Staff

Hello!

We inform you that due to datacenter needs, Aquila VPN server (Fremont, California) has been assigned new IP addresses. If you use Aquila-specific configuration files please re-generate them. If you run Eddie (any edition), no specific action is required, Eddie will update data automatically.

Kind regards
AirVPN Staff
 

Hello!

We're very glad to inform you that a new 1 Gbit/s full duplex server located in Tokyo (JP) is available: Ainalrami.

The AirVPN client will show automatically the new server. If you use any other OpenVPN or WireGuard client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator").

The server accepts OpenVPN connections on ports 53, 80, 443, 1194, 2018 UDP and TCP, and WireGuard connections on ports 1637, 47107 and 51820.

Just like every other Air server, Ainalrami supports OpenVPN over SSL and OpenVPN over SSH, TLS 1.3, tls-crypt and WireGuard.
Full IPv6 support is included as well.

As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses.

You can check the server status as usual in our real time servers monitor:
https://airvpn.org/servers/Ainalrami

Do not hesitate to contact us for any information or issue.

Kind regards and datalove
AirVPN Team

Hello!

We're very glad to inform you that a new 1 Gbit/s full duplex server located in Auckland (NZ) is available: Tianguan.

The AirVPN client will show automatically the new server. If you use any other OpenVPN or WireGuard client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator").

The server accepts OpenVPN connections on ports 53, 80, 443, 1194, 2018 UDP and TCP, and WireGuard connections on ports 1637, 47107 and 51820.

Just like every other Air server, Tianguan supports OpenVPN over SSL and OpenVPN over SSH, TLS 1.3, tls-crypt and WireGuard.
Full IPv6 support is included as well.

As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses.

You can check the server status as usual in our real time servers monitor:
https://airvpn.org/servers/Tianguan

Do not hesitate to contact us for any information or issue.

Kind regards and datalove
AirVPN Team

Hello!

It might be an unfortunate combination of events: Eddie 2.21.8 is unable to manage properly DNS changes when systemd-resolved runs in on-link mode or anyway any mode which bypasses resolv.conf, therefore your system DNS are not changed properly and you keep querying the usual system DNS most times. Then, one of your system DNS seems poisoned, and your school network administrators may try to act as a man in the middle to monitor your traffic (not so unusual in schools, although it is an abhorrent practice which will expose students to various tremendous attacks, and not only by the school personnel). However, if you have not installed their root certificates, the browsers can't get fooled and you will get those security errors you noticed.

You might like to upgrade to Eddie 2.23.2:
https://airvpn.org/forums/topic/56428-eddie-desktop-223-beta-released/

This new beta version added full support with proper DNS management for every systemd-resolved working mode. Then, please do not disable route check and DNS check. You must be absolutely sure that you bypass your school DNS and you must also be sure that the tunnel is established. Enable Network Lock as well (before you start a connection) from Eddie's main window.

When you start using Eddie 2.23.2 feel free to report again to re-check the whole situation.

Some more documentation about possible man in the middle attacks performed by corporate and school networks through the installation and acceptance of root certificates and monitoring proxies:
https://security.stackexchange.com/questions/104576/my-college-is-forcing-me-to-install-their-ssl-certificate-how-to-protect-my-pri

Note how a VPN will protect you against those attacks and therefore the network administrators might try to block VPN usage.

Kind regards
 

@benfitita

Hello!
You might check what happens with WireGuard when you have multiple addresses for a single host in the hosts file. gethostbyname or getaddrinfo will return all the addresses, same identical effect as multiple A records in DNS for a qualified domain name. So if you think that DNS resolution can be good for this use case, then you don't need DNS and FQDN, but you can just edit the hosts file. It remains to be seen which address WireGuard picks when the resolution returns an array or a linked list of addresses.

Kind regards
 

Hello!

We're very glad to inform you that a new 1 Gbit/s full duplex server located in Auckland (NZ) is available: Tianguan.

The AirVPN client will show automatically the new server. If you use any other OpenVPN or WireGuard client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator").

The server accepts OpenVPN connections on ports 53, 80, 443, 1194, 2018 UDP and TCP, and WireGuard connections on ports 1637, 47107 and 51820.

Just like every other Air server, Tianguan supports OpenVPN over SSL and OpenVPN over SSH, TLS 1.3, tls-crypt and WireGuard.
Full IPv6 support is included as well.

As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses.

You can check the server status as usual in our real time servers monitor:
https://airvpn.org/servers/Tianguan

Do not hesitate to contact us for any information or issue.

Kind regards and datalove
AirVPN Team

Hello!

We're very glad to inform you that a new 1 Gbit/s full duplex server located in Auckland (NZ) is available: Tianguan.

The AirVPN client will show automatically the new server. If you use any other OpenVPN or WireGuard client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator").

The server accepts OpenVPN connections on ports 53, 80, 443, 1194, 2018 UDP and TCP, and WireGuard connections on ports 1637, 47107 and 51820.

Just like every other Air server, Tianguan supports OpenVPN over SSL and OpenVPN over SSH, TLS 1.3, tls-crypt and WireGuard.
Full IPv6 support is included as well.

As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses.

You can check the server status as usual in our real time servers monitor:
https://airvpn.org/servers/Tianguan

Do not hesitate to contact us for any information or issue.

Kind regards and datalove
AirVPN Team

Hello!

We're very glad to inform you that a new 1 Gbit/s full duplex server located in Auckland (NZ) is available: Tianguan.

The AirVPN client will show automatically the new server. If you use any other OpenVPN or WireGuard client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator").

The server accepts OpenVPN connections on ports 53, 80, 443, 1194, 2018 UDP and TCP, and WireGuard connections on ports 1637, 47107 and 51820.

Just like every other Air server, Tianguan supports OpenVPN over SSL and OpenVPN over SSH, TLS 1.3, tls-crypt and WireGuard.
Full IPv6 support is included as well.

As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses.

You can check the server status as usual in our real time servers monitor:
https://airvpn.org/servers/Tianguan

Do not hesitate to contact us for any information or issue.

Kind regards and datalove
AirVPN Team

Hello!

We're very glad to inform you that a new 1 Gbit/s full duplex server located in Auckland (NZ) is available: Tianguan.

The AirVPN client will show automatically the new server. If you use any other OpenVPN or WireGuard client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator").

The server accepts OpenVPN connections on ports 53, 80, 443, 1194, 2018 UDP and TCP, and WireGuard connections on ports 1637, 47107 and 51820.

Just like every other Air server, Tianguan supports OpenVPN over SSL and OpenVPN over SSH, TLS 1.3, tls-crypt and WireGuard.
Full IPv6 support is included as well.

As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses.

You can check the server status as usual in our real time servers monitor:
https://airvpn.org/servers/Tianguan

Do not hesitate to contact us for any information or issue.

Kind regards and datalove
AirVPN Team

Hello!

A new server in Auckland has just been added.
https://airvpn.org/forums/topic/56975-new-1-gbits-server-available-nz/

Kind regards
 

Hello!

We're glad to inform you that we have an agreement and we are going to configure the new server. When the configuration is complete, we just need a day or two to test and then the server will be available.

Kind regards
 

I made a BCH payment approximately 25 minutes ago but it hasn’t gone through yet, is that normal?
And by that I mean there’s not a single confirmation even though I raised the transaction fee to 10.0 sat/byte (the cost is negligible anyhow) - all BCH were fused btw.
Any advice?

Never mind, it’s been completed 👍
Took longer than expected though, it had me worried for a few minutes...

Hello!

We're glad to inform you that we have an agreement and we are going to configure the new server. When the configuration is complete, we just need a day or two to test and then the server will be available.

Kind regards
 

In your fantasy world only. In AirVPN 2FA is based on TOTP https://en.wikipedia.org/wiki/Time-based_one-time_password which does not require any Google app and does not require any phone number. TOTP is an open protocol described by IETF in RFC 6238

Hello!

The alien VPN interface causes a critical error to OpenVPN. Please see here for a quick and effective solution:
https://airvpn.org/forums/topic/56643-stuck-in-a-broken-route-never-connects/?do=findComment&comment=225323

Kind regards
 

Hello!

In 2019 we pushed a commit with a major new feature for OpenVPN3 library but it was refused by the maintainer (Arne Schwabe) for stylistic reasons. In the opinion of some of us it's their (OpenVPN3 maintainers) style to be ugly, but OK it's a matter of personal tastes so the text format and spacing was changed accordingly and a new commit was ready.

The new commit was again refused, this time because the source code included tags mentioning the source code author "ProMIND". We couldn't fully understand why the author should not be mentioned in the source code itself, moreover the tags were useful for another purpose, but fine, all tags were removed and a new commit was ready.

The new commit was again refused, this time because the identity of the source code author ProMIND was not certified. In general we do not disclose the identity of our employees and collaborators, much less force them to certify it with any third party, and leave to them the choice to disclose real identity and certify it. The request was strange and we asked for some clarification. It came out, even from other OpenVPN community members, that the requirement was related to a specific contractual agreement mentioned here: https://github.com/OpenVPN/openvpn3/blob/master/CLA.rst

At that point we did not like the situation: please note that a new problem was mentioned only after each new commit was proposed, while it would have been fair that all problems were mentioned at the same time, obviously, since the very beginning. And we did not like anymore to allow OpenVPN Inc. to re-license under any new license our or ProMIND's code, which is under GPLv3, according to the mentioned contributor's agreement, specifically part II, (e) clause:
"(e) I understand that OpenVPN Inc. may relicense this project, this contribution, and any modification to it under any license. [...]".

Therefore we did not waste additional time on the matter and we went on with our fork without further ado. At this very moment we have no merging/commit plans.

On a lighter tone, this thread dated 2019 is funny in the last part:
https://airvpn.org/forums/topic/43850-openvpn-3-development/
because one of the AirVPN community moderators defended OpenVPN style and Schwabe refusals, and wrote: "If you had contributed to the Linux kernel like that, Linus would tear you to tiny bits." Ironically, after that message was written, Linus Torvalds examined OpenVPN code and he was horrified.

Kind regards
 

Hello!

We're very glad to inform you that AirVPN Suite version 2.0.0 alpha 1 is now available. UPDATE 2023-11-24: version 2.0.0 alpha 2 is now available.

AirVPN Suite 2.0.0 alpha 2 introduces AirVPN's exclusive per app traffic splitting system as well as some bug fixes, revised code in order to pave the way towards the final and stable release, WireGuard support, and the latest OpenVPN3-AirVPN 3.9 library. Please see the respective changelogs for a complete list of preliminary changes for each component of the suite. If you feel adventurous and you wish to test this preview version, please feel free to report any glitch, bug and problem in this very thread.

 
The 2.0.0 alpha 2 Suite includes:
Bluetit: lightweight, ultra-fast D-Bus controlled system daemon providing full connectivity and integration to AirVPN servers, or generic OpenVPN and WireGuard servers. Bluetit can also enforce Network Lock and/or connect the system to AirVPN during the bootstrap Goldcrest: Bluetit client, allowing full integration with AirVPN servers, users, keys, profiles as well as generic OpenVPN and WireGuard servers Hummingbird: lightweight and standalone binary for generic OpenVPN server connections Cuckoo: traffic split manager, granting full access and functionality to AirVPN's traffic split infrastructure WARNING: this is alpha software in its development stage, it is provided "as is" and with no implicit or explicit warrant it will work properly and as expected or planned. Because of the development stage, the software may have bugs which may also cause critical and unstable conditions. This software is used at the whole risk of the user and it is strongly advised not to use it in production or critical systems or environments. Please note that features and functionalities of this alpha/development version may be changed or removed in future releases.
WireGuard support
 
WireGuard support is now available in Bluetit. OpenVPN or WireGuard selection is controlled by Bluetit run control file option airvpntype or by Goldcrest option -f  (short for --air-vpn-type). Possible values: openvpn, wireguard. Default: openvpn. The option is documented in the 1.3.0 manual as well. Currently Hummingbird does not support WireGuard, please rely on Bluetit and Goldcrest.

Bluetit run control file (/etc/airvpn/bluetit.rc) option:
airvpntype: (string) VPN type to be used for AirVPN connections. Possible values: wireguard, openvpn. Default: openvpn Goldcrest option:
--air-vpn-type, -f : VPN type for AirVPN connection <wireguard|openvpn>   AirVPN's VPN traffic splitting

AirVPN Suite version 2.0.0 introduces traffic splitting by using a dedicated network namespace, therefore completely separating the VPN traffic from unencrypted and "out of the tunnel" traffic. The VPN traffic is carried out in the default (main) namespace, ensuring all system data and traffic to be encrypted and tunneled into the VPN by default. No clear and unencrypted data are allowed to pass through the default namespace.
Any optional unencrypted data or clear network traffic must be explicitly requested by an authorized user with the right to run cuckoo, the AirVPN traffic split manager tool.

AirVPN's traffic splitting is enabled and controlled by Bluetit and by means of run control directives. The system has been created in order to minimize any tedious or extensive configuration, even to the minimal point of telling Bluetit to enable traffic splitting with no other setting.

In order to enable and control AirVPN's traffic splitting, the below new run control directives for /etc/airvpn/bluetit.rc have been introduced: allowtrafficsplitting: (on/off) enable or disable traffic splitting (unencrypted and out of the tunnel traffic) Default: off trafficsplitnamespace: (string) name of Linux network namespace dedicated to traffic splitting. Default: aircuckoo trafficsplitinterface: (string) name of the physical network interface to be used for traffic splitting. All the unencrypted and out of the tunnel data will pass through the specified network device/interface. In case this directive is not used and unspecified, Bluetit will automatically use the main network interface of the system and connected to the default gateway. Default: unspecified trafficsplitnamespaceinterface: (string) name of the virtual network interface to be associated to the Linux network namespace dedicated to traffic splitting. Default: ckveth0 trafficsplitipv4: (IPv4 address|auto) IPv4 address of the virtual network interface used for traffic splitting. In case it is set to 'auto', Bluetit will try to automatically assign an unused IPv4 address belonging to the system's host sub-network (/24) Default: auto trafficsplitipv6: (IPv6 address|auto) IPv6 address of the virtual network interface used for traffic splitting. In case it is set to 'auto', Bluetit will try to automatically assign an unused IPv6 address belonging to the system's host sub-network (/64) Default: auto trafficsplitfirewall: (on/off) enable or disable the firewall in Linux network namespace dedicated to traffic splitting. The firewall is set up with a minimal rule set for a very basic security model. Default: off AirVPN's traffic splitting is designed in order to minimize any further configuration from the system administrator. To actually enable traffic splitting, it is just needed to set "allowtrafficsplitting" directive to "on" and Bluetit will configure the traffic split namespace with the default options as explained above. When needed, the system administrator can finely tune the traffic splitting service by using the above directives. At this early alpha stage, it is advised not to change the network namespace name but leave it to its default value "aircuckoo" to let cuckoo tool properly work.  
Power and limitations
 
The adopted solution offers a remarkable security bonus in terms of isolation. For example, it gets rid of the dangerous DNS "leaks in" typical of cgroups based traffic splitting solutions. However, the dedicated namespace needs an exclusive IP address. If the system is behind a NAT (connected to a home router for example) this is not a problem, but if the system is not behind any NAT, i.e. it is assigned directly a public IP address, you will need another public IP address for the network namespace dedicated to traffic splitting. You will need to manually set the other public IP address on the trafficsplitipv4 or trafficsplitipv6 directive as the guessing abilities of Bluetit may work only within a private subnet. Please keep this limitation in mind especially if you want to run the Suite with per app traffic splitting on a dedicated or virtual server in some datacenter, as they are most of the times NOT behind any NAT.
 

Introducing Cuckoo, the AirVPN traffic splitting manager tool

Traffic splitting is implemented in AirVPN Suite by using a separate and independent network namespace, directly communicating with the system's default gateway through a virtual interface associated to a physical network interface available in the system. This ensures a true separation of traffic between tunneled and encrypted VPN data from the unencrypted and clear data to be channeled out of the VPN tunnel. The unencrypted traffic will never pass through the default namespace - which is under the VPN control - including, and most importantly, DNS requests.

To generate unencrypted and out of the tunnel traffic, any software having this need must be run inside the traffic split namespace. In order to do so, AirVPN Suite 2.0.0 introduces a new tool meant to be specifically used for this purpose: Cuckoo.
The tool can be used by users belonging to the airvpn group only. It cannot be used by root or any user belonging to the root group.

Additionally, in order to fully use the cuckoo tool, the user must also have special capabilities enabled, notably CAP_SYS_ADMIN, CAP_NET_ADMIN and CAP_NET_RAW. The installation script will set these capabilities to the "airvpn" user only. In case you need to let other users of the airvpn group use the cuckoo tool, you can simply duplicate the corresponding line in /etc/security/capability.conf and adapt it to your needs.
Note that in many distributions all of the above will not be necessary but keep it in mind if you find some issue and please feel free to report it.
At this current alpha stage cuckoo supports "aircuckoo" namespace only, that is the default namespace configured by Bluetit.

This preliminary alpha version does not provide any option and it is meant to simply run an application inside the traffic split namespace only.
The usage is straightforward: cuckoo program [program options]  
The traffic split namespace uses its own routing, network channels and DNS. It will not interfere or communicate in any way with the default namespace where the VPN is running and using its own encrypted tunnel. As for DNS, the traffic split namespace will use default system DNS settings.

Programs started with cuckoo are regular Linux processes and, as such, can be managed (that is stopped, interrupted, paused, terminated and killed) by using the usual process control tools. The programs started by cuckoo are assigned to the user who started cuckoo.

As a final note, in order to work properly, the following permissions must be granted to cuckoo and they are always checked at each run.
Owner: root
Group: airvpn
Permissions: -rwsr-xr-x (owner can read, write, execute and setuid; group can read and execute, others can read and execute)
Note on Web Browsers
 
Firefox and Chromium will not be able to resolve names in the aircuckoo namespace, not even when you run a unique instance of them inside the network namespace itself, in some Ubuntu systems. We are investigating this behavior. Brave, Opera and Konqueror are not affected by this problem, but please consider that due to how browser instances are tied to each other, you might get unexpected behavior if you run the same browser in both namespaces from the same user.
For example, if the browser has been started in the default namespace while there is an active AirVPN connection, the traffic will flow to the connected AirVPN server and from the associated VPN IP address from any future apparent instance launched by the same user, and vice-versa. The second instance may detect the first, delegate the task to it and exit, so you will have a new window but not another instance.
In order to circumvent the issue, at this stage you may tale care to run programs in the aircuckoo namespace via cuckoo only from airvpn account, and programs whose traffic must be tunneled from your ordinary account. In other words, to add security, do not add your ordinary account to the airvpn group if you plan to use traffic splitting, so your ordinary account will not be able to run cuckoo by accident.
 
Download AirVPN Suite 2.0.0 alpha 2:
https://eddie.website/repository/AirVPN-Suite/2.0-alpha2/AirVPN-Suite-x86_64-2.0.0-alpha-2.tar.gz $ sha512sum AirVPN-Suite-x86_64-2.0.0-alpha-2.tar.gz c70f7b553d5489e02233a3e326c175c047c085dac7d4f36289ffc07e0bf0d86c98df4c49f4258d3d83b4fde96c81efbccc394f326260a1ac80d2f7892b825b79 AirVPN-Suite-x86_64-2.0.0-alpha-2.tar.gz  
Kind regards & Datalove
AirVPN Staff

Last minute +3 years - hang the expense! - keep up the good work.

Hello!

In 2019 we pushed a commit with a major new feature for OpenVPN3 library but it was refused by the maintainer (Arne Schwabe) for stylistic reasons. In the opinion of some of us it's their (OpenVPN3 maintainers) style to be ugly, but OK it's a matter of personal tastes so the text format and spacing was changed accordingly and a new commit was ready.

The new commit was again refused, this time because the source code included tags mentioning the source code author "ProMIND". We couldn't fully understand why the author should not be mentioned in the source code itself, moreover the tags were useful for another purpose, but fine, all tags were removed and a new commit was ready.

The new commit was again refused, this time because the identity of the source code author ProMIND was not certified. In general we do not disclose the identity of our employees and collaborators, much less force them to certify it with any third party, and leave to them the choice to disclose real identity and certify it. The request was strange and we asked for some clarification. It came out, even from other OpenVPN community members, that the requirement was related to a specific contractual agreement mentioned here: https://github.com/OpenVPN/openvpn3/blob/master/CLA.rst

At that point we did not like the situation: please note that a new problem was mentioned only after each new commit was proposed, while it would have been fair that all problems were mentioned at the same time, obviously, since the very beginning. And we did not like anymore to allow OpenVPN Inc. to re-license under any new license our or ProMIND's code, which is under GPLv3, according to the mentioned contributor's agreement, specifically part II, (e) clause:
"(e) I understand that OpenVPN Inc. may relicense this project, this contribution, and any modification to it under any license. [...]".

Therefore we did not waste additional time on the matter and we went on with our fork without further ado. At this very moment we have no merging/commit plans.

On a lighter tone, this thread dated 2019 is funny in the last part:
https://airvpn.org/forums/topic/43850-openvpn-3-development/
because one of the AirVPN community moderators defended OpenVPN style and Schwabe refusals, and wrote: "If you had contributed to the Linux kernel like that, Linus would tear you to tiny bits." Ironically, after that message was written, Linus Torvalds examined OpenVPN code and he was horrified.

Kind regards
 

Bought 3 years 😎 

Mmh, your sass was duly noted.
If you pushed your code style onto the Linux kernel, it would've happened; what in god's name does that have to do with what Linus did or didn't say about the individual code style of a different project?

The much more funny thing is how overly sensitive you react to the slightest smell of criticism… it's irritating.

Hello!

We're very glad to inform you that the Black Friday week has started in AirVPN!

Save up to 74%
when compared to one month plan price
 
Check all plans and discounts here: https://airvpn.org/buy
 
If you're already our customer and you wish to jump aboard for a longer period, any additional subscription will be added on top of already existing subscriptions and you will not lose any day.

AirVPN is one of the oldest and most experienced consumer VPN on the market, operating since 2010. It never changed ownership and it was never sold out to data harvesting or malware specialized companies as it regrettably happened to several competitors. Ever since 2010 AirVPN has been faithful to its mission.

AirVPN does not inspect and/or log client traffic and offers:
five simultaneous connections per account remote port forwarding WireGuard support on all servers flexible and customizable opt-in block lists protecting you from adware, trackers, spam and other malicious sources. You can customize answers or exceptions globally, at account level or even at single device level. powerful API IPv6 full support comfortable access to your client certificates and keys management AES-GCM and ChaCha20 OpenVPN ciphers on all servers Perfect Forward Secrecy with unique per-server 4096 bit Diffie-Hellman keys active daemons load balancing for unmatched high performance - current 'all time high' on client side is 730 Mbit/s with OpenVPN and 1046 Mbit/s with WireGuard internal DNS. Each server runs its own DNS server. DNS over HTTPS and DNS over TLS are also supported. free software support to traffic splitting on an application basis on Android and Linux (alpha testing) and on a destination basis on Windows and macOS
AirVPN is the only VPN provider which is actively developing OpenVPN 3 library with a fork that's currently 190 commits ahead of OpenVPN master and adds key features and bug fixes for a much more comfortable and reliable experience:
https://github.com/AirVPN/openvpn3-airvpn

AirVPN, in accordance with its mission, develops only free and open source software for many platforms, including Android, Linux (both x86 and ARM based systems), macOS and Windows.
Promotion due to end on 2023-12-03 (UTC).

Kind regards & datalove
AirVPN Staff

About Tomato Firmware
 


Tomato is a small, lean and simple replacement firmware for Linksys' WRT54G/GL/GS, Buffalo WHR-G54S/WHR-HP-G54 and other Broadcom-based routers.
Official website: http://www.polarcloud.com/tomato.




PrerequisiteMake sure you triple-check that your version of Tomato supports OpenVPN or you'll be sorry. I strongly recommend Toastman's build of Tomato because of its widespread feature support and stability.


StepsUnder Basic->Network, configure your 3 static DNS servers. If you wish to use the AirVPN DNS set 10.4.0.1 as first DNS IP address. The Air DNS will enable you to access internal Air services, geo-routing services and bypass ICE/ICANN USA censorship (more information here).
About the others, I recommend picking ones from the OpenNIC Project because many of the servers don't keep any logs, which is consistent with the Air service, plus they would allow your internet service to continue functioning in the event of a government-ordered root DNS server shutdown- https://servers.opennic.org/ Under Basic->Time, make sure that the correct time zone and server is configured. Download the OpenVPN (.ovpn) file of your choosing under "Client Area -> Config Generator" after you log in the AirVPN site. In the Configuration Generator make sure to tick "Advanced Mode" and "Separate certs/keys from .ovpn files".
In order to determine the IP address of the server you wish to connect to, please resolve "servername.airservers.org". For example, for Acrux resolve "acrux.airservers.org". Find the server names by looking at Status page. For the actual configuration, please see the following two screenshots of the Basic and Advanced OpenVPN Client Configuration:

Under Basic, sub in your own correct protocol, IP and port in place of what I have in my own config.
In the Advanced Custom Configuration text box, the options are as follows:
  resolv-retry infinite remote-cert-tls server comp-lzo verb 3 Under Keys, you'll need to again text edit your user.key, user.crt, ca.crt and ta.key files, copy the matching keys and certificates and paste them into the text boxes in your router config.
- ta.key is the Static Key
- ca.crt is the Certificate Authority certificate (in some older builds, "Server certificate")
- user.crt is the Client Certificate
- user.key is the Client Key About certificates files (user.crt and ca.crt) content, just copy and paste from "-----BEGIN CERTIFICATE-----" (included) up to "-----END CERTIFICATE-----" (included). Save all settings. Under Status, click Start Now and count for 30 seconds. Go to https://airvpn.org and at the bottom of the screen it should show you are connected or visit https://ipleak.net for check.


Tested withToastman's build of Tomato [v1.28.7500 MIPSR2Toastman-RT K26 VPN] on Asus RT-N16 router. Tomato-ND-1.28.7633-Toastman-IPT-ND-SmallVPN on Buffalo WHR-G54S


Feedback
For any comment or feedback, you can find the discussion here.
Thanks to Baraka for this article.

Hello!

We're very glad to inform you that the Black Friday week has started in AirVPN!

Save up to 74%
when compared to one month plan price
 
Check all plans and discounts here: https://airvpn.org/buy
 
If you're already our customer and you wish to jump aboard for a longer period, any additional subscription will be added on top of already existing subscriptions and you will not lose any day.

AirVPN is one of the oldest and most experienced consumer VPN on the market, operating since 2010. It never changed ownership and it was never sold out to data harvesting or malware specialized companies as it regrettably happened to several competitors. Ever since 2010 AirVPN has been faithful to its mission.

AirVPN does not inspect and/or log client traffic and offers:
five simultaneous connections per account remote port forwarding WireGuard support on all servers flexible and customizable opt-in block lists protecting you from adware, trackers, spam and other malicious sources. You can customize answers or exceptions globally, at account level or even at single device level. powerful API IPv6 full support comfortable access to your client certificates and keys management AES-GCM and ChaCha20 OpenVPN ciphers on all servers Perfect Forward Secrecy with unique per-server 4096 bit Diffie-Hellman keys active daemons load balancing for unmatched high performance - current 'all time high' on client side is 730 Mbit/s with OpenVPN and 1046 Mbit/s with WireGuard internal DNS. Each server runs its own DNS server. DNS over HTTPS and DNS over TLS are also supported. free software support to traffic splitting on an application basis on Android and Linux (alpha testing) and on a destination basis on Windows and macOS
AirVPN is the only VPN provider which is actively developing OpenVPN 3 library with a fork that's currently 190 commits ahead of OpenVPN master and adds key features and bug fixes for a much more comfortable and reliable experience:
https://github.com/AirVPN/openvpn3-airvpn

AirVPN, in accordance with its mission, develops only free and open source software for many platforms, including Android, Linux (both x86 and ARM based systems), macOS and Windows.
Promotion due to end on 2023-12-03 (UTC).

Kind regards & datalove
AirVPN Staff

I've been with AirVPN since 2013, and it gives me a laugh every time there is a sale they're still using the same gif. 😄