Staff

Logbook of an old salt, written on the first day of a fresh two-year voyage aboard the proud AirVPN fleet:

Brethren and sister privateers,

The yearly discount chest has been opened once again, and I have filled my hold with twenty-four more months of wind. While the quartermaster counts the gold, let this weathered mariner raise a weather-beaten voice:

We need a berth in Poland. One single, sturdy server flying the white-and-red banner would save an entire nation of sailors from slow death by a thousand of exceptions.

Behold the enemies that lie in wait in Polish waters:

The heavy galleon Poczta Polska (Polish Post) and her tender Envelo (online postage) The ironclad banks that fire broadsides the moment a foreign IP drops anchor The judicial fortresses and their batteries Legal archives, university libraries, and even honest merchant carracks


All of them roar: “No foreign keel shall pass!”

The only way to trade with them is to rip plank after plank from our own hulls – dozens, sometimes hundreds of holes in iptables so the cannonballs of “access denied” fly straight through. (Call it split-tunneling if ye be landlubbers; we call it scuttling the ship to save the cargo.)

I have sailed these waters for years in the AirVPN flotilla, and the oceans grow darker every season. Ports that once welcomed us now slam the gates. The great YouTube leviathan mistakes every one of our frigates for a pirate bot and demands we strike our colours and show papers none of us will ever sign. So we dance the server hornpipe – Netherlands to Switzerland to Sweden to Canada – tacking frantically until one harbour opens its arms for a fleeting moment, only to chase us out again before the song is over.

Need to see them Canadian iron beasts racing the prairie? We glide in under Japanese colours, drop anchor for a fleeting moment of peace… then, the instant the port starts sniffing at our false ensign, we cut the cable and fly before the black-list cannonade roars.

This be not the fault of our admirable Admiral and the crew – ‘tis the spirit of the age trying to chain the very sea itself – but one safe haven on Polish soil would turn a gauntlet of fire into a calm inland lake for all local hands.

May fair winds fill AirVPN sails forever!
May the fleet grow stronger every year!
Hail Poland! Hail AirVPN! Hail all ye beautiful bastards and bitches who still believe the high seas should be free! 

Yours in rum and packets,
An old Polish privateer 🇵🇱
 

Hello!
 
We're very glad to announce that Eddie Android edition 4.0.0 Beta 1 is now available.
This is a major update: for the first time Eddie Android edition features AmneziaWG complete support.

Eddie Android edition is a fully integrated with AirVPN, free and open source client allowing comfortable connections to AirVPN servers and generic VPN servers offering compatible protocols. Eddie 4.0.0 aims primarily at adding, besides the already available OpenVPN and WireGuard, a thorough and comfortable AmneziaWG support. 

AmneziaWG is a free and open source fork of WireGuard by Amnezia inheriting the architectural simplicity and high performance of the original implementation, but eliminating the identifiable network signatures that make WireGuard easily detectable by Deep Packet Inspection (DPI) systems. It can operate in several different ways, including a fallback, "compatibility mode" with WireGuard featuring anyway various obfuscation techniques.
 
What's new in Eddie 4.0.0
  AmneziaWG support Amnezia WireGuard API updated OpenSSL, OpenVPN3-AirVPN and WireGuard libraries see the complete changelog below  
AmneziaWG overview
  From the official documentation: https://docs.amnezia.org/documentation/amnezia-wg AmneziaWG offers:
Dynamic Headers for All Packet Types (compatibility with WireGuard: YES)
During tunnel initialization, the library generates a set of random constants applied to each of the four WireGuard packet formats: Init, Response, Data, Under‑Load. These constants:
Replace predictable WireGuard packet identifiers; Shift offsets of Version/Type fields; Modify reserved bits. As a result, no two clients have identical headers, making it impossible to write a universal DPI rule.
 
Handshake Length Randomization (compatibility with WireGuard: NO)
In WireGuard, the Init packet is exactly 148 bytes, and the Response packet is exactly 92 bytes. AmneziaWG adds pseudorandom prefixes S1 and S2 (0-64 bytes by default):
len(init) = 148 + S1 len(resp) = 92  + S2 Offsets of the remaining fields are automatically adjusted, and MAC tags are recalculated accordingly. In order to keep backward compatibility with WireGuard, S1 and S2 must be set to 0. 
  Obfuscation Packets I1-I5 (Signature Chain) & CPS (Custom Protocol Signature) (compatibility with WireGuard: partial, with fallback)
Before initiating a "special" handshake (every 120 seconds), the client may send up to five different UDP packets fully described by the user in the CPS format. In this way AmneziaWG can mimic perfectly QUIC, DNS and other protocols adding powerful methods to circumvent blocks. QUIC is particularly interesting as HTTP/3 is built on it and currently, from Chrome and other compatible browsers, 50% of traffic to/from Google is QUIC traffic. Therefore, blocking QUIC may have major disruptions for any ISP.
 
Junk‑train (Jc) (compatibility with WireGuard: YES)
Immediately following the sequence of I-packets, a series Jc of pseudorandom packets with lengths varying between Jmin and Jmax is sent. These packets blur the timing and size profile of the session start, significantly complicating handshake detection.
 
Under‑Load Packet (compatibility with WireGuard: YES)
In WireGuard, a special keep-alive packet (“Under-Load”) is used to bypass NAT timeouts. AmneziaWG replaces its fixed header with a randomized one, the value of which can be set manually. This prevents DPI from filtering short ping packets, ensuring stable tunnel connections, especially on mobile networks.
 
 
How to use Eddie with AmneziaWG

To enable AmneziaWG mode, just tap the connection mode available in the main and other views. It will rotate between WireGuard, AmneziaWG and OpenVPN. Set it to AmneziaWG. In its default AmneziaWG mode, Eddie will use all the possible obfuscation, except protocol mimicking, that keeps WireGuard compatibility, thus allowing connections to AirVPN servers. The default settings choice was possible thanks to the invaluable support of persons living in countries where VPN blocks are widespread. Such settings have been tested as working and capable to bypass the current blocking methods in various countries. You may consider to modify them if they are ineffective to bypass "your" specific blocks.
  In Settings > Advanced, you will find, at the bottom of the page, a new "Custom Amnezia WG directives" item. By tapping it you will summon a dialog that will let you customize any possible AmneziaWG parameter.

You can maintain backward compatibility with WireGuard in the dialog WireGuard section, or enable the full AmneziaWG support in the Amnezia section, which is not compatible (at the moment) with AirVPN WireGuard servers. This mode will be mostly valuable in a not distant future, when AirVPN servers will start to support AmneziaWG natively. You may also enable QUIC or DNS mimicking for additional obfuscation efficacy. 

In order to maintain WireGuard backward compatibility, with or without QUIC or DNS mimicking, you must set:
S1 = S2 = 0
Hn ∈ {1, 2, 3, 4}
H1 ≠ H2 ≠ H3 ≠ H4

Furthermore, do not exceed the valid limit of the J parameters (anyway Eddie will not let you do it). In this preview version, Eddie's formal control of the input data is based on the following document. We strongly recommend you read it if you need to modify manually parameters:
https://github.com/amnezia-vpn/amneziawg-linux-kernel-module?tab=readme-ov-file#configuration


Please do not modify In parameters if you don't know exactly what you're doing. 

Eddie implements QUIC and DNS mimicking and random obfuscation packets for each specific "I" parameter (by using the corresponding "Generate" button). You can enable them with a tap on the proper buttons. You may mimic QUIC and DNS even to connect to WireGuard based servers.

When you enable QUIC mimicking and you maintain WireGuard backward compatibility, you add a powerful tool against blocks, because the first packets will be actual QUIC packets. AmneziaWG will fall back to WireGuard compatibility very soon. However, when DPI and SPI tools, and demultiplexers in general, identify the initial QUIC flow, most of them will be unable to detect a WireGuard flow for several minutes. This has been tested thoroughly with deep packet inspection on Linux and FreeBSD based machines by AirVPN staff.

Therefore, in different blocking scenarios the QUIC mimicking increases likelihood of successful block bypass. NOTE: the same does not happen with DNS mimicking. In this case DPI / SPI tools identify the stream initially as DNS, but are much quicker (just in a few dozens of packets) to identify the stream as WireGuard's, after the initial DNS identification.
 
If you decide to test, please report at your convenience any bug and problem in this thread. If possible generate a report from the app in a matter of seconds: by tapping the paper plane icon on the Log view bar rightmost side you will generate a full system report which will include both log and logcat and have it sent to our servers. Then you just need to send us the link the app shows you (open a ticket if you prefer to do it in private).  
Download link, checksum and changelog
https://eddie.website/repository/Android/4.0.0-Beta1/EddieAndroid-4.0.0-Beta-1.apk
 
This is a build debug package and side load is mandatory.
 
$ sha256sum EddieAndroid-4.0.0-Beta-1.apk 617269290a0406237646cc0885e5b10f3916252f89fe82ba9ccb947354980fcb EddieAndroid-4.0.0-Beta-1.apk
Changelog 4.0.0 (VC 37) - Release date: 26 November 2025 by ProMIND
Native Library
[ProMIND] updated to version 4.0.0, API 10 [ProMIND] added Amnezia WireGuard API [ProMIND] updated to OpenVPN-AirVPN 3.12 (20251126)
AirVPNUser.java
[ProMIND] getWireGuardProfile(): added Amnezia support

ConnectAirVPNServerFragment.java
[ProMIND] showConnectionInfo(): added AmneziaWG logo display [ProMIND] onCreateContextMenu(): added AmneziaWG items [ProMIND] onContextItemSelected(): added AmneziaWG items [ProMIND] added method loadVPNProfile()
ConnectVpnProfileFragment.java
[ProMIND] added Amnezia support
EddieLibraryResult.java
[ProMIND] added Amnezia WireGuard API
QuickConnectFragment.java
[ProMIND] onCreateView(): added AmneziaWG logo display [ProMIND] updateStatusBox(): added AmneziaWG logo display
SettingsActivity.java
[ProMIND] added "Custom AmneziaWG directives" setting
SettingsManager.java
[ProMIND] added Amnezia specific settings and methods
SupportTools.java [ProMIND] removed method getVPNProfile()
VPN.java
[ProMIND] added methods enableAmneziaWireGuard() and isWireGuardAmneziaEnabled()
VPNManager.java
[ProMIND] added method isWireGuardAmneziaEnabled()
VPNProfileDatabase.java
[ProMIND] added AMNEZIA type
WebViewerActivity.java
[ProMIND] EddieWebViewClient.shouldOverrideUrlLoading(): it now properly opens android asset files
WireGuardClient.java
[ProMIND] added WireGuard tunnel node to constructor  [ProMIND] added methods for generating Amnezia's junk settings
WireGuardTunnel.java
[ProMIND] added support for Amnezia WireGuard [ProMIND] added Mode enum [ProMIND] added tunnel node to constructor 
EddieLibrary.java
[ProMIND] added Amnezia WireGuard API
Kind regards & datalove
AirVPN Staff

Hello!

Yes. The kernel already does a wonderful job to distribute fairly bandwidth, aided by the excellent ability to scale of WireGuard. OpenVPN is a little more problematic but we force a round robin distribution of peers on different instances to balance core load. Where a limit must be enforced artificially is in the amount of concurrent connections INSIDE the tunnel. Normally we allow the maximum amount supported by a powerful home router, i.e. 20000 concurrent connections per node. This limit is usually not even noticed by the users as it is well beyond the usage of virtually all of our user base.

Kind regards
 

Hello!
 
We're very glad to announce that Eddie Android edition 4.0.0 Beta 1 is now available.
This is a major update: for the first time Eddie Android edition features AmneziaWG complete support.

Eddie Android edition is a fully integrated with AirVPN, free and open source client allowing comfortable connections to AirVPN servers and generic VPN servers offering compatible protocols. Eddie 4.0.0 aims primarily at adding, besides the already available OpenVPN and WireGuard, a thorough and comfortable AmneziaWG support. 

AmneziaWG is a free and open source fork of WireGuard by Amnezia inheriting the architectural simplicity and high performance of the original implementation, but eliminating the identifiable network signatures that make WireGuard easily detectable by Deep Packet Inspection (DPI) systems. It can operate in several different ways, including a fallback, "compatibility mode" with WireGuard featuring anyway various obfuscation techniques.
 
What's new in Eddie 4.0.0
  AmneziaWG support Amnezia WireGuard API updated OpenSSL, OpenVPN3-AirVPN and WireGuard libraries see the complete changelog below  
AmneziaWG overview
  From the official documentation: https://docs.amnezia.org/documentation/amnezia-wg AmneziaWG offers:
Dynamic Headers for All Packet Types (compatibility with WireGuard: YES)
During tunnel initialization, the library generates a set of random constants applied to each of the four WireGuard packet formats: Init, Response, Data, Under‑Load. These constants:
Replace predictable WireGuard packet identifiers; Shift offsets of Version/Type fields; Modify reserved bits. As a result, no two clients have identical headers, making it impossible to write a universal DPI rule.
 
Handshake Length Randomization (compatibility with WireGuard: NO)
In WireGuard, the Init packet is exactly 148 bytes, and the Response packet is exactly 92 bytes. AmneziaWG adds pseudorandom prefixes S1 and S2 (0-64 bytes by default):
len(init) = 148 + S1 len(resp) = 92  + S2 Offsets of the remaining fields are automatically adjusted, and MAC tags are recalculated accordingly. In order to keep backward compatibility with WireGuard, S1 and S2 must be set to 0. 
  Obfuscation Packets I1-I5 (Signature Chain) & CPS (Custom Protocol Signature) (compatibility with WireGuard: partial, with fallback)
Before initiating a "special" handshake (every 120 seconds), the client may send up to five different UDP packets fully described by the user in the CPS format. In this way AmneziaWG can mimic perfectly QUIC, DNS and other protocols adding powerful methods to circumvent blocks. QUIC is particularly interesting as HTTP/3 is built on it and currently, from Chrome and other compatible browsers, 50% of traffic to/from Google is QUIC traffic. Therefore, blocking QUIC may have major disruptions for any ISP.
 
Junk‑train (Jc) (compatibility with WireGuard: YES)
Immediately following the sequence of I-packets, a series Jc of pseudorandom packets with lengths varying between Jmin and Jmax is sent. These packets blur the timing and size profile of the session start, significantly complicating handshake detection.
 
Under‑Load Packet (compatibility with WireGuard: YES)
In WireGuard, a special keep-alive packet (“Under-Load”) is used to bypass NAT timeouts. AmneziaWG replaces its fixed header with a randomized one, the value of which can be set manually. This prevents DPI from filtering short ping packets, ensuring stable tunnel connections, especially on mobile networks.
 
 
How to use Eddie with AmneziaWG

To enable AmneziaWG mode, just tap the connection mode available in the main and other views. It will rotate between WireGuard, AmneziaWG and OpenVPN. Set it to AmneziaWG. In its default AmneziaWG mode, Eddie will use all the possible obfuscation, except protocol mimicking, that keeps WireGuard compatibility, thus allowing connections to AirVPN servers. The default settings choice was possible thanks to the invaluable support of persons living in countries where VPN blocks are widespread. Such settings have been tested as working and capable to bypass the current blocking methods in various countries. You may consider to modify them if they are ineffective to bypass "your" specific blocks.
  In Settings > Advanced, you will find, at the bottom of the page, a new "Custom Amnezia WG directives" item. By tapping it you will summon a dialog that will let you customize any possible AmneziaWG parameter.

You can maintain backward compatibility with WireGuard in the dialog WireGuard section, or enable the full AmneziaWG support in the Amnezia section, which is not compatible (at the moment) with AirVPN WireGuard servers. This mode will be mostly valuable in a not distant future, when AirVPN servers will start to support AmneziaWG natively. You may also enable QUIC or DNS mimicking for additional obfuscation efficacy. 

In order to maintain WireGuard backward compatibility, with or without QUIC or DNS mimicking, you must set:
S1 = S2 = 0
Hn ∈ {1, 2, 3, 4}
H1 ≠ H2 ≠ H3 ≠ H4

Furthermore, do not exceed the valid limit of the J parameters (anyway Eddie will not let you do it). In this preview version, Eddie's formal control of the input data is based on the following document. We strongly recommend you read it if you need to modify manually parameters:
https://github.com/amnezia-vpn/amneziawg-linux-kernel-module?tab=readme-ov-file#configuration


Please do not modify In parameters if you don't know exactly what you're doing. 

Eddie implements QUIC and DNS mimicking and random obfuscation packets for each specific "I" parameter (by using the corresponding "Generate" button). You can enable them with a tap on the proper buttons. You may mimic QUIC and DNS even to connect to WireGuard based servers.

When you enable QUIC mimicking and you maintain WireGuard backward compatibility, you add a powerful tool against blocks, because the first packets will be actual QUIC packets. AmneziaWG will fall back to WireGuard compatibility very soon. However, when DPI and SPI tools, and demultiplexers in general, identify the initial QUIC flow, most of them will be unable to detect a WireGuard flow for several minutes. This has been tested thoroughly with deep packet inspection on Linux and FreeBSD based machines by AirVPN staff.

Therefore, in different blocking scenarios the QUIC mimicking increases likelihood of successful block bypass. NOTE: the same does not happen with DNS mimicking. In this case DPI / SPI tools identify the stream initially as DNS, but are much quicker (just in a few dozens of packets) to identify the stream as WireGuard's, after the initial DNS identification.
 
If you decide to test, please report at your convenience any bug and problem in this thread. If possible generate a report from the app in a matter of seconds: by tapping the paper plane icon on the Log view bar rightmost side you will generate a full system report which will include both log and logcat and have it sent to our servers. Then you just need to send us the link the app shows you (open a ticket if you prefer to do it in private).  
Download link, checksum and changelog
https://eddie.website/repository/Android/4.0.0-Beta1/EddieAndroid-4.0.0-Beta-1.apk
 
This is a build debug package and side load is mandatory.
 
$ sha256sum EddieAndroid-4.0.0-Beta-1.apk 617269290a0406237646cc0885e5b10f3916252f89fe82ba9ccb947354980fcb EddieAndroid-4.0.0-Beta-1.apk
Changelog 4.0.0 (VC 37) - Release date: 26 November 2025 by ProMIND
Native Library
[ProMIND] updated to version 4.0.0, API 10 [ProMIND] added Amnezia WireGuard API [ProMIND] updated to OpenVPN-AirVPN 3.12 (20251126)
AirVPNUser.java
[ProMIND] getWireGuardProfile(): added Amnezia support

ConnectAirVPNServerFragment.java
[ProMIND] showConnectionInfo(): added AmneziaWG logo display [ProMIND] onCreateContextMenu(): added AmneziaWG items [ProMIND] onContextItemSelected(): added AmneziaWG items [ProMIND] added method loadVPNProfile()
ConnectVpnProfileFragment.java
[ProMIND] added Amnezia support
EddieLibraryResult.java
[ProMIND] added Amnezia WireGuard API
QuickConnectFragment.java
[ProMIND] onCreateView(): added AmneziaWG logo display [ProMIND] updateStatusBox(): added AmneziaWG logo display
SettingsActivity.java
[ProMIND] added "Custom AmneziaWG directives" setting
SettingsManager.java
[ProMIND] added Amnezia specific settings and methods
SupportTools.java [ProMIND] removed method getVPNProfile()
VPN.java
[ProMIND] added methods enableAmneziaWireGuard() and isWireGuardAmneziaEnabled()
VPNManager.java
[ProMIND] added method isWireGuardAmneziaEnabled()
VPNProfileDatabase.java
[ProMIND] added AMNEZIA type
WebViewerActivity.java
[ProMIND] EddieWebViewClient.shouldOverrideUrlLoading(): it now properly opens android asset files
WireGuardClient.java
[ProMIND] added WireGuard tunnel node to constructor  [ProMIND] added methods for generating Amnezia's junk settings
WireGuardTunnel.java
[ProMIND] added support for Amnezia WireGuard [ProMIND] added Mode enum [ProMIND] added tunnel node to constructor 
EddieLibrary.java
[ProMIND] added Amnezia WireGuard API
Kind regards & datalove
AirVPN Staff

We have kept the OP message to show the pervasiveness of the PRC's propaganda lackeys. We consider Taiwan (Republic of China) to be independent and autonomous from the PRC (People's Republic of China), as it is in fact. ipleak uses MaxMind and IANA databases to display results, and we are pleased that these are aligned with an anti-imperialist and democratic vision that is clearly unpalatable to the dictatorial regime of the PRC, which sees it as an obstacle to its expansionist ambitions.

Hello!

You could split the traffic of the application you run to access CS2 or Steam (a browser and/or a dedicated game client, we don't know). All the traffic of the system would continue flowing into the VPN tunnel except the specific Steam related applications traffic. While no trivial solution is available for macOS at the moment (you could consider virtualization), on Linux you can achieve app traffic splitting with the AirVPN Suite 2, on Windows with WireSock, on Android with Eddie Android edition.

Kind regards
 

Hello!

We're very glad to inform you that the Black Friday weeks have started in AirVPN!

Save up to 74%
when compared to one month plan price
 
Check all plans and discounts here: https://airvpn.org/buy
 
If you're already our customer and you wish to jump aboard for a longer period, any additional subscription will be added on top of already existing subscriptions and you will not lose any day.

AirVPN is one of the oldest and most experienced consumer VPN on the market, operating since 2010. It never changed ownership and it was never sold out to data harvesting or malware specialized companies as it regrettably happened to several competitors. Ever since 2010 AirVPN has been faithful to its mission.

AirVPN does not inspect and/or log client traffic and offers:
five simultaneous connections per account (additional connection slots available if needed) state of the art and flexible inbound remote port forwarding active daemons load balancing for unmatched high performance - current 'all time high' on client side is 730 Mbit/s with OpenVPN and 2000 Mbit/s with WireGuard flexible and customizable opt-in block lists protecting you from adware, trackers, spam and other malicious sources. You can customize answers or exceptions globally, at account level or even at single device level. powerful API IPv6 full support comfortable management of your client certificates and keys AES-GCM and ChaCha20 OpenVPN ciphers on all servers Perfect Forward Secrecy with unique per-server 4096 bit Diffie-Hellman keys internal DNS. Each server runs its own DNS server. DNS over HTTPS and DNS over TLS are also supported. free and open source software client side software support to traffic splitting on an application basis on Android and Linux and on a destination basis on Windows and macOS GPS spoofing on Android application
AirVPN is the only VPN provider which is actively developing OpenVPN 3 library with a fork that's currently 330 commits ahead of OpenVPN master and adds key features and bug fixes for a much more comfortable and reliable experience:
https://github.com/AirVPN/openvpn3-airvpn

AirVPN, in accordance with its mission, develops only free and open source software for many platforms, including Android, Linux (both x86 and ARM based systems), macOS and Windows.
Promotion due to end on 2025-12-03 (UTC).

Kind regards & datalove
AirVPN Staff

Hello!

Holy moly whack a moly, from you description the outcome seems correct and expected, apparently (again from your description) you missed entirely to configure and run any listening program, can you clarify?

Kind regards
 

Ich hatte noch nicht mal Zeit, mich da voll reizufuchsen. Egal wird schon hinhauen😎 2 Jahre.

But you'd be supporting a good cause.

Renewed for another 3 years  

At least add a few more months, just as a precaution. 

Hello!

We're very glad to inform you that two new 10 Gbit/s full duplex servers located in Amsterdam, the Netherlands, are available: Taiyangshou and Vindemiatrix. 

The AirVPN client will show automatically the new servers; if you use any other OpenVPN or WireGuard client you can generate all the files to access them through our configuration/certificates/key generator (menu "Client Area"->"Config generator").

The servers accept connections on ports 53, 80, 443, 1194, 2018 UDP and TCP for OpenVPN and ports 1637, 47107 and 51820 UDP for WireGuard. They support OpenVPN over SSL and OpenVPN over SSH, TLS 1.3, OpenVPN tls-crypt and WireGuard.

Full IPv6 support is included as well.

As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses.

You can check the status as usual in our real time servers monitor :
https://airvpn.org/servers/Taiyangshou
https://airvpn.org/servers/Vindemiatrix
 
Do not hesitate to contact us for any information or issue.

Kind regards & datalove
AirVPN Staff

Hello!

We're very glad to inform you that two new 10 Gbit/s full duplex servers located in Amsterdam, the Netherlands, are available: Taiyangshou and Vindemiatrix. 

The AirVPN client will show automatically the new servers; if you use any other OpenVPN or WireGuard client you can generate all the files to access them through our configuration/certificates/key generator (menu "Client Area"->"Config generator").

The servers accept connections on ports 53, 80, 443, 1194, 2018 UDP and TCP for OpenVPN and ports 1637, 47107 and 51820 UDP for WireGuard. They support OpenVPN over SSL and OpenVPN over SSH, TLS 1.3, OpenVPN tls-crypt and WireGuard.

Full IPv6 support is included as well.

As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses.

You can check the status as usual in our real time servers monitor :
https://airvpn.org/servers/Taiyangshou
https://airvpn.org/servers/Vindemiatrix
 
Do not hesitate to contact us for any information or issue.

Kind regards & datalove
AirVPN Staff

Hello!
 
This is interesting.

We are gradually activating IPv6 on every server, but you have IPv6 disabled at OS level, and this causes a fatal error.

For the moment, you can:

- Reactivate IPv6
No good reason is known to disable IPv6 at OS level. If you are scared about IPv6 leak when connecting to servers without IPv6 support,
a cleaner solution is simply blocking IPv6 traffic with ip6tables.
 
OR
 
- Append the following directives in your .ovpn files:
 
pull-filter ignore "dhcp-option DNS6" pull-filter ignore "tun-ipv6" pull-filter ignore "ifconfig-ipv6"  
This will skip IPv6 configuration of tunnel and avoid your error. We are considering related options to Config Generator.
 
Kind regards

@Bohdan Kushnirchuk

Hello!

How to solve:
  To grant Terminal full disk access (except some specific critical directories) on macOS, follow these steps:
Open System Settings (or System Preferences):
On macOS Ventura and later, click the Apple menu at the top-left of your screen, then choose System Settings.
On macOS Monterey or earlier, choose System Preferences.
Go to Privacy & Security:
In System Settings (Ventura and later), select Privacy & Security in the left-hand menu.
In System Preferences (Monterey and earlier), click Security & Privacy, then go to the Privacy tab.
Select Full Disk Access:
In the Privacy & Security or Security & Privacy tab, scroll down and click Full Disk Access in the left menu.
Unlock Settings:
At the bottom-left of the window, you might need to click the lock icon and enter your admin password to make changes.
Add Terminal:
Once the lock is open, click the + button beneath the list of apps with Full Disk Access.
In the file chooser window that pops up, go to Applications > Utilities, and select Terminal.
Click Open to add it to the list.
Restart Terminal:
Close the Terminal app if it’s open, then reopen it to apply the changes.

 
2. Open the terminal and change ownership of the relevant files: sudo chown root /Applications/Eddie.app/Contents/MacOS/*
Kind regards
 

@Ptwifty
Hello!

This is a regrettable attempt to irritate AirVPN customers as retaliation by Eddie for not granting him certain benefits after almost 15 years of service. We will have to suppress these attempts at rebellion with a firm and unyielding hand.
 
Joking aside, it seems that you have defined Sheratan as the only server to which Eddie can connect. From your description, you say that you have defined a blacklist with a single server, but in reality you have defined a whitelist with that single server. Please re-check your lists in the "Servers" window.

Kind regards
 

Hello!

We're very glad to inform you that two new 10 Gbit/s full duplex servers located in Amsterdam, the Netherlands, are available: Taiyangshou and Vindemiatrix. 

The AirVPN client will show automatically the new servers; if you use any other OpenVPN or WireGuard client you can generate all the files to access them through our configuration/certificates/key generator (menu "Client Area"->"Config generator").

The servers accept connections on ports 53, 80, 443, 1194, 2018 UDP and TCP for OpenVPN and ports 1637, 47107 and 51820 UDP for WireGuard. They support OpenVPN over SSL and OpenVPN over SSH, TLS 1.3, OpenVPN tls-crypt and WireGuard.

Full IPv6 support is included as well.

As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses.

You can check the status as usual in our real time servers monitor :
https://airvpn.org/servers/Taiyangshou
https://airvpn.org/servers/Vindemiatrix
 
Do not hesitate to contact us for any information or issue.

Kind regards & datalove
AirVPN Staff

Hello!

We're very glad to inform you that two new 10 Gbit/s full duplex servers located in Amsterdam, the Netherlands, are available: Taiyangshou and Vindemiatrix. 

The AirVPN client will show automatically the new servers; if you use any other OpenVPN or WireGuard client you can generate all the files to access them through our configuration/certificates/key generator (menu "Client Area"->"Config generator").

The servers accept connections on ports 53, 80, 443, 1194, 2018 UDP and TCP for OpenVPN and ports 1637, 47107 and 51820 UDP for WireGuard. They support OpenVPN over SSL and OpenVPN over SSH, TLS 1.3, OpenVPN tls-crypt and WireGuard.

Full IPv6 support is included as well.

As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses.

You can check the status as usual in our real time servers monitor :
https://airvpn.org/servers/Taiyangshou
https://airvpn.org/servers/Vindemiatrix
 
Do not hesitate to contact us for any information or issue.

Kind regards & datalove
AirVPN Staff

@Ptwifty
Hello!

This is a regrettable attempt to irritate AirVPN customers as retaliation by Eddie for not granting him certain benefits after almost 15 years of service. We will have to suppress these attempts at rebellion with a firm and unyielding hand.
 
Joking aside, it seems that you have defined Sheratan as the only server to which Eddie can connect. From your description, you say that you have defined a blacklist with a single server, but in reality you have defined a whitelist with that single server. Please re-check your lists in the "Servers" window.

Kind regards
 

You shouldn't, please read the announcement, thanks! 😋

Kind regards
 

I can confirm this works on Homatics Dune HD Homatics Box R 4K Plus. It needs to be done through real USB connection. ADB TV was not working for me.

Hello!

You will appear on the Internet with the same IP address if you connect to the same VPN server. In order to prevent this from happening please make sure to connect each device to a different VPN server.

Kind regards
 

Hello!

We're very glad to announce that AirVPN Suite 2.0.0 Release is available. Special thanks to the outstanding community beta testers whose continued support in over a year and a half has been invaluable and decisive to find out and address several, insidious bugs.

AirVPN Suite 2.0.0 introduces AirVPN's exclusive per app traffic splitting system, bug fixes, revised code, WireGuard support, and the latest OpenVPN3-AirVPN 3.12 library. Please see the respective changelogs for a complete list of  changes for each component of the suite. 
 
The 2.0.0 Suite includes:
Bluetit: lightweight, ultra-fast D-Bus controlled system daemon providing full connectivity and integration to AirVPN servers, or generic OpenVPN and WireGuard servers. Bluetit can also enforce Network Lock and/or connect the system to AirVPN during the bootstrap Goldcrest: Bluetit client, allowing full integration with AirVPN servers, users, keys, profiles as well as generic OpenVPN and WireGuard servers Hummingbird: lightweight and standalone binary for generic OpenVPN and WireGuard server connections Cuckoo: traffic split manager, granting full access and functionality to AirVPN's traffic split infrastructure airsu: a "run and forget" tool to automatically set and enable the user environment for the X.Org or Wayland based ecosystem without any user input
WireGuard support
 
WireGuard support is now available in Bluetit and Hummingbird. OpenVPN or WireGuard selection is controlled by Bluetit run control file option airvpntype or by Goldcrest option -f  (short for --air-vpn-type). Possible values: openvpn, wireguard. New 2.0.0 default: wireguard.

Bluetit run control file (/etc/airvpn/bluetit.rc) option:
airvpntype: (string) VPN type to be used for AirVPN connections. Possible values: wireguard, openvpn. Default: wireguard Goldcrest option:
--air-vpn-type, -f : VPN type for AirVPN connection <wireguard|openvpn>  
Suspend and resume services for systemd based systems

For your comfort, the installation script can create suspend and resume services in systemd based systems, according to your preferences. allowing a more proper management of VPN connections when the system is suspended and resumed. The network connection detection code has also been rewritten to provide more appropriate behavior.

  Asynchronous mode

A new asynchronous mode (off by default) is supported by Bluetit and Goldcrest, allowing asynchronous connections. Network Lock can be used accordingly in asynchronous connections. Please consult the readme.md file included in every tarball for more information and details.
  Word completion on bash and zsh

Auto completion is now available by pressing the TAB key when entering any Goldcrest or Hummingbird option and filename on a bash or zsh interpreter. Auto completion files are installed automatically by the installation script.

 
AirVPN's VPN traffic splitting

AirVPN Suite version 2.0.0 introduces traffic splitting by using a dedicated network namespace. The VPN traffic is carried out in the default (main) namespace, ensuring all system data and traffic to be encrypted into the VPN tunnel by default. No clear and unencrypted data are allowed to pass through the default namespace. Any non-tunneled network traffic must be explicitly requested by an authorized user with the right to run cuckoo, the AirVPN traffic split manager tool.

AirVPN's traffic splitting is managed by Bluetit and configured through run control directives. The system has been created in order to minimize any tedious or extensive configuration, even to the minimal point of telling Bluetit to enable traffic splitting with no other setting.

In order to enable and control AirVPN's traffic splitting, the below new run control directives for /etc/airvpn/bluetit.rc have been implemented: allowtrafficsplitting: (on/off) enable or disable traffic splitting. Default: off trafficsplitnamespace: (string) name of Linux network namespace dedicated to traffic splitting. Default: aircuckoo trafficsplitinterface: (string) name of the physical network interface to be used for traffic splitting. All the unencrypted and out of the tunnel data will pass through the specified network device/interface. In case this directive is not used and unspecified, Bluetit will automatically use the main network interface of the system and connected to the default gateway. Default: unspecified trafficsplitnamespaceinterface: (string) name of the virtual network interface to be associated to the Linux network namespace dedicated to traffic splitting. Default: ckveth0 trafficsplitipv4: (IPv4 address|auto) IPv4 address of the virtual network interface used for traffic splitting. In case it is set to 'auto', Bluetit will try to automatically assign an unused IPv4 address belonging to the system's host sub-network (/24) Default: auto trafficsplitipv6: (IPv6 address|auto) IPv6 address of the virtual network interface used for traffic splitting. In case it is set to 'auto', Bluetit will try to automatically assign an unused IPv6 address belonging to the system's host sub-network (/64) Default: auto trafficsplitfirewall: (on/off) enable or disable the firewall in Linux network namespace dedicated to traffic splitting. The firewall is set up with a minimal rule set for a very basic security model. Default: off AirVPN's traffic splitting is designed in order to minimize any further configuration from the system administrator. To actually enable traffic splitting, it is just needed to set "allowtrafficsplitting" directive to "on" and Bluetit will configure the traffic split namespace with the default options as explained above. When needed, the system administrator can finely tune the traffic splitting service by using the above directives.  
  Power and limitations
 
The adopted solution offers a remarkable security bonus in terms of isolation. For example, it gets rid of the dangerous DNS "leaks in" typical of cgroups based traffic splitting solutions. However, the dedicated namespace needs an exclusive IP address. If the system is behind a NAT (connected to a home router for example) this is not a problem, but if the system is not behind any NAT, i.e. it is assigned directly a public IP address, you will need another public IP address for the network namespace dedicated to traffic splitting. You will need to manually set the other public IP address on the trafficsplitipv4 or trafficsplitipv6 directive as the guessing abilities of Bluetit may work only within a private subnet. Please keep this limitation in mind especially if you want to run the Suite with per app traffic splitting on a dedicated or virtual server in some datacenter, as they are most of the times NOT behind any NAT.
 
Introducing Cuckoo, the AirVPN traffic splitting manager tool

To generate out of the tunnel traffic, any application software must be run inside the "traffic split" namespace by using the dedicated traffic split tool cuckoo which can be run by users belonging to the airvpn group only. It cannot be used by the superuser.

The usage is documented in the manual and on the inline help.
The traffic split namespace uses its own routing, network channels and system DNS. It will not interfere or communicate in any way with the default namespace using its own encrypted tunnel.
 
Programs started with cuckoo are regular Linux processes and, as such, can be managed (stopped, interrupted, paused, terminated and killed) by using the usual process control tools. The programs started by cuckoo are assigned to the user who started cuckoo.

As a final note, in order to work properly, the following permissions must be granted to cuckoo and they are always checked at each run.
Owner: root
Group: airvpn
Permissions: -rwsr-xr-x (owner can read, write, execute and setuid; group can read and execute, others can read and execute)
 
Special note for snap packages users
Snap is a controversial, locking-in package management system developed by Canonical and praised by Microsoft. It packages applications as snaps, which are self-contained units that include all necessary dependencies and run in a sandboxed environment in its default namespace. Therefore, "snap" applications will bypass the order by the system via Cuckoo to have an application running in one specific namespace created for reverse traffic splitting. As a result, snap applications will jettison the Suite's reverse traffic splitting feature. Currently, you must avoid snap packages of those applications whose traffic must flow outside the VPN tunnel. The issue is particularly relevant ever since Ubuntu migrated certain packages exclusively to Snap, such as Chromium and Firefox. At the moment it is still possible to eradicate snap from various distributions, including Ubuntu, quickly.
 
Special note for firewalld users
Please read here, it's very important: https://airvpn.org/forums/topic/70164-linux-network-lock-and-firewalld/
  AirVPN Switch User Tool Airsu
Running an application in a graphical environment requires a user having a local environment properly set, in particular variables and access to specific sockets or cookies. They are usually set at the moment of graphical login, while they may not be properly set in case a user logged in by using the system tool su.
In this specific case the user will not probably be allowed to access the graphical environment, so any GUI application will not start.
AirVPN’s airsu is used for this specific purpose and configures the user environment to the current X.Org (X11) or Wayland based manager, thus allowing access to GUI applications when run through cuckoo.
 
Note on GUI software and Web Browsers
Complete compatibility with both X11 and Wayland based environments has been implemented.
Because of the specific Linux architecture and namespaces, some applications may need to specify the graphical environment in order to start and use the currently selected window manager on an X.Org (X11) or Wayland based habitat. Cuckoo can automatically do this by “injecting” predefined options to some preset applications, in particular those based on the chromium engines, most of them being web browsers. To see the list of predefined applications, please start cuckoo with --list-preset-apps option.

When running an application with cuckoo, the user should make sure to actually start a new instance. This is usually granted by starting an application from the command line (such as running it with cuckoo). By starting an application from the desktop environment this may not happen.
 
Download AirVPN Suite 2.0.0
The Suite is available in various flavors: ARM 64 bit, ARM 64 bit legacy, ARM 32 bit, ARM 32 bit legacy, x86-64 and x86-64 legacy. Download page: 
https://airvpn.org/linux/suite/

Changelog and source code
Changelog for each component is available inside each package and on GitLab. Source code is available on GitLab:
https://gitlab.com/AirVPN/AirVPN-Suite

Kind regards and datalove
AirVPN Staff
 

Hello!

We're very glad to inform you that the Black Friday weeks have started in AirVPN!

Save up to 74%
when compared to one month plan price
 
Check all plans and discounts here: https://airvpn.org/buy
 
If you're already our customer and you wish to jump aboard for a longer period, any additional subscription will be added on top of already existing subscriptions and you will not lose any day.

AirVPN is one of the oldest and most experienced consumer VPN on the market, operating since 2010. It never changed ownership and it was never sold out to data harvesting or malware specialized companies as it regrettably happened to several competitors. Ever since 2010 AirVPN has been faithful to its mission.

AirVPN does not inspect and/or log client traffic and offers:
five simultaneous connections per account (additional connection slots available if needed) state of the art and flexible inbound remote port forwarding active daemons load balancing for unmatched high performance - current 'all time high' on client side is 730 Mbit/s with OpenVPN and 2000 Mbit/s with WireGuard flexible and customizable opt-in block lists protecting you from adware, trackers, spam and other malicious sources. You can customize answers or exceptions globally, at account level or even at single device level. powerful API IPv6 full support comfortable management of your client certificates and keys AES-GCM and ChaCha20 OpenVPN ciphers on all servers Perfect Forward Secrecy with unique per-server 4096 bit Diffie-Hellman keys internal DNS. Each server runs its own DNS server. DNS over HTTPS and DNS over TLS are also supported. free and open source software client side software support to traffic splitting on an application basis on Android and Linux and on a destination basis on Windows and macOS GPS spoofing on Android application
AirVPN is the only VPN provider which is actively developing OpenVPN 3 library with a fork that's currently 330 commits ahead of OpenVPN master and adds key features and bug fixes for a much more comfortable and reliable experience:
https://github.com/AirVPN/openvpn3-airvpn

AirVPN, in accordance with its mission, develops only free and open source software for many platforms, including Android, Linux (both x86 and ARM based systems), macOS and Windows.
Promotion due to end on 2025-12-03 (UTC).

Kind regards & datalove
AirVPN Staff