Royee reacted to Staff in Importance of partition of trust for critical data exchanges ...
Not exactly: partition of trust and all the discussed topics refer to the trust that you put in us. If you can't afford to trust us, or even if you can trust us but you can't afford to trust the datacenter personnel our servers are in (*), you have the tools to strengthen the anonymity layer.
About the backend servers, it's another topic, although you're right that it's actually related, and it is important as well: in this way we do not keep any account data, including user keys, on any VPN server, and above all we can keep the location of the clustered database totally private and unknown to anyone, which is also an additional protection against a wide range of attacks.
(*) When we founded AirVPN we thought about how the anonymity layer of a person who needs to disseminate information on organized crime, or the anonymity layer of a whistleblower, could be protected even from ourselves, so that those persons were not forced to blindly trust a single entity.
Royee reacted to Staff in Spy Files 3 ...
It's enabled by default in our service. OpenVPN works in TLS mode with TLS re-keying at each new connection and every 60 minutes. This is an answer given on some tickets a few minutes ago, as a reply to worried inquiries following the new articles in The New York Times and other publications.
[Looking deeper into papers and more technical articles, already available] NSA can decrypt only encrypted data for which NSA already has the keys (through back doors or just by getting the keys) or for weak, obsolete ciphers.
That's why it's very important to use services (like ours) which do not possess your key and comply with Perfect Forward Secrecy. For example, when your OpenVPN client establishes a connection to one of our servers, a new TLS key is negotiated (Diffie-Hellman/Perfect Forward Secrecy) AND a new TLS re-keying occurs every 60 minutes.
Additionally, AirVPN is based on OpenVPN, which is free and open source, and has been under intensive peer review by crypto experts since its birth more than 10 years ago. No backdoor has ever been found.
We run OpenVPN with the following ciphers:
OpenVPN Data Channel: AES-256-CBC
OpenVPN Control Channel: HMAC SHA1
RSA keys: 2048 bit size
OpenVPN in TLS mode (Perfect Forward Secrecy: re-keying at each connection and re-keying every 60 minutes)
Now let's assume that the NSA (or any other very malignant adversary) breaks into your system or into our secret backend servers and obtains your user.key (the user.key is not kept on the VPN servers, and the location of the backend servers is unknown to everyone except the Air founders; the clients and the VPN servers never communicate directly with the backend servers). Now, the user.key is used to authenticate your client, but the TLS key is re-negotiated. So the NSA or that malignant entity could use our VPN with your account, assuming that they also get the certificates (so they can save 7 EUR a month and get a free ride with our service), but it would not be able to decrypt your communications with our servers.
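As an added example (not code from the post or from AirVPN), here is a small shell audit of an OpenVPN client config for the properties the post describes: TLS mode (where forward secrecy applies) versus static-key mode (where it does not), the data-channel cipher, the HMAC, and the re-key interval. It also flags the "OpenVPN over Tor" case, since Tor's SOCKS port relays TCP only. The sample configs written by write_sample_conf are constructed for the demo and are not real AirVPN files; the server name vpn.example.invalid is a placeholder.

```sh
#!/bin/sh
# Added example, not AirVPN's code: audit an OpenVPN client config for the
# properties claimed in the post above (TLS mode with forward secrecy,
# periodic re-keying, AES-256-CBC data channel, SHA1 HMAC). Prints one
# key=value line per finding; exit status 0 only when the config is in TLS
# mode, i.e. when a leaked user.key could not decrypt recorded traffic.

# Last value of a directive (later lines override earlier ones, as in OpenVPN).
ovpn_get() {   # ovpn_get <file> <directive>
    awk -v d="$2" '$1 == d { v = $2 } END { print v }' "$1"
}

ovpn_has() {   # ovpn_has <file> <directive>  -> exit 0 if the directive is present
    awk -v d="$2" 'BEGIN { f = 1 } $1 == d { f = 0 } END { exit f }' "$1"
}

ovpn_audit() {   # ovpn_audit <file>
    f=$1
    # A "secret" directive means pre-shared static key mode: no TLS handshake,
    # one long-lived key, so no forward secrecy at all.
    if ovpn_has "$f" secret; then
        mode=static-key pfs=no
    elif ovpn_has "$f" client || ovpn_has "$f" tls-client; then
        mode=tls pfs=yes
    else
        mode=unknown pfs=no
    fi
    cipher=$(ovpn_get "$f" cipher); auth=$(ovpn_get "$f" auth)
    # reneg-sec is the TLS re-key interval; OpenVPN's default is 3600 s,
    # the "every 60 minutes" of the post. 0 disables periodic re-keying.
    reneg=$(ovpn_get "$f" reneg-sec); [ -n "$reneg" ] || reneg=3600
    printf 'mode=%s\npfs=%s\ncipher=%s\nauth=%s\nreneg_sec=%s\n' \
        "$mode" "$pfs" "${cipher:-unset}" "${auth:-unset}" "$reneg"
    if [ "$reneg" -eq 0 ]; then echo 'warning=reneg-sec 0 disables periodic re-keying'; fi
    # Tor's SOCKS port relays TCP only, so OpenVPN over Tor needs proto tcp.
    if ovpn_has "$f" socks-proxy; then
        proto=$(ovpn_get "$f" proto); [ -n "$proto" ] || proto=udp
        case "$proto" in
            tcp*) echo "socks_proxy=ok ($proto)" ;;
            *)    echo "warning=socks-proxy with proto $proto; use proto tcp for Tor" ;;
        esac
    fi
    [ "$pfs" = yes ]
}

# Constructed sample configs (not real AirVPN files) so the audit can be tried offline.
write_sample_conf() {   # write_sample_conf <file> tls|static|tor
    case "$2" in
        tls)    printf '%s\n' 'client' 'dev tun' 'proto udp' 'remote vpn.example.invalid 443' \
                    'cipher AES-256-CBC' 'auth SHA1' 'reneg-sec 3600' > "$1" ;;
        static) printf '%s\n' 'dev tun' 'proto udp' 'remote vpn.example.invalid 1194' \
                    'secret static.key' 'cipher AES-256-CBC' > "$1" ;;
        tor)    printf '%s\n' 'client' 'dev tun' 'proto udp' 'remote vpn.example.invalid 443' \
                    'socks-proxy 127.0.0.1 9050' 'cipher AES-256-CBC' 'auth SHA1' > "$1" ;;
    esac
}

# Usage: ovpn_audit AirVPN_XXXXX_UDP-53.ovpn
if [ $# -gt 0 ]; then ovpn_audit "$1"; fi
```

The audit only reads the file: it tells you whether the config can have forward secrecy at all, not whether the server actually negotiates an ephemeral Diffie-Hellman key, which is decided by the server side's TLS settings.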
Royee reacted to phantasteek in How to configure a Synology device ...
Here's a step-by-step of how I've set up an AirVPN OpenVPN connection on a Synology DS211j running DSM 4.2-3202:
Generate the configuration and cert/key files on the AirVPN web site:
Choose your Operating System: select Linux (see ChooseOS.jpg attachment)
Pick a server
Under Connection Modes: select Advanced Mode, select Direct, protocol UDP, port 53 and select Separate keys/certs from .ovpn file (see ConnectionModes.jpg)
Accept both, then click on Generate
Click on ZIP to download a ZIP archive containing all files (see DownloadFiles.jpg); unzip the contents to a work folder; the archive should contain the following files:
AirVPN_XXXXX_UDP-53.ovpn; XXXXX reflects the server selected above
Create an OpenVPN connection in the Synology diskstation's VPN control panel (see VPN.jpg):
use anything for the IP, user and password as they will be changed/removed manually below anyway
import the ca.crt certificate you extracted into the work folder above (see VPNGeneral.jpg)
set advanced settings as desired
as a result the following files will get created in the /usr/syno/etc/synovpnclient/openvpn folder on the diskstation (see Files.jpg):
ovpn_oXXXXXXXX.conf, where XXXXXXXX is a number assigned automatically when the OpenVPN connection is saved (probably an Id for the connection)
Modify the Synology configuration file created above:
telnet into the Synology DiskStation using a telnet/ssh app such as PuTTY and log in as root (which should have the same password as the admin user), then change directory to the openvpn folder using this command:
use a command like the one below to copy the client_oXXXXXXXX file described above to a DiskStation shared folder so you can open and change it with a text editor: cp client_oXXXXXXXX /volume1/SharedFolder/
where you substitute your specific numbers for XXXXXXXX and your specific volume and folder name for /volume1/SharedFolder
open the file you copied to the shared folder with your favourite text editor (e.g. Notepad or Notepad++) and make the following changes to merge the configuration file generated and downloaded from the AirVPN web site into it: remove all the lines from the client_oXXXXXXXX file except the 3 below:
plugin /lib/openvpn/openvpn-down-root.so /etc/ppp/ip-down
then insert all lines from the AirVPN_XXXXX_UDP-53.ovpn into the file and save it. Optionally, if you wish to have a client connection log file for debugging/troubleshooting purposes, you can also include a line like this (with your own folder and file name):
at this point the file should look something like this:
# --------------------------------------------------------
# Air VPN | https://airvpn.org | Wednesday 4th of September 2013 12:07:47 AM
# OpenVPN Client Configuration
remote some.server.address.here 53
plugin /lib/openvpn/openvpn-down-root.so /etc/ppp/ip-down
with the proper values for the server and numeric connection id instead of the placeholders "some.server.address.here" and "XXXXXXXX" I've included above
in the telnet app, while still positioned in the /usr/syno/etc/synovpnclient/openvpn folder, copy the modified client_oXXXXXXXX file back to that folder using a command like: cp /volume1/SharedFolder/client_oXXXXXXXX .
using similar commands, also copy the user.crt and user.key files over to the /usr/syno/etc/synovpnclient/openvpn folder:
cp /volume1/SharedFolder/user.crt .
cp /volume1/SharedFolder/user.key .
Any VPN configuration changes made and saved through the Synology VPN control panel will result in the client_oXXXXXXXX file being overwritten and reset to its original state before the manual edits described above, which basically renders the configuration unusable with AirVPN. If this happens the file should be restored from a previously saved backup using a cp (copy) command like the ones above, so when you get the configuration working, create a backup of the client_oXXXXXXXX file somewhere safe.
Multiple entries for different AirVPN servers can be created by downloading the configuration and key files for each server from the web site and re-doing the above steps for each entry; the proper ca.crt certificate file should be used for each entry. I believe the user.crt and user.key are the same for all servers as they are user-specific rather than server-specific, and therefore they can be reused for all connections (they don't need to be copied over to the /usr/syno/etc/synovpnclient/openvpn folder multiple times - last step above, before "done").
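As an added example (not part of phantasteek's post and not Synology or AirVPN code), the manual merge above can be scripted so it is repeatable each time the control panel overwrites the file. The post keeps three lines of the Synology-generated file but only shows the plugin line, so which other directives to keep is an assumption left to the caller; the script keeps only plugin by default. The sample files in the usage are constructed, and the numeric connection id and server name are placeholders exactly as in the post.

```sh
#!/bin/sh
# Added example, not from the post: do the manual edit described above with a
# script, check that the cert/key files the config points to are in place, and
# keep a dated backup because any save in the Synology VPN control panel
# overwrites the file.

SYNO_OVPN_DIR=/usr/syno/etc/synovpnclient/openvpn   # path from the post

# merge_synology_conf <synology_conf> <airvpn_ovpn> <out> [directive...]
# Writes the AirVPN-generated config followed by those lines of the Synology
# file whose first word is one of the given directives. The post keeps three
# Synology lines but shows only "plugin"; which other directives to keep is an
# ASSUMPTION the caller supplies (only "plugin" is kept by default).
merge_synology_conf() {
    syno=$1; air=$2; out=$3; shift 3
    keep=$*; [ -n "$keep" ] || keep=plugin
    {
        cat "$air"
        awk -v keep="$keep" '
            BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
            ($1 in want) { print }' "$syno"
    } > "$out"
}

# check_referenced_files <conf> <dir>
# With "Separate keys/certs" the generator writes ca/cert/key as bare file
# names, so they must sit next to the config (the cp steps above); report any
# that are missing from <dir>.
check_referenced_files() {
    missing=0
    for name in $(awk '$1 == "ca" || $1 == "cert" || $1 == "key" || $1 == "tls-auth" { print $2 }' "$1"); do
        if [ ! -f "$2/$name" ]; then
            echo "missing: $2/$name" >&2
            missing=1
        fi
    done
    return $missing
}

# backup_synology_conf <conf> <backup_dir>   (dated copy, never overwritten)
backup_synology_conf() {
    mkdir -p "$2" && cp "$1" "$2/$(basename "$1").$(date +%Y%m%d%H%M%S)"
}

# Usage on the DiskStation, after copying client_oXXXXXXXX and the AirVPN
# files to a shared folder as in the post (paths and ids are placeholders):
#   merge_synology_conf /volume1/SharedFolder/client_oXXXXXXXX \
#       /volume1/SharedFolder/AirVPN_XXXXX_UDP-53.ovpn /volume1/SharedFolder/merged plugin
#   check_referenced_files /volume1/SharedFolder/merged "$SYNO_OVPN_DIR"
#   backup_synology_conf /volume1/SharedFolder/merged /volume1/SharedFolder/airvpn-backup
```

check_referenced_files is the step worth running after every restore: a config that points at user.key while the key is not in the openvpn folder fails in the same way as one the control panel has reset.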
Royee reacted to hashtag in Skype start to block VPN Providers ? ...
Skype with care – Microsoft is reading everything you write
Microsoft’s tweaks to Skype could facilitate wiretapping
NSA leaks hint Microsoft may have lied about Skype security
If you have to use VoIP there are Skype alternatives on PRISM Break.
Royee reacted to fribeiro123 in How to block all traffic with DD-WRT if VPN connection fails ...
This post is for everyone who has OpenVPN configured on a DD-WRT router and wants to block all connections through the ISP if the VPN connection fails, to avoid leaking our real ISP IP.
I set up the connection to AirVPN servers using the tutorial at https://airvpn.org/ddwrt and then inserted the following line in the firewall rules: "iptables -I FORWARD -i br0 -o vlan2 -j DROP"
- br0 is the bridge with my lan ports & wireless
- vlan2 is my WAN port connected to the modem ISP
So if there is any connection starting from my LAN or WiFi to the WAN port, the firewall of the router blocks the connection.
My firewall rules are like this:
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
[STAFF EDIT] In case you apply Policy Based Routing, please see here as well:
Check the interface names and make sure to enter the correct names (in your firmware the tun interface might be tun1 or tun0, etc.).
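As an added example (not from fribeiro123's post, the staff edit or AirVPN's tutorial), here is a check that reads iptables-save output and confirms a kill switch like the one above is really in effect. The post builds it with iptables -I, which inserts at the top of the chain, so the order of the FORWARD rules is what makes the DROP effective; the check fails if an ACCEPT that could match LAN-to-WAN traffic sits above the DROP, or if the LAN-to-tun ACCEPT is missing (for instance because the tun name is wrong, as the staff edit warns). Interface names are parameters; the sample rule sets in the usage are constructed, not captured from a router.

```sh
#!/bin/sh
# Added example, not from the post: verify from `iptables-save` output that a
# kill switch like the one above is really in effect. Reads the FORWARD chain
# in evaluation order and fails if an ACCEPT that can match LAN->WAN packets
# is above the DROP, or if the LAN->tun ACCEPT is missing.

# check_killswitch <lan_if> <wan_if> <tun_if>    (iptables-save text on stdin)
check_killswitch() {
    awk -v lan="$1" -v wan="$2" -v tun="$3" '
        # iptables-save prints the rules of a chain in evaluation order
        $1 == "-A" && $2 == "FORWARD" {
            iif = ""; oif = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-i") iif = $(i + 1)
                if ($i == "-o") oif = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            # a rule with no -i/-o (e.g. a conntrack ESTABLISHED accept) also
            # matches LAN->WAN packets, so it counts if it is above the DROP
            lan2wan = (iif == "" || iif == lan) && (oif == "" || oif == wan)
            if (lan2wan && target == "ACCEPT" && !dropped) leak = 1
            if (iif == lan && oif == wan && (target == "DROP" || target == "REJECT")) dropped = 1
            if (iif == lan && oif == tun && target == "ACCEPT") tun_ok = 1
        }
        END {
            if (!dropped) { print "FAIL: no " lan "->" wan " DROP/REJECT rule in FORWARD"; exit 1 }
            if (leak)     { print "FAIL: an ACCEPT that matches " lan "->" wan " is above the DROP"; exit 1 }
            if (!tun_ok)  { print "FAIL: no " lan "->" tun " ACCEPT; VPN traffic would be blocked as well"; exit 1 }
            print "OK: " lan " traffic can only leave through " tun
        }'
}

# On the router:  iptables-save | check_killswitch br0 vlan2 tun0
if [ $# -eq 3 ]; then check_killswitch "$1" "$2" "$3"; fi
```

Run it once with the VPN up and once with the VPN disabled; the rules should pass in both cases, and the second run is also the moment to confirm, as drakon does below, that nothing on the LAN can reach the internet.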
Royee reacted to drakon in airvpn with tomato shibby router ...
The first link seems to work. Paste those rules into Administration->Scripts->Firewall and save. I'm not sure if you need to reboot, but I did. To test, go to OpenVPN and disable it. You should not be able to access the internet now (before you could without the rules). Re-enable your VPN.
When I go to https://www.dnsleaktest.com/ I get "0 DNS servers listed." Not sure what this means. I set AirVPN as my first DNS and went to OpenNIC for a couple more.
Royee reacted to Staff in Using AirVPN over TOR ...
A - If you connect any application to the same TOR proxy OpenVPN connects to, that application traffic will be tunneled over TOR only. That's normal and correct.
B - Normal again.
1. The question is a little unclear. Anyway, a packet tunneled over OpenVPN over TOR will be encrypted by OpenVPN and then by TOR. The TOR encryption is removed when the packet gets out of the TOR exit node to reach the Air server. The OpenVPN encryption is removed when the packet gets out of the AirVPN server. When passing through all the TOR nodes, your packet's "real" payload and header will still be encrypted by OpenVPN.
2. Yes, basically, oversimplifying: your node->TOR entry->TOR relay->TOR exit->Air server->the Internet
3. Assuming that with TOR -> VPN you mean "OpenVPN over TOR": if OpenVPN is connected over TOR: NO. If OpenVPN is NOT connected over TOR: YES.
To say it with different words: if you wish TOR over OpenVPN (without using VM), connect OpenVPN directly, then use TOR. In this case remember that only applications configured to connect to the TOR proxy will have their traffic over TOR over OpenVPN, all the others will have their traffic over OpenVPN only.
Royee reacted to MrConducter in Is it possible to have Air over Tor with a DD-WRT setup? ...
Hi. I know how to run Air over Tor with the client, but am not sure how to run it with the vpn going through the router. Is it even possible? Thanks.
Royee reacted to drakon in airvpn with tomato shibby router ...
Previously, I was using AirVPN with Comodo Firewall on one computer. I decided to get a Tomato router so that anything connected to this router will go through the VPN. So far it is running. My question is... Do I need to mess with iptables to prevent DNS leaks? I don't want to allow any internet access if the VPN goes down.
Royee reacted to MapI6c in Logs, raids and monitoring ...
I think you should make transparency reports about government requests (if there have been any), similar to what twitter, facebook etc have.
Royee reacted to airtight in Newbie VPN questions ...
If you use BitTorrent there is a new client out there called NeoLoader which allows you to tell it which adapter your computer uses as VPN. If that connection is interrupted or disconnected the BitTorrent client immediately shuts down. It's the easiest client to set up in this fashion. I highly recommend it.
Royee reacted to Staff in Only want to use for Torrents.. ...
Yes, actually they are planned in Eddie, the next client release for Windows, Linux+Mono and OS X. Traffic splitting is not planned though.
At this point it's unclear whether you need leak prevention or traffic splitting. The first will take just one minute of configuration; the latter can be very simple or quite complex according to how you wish to split traffic (for example, the NaDre solution, which at the beginning seemed to be what you needed, will take just a couple of minutes - not counting basic network knowledge acquisition, which varies of course, but the guide is in itself a good lesson/course on the matter as well).
Royee reacted to hashtag in German Government Warns Not To Use Windows 8 ...
This may be a problem for anyone buying a new laptop. From what I have read Windows 8 is pre-installed on all of them and cannot be removed.
Royee reacted to Staff in AirVPN Client vs OpenVPN ...
Yes, to our frontend, not to the VPN servers. It's an ordinary https connection like a web site login. The Proxy option of the Air client is meant for OpenVPN, not for the client (remember that the client is an OpenVPN wrapper). If you don't want to disclose your IP address to the frontend server, just run OpenVPN directly (or OpenVPN GUI). We don't force (and we will never force) to run any proprietary software to connect to the VPN servers.
Royee got a reaction from user37 in Any suggestions for email providers? ...
There are not many, sadly; check here for more details on the few that remain.
It would appear picking an email provider inside the US, UK and other English-speaking countries is a big no-no and under the NSA.
A few European email providers are still around. I still like Hushmail but they have in the past handed over emails to authorities... Riseup is not taking any more people on board and you have to pass their test, which some fail, and they are US based, so sooner or later perhaps the NSA gets them also.
European ones seem best; obviously it is best to stay a million miles away from Google Mail, Hotmail, Yahoo.
also check here:
which has other alternative, stronger and safer email providers, but these usually involve much higher security and work better.
Royee reacted to bayoumedic in NSA close to breaking AES encryption? ...
For added protection using TrueCrypt, use some random file as a keyfile. But don't make a mistake I made and use a photo. I later was playing around with Picasa and found out that it alters JPGs in some way, thus destroying the keyfile. (This also provides a good excuse as to why you can't give the feds access to the volume.) Luckily I had a backup.
A tip for creating a 64-char password that you can remember. And it IS important to have a strong password. Take a phrase you can easily remember and a salt, something like +$+; replace all spaces with the salt, then somewhere add a block of random characters that don't form a word, and be sure to use caps somewhere.
Also in TrueCrypt select never save history. Under settings there are options to auto-dismount, including a set idle time to dismount. Check the preserve modification timestamp so you can say 'I haven't used that file in forever, I don't remember that password'. You can also set a hot key to force a dismount and then close TrueCrypt. If you are really worried about the security of your computer, type in your password using the on-screen keyboard to bypass any keyloggers that may be installed without your knowledge.
One good use for a TC volume is to hold a virtual machine, but if you don't want to go that route you can use Sandboxie to run apps virtually inside the volume. If you were to run a P2P client or browser in Sandboxie then the browser history, cookies, acquired malware, adware, viruses and whatever else you suck off the net will be nicely contained inside your volume. If a program that is running inside of Sandboxie opens up another program then it too is in the sandbox. It's nice.
...sorry, my Adderall just kicked in.