Staff

UPDATE 2021-04-07: 1.1.0 RELEASE CANDIDATE 1 IS AVAILABLE UPDATE 2021-04-15: 1.1.0 RELEASE CANDIDATE 2 IS AVAILABLE UPDATE 2021-04-17: 1.10 RELEASE CANDIDATE 3 IS AVAILABLE UPDATE 2021-05-14: 1.10 RELEASE CANDIDATE 4 IS AVAILABLE UPDATE 2021-06-04: 1.1.0 HAS BEEN RELEASED Hello! We're very glad to introduce a new AirVPN Suite version for Linux. Check supported systems below The suite includes: Bluetit: lightweight, ultra-fast D-Bus controlled system daemon providing full connectivity and integration to AirVPN servers, or generic OpenVPN servers. Bluetit can also enforce Network Lock and/or connect the system to AirVPN during the bootstrap Goldcrest: Bluetit client, allowing full integration with AirVPN servers, users, keys, profiles as well as generic OpenVPN servers Hummingbird: lightweight and standalone binary for generic OpenVPN server connections All the software is free and open source, licensed under GPLv3. What's new in 1.1.0 version full compatibility with OSMC, Open Source Media Center enhanced compatibility with Raspbian persistent Network Lock implementation, useful for example to enforce prompt Network Lock during system bootstrap and prevent traffic leaks caused by processes at bootstrap (**). Use directive networklockpersist in bluetit.rc to enable Network Lock as soon as Bluetit starts, regardless of network status and connection attempts revisited Network Lock logic for additional safety new directives for bluetit.rc: networklockpersist, connectretrymax and aircipher enhanced DNS handling for peculiar systemd-resolved operational modes more rigorous handling of events through semaphore implementation new D-Bus methods for Network Lock aimed at easier control by clients. Developer's documentation will be published soon crash caused by systemd signal flooding has been resolved libcurl crash in OSMC and other systems has been fixed crash in some 32 bit systems has been fixed logical flaw causing Network Lock missed activation in case of account login failure has been fixed various bug fixes see the changelog below for more information and details Important notes (**) Ponder the option carefully if your machine needs network sync via NTP or other network services outside the VPN during the bootstrap phase (***) Fedora 33 and openSUSE 15.2 users beware: we have noticed that in freshly installed Fedora 33 libcurl cannot find CA LetsEncrypt certificates and this will prevent Bluetit from detecting the country from ipleak.net. In this case, you can overcome this bug by using the country directive in bluetit.rc file, therefore avoiding the need to contact ipleak.net web site. AirVPN Suite changelog Version 1.1.0 RC 4 - 14 May 2021 [ProMIND] optionparser.cpp: added proper message errors in case of invalid argument and allocation memory error [ProMIND] netfilter.cpp: systemBackupExists() now evaluate every firewall mode backup file name [ProMIND] netfilter.cpp: restore() now check for every firewall mode backup and restore it accordingly [ProMIND] netfilter.cpp: IPv6 rules are now allowed or added only in case IPv6 is available in the system Version 1.1.0 RC 3 - 16 April 2021 [ProMIND] Updated to OpenVPN 3.7 AirVPN [ProMIND] vpnclient.hpp: avoid netFilter setup in case NetFilter object is not private [ProMIND] dbusconnector.cpp: fine tuned D-Bus wait cycle in R/W dispatch. Implemented a thread safe wait in order to avoid D-Bus timeout policy Version 1.1.0 RC 1 - 7 April 2021 Release Candidate, no change from Beta 2 Version 1.1.0 Beta 2 - 2 April 2021 [ProMIND] localnetwork.cpp: added getDefaultGatewayInterface() method Version 1.1.0 Beta 1 - 11 March 2021 [ProMIND] rcparser.cpp: removed formal list control for STRING type [ProMIND] netfilter.hpp, netfilter.cpp: added functions to set the availability of specific iptables tables in order to properly use available tables only [ProMIND] vpnclient.hpp: onResolveEvent() sets iptables tables according to the loaded modules [ProMIND] vpnclient.hpp: Changed constructor in order to use both private and external NetFilter object [ProMIND] localnetwork.cpp: added getLoopbackInterface(), getLocalIPaddresses() and getLocalInterfaces() methods [ProMIND] airvpntools.cpp: added detectLocation() method to retrieve location data from ipleak.net [ProMIND] airvpnuser.cpp: detectUserLocation() now uses AirVPNTools::detectLocation() [ProMIND] airvpnuser.cpp: loadUserProfile() now correctly sets userProfileErrorDescription in case of network failure [ProMIND] airvpnserverprovider.cpp: added "DEFAULT" rule to getUserConnectionPriority() in case user's country or continent is undefined [ProMIND] airvpnmanifest.cpp: loadManifest() now correctly sets the status STORED in case of network failure [ProMIND] Added Semaphore class [ProMIND] dnsmanager.hpp: method revertAllResolved() renamed to restoreResolved(). Besides reverting all interfaces it now restarts systemd-resolved service as well. [ProMIND] install.sh: improved update/upgrade process Bluetit changelog Version 1.1.0 RC 4 - 14 May 2021 [ProMIND] Added directives airipv6 and air6to4 in bluetit.rc [ProMIND] In case it is requested a network recovery, VpnClient object is now initialized with NetFilter::Mode::OFF [ProMIND] In case the requested network lock method is not available, connection is not started [ProMIND] In case system location cannot be determined through ipleak.net, country is now properly set to empty, latitude and longitude to 0. [ProMIND] Persistent network lock is enabled only in case Bluetit status is clean [ProMIND] AirVPN boot connection is started only in case Bluetit status is clean [ProMIND] DNS backup files are now properly evaluated when determining dirty status [ProMIND] Added D-Bus commands "reconnect_connection" and "session_reconnect" Version 1.1.0 Beta 2 - 2 April 2021 [ProMIND] Gateway and gateway interface check at startup. Bluetit won't proceed until both gateway and gateway interface are properly set up by the system [ProMIND] Increased volume and rate data sizes for 32 bit architectures [ProMIND] Added aircipher directive to bluetit.rc [ProMIND] Added maxconnretries directive to bluetit.rc Version 1.1.0 Beta 1 - 11 March 2021 [ProMIND] connection_stats_updater(): now uses server.getEffectiveBandWidth() for AIRVPN_SERVER_BANDWIDTH [ProMIND] added bool shutdownInProgress to control bluetit exit procedure and avoid signal flooding [ProMIND] system location is detected at boot time and eventually propagated to all AirVPN users [ProMIND] Network lock and filter is now enabled and activated before AirVPN login procedure [ProMIND] Added dbus methods "enable_network_lock", "disable_network_lock" and "network_lock_status" [ProMIND] Renamed bluetit.rc directive "airconnectonboot" to "airconnectatboot" [ProMIND] Added bluetit.rc directive "networklockpersist" Goldcrest changelog Version 1.1.2 RC 4 - 14 May 2021 [ProMIND] DNS backup files are now properly evaluated when determining dirty status [ProMIND] ProfileMerge is now constructed by allowing any file extension [ProMIND] Reconnection (SIGUSR2) is now allowed only in case tun persistence is enabled Version 1.1.2 - 2 April 2021 [ProMIND] Updated base classes Hummingbird changelog Version 1.1.2 RC 4 - 14 May 2021 [ProMIND] DNS backup files are now properly evaluated when determining dirty status [ProMIND] ProfileMerge is now constructed by allowing any file extension [ProMIND] Reconnection (SIGUSR2) is now allowed only in case tun persistence is enabled Architecture The client-daemon architecture offered by Goldcrest and Bluetit combination offers a robust security model and provides system administrators with a fine-grained, very flexible access control. Bluetit is fully integrated with AirVPN. The daemon is accessed through a D-Bus interface by providing specific methods and interface in order to give full support to OpenVPN connection and AirVPN functionality, including - but not limited to - quick automatic connection to the best AirVPN server for any specific location as well as any AirVPN server or country. Connection during system bootstrap is fully supported as well. New OpenVPN 3 library features Hummingbird and Bluetit are linked against a new version of our OpenVPN 3 library which supports directive data-ciphers: it can be used consistently with OpenVPN 2.5 syntax in OpenVPN profiles. The directive allows OpenVPN 3 based software to negotiate a common Data Channel cipher with the OpenVPN server,, updating therefore our library to ncp-like negotiation with OpenVPN 2 branch. Hummingbird and Bluetit are already linked against the new library version, while Eddie Android edition will be updated in the near future. The new library also includes a different handling of IV_CIPHERS variable, fixing OpenVPN main branch issues which caused a plethora of problems with OpenVPN 2.5. The implementation, at the same time, takes care of full backward compatibility with OpenVPN versions older than 2.5. ncp-disable directive, which to date has never been implemented in the main branch, is still supported, in order to further enhance backward compatibility with both OpenVPN profiles and servers, as well as connection flexibility with servers running older than 2.5 OpenVPN versions. Please note that if you enforce a specific Data Channel cipher by means of Bluetit configuration file, Hummingbird line option, or Goldcrest configuration file and/or line option, the enforced Data Channel cipher will override data-ciphers profile directive. Notes on systemd-resolved In Fedora 33 systemd-resolved comes pre-configured to work in "on-link" mode and network-manager works together with it. This very peculiar, Windows-like setup kills Linux global DNS handling, causing those DNS leaks which previously occurred only on Windows. Hummingbird and Bluetit take care of preventing the brand new DNS leaks caused by such a setup. Also note that systemd-resolved comes pre-configured with fallback DNS (Google DNS is a systemd-resolved default fallback DNS, smart choices pile up!) which will be queried if each interface DNS server fails some resolution. In such a case, if and only if you have Network Lock enabled will DNS leaks be prevented. Supported systems The suite is currently available for Linux x86-64, i686 (32 bit distributions), arm7l (for example Raspbian, OSMC and other ARM 32 bit based systems) and aarch64 (ARM 64 bit). Both systemd and SysV-style init based systems are supported. AirVPN Suite is free and open source software licensed under GPLv3. Overview and main features AirVPN’s free and open source OpenVPN 3 suite based on AirVPN’s OpenVPN 3 library fork Bluetit: lightweight D-Bus controlled system daemon providing full connectivity to AirVPN servers and generic OpenVPN servers. Ability to connect the system to AirVPN during the bootstrap. Goldcrest: Bluetit client, allowing full integration with AirVPN servers, users, keys, profiles as well as generic OpenVPN servers Hummingbird: lightweight and standalone client for generic OpenVPN server connection Linux i686, x86-64, arm7l and arm64 (Raspberry) support Full integration with systemd, SysV Style-init and chkconfig No heavy framework required, no GUI Tiny RAM footprint Lightning fast Based on OpenVPN 3 library fork by AirVPN version 3.6.6 with tons of critical bug fixes from the main branch, new cipher support and never seen before features ChaCha20-Poly1305 cipher support on both Control and Data Channel providing great performance boost on ARM, Raspberry PI and any Linux based platform not supporting AES-NI. Note: ChaCha20 support for Android had been already implemented in our free and open source Eddie Android edition Robust leaks prevention through Network Lock based either on iptables, nftables or pf through automatic detection Proper handling of DNS push by VPN servers, working with resolv.conf as well as any operational mode of systemd-resolved additional features User documentation (*) and source code: https://gitlab.com/AirVPN/AirVPN-Suite (*) Developer documentation to create custom software clients for Bluetit will be published in the near future. Download links: Linux x86-64: https://eddie.website/repository/AirVPN-Suite/1.1-RC4/AirVPN-Suite-x86_64-1.1.0-RC4.tar.gz Linux x-86-64 sha512 check file: https://eddie.website/repository/AirVPN-Suite/1.1-RC4/AirVPN-Suite-x86_64-1.1.0-RC4.tar.gz.sha512 Linux i686: https://eddie.website/repository/AirVPN-Suite/1.1-RC4/AirVPN-Suite-i686-1.1.0-RC4.tar.gz Linux i686 sha512 check file: https://eddie.website/repository/AirVPN-Suite/1.1-RC4/AirVPN-Suite-armv7l-1.1.0-RC4.tar.gz.sha5123 Linux arm7l: https://eddie.website/repository/AirVPN-Suite/1.1-RC4/AirVPN-Suite-armv7l-1.1.0-RC4.tar.gz Linux arm7l sha512 check file: https://eddie.website/repository/AirVPN-Suite/1.1-RC4/AirVPN-Suite-armv7l-1.1.0-RC4.tar.gz.sha512 Linux aarch64: https://eddie.website/repository/AirVPN-Suite/1.1-RC4/AirVPN-Suite-aarch64-1.1.0-RC4.tar.gz Linux aarch64 sha512 check file: https://eddie.website/repository/AirVPN-Suite/1.1-RC4/AirVPN-Suite-aarch64-1.1.0-RC4.tar.gz.sha512 Kind regards AirVPN Staff

This is mainly a bug fix release. Windows users: Preferences -> Advanced -> Use wintun driver is still disabled by default in this version, but we recommend to our beta testers to check it and report any issue, thanks. Kind regards

Hello! We're very glad to inform you that a new stable release of Eddie is now available for Linux (various ARM based architectures included), Mac, Windows. Eddie is a free and open source (GPLv3) OpenVPN GUI and CLI by AirVPN with many additional features such as: traffic leaks prevention via packet filtering rules DNS handling optional connections over Tor or a generic proxy customizable events traffic splitting on a destination IP address or host name basis complete and swift integration with AirVPN infrastructure white and black lists of VPN servers ability to support IPv4, IPv6 and IPv6 over IPv4 What's new in Eddie 2.20.0 [change] [all] OpenVPN 2.5.1 [change] [all] New default setting - Networking -> Switch to 'Block' if issue is detected, new default value: True [bugfix] [Windows 32bit] - Error at startup (released as a hotfix in 2.19.7 stable) [bugfix] [all] "Failed to compare two elements in the array" [bugfix] [all] Using OpenVPN provider other than AirVPN [bugfix] [all] IPv6 in manifest/bootstrap [bugfix] [Linux] Elevation failure on Ubuntu on some arm64/aarch64 architecture Eddie GUI and CLI now run with normal user privileges, while only a "backend" binary, which communicates with the user interface with authentication, gains root/administrator privileges, with important security safeguards in place: stricter parsing is enforced before passing a profile to OpenVPN in order to block insecure OpenVPN directives external system binaries which need superuser privileges (examples: openvpn, iptables, hummingbird) will not be launched if they do not belong to a superuser Eddie events are no more run with superuser privileges: instead of trusting blindly user's responsibility and care when dealing with events, now the user is required to explicitly operate to run something with high privileges, if necessary Backend binary is written in C++ on all systems (Windows included), making the whole application faster. Settings, certificates and keys of your account stored on your mass storage can optionally be encrypted on all systems either with a Master Password or in a system key-chain if available. Eddie 2.20.0 can be downloaded here: https://airvpn.org/linux - Linux version https://airvpn.org/macos - Mac version https://airvpn.org/windows - Windows version Eddie is free and open source software released under GPLv3. Source code is available on GitHub: https://github.com/AirVPN/Eddie Complete changelog can be found here. Kind regards & datalove AirVPN Staff

@salacronix Hello! TLS mode is mandatory because it is required by our servers, and for very good reasons. You can pick between TLS Auth and TLS Crypt. TLS Crypt is recommended, as it encrypts completely the Control Channel (important to prevent detection of OpenVPN handshake "fingerprint" by Deep Packet Inspection). Kind regards

@zurround Thank you! Problem detected and reproduced. Hummingbird and Bluetit rely on the ability of the system to change on the fly the global DNS settings. This is possible in most systems, Linux included. However, resolved seems unable to do that. It appears that every and each time someone needs to change global DNS on Linux when systemd-resolved works in any mode bypassing resolv.conf, she must stop and start systemd-resolved, forcing it to re-read the configuration. A workaround fixing the problem will be included in the next, imminent AirVPN Suite release. In the meantime you can quickly fix the problem, you don't need to reboot. You can save time by re-starting systemd-resolved when you are done using AirVPN Suite: sudo systemctl restart systemd-resolved Alternatively, you can consider to not use systemd-resolved. Kind regards

@ProphetPX Hello! Firefox is immune even in "normal" mode because it re-issues requests for Favicons even when they are cached, so it smashes the attack down very radically. According to the paper author this is a bug, but call it a bug or a feature, Firefox is not vulnerable. About Google Chrome tracking techniques, as well as Google pervasive tracking and profiling... we'll leave this relatively complex and very broad matter to the community. It has been discussed in the community forums in the past as well, if we are not mistaken. Kind regards

Hello! We're very glad to inform you that a new 1 Gbit/s server located in Auckland (NZ) is available: Fawaris. We're also very pleased to be back in Oceania. The AirVPN client will show automatically the new server. If you use any other OpenVPN client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator"). The server accepts connections on ports 53, 80, 443, 1194, 2018 UDP and TCP. Just like every other Air server, Fawaris supports OpenVPN over SSL and OpenVPN over SSH, TLS 1.3 and tls-crypt. Full IPv6 support is included as well. As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses. You can check the server status as usual in our real time servers monitor: https://airvpn.org/servers/Fawaris Do not hesitate to contact us for any information or issue. Kind regards and datalove AirVPN Team

@zurround Hello! If the problem persists, can you please send us the output of the following commands before you run the suite (when everything works) during the connection (while the system is connected successfully to the VPN) after the connection (while the problem is ongoing) cat /etc/resolv.conf resolvectl Open a terminal, and enter the above commands (in each of the above situations), then select and copy everything, finally paste into your message. Kind regards

@Aghinix Thank you! We will send this thread to Eddie developer. Kind regards

@kbps Hello! However, mega.nz operates servers in Luxembourg (at least from what we can see on the web site). We think that New Zealand poses no privacy problems at all. The issue is just finding a suitable datacenter. Kind regards

@OpenSourcerer Oh, OK, so it is impossible to identify someone in practice in the ATM described by @Mad_Max. We had the impression that you wanted to imply otherwise. About masks and other protections which make facial recognition fail, they are mandatory (in many countries in the EU you can be severely fined if you don't wear them outdoors and you don't have a medically motivated exemption, or even criminally prosecuted) or strongly recommended nowadays, so it's not a big deal, even if they were necessary. Kind regards

@Aghinix Hello! Can you tell us whether the AppImage's eddie-tray fails with the identical error, or you get a different one? What is your current Desktop Environment? Apart from the minimization problem, is anything else fine? What is your version of libappindicator? Can you please re-check whether libindicator is available? Kind regards

@OpenSourcerer Hello! It's a good idea. Actually we already have it (it is shown only to special users, we don't know if you can see it) so it would be simple to make it available to anyone. We will consider it seriously. Kind regards

@OpenSourcerer So, how is it possible that the ATMs described by @Mad_Max (which actually exist for sure) can be used in Germany to aggregate ex-post all the anonymous transactions of each person performing them, and provided that this is possible, how is it possible to link that video footage to an identity (for example if the aggregated withdrawals total exceeds some anti-laundering limit by law). This is technically very interesting and raises questions on the fundamental right to privacy. If confirmed, it may be advisable to use ATM with facial masks, glasses and adequate hats, which make facial recognition impossible (currently). Kind regards

Hello! You can add Estonia and update the list: we have a 1 Gbit/s server in Tallinn, Estonia: https://airvpn.org/servers/Alruba/ New Zealand would be great, especially when you consider the infamous and outrageous anti-encryption law which prevents us from operating in Australia: we have been and we are struggling to find the right infrastructure. We'll keep searching. Kind regards

Hello! From a private message from @monstrocity we understand that he/she has not understood what we wrote. If that was the case for other readers, here comes some more explicit clarification. Iskandar load at 86% means that it has still 858 Mbit/s free Okab load at 34% means that it has still 1360 Mbit/s free In general, 100% load means that you have 700 Mbit/s free on Japan servers. Re-read our messages to understand why. Furthermore, the CPU load is not heavy. These servers can achieve 1.7 Gbit/s with just four OpenVPN instances (experimentally confirmed, so it's for sure). The problem might be different: you experience congestion in the weakest hop or interconnection between your ISP and our ISP during specific peak times your ISP network is congested (or traffic shaping is enforced) in the peak times you mentioned our datacenter (*) is congested in the peak times you mentioned a combination of two or all of the above points In the first two cases, we can't do anything. In the third case, we can't do anything on that datacenter (adding servers would be mainly useless, of course) except pushing legally for the bandwidth we must have by contract (8 Gbit/s total, or 4 Gbit/s full duplex, as you prefer). However, since we do not experience the problems you mention, not even from Italy or other dedicated servers, we tend to exclude the third option. Thread will remain locked for 24 hours to avoid looping around the same biased arguments over and over. (*) Our Tokyo servers are in Equinix TY8 dc https://www.equinix.com/locations/asia-colocation/japan-colocation/tokyo-data-centers/ty8/ Kind regards

Hello! We don't understand this last message of yours. We have just shown you with clear data that there is no overload at all. During the peak times you have defined there's plenty of free bandwidth and CPU time. We closely monitor all servers, not only Japan ones, and when necessary we add servers or bandwidth. Kind regards

Hi, since when in Germany ATMs perform identification via facial recognition without informing the citizen? What facial database are they authorized to access to have a match? Kind regards

@monstrocity Thank you! Round trip time shown by Eddie is very unreliable and must not be taken as an absolute value, but has its usefulness as a relative value. We will keep an eye on Japan. Currently there's still a lot of free bandwidth 24/7 as you may easily verify (check the average bandwidth over a day, a week, a month etc. on each Japan server from https://airvpn.org/status ), On average, Japan servers are still busy only 50% during a weekend. Let's see the next ones. However, we must keep into account CPU load, because those servers are not able to use full 2 Gbit/s (that's why we report, for maximum transparency, only 1 Gbit/s). Iskandar - Picture shows that Iskandar bandwidth is on a weekly average 58% free on a 500 Mbit/s full duplex basis and that on peak times it reached 1.6 Gbit/s (out of 1 Gbit/s full duplex), which is not yet 100% CPU (these servers' hardware can reach a maximum of 1.7 Gbit/s) Kind regards

@Agrock Hello! We can see two possible explanations, which need a verification. 1) It could be some form of traffic shaping enforced by your ISP (or your router, but it would be so refined that we doubt that your router enforces it without your knowledge). It can't be against UDP tout court, because Wireguard works in UDP. It might be a fuzzy logic based shaping against BitTorrent: when it detects a specific pattern in UDP to specific ports, for example 443 Even if you use a VPN, torrent traffic pattern may be recognized, although with a low degree of reliability. Traffic shaping based on encrypted traffic patterns was widespread about 15-18 years ago, then it was dropped because it was unreliable and caused a plethora of negative side effects unexpected by the ISPs themselves. Traffic shaping is not triggered: when you use Wireguard in UDP, maybe because you connect Wireguard to some other port (which one?) when you use OpenVPN in TCP + tls-crypt, maybe because traffic shaping is not triggered anyway when UDP does not enter into play Counter-check to validate or falsify the assumptions may be based on using Wireguard in UDP to port 443, or connecting OpenVPN in UDP + tls-crypt to the same port Wireguard connects to (if possible) and then running torrent software. 2) Another potential explanation is that you have Windows, and you use the TAP driver with OpenVPN. Windows OpenVPN TAP driver is infamous to cause various bandwidth bottleneck problems in Windows, even (but not limited to) with torrents and/or UDP. If that was the case, you can now use wintun even with OpenVPN (2.5 or higher version required). Kind regards

@busybee911 Hello! After you have stopped and disabled systemd-resolved you should generate your own resolv.conf file before running Eddie, or restart networking and let network-manager do that (via DHCP etc.) if you wish to query the router. The new resolv.conf file will then be the file that Eddie will restore when its job is finished. Kind regards

@triggerdingus Hello! Can you confirm that you run some Linux distribution? If so, developer managed to reproduce the crash, so the matter is under investigation. Kind regards

@Agrock Hello! For the error description: https://developer.apple.com/forums/thread/42334 Of course, knowing what it means does not tell us why the kernel runs out of memory while OVPN 3 is over UDP and why only in macOS. We will keep an eye on it. How frequently do you have this problem? Kind regards

@Searching Hello! Please open a ticket and send us a system report generated by Eddie: click "Log" tab, click the LIFE BELT icon, click the "copy all" icon and paste into your message. The system report should provide us with a better insight. Kind regards

Hello! In this case Hummingbird is not for you. We have planned a GUI for Bluetit in the next months based on Qt (Firecrest). Initially it will be available for Linux but it will be ported to macOS later on, together with Bluetit. Before that, we will add to Goldcrest a TUI based on ncurses. In the meantime you may run Eddie, once you have resolved the problems you have reported with the help of the support team. In turn, Eddie can run Hummingbird, in place of OpenVPN (it features a specific option in Preferences to do that), to boost your Mac performance in the VPN. Kind regards