Posts posted by Staff

  1. @cannac


    We can confirm the problem when "country" has a value (any value, not only US). Please comment out your country US line in bluetit.rc file and you should be fine: Bluetit will pick the "best rated" server between those included in the white list you specified.

    We will investigate with the developers the issue you reported in the near future, thank you.

    Kind regards

  2. 23 hours ago, cannac said:
    So the airwhiteserverlist option in bluetit.rc found here, cannot be used at bootstrap and is only used by the goldcrest client? Should/Can this option be used in goldcrest.rc or is it only available in bluetit.rc?


    If you define a "quick" connection mode at boot, Bluetit will consider and respect white and black list directives included in bluetit.rc during the connection at bootstrap. Therefore, the proposed solution is optimal and does not require Goldcrest: just remember to change connection mode to quick (and do not set it to country), and define white lists according to the conditions written in our previous message (i.e. three empty intersection subsets, one subset per device).

    Kind regards

  3. @cannac


    You have related options in Goldcrest. If the white list must be global and respected by all users, superuser must define it in Bluetit run control file. If the white list can be decided each time by any user inside airvpn group, then superuser must not define it in Bluetit run control file. The related Goldcrest options, which can be specified on the command line only, and not in goldcrest.rc file, are:
    --air-white-server-list, -G : AirVPN white server list <list>
    --air-black-server-list, -M : AirVPN black server list <list>

    Please see also:

    Kind regards

  4. @cannac


    A solution which might meet your needs is partitioning the US AirVPN servers set into three empty intersection subsets, one per device, compiling airwhiteserverlist directive with a unique subset in each device, and finally restarting the three connections via Goldcrest on the US country basis, and finally defining the connection mode in bluetit.rc as quick. If the connection mode is not defined as quick, Bluetit ignores white and black lists but it does not warn you. A warning in the log and a clarification on the documentation will be implemented.

    By doing so you will never have two or more devices connecting to the same server.

    when the air-connect command for the same country is issued by different clients in different devices. If Bluetit connects during the machine bootstrap, remember to send disconnect first: enabled persistent network lock by directive networklockpersist ensures no traffic leak outside the VPN tunnel.

    In a future Bluetit version we might implement a new Bluetit run control file directive defining a white list for automatic connection at bootstrap so that you will not need to send a connection order via a client later on.

    Kind regards
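
A pre-deployment check for the setup described in the posts above, added here as an example (it is not AirVPN code and not part of the original posts): it reads each device's bluetit.rc text and reports white lists that overlap, a connection mode other than quick, and a set country value. The directive name `airconnectatboot`, the comma-separated list syntax, and the device and server names are assumptions; `airwhiteserverlist` and `country` are the names used in the thread.

```python
from itertools import combinations

# "airwhiteserverlist" and "country" are named in the thread.
# MODE_DIRECTIVE is an assumption: the thread only says "connection mode".
WHITELIST = "airwhiteserverlist"
COUNTRY = "country"
MODE_DIRECTIVE = "airconnectatboot"


def parse_rc(text):
    """Parse 'directive value' lines, skipping blank lines and # comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def whitelist_of(directives):
    """Server names in the white list (comma-separated syntax is assumed)."""
    value = directives.get(WHITELIST, "")
    return {name.strip().lower() for name in value.split(",") if name.strip()}


def audit(configs):
    """configs maps device name -> bluetit.rc text.

    Returns a list of (scope, code, detail) findings; an empty list means the
    white lists are pairwise disjoint and will be honoured at boot.
    """
    parsed = {dev: parse_rc(text) for dev, text in configs.items()}
    findings = []
    for dev in sorted(parsed):
        d = parsed[dev]
        mode = d.get(MODE_DIRECTIVE, "").lower() or "unset"
        if mode != "quick":
            # Per the thread: lists are silently ignored unless mode is quick.
            findings.append((dev, "mode-not-quick",
                             f"connection mode is {mode}; white/black lists are ignored"))
        if d.get(COUNTRY):
            # Per the thread: any country value triggers the reported problem.
            findings.append((dev, "country-set",
                             f"country is {d[COUNTRY]}; comment the line out"))
        if not whitelist_of(d):
            findings.append((dev, "no-whitelist", "no white list defined"))
    for a, b in combinations(sorted(parsed), 2):
        shared = whitelist_of(parsed[a]) & whitelist_of(parsed[b])
        if shared:
            findings.append((f"{a}/{b}", "overlap",
                             "shared servers: " + ", ".join(sorted(shared))))
    return findings


# Constructed sample: three devices, hypothetical server names.
SAMPLE = {
    "laptop": "airconnectatboot quick\nairwhiteserverlist srv-a, srv-b\n# country US\n",
    "nas": "airconnectatboot quick\nairwhiteserverlist srv-c,srv-d\n",
    "router": "airconnectatboot country\ncountry US\nairwhiteserverlist srv-d, srv-e\n",
}

if __name__ == "__main__":
    for scope, code, detail in audit(SAMPLE):
        print(f"{scope}: {code}: {detail}")
```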

  5. On 9/11/2021 at 10:33 PM, bcheprenpe said:

    Just wondering whether my AirVPN connection can/does protect my privacy over cellular networks independent of WiFi connections? I'm new to the VPN world. Just trying to know my limitations.


    Yes, of course, you get the same privacy protection enhancements in both connection types (provided that the VPN connection is established). In particular:
    • your outgoing packets do not have anymore your "real" IP address when they get out of the VPN server (this is also why, in addition to privacy enhancement, we define our service as capable to provide "a layer of anonymity")
    • you are no more subject to DNS poisoning, which is common practice with all ISPs in the world including European ISPs
    • the VPN tunnel protects you from injection of forged packets
    • your ISP and anybody who wiretaps your ISP line can not see anymore which services you contact, which underlying protocols you use and which underlying applications you run, because of the encryption of outgoing and incoming packets between your client and the VPN server
    A caveat in cellular connections when it is used together with a device running iOS or Android. By Apple policy, Apple applications can bypass at will any VPN tunnel (and actually some of them already do it). Similarly, in Android systems, manufacturer's applications might potentially do the same. This is possible because you are not the administrator in Android and iOS systems and therefore you have no control on those important parts of the system which would prevent such "leaks". Therefore, when privacy protection is a priority, Android and iOS should not be trusted.

    What about the "anonymity layer" we mentioned earlier? The anonymity layer is provided by the first point of the list, together with the fact that we operate servers in countries where data retention is not mandatory, so we not only avoid inspecting traffic to remain a mere conduit, but we also do not log traffic metadata. So it's not an intrinsic property of a VPN, but it is related to how it is implemented in our systems.

    Now, this anonymity layer resists as long as we don't betray your trust AND our servers are not secretly wiretapped.

    How to defeat an adversary with the power to wiretap your line AND all the VPN servers you connect to? And what to do when you can't afford to trust our contractual commitment on "no logging"? This question has become relevant for more and more persons who are "high profile targets".

    Remember that everyone can become a "high profile target" simply by being an activist on certain matters. Every year, for example, hundreds of environmental activists are killed around the world and hundreds disappear mysteriously or suffer severe limitations on personal freedom or suffer major physical harm. And that pertains only to activism on environmental problems.

    Bloggers and journalists are imprisoned, as well as whistleblowers, or killed, in the so called "Western countries" too, simply for having told the truth. In certain areas of Italy, you must protect your identity even if you write a few substantiated rows anywhere on the web against some minor political figure in your tiny district when that political figure has ties with the organized crime, and we know that something similar happened in other EU countries.

    We could go on with plenty of horrendous exemplary cases, which took place even in "Western countries", where a more effective layer of anonymity would have saved, during the years, thousands of lives, but let's answer the original question on how to improve the anonymity layer and defeat a powerful adversary with this old article of ours:

    So, we wrote the above article many years ago, which may help high profile targets. Keep in mind that everything starts from the assumption that your system is NOT compromised. If it is, any VPN, Tor, Tor over VPN, will be useless. So we come to other important limitations you must be aware of:
    • a VPN does not protect your device
    • a VPN is useless if your device is compromised, and some systems such as Android and iOS may be compromised in a matter of minutes by a powerful entity that comes to know your IP address
    • a VPN must not be meant as an anti-cracking tool: the only protection against some types of cracks is no remote port forwarding, which is mild
    • a VPN can not hide your personal data or identity if you send out personal information inside your traffic flow and the recipient of such information is compromised, or if you send it out in public
    • a VPN does not prevent correlations when you mix identities, i.e. it can't protect you from your own behavior, therefore take care not to mix identities inside and outside the VPN. Trivial, maybe stupid, example: if you have used an e-mail account without VPN, and then you use it from the VPN, the mail provider and other entities can still come to know your real identity via IP address of your past connections on record or other data.
    • a VPN does not hide your system and browser fingerprint. For highly sensitive information transmission when your identity must not be disclosed, avoid the WWW completely (recommended solution). However, if you are compelled to rely on the WWW, at least use the Tor Browser

    Kind regards

  6. 17 hours ago, OpenSourcerer said:

    By the way, if I do this test, I'm shown the private v4, too, alongside the v6 UGA. Are you expecting this to show people's public v4?


    Of course. That's the risk with WebRTC: the disclosure of the "real" IP address when you don't want that. The "noble" purpose is allowing two or more peers to connect directly with each other for video chats and so on. Each peer must know the public IP address of the other ones to accomplish the task. WebRTC (when it is active) provides developers with an API which can disclose it. See
    and following docs.


    Well, I'm concerned because it's showing the local address of the physical NIC.

    As long as the local address is private and assigned by your home router, that's the only case of no concern.

    If it would've been the tun address, all good.

    With OpenVPN, disclosure of the tun address is not a concern, right, because we are unable to correlate a VPN IP address to a user when the connection is over.

    But it's not all good in general, unfortunately: with Wireguard, disclosure of the tun address (the VPN IP address) is risky too, because of the bijection between client keys and static VPN IP addresses which Wireguard also mandates to replicate in a file on every server. Under this respect we can only mitigate the problem by randomizing IP addresses assigned to keys and deleting periodically the file entries when we suppose a client is no more connected (Wireguard lacks even the disconnection notification feature by explicit design). But in the whole time between deletions, we know who is who, and we must provide this information for example after a court order, which could also include prohibition to delete relevant data whereas it is an ACTIVE action that we (and not some third-party app) perform in spite of lack of technical necessity.

    Kind regards
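
The distinctions drawn in the post above, as an added example (not AirVPN code and not part of the original post): it takes the ICE candidate lines a WebRTC test page displays and sorts each address into home-router private address, VPN tunnel address, VPN exit address, or any other public address. The tunnel subnet, the exit address and all sample candidates are constructed; the mDNS case goes beyond what the post discusses.

```python
import ipaddress

# RFC 1918 and IPv6 unique-local ranges: what a home router hands out.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def candidate_address(line):
    """Return the address field of an ICE candidate line.

    Layout: candidate:<foundation> <component> <transport> <priority>
            <address> <port> typ <type> ...
    """
    line = line.strip()
    if line.startswith("a="):
        line = line[2:]
    fields = line.split()
    if len(fields) < 8 or not fields[0].startswith("candidate:") or fields[6] != "typ":
        raise ValueError(f"not an ICE candidate line: {line!r}")
    return fields[4]


def classify(address, vpn_nets, vpn_exits):
    """Sort one candidate address into the categories used in the post."""
    if address.lower().endswith(".local"):
        return "mdns"            # browser replaced the host address with an mDNS name
    ip = ipaddress.ip_address(address)
    if ip.is_loopback or ip.is_link_local:
        return "local-only"
    if ip in vpn_exits:
        return "vpn-exit"        # the address the VPN server shows to the world
    if any(ip in net for net in vpn_nets):
        return "vpn-tunnel"      # checked before PRIVATE_NETS: tunnel subnets are private too
    if any(ip in net for net in PRIVATE_NETS):
        return "private-lan"
    return "public"


def verdict(kind, tunnel_protocol):
    """Map a category to the concern level stated in the post."""
    if kind == "public":
        return "leak"            # a public address that is not the VPN exit
    if kind == "vpn-tunnel" and tunnel_protocol == "wireguard":
        return "risky"           # static key-to-address mapping on the server
    return "no concern"


def report(lines, vpn_nets, vpn_exits, tunnel_protocol):
    """Return (address, category, verdict) for every candidate line."""
    out = []
    for line in lines:
        addr = candidate_address(line)
        kind = classify(addr, vpn_nets, vpn_exits)
        out.append((addr, kind, verdict(kind, tunnel_protocol)))
    return out


# Constructed values: tunnel subnet, exit address and candidates are made up.
VPN_NETS = [ipaddress.ip_network("10.20.0.0/16")]
VPN_EXITS = {ipaddress.ip_address("198.51.100.9")}
SAMPLE_CANDIDATES = [
    "candidate:1 1 udp 2113937151 192.168.1.23 51000 typ host",
    "candidate:2 1 udp 2113937151 10.20.30.40 51001 typ host",
    "candidate:3 1 udp 1677729535 198.51.100.9 51002 typ srflx raddr 10.20.30.40 rport 51001",
    "candidate:4 1 udp 1677729535 203.0.113.77 51003 typ srflx raddr 192.168.1.23 rport 51000",
    "a=candidate:5 1 udp 2113937151 3f1c2a9e-7b4d-4c55-9e0a-1d2f3a4b5c6d.local 51004 typ host",
    "candidate:6 1 udp 2113937151 2001:db8:1:2::3 51005 typ host",
]

if __name__ == "__main__":
    for row in report(SAMPLE_CANDIDATES, VPN_NETS, VPN_EXITS, "wireguard"):
        print(*row, sep="\t")
```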

  7. 13 hours ago, bestinshow said:

    Thanks for the additional info, I'm not upgrading to the beta version at the moment as I'm happy with Eddie in conjunction with VPNetMon (less challenging for my know how at present!).


    In this case just send us, if you have time and will, the crash message from Eddie 2.20.

    An important suggestion: you should never use VPNetMon. It is insecure by design, not able to prevent most types of leaks (wrong binding, UPnP, NAT-PMP... by your torrent software) and it's dangerous, as it may kill forcefully applications causing their data corruption in your HDD/SSD. Furthermore it is not able to prevent leaks, not even in ordinary disconnections if it can't detect them, if the CPU has a high load, or if the app hangs. Use Network Lock instead. Activate it before you start a connection by clicking the big button on the main Eddie window. Network Lock prevents any type of leaks, even if Eddie or OpenVPN crash, because it is a set of firewall rules.

    As mentioned above trying to run utorrent from the "vpnup" setting resulted in the message "running event vpn.up" on the overview screen, no further message, and Eddie was stuck at this point, not finishing its start up whilst utorrent itself did start. Hope eventually you can make this a bit more user friendly as we are not all experts or can use the command line, best wishes

    Eddie was not stuck, it was just waiting for the application to return an exit code. You can tell Eddie to not wait and go on as we wrote. In this case Eddie will run the application only, and will immediately forget it and move on. When you define the command for an event, the window shows "Wait end of process". By default it is ticked. You can de-tick it in order to make Eddie not wait for the end of the process. We don't see how we could make it "a bit more user friendly"... anyway, now you know.

    Kind regards

  8. @airsupportusertempforum


    Those problems you mention should be different and unrelated. When Bluetit gets stuck in a loop of re-connections caused by OpenVPN3-AirVPN inability to reconnect to the same server, no --recover-network should be necessary, provided that you stop Bluetit properly, or you just send a disconnect command. Then you can send an air-connect command or what you need. The OpenVPN3 inability to re-connect when you abruptly disconnect, and later re-connect, the Ethernet cable will be investigated. As far as we can see it may occur with OpenVPN 2 too and we suspect to know why. In such cases anyway a disconnection followed by a connection resolves the issue both with OpenVPN3-AirVPN and OpenVPN 2.

    The problem mentioned by @cannac has not been reproduced unfortunately, and we have no clues or suggestions at the moment. Can you tell us your Linux distribution name and version and describe the problem which forced you to change the symlink?

    Kind regards


  9. 11 hours ago, bestinshow said:

    Tried the event settings today, unfortunately as before still no result. Placing the path to utorrent in the VPN up field starts utorrent but leaves Eddie stuck


    Eddie can run scripts and binaries when certain events take place and:
    1. wait for the script/binary/whatever run by the event to return an exit code, OR
    2. run & forget & move on (no wait, defined as asynchronous mode in the documentation)

    From your description you needed solution 2, with a kill to the same process at the next suitable event. About the kill, do as @OpenSourcerer wrote in a previous message.

    Would be good if the Eddie developers could add this feature in future in a user friendly way, being able to simply execute and terminate a program when running I think is a pretty basic requirement

    Yes, the feature you want was implemented in 2014 or so, but it needs to be documented for the GUI. Currently it's documented on the CLI guide and on the man. Anyway now you know and it's quite intuitive, enjoy!

    • event.app.start.filename - Filename of the script/executable to launch on event.
    • event.app.start.arguments - Arguments of the script/executable.
    • event.app.start.waitend - Use True if the software needs to wait the end (synchronous) or False to be asynchronous. Default: True
    • event.app.stop.filename - Filename of the script/executable to launch on event.
    • event.app.stop.arguments - Arguments of the script/executable.
    • event.app.stop.waitend - Use True if the software needs to wait the end (synchronous) or False to be asynchronous. Default: True

    You can achieve all of the above in the GUI too. Can you verify whether the unexpected crash (we can't reproduce it) persists with Eddie 2.21 beta version? If so, would you be so kind to send us the whole crash message? To download Eddie latest beta version please see here:

    Kind regards

  10. 5 hours ago, OpenSourcerer said:

    What you are leaking is your ISP IP in the browser via WebRTC. Click on the link there for possible solutions.

    Probably not, the screenshot is not extremely clear but it seems WebRTC test displays the private IP address of @BobbyTee system network interface ( @BobbyTee - the ipleak test thus seems completely fine but please check the above anyway

    Kind reg

  11. Hello!

    We're very glad to inform you that the alpha 2 version is now available. It implements new features you can check on the first thread post and an extensive rewrite of the native library. Please find the download URL and all the news on the first post.

    Thank you very much for your tests! Please report any glitch, bug and unexpected behavior!

    Kind regards


  12. Hello!

    We're glad to inform you that AirVPN from now on accepts payments via Amazon Pay too. The new gateway will let users with an Amazon account to get AirVPN plans quickly and swiftly by using their own Amazon account.


    Amazon Pay is added on top of PayPal and 2Checkout/Avangate (Verifone) gateways in order to offer a thorough range of payment methods which include bank transfers and all the most widespread credit cards.

    Once again we remind you anyway that for better privacy purposes we accept directly (without intermediaries) cryptocurrencies, which remain the favorite choice if you need to prevent disclosure of your AirVPN purchase to financial entities or human rights hostile regimes.

    Kind regards & datalove
    AirVPN Staff

  13. @bestinshow


    You're right, losing settings and data should not happen during upgrades, save for when you upgrade from Eddie versions older than 2.12 to the current version. It's therefore an unexpected event.

    And yes, "default.profile" (or other files, if you entered new profiles with new names on the settings) is the file keeping all the data and settings.

    Kind regards

  14. On 9/7/2021 at 6:14 PM, PrivacyMatters said:

    Would the use of a VPN, such as AirVPN or ProtonVPN (in this case, I believe the users did not use the bundled service) or TOR prevent this situation?


    We can't answer for ProtonVPN, but in case of AirVPN or Tor, the answer is yes provided that:
    • the activist never connected from his real IP address to ProtonMail since when the wiretapping and gag orders were issued or enforced on ProtonMail
    • the activist never wrote to some infiltrator information which could have disclosed his identity
    • the activist always used gpg to encrypt e-mail content, so that the content was hidden to anyone wiretapping Proton servers

    All of the above is limited to disclosing the identity only through Proton order and French data retention (remember that France data retention is in breach of the CJEU legally binding decisions, because blanket data retention is enforced on ISPs). If other investigation methods were used (for example by relying on finding e-mail recipients, identifying them and forcing them to reveal the activist identity), the activist identity could have been disclosed anyway, but not through Proton forced co-operation.

    Kind regards


  15. 1 hour ago, kbps said:

    I understand that price will always be the deciding factor, after many other factors, but Air air does have a 10 Gig server, Ain in Sweden, so the precedence has been set.  As you say the availability of 10 Gig is there.  We shall just have to wait and see.


    Our first 10 Gbit/s lines dedicated only to our servers were used for the first time in Dallas, Texas, several years ago. One line is for the VPN servers and another one for the Tor nodes by Quintex. Then we had four (now six) 10 Gbit/s lines in the Netherlands. Each line was and is shared by 10 or 11 of our servers.

    Then Xuange came, in Switzerland, that was the first one with an exclusive 10 Gbit/s line. Ain then followed and has been the last one at the moment.

    As @OpenSourcerer says, prices in some locations (such as Tokyo) are too high for 10 Gbit/s and at least 600 TB traffic per month for a single server (2 Gbit/s 24/7 means you generate 600 TB in a month). Moreover, in order to beat the usual 1 Gbit/s full duplex, more powerful hardware is needed and a different software approach too.

    Even so, on Xuange and Ain we could not manage to squeeze more than 3-4 Gbit/s (in total, up+down) when more than 150 clients are connected, and even the most powerful CPUs available on the market, running one OpenVPN instance per virtual core, suffer. The whole system gets choked if we go up to 300 clients, which would be the minimum amount required to run those servers without losing money. Wireguard might help but it's uncertain and anyway many core customers of ours don't accept it for the notorious privacy problems, other customers can't use it for UDP blocks/shaping and so on, so we can't and we won't drop OpenVPN in any case.

    EDIT: it's not only a pure AES/CHACHA20 processing power issue, but also a conntrack and packet mangling huge queue related issue, which gets intertwined with pure encryption/decryption processing power problems. - pj

    For us, the cost per user to be provided with high bandwidth is remarkably higher with dedicated 10 Gbit/s single server lines, because we experimentally see that we can not put on such a server 10 times the users a 1 Gbit/s server can handle (unless we wanted to lower the quality of service, which is not on the table). Therefore, if we want to keep the same prices and at the same time we don't want to oversell, offering an infrastructure all based on a 10 Gbit/s line per server for 2.75 EUR/month (the current price for 3 years subscriptions) is not realistic.

    Remember that year after year prices of AirVPN went down or remained unchanged, and today AirVPN is probably the less expensive VPN around (ruled out the free ones, as they profile you or do worse things too).

    Maybe in the future, or maybe with a different pricing, migration to all "10 Gbit/s servers" could be pursued.

    We're not "over-cautious" but realistic: in the last 5-6 years, while other VPN services accumulated important debts surpassing tens and tens of USD millions (think about PIA mother company, which went down for more than 30 millions in just 3 or 4 years; and other big ones, which are forced to oversell and continuously pay for favorable bogus reviews hiding overselling in order to survive) AirVPN never ever had debts.

    Who would be interested in paying more (probably x3 or even x4) to have access to 10 Gbit/s dedicated lines (one line per server) on a wide variety of AirVPN locations with the usual AirVPN quality? We might start a survey to know.

    Kind regards


  16. Quote

    UDP is a better idea: If OpenVPN's UDP loses a packet, a UDP connection in the tunnel will be treated as if a UDP packet is lost (no effect, in essence, maybe a lost frame in the video conference)

    And you avoid the TCP over TCP meltdown effect, i.e. when "lower and upper layers (which both are running their own version of congestion control algorithm) start competing with each other and in fact worsening the situation at each try. This is specially true for slow links and could result in terribly slow connections and constant freezing". https://hamy.io/post/0002/openvpn-tcp-or-udp-tunneling/

  17. @airvpnforumuser

    Personally, the one thing that the manual could benefit from is examples using different languages - not everyone uses/is proficient with C++ and would make it simple to understand how your library can be implemented elsewhere (in fact, such a project/pseudo-project on Gitlab would be very nice indeed).


    All the code examples in the manual are in C++. C++ for the AirVPN Suite has been picked for a variety of reasons including high portability, speed and efficiency.

    From page 10:

    The preferred method of inter-operating with Bluetit is by using AirVPN–SUITE C++ classes, although this is limiting the development of a client in C++ only.

    All the AirVPN–SUITE classes can be virtually ported to any object-oriented programming language provided it can offer access or support to D-Bus.

    Also note AirVPN–SUITE classes are based on D-Bus low level C API and the use of an object-oriented programming language is not mandatory provided the target functions and/or classes are developed according to the AirVPN–SUITE classes marshaling mechanism, which is essential for the whole architecture in order to exchange data to and from the clients and the daemon.

    We do not rule out other programming interfaces for other languages according to requests in the future.

    Kind regards


  18. @airvpnforumuser

    Yes, the option to not use the Master Password will be implemented. Not in alpha 2 but probably during the beta stage. Anyway, it will be implemented before we reach the stable release.

    perhaps OOM kills the VPN which has happened under low memory pressures...

    Maybe. Would you like to collect the logcat (and send it to us) just after the problem has occurred, so we can verify what happens exactly? Hopefully it's not a crash for some Eddie bug but let's see, alpha and beta testing aim at finding out bugs. :)

    Feel free to keep us informed.

    Kind regards

  19. 5 hours ago, encrypted said:

    I appreciate the basic summary of current development status of various AirVPN projects.

    Thank you for your feedback!


    2) the "AirVPN suite" consisting of *no Eddie-like GUI* but instead there are command-line binaries and config files to manage AirVPN's own divergent/semi-proprietary "OpenVPN-like" ecosystem.

    It's a superior solution but it's not limited to "command line-binaries". Surely you have totally missed what Bluetit does. Read the documentation to understand more.

    On another subject, divergent from what? Maybe you don't realize that when we took OpenVPN3 it could not even run in Linux. No alternative was available, even for the reason explained by @OpenSourcerer. There is no divergence, at least not in the wicked sense you mean. Read on to understand why, on top of OpenSourcerer considerations.


    Instead of delivering that expected (GTK-based) native GUI, the AirVPN team(s) went on to spend the next five years to build their own fork of an entire ecosystem instead.  😲 

    No doubts that a GTK based interface has not been delivered for Eddie, and no doubts that it was a promise by Eddie chief developer which was not fulfilled, mainly because Eddie was split between frontend and backend (with the backend entirely rewritten in C++ to make it free from Mono), and because the Linux and Mac software have been re-considered for Qt, which we now consider more efficient than GTK and available in other systems we're interested in (macOS, FreeBSD). Firecrest (another client for Bluetit) plans include Qt and not GTK.

    However, it's not true that the new development team (i.e. the one not working on Eddie desktop) spent five years for a fork, obviously. The total work on the fork so far can be summed up to just a few months in total during all the years.

    We do not see any "divergence" either, since OpenVPN3-AirVPN maintains full compatibility with OpenVPN 2.2 servers and higher versions, including OpenVPN 2.5. It also maintains full compatibility with profiles and directives according to OpenVPN 2 branch. We were careful not only to comply to the new OpenVPN 2.5 requirements, but even not to hurt backward compatibility with servers running older OpenVPN versions. So all the software can be used to connect to any OpenVPN based system, not only AirVPN: no divergence, no isolated ecosystem.

    Between 2018 and 2021, i.e. three years and a half and not five, OpenVPN3 rewrite in several parts to make it work properly has been a fraction of the work:
    • Eddie Android edition was totally rewritten to get rid of Mono completely
    • seven Eddie Android edition versions were released
    • five Hummingbird versions were released,
    • three Bluetit and Goldcrest versions were released
    • Hummingbird has been ported to macOS
    • the (in our opinion outstanding) Bluetit Developer's Reference Manual has been written
    • some more work behind the scenes has been accomplished. In particular, careful Bluetit engineering and development has been rewarded by a software (incidentally a real daemon), which was never seen before in the OpenVPN clients world.
    • OpenVPN3 by AirVPN is 108 commits ahead of the main branch, the library works very well in Linux and obeys to OpenVPN 2.5 server new options and handshake requirements, a thing that can't be said of the main branch, at least up to a few months ago.

    The delay of a GTK based GUI for Eddie has triggered a variety of new projects that have brought to Linux and Android users superior solutions never offered before by anybody, so at the end of the day Linux and Android users have had something much better and more will come.

    Kind regards


  20. 14 hours ago, encrypted said:
    However based on that development update by Staff back in July 2016 there was going to be a (Linux native) GTK+ GUI for "Eddie 3.x soon".

    With all AirVPN development taking place behind the scenes there's little place for development discussions here in the forum so perhaps I'm merely poorly informed about the actual status of development.


    The intentions of Eddie chief developer remained intentions, unfortunately. However, getting rid of Mono blob was a task which has been accomplished in Linux and macOS.

    The development lines for Linux have changed and the most important outcome has been the AirVPN Suite which features a fully documented, real daemon, an exclusive software with a complete reference manual which nobody has ever offered. Even Eddie Android edition, another important software which we released after 2016, does not require Mono for Android.

    Development of Eddie Desktop edition on one side, and Eddie Android edition, OpenVPN3-AirVPN and AirVPN Suite on the other side, have been completely split. Different development cycles, teams and plans.

    Bluetit also uses OpenVPN3-AirVPN library, a fork of the original OpenVPN 3 library which features very important improvements. OpenVPN3-AirVPN library, currently used by Eddie Android edition, Hummingbird in macOS and Linux, and Bluetit in Linux, has been another important development branch in the last years in AirVPN.

    The AirVPN Suite offers an option to all Linux users to completely drop Eddie and Mono.

    You can follow the "News" forum for all the information and announcements.

    AirVPN Suite User's Documentation: https://airvpn.org/suite/readme/
    Bluetit Developer's Reference Manual: https://gitlab.com/AirVPN/AirVPN-Suite/-/blob/master/docs/Bluetit-Developers-Reference-Manual.pdf

    OpenVPN3-AirVPN library (108 commits ahead of the main branch currently): https://github.com/AirVPN/openvpn3-airvpn

    Kind regards

  21. On 8/20/2021 at 10:30 PM, airvpnforumuser said:

     I also usually check source code before installation also (Eddie desktop beta source code is already on Github for example), I may even go through the effort of building the code myself if I am super-paranoid, understandably the alpha may not be suitable but I'd like to provide feedback!


    We apologize for the late reply about the quoted comment: we do not publish source code of alpha, beta, RC etc. versions, but only of stable releases.

    Kind regards