Staff

@blueport26 The original plan was to write Eddie frontend in GTK#. According to when and IF Mono will be ported to Mac M1 based plans could change. @OpenSourcerer We were not aware of such incidents which are NOT acceptable for us, unless the author himself/herself told the developer to not be credited Can you please provide us with all the relevant information about the incident? We will investigate for sure. Firecrest will be a Qt based client of Bluetit. Before Firecrest, however, we want to implement a TUI mode for Goldcrest. Kind regards

@airvpnforumuser Hello! We're glad anyway that you posed your questions, so you know now that the most important features you required are already available in AirVPN. The famous "golden rule" makes sense nowadays too when your threat model includes an adversary with typical organized crime power: connect to a server located in a different country from the country you are in, just to make life harder to those who could perform dangerous correlations by wiretapping lines in the same country, an action which we have seen possible by criminal organizations in the past, in Western countries too. By connecting to a server in another country you often make their correlations attempts much more difficult. We will try to be even more transparent about our decisions (and their reasons) on the infrastructure and its design when possible in the future. How do you like the Bluetit developer's manual? With it and with the source code you should be able to see exactly many things, for example how the bootstrap servers work in details, and how the "manifest" file is built. On the other hand, Bluetit provides you with the option to integrate your software with AirVPN even if you don't mind about the inner mechanisms, thus greatly simplifying your development work. Kind regards

@airvpnforumuser 1) Irrelevant if not wasteful given PFS. Client certificate and keys do not allow decryption of traffic, so one that steals them has indeed nothing to decrypt. 2) That's up to the user. We think it's a bad idea to force renewal of a key of a simple API, for some good reasons tied to customers' behavior and needs. 3) Fluff and nonsense if referred to client certificate and static key. About PFS, what you propose is insecure, because by "rotating" key you would use the same keys over and over, periodically, so you violate the basic paradigm of Forward Secrecy, OpenVPN implements PFS, uses a one time key and renews it every 60 minutes by default. You can decide an arbitrary renewal time (<=60 minutes) and you will never use the same key again. 4) It's already possible (since 2012) but we ask you to contact us to do so. Our requirement is caused by attempted frauds in the past. 5) So what? 6) That was done recently, in 2019 if we recall it correctly. Due to some technical limitations with IPB you must anyway enter at least a character in your e-mail field, but that's all. In order not to overlap with other existing e-mail field contents. just enter a random string. 7) Incredibly awful and dangerous idea about server rotations, and we can easily see why no provider offers it. Key "rotation" is also a terrible idea, we (and OpenVPN) have something much better, check 3). We are very sorry to see how even our own customers are misinformed about AirVPN features or ignore essential features which have been implemented since years ago. We must be making mistakes in our communications, we will perform an internal exam (but we will not pay parasite reviewers to avoid that they hide such features, of course ). Kind regards

@blueport26 Hello! First and foremost we must say that we have not updated our knowledge on Poland data retention legal framework. Our old information tells us that it's NOT compliant with the latest decisions of the CJEU which forbid Member States to put any obligation on any provider of service in the information society for pre-emptive, blanket, indiscriminate data retention. All that follows is therefore based on our not up-to-date knowledge. Feel free to point us to the relevant laws if we base our decision on no more valid knowledge. Now, we can actually ignore the EU Member States legal frameworks on data retention where they clearly infringe the EU Court of Justice legally binding decisions, because in a casus belli we can challenge, or defend against, the rogue Member State with high likelihood of winning. At the same time, we must carefully decide which legal battle fronts we want to open, because legal costs for cases which must be brought up to the highest courts may easily become very high. We are already challenging Spain legal framework on Data Retention, and, given AirVPN size, it's not wise to challenge multiple Member States simultaneously. That's the main reason we do not operate VPN servers in France and Italy, other Member States whose data retention framework is in flagrant violation of the legally binding decisions of the CJEU. We're not like those marketing fluff based VPNs which lie to you and in reality perform Data Retention in the countries where it is mandatory: you have plenty of examples from the press to prove what we claim here, when VPN customers identities and activities have been disclosed because of that very same data retention the VPN providers claimed not to perform. When we say we do not retain data and metadata of your traffic we really do it, that's why we must carefully evaluate the countries legal framework we plan to operate servers within. Kind regards P.S. Ukraine does not oblige dacenters and VPN providers to any data retention.

Hello! If all tier1 transit providers co-operated with each other to exchange all of their data and could do that with impunity in every country, you would have a global adversary-like entity, against which you can't prevent correlations between source and destination of a packet of yours.. You can protect your data content against the global adversary trivially (end-to-end encryption), but you can't hide the real destination and source of your own communications (provided that you don't perform illegal war-driving and similar actions of course). What you can do is making the correlation as expensive as possible, in order to render data harvesting through correlations no more financially attractive, as long as you are not a high profile target. Please read the following, old article of ours: https://airvpn.org/forums/topic/54-using-airvpn-over-tor/?do=findComment&comment=1745 Kind regards

Hello! We inform you that all of our VPN servers in Maidenhead will cease operations on 03 September 2021. They will be replaced by servers in London featuring more modern hardware. Unfortunately, both technical and non-technical reasons force us to leave the current dc in Maidenhead. Servers in London are anyway located just 40 Km from Maidenhead and they will be announced and available in the next days. The new machines will keep the same names in order to support the old FQDN used by OpenVPN client profiles. Since the datacenter seems to have put offline already a server before the natural expiration date, we could put the new servers online before the mentioned 03 September date. When new servers are turned on, older ones with the same name will be disconnected from the infrastructure. This thread will be updated, if necessary, accordingly. The replacement servers are five, while the replaced ones are six. That's because we might be adding in the future another datacenter in UK in a different location. Kind regards AirVPN Staff

Always, not usually. Kind regards

Hello! You can use all ports from every and each connection slot provided that you make sure that each connection ends up to a different VPN server, i.e. you must not connect more than one device to the same VPN server. Kind regards

@LazyGuy Actually, early child porn censorship is catastrophic, because: it warns criminals that their content has been detected and become a target, allowing them to put in place early counter-measures which may compromise future investigations and cause more atrocious sufferance to the victims it is seen as an early and urgent mitigation measure, sufficient by itself, de-prioritizing or cancelling victims identification and arrest of criminals it is used as political fluff to show the public that effective actions are performed According to the above, the investigations must follow the opposite direction, that is: FIRST you try to identify and put the victims to safety, follow the cash flow and arrest the criminals, investigate further ramifications and perform additional arrests; THEN, as a very final stage when nobody can be prematurely alerted anymore, you censor the content. Relying on censorship is once again plain stupid or hints to connivance. And always be very careful when someone wants to suppress some human right in the name of "child protection", "security against threats of any kind" and so on and so forth, because History teaches that such actions imply a sinister, hidden agenda. https://www.youtube.com/watch?v=RkmcupFx3FQ Kind regards

@Obvious Hello! Incoming packet forwarding is a server side matter. It makes no difference whether the VPN connection is handled by OpenVPN 2,. OpenVPN 3 or Wireguard. In Linux and macOS, Eddie can run both OpenVPN and Hummingbird, which is an AirVPN software based on OpenVPN3-AirVPN library. You can tell Eddie to run Hummingbird and not OpenVPN by ticking "Use Hummingbird" item in Eddie's "Preferences" > "Advanced" window. On a client settings equal footing, packet forwarding behavior discrepancy between VPN servers should be investigated server side too. From your description it is possible that you're just wasting time as it appears that you're investigating incorrectly: please open a ticket. The support team can, first and foremost, ascertain whether packets are actually pre-routed and forwarded to your node or not. Kind regards

Hello! [THREAD REPLACED WITH OTHER RELEVANT INFORMATION}. Kind regards AirVPN Staff

@OpenSourcerer Hello! Out of curiosity, the current inbound forwarded ports/customers ratio is 1.1 Kind regards

@Maggie144 Hello! It was a purely hypothetical example, such a company does not exist. Kind regards

@LazyGuy The RSA key is essential to encrypt the TLS hansdhake See also https://security.stackexchange.com/questions/205184/when-is-an-rsa-key-used-in-tls-handshake RSA keys smaller than 2048 bit are considered insecure and currently 1024 bit RSA keys can be quickly cracked. 2048 bit size is considered secure, while 4096 bit size is so secure that further increasing this size is not recommended nowadays, as it would increase dramatically handshake time and computation load (a thing that becomes relevant on the server side where you might have suddenly a hundred of handshakes concurrently). Some search engines perform good attempts to index onion hidden services, although you can't be guaranteed you'll find everything there is in the hidden web. While search engines like Google Search index more than 70% of all the estimated 3 billion pages of the "surface" Word Wide Web, which in turn is estimated to contain less than 1% of all the information on the Internet (less than 1% might sound insufficient but it is anyway a huge amount), you should expect lower efficiency in search engines like https://darknetsearch.io - also consider that the "Deep Web" (which the onion services are a small fraction of) according to some researchers is about 500 times bigger than the "surface" web (other researchers claim it's 40 times bigger, not 500). Kind regards

@56Kmodem Thank you, it's probably the configuration file "default.profile" which is not removed by the uninstaller (correctly, because it's an uninstall and not a purge) and which is not upward compatible. It remains to be seen why the problem arose in the first place with 2.21 beta. The very first time you had the problem, were you testing beta 1 or beta 2? What is your exact Windows version? Kind regards

Hello! We have now added it in the announcement. Thank you in advance for your tests! Currently it's not in our plans but we can re-consider in the future. Yes, our plans include Wireguard support by Eddie Android edition after the beta testing on the infrastructure from desktop clients has begun. Kind regards

Hello! We are very glad to know it. We had not thought about a dark theme, but we can consider it. Thank you for your current and future reports on battery life, performance and anything else! Kind regards

Hello! We're very glad to inform you that Eddie Android edition 2.5 alpha beta is available. UPDATE 2021-09-14: Alpha 2 is now available. UPDATE 2021-11-10: Alpha 3 is now available. UPDATE 2021-12-10: Beta 1 is now available. UPDATE 2021-12-17: Release Candidate 1 is now available. UPDATE 2021.-12-24: 2.5 has been released. Topic locked, let's move to # sha256sum org.airvpn.eddie-2.5-RC1-Unsigned.apk 2133a81c584ca7a20c930824b5823d1c882492a0bc23e22cd64c8f44ce839d1c org.airvpn.eddie-2.5-RC1-Unsigned.apk What's new in Eddie 2.5 RC 1 updated to the latest OpenVPN3-AirVPN and asio libraries extensive native library rewrite and revision for higher efficiency improved VPN concurrency management global objects enhanced instance handling linked against OpenSSL 1.1.1l (*) full integration with VPN traffic leaks prevention by system in Android 7 or higher version full compatibility with Android 10, 11 and 12, including ability to start and connect from a profile during device bootstrap ability to start and connect during bootstrap (if Master Password is disabled) according to a priority list which includes automatic choice, your defined country and your defined server ability to select directly an area (country, continent, planet) to connect to on the fly language change allowing to switch language without re-starting application unification of connection parameters between settings and server settings: changes on one side are mirrored to the other so that no discrepancy occurs anymore improved login credentials prompt: if wrong credentials are entered, the prompt is proposed again even when "Remember me" is selected VPN lock option off by default Opt-in Master Password which remains off by default TLS minimum required version set to 1.2 by default option to select an OpenVPN boot profile in Android 7 or higher version VPN lock is forced to off and cannot be activated if "Block connection without VPN" is enabled in Android 8 or higher version system settings connection restore now allows re-connection during the device bootstrap from the last active or default OpenVPN profile. It requires "VPN Always On" system setting active and Android 7 or higher version Force AES-CBC suite option has been removed compatibility with Android 5.1 and higher version has been maintained bug fixes solving various issues, including the crash occurring on specific devices when some contextual menu item to connect was selected new option to skip a single promotional message ("Do not show anymore") has been implemented, without prejudice to future promotional messages manifest permissions modified in order to populate correctly app black and white lists in Android 11 and 12 check the changelog at the end of the message (*) Eddie 2.4 was linked against mbedTLS library. Such a major change has been adopted to offer TLS 1.3 and slightly higher performance both with AES and CHACHA20 cipher suites. Please do not hesitate to report any variation in battery life and performance in your device compared to Eddie 2.4. Important note for Android TV users. In Android 10, 11 and 12, a VPN application can start and connect during the device bootstrap if and only if "Always on VPN" option is active. Unfortunately the option is not available in Android TV 10, 11 and 12. Therefore the ability to start at boot is lost. OpenVPN for Android and openvpn-connect applications are affected by the same constraint. For a complete list of Eddie Android edition features please see here: https://gitlab.com/AirVPN/EddieAndroid Special thanks in advance to all users who will test Eddie Android edition 2.5 alpha and beta versions! Changelog 2.5 RC 1 (VC 26) - Release date: 17 December 2021 by ProMIND - [ProMIND] Added "QUERY_ALL_PACKAGES" permission to the manifest - [ProMIND] Minimum TLS level now defaults to 1.2 - [ProMIND] VPN Lock is now off by default - [ProMIND] Removed force aes-cbc suite option - [ProMIND] Native library updated to the latest dependencies - [ProMIND] "AirVPN profile" has been renamed to "AirVPN Key" - [ProMIND] All android devices having at least API level 24 (Android 7) are now fully managed by Android system VPN facilities (including "VPN Always On" and "Block Connections without VPN") - [ProMIND] In case a connected OpenVPN profile is about an AirVPN server, the name is shown across the whole app instead if the IP - [ProMIND] Compression is now off by default - [ProMIND] Language override is now immediate and does not need app restart anymore Native Library - [ProMIND] Updated to OpenVPN3 3.7.1 AirVPN - [ProMIND] Moved to version 1.4 (Complete revision of code, structure and naming scheme) - [ProMIND] Moved all header files in eddie directory into include directory - [ProMIND] Renamed several 1.0 classes and members to more solid names - [ProMIND] Removed all references to boost library functions and switched to standard C++ equivalents api.cpp - [ProMIND] Added sslLibraryVersion() function api.hpp - [ProMIND] Added sslLibraryVersion() function client.cpp (Native library) - [ProMIND] Implemented private method releaseJniCallbackObject() - [ProMIND] Switched to instance model management for JNI callback object - [ProMIND] removed tun_builder_set_block_ipv6() function - [ProMIND] added tun_builder_set_allow_family() function client.hpp (Native library) - [ProMIND] Added private method releaseJniCallbackObject() - [ProMIND] removed tun_builder_set_block_ipv6() function - [ProMIND] added tun_builder_set_allow_family() function common.h (Native library) - [ProMIND] New file. It defines all common macros and includes constants.cpp (Native library) - [ProMIND] removed file constants.h (Native library) - [ProMIND] removed file macros.h (Native library) - [ProMIND] removed file stdafx.h (Native library) - [ProMIND] removed file types.h (Native library) - [ProMIND] removed file utils.cpp (Native library) - [ProMIND] Removed all C function and reimplemented as relative class methods - [ProMIND] Most of methods and functions have been rewritten from scratch - [ProMIND] Removed all references to boost library functions and switched to standard C++ equivalents AirVPNManifest.java - [ProMIND] Added method getServerByIP() - [ProMIND] Added method getFullServerDescription(String name) - [ProMIND] Added method getFullServerDescriptionByIP(String ip) - [ProMIND] Added method isEncrypted() - [ProMIND] Added Continent stats - [ProMIND] Added "Do not show again" methods for manifest messages AirVPNUser.java - [ProMIND] Added method isEncrypted() - [ProMIND] private class getUserLocation is now aware of current local country setting - [ProMIND] Added method reloadUserLocation() AirVPNServerProvider.java - [ProMIND] added "DEFAULT" case to getUserConnectionPriority() method AirVPNServerSettingsActivity.java - [ProMIND] TLS, Protocol, Port and IP Version are now linked to their relative default options BootVPNActivity.java - [ProMIND] Revamped VPN connection boot logics. It now supports AirVPN best server, AirVPN default server and AirVPN default country and improved management of default OpenVPN profile and last active connection ConnectAirVPNServerFragment.java - [ProMIND] Added default AirVPN items management - [ProMIND] Added direct connection to country's best server via context menu - [ProMIND] Added direct connection to continent and world best servers - [ProMIND] exportOpenVPNProfile() now exports profiles both to internal databse and external file - [ProMIND] Added export continent, country and server profile to file ConnectOpenVpnProfileFragment.java - [ProMIND] Added "set" and "unset" boot in context menu for OpenVPN profiles CountryContinent.java - [ProMIND] Added methods getTreeMapCountry and countryCount() - [ProMIND] Added methods getTreeMaoContinent() and continentCount() EddieApplication.java - [ProMIND] Initialization log messages are now sent once at the first run of the app instance - [ProMIND] Classes SettingsManager, EddieLogger, SupportTools, VPNManager, MainActivity, CountryContinent, AirVPNManifest, AirVPNUser and NetworkStatusReceiver are now instantiated here and the unique instance is used all over the app - [ProMIND] Checks whether manifest and user's data files are encrypted and sets "Enable Master Password" setting accordingly - [ProMIND] Added method isVisible() returning whether the app is in foreground or visible EddieEvent.java - [ProMIND] Removed generic onAirVPNIgnoredDocumentRequest - [ProMIND] Added onAirVPNIgnoredManifestDocumentRequest and onAirVPNIgnoredUserDocumentRequest - [ProMIND] Added onAirVPNRequestError event EddieEventListener.java - [ProMIND] Removed generic onAirVPNIgnoredDocumentRequest - [ProMIND] Added onAirVPNIgnoredManifestDocumentRequest and onAirVPNIgnoredUserDocumentRequest - [ProMIND] Added onAirVPNRequestError event EddieLogger.java - [ProMIND] Added instance and context support in order to keep the log across multiple runs belonging to the same app instance LogActivity.java - [ProMIND] Added "Clear log" button MainActivity.java - [ProMIND] At startup check whether system's "Block connections without VPN" setting is enable, if so VPN Lock is disabled and show a dialog - [ProMIND] Added new VPN Statuses management - [ProMIND] AirVPN Manifest messages are now shown only in case they have the "do not show again" flag turned off - [ProMIND] Max reconnection retries now supports infinite OpenVPNProfileDatabase.java - [ProMIND] Added "boot" element and relative methods - [ProMIND] Added "airVPNServerName" element and relative methods - [ProMIND] Added "airVPNServerLocation" element and relative methods - [ProMIND] Added "airVPNServerCountry" element and relative methods SettingsActivity.java - [ProMIND] In case system's "Block connections without VPN" setting is enable, VPN Lock is disabled and hidden - [ProMIND] Added controls for new settings - [ProMIND] Revised language change setting and adapted to new Android levels. The change is now immediate and does not require restart anymore - [ProMIND] Added infinite to max reconnection retries setting SettingsManager.java - [ProMIND] Added SYSTEM_IS_ALWAYS_ON_VPN and SYSTEM_VPN_LOCKOWN internal settings and relative get/set methods - [ProMIND] Added AIRVPN_CURRENT_LOCAL_COUNTRY and AIRVPN_CURRENT_LOCAL_COUNTRY_DEFAULT internal settings and relative get/set methods - [ProMIND] Added AIRVPN_DO_NOT_SHOW_AGAIN_MESSAGES and AIRVPN_DO_NOT_SHOW_AGAIN_MESSAGES_DEFAULT internal settings and relative get/set methods VPN.java - [ProMIND] Added CONNECTION_CANCELED to Status enum VPNManager.java - [ProMIND] Improved VPN concurrency management VPNService.java - [ProMIND] Check "VPN Always On" and "Block connections without VPN" system options and set Eddie's internal options accordingly WebViewerActivity.java - [ProMIND] http: and https: links are now opened by invoking the external browser - [ProMIND] Added bottom "Do not show again" layout bar - [ProMIND] Restore language/locale to the app setting and reverts Chrome/WebView default locale override Kind regards and datalove AirVPN Staff

@56Kmodem Hello! With revo, did you fix the problem in Eddie 2.21 beta 2 or in Eddie 2.20.0? Kind regards

@Maggie144 Hello! That's out of AirVPN mission scope as it would crumble the anonymity layer. Moreover it would put some additional legal duties on AirVPN as a hosting provider, so it's even outside AirVPN core business. We are perfectly aware that we could be offering valid VPS with one dedicated IPv4 address for less than 5 EUR per month (in an hyper-inflated business segment), but again that would be best accomplished by some partner company ad hoc created, in order not to mix different businesses with mutually incompatible purposes which, on the long run, would undoubtedly damage AirVPN good reputation as a privacy protector and a service capable to provide an anonymity layer of a significant degree. While competition increases, simply for the incredible amount of VPN services for consumers which are born every other day, in a world facing an economic crisis due to the pandemic and slowly progressing shortage of energy resources, it's somehow normal that each company tries to survive by innovating, or by adding different services, or sometimes, unfortunately, by betting on marketing fluff. Remember that when PIA controlling company was acquired by Kape, it had accumulated more than 32'000'000 USD debt which had to be covered by Kape itself, so it's normal that new services are added to increase much needed revenues in an attempt to make PIA profitable again, or anyway more profitable. https://www.techradar.com/uk/news/cyberghost-owner-buys-pia-for-dollar955m-to-create-vpn-giant In this specific case we underline once again that the service you mention is really incompatible with AirVPN Terms of Service and general mission, so you could find it only by some other company controlled by us and not in AirVPN infrastructure. Kind regards

Version 2.21.1 (Thu, 19 Aug 2021 12:19:20 +0000) [change] [windows] OpenVPN 2.5.3 also in Windows 7/8 [change] [linux] Removed "libappindicator1" dependency in .deb package [bugfix] [linux] Fixed an issue with portable/AppImage packages ('cannot open shared object file') [bugfix] [windows] Fixed Windows 7 issues [bugfix] [all] Fixed an issue when IPv6 is disabled at system level [bugfix] [windows] Updated libcurl [change] [all] New ping engine Windows users: now if Wintun is used (default from this version), a network adapter is created when session starts and destroyed when session ends. Wintun driver is installed (or upgraded) when the adapter is created and removed when the adapter is removed. We added an option to keep the adapter in Preferences->Advanced window. Windows/Linux/macOS: we rewrote the latency/ping system to make it work better and faster, resolve some UI issues in Linux and provide more accurate results in macOS. @airvpnforumuser and other: issues after system suspension, and the error "Windows WFP, unexpected: Rule 'ipv6_block_all' already exists" is still under investigation, it is our next priority. About Windows OS compatibility: Windows 8 works exactly like Windows 10. In Windows 7 the latest Wintun driver doesn't work for some currently unknown reason, so it is not used (OpenVPN works with the tapdriver6), and for the same reason Wireguard (which can use ONLY Wintun) will not be supported on Win7. Kind regards and datalove

@PugConsultant Hello! In the host machine, your setup will force all traffic over OpenVPN over a Tor fixed circuit. You can't compare it with Tor-ification because the Tor circuit is fixed. However, what happens to the traffic from and to the VM depends on how the VM connects to the physical network interface: if the VM connects directly to some physical network interface, i.e. it works in "bridge mode", the tunnel(s) in the host machine are "bypassed" completely if the VM is attached to the host via NAT, all the VM traffic will also be tunneled over VPN over Tor The latter setup 2 is particularly important when your threat model includes powerful adversaries. OpenVPN over Tor tunnels OpenVPN over a fixed Tor circuit. Now, if you use Tor on the VM attached to the host via NAT, you add another Tor circuit, this time dynamic (i.e. re-built for every and each new TCP stream), where the traffic will end up before getting on to the Internet (your node -> Tor circuit 1 -> Air VPN server -> Tor different circuit -> the Internet). A significant improvement of the anonymity layer (on the VM) at the price of slower performance. Kind regards

@hardknox Hello! Network Lock already includes a rule which allows any TCP and UDP packet from 192.168.0.0/16 to 192.168.0.0/16. If you need to reach different subnet inside 192.168.0.0/16 between different network interfaces, remember to enable IP forwarding. Also remember that Network Lock does not allow data exchange between different private blocks, for example from 10.0.0.0/8 to 192.168.0.0/16. Should that be your need you must add additional firewall rules on top, after each Network Lock activation. Kind regards

@Monotremata Hello! Yes, please send us (in a ticket maybe, because this thread is for Eddie) the complete Eddie log (Eddie log will include any log by Hummingbird) pertaining to the event. From your description it definitely sounds like some unexpected OpenVPN3-AirVPN library problem. Do you connect in TCP or UDP? Kind regards

@hardknox Hello! Whereas you have set connectatboot server in bluetit.rc, when started Bluetit will propound the aircipher specified AES-128-GCM cipher, which is supported by all of our servers, for the OpenVPN Data Channel. If you want to try CHACHA20-POLY1305 just change aircipher into CHACHA20-POLY1305 and re-start Bluetit, or use Goldcrest with the proper options to disconnect and start a new connection. However, if your system does support AES New Instructions, you may lose performance with CHACHA20. Not all systems take advantage of AES-NI, even when they are implemented in the CPU, thus a test with CHACHA20 is worth its time. Furthermore, please make sure to test different servers in various locations, in order to maximize likelihood of good peering between our and your transit providers. If performance remains low, test TCP, according to @OpenSourcerer suggestion, just in case your ISP enforces some cap on UDP. Just change airproto into tcp and restart Bluetit. Kind regards