
Staff

  • Content Count: 10749
  • Joined: ...
  • Last visited: ...
  • Days Won: 1808

Reputation Activity

  1. Thanks
    Staff got a reaction from 183aTr78f9o in Linux: AirVPN Suite 2.0.0 beta available   ...
    Hello and thank you for your tests!

    Excellent. Kudos to the new WireGuard library too.
     
    In the unit file targets you can see that systemd must start Bluetit only when the network is up (Wants=network-online.target). Bluetit also waits some more time for a valid gateway, see here:
    The above log entry seems to confirm that systemd is right and the network is really up but of course the fact that the network is up does not guarantee that the system's upstream router has a valid Internet connection. If the router does not have Internet connectivity, the incident wouldn't be a systemd or bluetit fault. We will investigate. In which distribution do you experience this?
     
    OK. By starting the connection with Goldcrest you may rely on the conn-stat-interval n option, where n is in seconds (please consult the user's manual for more details). You may also consider async for more tasks: the new asynchronous mode adds some interactivity, please check the new manual.

    However conn-stat-interval  is not available in bluetit.rc. Thus, if you don't start a connection via Goldcrest, your approach is the way to go at a first glance. We'll consider your suggestion.

    Thanks again, keep testing!

    Kind regards
     
  2. Thanks
    Staff reacted to 183aTr78f9o in Linux: AirVPN Suite 2.0.0 beta available   ...
    Quick feedback after using 2.0.0 Beta 1 for 10 days.

    Just as stable as 1.3.0, no issue. Speed boost with Wireguard is significant.

    The only minor inconvenience I experienced is that sometimes (occurred 4 times since May 14th out of 20+ suspend/resume in total), bluetit couldn't reconnect after resuming from suspend (log below). I had to restart the service manually with:
    # systemctl restart bluetit.service
    else it seems that it would have been stuck forever (waited a few minutes). It seems that bluetit tries to reconnect too early after resuming and the network isn't up yet. Maybe this could be fixed by adjusting bluetit-resume.service?
    May 19 18:41:14 bluetit[848508]: Bluetit daemon started with PID 848508
    May 19 18:41:14 bluetit[848508]: External network is reachable via IPv4 gateway 192.168.1.254 through interface eno1
    May 19 18:41:14 bluetit[848508]: Successfully connected to D-Bus
    May 19 18:41:14 bluetit[848508]: Reading run control directives from file /etc/airvpn/bluetit.rc
    May 19 18:41:14 systemd[1]: Starting AirVPN Bluetit Daemon...
    May 19 18:41:14 bluetit[848508]: IPv6 is available in this system
    May 19 18:41:14 systemd[1]: bluetit.service: Can't open PID file /etc/airvpn/bluetit.lock (yet?) after start: No such file or directory
    May 19 18:41:14 systemd[1]: Started AirVPN Bluetit Daemon.
    May 19 18:41:14 bluetit[848508]: System country set to <redacted> by Bluetit policy.
    May 19 18:41:14 bluetit[848508]: Default VPN type for AirVPN connections is set to WireGuard
    May 19 18:41:14 bluetit[848508]: Bluetit successfully initialized and ready
    May 19 18:41:14 bluetit[848508]: Enabling persistent network filter and lock
    May 19 18:41:14 bluetit[848508]: Network filter and lock are using /bin/iptables-legacy
    May 19 18:41:14 bluetit[848508]: iptables-nft rules found. Enabling iptables-nft save and restore modes.
    May 19 18:41:14 bluetit[848508]: Kernel module iptable_filter is already loaded
    May 19 18:41:14 bluetit[848508]: Kernel module iptable_nat is already loaded
    May 19 18:41:14 bluetit[848508]: Kernel module iptable_mangle is already loaded
    May 19 18:41:14 bluetit[848508]: Kernel module iptable_security is already loaded
    May 19 18:41:14 bluetit[848508]: Kernel module iptable_raw is already loaded
    May 19 18:41:14 bluetit[848508]: Kernel module ip6table_filter is already loaded
    May 19 18:41:14 bluetit[848508]: Kernel module ip6table_nat is already loaded
    May 19 18:41:14 bluetit[848508]: Kernel module ip6table_mangle is already loaded
    May 19 18:41:14 bluetit[848508]: Kernel module ip6table_security is already loaded
    May 19 18:41:14 bluetit[848508]: Kernel module ip6table_raw is already loaded
    May 19 18:41:14 bluetit[848508]: Network filter successfully initialized
    May 19 18:41:14 bluetit[848508]: Private network is allowed to pass the network filter
    May 19 18:41:14 bluetit[848508]: Persistent network filter and lock successfully enabled. Private network is allowed.
    May 19 18:41:14 bluetit[848508]: Starting AirVPN WireGuard boot connection
    May 19 18:41:14 bluetit[848508]: AirVPN Manifest updater thread started
    May 19 18:41:14 bluetit[848508]: Default AirVPN Manifest update interval is 15 minutes
    May 19 18:41:14 bluetit[848508]: AirVPN Manifest update suspended: AirVPN boot connection initialization in progress
    May 19 18:41:14 bluetit[848508]: Trying to load the local instance of AirVPN Manifest
    May 19 18:41:14 bluetit[848508]: Persistent Network Lock and Filter is enabled
    May 19 18:41:14 bluetit[848508]: Adding AirVPN bootstrap server 63.33.78.166/32 to network filter
    May 19 18:41:14 bluetit[848508]: Adding AirVPN bootstrap server 52.48.66.85/32 to network filter
    May 19 18:41:14 bluetit[848508]: Adding AirVPN bootstrap server 54.93.175.114/32 to network filter
    May 19 18:41:14 bluetit[848508]: Adding AirVPN bootstrap server 63.33.116.50/32 to network filter
    May 19 18:41:14 bluetit[848508]: Adding AirVPN bootstrap server 2a03:b0c0:0:1010::9b:c001/128 to network filter
    May 19 18:41:14 bluetit[848508]: AirVPN bootstrap servers are now allowed to pass through the network filter
    May 19 18:41:14 bluetit[848508]: Logging in AirVPN user 183aTr78f9o
    May 19 18:41:14 bluetit[848508]: AirVPN Manifest successfully retrieved from local instance
    May 19 18:41:14 bluetit[848508]: Updating AirVPN Manifest
    May 19 18:41:14 bluetit[848508]: Trying connection to AirVPN bootstrap server at http://54.93.175.114
    May 19 18:41:14 bluetit[848508]: Cannot connect host: Couldn't connect to server
    May 19 18:41:14 bluetit[848508]: Trying connection to AirVPN bootstrap server at http://52.48.66.85
    May 19 18:41:14 bluetit[848508]: Trying connection to AirVPN bootstrap server at http://52.48.66.85
    May 19 18:41:14 bluetit[848508]: Cannot connect host: Couldn't connect to server
    May 19 18:41:14 bluetit[848508]: Trying connection to AirVPN bootstrap server at http://63.33.116.50
    May 19 18:41:14 bluetit[848508]: Cannot connect host: Couldn't connect to server
    May 19 18:41:14 bluetit[848508]: Trying connection to AirVPN bootstrap server at http://63.33.78.166
    May 19 18:41:14 bluetit[848508]: Cannot connect host: Couldn't connect to server
    May 19 18:41:14 bluetit[848508]: Trying connection to AirVPN bootstrap server at http://63.33.78.166
    May 19 18:41:14 bluetit[848508]: Cannot connect host: Couldn't connect to server
    May 19 18:41:14 bluetit[848508]: Trying connection to AirVPN bootstrap server at http://82.196.3.205
    May 19 18:41:14 bluetit[848508]: Cannot connect host: Couldn't connect to server
    May 19 18:41:14 bluetit[848508]: Trying connection to AirVPN bootstrap server at http://63.33.116.50
    May 19 18:41:14 bluetit[848508]: Cannot connect host: Couldn't connect to server
    May 19 18:41:14 bluetit[848508]: AirVPN login error: Cannot connect host: Couldn't connect to server
    May 19 18:41:14 bluetit[848508]: Cannot connect host: Couldn't connect to server
    May 19 18:41:14 bluetit[848508]: Trying connection to AirVPN bootstrap server at http://54.93.175.114
    May 19 18:41:14 bluetit[848508]: ERROR: AirVPN login failed for user 183aTr78f9o
    May 19 18:41:14 bluetit[848508]: Cannot connect host: Couldn't connect to server
    May 19 18:41:14 bluetit[848508]: Session network filter and lock rollback successful
    May 19 18:41:14 bluetit[848508]: Persistent network filter and lock are enabled
    May 19 18:41:14 bluetit[848508]: Sending event 'event_end_of_session'
    May 19 18:41:14 bluetit[848508]: AirVPN Manifest successfully retrieved from local instance
    May 19 18:41:14 bluetit[848508]: AirVPN Manifest update interval is now set to 30 minutes
    May 19 18:41:26 bluetit[848508]: Requested method "version"
    May 19 18:41:26 bluetit[848508]: Requested method "openvpn_info"
    May 19 18:41:26 bluetit[848508]: Requested method "openvpn_copyright"
    May 19 18:41:26 bluetit[848508]: Requested method "ssl_library_version"
    May 19 18:41:26 bluetit[848508]: Requested method "wireguard_info"
    May 19 18:41:26 bluetit[848508]: Requested method "network_lock_status -> Persistent Network Lock and Filter is enabled. (using iptables) Private network is allowed."
    May 19 18:41:26 bluetit[848508]: Requested method "list_pushed_dns"
    May 19 18:41:31 bluetit[848508]: Requested method "version"
    May 19 18:41:31 bluetit[848508]: Requested method "openvpn_info"
    May 19 18:41:31 bluetit[848508]: Requested method "openvpn_copyright"
    May 19 18:41:32 bluetit[848508]: Requested method "ssl_library_version"
    May 19 18:41:32 bluetit[848508]: Requested method "wireguard_info"
    May 19 18:41:32 bluetit[848508]: Requested method "network_lock_status -> Persistent Network Lock and Filter is enabled. (using iptables) Private network is allowed."
    May 19 18:41:32 bluetit[848508]: Requested method "list_pushed_dns"
    May 19 18:41:37 bluetit[848508]: Requested method "version"
    May 19 18:41:37 bluetit[848508]: Requested method "openvpn_info"
    May 19 18:41:37 bluetit[848508]: Requested method "openvpn_copyright"
    May 19 18:41:37 bluetit[848508]: Requested method "ssl_library_version"
    May 19 18:41:37 bluetit[848508]: Requested method "wireguard_info"
    May 19 18:41:37 bluetit[848508]: Requested method "network_lock_status -> Persistent Network Lock and Filter is enabled. (using iptables) Private network is allowed."
    May 19 18:41:37 bluetit[848508]: Requested method "list_pushed_dns"
    May 19 18:41:37 bluetit[848508]: Requested method "version"
    May 19 18:41:37 bluetit[848508]: Requested method "openvpn_info"
    May 19 18:41:37 bluetit[848508]: Requested method "openvpn_copyright"
    May 19 18:41:37 bluetit[848508]: Requested method "ssl_library_version"
    May 19 18:41:37 bluetit[848508]: Requested method "wireguard_info"
    May 19 18:41:37 bluetit[848508]: Requested method "network_lock_status -> Persistent Network Lock and Filter is enabled. (using iptables) Private network is allowed."
    May 19 18:41:37 bluetit[848508]: Requested method "list_pushed_dns"
    May 19 18:41:38 bluetit[848508]: Requested method "version"
    May 19 18:41:38 bluetit[848508]: Requested method "openvpn_info"
    May 19 18:41:38 bluetit[848508]: Requested method "openvpn_copyright"
    May 19 18:41:38 bluetit[848508]: Requested method "ssl_library_version"
    May 19 18:41:38 bluetit[848508]: Requested method "wireguard_info"
    May 19 18:41:38 bluetit[848508]: Requested method "network_lock_status -> Persistent Network Lock and Filter is enabled. (using iptables) Private network is allowed."
    May 19 18:41:38 bluetit[848508]: Requested method "list_pushed_dns"
    May 19 18:41:58 bluetit[848508]: Requested method "version"
    May 19 18:41:58 bluetit[848508]: Requested method "openvpn_info"
    May 19 18:41:58 bluetit[848508]: Requested method "openvpn_copyright"
    May 19 18:41:58 bluetit[848508]: Requested method "ssl_library_version"
    May 19 18:41:58 bluetit[848508]: Requested method "wireguard_info"
    May 19 18:41:58 bluetit[848508]: Requested method "network_lock_status -> Persistent Network Lock and Filter is enabled. (using iptables) Private network is allowed."
    May 19 18:41:59 bluetit[848508]: Requested method "list_pushed_dns"

    On a different note: Any chance goldcrest could have a similar option to journalctl -f, --follow
        -f, --follow
            Show only the most recent journal entries, and continuously print new entries as they are appended to the journal.
    This would be useful to monitor goldcrest --bluetit-status
    I know I could use watch but unfortunately it doesn't play well with tailspin that I'm using for highlighting.
    Currently I'm using a simple while loop but clearing the screen every few seconds isn't as readable as a "natural" refreshing:
    $ while true; do
          goldcrest --bluetit-status | tspin
          sleep 10
          clear
      done
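The failure pattern in the log above (daemon start, every bootstrap attempt refused, login error within the same second) can be picked out of the journal automatically. The following is an added example, not code from either poster or from the AirVPN Suite; the `triage` function, the 5-second window, the assumed year and the abridged sample lines (user name replaced) are all assumptions made for illustration.

```python
import re
from datetime import datetime

# Matches journal lines such as:
#   May 19 18:41:14 bluetit[848508]: Bluetit daemon started with PID 848508
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) bluetit\[(\d+)\]: (.*)$")

# Constructed sample: a few lines abridged from the log quoted in the post.
SAMPLE = [
    "May 19 18:41:14 bluetit[848508]: Bluetit daemon started with PID 848508",
    "May 19 18:41:14 systemd[1]: Started AirVPN Bluetit Daemon.",
    "May 19 18:41:14 bluetit[848508]: Trying connection to AirVPN bootstrap server at http://54.93.175.114",
    "May 19 18:41:14 bluetit[848508]: Cannot connect host: Couldn't connect to server",
    "May 19 18:41:14 bluetit[848508]: Trying connection to AirVPN bootstrap server at http://63.33.78.166",
    "May 19 18:41:14 bluetit[848508]: Cannot connect host: Couldn't connect to server",
    "May 19 18:41:14 bluetit[848508]: ERROR: AirVPN login failed for user <user>",
    'May 19 18:41:26 bluetit[848508]: Requested method "version"',
]


def triage(lines, year=2024, window_s=5):
    """Summarise each Bluetit run (keyed by PID) found in journal lines.

    year and window_s are assumptions: short journal timestamps carry no
    year, and 5 s is an arbitrary cut-off for "failed right after start".
    """
    runs = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # systemd[1] lines and anything else are ignored
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        run = runs.setdefault(int(m.group(2)), {
            "started": None, "attempts": 0, "refused": 0, "login_failed": None})
        msg = m.group(3)
        if msg.startswith("Bluetit daemon started"):
            run["started"] = ts
        elif msg.startswith("Trying connection to AirVPN bootstrap server"):
            run["attempts"] += 1
        elif msg.startswith("Cannot connect host"):
            run["refused"] += 1
        elif msg.startswith("ERROR: AirVPN login failed"):
            run["login_failed"] = ts

    report = {}
    for pid, run in runs.items():
        delay = None
        if run["started"] and run["login_failed"]:
            delay = (run["login_failed"] - run["started"]).total_seconds()
        report[pid] = {
            "attempts": run["attempts"],
            "refused": run["refused"],
            "seconds_to_login_failure": delay,
            # True when the login error followed the daemon start almost at once
            "failed_right_after_start": delay is not None and delay <= window_s,
        }
    return report


if __name__ == "__main__":
    for pid, summary in triage(SAMPLE).items():
        print(pid, summary)
```

The report only states how quickly the login failed after start; it does not establish whether the cause was the local interface or the upstream router.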
  3. Like
    Staff got a reaction from zebulon in Linux: AirVPN Suite 1.3.0 available   ...
    Hello!

    mbedTLS does not support x509. It's not needed by the Suite but maybe the linker enters the error state anyway, or maybe the mbedTLS libraries and include files are misaligned in your system. Can you please try with OpenSSL (which is the default setting)? Please set SSL_LIB_TYPE variable to OPENSSL:
    SSL_LIB_TYPE=OPENSSL
    in the following scripts:
    https://gitlab.com/AirVPN/AirVPN-Suite/-/blob/master/build-bluetit.sh?ref_type=heads
    https://gitlab.com/AirVPN/AirVPN-Suite/-/blob/master/build-bluetit-static.sh?ref_type=heads

    Kind regards
     
  4. Like
    Staff got a reaction from p1753162 in In Airvpn, one man made crack. They use free VPN. I have a complaint !   ...
    Hello!

    It's a crack for some program unrelated to AirVPN or a malware. Our software does not need any crack, it is free and open source software which does not need the activation key they claim they give you. There's another "Air VPN" (with a space) in China using fraudulently this name but it was shut down recently. We will hide your link just in case it's malware. About NordVPN, yes, they have been cracked a couple of times and thousands of accounts were compromised in the past. By the way still unrelated to AirVPN.

    Kind regards
     
  5. Like
    Staff got a reaction from astralmind in Timezone constant reset to wrong zone with local servers   ...
    Hello!

    By enabling Location Services your device sends location information (including wireless access point information, cellular tower information, and precise GPS location if available) to Microsoft. It will also allow apps to use their device’s location and location history to deliver location-aware services and disclose your location to third-party entities. Frequently, this behavior is exactly what must be avoided when connected to a VPN for privacy purposes. It may weaken significantly the anonymity layer.

    Kind regards
     
  6. Thanks
    Staff got a reaction from 183aTr78f9o in Linux: AirVPN Suite 2.0.0 beta available   ...
    Hello!

    Thank you very much for your tests! We're very pleased to receive confirmation that this version solves those problems.
     
    Network Lock does not survive, but it is re-enforced before any new socket can be created, so no leak occurs. This is exclusively up to systemd: apart from writing correctly the suspend and resume unit files there's nothing else we can do, we're afraid.

    Kind regards
     
  7. Thanks
    Staff reacted to 9zkHR9tCN7bo in Linux: AirVPN Suite 2.0.0 beta available   ...
    Eddie 2.23.2 + Hummingbird 2.0.0 Beta 1 terminates connection in a loop at start due to ~/.config/eddie/*.tmp.ovpn file. Alpha 2 works.
    . Eddie version: 2.23.2 / linux_x64, System: Linux, Name: Arch Linux, Version: Linux host 6.8.9-hardened1-2-hardened #1 SMP PREEMPT_DYNAMIC * x86_64 GNU/Linux, Framework: 6.12.0 (makepkg/0cbf0e290c3 Sat Mar  9 11:37:33 UTC 2024); Framework: v4.0.30319
    . Command line arguments (2): path.resources="/usr/share/eddie-ui" path.exec="/usr/bin/eddie-ui"
    . Raise system privileges
    . Collect network information
    . Reading options from /home/user/.config/eddie/default.profile
    . OpenVPN - Version: 3.3.2 - Hummingbird - WireGuard/OpenVPN3 Client 2.0.0 beta 1 - 13 May 2024 (/usr/local/bin/hummingbird)
    . SSH - Version: OpenSSH_9.7p1, OpenSSL 3.3.0 9 Apr 2024 (/usr/local/bin/ssh)
    . SSL - Version: 5.72 (/usr/bin/stunnel)
    I Ready
    . Collect information about AirVPN completed
    ! Activation of Network Lock - Linux nftables
    . Collect information about AirVPN completed
    I Session starting.
    I Checking authorization ...
    ! Connecting to Xuange (Switzerland, Zurich)
    . Routes, add 79.142.69.163/32 for interface "wlp3s0".
    . Routes, add 79.142.69.163/32 for interface "wlp3s0", already exists.
    . SSL > LOG6[ui]: Initializing inetd mode configuration
    . SSL > LOG5[ui]: stunnel 5.72 on x86_64-pc-linux-gnu platform
    . SSL > LOG5[ui]: Compiled with OpenSSL 3.2.1 30 Jan 2024
    . SSL > LOG5[ui]: Running  with OpenSSL 3.3.0 9 Apr 2024
    . SSL > LOG5[ui]: Update OpenSSL shared libraries or rebuild stunnel
    . SSL > LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,OCSP,PSK,SNI
    . SSL > LOG6[ui]: Initializing inetd mode configuration
    . SSL > LOG5[ui]: Reading configuration from file /home/user/.config/eddie/c99f82f1ac630c54507010a373bede3e83fd5823b241fe155d4cf82b4d573f48.tmp.ssl
    . SSL > LOG5[ui]: UTF-8 byte order mark detected
    . SSL > LOG5[ui]: FIPS mode disabled
    . SSL > LOG6[ui]: Compression disabled
    . SSL > LOG6[ui]: Initializing service [openvpn]
    . SSL > LOG6[ui]: OpenSSL security level is used: 2
    . SSL > LOG6[ui]: Session resumption enabled
    . SSL > LOG6[ui]: Configured trusted server CA: C=IT, ST=Italy, L=Perugia, O=AirVPN, OU=stunnel, CN=stunnel.airvpn.org, emailAddress=info@airvpn.org
    . SSL > LOG4[ui]: Service [openvpn] needs authentication to prevent MITM attacks
    . SSL > LOG6[ui]: DH initialization skipped: client section
    . SSL > LOG5[ui]: Configuration successful
    . SSL > LOG6[ui]: Service [openvpn] (FD=9) bound to 127.0.0.1:61863
    . SSL > LOG6[ui]: Accepting new connections
    . SSL > LOG6[per-day]: Executing per-day jobs
    . SSL > LOG6[per-day]: Per-day jobs completed in 0 seconds
    . Hummingbird > Hummingbird - WireGuard/OpenVPN3 Client 2.0.0 beta 1 - 13 May 2024
    . Hummingbird > OpenVPN core 3.9 AirVPN linux x86_64 64-bit
    . Hummingbird > Copyright (C) 2012-2022 OpenVPN Inc. All rights reserved.
    . Hummingbird > OpenSSL 3.3.0 9 Apr 2024
    . Hummingbird > WireGuard Client 1.0.0 AirVPN Linux x86_64 64-bit
    . Hummingbird > System and service manager in use is systemd
    E Hummingbird > ERROR: profile /home/user/.config/eddie/9b7c5dbb3f48811ec5344bd0d0829a2fd0bf83b650a4d99a2ebcc4f6cea4615e.tmp.ovpn not found
    ! Disconnecting
    . Sending soft termination signal
    . SSL > LOG5[ui]: Terminated
    . SSL > LOG6[ui]: Terminating 2 service thread(s)
    . SSL > LOG6[ui]: Service threads terminated
    . Routes, delete 79.142.69.163/32 for interface "wlp3s0".
    . Routes, delete 79.142.69.163/32 for interface "wlp3s0", not exists.
    . Connection terminated.
  8. Thanks
    Staff reacted to 183aTr78f9o in Linux: AirVPN Suite 2.0.0 beta available   ...
    Nice!

    I've been using 2.0.0 Beta 1 for a few hours, so far so good. The issue I reported where bluetit wouldn't connect at boot with 2.0.0 alpha 2 despite using "airconnectatboot quick" is solved on my end. I couldn't reproduce after a few reboots (using Wireguard, default).

    The new bluetit-suspend/bluetit.resume systemd units seem to work consistently after several resume/suspend.

    After running this Bash script and then suspending, it seems that there isn't any DNS leak at all:
    #!/usr/bin/env bash
    while true; do
        curl ifconfig.co/country >> output.txt
        sleep 0.5s
    done

    I did this multiple times and the output file only contains the country of the VPN server I was connected to. May I ask how the network lock somehow "survives" these:
    systemctl stop bluetit.service
    systemctl start bluetit.service
    considering that stopping bluetit.service manually disables the network lock?

    Is real IP address really not briefly exposed just before suspending and right after resuming?

    Will report back after a longer period of usage.

    Thanks.
  9. Thanks
    Staff got a reaction from 183aTr78f9o in Linux: AirVPN Suite 2.0.0 beta available   ...
    Hello!

    We're glad to inform you that AirVPN Suite 2.0.0 Beta 1 is now available.
    What's new
      • update of all libraries
      • OpenVPN linked against OpenSSL 3 in every package (dynamically linked in non-legacy packages, statically linked (3.3.0) in legacy packages in order to operate on those systems still not offering OpenSSL 3)
      • improved WireGuard support and management
      • Goldcrest and Bluetit asynchronous connections and Network Lock suspend / resume service for Bluetit in systemd based systems
      • rewritten network availability detection
      • options autocompletion by pressing the TAB key on bash or zsh while entering a Goldcrest or Hummingbird command
      • change of logic in the choice of servers in a specific country, no more using domain names (for additional safety against Tunnelcrack)
      • ability to select whether Network Lock must allow or not communications within local network
      • enhanced support to those IPv6-only networks, no more supporting IPv4 directly and working on IPv4->IPv6 address translation: Network Lock will now allow traffic to/from the translated addresses
      • support for highly-hybridized systems running components causing a frequent mix up of nft and iptables rules (example: Fedora 39 and above) through Network Lock proper adjustments
      • support for legacy 64 bit systems, both x86-64 and ARM (examples: Debian 11, Raspberry Pi OS 64 bit legacy)
      • bug fixes
    The list of changes and new features is very long! Please check the various changelogs, available in the first post of this thread. Also check the new readme.md to test and use the new features.

    Kind regards & datalove
    AirVPN Staff

     
  10. Like
    Staff got a reaction from S.O.A. in Eddie progress   ...
    Hello! There's a part of an old urban legend here. Eddie's source code is available on GitHub (including the current 2.22.2 which is still considered "beta", according to the unorthodox release cycle of Eddie), anyway the essence of the urban legend is assuming that a license enforces restrictions on future releases of a certain work on the copyright holders themselves.

    The copyright holders are not restricted on future development or re-arrangement of a work of mind by any previous license since they are the "legal owners" (according to the international treaties which overlap intellectual monopoly with intellectual property and the EU legal framework on intellectual monopolies). On subsequent releases, the license of the current work always defines and/or restricts the rights of third parties, and not the rights of the legal owners. At the same time, the license we agreed to pick grants third parties that no retroactive restrictions are possible. 

    If Eddie's developer decided to distribute an Eddie version without source code he would have the legal right to do so, provided that Eddie does not include third-party code licensed with restrictions against closed source code. It doesn't happen because of AirVPN mission (and Eddie's developer is also an AirVPN co-founder), but legally it would be Eddie's developer right.

    An identical right is reserved to AirVPN Suite developers, and exercised on both senses. If you notice, when a Suite alpha or beta version is made available to community testers, the OpenVPN3-AirVPN library against which the Suite is linked is always open source, while the proprietary preview code is closed. It is then re-licensed and opened (usually under GPLv3 but we're not ruling out different, more permissive licenses, for the parts we have exclusive rights on) only when the development team considers the software as "stable". Even in this case, releasing a copyrighted software as a preview does not prevent the developers to re-license and open it in the future (so far to make it open source under GPL).
     
    You did not miss anything. Eddie 2.22.2 is still the latest "experimental", but the testing work is over. If nothing serious comes out (fingers crossed) you will see a new stable release very soon.

    Kind regards
     
  11. Thanks
    Staff got a reaction from knighthawk in Eddie still using insecure openssl version?   ...
    Hello!

    You can either use the OpenVPN version packaged with Eddie, Hummingbird, or another version, as you prefer.

    To change OpenVPN version selected by Eddie, please install in your system the OpenVPN version you prefer; then, run Eddie and from its main window select "Preferences" > "Advanced". Beside the "OpenVPN custom path" field please click the file requester symbol to navigate through your file system and choose the proper OpenVPN binary file. Finally click "Save". Alternatively just type in the field the binary name with the complete, absolute path, and click "Save".

    Kind regards
     
  12. Thanks
    Staff got a reaction from knighthawk in TunnelVision vulnerability. Any best practice staff can suggest?   ...
    Hello!

    As reported in the very informative and well written article, provided that unfortunately the adversary has the ability to crack your local network and install inside it an evil DHCP server, an excellent mitigation is based on firewall rules exactly as they are enforced by AirVPN's Network Lock.

    Kill switches are ineffective as usual, nothing new here, but Network Lock greatly mitigates the problem. This mitigation is very hard to circumvent, as it would require traffic analysis first and more operations later (check "Problems with Firewall Rule Mitigations" in the article). Please note that traffic splitting MUST be avoided, otherwise firewall rules of Network Lock will have exceptions which can be in themselves a dangerous enlargement of the surface attack and that can be again exploited by TunnelVision.
     
    As a double protection, you may consider to disable DHCP option 121, an option which can be reported even as “Disable Classless Static Route”. Without DHCP option 121 the attack lacks its essential pre-requisite. Check the downsides, though.

    We will have the paper investigated by independent reviewers in the next days and if anything relevant on top of all of the above comes out we will publish it.

    Kind regards
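To make the DHCP option 121 point concrete, the sketch below decodes an option 121 payload (classless static routes, RFC 3442 encoding) and flags pushed routes that would take public address space away from a VPN's default route. It is an added example, not part of the original post or of AirVPN's software; the payload bytes are constructed, and the rule "flag any non-default route that is not inside a private range" is an assumed heuristic.

```python
import ipaddress

# Ranges a LAN DHCP server may plausibly push routes for (assumed allow-list).
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed option 121 payload, one route per line:
SAMPLE_OPTION_121 = bytes([
    0,           192, 168, 1, 254,   # 0.0.0.0/0    via 192.168.1.254
    16, 10, 20,  192, 168, 1, 1,     # 10.20.0.0/16 via 192.168.1.1
    1, 0,        192, 168, 1, 66,    # 0.0.0.0/1    via 192.168.1.66
    1, 128,      192, 168, 1, 66,    # 128.0.0.0/1  via 192.168.1.66
])


def parse_option_121(data: bytes):
    """Decode RFC 3442 routes: [prefix length][significant octets][router]."""
    routes = []
    i = 0
    while i < len(data):
        prefix_len = data[i]
        i += 1
        if prefix_len > 32:
            raise ValueError(f"invalid prefix length {prefix_len}")
        n = (prefix_len + 7) // 8          # only the significant octets are sent
        if i + n + 4 > len(data):
            raise ValueError("truncated option 121 payload")
        dest = int.from_bytes(data[i:i + n] + bytes(4 - n), "big")
        i += n
        router = ipaddress.IPv4Address(data[i:i + 4])
        i += 4
        network = ipaddress.IPv4Network((dest, prefix_len), strict=False)
        routes.append((network, router))
    return routes


def suspicious_routes(routes):
    """Return pushed routes more specific than /0 that cover public space.

    Such routes win over a VPN default route by longest-prefix match, so
    traffic for them would leave through the LAN gateway named in the route.
    """
    flagged = []
    for network, router in routes:
        if network.prefixlen == 0:
            continue  # an ordinary default route, same specificity as the VPN's
        if not any(network.subnet_of(p) for p in PRIVATE):
            flagged.append((network, router))
    return flagged


if __name__ == "__main__":
    for network, router in suspicious_routes(parse_option_121(SAMPLE_OPTION_121)):
        print(f"review: {network} via {router}")
```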
     
  13. Thanks
    Staff got a reaction from knighthawk in AirVPN's Remote Port Forwarding: OpenVPN exclusive or WireGuard friendly?   ...
    @valkyrie89

    Hello!

    Inbound remote port forwarding is a feature divorced from the VPN p-t-p communication protocol, it all relies on NAT configuration through packet mangling, so you can use it both with OpenVPN and WireGuard.

    Kind regards
     
  14. Thanks
    Staff got a reaction from knighthawk in TunnelVision vulnerability. Any best practice staff can suggest?   ...
     
  15. Thanks
    Staff got a reaction from tranquivox69 in TunnelVision vulnerability. Any best practice staff can suggest?   ...
    Hello!

    On the systems, of course!

    It is possible to disable it on the router too but that's ineffective in any case. If you don't control the router you just can't do it, as you correctly point out, but even if you control the router and then the rogue DHCP server is installed in your local network but it's a machine different from your router, it makes no difference that you disabled it on your own DHCP server (apart from the fact that if the attacker gains control of your router, he/she can re-enable all DHCP options).

    Kind regards
     
  16. Like
    Staff got a reaction from OBIF85X in No Servers in France ?   ...
    According to this definition there is no censorship at all anywhere enforced by governments, not in North Korea, not in France, not in China...

    Please note that your definition is pure fantasy, if not insulting. Censorship is exactly suppression of speech, public communication, or other information subversive of the "common good", or against a given narrative, by law or other means of enforcement. The fact that censorship is enforced by law or by a government body does not make it less censorship. Furthermore, historically censorship was an exclusive matter of some central authority (the first well documented case is maybe the censorship rules to preserve the Athenian youth, infringed by Socrates, for which he was put to death, although the etymology comes from the Roman Office of Censor which had the duty to regulate on citizens' moral practices) and today censorship by governments is predominant. Even in modern times censorship through laws has been and is predominant and pervasive according to Britannica and many academic researches.

    Then you can discuss ad nauseam whether censorship by law is "right" or "wrong", whether France's censorship is "better" than China's censorship, but you can't change the definition of censorship, otherwise this discussion will become delirious.

    Kind regards
     
  17. Thanks
    Staff got a reaction from john.smith in DNS traffic can leak outside the VPN tunnel on Android   ...
    Hello!

    The problem is Android-related and not VPN client related. However, Eddie has an option which will prevent this leak, "VPN Lock". Please note that this option will not allow Eddie to re-connect and/or re-configure the tunnel, which is the exact reason for which leaks are prevented. When Google solves this Android problem you can then disable "VPN lock" and rely again on Android built-in leaks prevention. Please note that "VPN Lock" is disabled by default, so you must activate it from the "Settings" > "VPN" view.

    We totally agree with Mullvad when they write, in the article you linked, "Depending on your threat model this might mean that you should avoid using Android altogether for anything sensitive". Remember also that an overwhelming amount of evidence suggests that iOS and Android were designed to be primarily profiling and surveillance devices, so it's an antinomy to use such a device to enhance privacy or create a layer of anonymity.

    Kind regards
     
  18. Thanks
    Staff got a reaction from Reikun in Problem connection client Eddie   ...
    Hello!

    Please try the following procedure to quickly resolve the problem:
      • run Eddie
      • on Eddie's main window uncheck "Remember me"
      • log your account out
      • log your account in (you'll need to re-enter your AirVPN credentials)
      • try again a connection

    Kind regards
     
  19. Like
    Staff got a reaction from OBIF85X in No Servers in France ?   ...
    According to this definition there is no censorship at all anywhere enforced by governments, not in North Korea, not in France, not in China...

    Please note that your definition is pure fantasy, if not insulting. Censorship is exactly suppression of speech, public communication, or other information subversive of the "common good", or against a given narrative, by law or other means of enforcement. The fact that censorship is enforced by law or by a government body does not make it less censorship. Furthermore, historically censorship was an exclusive matter of some central authority (the first well documented case is maybe the censorship rules to preserve the Athenian youth, infringed by Socrates, for which he was put to death, although the etymology comes from the Roman Office of Censor which had the duty to regulate on citizens' moral practices) and today censorship by governments is predominant. Even in modern times censorship through laws has been and is predominant and pervasive according to Britannica and many academic researches.

    Then you can discuss ad nauseam whether censorship by law is "right" or "wrong", whether France's censorship is "better" than China's censorship, but you can't change the definition of censorship, otherwise this discussion will become delirious.

    Kind regards
     
  20. Like
    Staff got a reaction from XoFqnFHeDxAgP in OpenVPN Certificate has expired   ...
    Hello!

    The problem affects those users who run Eddie Desktop edition with OpenVPN and never logged out for more than a year, or use OpenVPN clients with configuration files generated before 2021. Since Eddie Desktop edition re-downloads certificates and keys only when the operator logs in, locally some certificates have expired because we extend their expiration date automatically at least one year in advance (three years normally).

    Please try the following procedure to quickly resolve the problem:
    • run Eddie
    • on Eddie's main window uncheck "Remember me"
    • log your account out
    • log your account in (you'll need to re-enter your AirVPN credentials)
    • try again a connection

    Kind regards
     
  21. Like
    Staff got a reaction from ScanFarer in Future of US AirVPN servers after Restrict ACT bill S. 686   ...
    Not only TikTok. For example the Bitcoin network can not be controlled so a transaction from an American citizen could potentially go to a citizen of a country that's "a menace" for the USA (definition of enemy and menace is discretionary, the used language seems fine tuned to allow scope enlargement at will without judiciary supervision). Since that's not controllable, we find it potentially possible that operators might be required to block "the Bitcoin network".

    What's worse, according to a preliminary interpretation of the text, if in some way (difficult but personal and house search, pre-selected through the usual monitoring performed by USA ISPs, can help...) it can be proved that a USA citizen has used some tool like Tor or VPN to access any of the blocked network / services etc., that citizen will be prosecuted: civil liability up to a million dollars, and criminal behavior subjected to up to 20 years in jail - which, if we're not mistaken, is worse than in China, Russia, and various countries controlled by human rights hostile regimes.

    Kind regards
     
  22. Like
    Staff got a reaction from benfitita in Would like to easily see the IP address of available servers   ...
    Hello!

    We will consider seriously the suggestion, thank you.

    Kind regards
     
  23. Like
    Staff got a reaction from monstrocity in Suddenly I cannot connect - keeps happening   ...
    @Greyzy

    Hello!

    The solution is relatively simple when you use a subnet calculator: you must tell WireGuard that some subnet (in this case your local network) must NOT fall into the VPN tunnel through the AllowedIPs directive.

    The AllowedIPs directive in the WireGuard *.conf file lists the set of IP addresses that the local host should route to the remote peer through the WireGuard tunnel. By constructing from the global address space the complementary set of the range of your subnetwork you will solve the problem.

    Please read the following thread for more complete explanations and definite solution:
    https://airvpn.org/forums/topic/55801-wireguard-access-local-network/?tab=comments#comment-217411

    Kind regards
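
The complementary set described in the post above can be computed instead of looked up in a subnet calculator. The following is an added example, not code from the post or the linked thread; the 192.168.1.0/24 LAN and the function names are assumptions chosen for illustration.

```python
import ipaddress


def allowed_ips_excluding(excluded, base=("0.0.0.0/0", "::/0")):
    """Return the CIDR blocks that cover `base` minus every network in `excluded`."""
    remaining = [ipaddress.ip_network(b) for b in base]
    for item in excluded:
        hole = ipaddress.ip_network(item)  # raises ValueError if host bits are set
        kept = []
        for net in remaining:
            if net.version != hole.version or not net.overlaps(hole):
                kept.append(net)  # untouched by this exclusion
            elif hole.supernet_of(net):
                continue  # block lies entirely inside the excluded range
            else:
                # CIDR blocks either nest or are disjoint, so here the
                # excluded range is a proper subnet: split the block around it.
                kept.extend(net.address_exclude(hole))
        remaining = kept
    # IPv4 blocks first, then IPv6, each in address order.
    return sorted(remaining, key=lambda n: (n.version, n))


def allowed_ips_line(excluded, base=("0.0.0.0/0", "::/0")):
    """Format the result as a WireGuard AllowedIPs directive."""
    blocks = allowed_ips_excluding(excluded, base)
    return "AllowedIPs = " + ", ".join(str(n) for n in blocks)


if __name__ == "__main__":
    # Constructed sample: a home LAN that must stay reachable outside the tunnel.
    print(allowed_ips_line(["192.168.1.0/24"]))
```

The printed line replaces the existing AllowedIPs entry in the [Peer] section of the *.conf file; a single /24 carved out of 0.0.0.0/0 yields 24 IPv4 blocks, one per prefix length from /1 to /24.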
     
  24. Haha
    Staff got a reaction from pure1 in Port forwarding availability change   ...
    @Undated8198


    Hello,

    we have no plans to remove port forwarding, quite the contrary: we are currently deploying resources to delay port exhaustion and find alternative, but comfortable, procedures to keep offering this service in anticipation of port exhaustion. As you can see we already limited to new customers the amount of bookable ports, in order to preserve advertised features to those who are already our customers. We are committed to avoid retro-active modifications of the service for pre-existing customers, when such modifications would be detrimental for the service or anyway betraying an advertised feature.

    Kind regards
     
  25. Like
    Staff got a reaction from ninja33086 in Split Tunnel.   ...
    Hello!

    In Eddie Android edition you can split traffic on an application basis. You can define "white" and "black" lists of apps. If a black list is defined, the apps included in the black list will have their traffic routed outside the VPN. Any other app will have its traffic routed into the VPN. If you define a white list, only the apps in the white list will have their traffic routed inside. Any other device traffic will be routed outside the VPN. Traffic splitting will work both on WireGuard and on OpenVPN.

    In Eddie Desktop edition for Linux, Mac and Windows you can split traffic on a destination basis (IP addresses, IP addresses range, or host names). You can tell Eddie to send the traffic outside the VPN tunnel only for specific destinations, or you can tell Eddie to send all the traffic outside the tunnel except for specific destinations. Traffic splitting will work both on WireGuard and OpenVPN.

    AirVPN Suite for Linux does not offer any traffic splitting ability, but we are considering implementing an app based traffic splitting feature in the near future.

    Kind regards
     