InactiveUser

You need not worry - DRIPA will be back soon, because DANGER, DANGER, TERRORISM! Thousands of lives at risk after High Court rules snooping powers unlawful
 
One particular phrase piqued my spidey senses:
 
 
Oh, I see! You say you need all this access to solve crime and prevent terrorism, but you also use it for "non-crime enquiries"?
I have no further questions, your honor

They are relevant, but in agreement with rainmakerraw, I would say they're poorly argued:
 
1. Whonix blog's target audience must surely already know that you can't equate VPN providers with anonymity networks.   
 
2. I think it's indeed a safe assumption that many VPN users have a "false sense of security", but it's hypocritical to then talk about "anonymity guarantees of Tor". Tor Project can't, never has, and never will guarantee anything. The use of the word "guarantee" suggests a false sense of security - which, ironically, was supposed to be the author's main argument. Certainly, Tor has many valuable properties that VPNs can't offer, but not a single one of them is "guaranteed" - the author might want to remember what happened to Silk Road 2:
 
Tor Project security advisory:
 
 
Later that year, FBI/DHS affidavit:
 
 
Coincidence? I think not!
 
3. Whether or not VPNs make sense for someone depends on their threat model.
Tor is excellent but not the right tool for every job - or every person.

Yeah, because the identities of TOR users haven't routinely been compromised by three letter agencies via TOR bundle exploits, redirecting target traffic to malicious nodes, remote code execution etc...
 
OpenVPN has its limits, especially publicly available services from anonymous individuals/corporations/entities. After all, you only have the word of AirVPN - for example - that they are 'privacy hacktivists' and not actually just another node in the NSA's swathe of operations. There are no names, addresses, offices and transparency operations to audit and you only have the word of the provider that they are who they say they are, and that they provide the non-logging service that they do. In fact I'd be amazed if the NSA et al. haven't already made it a mission objective to establish a hugely popular VPN service to amass as much plain text data foreign and domestic citizens would rather stayed private for whatever reason. Given the apparent concern over encryption and 'national security' it would seem rather backwards to not do such a thing - especially with an effectively unlimited budget and people willing to actually pay you to subsidise the operation(s)!
 
Some providers, such as PIA, allege to not only keep no logs but to maintain a 'zero knowledge network. They say they don't even know if or when users are connected and have no meaningful way to separate out user identities, especially retrospectively. Other providers such as Proxy.sh have stated they keep no logs but are able and willing to live monitor (amongst other things) to identify serious breaches of their ToS to identify (and if necessary report) those users responsible. 
 
"You pays your money [or not] and makes your choice", as they say. For me OpenVPN is the superior option, especially if further obfuscated via TOR and/or alternative methods. That blog seems like nothing more than an ill formed, unreferenced fanboyism to me. But what do I know?

Hi all,
I have just stumbled across http://witch.valdikss.org.ru/ and https://medium.com/@ValdikSS/detecting-vpn-and-its-configuration-and-proxy-users-on-the-server-side-1bcc59742413
I run Eddie on Arch Linux using UDP over port 53 - mostly when I visit the first link the Witch script ran and correctly confirmed this - all but the port number. This script worked well when I connect using SSL over port 433.
Is there a way to configure Eddie to fool Witch ?
 

Hello,
 
first of all, if you just want the click-and-go solution just use the Windows Firewall and click "Network Lock" button on our Windows client Eddie, which is also free and open source. See here: https://airvpn.org/topic/12175-network-lock
 
Eddie implements Network Lock even for OS X and Linux, of course.
 
These guides come from the community and we are very happy about them because they provide alternative, community-driven solutions, instead of centralized solutions proposed by ourselves (which are anyway available).
 
We kindly ask you to get documentation before you write in our public forums. You will contribute to forum cleanness and readability and will avoid to write foolishness like the quoted sentence.
 
Kind regards

This thread is at risk of getting out of hand, so I'll keep my arguments as concise and neutral as possible:

1. Asking for an unbiased comparison in one of the competitor's forums is not ideal. This sort of topic is better discussed on a neutral platform.

2. No matter which VPN provider you choose; no matter which jurisdiction they're in, there are a few constants:
they're all companies, compelled to make money and abide law   you have to trust them: you're unable to get an inside look of their operation (which you would need for a proper evaluation) which means: some aspects of your evaluation will be based on opinion/experience/conjecture, but not fact 3.
 
Sure, three laws in particular:
 
18 U.S. Code § 3123 - Issuance of an order for a pen register or a trap and trace device:
 
 
Also, 18 U.S. Code § 2703 - Required disclosure of customer communications or records.
 
And, most worrying, 18 U.S. Code § 2709 - Counterintelligence access to telephone toll and transactional records (commonly known as "National Security Letter" / gag order):
 
 
While these laws are designed to subpoena individual customer records, their application will likely and regularly affect the whole customer base. Remember Lavabit:
"The service suspended its operations on August 8, 2013 after US government ordered it to turn over its Secure Sockets Layer (SSL) private keys" (affecting all Lavabit users).

4.
 
They only publish warrants they're allowed to publish, see 18 U.S. Code § 2703. Companies are much more likely to behave like Hushmail (silently comply) than to behave like Lavabit (resist and be forced to close shop). There is no middle ground.
 
5. I am convinced that European Union data protection laws provide a better environment for VPN providers.
 
6. I am not convinced that it makes a huge difference to be located outside of the US. It would be a fallacy to assume "US = bad, Non-US = good":
similar laws exist in all jurisdictions governments tend to ignore legal restraints anyway

This thread is at risk of getting out of hand, so I'll keep my arguments as concise and neutral as possible:

1. Asking for an unbiased comparison in one of the competitor's forums is not ideal. This sort of topic is better discussed on a neutral platform.

2. No matter which VPN provider you choose; no matter which jurisdiction they're in, there are a few constants:
they're all companies, compelled to make money and abide law   you have to trust them: you're unable to get an inside look of their operation (which you would need for a proper evaluation) which means: some aspects of your evaluation will be based on opinion/experience/conjecture, but not fact 3.
 
Sure, three laws in particular:
 
18 U.S. Code § 3123 - Issuance of an order for a pen register or a trap and trace device:
 
 
Also, 18 U.S. Code § 2703 - Required disclosure of customer communications or records.
 
And, most worrying, 18 U.S. Code § 2709 - Counterintelligence access to telephone toll and transactional records (commonly known as "National Security Letter" / gag order):
 
 
While these laws are designed to subpoena individual customer records, their application will likely and regularly affect the whole customer base. Remember Lavabit:
"The service suspended its operations on August 8, 2013 after US government ordered it to turn over its Secure Sockets Layer (SSL) private keys" (affecting all Lavabit users).

4.
 
They only publish warrants they're allowed to publish, see 18 U.S. Code § 2703. Companies are much more likely to behave like Hushmail (silently comply) than to behave like Lavabit (resist and be forced to close shop). There is no middle ground.
 
5. I am convinced that European Union data protection laws provide a better environment for VPN providers.
 
6. I am not convinced that it makes a huge difference to be located outside of the US. It would be a fallacy to assume "US = bad, Non-US = good":
similar laws exist in all jurisdictions governments tend to ignore legal restraints anyway

1. Whatever you read about proxies does not apply to VPNs, they operate in a different way.
VPNs operate on data link / network layer, making it possible to:
use them as a network tunnel for your whole internet traffic (that's how you use AirVPN!) access remote network resources (think of a company's intranet remotely accessed by employees via a VPN) Proxies on the other hand (at least the kind of proxy these websites are talking about), work on the application layer:
configure a browser to establish HTTP connections through an HTTP proxy 2. There is no clear definition for the term "transparent proxy".

Most common definition
A proxy that's transparent to the user. The user has not configured a proxy but their connections transparently go through a proxy server at some point of the route. Such a proxy might be run internally by your ISP for caching purposes, for example to cache and speed up DNS requests.

IPLeak.net's definition
IPLeak.net is unable to determine whether your connection is going through a proxy - meaning if you're indeed using a proxy, it is "transparent" to IPLeak.net.

xroxy's definition
... is not even worth talking about, it's a terribly incorrect website.
What they mean by proxies "that provide anyone with your real IP address": Some HTTP proxies modify your HTTP headers to include your real IP in the "X-Forwarded-For" field.
Again, you don't have to concern yourself with that, AirVPN's servers aren't HTTP proxies.

https is a joke?

There have already been multiple threads about this. Staff statements here and here.

There have already been multiple threads about this. Staff statements here and here.

I consider The NoScript Misnomer to be a very important article.

By "exploiting" an entry on NoScript's whitelist, the author shines light on several pitfalls that not every NoScript user might be fully aware of:
NoScript comes with a default, enabled whitelist. whitelists are inherently flawed, even more so if you don't even maintain them yourself if you use a security tool without fully understanding its operation and configuration, you lull yourself into a false sense of security blocking all malicious scripts is unrealistic - you will need to think about defense in depth and sandboxing I personally use NoScript in combination with uBlock Origin in its advanced dynamic filtering mode. I also sandbox applications like Firefox, Thunderbird, Pidgin using Firejail, a small application that provides a convenient interface to built-in Linux kernel features (seccomp, namespaces, caps).
 
Ideally, I would be using Qubes OS for better isolation, but it's not like hypervisors are somehow magically flawless, either.

rickjames, thanks, that's a valuable hint: libnetfilter-conntrack3 is installed in my Mint VM (the package is part of a default Ubuntu 14.04, according to .manifest), but not in one of my minimal Arch installs - thus, no conntrack enabled there.
conntrackd, contrack-tools are not part of any default Mint/Ubuntu/Fedora install. To my understanding, you only need those for interfering with or monitoring tracked connections, but not for the actual conntracking.
 
Edit:
ufw uses state-tracking as a fallback. On my conntrack-less Arch:
iptables-save | grep state
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-logging-deny -m state --state INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
 

All valid points, especially if OP already uses Eddie.
 
One note about ufw/gufw and conntrack: even if you don't see it in the GUI(s), ufw does use conntrack by default:
 
iptables-save | grep conntr
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN

Thanks for that great information! I was actually able to limit the matches as you suggested by adding a 0-byte at the end of the pattern:
 
-A OUTPUT -p udp --dport 53 -m string --hex-string "|03|vpn|06|airdns|03|org|00|" --algo bm -j ACCEPT We can even get stricter and only allow requests of type A (a host address):
3.2.2. TYPE values TYPE fields are used in resource records. Note that these types are a subset of QTYPEs. TYPE value and meaning A 1 a host address NS 2 an authoritative name server MD 3 a mail destination (Obsolete - use MX) MF 4 a mail forwarder (Obsolete - use MX) CNAME 5 the canonical name for an alias SOA 6 marks the start of a zone of authority MB 7 a mailbox domain name (EXPERIMENTAL) MG 8 a mail group member (EXPERIMENTAL) MR 9 a mail rename domain name (EXPERIMENTAL) NULL 10 a null RR (EXPERIMENTAL) WKS 11 a well known service description PTR 12 a domain name pointer HINFO 13 host information MINFO 14 mailbox or mail list information MX 15 mail exchange TXT 16 text strings Source: http://www.ietf.org/rfc/rfc1035.txt 
By including those 2 bytes, which results in the following line for /etc/ufw/before.rules:
 
-A OUTPUT -p udp --dport 53 -m string --hex-string "|03|vpn|06|airdns|03|org|00 00 01|" --algo bm -j ACCEPT Edit: Format

Just download the config files with advanced + Resolved hosts in .ovpn file checked. Then no resolution is needed at connection time.
 
However It sounds like you're using the air client. If that's the case the network lock feature will make rules for you.
I only briefly looked at that firestarter guide but I don't see connection tracking in there anywhere. The air client uses basic connection tracking / states ect. Even the basic version is better than nothing.
 
I won't pretend to be familiar with these gui's as I'm a big believer in less is more. But after seeing the rules the air client makes, I wouldn't hesitate to run it. My network environment just won't work with it. If I could use it I would, if only for simplicity.

I am not really sure why to do all these workarounds, when you can call an easier solution.
First, {country}.vpn.airdns.org does not just return a random server, it returns the best server in each
300 seconds timeframe. I believe the DNS backend that Air uses, has some sort of load balancing that
queries the API in the backend.
 
Now let's get to the API.
iptables allows custom scripts to be executed, which means you can query the API directly to find the best
server. Under some circumstances, it might even find a better server for you than the dns resolution.
Those circumstances are when you are quering some ISP DNS servers that might cache records and so on.

Thank you.
I was unaware it had that capability.
 
Does it install conntrack conntrackd libnetfilter-conntrack3 by default? I don't have any machines running ufw atm. Sorry for being lazy lol. Its just easier to ask than setup a vm.

rickjames, thanks, that's a valuable hint: libnetfilter-conntrack3 is installed in my Mint VM (the package is part of a default Ubuntu 14.04, according to .manifest), but not in one of my minimal Arch installs - thus, no conntrack enabled there.
conntrackd, contrack-tools are not part of any default Mint/Ubuntu/Fedora install. To my understanding, you only need those for interfering with or monitoring tracked connections, but not for the actual conntracking.
 
Edit:
ufw uses state-tracking as a fallback. On my conntrack-less Arch:
iptables-save | grep state
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-logging-deny -m state --state INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
 

All valid points, especially if OP already uses Eddie.
 
One note about ufw/gufw and conntrack: even if you don't see it in the GUI(s), ufw does use conntrack by default:
 
iptables-save | grep conntr
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN

This software shows the IP and country flag in tray icon. At launch and every time the network gets changed (availability or new address).
​This is useful for those who are not using the AirVPN Client (for example when you entered your VPN in your router) but still want to be able to quickly see if the VPN is active.
It's poorly written in VB.NET. You can polish it if you want.
​
​Runs in windows computer only.
​You need .NET framework 4.5 or higher to use this software and Visual Studio 2013 or higher to compile the source code. Please see 'LICENSE.TXT' as this software uses third party icons.
 
Changelog:
[1.1]
+ Uses MaxMind Geo2IP OFFLINE database to resolve the country. Please take care of the updated license.txt about thirdparties. For updates of the database visit http://dev.maxmind.com/geoip/geoip2/geolite2/
+ Added a close button to context menu
+ Left click on icon shows current IP and country
! Network change event was not fired when for example vmware network adapters are installed. It has been replaced by a timer checking every 2 seconds of network adapter changes.
- Removed whatismyipadress, removed ip2country
 
Due to AirVPN file size restriction you need to download the 1.1 executable from an external site (or download the source from here and compile it by yourself):
http://www11.zippyshare.com/v/1k6ZlRQ0/file.html
 
CRC32: ABE78AD3
MD5: 6EB04D609FDB256D97E92C7305A9B9D5
SHA-1: EEAE81144A01DB444B34A6B919557D46DBFEF27B
IPCheck_source.zip
IPCheck_executable.zip

IPCheck_sourcev1.1.zip

I consider The NoScript Misnomer to be a very important article.

By "exploiting" an entry on NoScript's whitelist, the author shines light on several pitfalls that not every NoScript user might be fully aware of:
NoScript comes with a default, enabled whitelist. whitelists are inherently flawed, even more so if you don't even maintain them yourself if you use a security tool without fully understanding its operation and configuration, you lull yourself into a false sense of security blocking all malicious scripts is unrealistic - you will need to think about defense in depth and sandboxing I personally use NoScript in combination with uBlock Origin in its advanced dynamic filtering mode. I also sandbox applications like Firefox, Thunderbird, Pidgin using Firejail, a small application that provides a convenient interface to built-in Linux kernel features (seccomp, namespaces, caps).
 
Ideally, I would be using Qubes OS for better isolation, but it's not like hypervisors are somehow magically flawless, either.

I consider The NoScript Misnomer to be a very important article.

By "exploiting" an entry on NoScript's whitelist, the author shines light on several pitfalls that not every NoScript user might be fully aware of:
NoScript comes with a default, enabled whitelist. whitelists are inherently flawed, even more so if you don't even maintain them yourself if you use a security tool without fully understanding its operation and configuration, you lull yourself into a false sense of security blocking all malicious scripts is unrealistic - you will need to think about defense in depth and sandboxing I personally use NoScript in combination with uBlock Origin in its advanced dynamic filtering mode. I also sandbox applications like Firefox, Thunderbird, Pidgin using Firejail, a small application that provides a convenient interface to built-in Linux kernel features (seccomp, namespaces, caps).
 
Ideally, I would be using Qubes OS for better isolation, but it's not like hypervisors are somehow magically flawless, either.

No, you shouldn't rename it to .conf, that's only necessary if you put the file in /etc/openvpn for use with openvpn in system daemon mode.
By the sound of the error message I assume Britman tries to use the NetworkManager GUI.

1. Most likely, the package network-manager-openvpn-gnome is missing
 
sudo apt-get install network-manager-openvpn-gnome 2. Not related to your error message, but still worth mentioning: I'm pretty sure NetworkManager is still unable to handle inline keys/certs.
Air's Config Generator has the option "Separate keys/certs from .ovpn file" (in Advanced Mode).
 

​Yes, there is. It has to be configured per network connection, not per network interface.
Launch nm-connection-editor (GUI name: "Network Connections" - it's part of NetworkManager, if you can't find it, start it from the commandline).
Choose your WiFi or LAN connection, click "Edit", select the "General" tab.
There, you can enable "Automatically connect to VPN when using this connection". It will let you choose from NetworkManager's list of VPN connections.

Screenshot attached: