Staff

Hello! We're very glad to inform you that a new stable release of Eddie is now available for Linux (various ARM based architectures included), Mac, Windows. Eddie is a free and open source (GPLv3) OpenVPN GUI and CLI by AirVPN with many additional features such as: traffic leaks prevention via packet filtering rules DNS handling optional connections over Tor or a generic proxy customizable events traffic splitting on a destination IP address or host name basis complete and swift integration with AirVPN infrastructure white and black lists of VPN servers ability to support IPv4, IPv6 and IPv6 over IPv4 What's new in Eddie 2.20.0 [change] [all] OpenVPN 2.5.1 [change] [all] New default setting - Networking -> Switch to 'Block' if issue is detected, new default value: True [bugfix] [Windows 32bit] - Error at startup (released as a hotfix in 2.19.7 stable) [bugfix] [all] "Failed to compare two elements in the array" [bugfix] [all] Using OpenVPN provider other than AirVPN [bugfix] [all] IPv6 in manifest/bootstrap [bugfix] [Linux] Elevation failure on Ubuntu on some arm64/aarch64 architecture Eddie GUI and CLI now run with normal user privileges, while only a "backend" binary, which communicates with the user interface with authentication, gains root/administrator privileges, with important security safeguards in place: stricter parsing is enforced before passing a profile to OpenVPN in order to block insecure OpenVPN directives external system binaries which need superuser privileges (examples: openvpn, iptables, hummingbird) will not be launched if they do not belong to a superuser Eddie events are no more run with superuser privileges: instead of trusting blindly user's responsibility and care when dealing with events, now the user is required to explicitly operate to run something with high privileges, if necessary Backend binary is written in C++ on all systems (Windows included), making the whole application faster. Settings, certificates and keys of your account stored on your mass storage can optionally be encrypted on all systems either with a Master Password or in a system key-chain if available. Eddie 2.20.0 can be downloaded here: https://airvpn.org/linux - Linux version https://airvpn.org/macos - Mac version https://airvpn.org/windows - Windows version Eddie is free and open source software released under GPLv3. Source code is available on GitHub: https://github.com/AirVPN/Eddie Complete changelog can be found here. Kind regards & datalove AirVPN Staff

@salacronix Hello! TLS mode is mandatory because it is required by our servers, and for very good reasons. You can pick between TLS Auth and TLS Crypt. TLS Crypt is recommended, as it encrypts completely the Control Channel (important to prevent detection of OpenVPN handshake "fingerprint" by Deep Packet Inspection). Kind regards

@zurround Thank you! Problem detected and reproduced. Hummingbird and Bluetit rely on the ability of the system to change on the fly the global DNS settings. This is possible in most systems, Linux included. However, resolved seems unable to do that. It appears that every and each time someone needs to change global DNS on Linux when systemd-resolved works in any mode bypassing resolv.conf, she must stop and start systemd-resolved, forcing it to re-read the configuration. A workaround fixing the problem will be included in the next, imminent AirVPN Suite release. In the meantime you can quickly fix the problem, you don't need to reboot. You can save time by re-starting systemd-resolved when you are done using AirVPN Suite: sudo systemctl restart systemd-resolved Alternatively, you can consider to not use systemd-resolved. Kind regards

@ProphetPX Hello! Firefox is immune even in "normal" mode because it re-issues requests for Favicons even when they are cached, so it smashes the attack down very radically. According to the paper author this is a bug, but call it a bug or a feature, Firefox is not vulnerable. About Google Chrome tracking techniques, as well as Google pervasive tracking and profiling... we'll leave this relatively complex and very broad matter to the community. It has been discussed in the community forums in the past as well, if we are not mistaken. Kind regards

Hello! We're very glad to inform you that a new 1 Gbit/s server located in Auckland (NZ) is available: Fawaris. We're also very pleased to be back in Oceania. The AirVPN client will show automatically the new server. If you use any other OpenVPN client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator"). The server accepts connections on ports 53, 80, 443, 1194, 2018 UDP and TCP. Just like every other Air server, Fawaris supports OpenVPN over SSL and OpenVPN over SSH, TLS 1.3 and tls-crypt. Full IPv6 support is included as well. As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses. You can check the server status as usual in our real time servers monitor: https://airvpn.org/servers/Fawaris Do not hesitate to contact us for any information or issue. Kind regards and datalove AirVPN Team

@zurround Hello! If the problem persists, can you please send us the output of the following commands before you run the suite (when everything works) during the connection (while the system is connected successfully to the VPN) after the connection (while the problem is ongoing) cat /etc/resolv.conf resolvectl Open a terminal, and enter the above commands (in each of the above situations), then select and copy everything, finally paste into your message. Kind regards

@Aghinix Thank you! We will send this thread to Eddie developer. Kind regards

@kbps Hello! However, mega.nz operates servers in Luxembourg (at least from what we can see on the web site). We think that New Zealand poses no privacy problems at all. The issue is just finding a suitable datacenter. Kind regards

@OpenSourcerer Oh, OK, so it is impossible to identify someone in practice in the ATM described by @Mad_Max. We had the impression that you wanted to imply otherwise. About masks and other protections which make facial recognition fail, they are mandatory (in many countries in the EU you can be severely fined if you don't wear them outdoors and you don't have a medically motivated exemption, or even criminally prosecuted) or strongly recommended nowadays, so it's not a big deal, even if they were necessary. Kind regards

@Aghinix Hello! Can you tell us whether the AppImage's eddie-tray fails with the identical error, or you get a different one? What is your current Desktop Environment? Apart from the minimization problem, is anything else fine? What is your version of libappindicator? Can you please re-check whether libindicator is available? Kind regards

@OpenSourcerer Hello! It's a good idea. Actually we already have it (it is shown only to special users, we don't know if you can see it) so it would be simple to make it available to anyone. We will consider it seriously. Kind regards

@OpenSourcerer So, how is it possible that the ATMs described by @Mad_Max (which actually exist for sure) can be used in Germany to aggregate ex-post all the anonymous transactions of each person performing them, and provided that this is possible, how is it possible to link that video footage to an identity (for example if the aggregated withdrawals total exceeds some anti-laundering limit by law). This is technically very interesting and raises questions on the fundamental right to privacy. If confirmed, it may be advisable to use ATM with facial masks, glasses and adequate hats, which make facial recognition impossible (currently). Kind regards

Hello! You can add Estonia and update the list: we have a 1 Gbit/s server in Tallinn, Estonia: https://airvpn.org/servers/Alruba/ New Zealand would be great, especially when you consider the infamous and outrageous anti-encryption law which prevents us from operating in Australia: we have been and we are struggling to find the right infrastructure. We'll keep searching. Kind regards

Hello! From a private message from @monstrocity we understand that he/she has not understood what we wrote. If that was the case for other readers, here comes some more explicit clarification. Iskandar load at 86% means that it has still 858 Mbit/s free Okab load at 34% means that it has still 1360 Mbit/s free In general, 100% load means that you have 700 Mbit/s free on Japan servers. Re-read our messages to understand why. Furthermore, the CPU load is not heavy. These servers can achieve 1.7 Gbit/s with just four OpenVPN instances (experimentally confirmed, so it's for sure). The problem might be different: you experience congestion in the weakest hop or interconnection between your ISP and our ISP during specific peak times your ISP network is congested (or traffic shaping is enforced) in the peak times you mentioned our datacenter (*) is congested in the peak times you mentioned a combination of two or all of the above points In the first two cases, we can't do anything. In the third case, we can't do anything on that datacenter (adding servers would be mainly useless, of course) except pushing legally for the bandwidth we must have by contract (8 Gbit/s total, or 4 Gbit/s full duplex, as you prefer). However, since we do not experience the problems you mention, not even from Italy or other dedicated servers, we tend to exclude the third option. Thread will remain locked for 24 hours to avoid looping around the same biased arguments over and over. (*) Our Tokyo servers are in Equinix TY8 dc https://www.equinix.com/locations/asia-colocation/japan-colocation/tokyo-data-centers/ty8/ Kind regards

Hello! We don't understand this last message of yours. We have just shown you with clear data that there is no overload at all. During the peak times you have defined there's plenty of free bandwidth and CPU time. We closely monitor all servers, not only Japan ones, and when necessary we add servers or bandwidth. Kind regards

Hi, since when in Germany ATMs perform identification via facial recognition without informing the citizen? What facial database are they authorized to access to have a match? Kind regards

@monstrocity Thank you! Round trip time shown by Eddie is very unreliable and must not be taken as an absolute value, but has its usefulness as a relative value. We will keep an eye on Japan. Currently there's still a lot of free bandwidth 24/7 as you may easily verify (check the average bandwidth over a day, a week, a month etc. on each Japan server from https://airvpn.org/status ), On average, Japan servers are still busy only 50% during a weekend. Let's see the next ones. However, we must keep into account CPU load, because those servers are not able to use full 2 Gbit/s (that's why we report, for maximum transparency, only 1 Gbit/s). Iskandar - Picture shows that Iskandar bandwidth is on a weekly average 58% free on a 500 Mbit/s full duplex basis and that on peak times it reached 1.6 Gbit/s (out of 1 Gbit/s full duplex), which is not yet 100% CPU (these servers' hardware can reach a maximum of 1.7 Gbit/s) Kind regards

@Agrock Hello! We can see two possible explanations, which need a verification. 1) It could be some form of traffic shaping enforced by your ISP (or your router, but it would be so refined that we doubt that your router enforces it without your knowledge). It can't be against UDP tout court, because Wireguard works in UDP. It might be a fuzzy logic based shaping against BitTorrent: when it detects a specific pattern in UDP to specific ports, for example 443 Even if you use a VPN, torrent traffic pattern may be recognized, although with a low degree of reliability. Traffic shaping based on encrypted traffic patterns was widespread about 15-18 years ago, then it was dropped because it was unreliable and caused a plethora of negative side effects unexpected by the ISPs themselves. Traffic shaping is not triggered: when you use Wireguard in UDP, maybe because you connect Wireguard to some other port (which one?) when you use OpenVPN in TCP + tls-crypt, maybe because traffic shaping is not triggered anyway when UDP does not enter into play Counter-check to validate or falsify the assumptions may be based on using Wireguard in UDP to port 443, or connecting OpenVPN in UDP + tls-crypt to the same port Wireguard connects to (if possible) and then running torrent software. 2) Another potential explanation is that you have Windows, and you use the TAP driver with OpenVPN. Windows OpenVPN TAP driver is infamous to cause various bandwidth bottleneck problems in Windows, even (but not limited to) with torrents and/or UDP. If that was the case, you can now use wintun even with OpenVPN (2.5 or higher version required). Kind regards

@busybee911 Hello! After you have stopped and disabled systemd-resolved you should generate your own resolv.conf file before running Eddie, or restart networking and let network-manager do that (via DHCP etc.) if you wish to query the router. The new resolv.conf file will then be the file that Eddie will restore when its job is finished. Kind regards

@triggerdingus Hello! Can you confirm that you run some Linux distribution? If so, developer managed to reproduce the crash, so the matter is under investigation. Kind regards

@Agrock Hello! For the error description: https://developer.apple.com/forums/thread/42334 Of course, knowing what it means does not tell us why the kernel runs out of memory while OVPN 3 is over UDP and why only in macOS. We will keep an eye on it. How frequently do you have this problem? Kind regards

@Searching Hello! Please open a ticket and send us a system report generated by Eddie: click "Log" tab, click the LIFE BELT icon, click the "copy all" icon and paste into your message. The system report should provide us with a better insight. Kind regards

Hello! In this case Hummingbird is not for you. We have planned a GUI for Bluetit in the next months based on Qt (Firecrest). Initially it will be available for Linux but it will be ported to macOS later on, together with Bluetit. Before that, we will add to Goldcrest a TUI based on ncurses. In the meantime you may run Eddie, once you have resolved the problems you have reported with the help of the support team. In turn, Eddie can run Hummingbird, in place of OpenVPN (it features a specific option in Preferences to do that), to boost your Mac performance in the VPN. Kind regards

@Terry Stanford Hummingbird for maCOS: Latest release overview: https://airvpn.org/forums/topic/48834-macos-hummingbird-111-released/ Manual and documentation: https://airvpn.org/hummingbird/readme/ Download page: https://airvpn.org/macos/hummingbird/ Kind regards

@Terry Stanford Hello! Please open a ticket at your convenience. Kind regards