Staff

Hello!

Yes, of course, we take care of both resolv.conf and nsswitch.conf inside the aircuckoo namespace (/etc/netns/aircuckoo/nsswitch.conf) in order to prevent the feared and dangerous "DNS leaks inside then tunnel" which affect other traffic splitting implementations based on cgroups and cover various distributions, including systems where systemd-resolved runs. In our "reversed" traffic splitting implementation, the aircuckoo namespace apps must query the system DNS.
Per network namespace resolver configuration seems an established feature, or do you mean something else with the proposal you mention? Or do you imply that systemd-resolved may cause additional problems we have not taken into account?

For your specific problem, we have no immediate suggestion unfortunately, we would just recommend that you check (for example with Wireshark) what happens to Firefox packets after the system woke up. We're also unsure whether this article may help you, probably not but we link it anyway just in case:
https://philipdeljanov.com/posts/2019/05/31/dns-leaks-with-network-namespaces/

Feel free to keep us posted, and we'll do the same, as the different outcome with / behavior of Firefox in different distributions is under investigation and we need to clarify the issue carefully.

Kind regards
 

Hello and thank you for your tests!

Of course, as you say, this is an early preview, an alpha 1, so we can and we will improve the software. With the understanding the the highest security level is reached only by renouncing to traffic splitting or by splitting traffic only through boosted virtualization via a proper hypervisor, our solution aims at offering a fair balance between a very light implementation and a safe environment. If we pushed on virtualization too much, then the user might as well use directly pushed solutions of non-Linux third-party components and software suites, such as VirtualBox or Docker. It's not in our vision to burden the AirVPN Suite at those levels, as the Suite is thought to remain the most lightweight piece of software we release.

In the current default setup, you have a minimum of two separate login users in any Linux box: airvpn and your usual user. By default, only airvpn can run cuckoo. If you consider not to add your current user to the airvpn group, you can safely rely on the fact that the types of processes you mention launched by your current user will never be affected by processes started by airvpn user and vice-versa. In this way it's almost impossible to cause a confusion by distraction and, for example, using a browser outside the tunnel while you think that it's inside.

It's also obvious that a decent concentration level is always required, but that's required even with full virtualization, because no security model can save you from the distraction to assume wrongly that a specific VM is connected to the VPN while in reality it is not. So nothing new, traffic splitting was, is and will be requiring some attention, no matter how you achieve it. Stay tuned for the alpha 2, we are working on it.

Kind regards
 

Hi, I delete only that signs: $#@
Regards.

Hi, I change password without signs and now works. Thank You for help.

Hello!

There is a bug affecting Eddie Android edition and causing a crash, but not a login failure, when the symbol % is in the username and not in the password. Anyway, please try to wipe out all the @, # and $ characters and check whether something changes or not.

Kind regards
 

@OpenSourcerer

Hello!

There is some confusion on a few Linux concepts and architectural design in your last message which would require some longer explanation or a course-like series of articles. We're afraid that this thread could go off rails and on a long question/answer/question/answer "ping pong" which might be detrimental to the original purpose: community testing and bug reporting. Please feel free to ask your questions on some other forum, for example in "Off Topic" community forum and we'll do our best to explain, or maybe someone from the community will explain even better. We want to leave this thread (remember we're in "News and announcement") aimed at AirVPN Suite 2 preview version(s) community testing and bug reporting, thank you in advance for your understanding. 😉

Kind regards
 

Hello!

How many independently owned VPN services remain? According to another Reddit list of recommendations  we discovered:
https://www.reddit.com/r/VPNTorrents/comments/13d41c1/ovpn_acquired_by_pango_removed_from/

only AirVPN, Mullvad and iVPN? And there was WeVPN but it's defunct.

Kind regards
 

Way to go!

Hello!

Please see here for an explanation and a quick solution:
https://airvpn.org/forums/topic/56657-cant-connect-to-anything/?do=findComment&comment=225418

Kind regards
 

Hello!

We're very glad to inform you that AirVPN Suite version 2.0.0 alpha 1 is now available. UPDATE 2023-11-24: version 2.0.0 alpha 2 is now available.

AirVPN Suite 2.0.0 alpha 2 introduces AirVPN's exclusive per app traffic splitting system as well as some bug fixes, revised code in order to pave the way towards the final and stable release, WireGuard support, and the latest OpenVPN3-AirVPN 3.9 library. Please see the respective changelogs for a complete list of preliminary changes for each component of the suite. If you feel adventurous and you wish to test this preview version, please feel free to report any glitch, bug and problem in this very thread.

 
The 2.0.0 alpha 2 Suite includes:
Bluetit: lightweight, ultra-fast D-Bus controlled system daemon providing full connectivity and integration to AirVPN servers, or generic OpenVPN and WireGuard servers. Bluetit can also enforce Network Lock and/or connect the system to AirVPN during the bootstrap Goldcrest: Bluetit client, allowing full integration with AirVPN servers, users, keys, profiles as well as generic OpenVPN and WireGuard servers Hummingbird: lightweight and standalone binary for generic OpenVPN server connections Cuckoo: traffic split manager, granting full access and functionality to AirVPN's traffic split infrastructure WARNING: this is alpha software in its development stage, it is provided "as is" and with no implicit or explicit warrant it will work properly and as expected or planned. Because of the development stage, the software may have bugs which may also cause critical and unstable conditions. This software is used at the whole risk of the user and it is strongly advised not to use it in production or critical systems or environments. Please note that features and functionalities of this alpha/development version may be changed or removed in future releases.
WireGuard support
 
WireGuard support is now available in Bluetit. OpenVPN or WireGuard selection is controlled by Bluetit run control file option airvpntype or by Goldcrest option -f  (short for --air-vpn-type). Possible values: openvpn, wireguard. Default: openvpn. The option is documented in the 1.3.0 manual as well. Currently Hummingbird does not support WireGuard, please rely on Bluetit and Goldcrest.

Bluetit run control file (/etc/airvpn/bluetit.rc) option:
airvpntype: (string) VPN type to be used for AirVPN connections. Possible values: wireguard, openvpn. Default: openvpn Goldcrest option:
--air-vpn-type, -f : VPN type for AirVPN connection <wireguard|openvpn>   AirVPN's VPN traffic splitting

AirVPN Suite version 2.0.0 introduces traffic splitting by using a dedicated network namespace, therefore completely separating the VPN traffic from unencrypted and "out of the tunnel" traffic. The VPN traffic is carried out in the default (main) namespace, ensuring all system data and traffic to be encrypted and tunneled into the VPN by default. No clear and unencrypted data are allowed to pass through the default namespace.
Any optional unencrypted data or clear network traffic must be explicitly requested by an authorized user with the right to run cuckoo, the AirVPN traffic split manager tool.

AirVPN's traffic splitting is enabled and controlled by Bluetit and by means of run control directives. The system has been created in order to minimize any tedious or extensive configuration, even to the minimal point of telling Bluetit to enable traffic splitting with no other setting.

In order to enable and control AirVPN's traffic splitting, the below new run control directives for /etc/airvpn/bluetit.rc have been introduced: allowtrafficsplitting: (on/off) enable or disable traffic splitting (unencrypted and out of the tunnel traffic) Default: off trafficsplitnamespace: (string) name of Linux network namespace dedicated to traffic splitting. Default: aircuckoo trafficsplitinterface: (string) name of the physical network interface to be used for traffic splitting. All the unencrypted and out of the tunnel data will pass through the specified network device/interface. In case this directive is not used and unspecified, Bluetit will automatically use the main network interface of the system and connected to the default gateway. Default: unspecified trafficsplitnamespaceinterface: (string) name of the virtual network interface to be associated to the Linux network namespace dedicated to traffic splitting. Default: ckveth0 trafficsplitipv4: (IPv4 address|auto) IPv4 address of the virtual network interface used for traffic splitting. In case it is set to 'auto', Bluetit will try to automatically assign an unused IPv4 address belonging to the system's host sub-network (/24) Default: auto trafficsplitipv6: (IPv6 address|auto) IPv6 address of the virtual network interface used for traffic splitting. In case it is set to 'auto', Bluetit will try to automatically assign an unused IPv6 address belonging to the system's host sub-network (/64) Default: auto trafficsplitfirewall: (on/off) enable or disable the firewall in Linux network namespace dedicated to traffic splitting. The firewall is set up with a minimal rule set for a very basic security model. Default: off AirVPN's traffic splitting is designed in order to minimize any further configuration from the system administrator. To actually enable traffic splitting, it is just needed to set "allowtrafficsplitting" directive to "on" and Bluetit will configure the traffic split namespace with the default options as explained above. When needed, the system administrator can finely tune the traffic splitting service by using the above directives. At this early alpha stage, it is advised not to change the network namespace name but leave it to its default value "aircuckoo" to let cuckoo tool properly work.  
Power and limitations
 
The adopted solution offers a remarkable security bonus in terms of isolation. For example, it gets rid of the dangerous DNS "leaks in" typical of cgroups based traffic splitting solutions. However, the dedicated namespace needs an exclusive IP address. If the system is behind a NAT (connected to a home router for example) this is not a problem, but if the system is not behind any NAT, i.e. it is assigned directly a public IP address, you will need another public IP address for the network namespace dedicated to traffic splitting. You will need to manually set the other public IP address on the trafficsplitipv4 or trafficsplitipv6 directive as the guessing abilities of Bluetit may work only within a private subnet. Please keep this limitation in mind especially if you want to run the Suite with per app traffic splitting on a dedicated or virtual server in some datacenter, as they are most of the times NOT behind any NAT.
 

Introducing Cuckoo, the AirVPN traffic splitting manager tool

Traffic splitting is implemented in AirVPN Suite by using a separate and independent network namespace, directly communicating with the system's default gateway through a virtual interface associated to a physical network interface available in the system. This ensures a true separation of traffic between tunneled and encrypted VPN data from the unencrypted and clear data to be channeled out of the VPN tunnel. The unencrypted traffic will never pass through the default namespace - which is under the VPN control - including, and most importantly, DNS requests.

To generate unencrypted and out of the tunnel traffic, any software having this need must be run inside the traffic split namespace. In order to do so, AirVPN Suite 2.0.0 introduces a new tool meant to be specifically used for this purpose: Cuckoo.
The tool can be used by users belonging to the airvpn group only. It cannot be used by root or any user belonging to the root group.

Additionally, in order to fully use the cuckoo tool, the user must also have special capabilities enabled, notably CAP_SYS_ADMIN, CAP_NET_ADMIN and CAP_NET_RAW. The installation script will set these capabilities to the "airvpn" user only. In case you need to let other users of the airvpn group use the cuckoo tool, you can simply duplicate the corresponding line in /etc/security/capability.conf and adapt it to your needs.
Note that in many distributions all of the above will not be necessary but keep it in mind if you find some issue and please feel free to report it.
At this current alpha stage cuckoo supports "aircuckoo" namespace only, that is the default namespace configured by Bluetit.

This preliminary alpha version does not provide any option and it is meant to simply run an application inside the traffic split namespace only.
The usage is straightforward: cuckoo program [program options]  
The traffic split namespace uses its own routing, network channels and DNS. It will not interfere or communicate in any way with the default namespace where the VPN is running and using its own encrypted tunnel. As for DNS, the traffic split namespace will use default system DNS settings.

Programs started with cuckoo are regular Linux processes and, as such, can be managed (that is stopped, interrupted, paused, terminated and killed) by using the usual process control tools. The programs started by cuckoo are assigned to the user who started cuckoo.

As a final note, in order to work properly, the following permissions must be granted to cuckoo and they are always checked at each run.
Owner: root
Group: airvpn
Permissions: -rwsr-xr-x (owner can read, write, execute and setuid; group can read and execute, others can read and execute)
Note on Web Browsers
 
Firefox and Chromium will not be able to resolve names in the aircuckoo namespace, not even when you run a unique instance of them inside the network namespace itself, in some Ubuntu systems. We are investigating this behavior. Brave, Opera and Konqueror are not affected by this problem, but please consider that due to how browser instances are tied to each other, you might get unexpected behavior if you run the same browser in both namespaces from the same user.
For example, if the browser has been started in the default namespace while there is an active AirVPN connection, the traffic will flow to the connected AirVPN server and from the associated VPN IP address from any future apparent instance launched by the same user, and vice-versa. The second instance may detect the first, delegate the task to it and exit, so you will have a new window but not another instance.
In order to circumvent the issue, at this stage you may tale care to run programs in the aircuckoo namespace via cuckoo only from airvpn account, and programs whose traffic must be tunneled from your ordinary account. In other words, to add security, do not add your ordinary account to the airvpn group if you plan to use traffic splitting, so your ordinary account will not be able to run cuckoo by accident.
 
Download AirVPN Suite 2.0.0 alpha 2:
https://eddie.website/repository/AirVPN-Suite/2.0-alpha2/AirVPN-Suite-x86_64-2.0.0-alpha-2.tar.gz $ sha512sum AirVPN-Suite-x86_64-2.0.0-alpha-2.tar.gz c70f7b553d5489e02233a3e326c175c047c085dac7d4f36289ffc07e0bf0d86c98df4c49f4258d3d83b4fde96c81efbccc394f326260a1ac80d2f7892b825b79 AirVPN-Suite-x86_64-2.0.0-alpha-2.tar.gz  
Kind regards & Datalove
AirVPN Staff

Hello!
 
We're very glad to announce a special promotion on our long term Premium plans for the end of Summer or Winter, according to the hemisphere you live in.
 
You can get prices as low as 2.06 €/month with a three years plan, which is a 70% discount when compared to monthly plan price of 7 €.
  If you're already our customer and you wish to stay aboard for a longer period, any additional subscription will be added on top of already existing subscriptions and you will not lose any day.

Please check plans special prices on https://airvpn.org and https://airvpn.org/buy
All reported discounts are computed against the 7 EUR/month plan.

Kind regards & datalove
AirVPN Staff

I am here since 2014 and happily extended for another 3 years - thanks & keep up the great work!

Hello!
 
We're very glad to announce a special promotion on our long term Premium plans for the end of Summer or Winter, according to the hemisphere you live in.
 
You can get prices as low as 2.06 €/month with a three years plan, which is a 70% discount when compared to monthly plan price of 7 €.
  If you're already our customer and you wish to stay aboard for a longer period, any additional subscription will be added on top of already existing subscriptions and you will not lose any day.

Please check plans special prices on https://airvpn.org and https://airvpn.org/buy
All reported discounts are computed against the 7 EUR/month plan.

Kind regards & datalove
AirVPN Staff

Hello!

Currently it is not in our interest to accept it, we are sorry.

Kind regards
 

Hello!

The following network interface:
2022.09.10 16:15:52 - Using WinTun network interface "VPN - VPN Client (VPN Client Adapter - VPN)"

is causing a critical error to OpenVPN:
2022.09.10 16:15:58 - OpenVPN > There are no TAP-Windows nor Wintun adapters on this system.  You should be able to create an adapter by using tapctl.exe utility.
2022.09.10 16:15:58 - OpenVPN > Exiting due to fatal error

You should be able to resolve the problem in the following way:
please select Settings > Networking enter "Eddie" (without quotes) in the VPN interface name field (see also https://www.clodo.it/host/images/f625221af86ac02e33238f0aaaffca81bae26bbf.png ) click "Save" and test again a connection
Alternatively, you can remove that problematic network interface. As a further option, you can connect with WireGuard. To do so, please select Settings > Protocols and pick WireGuard. (WireGuard will not use the interface detected by Eddie for OpenVPN).

Kind regards
 

Hello!

We're glad to inform you that AirVPN from now on accepts payments via Amazon Pay too. The new gateway will let users with an Amazon account to get AirVPN plans quickly and swiftly by using their own Amazon account.

Amazon Pay is added on top of PayPal and 2Checkout/Avangate (Verifone) gateways in order to offer a thorough range of payment methods which include bank transfers and all the most widespread credit cards.

Once again we remind you anyway that for better privacy purposes we accept directly (without intermediaries) cryptocurrencies, which remain the favorite choice if you need to prevent disclosure of your AirVPN purchase to financial entities or human rights hostile regimes.

Kind regards & datalove
AirVPN Staff
 

Hello!

The VPN server names have changed into <server name>.airservers.org. The old <server name>.airvpn.org has been preserved for the old servers which had it, for backward compatibility and smoother transition. New servers added after the change have only <server name>.airservers.org. As usual, only entry-IP address 1.

Kind regards
 

@Shitsko  @wnorcus and @pdannolfo  resolved their respective problems which had different causes on the client side and not strictly related to route check. Nothing useful for the readers on this thread unfortunately, we're going to lock the thread and we recommend to follow the suggestion by @OpenSourcerer here above.

Kind regards



 

Hello!

We're very sorry, at the moment we support automatic payments only via PayPal and not via Stripe. You may consider, during the next month, to use your credit card via PayPal (no PayPal account needed) and pick "PayPal subscription" payment option.

Kind regards
 

Hello!

We have been informed about an imminent relocation of our VPN servers in London. They will be migrated to a different datacenter. IP addresses will remain the same.
 
Migration will start on Thursday, 14 Sept 2023, 22:00 UTC +1 and will end on Friday, 15 Sept 2023, 06:00 UTC +1 (London Time)
  Expected Duration: the migration is anticipated to take 8 hours, during which there will be a full interruption of services. We recommend that you connect to different VPN servers (in UK or elsewhere), not located in London, during the mentioned time frame.

Kind regards
AirVPN Staff

Hello!

We have been informed about an imminent relocation of our VPN servers in London. They will be migrated to a different datacenter. IP addresses will remain the same.
 
Migration will start on Thursday, 14 Sept 2023, 22:00 UTC +1 and will end on Friday, 15 Sept 2023, 06:00 UTC +1 (London Time)
  Expected Duration: the migration is anticipated to take 8 hours, during which there will be a full interruption of services. We recommend that you connect to different VPN servers (in UK or elsewhere), not located in London, during the mentioned time frame.

Kind regards
AirVPN Staff

Just a quick digression on this matter: no, it would not make any difference. Alleged usage of p2p protocols or even usage of p2p to share copyrighted content never causes an IP address to be included in a black list according to our 14 years approaching experience. By blocking torrenting we would also block VoIP, distribution of free and open source software, update systems of various software houses based on p2p and more without touching the problem you mention at all. We would betray our mission for no good side effect at all.

Nowadays the main reasons of blocks against VPN IP addresses are a different kind of abuse and, even more importantly, an a priori refusal of connections coming from any privacy enhancing system which hurts personal data harvesting and reselling. We are in the presence of the thorny issue of services that grant access only if the user is willing to give up his or her privacy, be it for personal data harvesting or for definite geo-location for any intellectual monopoly related issue.

That said, we also work daily to remove our IP addresses from the most important black lists around the world and we also make an important exception (since AirVPN birth, so it was decided in cold blood and deemed ex ante as the only acceptable violation of Net Neutrality) to the mission by blocking outbound port 25.
 
Only time will tell whether you're right or not: in the last 13 years the amount of ISPs willing to take VPNs on their datacenters has increased significantly. AUP which forbade consumer VPN activity just 7-8 years ago have been rewritten to allow it (the discrimination remains against Tor in some cases, though). In any case our mission comes first, so it's not a matter to tweak the service and accept disgraceful compromises for us, but it's a matter to either providing the service according to the mission or not providing it at all. The customers and users only will reward or punish our commitments.

Kind regards
 

Hello!

Yes, new 10 Gbit/s servers in the USA are planned according to userbase growth. If the current rhythm is maintained (but this is a big big if, in our business) you might see news on November.

Kind regards
 

Hello!

Noted, thank you very much. It will be put under the attention of Eddie Android edition devs.

Kind regards
 

@htpc

Hello!

The list of available "devices" (client certificate/key pairs) should appear beside the login credentials, on the main window. If it doesn't, please try to uncheck "Remember me", log your AirVPN account out and log it in again (you will need to re-enter your account credentials).

Kind regards