Staff
  • Content Count

    10486
  • Joined

    ...
  • Last visited

    ...
  • Days Won

    1747

Reputation Activity

  1. Like
    Staff got a reaction from airvpn.teiuxcg in Upgrades for Eddie?   ...
    Hello!
     
    As you may have seen, all of your requests have been implemented in Eddie 2.8.8. Enjoy AirVPN!
     
    Kind regards
  2. Like
    Staff got a reaction from Wolf666 in PfSense keeps disconnecting: TLS: tls_process: killed expiring key   ...
    Hello!
     
    It's not a disconnection, it's a TLS re-keying through DHE. See also Perfect Forward Secrecy: https://en.wikipedia.org/wiki/Forward_secrec
     
    The re-keying occurs with overlapping windows: until the re-keying has completed, the old key pair is used to encrypt the Data Channel, so no interruption of the throughput occurs and there's no time pressure.
     
    You can't disable this feature, otherwise you would suffer a disconnection every hour. You can lower the key expiration time, although we believe that one hour already provides fair security.
     
    Kind regards
  3. Like
    Staff got a reaction from InactiveUser in 2015 EU VAT regulations   ...
    Hello!
     
    It's totally unnecessary. In case the information is not gathered for any reason VAT must be paid in the country of the company, according to European Commission guidelines.
     
    Kind regards
  4. Like
    Staff got a reaction from InactiveUser in Question about Privacy   ...
    Hello,
     
    to hide your IP address from Air VPN servers you could connect OpenVPN over Tor:
    https://airvpn.org/tor
     
    Kind regards
  5. Like
    Staff reacted to Opayq in External shell script bug - AirVPN Eddie Client 2.8.8   ...
    Thanks for the reply. The above mentioned work around successfully executes my script. But for some reason, the DNS check fails. The VPN connection immediately gets disconnected and tries again. This goes on forever. The script simply echoes test to a text file so I don't see how that should interfere with DNS checking.
     
    At the moment I found another work around that works for me. In the VPN pre event script I've added a "at" command. For example "at now + 1 min < path/to/text/file.txt" where the text file contains the command to execute. This would run just after the VPN is up. Not the best solution but at least it's working for me.
  6. Like
    Staff got a reaction from OmniNegro in Why don't Air offer the full range of OpenVPN protocols?   ...
    Hello!
     
    ECC is not in OpenVPN main branch. Additionally, there are some unsolved questions and doubts, see Bruce Schneier for example, that we feel to take into highest consideration. We will take ECC into consideration only when it's in the main branch and if implemented without being based on parameters/constants which could have been manipulated by NSA to insert artificial weaknesses, i.e. only curves not based on the NIST recommended parameters etc., because they have been created by Solinas working for NSA and because there are some weird choices which trigger our... paranoia...?

    See also this interesting discussion:
    https://crypto.stackexchange.com/questions/10263/should-we-trust-the-nist-recommended-ecc-parameters

    Before going into ECC, you ought to be sure to use non-influenced by NSA elliptic curves. Ideally, you should also know how and to which extent NSA influenced the development and implementation of ECC through NIST standards and recommendations.
     
    Is there any reason for which you are going into ECC with such a light heart, almost "unconsciously" we would dare to say? Which curve parameters is the service you cite using?
     
    About performance, there can't be substantial operative difference between elliptic curves and integer discrete based ciphers for the Data Channel, and even less for the Control Channel, so any performance gain or loss can't be caused by that.
     
    Kind regards
  7. Like
    Staff got a reaction from TotalKheops in Pidgin   ...
    https://www.pidgin.im/
    Accounts -> Manage Accounts -> Add...

    Under Basic:

    Protocol: XMPP
    Username:
    Domain: xmpp.airvpn.org
    Resource:
    Password:

    Under Advanced ensure that Connection security is set to Require encryption.
  8. Like
    Staff got a reaction from URL260 in Request: routing to Switzerland   ...
    Hello!
     
    We will consider this option in the near future. In the meantime, you could connect both devices to the same server, provided that you don't need remote port forwarding. Just connect the devices to different ports to prevent conflicts. For example, device 1 to port 443 (UDP) and device 2 to port 80 (UDP).
     
    Kind regards
  9. Like
    Staff reacted to avpnhome in Problem with Zaurak (Ukraine)?   ...
    This is working fine now, I marked as resolved.
     
    Thanks,
    Eric
  10. Like
    Staff got a reaction from vpnair33 in WebRTC vulnerability   ...
    EDIT: a deeper study of improperly called "WebRTC leak" has brought up how the initial approach by a wide part of communities discussing it has been totally wrong, has missed the core reasons and has proposed "solutions" which are questionable. Please see here to get a more balanced and informed view of the so called "problem".
     
    http://www.clodo.it/blog/an-alternative-approach-to-so-called-webrtc-leaks
     
     
    WARNING: the following post was written hours after "WebRTC leak" hit the news. It is now to be considered outdated. It is also inappropriate when it uses the word "vulnerability". However, the way to prevent applications from talking outside the tunnel is the same: enable Network Lock or set proper firewall rules. It is absolutely nothing new, just like the whole fabricated "WebRTC leak" affair.
     
     
    ============================================================================
     
    Hello!
     
    Browsers supporting WebRTC run in a Windows-environment can seriously compromise the security of VPN-tunnels by allowing the true IP address of the user to be read. https://en.wikipedia.org/wiki/WebRTC#Concerns

    WebRTC is supported in the following browsers:
    https://en.wikipedia.org/wiki/WebRTC#Support
     
    According to our tests we can at this moment confirm that Linux and OS X appear to be not affected. EDIT: OS X users please see here, according to this report OS X is vulnerable as well. https://airvpn.org/topic/13490-vpn-security-flaw-does-this-affect-airvpn/?do=findComment&comment=24757
     
    You can test your system here: http://ipleak.net
     
    Windows users can fix the vulnerability in one of the following ways:
     
    - by enabling "Network Lock" in our free and open source client Eddie
    - by configuring a firewall to prevent leaks. In our "How-To" section we have guides for Comodo and Windows Firewall
    - by disabling WebRTC on the browser (WARNING: you can't do that in Google Chrome desktop edition, you'll need an extension). This page seems quite accurate https://www.browserleaks.com/webrtc#webrtc-disable
    EDIT: in the above linked page, the extension recommended for Chrome does not really prevent leaks
    - by running a browser which does not support WebRTC
     
     
    Kind regards
    AirVPN Support Team
  11. Like
    Staff got a reaction from Billy_Boy in What is Dynamic DNS?   ...
    What is Dynamic DNS?
    "Dynamic DNS or DDNS is a method of updating, in real time, a Domain Name System (DNS) to point to a changing IP address on the Internet. This is used to provide a persistent domain name for a resource that may change location on the network."
    Wikipedia, http://en.wikipedia.org/wiki/Dynamic_DNS
     
    Premium Members can choose up to 20 names in their Forwarded Ports page, accessible from the left tabs of their "Client Area".
     
    Just for comfort, a name is associated to a forwarded port.

    When a Premium member connects to an Air VPN server, the .airdns.org DNS record is updated to the exit-IP address of that server. Therefore, be aware that this service may be unusable when you establish multiple connections to different servers from different devices with the same account (in such cases, you need to point directly to the exit-IP address of the server, or use some third-party DDNS which you manually set).

    This service can be useful when you need a domain name, which must be persistent across all Air VPN servers, for a service you need to run "behind Air VPN". For example: if you want to host a game server, you can communicate to the players the DNS name and freely switch Air VPN servers.

    Notes:
    - TTL (Time-To-Live) is one hour. If you change VPN server, one hour may be needed before other users can resolve correctly your domain name. A longer time might be necessary: some public DNS (for example Google DNS) sometimes ignore TTL in their caching system.
    - DNS are created or updated when a connection to an Air server is performed. They are deleted only if you disable the system (i.e. you delete the name from the forwarded ports panel). The latest IP address is NOT removed during disconnection or connection retry.
  12. Like
    Staff got a reaction from InactiveUser in Password questions   ...
    Hello!
     
    After the TLS Authorization, authentication with the VPN servers is performed through double certificates and keys, not with some username and password.
     
    If you change your account password, that will not change the mentioned files because they are not generated from that password. The encryption keys for the OpenVPN Data Channel are negotiated at each new connection and every 60 minutes through Diffie-Hellman Exchange (DHE) - complying with Forward Secrecy. https://en.wikipedia.org/wiki/Forward_secrecy
     
    Authentication based only on login and password with a static key common to every user is not a setup to be taken into consideration if security is required on a VPN service. Not only will it not allow Perfect Forward Secrecy, but it poses some serious security risks: any man in the middle could decrypt your data simply by downloading the key; additionally, an attacker could impersonate the VPN server. Incredibly, some VPN services adopt this method.
     
    Kind regards
  13. Like
    Staff got a reaction from OldThor in AirVPN stopped working on 1 of my 2 PCs   ...
    Hello!
     
    Please make sure to run OpenVPN or OpenVPN GUI with administrator privileges. You might also like to use our free and open source client Eddie.
     
    Kind regards
  16. Like
    Staff got a reaction from rickjames in WebRTC vulnerability   ...
    Hello,
     
    in our client Eddie, is "Force DNS" ticked in "AirVPN" -> "Preferences" -> "Advanced"?
     
    Kind regards
  17. Like
    Staff got a reaction from Just a Fred in AirVPN does not recognize ICANN authority anymore   ...
    AIRVPN DOES NOT RECOGNIZE ANYMORE VERISIGN, AFILIAS AND ICANN AUTHORITY. OUR COMMITMENT AGAINST UNITED STATES OF AMERICA UNFAIR AND ILLEGAL DOMAIN NAMES SEIZURES.

    The United States of America authorities have been performing domain names seizures since the end of 2010. The seizures have been performed against perfectly legal web-sites and/or against web-sites outside US jurisdiction.

    Administrators of some of those web-sites had been previously acquitted of any charge by courts in the European Union.

    The domain name seizures affect the world wide web in its entirety since they are performed bypassing the original registrar and forcing VeriSign and Afilias (American companies which administer TLDs like .org, .net, .info and .com) to transfer the domain name to USA authorities property. No proper judicial overview is guaranteed during the seizure.

    Given all of the above, we repute that these acts:

    - are a violation of EU citizens fundamental rights, as enshrined in the European Convention on Human Rights;
    - are an attack against the Internet infrastructure and the cyberspace;
    - are a strong hint which shows that decision capacities of USA Department of Justice and ICE are severely impaired;

    and therefore from now on AirVPN does not recognize VeriSign, Afilias and/or ICANN authority over domain names. AirVPN refuses to resolve "seized" domain names to the IP address designated by USA authorities, allowing normal access to the original servers' websites / legitimate IP addresses.

    In order to fulfil the objective, we have put in place an experimental service which is already working fine. If you find anomalies, please let us know, the system will surely improve in time.

    Kind regards
    AirVPN admins
  18. Like
    Staff got a reaction from P1rates in Using AirVPN with OpenVPN for Android   ...
    1. Install OpenVPN for Android. Hosted on GitHub: https://github.com/schwabe/ics-openvpn
       Note: if you don't have access to Google Play Store, you can download "OpenVPN for Android" apk here: https://airvpn.org/repository/ics-openvpn-latest-stable.apk
    2. Launch your internet browser. NOTE: don't use the default Android browser because it has an unresolved bug. Chrome and Opera have been tested by us and work.
    3. Connect to AirVPN website, login and create the configuration files from our Config Generator. Choose Linux as platform (only direct TCP and UDP connections are supported) and finally click the "Generate" button to download it.
    4. Downloaded .ovpn files may be imported directly into the application but the behavior depends on many factors (employed browser, files manager, Android version, etc). For simplicity's sake, we assume in this guide that you saved .ovpn generated files under the Download directory in the Android filesystem.
    5. Open OpenVPN for Android and tap the top right "Import" button.
    6. Click on the import button of the prompt dialog.
    7. Browse to *.ovpn files.
    8. Select your configuration of choice.
    9. Confirm the import with the top right button.
    10. Click on the imported profile to connect.
    11. Confirm the Android's security prompt dialog.
    12. Wait for the bootstrap sequence.
    13. The VPN tunnel is now established.
    14. When you need to disconnect from the VPN click on the "Disconnect" button from the app's notification.
    15. Confirm the prompt dialog.
  19. Like
    Staff got a reaction from Bubba1988 in You provide Remote Port Forwarding, what is it?   ...
    You provide Remote Port Forwarding, what is it?
     
    "Remote port forwarding" forwards traffic coming from the Internet to our VPN server ports to a specified local port of your client.

    By default, your account has no forwarded ports, and this is good as long as you don't wish to have a service reachable from the Internet. For example, suppose that you want to run a web server behind our VPN, or that you wish to receive incoming connections to your BitTorrent client in order to improve p2p performance, or to seed a file. Without at least one remotely forwarded port, your service could not be reached from the outside, because our VPN server would reject the proper packets to your service.

    Usually this is a good security measure against attacks, but it prevents your services from being reached from the Internet.

    When you remotely forward an inbound port, our servers will open that port (TCP, UDP or both, according to your selection) and will properly forward incoming packets to you on that port. The service will be reachable from the exit-IP address of the VPN server your system is connected to.

    You can forward up to 20 ports simultaneously. You can do that on our website, in your account "Client Area". You can't forward ports lower than 2048.

    You can map a remotely forwarded port to a different local port: this is useful for a variety of cases, for example when your service listens to a port lower than 2048 or when the port is already reserved. More details about it here below.

    Once you reserve an inbound remote port for your account, you have two options:

    1) Leave the "Local" field empty. In this case, packets arriving to the VPN server exit-IP address port n will be forwarded to your machine IP address inbound local port with the very same number n

    2) Fill in the "Local" field with a different port number x. In this case packets arriving to port n will be forwarded to your system inbound local port x.

    In both cases you need to reach the service on the VPN server exit-IP address port n.


    IMPORTANT: do NOT forward on your router the same ports you use on your listening services while connected to the VPN. Doing so exposes your system to correlation attacks and potentially causes unencrypted packets to be sent outside the tunnel from your client. However, if you connect a router (for example DD-WRT, Tomato based firmware router) an additional step is required, please see https://airvpn.org/topic/9270-how-to-forward-ports-in-dd-wrt-tomato-with-iptables/  
    NOTE: you can't reach your listening service(s) through the VPN server exit-IP address from the very same machine that's running it/them and is connected to a VPN server, or from any other machine connected to that same VPN server.
  20. Like
    Staff reacted to AnonSyn in Trying to connect continuously but fail   ...
    (solved restarting DHCP Service)
  22. Like
    Staff reacted to LazyLizard14 in Trouble using share-online   ...
    Either they blacklist the whole range of commercial servers or indeed suspect some multihosters running their servers within the AirVPN network.
    Of course it is not acceptable from them to do so as they should sort out accountsharing based on accounts and not whole IP ranges.
  23. Like
    Staff got a reaction from aldebaran in Issues with torrents   ...
    @aldebaran
     
    Hello!
     
    Since you run Eddie, if you don't want to go into details, you could just go to "AirVPN" -> "Preferences" -> "Protocols", select some OpenVPN over SSH mode, click "Save" and re-connect to some VPN server.
     
    For your purpose, we would also recommend that you test OpenVPN over SSL. In Eddie "Protocols" tab, this is called "SSL Tunnel - Port 443". Technically, OpenVPN over SSL can be less efficient than OpenVPN over SSH [STRIKE THROUGH: INCORRECT], but in case that your ISP does not shape only port 443 (because it does not want to make the shaping appear to customers using https) and port 80 (for http) then OpenVPN over SSL can provide higher throughput than OpenVPN over SSH (we do not provide SSH to port 443).
     
    Kind regards
  24. Like
    Staff reacted to InactiveUser in SSH Tutorial for Android???   ...
    I have been able to connect via SSH with the following prerequisites:

    - Cyanogenmod 11 (or any other rom that ships with command-line ssh client)
    - OpenVPN for Android (available in F-Droid)
    - Terminal Emulator (preinstalled in CM; available in F-Droid)
     
    1. use the AirVPN generator to create config files for Linux (not Android!)
        - pick a specific server
        - choose SSH as connection mode
        - I recommend checking "Resolved hosts in .ovpn file"

    2. run the shell script in your Android terminal emulator to make the ssh connection
    3. import the .ovpn file in "OpenVPN for Android" and initiate the connection

    Now, how do we get there on stock Android?
    You can skip reading my following musings; I've figured out an easier way. Read the tutorial in my next post.
    [EDIT: split for clarity - go to https://airvpn.org/topic/13486-ssh-tunneled-vpn-on-stock-android/?do=findComment&comment=24983 ]
     
    It should be possible; none of the steps require root. The only problem is: While there are countless (GUI) SSH apps in F-Droid and the Play Store, you would need one that lets you
    - use a key file for SSH authentication
    - open a local listening port (ssh -L)

    I do not use Google's Play Store on my devices so my own "research" stops there. If I were to try any apps - "Better Terminal Emulator Pro" looks promising as it includes a command-line SSH client.

    If that app doesn't work or, like me, you don't want to use the Play Store, you might want to try KBOX2 in order to get a true cli ssh client:
    http://kevinboone.net/kbox2.html
    If I find some free time (and if KBOX2 turns out to be a viable alternative), I will write a follow-up post.
     
    EDIT 1:
    Apparently, ConnectBot (in F-Droid and Play Store) can handle key files and forwarding but I have yet to be able to get it to work.
    EDIT 2:
    1st road bump with KBOX2: It looks like the dropbear ssh client doesn't like our keyfile format. Solution: convert keyfile with "dropbearconvert":
    dropbearconvert openssh dropbear sshtunnel.key id_rsa.db
    (Install dropbear on a linux desktop, run the command, then change the AirVPN .sh script, swapping out "sshtunnel.key" with "id_rsa.db")
    EDIT 3:
    My KBOX2 experiment seems to work. I can't say for sure because I'm working in the Android emulator - which won't let OpenVPN create a tun device, but I don't see any connection-related issues... I'm fairly certain it'd work on a real Android device.
    EDIT 4:
    Alright, all this KBOX2 nonsense is unnecessary! ConnectBot can port-forward and use the keyfile too, much easier than setting up KBOX2. Read the tutorial below.