
Staff

  • Content Count: 10651
  • Joined: ...
  • Last visited: ...
  • Days Won: 1781

Reputation Activity

  1. Like
    Staff got a reaction from dd79 in VPN chaining   ...
    Hello!
     
    Yes, in most cases it will be faster. Additionally you will have no protocol limitations like in TOR. However, it's not as secure as TOR over VPN, or VPN over TOR. As usual, it depends on the balance between security and performance that you want to achieve. Such balance can be correctly evaluated only by yourself, carefully, according to the sensitiveness of the data you need to receive or impart.
     
    Probably the easiest way to connect over a VPN over a VPN is through a VM attached via NAT (important!) to the host machine. The host connects to VPN1. The VM connects to VPN2. On the VM all the traffic will be tunneled over VPN2 over VPN1. This solution has also some nice side-effects, the usual advantages of running a VM: disasters and attacks isolation, portability, option to keep the virtual disk encrypted with the assurance that no unencrypted data can be written without your knowledge outside the virtual machine disk.
     
    Kind regards
  3. Like
    Staff got a reaction from Royee in Pre-configured DD-WRT Routers with OpenVPN - Worth the investment?   ...
    Hello!
     
    No problems at all, please link them to https://airvpn.org/ddwrt and use the configuration generator to provide them with the appropriate files. Please remember that those who are given your user.key can connect to any Air VPN server with your account.
     
    Behind a router you can connect as many devices as you wish, our system will always see just one account and a single connection.
     
    Kind regards
  4. Like
    Staff got a reaction from Penthus in SSl/SSH Questions   ...
    Hello!
     
    About OpenVPN over SSH, our servers listen to ports 22, 53 and 80 of the entry-IP address, and to port 22 of the Alternative Entry-IP address.
     
    About OpenVPN over SSL, our servers listen to port 443 of the entry-IP address.
     
    About OpenVPN "direct" or "over a proxy", our servers listen to ports 53, 80 and 443 both of the Entry-IP and the Alternative Entry-IP address.
     
    In Comodo, for OpenVPN over SSH/SSL you need, on top of the rules described in our guide for Comodo to prevent leaks, to allow communications from "Any IP Address" to 10.50.0.0/255.255.0.0 and from 10.50.0.0/255.255.0.0 to "Any IP Address" (Comodo will display "Any IP address" as "MAC Any" in the rules).
     
    There is no generally valid recommendation about which port to choose: if your ISP performs port shaping on some ports, some ports can provide better performance than others.
     
    Keep in mind that OpenVPN over SSH or over SSL should be used ONLY if your ISP disrupts OpenVPN communications, because the additional SSH/SSL tunnel causes a performance hit without increasing security. OpenVPN over SSH/SSL have been implemented originally for China only, where OpenVPN connections are disrupted. The purpose of SSH/SSL is to encrypt the OpenVPN typical fingerprint, not to increase significantly the security.
     
    There is no such a thing as a non-tunneled connection in our service, unless you explicitly decide to reject the pushed routes by our servers.
     
    Kind regards
  5. Like
    Staff got a reaction from InactiveUser in AirVPN Client Souce Code   ...
    Hello!
     
    No, it's closed source (but you are not forced to use it: you can run OpenVPN directly or any OpenVPN wrapper/GUI you wish in order to connect to the Air VPN servers). The next client release, "Eddie", will be free and open source (very probably under GPLv3).
     
    Kind regards
  6. Like
    Staff reacted to InactiveUser in How the NSA attacks Tor   ...
    I agree with virtualization being an additional layer of security.
    I disagree with TBB being "highly exploitable". The leaked presentation clearly shows that digging up native FF vulns is a pain in the ass, even for the NSA.
    So, they won't waste such vulns for wide-spread attacks against Joe Blow users. ¹ ³
     
    Also, VirtualBox is not a security product and it's maintained by Oracle, a commercial vendor with an awful track record wrt to code quality and security management. ²
     
    ---
     
    ¹ Case in point: The FF vuln recently used by FBI for their "Torsploit" was no 0day, it was long patched - which either means they didn't have a better vuln for a more effective exploit - or they didn't want to waste it for this particular attack. 
    ² https://www.whonix.org/wiki/Advanced_Security_Guide#About_VirtualBox
    ³ "The good news is that they went for a browser exploit, meaning there's no indication they can break the Tor protocol or do traffic analysis on the Tor network. (..) you can target individuals with browser exploits, but if you attack too many users, somebody's going to notice." from: https://blog.torproject.org/blog/yes-we-know-about-guardian-article
  7. Like
    Staff got a reaction from Guest in New 100 Mbit/s server available: Furud (FR)   ...
    Hello!

    We're very glad to inform you that a new 100 Mbit/s server located in France is available: Furud.

    The AirVPN client will show automatically the new server, while if you use the OpenVPN client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator").
     
    The server accepts connections on ports 53, 80, 443, 2018 UDP and TCP.
     
    Just like every other Air server, Furud supports OpenVPN over SSL and OpenVPN over SSH.
     
    As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses.
     
    Do not hesitate to contact us for any information or issue.

    Kind regards and datalove
    AirVPN Team
  8. Like
    Staff got a reaction from OpenSourcerer in How to forward ports in DD-WRT & Tomato with iptables   ...
    HOW TO FORWARD PORTS TO YOUR DEVICES WITH IPTABLES
     
    You need to create a basic DNAT on your router. Remember that the router GUI forwards ports from the WAN to LAN. When connected to the VPN you must forward ports from TUN to LAN. Therefore, it is imperative that you do NOT forward ports in the GUI of the router.
     
    Assuming that:
    - destIP is the IP address of the destination device
    - port is the port you wish to forward to that device
    - tun1 is the tun interface of your router (please check! on some routers it can be tun0, on Tomato it can be tun11)
    - you need to forward both TCP and UDP packets

    you need to add the following rules. Please note that the following rules do NOT replace your already existing rules, you just have to add them.
     
    iptables -I FORWARD -i tun1 -p udp -d destIP --dport port -j ACCEPT
    iptables -I FORWARD -i tun1 -p tcp -d destIP --dport port -j ACCEPT
    iptables -t nat -I PREROUTING -i tun1 -p tcp --dport port -j DNAT --to-destination destIP
    iptables -t nat -I PREROUTING -i tun1 -p udp --dport port -j DNAT --to-destination destIP
     
    Note: if your router firmware iptables supports the multiport module you can use --match option to make your rules set more compact. Please see here, thanks to Mikeyy https://airvpn.org/topic/14991-asuswrt-merlin-multiple-ports/?do=findComment&comment=31221
     
    Kind regards
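
The rule set from the post above, generalized as an added example (not part of the original post): a POSIX shell function that validates its inputs and prints the FORWARD and DNAT rules for one device, switching to the multiport match when several ports are given. Function names and sample values are hypothetical; octets and ports with leading zeros are rejected because some parsers read them as octal.

```shell
#!/bin/sh
# Added example, not from the original post: prints the FORWARD + DNAT rules
# for one LAN device so they can be reviewed before being run on the router.
# Function names and the sample values at the bottom are hypothetical.

valid_iface() {
    case "$1" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
}

# Dotted-quad IPv4 only, every octet 0-255, no leading zeros.
valid_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# port_forward_rules TUN_IF DEST_IP PORT[,PORT...]
port_forward_rules() {
    tun_if=$1 dest_ip=$2 ports=$3
    valid_iface "$tun_if" || { echo "bad tun interface" >&2; return 1; }
    valid_ipv4 "$dest_ip" || { echo "bad destination IP" >&2; return 1; }
    # Digits and commas only, so the unquoted split below cannot glob or inject.
    case "$ports" in ''|*[!0-9,]*|0*|*,0*) echo "bad port list" >&2; return 1 ;; esac
    list="" count=0
    for p in $(printf '%s' "$ports" | tr ',' ' '); do
        [ "${#p}" -le 5 ] && [ "$p" -ge 1 ] && [ "$p" -le 65535 ] ||
            { echo "port out of range: $p" >&2; return 1; }
        list="${list:+$list,}$p"
        count=$((count + 1))
    done
    # The multiport match accepts at most 15 ports per rule.
    [ "$count" -ge 1 ] && [ "$count" -le 15 ] ||
        { echo "need 1 to 15 ports" >&2; return 1; }
    if [ "$count" -eq 1 ]; then
        match="--dport $list"
    else
        match="-m multiport --dports $list"
    fi
    # Same four rules as in the post: accept on the tun interface, then DNAT.
    for proto in udp tcp; do
        echo "iptables -I FORWARD -i $tun_if -p $proto -d $dest_ip $match -j ACCEPT"
    done
    for proto in tcp udp; do
        echo "iptables -t nat -I PREROUTING -i $tun_if -p $proto $match -j DNAT --to-destination $dest_ip"
    done
}

# Constructed sample values: one device, two forwarded ports.
port_forward_rules tun1 192.168.1.50 51413,6881
```

The function only prints the commands; review the output and then run it on the router, keeping the GUI port forwards empty as the post requires.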
  9. Like
    Staff reacted to AlexRahl in Problems at the connection start   ...
    Hi, thanks for the answer, everything works. I use the following DNS servers:
    91.80.36.137
    91.80.37.101
     
     
  10. Like
    Staff got a reaction from tunica in Blocking non-VPN traffic with Windows Firewall   ...
    Hello!
     
    Try to allow airvpn.org IP address if you run the Air client. The Air client connects to airvpn.org in order to download the servers list etc. Also edit your hosts file in order to allow airvpn.org resolution with no need of a DNS query (which would be dropped by the firewall).
     
    Kind regards
  11. Like
    Staff got a reaction from crap in AirVPN does not recognize ICANN authority anymore   ...
    AIRVPN DOES NOT RECOGNIZE ANYMORE VERISIGN, AFILIAS AND ICANN AUTHORITY. OUR COMMITMENT AGAINST UNITED STATES OF AMERICA UNFAIR AND ILLEGAL DOMAIN NAMES SEIZURES.

    The United States of America authorities have been performing domain names seizures since the end of 2010. The seizures have been performed against perfectly legal web-sites and/or against web-sites outside US jurisdiction.

    Administrators of some of those web-sites had been previously acquitted of any charge by courts in the European Union.

    The domain name seizures affect the world wide web in its entirety since they are performed bypassing the original registrar and forcing VeriSign and Afilias (american companies which administer TLDs like .org, .net, .info and .com) to transfer the domain name to USA authorities property. No proper judicial overview is guaranteed during the seizure.

    Given all of the above, we repute that these acts:

    - are a violation of EU citizens fundamental rights, as enshrined in the European Convention on Human Rights;
    - are an attack against the Internet infrastructure and the cyberspace;
    - are a strong hint which shows that decision capacities of USA Department of Justice and ICE are severely impaired;

    and therefore from now on AirVPN does not recognize VeriSign, Afilias and/or ICANN authority over domain names. AirVPN refuses to resolve "seized" domain names to the IP address designated by USA authorities, allowing normal access to the original servers' websites / legitimate Ip addresses.

    In order to fulfil the objective, we have put in place an experimental service which is already working fine. If you find anomalies, please let us know, the system will surely improve in time.

    Kind regards
    AirVPN admins
  12. Like
    Staff reacted to InactiveUser in Prevent Leaks with Linux & Firestarter (also Stop traffic when VPN Drops)   ...
    You cannot do application-level rules with ufw.
    Iptables has an "--uid-owner" option, which isn't application-level either, but you could use it like this:
    - create a user account "p2puser"
    - launch your p2p apps with this new user account
    - deny traffic coming from user id "p2puser" on eth0/wlan0
    - allow all other traffic on eth0/wlan0
    (eth0 / wlan0 as examples for your non-VPN network interfaces).
    I have not tried this myself, I loathe iptables. Good luck, I hope someone else has a better idea than this
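
One way to write out the rules the post above sketches, as an added example that is not InactiveUser's code: the first function prints the owner-match REJECT rules for each non-VPN interface (plus the ip6tables equivalents, which the post does not mention), and the second checks an `iptables -S OUTPUT` listing for interfaces that are still uncovered. Function names, the uid 1001 and the sample listing are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. The owner match only works for
# locally generated packets, so the rules go in the OUTPUT chain.

# owner_block_rules USER IFACE...  -> prints the rules to add (run them as root)
owner_block_rules() {
    user=$1
    case "$user" in ''|*[!A-Za-z0-9_-]*) echo "bad user name" >&2; return 1 ;; esac
    shift
    [ "$#" -gt 0 ] || { echo "no interface given" >&2; return 1; }
    for ifc in "$@"; do
        case "$ifc" in ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $ifc" >&2; return 1 ;; esac
    done
    for cmd in iptables ip6tables; do
        for ifc in "$@"; do
            echo "$cmd -A OUTPUT -o $ifc -m owner --uid-owner $user -j REJECT"
        done
    done
}

# missing_owner_blocks UID IFACE...
# Reads `iptables -S OUTPUT` text on stdin and prints the interfaces that have
# no REJECT/DROP rule for that uid. The listing shows the uid as a number, so
# pass the output of `id -u p2puser`. Rule order is not evaluated.
missing_owner_blocks() {
    uid=$1
    case "$uid" in ''|*[!0-9]*) echo "uid must be numeric" >&2; return 1 ;; esac
    shift
    covered=$(awk -v uid="$uid" '
        $1 == "-A" && $2 == "OUTPUT" {
            out = ""; own = ""; tgt = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-o" && $(i-1) != "!") out = $(i+1)
                if ($i == "--uid-owner" && $(i-1) != "!") own = $(i+1)
                if ($i == "-j") tgt = $(i+1)
            }
            if (out != "" && own == uid && (tgt == "REJECT" || tgt == "DROP")) print out
        }')
    missing=""
    for ifc in "$@"; do
        printf '%s\n' "$covered" | grep -Fxq -- "$ifc" || missing="${missing:+$missing }$ifc"
    done
    printf '%s\n' "$missing"
}

# Constructed `iptables -S OUTPUT` listing in which wlan0 was forgotten.
sample_listing() {
    printf '%s\n' '-P OUTPUT ACCEPT' \
        '-A OUTPUT -o eth0 -m owner --uid-owner 1001 -j REJECT --reject-with icmp-port-unreachable'
}

owner_block_rules p2puser eth0 wlan0
sample_listing | missing_owner_blocks 1001 eth0 wlan0
```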
  13. Like
    Staff got a reaction from Royee in Stats vs. Privacy   ...
    Hello! 
    By default (when you register an account) it's already off. You must specifically turn it on if you wish it. It can be useful for troubleshooting, in case of issues, or to monitor the traffic volume (for example for users on a traffic-volume-limited connection).
     
    Kind regards
  14. Like
    Staff reacted to hashtag in FBI Admits It Controlled Tor Servers Behind Mass Malware Attack   ...
    This was a JavaScript exploit of an outdated browser targeted at a single operating system. Even then it would not have worked if you were behind a VPN. In this scenario it would be more useful to talk about how to stop your website from getting hacked.

    There was a post on the Silkroad forum from someone who claimed to have obtained an internal document of the Australian Federal Police from a family member. In this document the police say their worst nightmare is if everyone started using PGP.

    The other thing that needs to happen is that people need to understand what free software is, why it is important and the difference between free and open source. The world is ruled by evil psychopaths. These people are almost entirely responsible for financing the malware industry. Either you control the software or they will control you through their DRM-locked backdoored systems.
  16. Like
    Staff got a reaction from user37 in Pollux imminent withdrawal announcement   ...
    EDIT: provider pulled back the request. Server online.
     
    Hello,
     
    we regret to inform you that due to irreconcilable contrasts with the provider, the server POLLUX will be withdrawn and relocated, or replaced with a different USA server. We recommend that you disconnect from the server as soon as possible, because either we or the provider will bring down the server in the nearest future.
     
    The reason of the contrasts originated from the request by the provider, inviting us to discriminate against a range of protocols (in particular, p2p protocols), which is contrary to our mission and a breach of our agreements in an allegedly network neutral datacenter.
     
    Kind regards
  17. Like
    Staff got a reaction from ukagorist in Can't force disconnect   ...
    Hello! 
    We're glad to know that you discovered where the problem lay.
     
    The button works just fine. When you pressed that button, your device reconnected automatically (and correctly) in a matter of seconds. That's why you and us saw different connection times, and why the web page never refreshed. Everything has been explained now.
     
    Kind regards
  18. Like
    Staff got a reaction from azmo in French live-tv/catchup-tv websites   ...
    Hello!
     
    Yes, stay tuned!
     
    There was some long delay but in the end the server we paid 5-6 weeks ago is almost ready to be configured. We will probably be able to start configuring it in less than a week. Configuration will take just 10-20 minutes, after that we'll keep the server on testing mode for a couple of days, and finally, if everything goes well, we'll announce it and put it public.
     
    Kind regards
  19. Like
    Staff got a reaction from azmo in French live-tv/catchup-tv websites   ...
    Hello,
     
    sorry, there is a delay due to unforeseen problems. The micro-routing Ubertechie has detected a bug in the micro-routing system and has been fixing it. Additionally, we have an annoying delay (for unknown reasons at the moment) on the delivery of another server in France which would have helped us in the testings AND that in our plans will be employed in the near future as a full VPN server (if it will pass all the tests).
     
    Hopefully you should see news soon.
     
    Kind regards
  20. Like
    Staff got a reaction from Royee in Importance of partition of trust for critical data exchanges   ...
    @Royee
     
    Not exactly, partition of trust and all the discussed topic refer to the trust that you put on us. If you can't afford to trust us, or even if you can trust us but you can't afford to trust the datacenter personnel our servers are in (*), you have the tools to strengthen the anonymity layer.
     
    About the backend servers, it's another topic, although you're right that it's actually related, and it is important as well, because in this way we do not keep any account data, including user keys, on any VPN server, and above all we can in this way keep location of the clustered database totally private and unknown to anyone, which is also an additional protection against a wide range of attacks.
     
    (*) When we founded AirVPN we thought about how the anonymity layer of a person in need to disseminate information on organized crime, or the anonymity layer of a whistleblower, could be protected even from ourselves, so that those persons were not forced to trust blindly a single entity.
     
    Kind regards
  21. Like
    Staff reacted to dwright in Tor/Port forwarding   ...
    Hi, so I think it's sorted. I've forwarded 2 ports and assigned one to a Tor relay and another to uTorrent. The relay is working now and I maxed out my connection whilst torrenting. Thanks for the help!
  22. Like
    Staff reacted to peterthepan in Setup AirVPN as a proxy?   ...
    I use my Raspberry Pi as a Proxy (And some other stuff, of course). It is always connected to the VPN and runs stable.
     
    When on the go I use SSH with Port Forwarding. Works like charm.
    At home I can just connect locally via Socks5.
     
    It is fast at home but can take some time when on the go, still acceptable though.
  23. Like
    Staff reacted to Ernst89 in Virgin Media + OpenVPN = Fail?   ...
    Hi AirVpn does work at almost full speed for a VM 120 connection http://www.speedtest.net/my-result/2952551578.
     
    There are however a few caveats: my speed does vary, sometimes it goes as low as 12 Mb/s. In peak times it is common to see it at about 50Mb/s. I suspect this is in part due to Virgin and in part due to Air.
     
    It is worth noting that Virgin tends to handle congestion on a per thread/connection basis. So at a congested time you may only get 60Mb/s on a single connection/thread but if you have two you will still be able to get 120Mb/s. It is my assumption that the AirVPN VPN tunnel is effectively a single connection in the VM world so even if we run two threads over the VPN tunnel it is slowed as if it were a single VM connection. In the past (years ago when I last looked) Speedtest used two connections to test speed, so I would not be surprised to see AirVPN running at half VM speed at a peak VM time. Congestion on VM can of course vary massively minute to minute. It is also worth noting this slowdown will affect BitTorrent with its multitude of threads even more significantly.
     
    Secondly OpenVPN is cpu intensive. On my tomato router (asus rt-N16) it was limited to about 8Mb/s, I doubt the asus rt-N66U or 56 would be much faster. Even an intel i860 caps at about 90Mb/s. My SandyBridge 2500K can handle full speed 120, either using the airclient or a virtual pfSense router.
     
    I would also expect any cheap all you can eat VPN to be limited at peak times, or become so as people discovered it. 
     
    Please take my comments with a pinch of salt I'm not a network expert, nor have I had my views confirmed. They are just the way I figure things to be, any reasoned corrections would be welcome.
  24. Like
    Staff got a reaction from Royee in Spy Files 3   ...
    Hello,
     
    it's enabled by default in our service. OpenVPN works in TLS mode with TLS re-keying at each new connection and every 60 minutes. This is an answer given on some tickets a few minutes ago, as a reply to worried inquiries following the new articles on The New York Times and other publications.
     
    Hello!

    [Looking deeper into papers and more technical articles, already available] NSA can decrypt only encrypted data for which NSA already has the keys (through back doors or just by getting the keys) or for weak, obsolete ciphers.

    That's why it's very important to use services (like ours) which do not possess your key and comply to Perfect Forward Secrecy. For example, when your OpenVPN client establishes a connection to one of our servers, a new TLS key is negotiated (Diffie-Hellman/Perfect Forward Secrecy) AND a new TLS re-keying occurs every 60 minutes.

    Additionally, AirVPN is based on OpenVPN, which is free and open source, and has been and is being under intensive crypto-experts peer-reviews since its birth more than 10 years ago. No backdoor has ever been found.

    We run OpenVPN with the following ciphers:

    OpenVPN Data Channel: AES-256-CBC
    OpenVPN Control Channel: HMAC SHA1
    RSA keys: 2048 bit size
    OpenVPN in TLS mode (Perfect Forward Secrecy: re-keying at each connection and re-keying every 60 minutes)

    Now let's assume that NSA (or any other very malignant adversary) breaks into your system or into our secret backend servers and obtains your user.key (the user.key is not kept in the VPN servers, and the location of the backend servers is unknown to everyone except the Air founders; the clients and the VPN servers never communicate directly with the backend servers). Now, the user.key is used to authenticate your client, but the TLS key is re-negotiated. So NSA or that malignant entity could use our VPN with your account, assuming that they get also the certificates (so they can save 7 EUR a month and get a free ride with our service), but it would not be able to decrypt your communications with our servers.
     
    Kind regards

     
  25. Like
    Staff reacted to phantasteek in How to configure a Synology device   ...
    Here's a step-by-step of how I've set up an AirVPN OpenVPN connection on a Synology DS211j running DSM 4.2-3202:

    1. Generate the configuration and cert/key files on the AirVPN web site:
       - Choose your Operating System: select Linux (see ChooseOS.jpg attachment)
       - Pick a server
       - Under Connection Modes: select Advanced Mode, select Direct, protocol UDP, port 53 and select Separate keys/certs from .ovpn file (see ConnectionModes.jpg)
       - Accept both then click on Generate
       - Click on ZIP to download a ZIP archive containing all files (see DownloadFiles.jpg); unzip the contents to a work folder; the archive should contain the following files:
         - AirVPN_XXXXX_UDP-53.ovpn; XXXXX reflects the server selected above
         - ca.crt
         - user.crt
         - user.key
    2. Create an OpenVPN connection in the Synology diskstation's VPN control panel (see VPN.jpg):
       - use anything for the IP, user and password as they will be changed/removed manually below anyways
       - import the ca.crt certificate you extracted into the work folder above (see VPNGeneral.jpg)
       - set advanced settings as desired
       - apply changes
       - as a result the following files will get created in the /usr/syno/etc/synovpnclient/openvpn folder on the diskstation (see Files.jpg):
         - ca_oXXXXXXXX.crt
         - client_oXXXXXXXX
         - ovpn_oXXXXXXXX.conf, where XXXXXXXX is a number assigned automatically when the OpenVPN connection is saved (probably an Id for the connection)
    3. Modify the Synology configuration file created above:
       - telnet into the Synology diskstation using a telnet/ssh app such as Putty, login as root, which should have the same password as the admin user
       - change directory to the openvpn folder using this command:
         cd /usr/syno/etc/synovpnclient/openvpn
       - use a command like below to copy the client_oXXXXXXXX described above to a diskstation shared folder to be able to open and change it with a text editor:
         cp client_oXXXXXXXX /volume1/SharedFolder/
         where you substitute your specific numbers for XXXXXXXX and your specific volume and folder name for /volume1/SharedFolder
       - open the file you copied to the shared folder with your favourite text editor (e.g. Notepad or Notepad++) and make the following changes to merge the configuration file generated and downloaded from the AirVPN web site into it:
         - remove all the lines from the client_oXXXXXXXX file except the 3 below:
           float
           reneg-sec 0
           plugin /lib/openvpn/openvpn-down-root.so /etc/ppp/ip-down
         - then insert all lines from the AirVPN_XXXXX_UDP-53.ovpn into the file and save it
         - optionally, if you wish to have a client connection log file for debugging/troubleshooting purposes, you can also include a line like this (with your own folder and file name):
           log-append /volume1/SharedFolder/AirVPN.log
       - at this point the file should look something like this:

    # --------------------------------------------------------
    # Air VPN | https://airvpn.org | Wednesday 4th of September 2013 12:07:47 AM
    # OpenVPN Client Configuration
    # AirVPN_Server_UDP-53
    # --------------------------------------------------------

    client
    dev tun
    proto udp
    remote some.server.address.here 53
    resolv-retry infinite
    nobind
    ns-cert-type server
    cipher AES-256-CBC
    comp-lzo
    verb 3
    explicit-exit-notify 5
    ca ca_oXXXXXXXX.crt
    cert user.crt
    key user.key
    script-security 2
    redirect-gateway
    float
    reneg-sec 0
    plugin /lib/openvpn/openvpn-down-root.so /etc/ppp/ip-down

    with the proper values for the server and numeric connection id instead of the placeholders "some.server.address.here" and "XXXXXXXX" I've included above
       - in the telnet app, while continuing to be positioned in the /usr/syno/etc/synovpnclient/openvpn folder, copy the modified client_oXXXXXXXX file back to that folder using a command like:
         cp /volume1/SharedFolder/client_oXXXXXXXX .
       - using similar commands, also copy the user.crt and user.key files over to the /usr/syno/etc/synovpnclient/openvpn folder:
         cp /volume1/SharedFolder/user.crt .
         cp /volume1/SharedFolder/user.key .
       - done

    NOTES:
       - any VPN configuration changes made and saved through the Synology VPN control panel will result in the client_oXXXXXXXX file being overwritten and reset to its original state before the manual edits described above, which basically renders the configuration unusable with AirVPN; if this happens the file should be restored from a previously saved backup using a cp (copy) command like the ones above; so when you get the configuration working, create a backup of the client_oXXXXXXXX file somewhere safe
       - multiple entries for different AirVPN servers can be created by downloading the configuration and key files for each server from the web site and re-doing the above steps for each entry; the proper ca.crt certificate file should be used for each entry
       - I believe the user.crt and user.key are the same for all servers as they are user-specific rather than server-specific and therefore they can be reused for all connections (they don't need to be copied over to the /usr/syno/etc/synovpnclient/openvpn folder multiple times - last step above, before "done")
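
The manual merge described in the post above, as an added example that is not phantasteek's code: a shell function that builds the merged client_oXXXXXXXX file from the downloaded .ovpn and refuses input that was generated with embedded keys instead of separate key/cert files. Rewriting the `ca` line to ca_o<ID>.crt is an assumption inferred from the listing in the post; the function names, the sample .ovpn text and the connection id are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: builds the merged client_o<ID>
# file described in the steps above and writes it to stdout.

# merge_synology_conf OVPN_FILE CONNECTION_ID [LOG_FILE]
merge_synology_conf() {
    ovpn=$1 conn_id=$2 log=${3:-}
    case "$conn_id" in
        ''|*[!0-9]*) echo "connection id must be numeric" >&2; return 1 ;;
    esac
    [ -r "$ovpn" ] || { echo "cannot read $ovpn" >&2; return 1; }
    # Inline <ca>/<cert>/<key> blocks mean "Separate keys/certs" was not selected.
    if grep -Eq '^[[:space:]]*<(ca|cert|key)>' "$ovpn"; then
        echo "embedded keys found: regenerate with separate keys/certs" >&2
        return 1
    fi
    for d in ca cert key; do
        grep -Eq "^$d[[:space:]]" "$ovpn" ||
            { echo "missing '$d' directive" >&2; return 1; }
    done
    # Copy the generated directives, point 'ca' at the file Synology created
    # (assumption, see lead-in) and skip lines that are re-added below.
    tr -d '\r' < "$ovpn" | while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "ca "*) printf 'ca ca_o%s.crt\n' "$conn_id" ;;
            float|"reneg-sec "*|"plugin "*|"log-append "*) ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
    # The three lines the post keeps from the Synology-generated file.
    printf '%s\n' 'float' 'reneg-sec 0' \
        'plugin /lib/openvpn/openvpn-down-root.so /etc/ppp/ip-down'
    if [ -n "$log" ]; then printf 'log-append %s\n' "$log"; fi
}

# Constructed sample of a downloaded .ovpn (placeholder server name).
sample_ovpn() {
    printf '%s\n' 'client' 'dev tun' 'proto udp' \
        'remote some.server.address.here 53' 'cipher AES-256-CBC' \
        'ca ca.crt' 'cert user.crt' 'key user.key'
}

# Demo with a constructed connection id and the log path used in the post.
demo_file=$(mktemp) && sample_ovpn > "$demo_file" &&
    merge_synology_conf "$demo_file" 1378253267 /volume1/SharedFolder/AirVPN.log
rm -f "$demo_file"
```

Keep a copy of the generated file next to the backup the notes recommend, since saving the connection in the VPN control panel resets client_oXXXXXXXX.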




