InactiveUser

guppy, I've run into this myself - the config generator has changed recently.
Unless I missed something, you can't get a single .ovpn file anymore that contains multiple server addresses.

The only way to do this now:
manually pick a selection of servers let the config generator spit out individual config files for all the servers you picked download the files and extract the relevant "remote $ip $port" lines from all the ovpn files  - for example by using: grep -h 'remote ' *.ovpn create a new ovpn file (or simply modify one of the downloaded ones), put in all the "remote 1.2.3.4 443" lines you just extracted add the directive remote-random to your ovpn file (else, openvpn would try to connect to the servers in order, not randomly) There is one major caveat:
A single ovpn file must not contain more than 64 remote addresses, so don't pick more than 64 servers.

Air already has 82 servers in total and currently 50 in Europe alone, so it makes sense for Air to ensure that the Config Generator would not generate invalid ovpn files. On the other hand, the Config Generator could be smarter. Simplified pseudocode example:

if picked_servers <= 64:
    generate_individual_files()
    generate_combined_file()
else:
    generate_individual_files()
    display_warning("You picked more than 64 servers. Pick no more than 64 if you need a multi-server ovpn file")
 
I will suggest this later today by opening a support ticket, unless we get a staff member to comment on this thread first.

Hello,
 
the cited feature has never been implemented in AirVPN forum and of course it will never be implemented. As far as we can see, questionable data mining is not implemented in plug-ins for the Invision version running in our servers.
 
We will never allow TapaTalk to send out our database e-mail addresses entries. While TapaTalk accesses the database (to allow users' log in our web site from TapaTalk) no transmission of such data to remote TapaTalk servers is allowed. There's no code on the TapaTalk we run that can do it. We can say this for sure because we analyze the source code of several applications in our servers, including the TapaTalk plug-in.
 
The questionable data mining code is implemented in the latest version of Invision TapaTalk plugin, not yet running on our server. Our developers will purge this code before applying the plugin, if it will ever be deployed.
 
We disagree that we infringe their license if we do not allow collection of e-mail addresses: we consider any contractual agreement infringing the EU legal framework on data protection and privacy as invalid (as well as any other contractual agreement causing infringements of the law), and we consider e-mail addresses as data covered by the scope of the relevant Directives on privacy and data protection. Since we are based in Italy and the forum servers are physically based inside the EU, there's no doubt that the applicable law on the matter is EU law, not USA law. According to the contract, if a clause is invalid due to the law, all other non-illegal clauses remain into effect.

Kind regards
AirVPN Staff

Firefox started to behave bad as well... Shoved us that WebRTC thing by default, then started with all the DRM and EME.
Later added some Telefonica call-home by default, some Cisco stuff
 
I used to like Firefox, but recently completely dropped it in favor of IceCat.
 
Forgot to mention, avoid downloading "Free software" from Sourceforge as well. That free software will come bundled with malware.

It doesn't help if you install Chromium on Linux

Hey there, 
 
i just found the news that tapatalk, used also by airvpn, is sending user details to servers run by tapatalk. And they can give them away. 
They can get: Username, mail address, etc.
 
You can disable it by change the config "mobiqou/config/config.php"  the parameters "allow_trending" to "0"
 
Is it known by the staff?
 
 
See: http://heise.de/-2716662 (german)
---edit---
They can even send mails to users of the forum if they are not using tapatalk.
 
http://www.hardwareluxx.de/index.php/news/software/anwendungprogramme/35790-tapatalk-nur-mit-modifikationen-sicher.html (still only german)

guppy, I've run into this myself - the config generator has changed recently.
Unless I missed something, you can't get a single .ovpn file anymore that contains multiple server addresses.

The only way to do this now:
manually pick a selection of servers let the config generator spit out individual config files for all the servers you picked download the files and extract the relevant "remote $ip $port" lines from all the ovpn files  - for example by using: grep -h 'remote ' *.ovpn create a new ovpn file (or simply modify one of the downloaded ones), put in all the "remote 1.2.3.4 443" lines you just extracted add the directive remote-random to your ovpn file (else, openvpn would try to connect to the servers in order, not randomly) There is one major caveat:
A single ovpn file must not contain more than 64 remote addresses, so don't pick more than 64 servers.

Air already has 82 servers in total and currently 50 in Europe alone, so it makes sense for Air to ensure that the Config Generator would not generate invalid ovpn files. On the other hand, the Config Generator could be smarter. Simplified pseudocode example:

if picked_servers <= 64:
    generate_individual_files()
    generate_combined_file()
else:
    generate_individual_files()
    display_warning("You picked more than 64 servers. Pick no more than 64 if you need a multi-server ovpn file")
 
I will suggest this later today by opening a support ticket, unless we get a staff member to comment on this thread first.

Two steps:
- Tell the AirVPN client to automatically connect when launched
- Add the AirVPN client to Mint's "Startup Applications".
​
Here's a screenshot detailing all the steps:

I tried this with Mint 17.1 MATE, but the Cinnamon edition features the same "Startup Applications" tool, afaik.

Caveat: You still have to enter your sudo/user password every time AirVPN starts.
If that bothers you, you can edit the "sudoers" file to let you run AirVPN as root without having to enter any password.
If you're totally new to sudo and its sudoers file, I'd recommend reading Ubuntu's documentation first:
​https://help.ubuntu.com/community/Sudoers
​The paragraph "Shutting Down From The Console Without A Password" describes a similar use case to what we're doing here.
The only way to edit sudoers is on the command line using:
 
sudo visudo Add the following line to the very end of that file (replace the word "user" with your own user name):
 
user ALL=(ALL) NOPASSWD: /usr/bin/airvpn Exit visudo with ctrl-x.
 
​
Go back into Mint's "Startup Applications", edit the AirVPN entry.
Change its command from ..
/usr/bin/airvpn to ..
sudo /usr/bin/airvpn and reboot.

Hi, I found this report of UC Browser https://citizenlab.org/2015/05/a-chatty-squirrel-privacy-and-security-issues-with-uc-browser/ and it seems it leaks any kind of information such as  IMSI, IMEI and location (this last one, only on chinese version) in plain text! 
 
Have you ever used this browser on your Android/Xiaomi device

Hi.
 
I have recently commenced using AirVPN, and I must commend you for having one of the most accessible pieces of software I've ever seen for users who are fully blind or vision impaired.
 
One issue I've encountered is that I'm not able to access the button or icon that I need to click in order to get to the advanced settings area.
 
It would be great if this could be addressed, as it's proving frustrating to get to the advanced features of this fabulous software package.
 
Otherwise, I'm very happy with your speeds from Australia and it's great that you offer the ability for users to be able to download the files necessary to use your service with Viscosity or any other open VPN client.
 
Cheers.

The developers use their private key to create the signature.
In order to verify a signature, gpg needs to have the corresponding public key.
Take a closer look at gpg's output:
 
gpg --verify file.tar.sig
gpg: assuming signed data in `file.tar' gpg: Signature made $some_date using RSA key ID 1234ABCD gpg: Can't check signature: public key not found It tells you the ID of the key you need to import:

gpg --recv-keys 1234ABCD
gpg: key 1234ABCD: public key "John Doe" imported Now gpg will be able to verify the signature:
 
gpg --verify file.tar.sig
gpg: assuming signed data in `file.tar' gpg: Signature made $some_date using RSA key ID 1234ABCD gpg: GOOD signature from "John Doe" There is, as you may have guessed, a major problem here: How do you know this key actually belongs to the person you think it does? If your download of both file and signature had been man-in-the-middled, you might have imported a fake key and blindly accepted a spoofed "GOOD signature" result.

That's a somewhat tricky problem to address.
Ideally, you would have a "Web of Trust", meaning that people you already trust have signed this key.

Practical example: here are two keys, both claiming to belong to "Erinn Clark <erinn@torproject.org>":
 
Key #1:
 
 

Key #2:
 

 
Weird, right? Over the years, one key has been signed by many people from Debian, Tor, Guardian Project, while the other key has no sigs at all.
Of course, all of Key #2's sigs could be fake too, but ideally you would find at least one among them that you already trust - that's the whole idea of the Web of Trust.
But even without a proper WoT, you can easily spot the suspicious key in this particular case.

If you want to spend even more time thinking about this problem, the Tails Project has elaborated on some interesting ideas on how to trust their signing keys.    

What to use for file/folder encryption on Linux:
I use gpg / gpg-zip, it's not the most convenient solution but I don't need it a lot. Truecrypt or one of its hopefully trustworthy forks is probably still the most secure and convenient solution. EncFS is also worth a look (doesn't Ubuntu use it for /home/ encryption?) but its security audit wasn't exactly cheerful.

First of all, I think it's better to avoid the term "kill switch" as it describes a (bad) idea that's completely different from a firewall setup such as AirVPN's network lock feature.

Now to address your question, please clarify what you are trying to do:
a. use the AirVPN client and its network lock feature b. don't use the client (instead, connect through NetworkManager, or use openvpn directly) and configure iptables yourself, in a way that resembles AirVPN's network lock feature In case of option a, you don't need to touch iptables yourself! The AirVPN ("Eddie") client will do that each time you run it. If you want to use Eddie, there's no need at all to read the rest of my answer.

In case of option b, your iptables rules must contain the following:
a general rule set (allow local traffic, allow tunnel forwarding, block traffic by default, ...) exceptions for all of the VPN servers you want to connect to The rules you quoted from Air's website would serve just fine as your general rule set. Now you only need to manually create exceptions for the servers' entry IPs.

There are two ways to get a hold of these entry IPs:
DNS lookup, very convenient, as explained by AirVPN staff here use the Config Generator, tick all the servers you want to use, enable both "Advanced Mode" and "Resolved hosts in .ovpn file", then check the config file for the "remote " IPs Here's an example: Let's pretend you wanted to use the servers Nihal, Pavonis and Rastaban. You would issue the following commands to get the entry IPs
 
dig +short nihal.airvpn.org dig +short pavonis.airvpn.org dig +short rastaban.airvpn.orgto get back the following IPs
 
46.182.35.14 149.255.33.154 62.102.148.135 You would then create iptables rules to allow outgoing connections to these IPs:
 
iptables -A OUTPUT -d 46.182.35.14 -j ACCEPT iptables -A OUTPUT -d 149.255.33.154 -j ACCEPT iptables -A OUTPUT -d 62.102.148.135 -j ACCEPT That's basically it.

If you decide to roll your own firewall configuration, be sure to test it properly! It's usually better to use Eddie's network lock. The biggest difference (and reason why some people prefer their own setup over Eddie): Eddie's network lock gets activated when you launch the program (and deactivated when you quit the program) whereas your own iptables configuration would be activated as part of your system's boot process.

What is the feasibility of adding the server's status (online, offline, imminent withdrawal, etc.) as a new Attribute name in an XML formatted API call?  This would be very helpful for those of us wishing to rank servers and then select one for connection via openvpn.  Thank you.
 

Hello!
 
We had to remove that option because OpenVPN can't handle configuration files with more than 64 "remote" directives. Now, with the growth of our infrastructure, we now have various areas with more than 64 servers. The only other option we had to generate correct configuration files  would have been to over-complicate the generator, adding warnings for each case exceeding 64 remote directives and stopping the generation in such cases. We have evaluated that this would have caused confusion to a lot of customers. The advanced users who need this option can anyway easily circumvent the problem, as you have noticed. Just remember that with your method, if you build a .ovpn file including more than 64 "remote" directives, you'll end up with a non-usable configuration file.
 
Kind regards

The virus claim on that page is pretty much nonsense.
What's actually happening is that CloudFlare, a CDN used by a worrying number of sites, "uses threat data from a variety of sources to build a reputation for every visitor online". Using shared networks like a VPN or Tor will always lower your "reputation" in their eyes.

CloudFlare is a severe hindrance for privacy-conscious users. There's not much you can do other than:
letting CloudFlare know how unreliable their "threat data" is and how severe the side effects are letting websites know how much you struggle to access their content due to their use of CloudFlare

Tutorial: SSH-Tunneled VPN on Stock Android
 
0. Notes
 
- no proprietary / commercial apps required. FOSS only! (Free and Open Source Software)
- no root / custom ROM required
- tested on Android 4.4.4
- minimum requirement: Android 4.x
 
 
1. Required apps
 
- OpenVPN for Android
- ConnectBot (any advanced SSH client will work, )
- CyanogenMod File Manager (or pick any file manager you like)
I highly recommend installing all of these apps via F-Droid, a Free Open Source Software platform:
https://f-droid.org/

In order to install F-Droid, you may need to temporarily "Allow installation of apps from unknown sources" in Android's security settings.
 
 
2. Generate config files

Use the AirVPN Generator (https://airvpn.org/generator/) to create SSH config files for Linux (not Android).
Only pick one specific server.
Screenshot #1: http://i.imgur.com/FWcuXH2.jpg


3. Transfer config files
 
We only need 2 out of the 3 generated files:
    - sshtunnel.key
    - the .ovpn profile
 
Screenshot #2: http://i.imgur.com/p2L7T0l.jpg
Transfer both of them to your Android's sdcard.
Also, open the .ovpn file in a text editor and look for a line that starts with "route", it contains the server's IP - we will need it in step 5.
Example:
 
route 199.19.94.12 255.255.255.255 net_gateway
That's the IP we will need.
 
 
4. Import key file in ConnectBot

Launch ConnectBot. Go into menu and "Manage Pubkeys".
Screenshot #3: https://i.imgur.com/uGT3UgC.jpg
Import the sshtunnel.key file.
Screenshot #4: https://i.imgur.com/ZPYhI6V.jpg
 
 
5. Configure SSH connection in ConnectBot

Go to ConnectBot's main screen.
At the bottom of the screen, enter:

sshtunnel@199.19.94.12
(Notice, that's the IP we took note of in step 3).
Screenshot #5A: http://i.imgur.com/ludTDgv.jpg

If the default port 22 is blocked, you can try an alternative port by appending it at the end:
sshtunnel@199.19.94.12:80
or
sshtunnel@199.19.94.12:53

- Press Enter on your keyboard. It will try to connect and ask you to continue. Choose "Yes".
Screenshot #5B: http://i.imgur.com/UJNpB9n.jpg

- Cancel the connection, we need to configure it now.
Long-press the newly created connection and choose "Edit host".
Screenshot #6: https://i.imgur.com/n3OtM2D.jpg

- Change "Use pubkey authentication" to "sshtunnel.key".
Screenshot #7: https://i.imgur.com/CwfFSoO.jpg

- Disable the option "Start shell session"
Screenshot #8: https://i.imgur.com/l2niHqG.jpg
- Consider enabling the option "Stay connected".
 
 
6. Configure SSH port forwarding
 
- Go to ConnectBot's main screen.
- Long-press the new connection again, but this time choose "Edit port forwards". "Add port forward" with the following values:
 
Type: Local
Source port: 1412
Destination: 127.0.0.1:2018
Screenshot #9: https://i.imgur.com/TBnsKQx.jpg
- Press "Create port forward".
Configuration of the SSH connection is now complete.
- Go back to ConnectBot's main screen and tap the connection entry to establish a connection.
Leave the ConnectBot app using your "home" button.
 
 
7. Import OpenVPN config

- Launch "OpenVPN for Android"
- Tap the folder icon. In the "Open from" dialog, choose "File Manager"
  Screenshot #10: https://i.imgur.com/Nhc6fDa.jpg
 
- Pick the AirVPN_...SSH-22.ovpn file
- OpenVPN will present you with an "import log", tap the "Save" file to accept.
- You may want to dive into the new profile's settings,
go to "ROUTING" and enable "Use default route".
- in the ALLOWED APPS tab, find and select ConnectBot to exclude it from OpenVPN's routing
 
 
8. Start OpenVPN connection
 
- In OpenVPN's main screen, tap the VPN profile to establish the connection.
- Provided that the SSH connection is still running, OpenVPN will be able to connect. Congratulations
 
 
9. How to connect / disconnect from now on

When establishing a connection, always
- start the SSH connection first
- then launch OpenVPN
When disconnecting, always
- disconnect the OpenVPN connection first
- then disconnect SSH in ConnectBot
 
 
10. Thoughts on reliabilty and firewalling

If avoiding network leaks is important to you: be careful on Android, especially on unreliable mobile or WiFi networks that might cause the connection to collapse quite often.

I don't have a solution for this potential issue on stock Android, but if you're on a rooted device, you should absolutely consider installing AFWall+ (available in F-Droid).
AFWall+ allows you to firewall individual apps, restricting their network access to VPN-only.    
(You have to dive into its settings to enable VPN mode).
 
 
Finally: Good luck!

The developers use their private key to create the signature.
In order to verify a signature, gpg needs to have the corresponding public key.
Take a closer look at gpg's output:
 
gpg --verify file.tar.sig
gpg: assuming signed data in `file.tar' gpg: Signature made $some_date using RSA key ID 1234ABCD gpg: Can't check signature: public key not found It tells you the ID of the key you need to import:

gpg --recv-keys 1234ABCD
gpg: key 1234ABCD: public key "John Doe" imported Now gpg will be able to verify the signature:
 
gpg --verify file.tar.sig
gpg: assuming signed data in `file.tar' gpg: Signature made $some_date using RSA key ID 1234ABCD gpg: GOOD signature from "John Doe" There is, as you may have guessed, a major problem here: How do you know this key actually belongs to the person you think it does? If your download of both file and signature had been man-in-the-middled, you might have imported a fake key and blindly accepted a spoofed "GOOD signature" result.

That's a somewhat tricky problem to address.
Ideally, you would have a "Web of Trust", meaning that people you already trust have signed this key.

Practical example: here are two keys, both claiming to belong to "Erinn Clark <erinn@torproject.org>":
 
Key #1:
 
 

Key #2:
 

 
Weird, right? Over the years, one key has been signed by many people from Debian, Tor, Guardian Project, while the other key has no sigs at all.
Of course, all of Key #2's sigs could be fake too, but ideally you would find at least one among them that you already trust - that's the whole idea of the Web of Trust.
But even without a proper WoT, you can easily spot the suspicious key in this particular case.

If you want to spend even more time thinking about this problem, the Tails Project has elaborated on some interesting ideas on how to trust their signing keys.    

What to use for file/folder encryption on Linux:
I use gpg / gpg-zip, it's not the most convenient solution but I don't need it a lot. Truecrypt or one of its hopefully trustworthy forks is probably still the most secure and convenient solution. EncFS is also worth a look (doesn't Ubuntu use it for /home/ encryption?) but its security audit wasn't exactly cheerful.

Thanks for the guide.
"You may want to dive into the new profile's settings, go to "ROUTING" and enable "Use default route".
I'm on Android 5.1.1 If I have this checked, the VPN will connect, but there will be no traffic and eventuzlly the VPN will disconnect. Leave the settings 'as is' in the .ovpn settings and everything works. Confirmed with dnsleakstest.

Arresting him for being a troll that's definitely dumb, however another poster here said he was outright harrassing her and I wasn't looking that close. It comes to no surprise to me that there are people against same-sex relationships, I'm lesbian myself and I must admit those comments didn't exactly make me cheerful. But there is a difference between trolling and harrassing, trolling is just mean but harrassment by default is intended to make the other part fear you and possibly others so for that reason I think it was a good move to arrest him, a screen shouldn't protect him against that. But again trolling and harrassing is 2 different things and I do support freedom of speech but I do not support freedom of terror

Do feel free to use Tor on top of AirVPN for improved anonymity and tracking resistance.
Don't run Tor exit nodes on AirVPN - doing so would put AirVPN servers on certain blacklists, causing problems for your fellow AirVPN users, such as constant captcha challenges on many websites or even blocked services. However, AirVPN won't stop you from running Tor exit nodes.
 
Do feel free to use any kind of P2P network.
Don't violate ToS.
 
I don't think there's anything else you should be particularly wary of. If you encounter a site or service that seems to block you for using a particular AirVPN server, try other AirVPN servers until you find one that works.
There are some anti-fraud detection systems that you may trigger by using VPNs (for example, think of banks or online shops trying to figure out if your login is legitimate). Such problems are relatively rare (most anti-fraud systems are smarter than that).

For your career it's not possible. When you make a call, your phone is connected to an antenna and your career know witch one and how good is your connection to this antenna so he can easily know your position.
In Top of that, they are able (but it's not legal in most country) to know every person in a place. This is what the Ukrainian gov did during the revolution. They used all antennas to recolt the number of the those who were at the Maïdan place.

I appreciate you providing input in a non-confrontational way. I am thinking that I am an open-minded individual and I will check them out. However, after skimming through their Terms of Services I am not interested. I was going to sit down an read it more thoroughly but I would rather not obsess about what is right or wrong. That is just for me.
 
The Realist might very well use TorGuard but I am an Idealist and think I will pass.

I'm not sure what exactly you want to test for but you can use a site like http://ipleak.net/ to verify that your traffic is routed through the VPN. It'll also inform you about WebRTC or DNS leaks.
You could also verify that the correct default route (via the tun interface, gateway address 10.x.x.x) has been set, I believe the correct OS X Terminal command would be:
route -n get default  
I'd recommend enabling Eddie's network lock feature. It will configure your Mac's PF firewall to only allow tunneled traffic while Eddie is running.

The last, underlined part is important to keep in mind:
As soon as you close Eddie, your Mail client, browser, OS updater, P2P app and so on will happily transfer data outside the tunnel. Same goes for reboots: If some application auto-starts on boot it will communicate outside the tunnel - as long as you haven't launched Eddie yet.
There are a few techniques with varying degrees of efficiency (and difficulty) to avoid this:
don't have your internet applications auto-start on boot disable your network interfaces before reboots, re-enable them only after starting Eddie and verifying that network lock is active, then start your internet apps use your own (permanent) PF firewall rules (advanced topic! this post might get you started) run OpenVPN & firewall on a router / network appliance (OpenWRT, DD-WRT, PFSense, etc. - advanced topic!)

Less tabloidy source: http://www.theguardian.com/technology/2015/apr/18/jack-monroe-quits-twitter-over-homophobic-abuse
 
I agree that this one tweet, while hateful, should not warrant an arrest. However, you'd be wrong in claiming that this arrest was related to "exercise of free speech":
 

So he didn't just send off one single tweet, he kept harassing her and that's clearly not covered under the exercise of free speech. He was not arrested for merely voicing his opinion.

Use the "Config Generator", check all the servers you want to use (you can check a whole region / country).
You have to enable "Advanced Mode" and "Resolved hosts in .ovpn file".
This will give you an .ovpn file containing the entry IPs in the form of
remote 1.2.3.4
remote 1.2.3.5
remote 1.2.3.6
...
 
You can then manually create UFW commands for these IPs, or write a Bash one-liner to automate the process, similar to what I did here for Fedora's firewall:
https://airvpn.org/topic/13064-block-all-non-vpn-traffic-in-fedora-21-firewalld/?p=22926
That post also contains screenshots for the "Config Generator".
 
You should also keep an eye on Air's News and Announcements section. Whenever Air withdraws a server, you should remove its entry IP from your firewall configuration.

Less tabloidy source: http://www.theguardian.com/technology/2015/apr/18/jack-monroe-quits-twitter-over-homophobic-abuse
 
I agree that this one tweet, while hateful, should not warrant an arrest. However, you'd be wrong in claiming that this arrest was related to "exercise of free speech":
 

So he didn't just send off one single tweet, he kept harassing her and that's clearly not covered under the exercise of free speech. He was not arrested for merely voicing his opinion.