sheivoko

Reputation Activity

  1. Like
    sheivoko got a reaction from encrypted in Need IP ranges to use ufw to act as a kill switch   ...
    Use the "Config Generator", check all the servers you want to use (you can check a whole region / country).
    You have to enable "Advanced Mode" and "Resolved hosts in .ovpn file".
    This will give you an .ovpn file containing the entry IPs in the form of
    remote 1.2.3.4
    remote 1.2.3.5
    remote 1.2.3.6
    ...
     
    You can then manually create UFW commands for these IPs, or write a Bash one-liner to automate the process, similar to what I did here for Fedora's firewall:
    https://airvpn.org/topic/13064-block-all-non-vpn-traffic-in-fedora-21-firewalld/?p=22926
    That post also contains screenshots for the "Config Generator".
     
    You should also keep an eye on Air's News and Announcements section. Whenever Air withdraws a server, you should remove its entry IP from your firewall configuration.
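
The procedure from the post above, as an added example (not part of the original post and not AirVPN's code): it reads the `remote` lines of a resolved-hosts .ovpn file and prints the UFW commands for review instead of running them, and it also prints the `ufw delete` commands for entry IPs that are missing from a newer file. The tunnel interface `tun0`, the function names, the file names and the sample files (including the port 443 on some lines) are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: derive UFW kill-switch rules from the "remote" lines of a
# resolved-hosts .ovpn file. Commands are printed, never executed.

# Print unique, valid IPv4 entries as "ip port" ("-" when no port is given).
# Hostnames, commented-out lines and out-of-range octets are skipped.
ovpn_remotes() {
  tr -d '\r' < "$1" | awk '
    $1 == "remote" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
      split($2, o, ".")
      ok = 1
      for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) ok = 0
      port = ($3 ~ /^[0-9]+$/ && $3 + 0 >= 1 && $3 + 0 <= 65535) ? $3 : "-"
      key = $2 " " port
      if (ok && !(key in seen)) { seen[key] = 1; print key }
    }'
}

# $1 = .ovpn file, $2 = tunnel interface (assumed to be tun0).
killswitch_rules() {
  local tun="${2:-tun0}"
  echo "ufw default deny incoming"
  echo "ufw default deny outgoing"
  # Everything may leave through the tunnel ...
  echo "ufw allow out on $tun from any to any"
  # ... and outside the tunnel only the VPN entry IPs are reachable.
  ovpn_remotes "$1" | while read -r ip port; do
    if [ "$port" = "-" ]; then
      echo "ufw allow out to $ip"
    else
      echo "ufw allow out to $ip port $port"
    fi
  done
}

# $1 = previously used .ovpn, $2 = freshly generated .ovpn.
# Prints delete commands for entries that no longer exist (withdrawn servers).
stale_rules() {
  local new
  new="$(ovpn_remotes "$2")"
  ovpn_remotes "$1" | while read -r ip port; do
    printf '%s\n' "$new" | grep -qxF -e "$ip $port" && continue
    if [ "$port" = "-" ]; then
      echo "ufw delete allow out to $ip"
    else
      echo "ufw delete allow out to $ip port $port"
    fi
  done
}

# Constructed sample input (not real AirVPN entry IPs).
SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/old.ovpn" <<'EOF'
client
dev tun
remote 1.2.3.4
remote 1.2.3.5 443
remote 1.2.3.6 443
# remote 9.9.9.9 443
remote 1.2.3.4
remote 999.1.1.1 443
remote example.invalid 443
EOF
cat > "$SAMPLE_DIR/new.ovpn" <<'EOF'
client
dev tun
remote 1.2.3.4
remote 1.2.3.5 443
EOF

killswitch_rules "$SAMPLE_DIR/old.ovpn"
stale_rules "$SAMPLE_DIR/old.ovpn" "$SAMPLE_DIR/new.ovpn"
```

Review the printed commands before piping them to a root shell; a real setup usually also needs rules for the local network and DNS, which this example leaves out.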
  2. Like
    sheivoko reacted to Staff in New 1 Gbit/s server available (CZ)   ...
    Hello!

    We're very glad to inform you that a new 1 Gbit/s server located in the Czech Republic is available: Becrux.
     
    The AirVPN client will show automatically the new server, while if you use the OpenVPN client you can generate all the files to access it through our configuration/certificates/key generator (menu "Client Area"->"Config generator").
     
    Becrux accepts connections on ports 53, 80, 443, 2018 UDP and TCP.

    Just like every other Air server, Becrux supports OpenVPN over SSL and OpenVPN over SSH.

    As usual no traffic limits, no logs, no discrimination on protocols and hardened security against various attacks with separate entry and exit-IP addresses.
     
    Do not hesitate to contact us for any information or issue.

    Kind regards and datalove
    AirVPN Team
     
  3. Like
    sheivoko got a reaction from rickjames in Noob Question Identity/Sessions   ...
    You mentioned your threat level but you haven't explicitly stated your threat model - the goal of anonymous research includes several adversaries, i.e. family/co-workers, network admins, ISP/VPN provider, government, spooks, Google, trackers, website admins.
    Specifying who you're trying to protect against helps to give more precise answers.
     
    I assume by "login" you mean VPN session - there is no link between sessions but you don't magically get a new "identity/persona" either:

    - if you visit the same site twice and you don't clear out cookies, the site can obviously link both visits to the same persona.
    - if you do clear cookies but use the same browser with its probably unique fingerprint, the site can confidently assume that it's the same persona.
    - if you change your fingerprint but use the same IP, the site might make a reasonable assumption that both visits are linked to one persona. Same goes for the reverse (change IP but not fingerprint)
    - if you both change your fingerprint and use a different VPN server, it's unlikely that the site would be able to link the two visits, but, in certain edge cases, not entirely impossible.
     
    With all that said, I would highly recommend using Tor Browser (on top of your VPN connection) for your research:
    - Tor provides a bigger, more diverse pool of IPs
    - Tor Browser's fingerprint is used by millions of people, blending you in with the crowd
    - the Tor network's onion routing provides some additional protection against certain adversaries, making it harder to link source and destination

    Of course, using Tor comes with a couple of drawbacks:
    - a few sites block Tor altogether
    - significant hits on your bandwidth and latency (but very much usable)
    - captcha hell, most notably on sites that are powered by the shameful "Cloudflare" CDN
     
     
    If this didn't answer your question, please be more precise about who you don't want to make any links. I wasn't exactly sure how to reply because your stated goal of anonymous research involves much more than preventing a website from linking two sessions (which served as your main example).
  4. Like
    sheivoko reacted to OpenSourcerer in What's your e-mail provider?   ...
    NEVER say this! Please.
    Did you hear of new interesting laws making their way into Switzerland's legislation, giving intelligence agencies quite extensive possibilities to monitor people's telecommunication there? As soon as I find the article I will post it here. Not an (April Fools') joke, by the way.
  5. Like
    sheivoko got a reaction from vpnair33 in Weird problem with asus router   ...
    I don't think you can make the key any smaller, but you could try the Tomato firmware. According to these instructions, it detects the 5GHz band after resetting NVRAM and rebooting twice. Numerous posts in this thread also suggest changing the country code in order to get 80MHz channels @ 5GHz.
     
  7. Like
    sheivoko got a reaction from amazeballs in Eddie question   ...
    I'm not part of the team but since you haven't received any replies yet I'll chime in:
     
    It doesn't matter which application you use.
    AES-256-CBC refers to the cipher mode of the OpenVPN tunnel between you and AirVPN's VPN server.
    4096 bit is the length of your RSA private key (user.key) that is used to authenticate yourself to the VPN server.

    Both of these parameters only concern the VPN tunnel itself.
    Any other encryption layer that gets established within that tunnel - for example, SSL/TLS encryption between your browser and some website is a totally separate matter.

    Browsers and web servers both have a set of supported/preferred cipher suites and negotiate the one they want to use. If I go to about:config in my Firefox and type in "security.ssl3", I get a list of disabled and enabled ciphers, I'm sure Safari provides a similar facility. By the way, you can also click on the "lock" icon in your browser bar to find out more about your current SSL/TLS connection to whatever website you're on.
    Because the web server at https://airvpn.org does support AES_256_GCM, I could theoretically force Firefox to use that cipher by disabling all the other 128-bit ciphers (but I would run into problems with other websites that might only support AES-128).
    In reality and in this instance, AES-256 would not make any difference because the key exchange would still rely on a 2048-bit RSA key which is currently considered standard / recommended.
     
     
    TL;DR / conclusion:
    - AirVPN provides you with an AES-256 encrypted VPN tunnel between you and AirVPN but that doesn't impact how (or even if) your browser encrypts communication with any websites
    - AirVPN's website will usually negotiate AES-128 SSL/TLS encryption but it wouldn't make sense to use AES-256 unless their CA supported 4096-bit keys. Also, AES-128 / RSA 2048 is still considered secure for decades to come.
  8. Like
    sheivoko reacted to mlp in Raspberry Pi openVPN network speed   ...
    More data as I am able to play around.  
     
    I do not have flash enabled on this browser, so can't use speedtest.net.  AirVPN speed test consistently gives results that are not consistent with the speed that I am seeing.  Typical download speeds using AirVPN test are 3 Mbit/sec out of tunnel, 0.25 Mbit/sec inside tunnel.  Uploads being 1 Mbit/sec outside, 0.05 Mbit/sec inside.  Does not match with either the "feel" of the speed I am getting (ie. no delay in any page loading or streaming video) or the numbers I get from downloading individual files.  Tried several HTML5 download monitors, no consistency between data.  So am using the poor man's version of a speed test, in downloading moderate and larger sized files from debian mirrors, which should at least give an approximation of speed.  (caveats of server load, distance from me, etc.)  Also, note caveat of being on Wifi and not direct ethernet.
     
    Using AirVPN SSL (which doesn't get throttled by my ISP), which I typically get 40/10 Mbit/sec on an i7 laptop.  
    Data on Raspberry Pi 2 with AirVPN SSL 
     
    pi@rpi ~ $ wget http://ftp.us.debian.org/debian/pool/main/a/abiword/abiword-dbg_2.9.2+svn20120603-8_amd64.deb
    --2015-03-24 14:27:43--  http://ftp.us.debian.org/debian/pool/main/a/abiword/abiword-dbg_2.9.2+svn20120603-8_amd64.deb
    Resolving ftp.us.debian.org (ftp.us.debian.org)... 64.50.233.100, 64.50.236.52, 128.61.240.89, ...
    Connecting to ftp.us.debian.org (ftp.us.debian.org)|64.50.233.100|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 32409168 (31M) [application/x-debian-package]
    Saving to: `abiword-dbg_2.9.2+svn20120603-8_amd64.deb.13'

    100%[======================================>] 32,409,168  3.29M/s   in 14s

    2015-03-24 14:27:57 (2.26 MB/s) - `abiword-dbg_2.9.2+svn20120603-8_amd64.deb.13' saved [32409168/32409168]
    2015-03-24 14:28:16 (2.46 MB/s) - `abiword-dbg_2.9.2+svn20120603-8_amd64.deb.14' saved [32409168/32409168]
    2015-03-24 14:28:32 (2.58 MB/s) - `abiword-dbg_2.9.2+svn20120603-8_amd64.deb.15' saved [32409168/32409168]
    2015-03-24 14:28:51 (2.14 MB/s) - `abiword-dbg_2.9.2+svn20120603-8_amd64.deb.16' saved [32409168/32409168]
    2015-03-24 14:30:34 (2.71 MB/s) - `abiword-dbg_2.9.2+svn20120603-8_amd64.deb.17' saved [32409168/32409168]

    Average of 2.43 MB/s (19.44 Mbit/sec)

    A bigger file (139M)

    pi@rpi ~ $ wget http://ftp.us.debian.org/debian/pool/main/b/blender/blender-dbg_2.73.a+dfsg0-1_i386.deb
    --2015-03-24 14:33:12--  http://ftp.us.debian.org/debian/pool/main/b/blender/blender-dbg_2.73.a+dfsg0-1_i386.deb
    Resolving ftp.us.debian.org (ftp.us.debian.org)... 64.50.233.100, 64.50.236.52, 128.61.240.89, ...
    Connecting to ftp.us.debian.org (ftp.us.debian.org)|64.50.233.100|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 145255554 (139M) [application/x-debian-package]
    Saving to: `blender-dbg_2.73.a+dfsg0-1_i386.deb'

    100%[==========================================>] 145,255,554 1.62M/s   in 60s

    2015-03-24 14:34:13 (2.29 MB/s) - `blender-dbg_2.73.a+dfsg0-1_i386.deb' saved [145255554/145255554]
    2015-03-24 14:37:07 (2.23 MB/s) - `blender-dbg_2.73.a+dfsg0-1_i386.deb.1' saved [145255554/145255554]

    Average of 2.26 MB/sec (18.08 Mbit/sec)

    This stresses the processor more, and between openVPN and stunnel they are usually at 80-90% load.  So likely not going to get too much more than this.  But overall, a nice improvement (18-19 Mbit/sec) from the original Raspberry Pi (~6.5 Mbit/sec).

    mlp
  9. Like
    sheivoko got a reaction from tigger in Amule/Emule Low ID   ...
    1. There is no need to open any ports on your router, in fact, exposing the same ports you forward through AirVPN might open you up to correlation attacks (read Air's P2P FAQ)
     
    2. aMule lets you choose the "Standard TCP Port" but the UDP port is always set to TCP port + 3 (if your TCP port is set to 30500, UDP port will be 30503). Use the "Suggest a range of sequential free ports" tool on airvpn.org/ports to find 4 free, sequential ports.
     
    3. According to the P2P FAQ you should also avoid remapping Air ports to different local ports (example: don't forward Air port 30500 to local port 34012, just go with the default, straight forwarding).
     
    4. After configuring both ports I instantly received a "High ID" on every eMule server I tried. I also tried both US and Swedish AirVPN servers, no issues.
  11. Like
    sheivoko got a reaction from Artful Dodger in Running a Tor exit relay over VPN   ...
    Sure, VPNs get blacklisted too but it's not quite the same. In my browsing experience, I see way more captchas (or get denied access altogether) when using Tor.
    I don't see any merits of hybrid VPN/Tor servers outweighing the drawbacks. Also, AirVPN already runs two middle relays and funds a TorServers.net exit:
    https://airvpn.org/mission/
  12. Like
    sheivoko reacted to lsat in open source software security and privacy issues (tracking users, etc)   ...
    Google.com PREF cookies in Firefox  (and here) -Mozilla bug which hasn't been fixed for years
     
    How to get rid of these cookies
     
     
    SourceForge tricks (the author of this revelation is the developer of sqlitebrowser)
  13. Like
    sheivoko reacted to LazyLizard14 in share-online.biz blocking IP ranges   ...
    Regarding this thread: https://airvpn.org/topic/13595-trouble-using-share-online/
    Meanwhile I got the confirmation from their support that they blocked various IP ranges used by the AirVPN servers cos these servers were used by "other providers that practice account sharing" (multihoster I assume).
    You can still log in to your account, extend your subscription or even set up a new account without error. BUT you will find all downloads started timing out without further notice or error.
    A very questionable way how they act, even violating their own terms.
    Also in the support chat it was revealed that they, unlike written in their terms, do NOT delete logs within 60 minutes after a successful download! They keep the IPs of each successful login for at least a few days.
    Many European servers from AirVPN are already affected (Germany, Netherlands, ...). Latvia is still working.
    I recommend to avoid them cos of their business practice.
  14. Like
    sheivoko got a reaction from wer in open source software security and privacy issues (tracking users, etc)   ...
    Chromium: it's impossible to keep Google out of it.
     
    If you doubt me, read this old thread on superuser.com or try it yourself:
    - change search engine to DDG
    - set a blank homepage
    - disable "phishing/malware protection" (aka Safe Browsing)
    - disable "reports to Google"
    - disable "webservice to resolve navigation errors"
    - disable "prediction service"

    With these settings, would you expect Chromium to immediately contact Google? I didn't. Yet, when launching Chromium, I instantly see connection attempts to 5 Google servers:
     
    SYN-SENT   173.194.46.64:443
    SYN-SENT   173.194.46.67:443
    SYN-SENT   216.58.216.74:443
    SYN-SENT   173.194.46.72:443
    SYN-SENT   173.194.46.66:443
     
    Why? What for?
    I'll stick with Firefox, thanks!
  16. Like
    sheivoko reacted to rickjames in I need suggestions ASAP   ...
    I wouldn't worry with 10 Mbit/s. Tbh I think my alarm clock could power openvpn @ 10 Mbit/s lol. If what you have works just use it, I don't think you'll have issues with openvpn speeds. And as sheivoko said recommending anything is difficult when standard pci slots are required.
     
    FWiW:
    I have 2 mobos with embedded quad core celeron baytrails @2.0Ghz/2.4Ghz @10W with no AES that easily run pfsense + openvpn + suricata.
     
    Hell after the first pfsense build I was so impressed with the crazy low power usage and decent speed that I built a second machine for dev/coding work using the same motherboard + 8gb of ram + linux. I'm typing from it now and it's connected via ssh + openvpn. I also have vlc open playing music and xbmc 'xbox media center' open on another monitor/tv.
     
    However this setup has 2 pci express and one 1 x pci express 2.0 x16 in x1 mode, not pci. But it uses standard or low voltage ddr3 and can run 100% fanless.
    This is the mobo -> http://www.newegg.com/Product/Product.aspx?Item=N82E16813157513
     
    If you do plan on upgrading it might be worth spending a little cash on intel 1gb pci-E cards. Having a 'green' system using 10 watts or less when idling is really nice. With my setup these two machines paid for themselves in about 4 electric bills lol...
    -But my dev box was a i980x with a gtx780. Just turning it on made my power meter do cartwheels and ate up my weekly beer fund.
  17. Like
    sheivoko got a reaction from rickjames in I need suggestions ASAP   ...
    I find it difficult to recommend any platform for a self-built box because of your requirement of 2 PCI slots / 3x 1Gbit NICs - that rules out small, energy-efficient systems like AMD's AM1 (Jaguar/Kabini) or Intel Bay Trail / ARK Atom.

    I do have an alternative idea:
    €299 firewall box - explicitly built for OPNSense / pfSense, claiming "~80Mbps (AES256)", 3x 1Gbit ports.

    That's probably a bit more than you intended to spend but you have to factor in power consumption. That firewall will only consume 10W. On a self-built box you're looking at anywhere from 25-55W (or more) just for the CPU alone.
  18. Like
    sheivoko reacted to Staff in 2015 EU VAT regulations   ...
    Hello!
     
    It's totally unnecessary. In case the information is not gathered for any reason VAT must be paid in the country of the company, according to European Commission guidelines.
     
    Kind regards
  19. Like
    sheivoko reacted to Staff in Question about Privacy   ...
    Hello,
     
    to hide your IP address from Air VPN servers you could connect OpenVPN over Tor:
    https://airvpn.org/tor
     
    Kind regards
  20. Like
    sheivoko got a reaction from go558a83nk in Canvas Fingerprinting   ...
    go558a83nk:
    YoutubeCenter https://github.com/kkapsner/CanvasBlocker/issues/7
    Random Agent Spoofer (only if RAS is also set to block canvas) https://github.com/kkapsner/CanvasBlocker/issues/16
    There shouldn't be too many other issues but I found it odd that it would affect other extensions at all. For example, using NoScript obviously doesn't stop other extensions using JavaScript internally.
  21. Like
    sheivoko got a reaction from go558a83nk in built-in backdoors in proprietary software   ...
    Microsoft turning bugs into backdoors before fixing them:
    http://techrights.org/2013/06/15/nsa-and-microsoft/

    Stealth Windows updates:
    https://www.informationweek.com/microsoft-updates-windows-without-user-permission-apologizes/d/d-id/1059183?

    Apple circumventing its own security measures (i.e. supposedly encrypted backups), using undocumented iOS functions:
    http://arstechnica.com/security/2014/07/undocumented-ios-functions-allow-monitoring-of-personal-data-expert-says/

    HP's root backdoor to storage devices:
    http://news.dice.com/2013/07/11/hp-keeps-installing-secret-backdoors-in-enterprise-storage/

    "undocumented test interfaces" remote backdoors in Cisco routers:
    http://www.csoonline.com/article/2136221/network-security/cisco-confirms-undocumented-backdoor.html

    Undocumented, hardcoded backdoor accounts in Barracuda network appliances:
    http://www.networkcomputing.com/network-security/barracuda-security-equipment-contains-hardcoded-backdoors/d/d-id/1108344?

    Google's GTalkService / Google Play (remote app installation):
    https://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/
    https://jon.oberheide.org/blog/2010/06/28/a-peek-inside-the-gtalkservice-connection/
    https://www.duosecurity.com/blog/when-angry-birds-attack-android-edition

    Samsung Galaxy backdoor, allowing remote file i/o (disputed):
    https://www.fsf.org/blogs/community/replicant-developers-find-and-close-samsung-galaxy-backdoor

    Hardware vendors providing HDD firmware source code to NSA & friends:
    http://www.reuters.com/article/2015/02/16/us-usa-cyberspying-idUSKBN0LK1QV20150216
    The last one is not a built-in backdoor, but arguably even worse:
    Enabling the agencies to craft undetectable firmware modifications.


    Using proprietary software always means losing control over your hardware. The scary thing is: the most important kind of software - firmware - is almost always proprietary and / or inaccessible to the user. It's not going to get better anytime soon: Potential for CPU microcode backdoors
  23. Like
    sheivoko got a reaction from encrypted in AirVPN Log Save Location - Linux   ...
    I think I know what's happening:
    - AirVPN client runs as root (via sudo)
    - it saves log file in $HOME/Desktop/
    - because it's running as root, $HOME = /root/ while you're expecting it to be /home/yourname/

    Workaround:
    In the file save dialog, click on "My computer", then "HDD" (if you have more than one, find the system drive), then navigate to /home/yourname/

    I think Air devs could fix this by getting the $HOME variable before asking for root permissions. If they miss this thread, try opening a ticket.