sheivoko

Answer to question 1)
 
There are two different types of credentials:
- your AirVPN account / password (the client is able to save these credentials)
- your Mint user account password (the client can't save this password. Every time you launch the client, it needs to ask the OS for root privileges)

If you want to launch the client automatically on system boot, add it to Mint's autostart list (but you'd still have to enter your sudo password).

If you want to run the client without having to enter your sudo password, that's possible too (but slightly tricky if you're totally unfamiliar with the process).

I've already detailed both of these procedures with screenshots / commands in another thread:
https://airvpn.org/topic/12797-from-windows-7-to-linux-problem/
 
 
Answer to question 2)
 
Linux uses the /etc/resolv.conf file which contains all DNS servers that the system may use. If it contains any other than AirVPN servers (which have IPs like 10.X.0.X), that would be the cause of your leaks. The AirVPN client offers options to manage the resolv.conf file, check the client menu, "Advanced" section.
To see if it did its job, connect to AirVPN and then check the contents of the /etc/resolv.conf file.

I'll be honest, when i first encountered firewalld I had the same reflex, trying to go back to iptables. But it's not that different if you make use of the "direct configuration" mode.
You can either use the "Firewall" GUI to write/edit your rules...
 

 
 
... or use the command line. I will list the commands / rules that I personally use.
I should add that I don't use the Eddie client, I connect directly via NetworkManager.
The following content is not a step by step guide. I am merely presenting a few rule examples and some general tips and tricks that I personally make use of. I achieve blocking non-VPN traffic by whitelisting AirVPN's entry servers and blocking all other direct traffic.

- firewalld commands to directly alter permanent rules -
 
#allow loopback firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -i lo -j ACCEPT firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT #allow lan (out) and broadcasting/dhcp firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -s 255.255.255.255 -j ACCEPT firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d 255.255.255.255 -j ACCEPT # allow tun device to communicate firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 998 -o tun+ -j ACCEPT # optional masquerade rule (NAT/ports) firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -o tun+ -j MASQUERADE # finally, drop outgoing ipv4 (if not specifically allowed by other rules) firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 999 -j DROP # optionally, block incoming ipv4 firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 999 -j DROP # drop all ipv6 firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -j DROP   firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -j DROP # example: allow outgoing ipv4 to a specific AirVPN entry server firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -d 82.118.16.175 -j ACCEPT # alternatively, lock it down to specific port and protocol: firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p udp -m udp --dport=443 -d 82.118.16.175 -j ACCEPT # add such a rule for every AirVPN entry server you need to connect to   Don't forget to restart firewalld to apply the new permanent rules:
 
systemctl restart firewalld   
 
 
- tips and tricks -
 

If you intend to use most / all AirVPN servers, it would be tedious to add rules one by one. Here are some hints on how to automate the process.
 
1. Generate .ovpn file containing all servers:
 

 
 
 
2. bash one-liner to generate firewall rules for all IPs
 
grep "remote " AirVPN_All-servers_UDP-443.ovpn | awk {'print $2'} | tr '\n' '\0' | xargs -0 -L1 -I '$' echo 'firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p udp -m udp --dport=443 -d $ -j ACCEPT' > firewalld-commands  Breaking down all parts of this one-liner:
 
grep "remote " AirVPN_All-servers_UDP-443.ovpn   
...find all lines that contain an entry IP
 
 
awk {'print $2'}   
...only print the 2nd column of the lines to get the IPs by themselves
 
 
tr '\n' '\0'   
...translate the newline character so that xargs can parse the lines correctly
 
 
xargs -0 -L1 -I '$' echo 'firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p udp -m udp --dport=443 -d $ -j ACCEPT'   
...for each line, xargs will echo a string (the firewall command) and replace each "$" with the IP we pipe into xargs    
 
 
> firewalld-commands   
...finally, save the output (the generated firewall rules) as a file called "firewalld-commands


You can then run this file (as root) to execute the generated rules all at once:
 
bash firewalld-commands   
Don't forget to restart firewalld for the new permanent rules to take effect:
 
systemctl restart firewall   
You can print all permanent rules using:
 
firewall-cmd --direct --get-all-rules   
 
General advice
 
- Don't forget to test your firewall rules!
- Don't copy my rules! They're just an example! Adapt them to your situation!
- Remember that AirVPN occasionally withdraws and also adds servers. Maintain your rules to reflect changes.
- Don't forget to correctly configure DNS resolution in order to avoid DNS leaks. Especially when using NetworkManager.

I'll be honest, when i first encountered firewalld I had the same reflex, trying to go back to iptables. But it's not that different if you make use of the "direct configuration" mode.
You can either use the "Firewall" GUI to write/edit your rules...
 

 
 
... or use the command line. I will list the commands / rules that I personally use.
I should add that I don't use the Eddie client, I connect directly via NetworkManager.
The following content is not a step by step guide. I am merely presenting a few rule examples and some general tips and tricks that I personally make use of. I achieve blocking non-VPN traffic by whitelisting AirVPN's entry servers and blocking all other direct traffic.

- firewalld commands to directly alter permanent rules -
 
#allow loopback firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -i lo -j ACCEPT firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT #allow lan (out) and broadcasting/dhcp firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -s 255.255.255.255 -j ACCEPT firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d 255.255.255.255 -j ACCEPT # allow tun device to communicate firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 998 -o tun+ -j ACCEPT # optional masquerade rule (NAT/ports) firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -o tun+ -j MASQUERADE # finally, drop outgoing ipv4 (if not specifically allowed by other rules) firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 999 -j DROP # optionally, block incoming ipv4 firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 999 -j DROP # drop all ipv6 firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -j DROP   firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -j DROP # example: allow outgoing ipv4 to a specific AirVPN entry server firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -d 82.118.16.175 -j ACCEPT # alternatively, lock it down to specific port and protocol: firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p udp -m udp --dport=443 -d 82.118.16.175 -j ACCEPT # add such a rule for every AirVPN entry server you need to connect to   Don't forget to restart firewalld to apply the new permanent rules:
 
systemctl restart firewalld   
 
 
- tips and tricks -
 

If you intend to use most / all AirVPN servers, it would be tedious to add rules one by one. Here are some hints on how to automate the process.
 
1. Generate .ovpn file containing all servers:
 

 
 
 
2. bash one-liner to generate firewall rules for all IPs
 
grep "remote " AirVPN_All-servers_UDP-443.ovpn | awk {'print $2'} | tr '\n' '\0' | xargs -0 -L1 -I '$' echo 'firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p udp -m udp --dport=443 -d $ -j ACCEPT' > firewalld-commands  Breaking down all parts of this one-liner:
 
grep "remote " AirVPN_All-servers_UDP-443.ovpn   
...find all lines that contain an entry IP
 
 
awk {'print $2'}   
...only print the 2nd column of the lines to get the IPs by themselves
 
 
tr '\n' '\0'   
...translate the newline character so that xargs can parse the lines correctly
 
 
xargs -0 -L1 -I '$' echo 'firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p udp -m udp --dport=443 -d $ -j ACCEPT'   
...for each line, xargs will echo a string (the firewall command) and replace each "$" with the IP we pipe into xargs    
 
 
> firewalld-commands   
...finally, save the output (the generated firewall rules) as a file called "firewalld-commands


You can then run this file (as root) to execute the generated rules all at once:
 
bash firewalld-commands   
Don't forget to restart firewalld for the new permanent rules to take effect:
 
systemctl restart firewall   
You can print all permanent rules using:
 
firewall-cmd --direct --get-all-rules   
 
General advice
 
- Don't forget to test your firewall rules!
- Don't copy my rules! They're just an example! Adapt them to your situation!
- Remember that AirVPN occasionally withdraws and also adds servers. Maintain your rules to reflect changes.
- Don't forget to correctly configure DNS resolution in order to avoid DNS leaks. Especially when using NetworkManager.

I have checked my hosts file and it does not have any duplicate lines in it.
(I compared the linecount of "cat /etc/hosts | wc -l" versus "cat /etc/hosts | sort | uniq | wc -l").
 
What do you mean by "they don't list the output of the compiled list of blocked hosts"?
The resulting hosts file already is a "hosts friendly file" - it's plain text!  
 
You can set a custom path for the resulting file in the rc.conf:
 
 
# FINAL HOSTSFILE. The final hosts file that combines together all downloaded # blocklists. If not using a dns caching daemon like dnsmasq, this should be # /etc/hosts. Include hosts file entries which you want to maintain in the # "hostshead" entry, such as your loopback device (e.g. 127.0.0.1 localhosts) hostsfile="/etc/hosts.block" #hostsfile="/etc/hosts" # If not using a dns caching daemon   
 
I am not aware of any fundamental differences between the Windows and Linux implementations of the hosts file standard. I would imagine that you could use hostsblock on a Linux box or VM and sync it over to your other Windows/OS X machines. If these machines need to keep some custom entries you might need to append to the existing hosts file, not replace it.
That could be achieved easily by copying the machine-specific lines into a separate file, then using a little script to append hostsblock's synced-over hosts file, save the resulting file as \system32\drivers\etc\hosts (or wherever Windows expects its hosts file to be).

"this is not my real IP, no-one knows who I am"

I wouldn't be so definitive about that.
As you know, browsers are usually very fingerprintable:
http://panopticlick.eff.org/

Consider this scenario:
- You use AirVPN
- You don't block ads / trackers (but regularly delete cookies)
- You use Facebook/Twitter/Google/ other services that know your identity
- You browse the web

In this case, and as far as my understanding goes, trackers on Facebook etc. would be able to link your fingerprint (no cookies needed for that) to your identity and track your fingerprint around the web.

----

For your "poll", I'll detail my browsing setup. Most of my precautions are aimed at improving security; as a side effect, some of them also help against tracking.

hostsblocks - this tool auto-updates my /etc/hosts file to block most ads / trackers. Very configurable. You mentioned that common  adblockers slow you down - you may want to try this one instead!
http://gaenserich.github.com/hostsblock

Sandboxing via firejail - Firefox does not see any other processes on the system and can't access certain personal directories (my web browser does not need access to my bank receipts, does it?)
The same can be achieved by properly using SELinux but firejail is easier to configure (I know, shame on me).
http://l3net.wordpress.com/projects/firejail/
 
No Flash/Java plugins installed. YouTube still works just fine with HTML5.
 
Firefox addons:

Adblock Edge + Element Hiding Helper
I already block ad/tracker servers via hostsblock, but it's still useful for hiding certain parts of websites that I don't ever want to see.

NoScript
I only enable JavaScript for very few sites, never for 3rd parties.

Self-Destructing Cookies
If a site no longer has any open tabs, delete its cookies.
 
Cookie Monster
I use it to whitelist a few cookies so they won't get auto-deleted. Works great in combination with Self-Destructing Cookies.

HTTPS-Everywhere
Automatically switches from http to https whenever possible.

RefControl
No website needs to know how I got there. Some sites protect against hotlinking - RefControl can be used to send a forged referer to those sites, pointing to the site itself (or actually sending the real referer).

RequestPolicy
All requests to 3rd-party domains get blocked by default. I imagine this would be very annoying for most people, but I don't want any 3rd parties while I'm browsing a 2nd party. Many sites use centralized services or CDNs - you can't use them wihout selectively enabling 3rd parties - that will definitely slow you down your browsing experience, similar to the frustrations of running NoScript.
----

Rant on why I use such a frustrating setup, including NoScript and RequestPolicy:

It's not just about privacy or security. I hate the modern web. I don't ever want to login to sites using some social network. I don't need fancy. I want information. The amazing property of the world wide web used to be the fact that everyone has the power to host their own site. Nowadays, sites flock towards centralized services like Wordpress, Cloudflare, Google.  I want the internet to be decentralized and independent.

Another one of my related pet peaves:
JavaScript should be an addition to, not a replacement for HTML.
If you host a website, you must provide a basic version via pure HTML and if you think it's necessary, go nuts and improve it using JavaScript. Sites that can't even display basic information without the use of (often embedded, 3rd-party) JavaScript (or, even worse, Java/Flash) can go to hell.
 
----
 
Happy Christmas!

"this is not my real IP, no-one knows who I am"

I wouldn't be so definitive about that.
As you know, browsers are usually very fingerprintable:
http://panopticlick.eff.org/

Consider this scenario:
- You use AirVPN
- You don't block ads / trackers (but regularly delete cookies)
- You use Facebook/Twitter/Google/ other services that know your identity
- You browse the web

In this case, and as far as my understanding goes, trackers on Facebook etc. would be able to link your fingerprint (no cookies needed for that) to your identity and track your fingerprint around the web.

----

For your "poll", I'll detail my browsing setup. Most of my precautions are aimed at improving security; as a side effect, some of them also help against tracking.

hostsblocks - this tool auto-updates my /etc/hosts file to block most ads / trackers. Very configurable. You mentioned that common  adblockers slow you down - you may want to try this one instead!
http://gaenserich.github.com/hostsblock

Sandboxing via firejail - Firefox does not see any other processes on the system and can't access certain personal directories (my web browser does not need access to my bank receipts, does it?)
The same can be achieved by properly using SELinux but firejail is easier to configure (I know, shame on me).
http://l3net.wordpress.com/projects/firejail/
 
No Flash/Java plugins installed. YouTube still works just fine with HTML5.
 
Firefox addons:

Adblock Edge + Element Hiding Helper
I already block ad/tracker servers via hostsblock, but it's still useful for hiding certain parts of websites that I don't ever want to see.

NoScript
I only enable JavaScript for very few sites, never for 3rd parties.

Self-Destructing Cookies
If a site no longer has any open tabs, delete its cookies.
 
Cookie Monster
I use it to whitelist a few cookies so they won't get auto-deleted. Works great in combination with Self-Destructing Cookies.

HTTPS-Everywhere
Automatically switches from http to https whenever possible.

RefControl
No website needs to know how I got there. Some sites protect against hotlinking - RefControl can be used to send a forged referer to those sites, pointing to the site itself (or actually sending the real referer).

RequestPolicy
All requests to 3rd-party domains get blocked by default. I imagine this would be very annoying for most people, but I don't want any 3rd parties while I'm browsing a 2nd party. Many sites use centralized services or CDNs - you can't use them wihout selectively enabling 3rd parties - that will definitely slow you down your browsing experience, similar to the frustrations of running NoScript.
----

Rant on why I use such a frustrating setup, including NoScript and RequestPolicy:

It's not just about privacy or security. I hate the modern web. I don't ever want to login to sites using some social network. I don't need fancy. I want information. The amazing property of the world wide web used to be the fact that everyone has the power to host their own site. Nowadays, sites flock towards centralized services like Wordpress, Cloudflare, Google.  I want the internet to be decentralized and independent.

Another one of my related pet peaves:
JavaScript should be an addition to, not a replacement for HTML.
If you host a website, you must provide a basic version via pure HTML and if you think it's necessary, go nuts and improve it using JavaScript. Sites that can't even display basic information without the use of (often embedded, 3rd-party) JavaScript (or, even worse, Java/Flash) can go to hell.
 
----
 
Happy Christmas!

"this is not my real IP, no-one knows who I am"

I wouldn't be so definitive about that.
As you know, browsers are usually very fingerprintable:
http://panopticlick.eff.org/

Consider this scenario:
- You use AirVPN
- You don't block ads / trackers (but regularly delete cookies)
- You use Facebook/Twitter/Google/ other services that know your identity
- You browse the web

In this case, and as far as my understanding goes, trackers on Facebook etc. would be able to link your fingerprint (no cookies needed for that) to your identity and track your fingerprint around the web.

----

For your "poll", I'll detail my browsing setup. Most of my precautions are aimed at improving security; as a side effect, some of them also help against tracking.

hostsblocks - this tool auto-updates my /etc/hosts file to block most ads / trackers. Very configurable. You mentioned that common  adblockers slow you down - you may want to try this one instead!
http://gaenserich.github.com/hostsblock

Sandboxing via firejail - Firefox does not see any other processes on the system and can't access certain personal directories (my web browser does not need access to my bank receipts, does it?)
The same can be achieved by properly using SELinux but firejail is easier to configure (I know, shame on me).
http://l3net.wordpress.com/projects/firejail/
 
No Flash/Java plugins installed. YouTube still works just fine with HTML5.
 
Firefox addons:

Adblock Edge + Element Hiding Helper
I already block ad/tracker servers via hostsblock, but it's still useful for hiding certain parts of websites that I don't ever want to see.

NoScript
I only enable JavaScript for very few sites, never for 3rd parties.

Self-Destructing Cookies
If a site no longer has any open tabs, delete its cookies.
 
Cookie Monster
I use it to whitelist a few cookies so they won't get auto-deleted. Works great in combination with Self-Destructing Cookies.

HTTPS-Everywhere
Automatically switches from http to https whenever possible.

RefControl
No website needs to know how I got there. Some sites protect against hotlinking - RefControl can be used to send a forged referer to those sites, pointing to the site itself (or actually sending the real referer).

RequestPolicy
All requests to 3rd-party domains get blocked by default. I imagine this would be very annoying for most people, but I don't want any 3rd parties while I'm browsing a 2nd party. Many sites use centralized services or CDNs - you can't use them wihout selectively enabling 3rd parties - that will definitely slow you down your browsing experience, similar to the frustrations of running NoScript.
----

Rant on why I use such a frustrating setup, including NoScript and RequestPolicy:

It's not just about privacy or security. I hate the modern web. I don't ever want to login to sites using some social network. I don't need fancy. I want information. The amazing property of the world wide web used to be the fact that everyone has the power to host their own site. Nowadays, sites flock towards centralized services like Wordpress, Cloudflare, Google.  I want the internet to be decentralized and independent.

Another one of my related pet peaves:
JavaScript should be an addition to, not a replacement for HTML.
If you host a website, you must provide a basic version via pure HTML and if you think it's necessary, go nuts and improve it using JavaScript. Sites that can't even display basic information without the use of (often embedded, 3rd-party) JavaScript (or, even worse, Java/Flash) can go to hell.
 
----
 
Happy Christmas!

Would AirVPN consider setting up a warrant canary https://en.wikipedia.org/wiki/Warrant_canary
LiquidVPN  https://www.liquidvpn.com/ is the only VPN service I'm aware of that offer's this...https://www.liquidvpn.com/billing/canary/canary
This would be a great feature, another layer of security and the ultimate in piece of mind.

Two steps:
- Tell the AirVPN client to automatically connect when launched
- Add the AirVPN client to Mint's "Startup Applications".
​
Here's a screenshot detailing all the steps:

I tried this with Mint 17.1 MATE, but the Cinnamon edition features the same "Startup Applications" tool, afaik.

Caveat: You still have to enter your sudo/user password every time AirVPN starts.
If that bothers you, you can edit the "sudoers" file to let you run AirVPN as root without having to enter any password.
If you're totally new to sudo and its sudoers file, I'd recommend reading Ubuntu's documentation first:
​https://help.ubuntu.com/community/Sudoers
​The paragraph "Shutting Down From The Console Without A Password" describes a similar use case to what we're doing here.
The only way to edit sudoers is on the command line using:
 
sudo visudo Add the following line to the very end of that file (replace the word "user" with your own user name):
 
user ALL=(ALL) NOPASSWD: /usr/bin/airvpn Exit visudo with ctrl-x.
 
​
Go back into Mint's "Startup Applications", edit the AirVPN entry.
Change its command from ..
/usr/bin/airvpn to ..
sudo /usr/bin/airvpn and reboot.

​https://www.youtube.com/watch?v=dNZrq2iK87k
 
If you haven't seen this yet - this is a 2+ hour, must-watch presentation about the current state of data collection / analysis / surveillance / targeting, held by (right-wing, anti-Snowden!) private investigator Steven Rambam at the HOPE X conference.


Money quotes:

"If this stuff had existed during the American Revolution, all of the leaders of the revolution would have been identified and arrested."

"It's a double-edged sword. Undercover agents, people risking their lives assuming identities, what do they do about this? (..) It's a nightmare now. (..) Motorcycle gangs now have membership applications. And they hire private investigators to check them out."

"All of this stuff is being done to catalog us, pigeonhole us - is it actually translating (..) to a reduction in crime rates, catching of terrorists, finding missing persons? No. Not at all."


This presentation is a great reminder that yes, we need technological solutions like VPNs and Tor but the real problem lies so much deeper. It doesn't matter how hard we try, we can't escape or avoid "the system". We have to change it and it's not just some crooked governments or a few misguided corporations: it's the current, global mindset that enables these violations and this wrong way of thinking.

Hello!
 
The implications of the paper are completely different than what the message seems to suggest. In particular how did you get the idea that "If you use TOR, there's a 81.6% chance someone knows your real IP." from the paper? It says quite the opposite, i.e. that even if the attack was successful, the likelihood to get your real IP address is astronomically low.
 
Besides paper reading, https://blog.torproject.org/blog/traffic-correlation-using-netflows can help. Do not miss the comments from the paper authors themselves.It looks like several persons are taking this paper implications at the exact opposite of what they are. Urban legends seem to spread very fast even nowadays.
 
Kind regards

​https://www.youtube.com/watch?v=dNZrq2iK87k
 
If you haven't seen this yet - this is a 2+ hour, must-watch presentation about the current state of data collection / analysis / surveillance / targeting, held by (right-wing, anti-Snowden!) private investigator Steven Rambam at the HOPE X conference.


Money quotes:

"If this stuff had existed during the American Revolution, all of the leaders of the revolution would have been identified and arrested."

"It's a double-edged sword. Undercover agents, people risking their lives assuming identities, what do they do about this? (..) It's a nightmare now. (..) Motorcycle gangs now have membership applications. And they hire private investigators to check them out."

"All of this stuff is being done to catalog us, pigeonhole us - is it actually translating (..) to a reduction in crime rates, catching of terrorists, finding missing persons? No. Not at all."


This presentation is a great reminder that yes, we need technological solutions like VPNs and Tor but the real problem lies so much deeper. It doesn't matter how hard we try, we can't escape or avoid "the system". We have to change it and it's not just some crooked governments or a few misguided corporations: it's the current, global mindset that enables these violations and this wrong way of thinking.

On a rooted device, you should check out the excellent open source iptables frontend AFWall+:
 
https://f-droid.org/repository/browse/?fdid=dev.ukanth.ufirewall
 
In its preferences, enable "VPN control" to give you fine-grained control over every app's connectivity (allow app traffic via: WiFi / Mobile Data / only via VPN / none).
 
Another interesting setting to consider would be "Fix Data Startup Leak" which prevents Android from sending any packets before AFWall's iptables rules are loaded. Be careful with this option, it's incompatible with certain devices, preventing them from booting. It's happened to me with several devices so I leave this option disabled. As a workaround (which may or may not be effective), I put my devices in airplane mode prior to rebooting.

On a rooted device, you should check out the excellent open source iptables frontend AFWall+:
 
https://f-droid.org/repository/browse/?fdid=dev.ukanth.ufirewall
 
In its preferences, enable "VPN control" to give you fine-grained control over every app's connectivity (allow app traffic via: WiFi / Mobile Data / only via VPN / none).
 
Another interesting setting to consider would be "Fix Data Startup Leak" which prevents Android from sending any packets before AFWall's iptables rules are loaded. Be careful with this option, it's incompatible with certain devices, preventing them from booting. It's happened to me with several devices so I leave this option disabled. As a workaround (which may or may not be effective), I put my devices in airplane mode prior to rebooting.

Overview

We host a XMPP (Jabber) server, with A-A security rating. We recommend to use only OTR compatible client.

It's available for free to every member of this website.

This forum is open to already available or new guides, tutorials or discussions (even about XEP).


Recommended client

OS X: Adium
Windows, Linux: Pidgin
Android: Xabber

Lots of different questions, let's try and untangle this:
 
A firewall that's deployed on your computer can be configured to filter all packets coming into (ingress filtering) and/or originating from (egress filtering) your computer's network interfaces.Whenever your network interfaces try to communicate, the firewall will look at the packets (destination, target, port, protocol, ..) and decide whether to allow, deny, modify or redirect them.
Also, nothing connects to a firewall; it's a transparent layer that either lets you through or not.
 
 
If you establish a connection from your computer to a VPN server, your computer - not the router - is the endpoint of the tunnel.
Of course, your router is still part of the route, so if there's a firewall on your router, that will affect your computer too. Many routers are configured to not allow incoming traffic and/or port forwarding by default.
 
Unless you use AirVPN's Port Forwarding, a port scan of an AirVPN IP will not reveal any of your computer's services / ports.
 
Regardless of whether you use VPNs or not, it is generally recommended to have your computer's firewall deny incoming traffic by default and selectively open ports for incoming traffic when such a need arises.
 
With regard to VPNs, the talk about firewalls is usually about egress filtering: Configuring the firewall to deny outgoing traffic by default, only allowing communication to AirVPN entry servers. This will prevent accidental, unsecured communication.

Leaked XKeyscore selectors:
http://daserste.ndr.de/panorama/xkeyscorerules100.txt
If this document is authentic, any interest in Tor will mark you as an extremist:
 
- Asking bridges@torproject.org for a bridge IP:
Which means that the NSA gains knowledge about the non-public entry nodes and those who use them.Isn't it unbelievable that dissidents using Tor in China, Iran, repressive countries all over the world become NSA targets? Marked as extremists by the land of the free?
 
- Googling for..
Welcome to the NSA database, extremist! 
- Using Tor hidden services:
If you run hidden services, don't consider them "hidden". Expect exploitation attempts. 
Do not let them scare you off Tor. Yes, it's scary, but if you think about the rotten goals of NSA/GCHQ/BND, it's not a shocking revelation - it had to be expected. So, the only conclusion should be: Use the heck out of Tor, now more than ever! You can't escape ubiquitous surveillance, but you can make it harder! Run nodes! Fund nodes! Stop voting for parties that don't act against the surveillance state! Make yourself heard!

Leaked XKeyscore selectors:
http://daserste.ndr.de/panorama/xkeyscorerules100.txt
If this document is authentic, any interest in Tor will mark you as an extremist:
 
- Asking bridges@torproject.org for a bridge IP:
Which means that the NSA gains knowledge about the non-public entry nodes and those who use them.Isn't it unbelievable that dissidents using Tor in China, Iran, repressive countries all over the world become NSA targets? Marked as extremists by the land of the free?
 
- Googling for..
Welcome to the NSA database, extremist! 
- Using Tor hidden services:
If you run hidden services, don't consider them "hidden". Expect exploitation attempts. 
Do not let them scare you off Tor. Yes, it's scary, but if you think about the rotten goals of NSA/GCHQ/BND, it's not a shocking revelation - it had to be expected. So, the only conclusion should be: Use the heck out of Tor, now more than ever! You can't escape ubiquitous surveillance, but you can make it harder! Run nodes! Fund nodes! Stop voting for parties that don't act against the surveillance state! Make yourself heard!

The owner of one of the TOR directory servers himself confirmed he had seen the source code of XKeyscore and saw his server's IP hardcoded in there. The server is located in Nürnberg, Germany, and is called Gabelmoo.
 
Id est: XKeyscore logged every attempt to access his server. Additionally, comments made in the source code show that everyone who is accessing the directory server is made an "extremist" - at least in the terminology of the NSA.
 
In the source code the student hasn't seen any proof that TOR relay servers are exposed to the same risk. This task might be allotted to another application...
 
Source#1
 
Source#2
 
excellent addition by sheivoko - the XKeyscore rules!

It's about their monetization strategy. Since APB introduced their opt-out "Acceptable Ads", people have questioned their integrity.  
"In an article for mobilegeeks.de, blogger Sascha Pallenberg accuses the developers of the popular AdBlock Plus (ABP) browser plugin of maintaining business connections to "strategic partners in the advertising industry". Pallenberg goes as far as calling ABP a "mafia-like advertising network"."

source: http://web.archive.org/web/20131208011244/http://www.h-online.com/newsticker/news/item/Serious-accusations-against-AdBlock-Plus-1897360.html
 
The following quote is kind of ironic and oh-so on-topic; it's from a 2009 ABP blog post on the "monetization dilemma":
 
"I know that some other extension developers have their extension as a full-time job and that makes them dependent on money sources. Given the market value of their user base, it is hard not to sell out."
 
source: https://adblockplus.org/blog/the-monetization-dilemma

Hello! 
We have never been asked by TorrentFreak to sponsor them.
 
About your 2nd question, we can't answer now, an answer should come from the Air founders collective agreement. We have never invested a cent in direct advertising. We preferred to invest very much on supporting compatible with our mission, independent projects, and on quality of service, but things of course are not immutable, and nowadays all types of investments can be no more mutually exclusive.
 
Kind regards

Hello!
 
We're very glad to inform you that a new payment processor for Bitcoin is available: BitPay. From now on, you can more comfortably pay in Bitcoin with an automated order in our web site. During the checkout, just select "Bitcoin (via BitPay)" and follow the quick & easy instructions! Paying in Bitcoin effectively enhances your privacy and improves the anonymity layer provided by our service.
 
We would like to remind you that ONE and ONLY ONE authorized AirVPN reseller currently exists (12-Feb-2014), bitcoincodes.com. Anybody else selling or proposing AirVPN subscriptions or selling coupon codes is NOT authorized by us (12-Feb-2014).
 
Kind regards and datalove
AirVPN Staff

https://www.torproject.org/

Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis

 
Funding Exit nodes.
Also with our monthly recurring donations, TorServers.net powers relays on top of the Tor Network Status - Bandwidth Ranking

Funding Relay nodes.
We are hosting Relay nodes under our control.
Incoming and outgoing data encrypted form does not allow us to discriminate.

For a full list of our Relay nodes, look at the Mission page.

Notes
All TOR nodes managed by us redirect to this topic, if their homepage is requested.

According to https://dan.me.uk/tornodes Velorum's exit IP is a TOR exit node. Therefore access to dan.me.uk is restricted.
 
 
Please stop running TOR exit nodes!!..

Some of the newer features of UFW haven't arrived with the version you are
using. And although the GUI version of UFW is nice the command-line version
is much more advanced.

In the following quick tutorial I will try to give
you some guidance to get a simple setup (hopefully) working. This is only
for general guidance. Adjust addresses, port numbers and protocols as
needed. E.g. If your router is on a different IP-address then adjust the
rule to fit to your needs. Also if you want to connect to a different
VPN-server use the IP-address of the server you wish to use. The IP numbers
used here are only as an example.

Keep in mind that rule ordering is
important and the first match wins! The rule which is entered first will end
up higher in the list. At the end I will explain more about this (see point
8).

1.  Open an terminal window and enter the following commands and adjust them
    to your needs.
    Use su to log in as root if you haven't or place sudo before every command.
    the $ represents the prompt in the terminal.

2.  Enable UFW.

    $ ufw enable
    
    This will enable the firewall and now you can add rules.

3.  Set the default behavior to deny all incoming and out going traffic.

    $ ufw default deny out
    $ ufw default deny in
    
    Now all in- and outgoing traffic will be blocked.

4.  Add a rule to allow traffic to your router (only if this is needed).

    $ ufw allow out to 192.168.178.0/24
    
    This will allow traffic to the router/internal network which in this
    case is located on 192.168.178.0/24. If your computer has multiple
    network interfaces you can add the interface which you want to use. E.g.
    
    $ ufw allow out on eth0 to 192.168.178.0/24

    This will allow only connections to the internal network/router on eth0.
    If eth0 is not connected and you use for example the wlan0 connection
    UFW will block the traffic and you will not be able to connect to the
    router/internal network, because only traffic from eth0 is allowed to
    connect to 192.168.178.0/24.

5.  Add a rule to allow traffic to 46.19.137.114 on port 443 with UDP
    traffic. This is the AirVPN_CH-Virginis_UDP-443 server.

    $ ufw allow out to 46.19.137.144 port 443 proto udp
    
    This will allow UDP traffic on port 443 to the Virginis server
    (=46.19.137.144). This is needed to connect to the VPN-server. You can
    add more than one VPN-server by repeating the above rule and adjust the
    IP-address to the server which you want to add. It is also possible to
    specify different port numbers. Just change the port number to the port
    number which is needed to connect to the VPN server. If the proto udp
    part is omitted then tcp and udp traffic is allowed and if it's changed
    to proto tcp then only tcp traffic is allowed.

6.  Add a rule to allow in- and outgoing traffic over tun0. This is the
    traffic from and to the VPN-server.

    $ ufw allow out on tun0
    
    Now it's possible for an application like the browser to connect to
    different sites on the web. All the traffic will go through the vpn
    server.

7.  In the case that you use a bit-torrent client, you will also need to
    allow incoming traffic from the port which is specified by you in the
    bittorrent client (this is the port which is needed to allow peers/seeders
    to connect to the bit-torrent client (NAT).

    $ ufw allow in on tun0 from any to any port 54321
    
    This will enable incoming traffic which is coming from different
    IP-addresses (the peers/seeders which want to connect to your client) to
    connect through the VPN-server connection (which is tun0 here). In this case
    port number 54321 is used, adjust it the correct port number!

8.  If you now enter.

    $ ufw status verbose
    
    You will get a numbered list which something like:
    
        Status: active
        Logging: off
        Default: deny (incoming), deny (outgoing)
        New profiles: skip

        To                         Action      From
        --                         ------      ----
        54321 on tun0              ALLOW IN    Anywhere

        192.168.178.0/24           ALLOW OUT   Anywhere
        46.19.137.114 443          ALLOW OUT   Anywhere
        Anywhere                   ALLOW OUT   Anywhere on tun0
        
    This shows you which rules are applied and what the status of the
    firewall is. When you enter:
    
    $ ufw status numbered
    
    You will get a numbered list. It will look something like this:
    
        Status: active

             To                         Action      From
             --                         ------      ----
        [ 1] 192.168.178.0/24           ALLOW OUT   Anywhere (out)
        [ 2] 46.19.137.114 443          ALLOW OUT   Anywhere (out)
        [ 3] Anywhere                   ALLOW OUT   Anywhere on tun0 (out)
        [ 4] 54321 on tun0              ALLOW IN    Anywhere
        
    This is a numbered list. It is important to know that the order of the
    rules is important. If you allow something with rule number 1 which
    allows for example all incoming and outgoing traffic, all the other
    rules which are specified after that will have no effect!

    And as a final notice I will also point to the possibility to delete and
    insert rules. If you enter:
 
    $ ufw delete 1 # and confirm of course
    
    Rule number 1 will be deleted and all the other rules which followed
    rule 1 will shift up in this example the list will look something like
    this (after $ ufw status numbered):
    
        Status: active

             To                         Action      From
             --                         ------      ----
        [ 1] 46.19.137.114 443          ALLOW OUT   Anywhere (out)
        [ 2] Anywhere                   ALLOW OUT   Anywhere on tun0 (out)
        [ 3] 54321 on tun0              ALLOW IN    Anywhere
        
    And if you want to add a rule on a specific spot it is possible by using
    the insert command. E.g. we want to add a second VPN-server so we can
    choose a different one in the case one is down (could happen you know
    :-)) or if we want options. The command would look like this;
    
    $ ufw insert 2 allow out to 119.81.1.122 port 443 proto tcp   
    
    # this will add the SG-Sagittarii server
    
    Now on spot number 2 there is a new rule inserted. The other rules will
    shift down. We can generate a new list:
    
    $ ufw status numbered
    
    And the list will look like:
        Status: active

             To                         Action      From
             --                         ------      ----
        [ 1] 46.19.137.114 443          ALLOW OUT   Anywhere (out)
        [ 2] 119.81.1.122 443/tcp       ALLOW OUT   Anywhere (out)
        [ 3] Anywhere                   ALLOW OUT   Anywhere on tun0 (out)
        [ 4] 54321 on tun0              ALLOW IN    Anywhere

This concludes the tutorial. Use it to you benefit and I hope some things
get a little bit clearer. Make the appropriate changes for you setup and
expand on it. And again the GUI version is nice, but the command-line
version is beter, it only takes a little bit of time to get used to it.