Staff

Hello!

We're very glad to inform you that two new 1 Gbit/s full duplex servers located in Miami, Florida, are available: Gudja and Kang,

The AirVPN client will show automatically the new servers; if you use any other OpenVPN or WireGuard client you can generate all the files to access them through our configuration/certificates/key generator (menu "Client Area"->"Config generator").

The servers accept connections on ports 53, 80, 443, 1194, 2018 UDP and TCP for OpenVPN and ports 1637 and 47107 UDP for WireGuard.

Gudja and Kang support OpenVPN over SSL and OpenVPN over SSH, TLS 1.3, OpenVPN tls-crypt and WireGuard.

Full IPv6 support is included as well.

As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses.

You can check the status as usual in our real time servers monitor:
https://airvpn.org/servers/Gudja/
https://airvpn.org/servers/Kang/
 
Do not hesitate to contact us for any information or issue.

Kind regards and datalove
AirVPN Team

Hello!

Thank you for linking to this interesting and well written article.
 
Yes, it has been highlighted by Windscribe, by us, and by multiple sources as early as 2022. For example:
https://airvpn.org/forums/topic/53136-vpn-companies-relationship-mesh/?tab=comments#comment-189777

and you may also like to check the search results:
https://airvpn.org/search/?q=crossrider
 
The company name, VAT ID and the Registration Code at the Chamber of Commerce of Italy is written at the bottom of each web site page. Through the European Commission VIES you can verify the company data by entering the VAT ID:
https://ec.europa.eu/taxation_customs/vies/#/vat-validation

If you have a subscription to a business intelligence and analytics reporting companies, for example Dun & Bradstreet, you can also get more information such as business reliability, solvency and so on, which, when correlated to other information, for example donations to specific organizations, can provide you with at least clues of what you may look for.

Kind regards
 

Yes, a very nice one.
 
Apparently it is perfectly formulated, because it's 100% true and accurate, and it's not formulated here, but there.
 
It's mentioned because Crossrider/Kape was founded by a member of Unit 8200, a cyber spy agency, and its (Crossrider's) primary business was facilitating malware and computer infections. Recently it acquired major VPNs (such as Private Internet Access, Express VPN and CyberGhost) as well as review web sites.
 
In reality in the FT article you mention you can read the interview to Lempert (chairman of the Unit 8200 alumni association and CEO of MER mobile comms group) who claims that 8200 is focusing (the article is 7 years old) on huge data mining, which is exactly extensive surveillance of the Internet, and we could also mention the documents leaked by Snowden, which revealed how Unit 8200, referred to as ISNU, receives raw, unfiltered data of U.S. citizens, as part of a secret agreement with the NSA.
https://en.wikipedia.org/wiki/File:Israel_Memorandum_of_Understanding_SIGINT.pdf

Are US citizens "bad neighbors" too?

Anyway. It's irrelevant whether the purposes of Kape match those of Unit 8200. Kape could be or not a puppet of 8200, you don't know and we don't know, and perhaps it's not,  and still that's not the point. The relevance of a member of 8200 founding a company spreading malware and now controlling VPN is the relationships and competence acquired by that member during his/her previous job, used against citizens unconditionally, since Kape operated essentially in browser hijacking, ad injectors and other remunerative computer infections worldwide.

Remember for example Gericke ("strangely", he is also ExpressVPN CIO), Adams and Baier: they used their great competence acquired while they worked for US intelligence agencies to assist UAE regime to crack journalists, activists, monarchy political opponents phones and computers, to help UAE suppress or control any possible dissident or uncomfortable journalist. Officially it was not CIA or USIC interest to do that (and actually all three of them have been charged by DoJ for that "job") but anyway they greatly succeeded in their UAE job because they were trained by and had the knowledge of and access to certain technology from their former employers.
https://www.justice.gov/opa/pr/three-former-us-intelligence-community-and-military-personnel-agree-pay-more-168-million

Kind regards
 

Hello!

Very interesting analytical and investigative work by Windscribe disclosing ties (even hidden ones) between VPN companies, publishers, review web sites. Click on node icons to read more details. Very sinister situation at a glance. Note for example how Crossrider (now Kape), well known malware company co-founded by a member of israeli Defense Forces Unit 8200, nowadays controls major VPNs and review web sites:
https://embed.kumu.io/9ced55e897e74fd807be51990b26b415#vpn-company-relationships/control-d

Kind regards
 

Hello!

VPNs are not in the scope of both the legislation and trivial tech considerations, as we don't have the keys for the communications: chat, instant messages and e-mails are encrypted end-to-end without our keys, but with the keys of the parties and/or the keys of the service offering e-mail / chat / messaging service, so we can't decrypt anything in any case. 

With that said, this abomination must be fought. We repute it is incompatible with the Charter of Fundamental Rights and with various CJEU decisions on data retention and privacy. We feel to share the position and the consideration offered by Tuta and EDRi here and here:
https://tuta.com/blog/chat-control-criticism
https://edri.org/our-work/most-criticised-eu-law-of-all-time/

Unfortunately, opposition has become more difficult because big AI actors see chat control as a great opportunity and they have spent tens of millions to lobby in favor of this abominable regulation. This is the main explanation that tells you why various politicians have changed their positions. 

Kind regards
 

Hello!

We are very pleased to inform you that we are taking the necessary steps to completely renovate our infrastructure in the United Kingdom.

The current servers will be dismissed and replaced by six 10 Gbit/s servers with newer and much more powerful hardware. Each 10 Gbit/s server will be connected to a full duplex 10 Gbit/s dedicated line and port. Each new server replaces 2.5 current 1 Gbit/s servers in order to increase remarkably the available bandwidth per connected client.

At the end of the upgrade, UK will offer a theoretical peak of 60 Gbit/s (full duplex) instead of the current 15 Gbit/s, through adequately powerful servers.

According to our plan, three servers will be located in London and three in Manchester. The new servers will start operations around 19-22 February 2026. Current 1 Gbit/s servers will cease operations on the night between 28 February and 01 March (UTC). Any plan changes and/or delays will be communicated promptly.

UPDATE 2026-02-24: the servers are almost ready and will be available not later than 2026-02-25 (UTC). Because of the unforeseen delay, we are considering to extend the current 1 Gbit/s UK servers operations up to the end of March 2026.

Kind regards & datalove
AirVPN Staff

 

Hello!

Not anymore, and even less in the near future. HTTP/3 is quickly spreading. Today, HTTP/3 is used by 36.5% of all the websites, including major web sites inside countries that enforce blocks against VPN. Furthemore, blocking UDP as such is no more realistic, not even in China, where UDP has become an instrumental protocol for many companies in any sector (video streaming, video conference, VoIP, marketing, social media marketing, regime propaganda and more), for regime aligned or regime owned activities.
 
In China you have a near 100% success rate and no shaping (apart from the normal shaping for anything outside China) with the current Amnezia "weak obfuscation" (no CPS) implementation, i.e. at the moment you don't even need QUIC mimicking (which is anyway available and very effective). Currently, bypassing blocks via UDP than via TCP is more efficient in China.
 
At the moment there is nothing more effective than mimicking QUIC with the signature / fingerprint of an existing web site that's not blocked, and you have this option right now. We see > 95% success rate, which is better than the success rates of SSH (not exceeding 75%), shadowsocks and XRay, V2Ray etc (but a lot faster!). The success rate is similar to any VPN protocol over HTTP/2, but, again, dramatically faster.
 
We're glad to know it. It is also very flexible. Thanks to CPS, you may mimic any transport layer protocol built on UDP, for example DNS, QUIC, SIP.

Kind regards
 

Hello!

Eddie Android edition 4.0.0 beta 2 is now available featuring improved AmneziaWG support and strengthened logic against AirVPN bootstrap server blocks:
https://airvpn.org/forums/topic/77633-eddie-android-edition-400-preview-available/

Kind regards
 

@zimbabwe
@AG999
@Upre1943
@Stalinium
@Nonsense
@H12345h12345

Hello!

Eddie Android edition 4.0.0 preview implements full AmneziaWG support:
https://airvpn.org/forums/topic/77633-eddie-android-edition-400-preview-available/

Feel free to test and report back (bug, glitches...)!

Kind regards & datalove
AirVPN Staff

 

Hello!

We're very glad to inform you that three new 10 Gbit/s full duplex servers located in Toronto (Ontario), Canada, are available: Castula, Chamukuy and Elgafar. 

The AirVPN client will show automatically the new servers; if you use any other OpenVPN or WireGuard client you can generate all the files to access them through our configuration/certificates/key generator (menu "Client Area"->"Config generator").

The servers accept connections on ports 53, 80, 443, 1194, 2018 UDP and TCP for OpenVPN and ports 1637, 47107 and 51820 UDP for WireGuard. They support OpenVPN over SSL and OpenVPN over SSH, TLS 1.3, OpenVPN tls-crypt and WireGuard.

Full IPv6 support is included as well.

As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses.

You can check the status as usual in our real time servers monitor :
https://airvpn.org/servers/Castula
https://airvpn.org/servers/Chamukuy
https://airvpn.org/servers/Elgafar/
 
Do not hesitate to contact us for any information or issue.

Kind regards & datalove
AirVPN Staff

Hello!

We are very pleased to inform you that we are taking the necessary steps to completely renovate our infrastructure in the United Kingdom.

The current servers will be dismissed and replaced by six 10 Gbit/s servers with newer and much more powerful hardware. Each 10 Gbit/s server will be connected to a full duplex 10 Gbit/s dedicated line and port. Each new server replaces 2.5 current 1 Gbit/s servers in order to increase remarkably the available bandwidth per connected client.

At the end of the upgrade, UK will offer a theoretical peak of 60 Gbit/s (full duplex) instead of the current 15 Gbit/s, through adequately powerful servers.

According to our plan, three servers will be located in London and three in Manchester. The new servers will start operations around 19-22 February 2026. Current 1 Gbit/s servers will cease operations on the night between 28 February and 01 March (UTC). Any plan changes and/or delays will be communicated promptly.

UPDATE 2026-02-24: the servers are almost ready and will be available not later than 2026-02-25 (UTC). Because of the unforeseen delay, we are considering to extend the current 1 Gbit/s UK servers operations up to the end of March 2026.

Kind regards & datalove
AirVPN Staff

 

Hello!

We are very pleased to inform you that we are taking the necessary steps to completely renovate our infrastructure in the United Kingdom.

The current servers will be dismissed and replaced by six 10 Gbit/s servers with newer and much more powerful hardware. Each 10 Gbit/s server will be connected to a full duplex 10 Gbit/s dedicated line and port. Each new server replaces 2.5 current 1 Gbit/s servers in order to increase remarkably the available bandwidth per connected client.

At the end of the upgrade, UK will offer a theoretical peak of 60 Gbit/s (full duplex) instead of the current 15 Gbit/s, through adequately powerful servers.

According to our plan, three servers will be located in London and three in Manchester. The new servers will start operations around 19-22 February 2026. Current 1 Gbit/s servers will cease operations on the night between 28 February and 01 March (UTC). Any plan changes and/or delays will be communicated promptly.

UPDATE 2026-02-24: the servers are almost ready and will be available not later than 2026-02-25 (UTC). Because of the unforeseen delay, we are considering to extend the current 1 Gbit/s UK servers operations up to the end of March 2026.

Kind regards & datalove
AirVPN Staff

 

Hello!

We are very pleased to inform you that we are taking the necessary steps to completely renovate our infrastructure in the United Kingdom.

The current servers will be dismissed and replaced by six 10 Gbit/s servers with newer and much more powerful hardware. Each 10 Gbit/s server will be connected to a full duplex 10 Gbit/s dedicated line and port. Each new server replaces 2.5 current 1 Gbit/s servers in order to increase remarkably the available bandwidth per connected client.

At the end of the upgrade, UK will offer a theoretical peak of 60 Gbit/s (full duplex) instead of the current 15 Gbit/s, through adequately powerful servers.

According to our plan, three servers will be located in London and three in Manchester. The new servers will start operations around 19-22 February 2026. Current 1 Gbit/s servers will cease operations on the night between 28 February and 01 March (UTC). Any plan changes and/or delays will be communicated promptly.

UPDATE 2026-02-24: the servers are almost ready and will be available not later than 2026-02-25 (UTC). Because of the unforeseen delay, we are considering to extend the current 1 Gbit/s UK servers operations up to the end of March 2026.

Kind regards & datalove
AirVPN Staff

 

Hello!

We are very pleased to inform you that we are taking the necessary steps to completely renovate our infrastructure in the United Kingdom.

The current servers will be dismissed and replaced by six 10 Gbit/s servers with newer and much more powerful hardware. Each 10 Gbit/s server will be connected to a full duplex 10 Gbit/s dedicated line and port. Each new server replaces 2.5 current 1 Gbit/s servers in order to increase remarkably the available bandwidth per connected client.

At the end of the upgrade, UK will offer a theoretical peak of 60 Gbit/s (full duplex) instead of the current 15 Gbit/s, through adequately powerful servers.

According to our plan, three servers will be located in London and three in Manchester. The new servers will start operations around 19-22 February 2026. Current 1 Gbit/s servers will cease operations on the night between 28 February and 01 March (UTC). Any plan changes and/or delays will be communicated promptly.

UPDATE 2026-02-24: the servers are almost ready and will be available not later than 2026-02-25 (UTC). Because of the unforeseen delay, we are considering to extend the current 1 Gbit/s UK servers operations up to the end of March 2026.

Kind regards & datalove
AirVPN Staff

 

Hello!

We are very pleased to inform you that we are taking the necessary steps to completely renovate our infrastructure in the United Kingdom.

The current servers will be dismissed and replaced by six 10 Gbit/s servers with newer and much more powerful hardware. Each 10 Gbit/s server will be connected to a full duplex 10 Gbit/s dedicated line and port. Each new server replaces 2.5 current 1 Gbit/s servers in order to increase remarkably the available bandwidth per connected client.

At the end of the upgrade, UK will offer a theoretical peak of 60 Gbit/s (full duplex) instead of the current 15 Gbit/s, through adequately powerful servers.

According to our plan, three servers will be located in London and three in Manchester. The new servers will start operations around 19-22 February 2026. Current 1 Gbit/s servers will cease operations on the night between 28 February and 01 March (UTC). Any plan changes and/or delays will be communicated promptly.

UPDATE 2026-02-24: the servers are almost ready and will be available not later than 2026-02-25 (UTC). Because of the unforeseen delay, we are considering to extend the current 1 Gbit/s UK servers operations up to the end of March 2026.

Kind regards & datalove
AirVPN Staff

 

Hello!

We are very pleased to inform you that we are taking the necessary steps to completely renovate our infrastructure in the United Kingdom.

The current servers will be dismissed and replaced by six 10 Gbit/s servers with newer and much more powerful hardware. Each 10 Gbit/s server will be connected to a full duplex 10 Gbit/s dedicated line and port. Each new server replaces 2.5 current 1 Gbit/s servers in order to increase remarkably the available bandwidth per connected client.

At the end of the upgrade, UK will offer a theoretical peak of 60 Gbit/s (full duplex) instead of the current 15 Gbit/s, through adequately powerful servers.

According to our plan, three servers will be located in London and three in Manchester. The new servers will start operations around 19-22 February 2026. Current 1 Gbit/s servers will cease operations on the night between 28 February and 01 March (UTC). Any plan changes and/or delays will be communicated promptly.

UPDATE 2026-02-24: the servers are almost ready and will be available not later than 2026-02-25 (UTC). Because of the unforeseen delay, we are considering to extend the current 1 Gbit/s UK servers operations up to the end of March 2026.

Kind regards & datalove
AirVPN Staff

 

@thetechnerd
@MikeHawkener

Hello!

Some additional related information that may be valuable for you both.

When you run OpenVPN: the assigned VPN IP address depends on the daemon of the VPN server you connect to. Each one lives in a separated /24 subnet somewhere inside 10.0.0.0/10 When you run WireGuard: WireGuard lacks any DHCP feature it lives in a unique, gigantic 10.128.0.0/10 subnet throughout the whole AirVPN infrastructure the VPN IP address of each node is linked permanently to the node's key and it is unique in the whole WireGuard address space thus you will have always the same VPN IP address when you use the same key and you don't renew it, no matter which VPN server you connect to Kind regards


 

@thetechnerd
@MikeHawkener

Hello!

Some additional related information that may be valuable for you both.

When you run OpenVPN: the assigned VPN IP address depends on the daemon of the VPN server you connect to. Each one lives in a separated /24 subnet somewhere inside 10.0.0.0/10 When you run WireGuard: WireGuard lacks any DHCP feature it lives in a unique, gigantic 10.128.0.0/10 subnet throughout the whole AirVPN infrastructure the VPN IP address of each node is linked permanently to the node's key and it is unique in the whole WireGuard address space thus you will have always the same VPN IP address when you use the same key and you don't renew it, no matter which VPN server you connect to Kind regards


 

Hello!

No need for MSS clamping when using WireGuard, just modify the MTU if necessary. Since MSS clamping 1. becomes necessary only when you can't modify MTU, 2. needs packet mangling (WireGuard does not expose any option for it) and 3. requires anyway a server side modification, just operate through MTU. (*)

In OpenVPN (only when working over UDP), where networking management is a bit different, you can seriously consider the mssfix directive if you have any "fragmentation" problem that causes packet loss and poor performance. mssfix announces to TCP sessions running over the tunnel that they should limit their send packet sizes such that after OpenVPN has encapsulated them, the resulting UDP packet size that OpenVPN sends to its peer will not exceed max bytes. See also OpenVPN manual: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html

In Eddie you can add custom directives for OpenVPN in "Preferences" > "OVPN Directives" window.

(*) EDIT: there is a special case where MSS clamping becomes necessary with WireGuard too, although it is a consequence of bad PMTUD handling. If an intermediate link doesn’t correctly handle PMTUD (Path MTU Discovery), TCP packets larger than the tunnel MTU may be dropped, and the client will observe hanging connections or stalled downloads, possibly only for certain destination. In this case MSS clamping helps for sure.

Kind regards
 

Hello!

Please see here: https://airvpn.org/forums/topic/79065-eddie-desktop-apt-repository-signing-key-update/

Kind regards
 

Hello!

Starting from February 1st, 2026, Debian (e.g. Trixie) enforces stricter OpenPGP policies and no longer accepts repository signatures involving SHA1-based certifications.

As a result, users may see errors such as:
 
Get:4 http://eddie.website/repository/apt stable InRelease [3,954 B]          Err:4 http://eddie.website/repository/apt stable InRelease   Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on C181AC89FA667E317F423998513EFC94400D7698 is not bound:            No binding signature at time 2025-01-14T13:07:46Z   because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance   because: SHA1 is not considered secure since 2026-02-01T00:00:00Z Warning: OpenPGP signature verification failed: http://eddie.website/repository/apt stable InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on C181AC89FA667E317F423998513EFC94400D7698 is not bound:            No binding signature at time 2025-01-14T13:07:46Z   because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance   because: SHA1 is not considered secure since 2026-02-01T00:00:00Z Error: The repository 'http://eddie.website/repository/apt stable InRelease' is not signed. Notice: Updating from such a repository can't be done securely, and is therefore disabled by default. Notice: See apt-secure(8) manpage for repository creation and user configuration details.



This was caused by an outdated signing key certification used by the repository.
 
Solution

The repository signing key has been regenerated and the repository is now correctly signed again.
To restore updates, please re-import the updated maintainer key:
 
curl -fsSL https://eddie.website/repository/keys/eddie_maintainer_gpg.key | sudo tee /usr/share/keyrings/eddie.website-keyring.asc > /dev/null
Then run:
 
sudo apt update
Sorry for the inconvenience, and thanks for your patience.

Kind regards
 

Hello!

The "range" is specified by mask /32, so it's this single unique address. Yes, it's plausible that some past event flagged the IP address.
 
We don't know the internals of Tailscale but definitely this behavior should be investigated. Why an attempted connection to this specific IP address and why this port?

Kind regards
 

Hello!

Starting from February 1st, 2026, Debian (e.g. Trixie) enforces stricter OpenPGP policies and no longer accepts repository signatures involving SHA1-based certifications.

As a result, users may see errors such as:
 
Get:4 http://eddie.website/repository/apt stable InRelease [3,954 B]          Err:4 http://eddie.website/repository/apt stable InRelease   Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on C181AC89FA667E317F423998513EFC94400D7698 is not bound:            No binding signature at time 2025-01-14T13:07:46Z   because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance   because: SHA1 is not considered secure since 2026-02-01T00:00:00Z Warning: OpenPGP signature verification failed: http://eddie.website/repository/apt stable InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on C181AC89FA667E317F423998513EFC94400D7698 is not bound:            No binding signature at time 2025-01-14T13:07:46Z   because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance   because: SHA1 is not considered secure since 2026-02-01T00:00:00Z Error: The repository 'http://eddie.website/repository/apt stable InRelease' is not signed. Notice: Updating from such a repository can't be done securely, and is therefore disabled by default. Notice: See apt-secure(8) manpage for repository creation and user configuration details.



This was caused by an outdated signing key certification used by the repository.
 
Solution

The repository signing key has been regenerated and the repository is now correctly signed again.
To restore updates, please re-import the updated maintainer key:
 
curl -fsSL https://eddie.website/repository/keys/eddie_maintainer_gpg.key | sudo tee /usr/share/keyrings/eddie.website-keyring.asc > /dev/null
Then run:
 
sudo apt update
Sorry for the inconvenience, and thanks for your patience.

Kind regards
 

Hello!

There's nothing listening to port 54037 on any AirVPN server. We can't see why Tailscale seeks a connection to it, anyway we are sure now that there's no malware there as there's nothing. Probably Malwarebytes behavior comes from some past event or it's yet another over-blocking case.

Kind regards
 

the effective MTU of the tunnel is limited by the smallest MTU anywhere along the path

Hello!

On our servers the MTU limit is 1420 bytes on a standard Ethernet frame because of IPv6 over IPv4. For PPPoE see also https://www.hitoha.moe/wireguard-mtu-over-pppoe/ 

So, if you set 1432 bytes MTU for your WireGuard interface, the fragmentation will occur on our servers, not on your side. The upper, actual limit is the lowest MTU in the path, in other words the smallest MTU on the path silently limits the tunnel. The 12 bytes difference may be negligible and most packets will not be fragmented, and you will not see fragmentation on your side, but you could notice a performance hit on upload (upload from you to the server we mean).

Kind regards