve the problem on Eddie. The initial checks become useless when you keep Network Lock enabled, so you don't have to worry about safety and security. We are considering whether packaging Eddie with proper curl and libcurl builds linked against very recent TLS libraries, but we must consider all the potential issues in each system. Explanation of the issue: consider that AirVPN uses mainly LetsEncrypt certificates. Then read here: https://blog.germancoding.com/2021/04/16/lets-encrypt-and-expired-root-certificates/ Now, if you run a cURL version linked against OpenSSL older than 1.1.0, or LibreSSL version older than 3.2.0, or GnuTLS version older than 3.6.7, the validation chain will fail (messed up path building) with the current LetsEncrypt certificates. It's a TLS library bug working in negative synergy with LetsEncrypt decision. Special thanks to Ryan Sleevi who made us understand exactly the nature of the problem with his great article written more than a year ago and which we read only now: https://medium.com/@sleevi_/path-building-vs-path-verifying-implementation-showdown-39a9272b2820 Kind regards

Hello and thank you for your choice! Please make sure that you're running Eddie 2.19.7 or higher version (upgrade if necessary). Then, please try the following settings: from Eddie's main window select "Preferences" > "Advanced" de-tick "Check if the VPN tunnel works" click "Save" from Eddie's main window select "Preferences" > "DNS" de-tick "Check Air VPN DNS" click "Save" from Eddie's main window enable Network Lock Try again connections to various servers. Explanation of the issue: consider that AirVPN uses mainly LetsEncrypt certificates. Then read here: https://blog.germancoding.com/2021/04/16/lets-encrypt-and-expired-root-certificates/ Now, if you run a cURL version linked against OpenSSL 1.1.0 or older versions, or against LibreSSL older than 3.2.0, or GnuTLS older than 3.6.7, the validation chain will fail (and Eddie does use libcurl and curl). It's a TLS library bug. At the moment we can not fix on our side: we would cut out all Android versions older than 7.1, and we don't want to do so . Momentarily, the above quick fix will resolve the problem on Eddie. The initial checks become useless when you keep Network Lock enabled, so you don't have to worry about safety and security. Kind regards

Hello and thank you for your choice! Please make sure that you're running Eddie 2.19.7 or higher version (upgrade if necessary). Then, please try the following settings: from Eddie's main window select "Preferences" > "Advanced" de-tick "Check if the VPN tunnel works" click "Save" from Eddie's main window select "Preferences" > "DNS" de-tick "Check Air VPN DNS" click "Save" from Eddie's main window enable Network Lock Try again connections to various servers. Explanation of the issue: consider that AirVPN uses mainly LetsEncrypt certificates. Then read here: https://blog.germancoding.com/2021/04/16/lets-encrypt-and-expired-root-certificates/ Now, if you run a cURL version linked against OpenSSL 1.1.0 or older versions, or against LibreSSL older than 3.2.0, or GnuTLS older than 3.6.7, the validation chain will fail (and Eddie does use libcurl and curl). It's a TLS library bug. At the moment we can not fix on our side: we would cut out all Android versions older than 7.1, and we don't want to do so . Momentarily, the above quick fix will resolve the problem on Eddie. The initial checks become useless when you keep Network Lock enabled, so you don't have to worry about safety and security. Kind regards

Hello and thank you for your choice! Please make sure that you're running Eddie 2.19.7 or higher version (upgrade if necessary). Then, please try the following settings: from Eddie's main window select "Preferences" > "Advanced" de-tick "Check if the VPN tunnel works" click "Save" from Eddie's main window select "Preferences" > "DNS" de-tick "Check Air VPN DNS" click "Save" from Eddie's main window enable Network Lock Try again connections to various servers. Explanation of the issue: consider that AirVPN uses mainly LetsEncrypt certificates. Then read here: https://blog.germancoding.com/2021/04/16/lets-encrypt-and-expired-root-certificates/ Now, if you run a cURL version linked against OpenSSL 1.1.0 or older versions, or against LibreSSL older than 3.2.0, or GnuTLS older than 3.6.7, the validation chain will fail (and Eddie does use libcurl and curl). It's a TLS library bug. At the moment we can not fix on our side: we would cut out all Android versions older than 7.1, and we don't want to do so . Momentarily, the above quick fix will resolve the problem on Eddie. The initial checks become useless when you keep Network Lock enabled, so you don't have to worry about safety and security. Kind regards

Hello and thank you for your choice! Please make sure that you're running Eddie 2.19.7 or higher version (upgrade if necessary). Then, please try the following settings: from Eddie's main window select "Preferences" > "Advanced" de-tick "Check if the VPN tunnel works" click "Save" from Eddie's main window select "Preferences" > "DNS" de-tick "Check Air VPN DNS" click "Save" from Eddie's main window enable Network Lock Try again connections to various servers. Explanation of the issue: consider that AirVPN uses mainly LetsEncrypt certificates. Then read here: https://blog.germancoding.com/2021/04/16/lets-encrypt-and-expired-root-certificates/ Now, if you run a cURL version linked against OpenSSL 1.1.0 or older versions, or against LibreSSL older than 3.2.0, or GnuTLS older than 3.6.7, the validation chain will fail (and Eddie does use libcurl and curl). It's a TLS ibrary bug. At the moment we can not fix on our side: we would cut out all Android versions older than 7.1, and we don't want to do so . Momentarily, the above quick fix will resolve the problem on Eddie. The initial checks become useless when you keep Network Lock enabled, so you don't have to worry about safety and security. Kind regards

Hello! Now we do not enforce any micro-routing to Binance, we have just re-checked and we have tested from Netherlands servers to confirm. Can you please re-check now? Kind regards

Hello! VPN DNS and "Assigned IP address" technical specifications just changed. All the changes have been reported in the https://airvpn.org/specs page. The changed section is: Assigned IP Servers support both IPv4 and IPv6 tunnels and are reachable over IPv4 and IPv6 on entry-IP addresses. DNS server address is the same as gateway, in both IPv4 and IPv6 layer. Chosen IPv4 Local Address OpenVPN: 10.{daemon}.*.*, Subnet-Mask: 255.255.255.0 WireGuard: 10.128.0.0/10 Chosen IPv6 Unique Local Address (ULA) OpenVPN: fde6:7a:7d20:{daemon}::/48 WireGuard: fd7d:76ee:e68f:a993::/64 The new sections are: DoH, DoT Every gateway/daemon assigned to you acts as a DNS (port 53), DoH (dns-over-http, port 443), DoT (dns-over-tls, port 853). DoH and DoT don't add any actual benefit, because plain DNS requests are encrypted inside our tunnel anyway. However, users might need it for special configurations. In such cases, use dns.airservers.org (automatically resolved into VPN gateway address). Our DNS returns a NXDOMAIN for "use-application-dns.net", for compatibility reasons. Special resolutions check.airservers.org - Gateway IPv4 and IPv6 addresses exit.airservers.org - Exit-IPv4 and exit-IPv6 addresses use-application-dns.net - NXDOMAIN, for DoH compatibility, ensuring Air DNS will be used (for anti-geolocation features) Special URLs https://check.airservers.org - Info about connected server https://check.airservers.org/api/ - Same as above, in JSON Use https://ipv4.airservers.org or https://ipv6.airservers.org - Same as above, specific IP layer Kind regards and datalove AirVPN Staff

Hello and thank you very much for your tests! This is no more a problem in Android 8 and higher versions. Do not turn VPN Lock on, but enable "Always on VPN" and its sub-option "Block traffic not in the VPN tunnel" in the Android settings. You will have complete leaks prevention and ability to re-connect, without leaks between disconnection and re-connection, in case of unexpected disconnection. We will investigate on the other bugs you found. We guess that you can't send us Eddie's log because in your system the "share" button crashes the app when tapped, right? What about a logcat, do you have the option to take it and send it to us after you have reproduced the various problems including the crash? https://www.siteforinfotech.com/capture-android-logs-minimal-adb-and-fastboot/ Kind regards

@airvpnforumuser Hello! We have failed so far to reproduce the problem you reported. Can you please tell us your device brand and model, and your exact Android version? You could also send us the first lines of Eddie log where thorough system information is printed. Thanks in advance! Kind regards

Yes, Google Search can index web sites even when the web server listens to non-standard ports, according to some Google executives. https://webmasters.stackexchange.com/questions/77378/does-google-treat-different-ports-as-different-sites https://webmasters.stackexchange.com/questions/61762/does-google-crawl-and-index-sites-hosted-on-an-ip-address-only-with-no-domain-n/61767#61767 Kind regards

@BKK20 Exactly. The port is always added as it is an integral part of the URI, but when omitted in the URI, this is auto-completed with :80 and :443 respectively for HTTP and HTTPS, as we already told you twice. AirVPN does not allow remote inbound port forwarding of ports between 1 and 2048, as reported in the FAQ and the manual. AirVPN is not a hosting provider. You might rent a VPS or a dedicated server to run your web server or any other service, and then you may make your service reachable on any port you like. If you don't need any privacy or anonymity layer for your web server (or other service), that's a logical solution, and it's not expensive. Kind regards

@BKK20 Step 1 is almost correct: please remember that our VPN servers have different entry and exit-IP addresses The relevant DNS record must be set to the exit-IP address. Step 2 is correct.. "after that" is not correct. The proper URI for your browser would be http://www.example.com:34567 or https://www.example.com:34567 (http or https according to your web server settings). Also remember to access your web server running behind a VPN server from a machine that's not connected to the same VPN server. Kind regards

@Stalinium Thank you! The problem has been resolved with the domain name. However, we still have issues with three servers in Dallas, including Pegasus, which have been closed (so they will not be picked for names resolution or by our software). We are working on them. EDIT: problem resolved. Kind regards

@JBronson Hello! The 1st problem was here: Sep 25 05:19:21 mostfantasticfox bluetit[2260]: Bluetit is already running or did not exit gracefully on its last run or has been killed. Exiting Sep 25 05:20:23 mostfantasticfox bluetit[2164]: Requested method "bluetit_status -> Bluetit is connected to VPN" Bluetit was in a dirty status and refused to proceed. However, when queried about the status it replied with the wrong message "connected to VPN". This is a bug we need to fix, thank you for having found it out, which explains why no tun interface was up when Bluetit misleadingly reported it was connected to the VPN. Later on, Bluetit does not detect anymore a dirty status but the nameserver remained set to a VPN DNS address, which is inaccessible from outside the VPN. Maybe you have tried to recover the network settings manually and you forgot to restore DNS? We ask because suddenly Bluetit does not detect anymore a dirty status and refuses to perform a network recovery: Sep 25 05:33:09 mostfantasticfox bluetit[1648]: Requested method "recover_network -> " Sep 25 05:33:09 mostfantasticfox bluetit[1648]: Requested method "Bluetit does not need a network recovery." Therefore, the subsequent connection attempts are doomed: Sep 25 05:28:21 mostfantasticfox bluetit[1441]: Allowing system DNS 10.7.58.1 to pass through the network filter Sep 25 05:28:31 mostfantasticfox bluetit[1441]: WARNING: Cannot resolve ca3.vpn.airdns.org (Temporary failure in name resolution) and Bluetit enters an infinite loop of re-connection attempts which don't succeed for the same reason. In order to resolve the issue, please make sure that Bluetit has exited cleanly and is not running, then manually modify DNS settings. Pick your favorite, publicly accessible, nameservers. Kind regards

Hello! Yes of course. Maybe you have missed the answers twice, please check them: https://airvpn.org/forums/topic/49776-own-webhosting-port-fowarding-set-a-record/?do=findComment&comment=169233 https://airvpn.org/forums/topic/49776-own-webhosting-port-fowarding-set-a-record/?do=findComment&comment=169282 Kind regards

Hello! 1. Thank you very much for your tests and bug report! We will check and fix. 2, Yes. Next version (either alpha 3 or beta 1, we'll see) will offer a range of options to start Eddie and have your device connected to AirVPN even without profiles, when the Master Password is disabled, during the bootstrap. Kind regards