Royee got a reaction from OpenSourcerer in [Deprecated] Using AirVPN with Fritz!Box routers [new link inside] ...
Even on the top and latest Asus routers with OpenVPN via Tomato they are still hitting 8-12 meg per sec.
I was thinking while I am ok with it, in the future what if I upgrade to a faster connection.
I think the best idea is to build your own super router with 3 GHz+ and 4 GB with something like pfSense Live or one of the other free firewall packages; this way, once you add OpenVPN support, and if your CPU supports AES instructions, your CPU won't get much overhead from handling the VPN either. This way I think in theory, with your own super router, one can get max speeds on your connection, no need to ever upgrade your router!
This also allows no limitations on bandwidth or slowdowns with multiple users or even when streaming HD; your super router is king really.
This is all in theory, mind... but yeah, it will be interesting to hear actual numbers.
Royee reacted to knicker in Installing a pfsense box with AirVPN ...
Here is my CPU load on the XEON while downloading large files from usenet. That's a big difference from the 91% load on the Celeron...
The AES NI instruction in the chipset and a quad core server processor capacity will do the trick...
@LionofOrange: I can highly recommend this set-up
Royee reacted to pj in Ive read this over at a professional IT Service , its about Airvpns privacy policies, read! ...
Technically this is a very interesting question. In order to block p2p traffic in advance, disabling port forwarding is not enough. For example, torrent clients can work without port forwarding behind a NAT, with a performance hit and some limitations due to the inability to receive incoming connections (so you can't start seeding, for example, but this problem is not relevant for many users).
Blocking outbound and inbound ports commonly used for p2p is of course ineffective. With DHT, it's also ineffective to block access to trackers.
Blocking a wide range of outbound ports is a more realistic option, but again the risk is blocking many applications and protocols (experimental or not), not to mention that a block on outbound ports would be one of the most offensive behaviors against Net Neutrality and against an open Internet. What if some service on the Internet is listening to one of the blocked ports? The block would render the service unreachable.
The most effective way would be implementing Deep Packet Inspection, but in this case the provider would also block perfectly legitimate p2p traffic and would potentially risk some important collateral damage as well, for example a block of some VoIP applications, not to mention remarkable additional system load, unless expensive hardware dedicated to DPI is employed, which would inevitably require higher prices for the customers (with the absurd paradox that they would pay more to get blocked!).
In practice, according to users' reports and interviews with VPN administrators, the most common method is to forbid "illegal" p2p in the Terms of Service and log customers' activity (simple logging, no DPI or SPI is required). Then, if those providers receive an alleged copyright infringement notice, they correlate (with the time stamps, IP and port reported on the notice) the allegedly infringing account and disable it, without any verification; see for example the HideMyAss interview by schoolofprivacy.eu:
> and how do you generally handle requests from law enforcement and copyright agencies?
In case we receive any DMCA complains [sic] we locate and suspend the account which was originating the traffic in question and suspend it.
http://schoolofprivacy.eu/post/41190513699/short-interview-with-hide-my-ass (as a side note, this is an enlightening interview: if you know a little about OpenVPN and cipher suites, you will see that the interviewed HMA person does not even know what he/she is talking about when he/she answers the question "What type of encryption do you use?" - which is quite worrying from someone who bases the most important part of a service on encryption).
Royee reacted to nolehce in Ive read this over at a professional IT Service , its about Airvpns privacy policies, read! ...
Well, I am about to erogate me some of this fine Air VPN service right now!
Royee reacted to Ernst89 in Installing a pfsense box with AirVPN ...
Going back to a post a while back, you mentioned needing two dual NICs. One is all you need per pfSense installation: one port in from the WAN and the other port out to the LAN. If you need more LAN connections use a switch. pfSense isn't efficient as a LAN switch, as the NICs can hit the CPU quite heavily with interrupts.
I run on a virtual machine using 1 GB of RAM and 2 cores of an i5 2500k. This can achieve 100 Mb/s+ over WAN OpenVPN. It's hard to tell whether the speed is limited by my CPU, my ISP or AirVPN, but I have gotten pretty close to the speed of my connection.
As to CPU usage, I think OpenVPN on pfSense is single threaded, so 25% CPU may be OpenVPN maxing out a core.
I use my CPU for lots of stuff apart from the router. I highly recommend it, and I imagine knicker's XEON is slightly more powerful. Two cores is probably enough for a router, but it's always nice to have 4 just in case you think of some other apps you need to run.
Royee reacted to knicker in How to prevent DNS leaks in pfsense ...
In the case of DNS leakage, within pfSense there's a good way to prevent that from happening. In this case you don't need to tweak all your Windows machines ;-)
In pfSense navigate to System ---> General Setup and set everything as in the picture below. Use the DNS servers from AirVPN.
Note that with my settings (also described here and here), your internet will drop in case your VPN connection drops. Then you need to set the WAN back to default manually.
That's it. No more DNS leakage! (I had 6 and 2 from my ISP)...
Royee reacted to knicker in How to port-forward pfsense using airvpn ...
If you want to port-forward and not use the UPnP in pfSense, then follow these instructions:
In the pfSense web interface navigate to Firewall ---> NAT ---> Port Forward. Click on the Plus button and follow the instructions in the picture:
- In the Redirect Target IP section, fill in your client's IP (192.168.0.115 for example) running the program (uTorrent for example).
- In the port sections fill in the forwarded port created on the AirVPN website.
- In the Filter rule association section select "create new associated filter rule" (this will create a rule for the firewall automatically).
Click save and navigate to the Outbound tab, click on the lowest Plus button and follow the instructions in the picture:
- In the Destination IP section, fill in your router's IP.
- In the Redirect Target IP section, fill in your client's IP (192.168.0.115 for example) running the program (uTorrent for example).
- In the port sections fill in the forwarded port created on the AirVPN website.
As you can see from the green light in the picture below, I'm connected: up and running!
Royee reacted to knicker in Installing a pfsense box with AirVPN ...
I've built a pfSense router myself because I found that speeds were dramatically dropping through my Linksys router (EA6500) or through my client. By building my own router I had more control over the hardware and firmware. I have a 200 Mb/s - 10 Mb/s ISP connection. My router build is as follows:
Shuttle DS61 V1.1 mini ITX barebone / socket 1155 / 2 x Gbit LAN
2 x 4 GB SO-DIMM DDR3 Kingston HyperX
Intel XEON E3-1230 V2 3.10 GHz (has no graphics chip)
Kingston 60 GB SSD
In order to get graphics (which I'll need for installation, since the mini ITX motherboard doesn't support an extra graphics card) I bought an old Celeron 2.70 GHz with a graphics chip. Now that pfSense is installed, I will be using the Celeron for a while in case something goes wrong in the pfSense settings and I'll be needing graphics again. So after I'm done installing packages and setting up everything, I will replace it with the XEON.
Speedtest with the Celeron while connected to VPN
I think that is pretty impressive, since I had around 60 Mb/s - 9.5 Mb/s before I had this router. If you forget about the XEON and keep the Celeron (for 24/7 use, I'll take the XEON also because of its 'AES NI' instruction within the chipset) it will cost you about 500 dollars or about 370 euros. The XEON included adds an extra 250 dollars or 195 euros.
This is a better investment than buying any other consumer router with a 600 MHz Broadcom processor.
This is a kick ass router!
For a proper installation of pfsense I can recommend this video:
(good packages: squid, havp, snort (get a paid oinkcode for 27 dollars/year, otherwise you'll have a 10-day delay in updates))
SET UP AIRVPN IN PFSENSE
Configure an AirVPN *.ovpn file (use a region; AirVPN will connect to the best server automatically).
From the pfSense interface, navigate to the dropdown menus System ---> Cert Manager and stay in the first tab. Click the button as seen here to create a new certificate. Give it a description like: cert airvpn. Ensure that "Import an existing certificate authority" is selected.
Open the *.ovpn file and copy/paste the first certificate (starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----) into the 1st field. Click save (leave the other field empty).
Click on the tab Certificates and click on the plus button as seen here. Give it a description like: certificate airvpn. Ensure that "Import an existing certificate authority" is selected. Open the *.ovpn file and copy/paste the second certificate (starting with ---- CERTIFICATE:----- and ending with -----END CERTIFICATE-----) into the 1st field. So in the file it looks like this:
-----END CERTIFICATE----- (end of the first certificate we've just imported)
The second copy/paste should start at: Certificate:
Copy/paste the third certificate (starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----) into the 3rd field. Click save.
Navigate to the system dropdown menus VPN ---> OpenVPN. Click the Client tab and click on the Plus button. Follow the settings in the pictures below, where: 1. the server host or host address can be found in the *.ovpn file, ending probably with airvpn.org; 2. the server port can be found at the top of the *.ovpn file as well.
Navigate to the system dropdown menus Interfaces ----> (assign) and click on the Plus button
-Note: in the previous screenshot you will notice a StrongVPN interface. You will NOT have that on your box yet, so don't worry.
After clicking on the plus button pfSense will tell you it has successfully added a new interface. The network port name will most likely be named "ovpnc1". Ensure that the new interface is selected as "ovpnc1" (it could be ovpnc2, ovpnc3, etc., depending on whether you have other ovpn interfaces or not). Navigate to the system dropdown menus Interfaces ---> OPT1 (or whatever your new interface from the previous step is) and follow the steps in the picture below.
Click save. Navigate to the system dropdown menus System ---> Routing and click on the Plus button.
Follow the settings in the picture below
-Note 1: The IP seen in the picture, 188.8.131.52, is the IP of OpenDNS.
-Note 2: By selecting "Default Gateway", the connection to the internet drops if the VPN connection drops. You'll have to set the WAN as default manually in case you need an internet connection.
Navigate to the system dropdown menus Firewall ---> Rules and click on the LAN tab. Click on the Plus button to create a new rule. Follow the instructions in the picture below.
Source: LAN Subnet
Description: LAN to Internet force through VPN
**IMPORTANT**: scroll down to "Gateway" under the "Advanced features" of the rule. Set gateway to your VPN interface (see above picture).
After Clicking save, you should see something like this
Navigate to the system dropdown menus Firewall ---> NAT and click on the Outbound tab. Enable "Manual Outbound NAT rule generation" and select save.
Reboot the router and you're done... If you want to/need to start manually, go to Status -----> Services and click on the Play button next to the VPN interface status.
Check Status ---> Dashboard for connections as seen in the picture below (in the WAN section you'll see your ISP's IP, which is the connection you're coming from to AirVPN; note from AirVPN: We inevitably know it. Any reference will be deleted when the connection is closed). Don't worry, you're visible with a different IP on the internet.
The reason I chose a XEON is the 10% watt reduction and the AES NI instructions in the chip (AirVPN is 256 bit AES encrypted). This will lower my CPU usage and speed up the process. Below you find a picture with system loads while having 10 torrents running and downloading a large file at full speed from usenet (SSL encrypted)... See the CPU usage on the Celeron. That will change I think with a XEON.
Good luck and don't forget to install Snort, HAVP and Squid on your pfSense. Good guides out there on Google...
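The guide above copies the CA certificate, the user certificate and the key out of the .ovpn file by hand, three PEM blocks in a row. The script below is an added example, not knicker's or AirVPN's code: it assumes the profile carries the material in inline <ca>, <cert>, <key> and <tls-auth> blocks (the config generator's default when "Separate keys/certs" is not checked) and writes each one to its own file, keeping only the PEM part so the textual "Certificate:" dump that precedes the user certificate is dropped. The sample profile is constructed with placeholder bodies and a placeholder hostname.

```shell
#!/bin/sh
# Added example: split an .ovpn with inline certificate blocks into the four
# files the pfSense Cert Manager import fields (and OpenVPN itself) expect.
# Nothing here is the project's own tooling; sample data below is constructed.

# Print the PEM section(s) of one inline block.  $1 = .ovpn path, $2 = tag.
extract_block() {
    awk -v tag="$2" '
        { sub(/\r$/, "") }                    # tolerate Windows line endings
        $0 == ("<" tag ">")  { inside = 1; next }
        $0 == ("</" tag ">") { inside = 0 }
        inside               { print }
    ' "$1" | awk '
        /^-----BEGIN / { pem = 1 }            # keep only BEGIN ... END lines,
        pem            { print }              # dropping the "Certificate:" dump
        /^-----END /   { pem = 0 }
    '
}

# Write ca.crt, user.crt, user.key and ta.key from $1 into directory $2.
split_ovpn() {
    ovpn=$1; dir=$2
    mkdir -p "$dir"
    extract_block "$ovpn" ca       > "$dir/ca.crt"
    extract_block "$ovpn" cert     > "$dir/user.crt"
    extract_block "$ovpn" key      > "$dir/user.key"
    extract_block "$ovpn" tls-auth > "$dir/ta.key"
    chmod 600 "$dir/user.key" "$dir/ta.key"   # private material: owner-only
}

# Number of PEM objects in a file; each pfSense field should get exactly one.
pem_count() {
    grep -c '^-----BEGIN ' "$1"
}

# Constructed sample profile (placeholder bodies, placeholder REGION host).
SAMPLE_OVPN=$(mktemp)
cat > "$SAMPLE_OVPN" <<'EOF'
client
dev tun
proto udp
remote REGION.airvpn.org 443
<ca>
-----BEGIN CERTIFICATE-----
CAPLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
-----BEGIN CERTIFICATE-----
USERCERTPLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
KEYPLACEHOLDER
-----END PRIVATE KEY-----
</key>
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
TAPLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
```

Run it as `split_ovpn AirVPN.ovpn ./airvpn-certs` and paste ca.crt into the CA field, user.crt and user.key into the Certificates fields.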
Royee reacted to Staff in Pfsense OpenVPN client settings ? ...
UDP or TCP according to your choice.
It depends on your router setup. Surely not local host.
53, 80 or 443.
The ca.crt file that you must download from the configuration generator.
The user.crt file that you must download from the configuration generator.
Royee reacted to Staff in Logs get deleted after disconnect so better to do regular? ...
Communication logs are not written at all. Until the disconnection, what is kept (in RAM) is the VPN IP address, your node IP address (obviously, otherwise there would be no communication at all with your node!). Additionally, the amount of exchanged data in that session and the duration time of the session itself. Finally, the average up and down "speed" of the last 60 seconds are calculated. All of these data do not affect privacy but at the same time help us to verify that a server is functioning properly. All of these data are lost forever when the client disconnects.
Only for troubleshooting purposes you can force the system (from your control panel) to keep logs of the total amount of exchanged data and duration time of each session for your user (if you decide to do so, you can anyway disable this function, which will cause deletion of those data). You can't anyway force the system to store your session IP addresses.
Royee reacted to Staff in VPNs: Is it OK to Monitor ‘Bad’ Users on Ethical Grounds? ...
Well, not really: VPN 1 knows your real IP address but receives and sends totally encrypted traffic to/from a single end-point. VPN 2 can see your traffic (if not encrypted end-to-end) but knows neither your identity (well, at least with services which accept Bitcoin etc.) nor your real IP address.
Or vice-versa, of course.
This increases the anonymity layer strength, no doubt. However, remember that you are partitioning trust between two parties only, which can know each other.
With the addition of TOR, you not only perform partition of trust with 4 parties, but you also establish new circuits, so that the parties are not known in advance, and each party ignores at least one other party (for example, with TOR over VPN: VPN server does not know TOR relay and TOR exit-node; TOR exit-node does not know VPN server and TOR entry, etc.).
Therefore, once again everything goes down to the basic questions: who can your adversary be? What is the value of your information, in terms of resources that an adversary can reasonably be ready to spend to disclose your identity?
True, this depends on which country you live in. If TOR usage triggers investigations, maybe it's better to try TOR over VPN.
Royee reacted to Hotrootsoup in Newbie VPN questions ...
Yeah, the no addons thing can be annoying, as I use quite a few of them myself.
You can just enable/disable flash in Firefox and then clear local flash data in between "regular" and VPN use. In fact, having 2 Firefox installs I don't think necessarily means 2 flash databases, so be careful.
As for tunneling 2 VPNs:
1.) It's a pain in the ass to set up.
2.) Downtime on either disrupts you.
3.) Twice as many disconnects, or more.
4.) Twice the amount of money.
5.) Twice as much bandwidth and CPU cost on the encryption. (Or 1/3rd more in the case of an HTTPS site I suppose)
Are those downsides worth it? Well, there is an upside.
You get an increase in anonymity, but not in privacy.
No matter what, one of the VPNs has to see your unencrypted traffic. This is simply how VPNs work. You send the VPN encrypted traffic, and then they decrypt it and pass it on to the site/server you were connecting to. This would be the change:
You -> (encrypted traffic) -> VPN -> (decrypted traffic) -> Website/server (Assuming no HTTPS, etc.)
You -> (double encrypted traffic) -> VPN 1 -> (single encrypted traffic) -> VPN 2 -> (decrypted traffic) -> Website/server
The advantage here is that if VPN 1 is raided, they cannot read your traffic. If VPN 2 is raided, they can read your traffic, but as long as VPN 1 doesn't flop on you, they can't tell who sent it. (Assuming you signed up for VPN 2 while using your other VPN, used a burner email address, paid using a bitcoin account not even slightly linked to you (again, while under VPN 1), and have never logged in to VPN 2 without being connected to VPN 1.)
Again though, VPN 2 can still read your data, so if you ever send data that identifies you (logins, emails, etc.) VPN 2 will know who you are anyway.
Royee reacted to Staff in VPN chaining ...
Yes, in most cases it will be faster. Additionally you will have no protocol limitations like in TOR. However, it's not as secure as TOR over VPN, or VPN over TOR. As usual, it depends on the balance between security and performance that you want to achieve. Such balance can be correctly evaluated only by yourself, carefully, according to the sensitiveness of the data you need to receive or impart.
Probably the easiest way to connect over a VPN over a VPN is through a VM attached via NAT (important!) to the host machine. The host connects to VPN1. The VM connects to VPN2. On the VM all the traffic will be tunneled over VPN2 over VPN1. This solution has also some nice side-effects, the usual advantages of running a VM: disasters and attacks isolation, portability, option to keep the virtual disk encrypted with the assurance that no unencrypted data can be written without your knowledge outside the virtual machine disk.
Royee reacted to Staff in Pre-configured DD-WRT Routers with OpenVPN - Worth the investment? ...
No problems at all, please link them to https://airvpn.org/ddwrt and use the configuration generator to provide them with the appropriate files. Please remember that those who are given your user.key can connect to any Air VPN server with your account.
Behind a router you can connect as many devices as you wish, our system will always see just one account and a single connection.
Royee reacted to OpenSourcerer in [Deprecated] Using AirVPN with Fritz!Box routers [new link inside] ...
DEPRECATED. USE V2:
In the following I will describe the steps necessary to connect to and route all traffic through AirVPN using modified firmwares for Fritz!Box routers by AVM. AVM is a manufacturer of quite popular (and expensive) routers in German-speaking countries. Unfortunately it has its restrictions - especially on older models there is absolutely no VPN software preinstalled. So how do we solve this problem?
The solution is called Freetz. Basically it's just a firmware modification kit with which you apply mods and packages to the original firmware. One of those packages is openvpn and this guide shows how to configure it to use with AirVPN.
Be aware that VoIP won't work properly with AirVPN since you'd need to forward more than 32 ports to make it work without issues.
1. Read the FAQ.
2. Read Freetz for beginners.
3. Read this how-to for an overview of what awaits you.
All right? Let's go!
-- BUILDING THE FILESYSTEM --
1. Startup linux on VirtualBox. Checkout the recent freetz-trunk using
svn checkout http://svn.freetz.org/trunk freetz-devel
This is really important, because recent trunks contain OpenVPN v2.3 which fixes serious routing problems on the Fritz!Box. cd to freetz-devel after completion.
2. Build your minimal firmware and flash it.
3. If everything went fine make yourself familiar with the web interface. Then proceed.
I) In Packages/Packages select OpenVPN with version (2.3.3), SSL library (OpenSSL), Enable Management Console, Optimize for size.
II) In Packages/Unstable select Iptables 184.108.40.206 (binary only, unstable) and Iptables-CGI 1.1.
The general Iptables kernel modules and Iptables shared libraries are automatically selected. For full fun consider selecting everything in Select kernel modules (IPv4), Select shared libraries (IPv4) and Select shared libraries (both IPv4 and IPv6).
III) Now build your firmware and flash it.
If everything worked fine proceed to the AirVPN config.
-- OPENVPN CONFIGURATION --
Go to the config generator to generate your configuration files. Choose Router or other, then your preferred server. Check Advanced, your preferred connection mode and then Separate keys/certs from .ovpn file (not necessary, but this one will make it easier to set up the keys/certificates).
Open every generated file with an editor like Notepad++. The config is only necessary to grab information you need, you are not going to upload it.
Look into the .ovpn file and set up everything like this:
Now you have to add the certificates. You can find the menu items I mention in the sidebar.
Copy the whole content from
1) user.crt into the box at Box Cert.
2) ca.crt into the box at CA Cert.
3) user.key into the box at Private Key.
4) ta.key into the box at Static Key.
Now start OpenVPN over the web interface. Your internet connection will drop but you will be able to connect to the Fritz!Box.
-- 301: INTERNET MOVED PERMANENTLY --
Don't worry. iptables will help you to get the internet connection back.
You just need to create one simple rule to NAT all traffic to tun0. Now the Iptables-CGI comes into play.
1. Click on Iptables in the sidebar, check Automatic at "start type" and then press the start button.
2. Go to Editor in the sidebar. Check Add and pick from the drop-down menus:
Click on Submit.
Go back to Iptables and press the restart button. Now check at Rules whether iptables-save has saved your rule. It should have done so. This might look different for you:
# Generated by iptables-save v220.127.116.11 on Tue Apr 15 23:43:28 2014
*nat
:PREROUTING ACCEPT [75:4106]
:POSTROUTING ACCEPT [27:4097]
-t nat -o tun0 -j MASQUERADE
:OUTPUT ACCEPT [10:3229]
COMMIT
# Completed on Tue Apr 15 23:43:28 2014
# Generated by iptables-save v18.104.22.168 on Tue Apr 15 23:43:28 2014
*filter
:INPUT ACCEPT [461:31565]
:FORWARD ACCEPT [45:2332]
:OUTPUT ACCEPT [457:137328]
COMMIT
# Completed on Tue Apr 15 23:43:28 2014
You're done. The internet connection of all the devices in your network is routed through the tunnel.
Tested on AVM Fritz!Box Fon WLAN 7141 with firmware 41.04.77, Freetz version: freetz-devel-11941
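The MASQUERADE rule the how-to enters through Iptables-CGI, written out as a script, as an added example that is not part of OpenSourcerer's guide or of Freetz. It adds FORWARD rules so that LAN clients can only leave through the tunnel: with the guide's default ACCEPT policies, a dropped tun0 would otherwise let forwarded traffic fall back onto the plain uplink. The LAN and WAN interface names are assumptions; tun0 is the name the guide uses.

```shell
#!/bin/sh
# Added example: NAT through the VPN tunnel plus a leak guard for a Freetz
# router.  Not from the original post; LAN_IF and WAN_IF are placeholders to
# be replaced with the box's real interface names.
VPN_IF="${VPN_IF:-tun0}"
LAN_IF="${LAN_IF:-lan}"   # assumed name of the Fritz!Box LAN bridge
WAN_IF="${WAN_IF:-dsl}"   # assumed name of the uplink interface

# Print the rule set, one iptables invocation per line, so it can be reviewed
# before it is applied.  The router's own traffic (the OpenVPN session to the
# server, its DNS lookups) goes through OUTPUT, not FORWARD, and is unaffected.
vpn_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -o $VPN_IF -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j DROP
EOF
}

# Apply the rules on the router (needs root and the iptables kernel modules
# selected in the Freetz build).
apply_rules() {
    vpn_rules | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

# Check an iptables-save dump for the POSTROUTING MASQUERADE rule on the VPN
# interface.  Returns 0 when present, 1 otherwise.
has_masquerade() {
    printf '%s\n' "$1" | grep -q -- "^-A POSTROUTING -o $VPN_IF -j MASQUERADE"
}

# Constructed dump in iptables-save format (counters zeroed, not captured
# from a real box) showing what a correctly saved rule looks like.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT'

case "${1:-}" in
    --apply) apply_rules ;;
    --check) has_masquerade "$(iptables-save)" && echo "MASQUERADE rule on $VPN_IF present" ;;
esac
```

Run the script with no arguments to review the rules, `--apply` to install them, and `--check` after a reboot to confirm the saved rule came back.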
Royee got a reaction from nunz in One AirVPN account --> Multiple VPN connections? ...
Massive thread and guide on using openVPN via the router
Just bear in mind you're limited by your router's CPU speed; currently most are hitting 8-9 meg per sec, so you're sadly limited. For myself it's more than enough for now, and I would rather lose speed any day of the week and have better encryption.
The Asus RT-N16 router is perhaps one of the most stable and best routers; it uses the Tomato firmware, which has OpenVPN support.
I had teething issues at first, but I found it was my network driver causing 90% of the issues; otherwise it works well and all connections are now encrypted.
Royee reacted to Corsair28 in Block non-VPN traffic oooor just use a VM? ...
This setup works very well. I have had to change several times due to the dynamics at work. I just wanted to add that using Comodo firewall to make sure the VM only uses Air and has no internet access once disconnected is easy to do; you can use the same rule as for uTorrent.
Royee got a reaction from Corsair28 in Block non-VPN traffic oooor just use a VM? ...
I hear many people run multiple virtual boxes; if you own a quad-core CPU and 8 GB or above you will be fine. Whonix is a popular choice and runs under the Tor network. You could also run Ubuntu in another VBox; if you set up TrueCrypt then it's even safer.
I think it's a great idea; your normal Windows is fine, as for any other logs and activities, Windows logs will only see you opened the VirtualBox software. You can further run the latest version of CCleaner and PrivaZer, which supports cleanup of Windows logs (finally!) and also VirtualBox logs (set a DoD pass for non-recovery); you can set them up on a schedule, daily even, or upon boot. This way an adversary has nothing much to check into!
This way your Linux torrents and surfing and any other activities remain in a virtual box, with much better privacy and security. Just bear in mind when you shut down your virtual machines, perhaps you may want it to not save any data/changes? The other issue is an adversary could catch your system live and not encrypted and thus have full access to your drives and virtual boxes and see all the data and usage! Just like AirVPN has a kill switch, maybe you require one also. I was thinking perhaps there may be a screen lock or screen password to perhaps work in between this issue, but not sure of one on Linux.
Royee reacted to Staff in Stats vs. Privacy ...
By default (when you register an account) it's already off. You must specifically turn it on if you wish it. It can be useful for troubleshooting, in case of issues, or to monitor the traffic volume (for example for users on a traffic-volume-limited connection).
Royee reacted to the ineffable me in German Government Warns Not To Use Windows 8 ...
The latest releases of Linux Mint; versions 14 & 15 do support full disk encryption, you just need to upgrade the installer before initiating the installation process, and that's dead simple:
Download and save your desired version of Linux Mint as a bootable CD or USB stick, and boot it up. Open a terminal and issue the commands:
sudo apt-get remove ubiquity
sudo apt-get update
sudo apt-get install ubiquity
The installer will now offer the option to install with full disk encryption