
Staff

Reputation Activity

  1. Thanks
    Staff got a reaction from OpenSourcerer in 10 years!   ...
    In the meantime happy 10th anniversary!
    Kind regards
     
  2. Like
    Staff got a reaction from JohnDoe1941 in Canadian VPN locations blocked by imgsrc.ru   ...
    Hello!

    We outline that we don't block the mentioned web site. It's the final service (the web server on imgsrc.ru) which sends the 403 message (forbidden access). The administrators have blocked some (but not all) of our VPN servers. Inside Amanah, some servers are still unblocked. See also:
    https://airvpn.org/routes/?q=https%3A%2F%2Fimgsrc.ru

    Kind regards
     
  3. Like
    Staff got a reaction from OpenSourcerer in Eddie Login Crashes on Samsung Android & Fire TV OS   ...
    Hello!

    For the readers: the problem got solved after removing the character % from the username (initially, OP username contained it). Eddie Android edition developer is already aware of the issue for additional investigation.
    EDIT: bug detected, % is interpreted as a string formatting character. It will be fixed. In the meantime you may consider not to use % as a character in the username.

    Kind regards
     
  4. Thanks
    Staff got a reaction from safe2surf in After Airvpn changed a device, it was unable to connect normally.   ...
    Hello!

    The following network interface:
    2022.09.10 16:15:52 - Using WinTun network interface "VPN - VPN Client (VPN Client Adapter - VPN)"

    is causing a critical error to OpenVPN:
    2022.09.10 16:15:58 - OpenVPN > There are no TAP-Windows nor Wintun adapters on this system.  You should be able to create an adapter by using tapctl.exe utility.
    2022.09.10 16:15:58 - OpenVPN > Exiting due to fatal error

    You should be able to resolve the problem in the following way:
    please select Settings > Networking
    enter "Eddie" (without quotes) in the VPN interface name field (see also https://www.clodo.it/host/images/f625221af86ac02e33238f0aaaffca81bae26bbf.png )
    click "Save" and test again a connection
    Alternatively, you can remove that problematic network interface. As a further option, you can connect with WireGuard. To do so, please select Settings > Protocols and pick WireGuard. (WireGuard will not use the interface detected by Eddie for OpenVPN).

    Kind regards
     
  5. Like
    Staff got a reaction from Valerian in Servers power up shown in the web monitor   ...
    Hello!

    We're glad to inform you that all VPN servers are now connected to 1 Gbit/s or 10 Gbit/s full duplex lines and their hardware can use the full available bandwidth, even thanks to software optimization, load balancing and widespread WireGuard usage. To reflect project completion we have modified the real time servers monitor accordingly.
    https://airvpn.org/status

    The displayed throughput is again the sum of the total throughput (up+down bandwidth) as usual, but the total available bandwidth is the total up+down bandwidth which the server is, from now on, really capable to use. As usual, if you need a more detailed overview, including stats, history and distinction of up and down bandwidth, you can click the server name.

    Kind regards & datalove
    AirVPN Staff
     
  6. Like
    Staff got a reaction from flat4 in Can not specify port forwarding when generating wireguard config?   ...
    Hello and welcome aboard!

    Remote port forwarding is a server side feature which is not affected by the software you run to connect. You can manage remote inbound ports for your clients in your AirVPN account control panel. Please check the documentation as well:
    https://airvpn.org/faq/port_forwarding/

    Kind regards
     
  7. Thanks
    Staff got a reaction from RR2 in OpenSSL error ; restart every 3 seconds   ...
    Hello!

    The error here is different. OpenSSL 3 doesn't accept certificates signed through SHA1. Since 2017 we have been signing client certificates with SHA512 and you have a pair generated in 2016. We don't force the renewal to avoid sudden and unexpected disconnections to our unaware users. Thank you, you're a long time customer indeed!

    Please:
    log your AirVPN account in to the web site
    click "Client Area" from the upper menu
    click the "Devices" button
    click your client/key pair "Details" button
    click "Renew"
    from Eddie main window uncheck "Remember me", log your account out and then in again (you will have to re-enter your AirVPN account credentials)
    and the problem will get resolved. (*)
    (*) If you don't run Eddie, from the Configuration Generator generate new configuration files for the software you run to connect to AirVPN.

    Detailed instructions here:
    https://airvpn.org/forums/topic/26209-how-to-manage-client-certificatekey-pairs/

    Kind regards
     
  8. Thanks
    Staff got a reaction from nexsteppe in Google VPN   ...
    Hello!

    We did not want to imply that. IPsec is widespread and remains a protocol suite of paramount importance. Together with some tunneling protocol such as L2TP it also provides a variety of VPN solutions both in a host-to-host transport mode and in a network tunneling mode. Under many aspects, IPsec offers a variety of solutions which OpenVPN does not offer (WireGuard can not even be mentioned as it is too rudimentary). AirVPN does not need them, but they are very important for so many companies.

    Unfortunately, even nowadays, legitimate suspicions that IPsec was targeted by the Bullrun program suggest a very cautious approach to IPsec. AirVPN discarded IPsec in 2010 for legitimate suspicions which became more and more substantiated after Snowden's "revelations" (AirVPN predicting the risks of IPsec three years in advance was a mixture of careful inside considerations and luck/ability to select the correct rumors among the background noise in 2009 and 2010). See for example https://en.wikipedia.org/wiki/IPsec#Alleged_NSA_interference

    Kind regards
     
  9. Like
    Staff got a reaction from ss11 in Can't connect airVPN on android 13 when using mobile data?   ...
    Hello!

    We're very glad to hear that the suggestion by support team worked.
    We don't know for sure, and we can imagine three potential, alternative explanations:

    1) All the bootstrap servers IP addresses have become known and they are blocked. Unlikely explanation: if you have tested our "secret" bootstrap servers, we think that T-Mobile can not know them.

    2) The specific connection used by Eddie (HTTP) is blocked when the underlying payload is encrypted. Eddie encrypts data to the bootstrap servers and then sends them over plain HTTP: in the past it was a good method to bypass certain blocks. Of course data coming back are encrypted by the servers.

    3) Direct access via HTTP(S) to IP addresses (in place of domain names) is blocked (not uncommon in various filter methods). To cross-check you may enter a name as secret bootstrap server (for example airvpn.org) in Eddie's Android edition settings.

    Kind regards
  11. Like
    Staff got a reaction from SeUbHS in Can't connect airVPN on android 13 when using mobile data?   ...
    Hello!

    From the support team in reply to a ticket mentioning this problem with T-Mobile:
     

    Kind regards
     
  12. Like
    Staff got a reaction from t5qxq6TS in Why hard disks?   ...
    @AVPN0815

    Hello!

    That's not entirely correct because we use RAM disks. It is true that an HDD or SSD is used to boot, and it contains a working boot record, grub software or similar, used in turn to load a kernel which must provide TCP/IP, network and basic services support, but anything else is downloaded via network (after the network is up, obviously).

    At each (re)boot the server can not start, because it is barred from downloading any relevant file until we authorize the reboot, so it will miss even the essential configuration files, scripts, keys... This allows us to check the kernel (once the network is up) and any relevant storage file against a pristine copy, especially if the reboot is unexpected. Once the TCP/IP stack, the network and their essential services have come up, and a manual authorization has been dispatched by AirVPN management, the server starts downloading any other file needed for normal operations, and all of that remains in RAM disks.

    Kind regards
     
  13. Like
    Staff got a reaction from go558a83nk in OpenVPN is Open to VPN Fingerprinting   ...
    Hello!

    The paper re-launches the anti-censorship abilities of OpenVPN over SSH which we proposed 13 years ago! It had a filter rate of 0.32, the third best outcome in the world, very remarkable and putting AirVPN in the top 3 worldwide best filtering escaping VPN. As usual we anyway recommend Tor with private obfs bridges to reach filter rates next to 0. We have invested a lot on Tor and the solution is free for everyone. In Iran and Russia Tor obfs and private bridges are instrumental against blocks.

    Kind regards
     
  14. Confused
    Staff got a reaction from app777 in How to manage client certificate/key pairs   ...
    Hello!

    Multiple keys allow you to:
    selectively pick remotely forwarded inbound ports by device/key
    connect multiple devices to the same VPN server by using a different key on each device
    have different, device-specific DNS block lists
    A dedicated panel to manage your client certificates and keys is accessible in our web site.
     
    In order to access the main control panel click Client Area while your account is logged into the AirVPN web site.
     
    The Devices button provides you with access to a panel to administer your client certificate/key pairs. The panel lets you use a multi-certificate/key support from AirVPN, a comfortable and convenient feature. You can have multiple pairs, renew them and issue completely new ones. From each device of yours you will be free to use any pair you like. Therefore you can keep all of your certificates and keys under control, administer them and also connect multiple devices to the same server and port by using a different key on each device. Eddie 2.13.6 or higher version is required.

    In Eddie's Overview window a menu which will let you choose a key before you start a connection will appear automatically when you create a new certificate/key pair from your account control panel (note: restart Eddie and log your account out and in again if such menu does not appear). To create a new certificate/key pair click the button labeled Add a new device.
     
    The Configuration Generator has been modified as well, in order to let you generate configuration files with the certificate/key pair you wish.
     
    Let's see in details how to use the "Devices/Keys" options.
     
    Device Name and Description: these are free name and description which you can associate to any pair for your comfort. Click the pencil icon to edit.

    Details opens a window showing various information: Type, Creation date, Last renew date and Last VPN connection. In the same window you can find the following actions:
    Renew: when you click this action button, the corresponding certificate will be revoked, and a new certificate/key pair will be issued.
    Delete: this action button will revoke the corresponding certificate, without issuing a new one.
    DNS: this action button will let you enter the DNS block list panel for that specific certificate/key pair to let you define, activate or de-activate specific DNS block lists, exceptions and additions, which will apply to that pair only.
    View history and View Active will toggle with each other to provide you with any relevant information on the history of your actions about keys and the current active list.   
    Some caution when using the aforementioned features:
    if you revoke or renew a certificate/key pair which is being used by some connected device, that device will soon be disconnected
    in Eddie Desktop edition, you will need to log your account out and then in again to force Eddie to pick a different pair (new or old) (*) - in Eddie Android edition this is not necessary
    to use new pairs, you will need to re-generate and import configuration files if you use them with some third-party software, or if you run OpenVPN or Wireguard directly
    (*) unchecking "Remember me" is necessary in older Eddie versions  
    Kind regards and datalove
    AirVPN Staff
  16. Like
    Staff got a reaction from flat4 in Two new 1 Gbit/s servers available (US)   ...
    Hello!

    We're very glad to inform you that two new 1 Gbit/s full duplex servers located in Miami, Florida, are available: Gudja and Kang.

    The AirVPN client will show automatically the new servers; if you use any other OpenVPN or WireGuard client you can generate all the files to access them through our configuration/certificates/key generator (menu "Client Area"->"Config generator").

    The servers accept connections on ports 53, 80, 443, 1194, 2018 UDP and TCP for OpenVPN and ports 1637 and 47107 UDP for WireGuard.

    Gudja and Kang support OpenVPN over SSL and OpenVPN over SSH, TLS 1.3, OpenVPN tls-crypt and WireGuard.

    Full IPv6 support is included as well.

    As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses.

    You can check the status as usual in our real time servers monitor:
    https://airvpn.org/servers/Gudja/
    https://airvpn.org/servers/Kang/
     
    Do not hesitate to contact us for any information or issue.

    Kind regards and datalove
    AirVPN Team

  18. Thanks
    Staff reacted to russellr50 in Network lock on MacOS Ventura   ...
    Yep, that was the issue. I have network lock activated now.
  19. Thanks
    Staff reacted to britishstyle in Network lock on MacOS Ventura   ...
    Yes. Thank you very much, now it works perfectly.
  20. Like
    Staff got a reaction from OpenSourcerer in Network lock on MacOS Ventura   ...
    @OpenSourcerer

    Hello!

    Thanks a lot. It seems a bug indeed @Clodo - feel free to report it on the Eddie 2.23 testing thread, where we try to gather all the detected bugs.

    @britishstyle
    Can you see the "Activate Network Lock" button on Eddie's main window?

    Kind regards
     
  21. Thanks
    Staff reacted to OpenSourcerer in Blocking of the wireguard and openvpn protocols in Russia   ...
    In principle it doesn't matter where you download the file to, you just have to find it afterwards)

    Also, the main language of this forum is English. Please write in English so that others can understand what is being discussed without a translator. I can offer private messages in Russian if there are problems with English (but this is not official)).


    For the readers, the gist is that there is a slight confusion as to where to save the downloaded profile as newer Android versions don't use /sdcard anymore. It was noted that it can be saved anywhere.
  22. Like
    Staff got a reaction from Air4141841 in TunnelCrack   ...
    Hello!

    Paper of Tunnelcrack attack: https://www.usenix.org/system/files/usenixsecurity23-xue.pdf

    First quick reply, we might add information in the future. The Tunnelcrack can be finalized with two different attacks: LocalNet and ServerIP, provided that:
    the victim connects to a network fully controlled by the attacker (for Localnet attack)
    the victim DNS queries are poisoned and the attacker has all the features of an "on path" attacker (for ServerIP attack)
    LocalNet attack
    If you are in a WiFi unencrypted or not trusted (even if encrypted) network, or you are in an untrusted network in general (including Ethernet) prevent LocalNet attack by not allowing communications within the local network. This is default option in Eddie's Network Lock (please make sure that Allow LAN is not checked in Preferences > Network Lock settings window), while the AirVPN Suite for Linux allows this traffic by default so do not use it in untrusted network until we implement the option to block local network. Eddie Android edition forbids local traffic by default but you can enable this option in the Settings. Make sure you do NOT enable it when the device is connected to an untrusted network.
     
    ServerIP attack
    ServerIP attack requires DNS poisoning/spoofing, so Eddie Desktop Edition and Bluetit/Goldcrest are immune. It's mainly up to the local system to use reliable DNS (consider DNS over TLS or DNS over HTTPS) and protect the queries, but for additional safety use profiles with only IP addresses, and not host names, if you run directly OpenVPN, WireGuard, Hummingbird, or any other software needing profiles. Our CG will generate profiles with country domain names, so avoid country selection but prefer single server selection, or secure your DNS queries. When you select specific servers, the CG will insert IP addresses for the servers and not names. Eddie Android edition and the AirVPN Suite resolve domain names if you order a connection to a country, so avoid this type of connection. It is planned that next release will no more use country domain names.
    Once inside the VPN, ServerIP attack variation with "route hijack" (described in an old paper) fails in AirVPN (even if you query the VPN DNS) because the DNS server address matches the VPN gateway address.
     
    TL;DR
    The Tunnelcrack attack can be easily defeated by not allowing communications with the local network when you are in an untrusted network and by using secure DNS or direct IP addresses to point to VPN servers when you start the VPN connection. All of the above can be easily obtained with our service or it is already implemented by default.

    Kind regards
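
A check for the ServerIP mitigation described in the post above (profiles should point to VPN servers by IP address, not host name), as an added example that is not part of the original post or AirVPN's code. The sample OpenVPN and WireGuard profiles are constructed, with placeholder names, keys and documentation-range addresses.

```python
import ipaddress
import re

# Constructed sample profiles: names, keys and addresses are placeholders
# (example.org and documentation address ranges), not real server data.
OPENVPN_SAMPLE = """\
client
dev tun
remote-cert-tls server
remote country.vpn.example.org 443
remote 192.0.2.10 443
<connection>
remote 2001:db8::5 1194 udp
</connection>
"""

WIREGUARD_SAMPLE = """\
[Interface]
PrivateKey = (placeholder)
Address = 10.0.0.2/32

[Peer]
PublicKey = (placeholder)
Endpoint = country.vpn.example.org:1637
AllowedIPs = 0.0.0.0/0, ::/0

[Peer]
PublicKey = (placeholder)
Endpoint = [2001:db8::7]:47107
"""

# "remote <host> [port] [proto]" in OpenVPN; the mandatory whitespace keeps
# directives such as remote-cert-tls or remote-random from matching.
REMOTE_RE = re.compile(r"remote\s+(\S+)")
# "Endpoint = <host>:<port>" in a WireGuard [Peer] section.
ENDPOINT_RE = re.compile(r"endpoint\s*=\s*(\S+)", re.IGNORECASE)


def _wireguard_host(endpoint):
    """Strip the port from host:port; IPv6 literals are written [addr]:port."""
    if endpoint.startswith("["):
        return endpoint[1:].partition("]")[0]
    return endpoint.rsplit(":", 1)[0]


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def endpoints(profile_text):
    """Return (line_number, host) for every server endpoint in a profile."""
    found = []
    for number, raw in enumerate(profile_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        match = REMOTE_RE.match(line)
        if match:
            found.append((number, match.group(1)))
            continue
        match = ENDPOINT_RE.match(line)
        if match:
            found.append((number, _wireguard_host(match.group(1))))
    return found


def hostname_endpoints(profile_text):
    """Endpoints that need a DNS lookup before the tunnel is up."""
    return [(n, h) for n, h in endpoints(profile_text) if not _is_ip_literal(h)]


if __name__ == "__main__":
    for name, text in (("openvpn", OPENVPN_SAMPLE), ("wireguard", WIREGUARD_SAMPLE)):
        for number, host in hostname_endpoints(text):
            print(f"{name} profile line {number}: '{host}' is resolved via DNS")
```

Any line it reports is an endpoint whose address depends on a DNS answer received outside the tunnel; regenerating the profile with single server selection, as the post describes, replaces it with an IP address.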
  23. Thanks
    Staff got a reaction from blubby in wireguard always logs Ip addresses?   ...
    Hello!

    Yes, what you write is substantially true, although a server reboot is not needed. The matter has become a FAQ and we added an answer to this FAQ here:
    https://airvpn.org/faq/wireguard/

    In the answer you can see how we patch a specific problem, how you can act through our tools to improve your privacy when you run WireGuard, and all by not breaking original WireGuard compatibility. However OpenVPN under this respect remains widely superior, so consider it according to your threat model and the amount of annoyance you would get to generate new keys after each WireGuard session.

    Kind regards
     
  24. Like
    Staff got a reaction from ss11 in Several cryptocurrencies accepted directly   ...
    Hello!

    Currently it is not in our interest to accept it, we are sorry.

    Kind regards
     
  25. Like
    Staff got a reaction from Gher0 in my review after 1 hour   ...
    @galbeedee

    Thank you for your review!

    We would like to point out some features of our service that you probably missed according to your review, so that you will be able to use them.
     
    You can use per-session WireGuard key, to overcome the questionable design of WireGuard under this respect (WireGuard does not offer dynamic address management at all). It's not very important that your private key is held by you when WireGuard demands that, server side, each public key is linked in files to the VPN IP address and to the public IP address of the client. Therefore, thanks to our design, you are able to use a one session key if necessary. You can renew your key either through the web site or through the API in order to patch this problem. On our side, we actively remove WireGuard entries to public IP addresses when a session is over. We do not understand the link you claim between the key and your browser, feel free to clarify if you wish so.
     
    File names of the generated profiles are very descriptive and they reflect community requirements. Community majority currently prefers descriptive file names and wants that the system is not tweaked to accommodate terrible WireGuard design under this respect (WireGuard wants to name the virtual interface with the file name regardless of the system limits). This is an understandable point of view and we will respect it. We will change according to community suggestions. Far from being "best practice", in our opinion, and in the current opinion of the community, that would be the practice to lower a service standard to meet the terrible design of somebody else, something reminding the old, awful but widespread, practice to develop flawed web sites to circumvent Internet Explorer bugs and accommodate its non-W3C compliant dialect. That said, we can of course add some options to make life more comfortable for anyone who should be wearied by the exhausting effort of renaming a set of files. The QR code anyway is already available for Android and iOS (in the Configuration Generator), so you don't need renaming in mobility, just shoot the code from inside wg.
     
    This is a key which is necessary when you want an additional encryption layer, and this is a great WireGuard feature. Useful for example in a post-quantum world, when a decent cryptographic algorithm is found (as the wg core has ciphers hard coded by design). Read the WireGuard documentation for more details. Currently pre-shared keys are implemented because a significant part of the community insisted that we got prepared to beat powerful quantum computers, not because we strongly believe that a post-quantum world is imminent. Relevant considerations on the topic can be found here: https://airvpn.org/forums/topic/45608-quantum-computing-and-encryption/?do=findComment&comment=218988 It is anyway considered best practice by various experts to get prepared. Since you mention Mullvad as your opinion of service operating in accordance with best practices, then be informed that pre-shared keys have been recently implemented by them too.
     
    We offered this option 13 years ago, well before WireGuard or many other VPN companies even existed. Then they were inspired by our CG. You can pick zip, 7zip, tarball, and compressed tarballs (tar.gz, tar.xz, tar.bz2). You can operate either through the API or web site, as you prefer, to generate and download the package(s) containing the profiles. Note that today the button which would let you select all the servers at once is disabled because of work in progress, but it will be re-enabled very soon.
     
    It's a good performance in our infrastructure, but you can improve it (check the top user speed table in the server status page and open a ticket to fine tune WireGuard).

    About the infrastructure, in 2009 the industry standard was between 20 and 100 Mbit/s, and we are very careful to offer an excellent balance between price and service quality. Since you mention iVPN as an example to follow, please compare AirVPN prices with theirs. Lupus in fabula, the following message by one of our fans reminds us of the consequences of an unwise investment policy. https://airvpn.org/forums/topic/56425-two-new-1-gbits-servers-available-us/?do=findComment&comment=223857 Remember that AirVPN is the only one offering a rigorous no overselling commitment shown by a transparent and verifiable server monitor, that's why most users enjoy higher throughput than with any competitor, and after all we are pleased to see that you are an unsatisfied customer but with 600 Mbit/s throughput and with some requirements for features that are already available. Criticisms help us improve our service, except when required features are already available, as in that case we can't implement them twice.

    Kind regards
     