Staff

@Maggie144 Thanks. AES-CBC is not supported on the data channel (hence "bad cipher" error). When you configure AES-GCM, we see that you can't reach Kitalpha on port 53 at all. In fact the server is reachable on port 53, and the problem could be caused by your ISP (for example by hijacking all packets to port 53, as Vodafone did some time ago). Can you try different servers and different ports? Kind regards

@Maggie144 Hello! Now the connection goes through but it's broken almost immediately, that's why you can't browse: We also notice that your system DNS setting seems wrong (10.17.151.1 is a DNS of another subnet of the same VPN server you're connecting to), as if a system restore from a previous connection to the same server on a different port was not performed correctly. Please try the following procedure and let's see whether the problem is resolved and if it re-occurs: make sure that Hummingbird is not running verify the DNS settings of your system and set the correct DNS delete the whole content of /etc/airvpn with command "sudo rm /etc/airvpn/*" reboot the system try again a connection with Hummingbird Kind regards

@Maggie144 Hello! We can't reproduce the issue with config files generated with the same settings (for example Alrami, UDP, 443 etc.). Can you send us one of those files (1, 2, or 3, for 4 and 5 the outcome is expected), without certificate and key? Yes, that's normal, because Eddie takes care to prepare the first tunnel (via SSH or stunnel) first, and only later it tells OpenVPN how to connect to that first tunnel. Kind regards

@Maggie144 Hello! The problem is here: Apparently you have generated a configuration file for OpenVPN over SSH/TLS connections, i.e. OpenVPN should connect locally to a previously established SSH or TLS tunnel. Since SSH or stunnel do not run, OpenVPN fails. Can you please check and generate a new ovpn file? Kind regards

Version 2.21.4 (Fri, 18 Feb 2022 12:04:45 +0000) [new] OpenVPN 2.5.5 [new] Allows setting a generic adapter (and not only a specific IP address) in "Interface used for connection" [change] Added an IPv6 bootstrap address in boot manifest [change] A useless, wrong error message if connection fails (about object not defined) [change] [windows] Improvement about driver detection [change] [windows] wgtunnel.dll 0.5.2 [bugfix] [windows] Unquoted service path fix [bugfix] [linux] bug with iptables/iptables-legacy/nftables in some distribution [bugfix] Useless re-auth for non-beta users [bugfix] Other minor fixes

@SleepySocks Hello! A new Eddie beta version is coming out very soon (maybe even today). It features some fixes related to nft. Can you please test the new version when it's available (check the "News" forum) and verify whether the problem is resolved or not? Kind regards

Hello! Soon after IPv6 implementation years ago, but it was not advertised and we also wrote a message claiming it was not supported. That message was wrong. Kind regards

@OpenSourcerer @deguito18090 Hello! We're glad to inform that inbound packet forwarding is implemented for IPv6 too. Please feel free to open a ticket for additional investigation. Out of curiosity, IPv6 DNAT and Masquerading are supported even in Linux starting from netfilter6 in kernel 3.9.x or 4 if we remember correctly. Kind regards

@blatrala Hello! Thank you for your choice. We can't reproduce the issue, either with Firefox, Safari or Chromium. Can you tell us your browser and Operating System names and versions? Are cookies and javascript allowed in the browser? Have you tested with disabled add-ons? Kind regards

Hello! The AirVPN guide to correctly configure your torrent software and optimize performance in AirVPN by using inbound remote port forwarding and avoiding wrong settings is available in the FAQ: https://airvpn.org/faq/p2p/ Kind regards

Hello! Update: AirVPN Suite 1.2.0 Release Candidate 1 is now available. Original message download links and changelog have been updated accordingly. RC 1 is linked against the new OpenVPN3-AirVPN library and fixes all the glitches you have found so far in beta 1. Thank you for your tests! Kind regards

Hello! Update: Hummingbird 1.2.0 Release Candidate 1 is now available. Links to download the packages have been updated in this thread first message. Thank you very much for your tests! Kind regards

Hello! If you still need to increase the UDP buffer size beyond please see here: http://slaptijack.com/system-administration/mac-os-x-tcp-performance-tuning/ The article pertains to TCP but the principle is identical. By increasing mbuf clusters through setting ncl boot argument via nvram, you will be able to increase kern.ipc.maxsockbuf value after the bootstrap. So, if you need more buffer room to avoid the mentioned errors, you can have it. Maximum software buffer in bytes should be ~ (1/16) * ncl (each cluster is 2048 bytes). Remember to run nvram with root privileges and reboot to apply boot argument change. Please, we kindly ask you to keep us informed. Kind regards

@Maggie144 Hello! It was probably caused by lack of Internet connectivity. Once the connection is over Eddie is in control and is the one "checking authorization" indefinitely, Hummingbird is not running. The fact that Eddie was unresponsive to "Cancel" and kept going on indefinitely might be an Eddie's bug, we will verify. Kind regards

@Monotremata Hello! Please set the UDP buffer at its maximum size: sudo sysctl -w kern.ipc.maxsockbuf=16554432 and test again. See also: https://airvpn.org/forums/topic/46764-hummingbird-110-released/?do=findComment&comment=173140 Please keep us posted. Kind regards

Hello! Fixed, can you please try again now? Kind regards

Hello! Two tips to make the "quick" connection quicker in Eddie. Maybe you can't have the same lightning speed you have in Android and in general on Linux based systems, but you can improve remarkably the current situation. Disable route check and DNS check, provided that you keep Network Lock enabled. You can disable route check by unchecking "Check if the VPN tunnel works" in "Preferences" > "Advanced" window, while you can disable DNS check by unchecking "Check Air VPN DNS" in "Preferences" > "DNS" window. By doing so you disable security checks, thus Network Lock becomes important and probably you want to keep it always enabled. Define a white list of servers or countries, respectively in "Preferences" > "Servers" and "Countries" window which suit your needs, when you are confident to do so. Eddie will compute round trip times only of servers included in the white list, so the tests will be very few and you will save plenty of time. If you are confident to connect always to the same pool of servers, you might even completely disable any test, and save even more time. You can do so in "Preferences" > "Advanced" window by unchecking "Enable latency tests" Kind regards

Hello! Explanation found. OpenVPN3 hard codes internally the OpenSSL header value at compilation time, even though OpenSSL is linked dynamically. So, if you compile in, say, Debian 9 to ensure maximum compatibility, OpenVPN 3 will claim "1.1.0h" regardless of the actual OpenSSL used during runtime. It's a wrong approach our library inherited from the master branch. The correct approach would be for example using the proper library function to get and return the library version and avoid the aforementioned hard coding. We are going to fix this botch in our fork asap. EDIT: fix implemented in OpenVPN3 AirVPN 3.7.2. AirVPN Suite 1.2.0 RC 1 is now linked against the new library. Kind regards

@OpenSourcerer Hello! Sure, the *.rc templates will be adjusted accordingly. The Suite must use system OpenSSL library, simply because it has nothing else. That log entry is very strange, as OpenSSL 1.1.0 is nowhere, and we have noticed the same on a different system (Fedora 35). Under investigation. Thanks again. Kind regards

Hello! Yes, ipv6 option has been removed. From the changelog: [ProMIND] Removed ipv6 command line option and replaced with allowuaf option (Allow Unused Address Families) in order to comply to the new OpenVPN3 specifications The next user's manual which will be published with the stable release will reflect the change. Kind regards

Hello! We're very glad to inform you that we have just released Hummingbird 1.2.0 macOS (High Sierra or higher version required). UPDATE 15 FEB 2022: Release Candidate 1 is available UPDATE 08 MAR 2022: Release Candidate 2 is available UPDATE 17 MAR 2022: Release Candidate 3 is available 24 MAR 2022: Production Release is now available Main features Lightweight and stand alone binary No heavy framework required, no GUI Small RAM footprint Lightning fast Based on OpenVPN 3 library fork by AirVPN robust leaks prevention through Network Lock based on pf - working perfectly on Big Sur and higher versions too proper handling of DNS push by VPN servers capable of higher throughput than OpenVPN 2.5 What's new bug fixes pertaining to --restore-network --pause --resume and --reconnect options update of all support libraries improved handling of AirVPN IPv6 bootstrap servers higher performance, mainly thanks to the new OpenSSL library version. Both Apple M1 and Intel based Mac performances are finally on par with Linux and Windows ones. Throughput as high as 650-700 Mbit/s has been reached both with CHACHA20 and AES-GCM, both on M1 and Intel based Mac computers Check the changelog for detailed information. Download Hummingbird for macOS is distributed in plain versions for M1 and Intel based Mac computers. Notarized versions will be available with the stable release. Download page: https://airvpn.org/macos/hummingbird/ Hummingbird is released under GLPv3. Source code and repository: https://gitlab.com/AirVPN/hummingbird Changelog Version 1.2.0 - 22 March 2022 [ProMIND] production release Version 1.2.0 RC 3 - 17 March 2022 [ProMIND] updated to OpenVPN3 AirVPN 3.8.1 [ProMIND] do not check for supported ciphers in OpenVPN config file in case eval.cipher is empty [ProMIND] changed references of ClientAPI::OpenVPNClient class to ClientAPI::OpenVPNClientHelper to conform to the new OpenVPN3 client class names [ProMIND] replaced calls to removed OpenVPN client's eval_config_static() with ClientAPI::OpenVPNClientHelper::eval_config() Version 1.2.0 RC 2 - 8 March 2022 [ProMIND] Added --list-data-ciphers option [ProMIND] Check and validate requested data cipher according to VpnClient's supported ciphers [ProMIND] Normalized (extended) bool values for options allowuaf, compress and network-lock Version 1.2.0 RC 1 - 15 February 2022 [ProMIND] Updated to OpenVPN 3.7.2 AirVPN Version 1.2.0 Beta 1 - 7 February 2022 [ProMIND] updated to OpenVPN 3.7.1 AirVPN and latest support libraries and support projects [ProMIND] Added SSL library version to version message [ProMIND] Removed ipv6 command line option and replaced with allowuaf option (Allow Unused Address Families) in order to comply to the new OpenVPN3 specifications [ProMIND] Added OpenVPN and copyright information and SSL library information to the welcome message [ProMIND] Fixed recover network procedure. It now properly checks the existence of network backup file Thank you for your tests! Please feel free to report any bug, malfunction etc. on this thread or through a ticket. Kind regards & datalove AirVPN Staff

@OpenSourcerer Thank you! Do you have "ipv6 on" in your goldcrest.rc ? We brought in from OpenVPN3 main branch the IPv6 member deletion and other IPv6 related modifications. EDIT: ...so ipv6 option is no more supported (check our next message). Kind regards

@colorman Hello! The failure is 2022-02-09 11:35:55 Client exception in transport_recv: crypto_alg: AES-256-CBC: bad cipher for data channel use AES-CBC cipher must not (and is not according to our tests) be selected with default settings. Therefore we would like to see the content of the mentioned files to understand how AES-CBC happened to be selected. Forget about Goldcrest running options, we see that you give Goldcrest an ovpn file to parse. Please note that if you generated an OpenVPN configuration file for OpenVPN 2.4, the directive: cipher AES-256-CBC will be included. This directive will cause the error you see on latest OpenVPN3-AirVPN and OpenVPN 2 versions. To generate a proper configuration file for AirVPN Suite and latest OpenVPN 2.5 releases, tick "Advanced Mode", then select "OpenVPN >= 2.5". In this way the aforementioned directive will not be included. Alternatively, do not use ovpn files at all (Bluetit and Goldcrest don't require them with AirVPN). Kind regards

@colorman Hello and thank you! AES-CBC for Data Channel is no more accepted and should not be picked automatically, can we see your bluetit.rc and goldcrest.rc files content? Kind regards

@OpenSourcerer Hello! Thank you, bug confirmed and fixed. Before the next version comes out, you might like to use "--air-connect" in place of "-O" to keep testing. Kind regards