InactiveUser

When generating config files for a region, check the option "All servers for area region" as shown in my screenshot.
Currently, you're connecting to america.vpn.airdns.org which will return the "best" server for that region.
After enabling that option, you'll be connecting to america.airvpn.org  which will return a random one.
Staff has explained the difference in this post:
https://airvpn.org/topic/11022-server-details/?p=15524
 
You can additionally enable "Resolved hosts in .ovpn file" which will put all the actual IPs in your config file and add the "remote-random" instruction to tell your OpenVPN client / NetworkManager to pick a random one. Pro: You don't need working DNS to get a connection. Con: When AirVPN adds new servers to the region, you would have to get a new config file to make use of them.

Hello!
 
After the TLS Authorization, authentication with the VPN servers is performed through double certificates and keys, not with some username and password.
 
If you change your account password, that will not change the mentioned files because they are not generated from that password. The encryption keys for the OpenVPN Data Channel are negotiated at each new connection and every 60 minutes through Diffie Hellmann Exchange (DHE) - complying to Forward Secrecy. https://en.wikipedia.org/wiki/Forward_secrecy
 
Authentication based only on login and password with a static key common to every user is not a setup to be taken into consideration if security is required on a VPN service. Not only it will not allow Perfect Forward Secrecy, but it poses some serious security risks: any man in the middle could decrypt your data simply by downloading the key; additionally, an attacker could impersonate the VPN server. Incredibly, some VPN services adopt this method.
 
Kind regards

I haven't run arch in a really long time and tbh have no clue how its currently handling forwarding.
 
You could install something like jnettop and run it on tun0 and wlp3s0 in separate terminals. From there you should be able to see packet travel ect.
 
jnettop -n -i wlp3s0
^ wlp3s0 should only show your wlp3s0 ip connecting to the airvpn server/port.
jnettop -n -i tun0
^ will show the tun0 ip connecting to site ip's ect.
 
Other than that if you're not getting openvpn startup or connection errors and all the ip/dns test are clean, run it.
 
 
-The only other thing I might add to that script or a script is a resolv.conf rewrite. Just making sure the dns servers are the air dns servers while the vpn is connected.

Yup np. jnettop is good stuff. 
If you toss it all in the terminator terminal its sexy time for linux lol.

 
-note my res and dpi are a bit wonky, downside to a large lcd.

What you're trying to do is theoretically possible but currently neither recommended nor supported by Tails. Before trying anything else, I would recommend taking a step back, getting a bit more familiar with Tails.

Read both the FAQ
https://tails.boum.org/support/faq/
and the documentation
https://tails.boum.org/doc/
 
Tails is a "live" distro, any changes you make will be gone upon reboot You can configure a persistent volume to store some changes you make but it's limited and very different from how you usually customize your OS Tails is meant to be an out-of-the-box secure, firewalled solution for exiting through Tor. Configuring a VPN on top would diametrically go against the design of Tails, you would potentially risk breaking Tails' secure setup.

Probably because they decided not to use women and children as suicide bombers, or fire rockets indiscriminately into civilian areas.
But this isn't really the place to discuss it. 

Tutorial: SSH-Tunneled VPN on Stock Android
 
0. Notes
 
- no proprietary / commercial apps required. FOSS only! (Free and Open Source Software)
- no root / custom ROM required
- tested on Android 4.4.4
- minimum requirement: Android 4.x
 
 
1. Required apps
 
- OpenVPN for Android
- ConnectBot (any advanced SSH client will work, )
- CyanogenMod File Manager (or pick any file manager you like)
I highly recommend installing all of these apps via F-Droid, a Free Open Source Software platform:
https://f-droid.org/

In order to install F-Droid, you may need to temporarily "Allow installation of apps from unknown sources" in Android's security settings.
 
 
2. Generate config files

Use the AirVPN Generator (https://airvpn.org/generator/) to create SSH config files for Linux (not Android).
Only pick one specific server.
Screenshot #1: http://i.imgur.com/FWcuXH2.jpg


3. Transfer config files
 
We only need 2 out of the 3 generated files:
    - sshtunnel.key
    - the .ovpn profile
 
Screenshot #2: http://i.imgur.com/p2L7T0l.jpg
Transfer both of them to your Android's sdcard.
Also, open the .ovpn file in a text editor and look for a line that starts with "route", it contains the server's IP - we will need it in step 5.
Example:
 
route 199.19.94.12 255.255.255.255 net_gateway
That's the IP we will need.
 
 
4. Import key file in ConnectBot

Launch ConnectBot. Go into menu and "Manage Pubkeys".
Screenshot #3: https://i.imgur.com/uGT3UgC.jpg
Import the sshtunnel.key file.
Screenshot #4: https://i.imgur.com/ZPYhI6V.jpg
 
 
5. Configure SSH connection in ConnectBot

Go to ConnectBot's main screen.
At the bottom of the screen, enter:

sshtunnel@199.19.94.12
(Notice, that's the IP we took note of in step 3).
Screenshot #5A: http://i.imgur.com/ludTDgv.jpg

If the default port 22 is blocked, you can try an alternative port by appending it at the end:
sshtunnel@199.19.94.12:80
or
sshtunnel@199.19.94.12:53

- Press Enter on your keyboard. It will try to connect and ask you to continue. Choose "Yes".
Screenshot #5B: http://i.imgur.com/UJNpB9n.jpg

- Cancel the connection, we need to configure it now.
Long-press the newly created connection and choose "Edit host".
Screenshot #6: https://i.imgur.com/n3OtM2D.jpg

- Change "Use pubkey authentication" to "sshtunnel.key".
Screenshot #7: https://i.imgur.com/CwfFSoO.jpg

- Disable the option "Start shell session"
Screenshot #8: https://i.imgur.com/l2niHqG.jpg
- Consider enabling the option "Stay connected".
 
 
6. Configure SSH port forwarding
 
- Go to ConnectBot's main screen.
- Long-press the new connection again, but this time choose "Edit port forwards". "Add port forward" with the following values:
 
Type: Local
Source port: 1412
Destination: 127.0.0.1:2018
Screenshot #9: https://i.imgur.com/TBnsKQx.jpg
- Press "Create port forward".
Configuration of the SSH connection is now complete.
- Go back to ConnectBot's main screen and tap the connection entry to establish a connection.
Leave the ConnectBot app using your "home" button.
 
 
7. Import OpenVPN config

- Launch "OpenVPN for Android"
- Tap the folder icon. In the "Open from" dialog, choose "File Manager"
  Screenshot #10: https://i.imgur.com/Nhc6fDa.jpg
 
- Pick the AirVPN_...SSH-22.ovpn file
- OpenVPN will present you with an "import log", tap the "Save" file to accept.
- You may want to dive into the new profile's settings,
go to "ROUTING" and enable "Use default route".
- in the ALLOWED APPS tab, find and select ConnectBot to exclude it from OpenVPN's routing
 
 
8. Start OpenVPN connection
 
- In OpenVPN's main screen, tap the VPN profile to establish the connection.
- Provided that the SSH connection is still running, OpenVPN will be able to connect. Congratulations
 
 
9. How to connect / disconnect from now on

When establishing a connection, always
- start the SSH connection first
- then launch OpenVPN
When disconnecting, always
- disconnect the OpenVPN connection first
- then disconnect SSH in ConnectBot
 
 
10. Thoughts on reliabilty and firewalling

If avoiding network leaks is important to you: be careful on Android, especially on unreliable mobile or WiFi networks that might cause the connection to collapse quite often.

I don't have a solution for this potential issue on stock Android, but if you're on a rooted device, you should absolutely consider installing AFWall+ (available in F-Droid).
AFWall+ allows you to firewall individual apps, restricting their network access to VPN-only.    
(You have to dive into its settings to enable VPN mode).
 
 
Finally: Good luck!

I have been able to connect via SSH with the following prerequisites:

- Cyanogenmod 11 (or any other rom that ships with command-line ssh client)
- OpenVPN for Android (available in F-Droid)
- Terminal Emulator (preinstalled in CM; available in F-Droid)
 
1. use the AirVPN generator to create config files for Linux (not Android!)
    - pick a specific server
    - choose SSH as connection mode
    - i recommend checking "Resolved hosts in .ovpn file"

2. run the shell script in your Android terminal emulator to make the ssh connection
3. import the .ovpn file in "OpenVPN for Android" and initiate the connection

Now, how do we get there on stock Android?
You can skip reading my following musings; I've figured out an easier way. Read the tutorial in my next post.
[EDIT: split for clarity - go to https://airvpn.org/topic/13486-ssh-tunneled-vpn-on-stock-android/?do=findComment&comment=24983 ]
 
It should be possible; none of the steps require root. The only problem is: While there are countless (GUI) SSH apps in F-Droid and the Play Store, you would need one that lets you
- use a key file for SSH authentification
- open a local listening port (ssh -L)

I do not use Google's Play Store on my devices so my own "research" stops there. If I were to try any apps - "Better Terminal Emulator Pro" looks promising as it includes a command-line SSH client.

If that app doesn't work or, like me, you don't want to use the Play Store, you might want to try KBOX2 in order to get a true cli ssh client:
http://kevinboone.net/kbox2.html
If I find some free time (and if KBOX2 turns out to be a viable alternative), I will write a follow-up post.
 
EDIT 1:
Apparently, ConnectBot (in F-Droid and Play Store) can handle key files and forwarding but I have yet to be able to get it to work.
EDIT 2:
1st road bump with KBOX2: It looks like the dropbear ssh client doesn't like our keyfile format. Solution: convert keyfile with "dropbearconvert":
dropbearconvert openssh dropbear sshtunnel.key id_rsa.db
(Install dropbear on a linux desktop, run the command, then change the AirVPN .sh script, swapping out "sshtunnel.key" with "id_rsa.db")
EDIT 3:
My KBOX2 experiment seems to work. I can't say for sure because I'm working in the Android emulator - which won't let OpenVPN create a tun device, but I don't see any connection-related issues... I'm fairly certain it'd work on a real Android device.
EDIT 4:
Alright, all this KBOX2 nonsense is unnecessary! ConnectBot can port-forward and use the keyfile too, much easier than setting up KBOX2. Read the tutorial below.

1. Adblocking:
An elegant solution would be to use a DNS server that blacklists ad/tracking networks. Maybe worth asking staff how they feel about providing an alternative configuration option.
 
2. IPsec:
As you mentioned the hash function, I assume you mean how reliable the cryptography/implementation of IPsec is?

The current consensus seems to be:
- IPsec itself is (probably) not broken yet
- NSA and friends attack it by:
    - stealing the keys off compromised servers / endpoints
    - breaking/brute-forcing weak key exchanges

Mitigations:
- PFS/Perfect Forward Secrecy (ask your provider)
- don't authenticate with Pre-Shared-Keys (passwords)
- if you have to use a PSK, at least choose one that's harder to brute-force

Detailed information on this topic:
https://nohats.ca/wordpress/blog/2014/12/29/dont-stop-using-ipsec-just-yet/
 
3. Fingerprinting on iOS:
Actually, fingerprinting on iOS should be a lesser issue when compared with desktop fingerprinting. iOS users using the default browser should all look alike, shouldn't they?
Same OS, architecture, browser, version, fonts, ..
Unless Apple grants access to unique device identifiers - which I believe they only do for apps, not websites.
 
4. Using Tor on iOS:
You didn't ask about it, but I'll share my thoughts anway.
Don't rely on any iOS app for strong privacy/anonymity. Fighting for freedom on a locked-down platform is a lost cause.
I'd still suggest taking a look at "Onion Browser" which utilizes Tor, but keep in mind that it's not endorsed by or in any way related to the official Tor Project.
Here's the developer's website: https://mike.tig.as/onionbrowser/
The last time I used it (years ago), it felt limited, but usable. The developer seems quite humble about what the browser can and cannot do, which is a good sign. They've also had a code audit last year.

There's another Tor-powered browser called "Red Onion" that I don't know anything about. However, I do know that the same developer also sells an app called "Fart Call" - ouch. 

1. Adblocking:
An elegant solution would be to use a DNS server that blacklists ad/tracking networks. Maybe worth asking staff how they feel about providing an alternative configuration option.
 
2. IPsec:
As you mentioned the hash function, I assume you mean how reliable the cryptography/implementation of IPsec is?

The current consensus seems to be:
- IPsec itself is (probably) not broken yet
- NSA and friends attack it by:
    - stealing the keys off compromised servers / endpoints
    - breaking/brute-forcing weak key exchanges

Mitigations:
- PFS/Perfect Forward Secrecy (ask your provider)
- don't authenticate with Pre-Shared-Keys (passwords)
- if you have to use a PSK, at least choose one that's harder to brute-force

Detailed information on this topic:
https://nohats.ca/wordpress/blog/2014/12/29/dont-stop-using-ipsec-just-yet/
 
3. Fingerprinting on iOS:
Actually, fingerprinting on iOS should be a lesser issue when compared with desktop fingerprinting. iOS users using the default browser should all look alike, shouldn't they?
Same OS, architecture, browser, version, fonts, ..
Unless Apple grants access to unique device identifiers - which I believe they only do for apps, not websites.
 
4. Using Tor on iOS:
You didn't ask about it, but I'll share my thoughts anway.
Don't rely on any iOS app for strong privacy/anonymity. Fighting for freedom on a locked-down platform is a lost cause.
I'd still suggest taking a look at "Onion Browser" which utilizes Tor, but keep in mind that it's not endorsed by or in any way related to the official Tor Project.
Here's the developer's website: https://mike.tig.as/onionbrowser/
The last time I used it (years ago), it felt limited, but usable. The developer seems quite humble about what the browser can and cannot do, which is a good sign. They've also had a code audit last year.

There's another Tor-powered browser called "Red Onion" that I don't know anything about. However, I do know that the same developer also sells an app called "Fart Call" - ouch. 

How are sites likes Deepdotweb supposed to know how trustworthy any given VPN provider is?
(They can't even get their facts* straight.)
On a scale of journalistic quality I'd even rank naïve-sensationalist TorrentFreak higher than Deepdotweb. In some way, I'm even happy that AirVPN won't get a lot of traffic from these places.
 
Again, kudos to AirVPN for not participating in advertisement campaigns on such sites. Not finding any bullshit marketing or "sponsored" reviews was one of the main reasons that I ended up here.



* When judging trustworthiness of VPN providers, you don't deal with facts. This is all you have available:
- unverifiable claims by the provider
- the provider's track record, history, milieu and behavior
With this limited set of information, you draw your conclusions. Which don't quite fit into a spreadsheet.

IRC: I am against Freenode because they discriminate against Tor users. Oddly enough, "Anonops" has an even worse Tor policy! From the instructions on their site on how to connect via Tor: "You must have a registered nick which has been active for 3 days on our network."
OFTC has none of these restrictions, allowing channel mods to decide on their own Tor policy.
 
XMPP: My guess would be that IRC is still more popular, but I like the idea! I'll be idling in lounge@conference.xmpp.airvpn.org

How are sites likes Deepdotweb supposed to know how trustworthy any given VPN provider is?
(They can't even get their facts* straight.)
On a scale of journalistic quality I'd even rank naïve-sensationalist TorrentFreak higher than Deepdotweb. In some way, I'm even happy that AirVPN won't get a lot of traffic from these places.
 
Again, kudos to AirVPN for not participating in advertisement campaigns on such sites. Not finding any bullshit marketing or "sponsored" reviews was one of the main reasons that I ended up here.



* When judging trustworthiness of VPN providers, you don't deal with facts. This is all you have available:
- unverifiable claims by the provider
- the provider's track record, history, milieu and behavior
With this limited set of information, you draw your conclusions. Which don't quite fit into a spreadsheet.

Dear Staff,
There must be a way to do it, probably manually with a ticket.
 
Here are examples of "neighbours" that have custom PTRs:
 
http://bgp.he.net/net/199.19.95.0/24#_dns
 
 
if the hosted-by* PTRs can be cleared out, it can only do good for the users that don't want a hosting PTR to appear in website logs.

Actually WebRTC/STUN can use the help of ALG and UPnP functions of consumer routers in order to get that information.
Thats why they are generally unsafe, since those features are either on by default, or have a very non-intuitive way to disable them.
 
There are some workarounds for disabling this on Chrome and Firefox, but if you want a more global secure solution just disable those router features.
Also, STUN works on port 3478/udp, you might want to block that with a rule, if all the above fails.

See https://diafygi.github.io/webrtc-ips/

without noscript this site did indeed see my real WAN IP address.
I you're using Firefox, set 'media.peerconnection.enabled' to false to prevent it.

IRC: I am against Freenode because they discriminate against Tor users. Oddly enough, "Anonops" has an even worse Tor policy! From the instructions on their site on how to connect via Tor: "You must have a registered nick which has been active for 3 days on our network."
OFTC has none of these restrictions, allowing channel mods to decide on their own Tor policy.
 
XMPP: My guess would be that IRC is still more popular, but I like the idea! I'll be idling in lounge@conference.xmpp.airvpn.org

You have to differentiate between using Tor and running Tor server infrastructure:
Using Tor cannot and will not lead to sites blocking AirVPN servers. It is, as you said, a legitimate use of AirVPN.
However, running Tor servers through AirVPN is nonsensical.
Not only does it cause disruption for other Air users, AirVPN already runs/sponsors dedicated Tor exits which are much faster than any of the exits that have been run by users through AirVPN.
https://airvpn.org/mission/
 
 
 
It's the only solution available.
No matter what VPN provider / proxy / onion routing service you use, it always means that you're using a shared connection to the internet. You will always face these kinds of problems.
 
Yes. Make your point in a friendly manner. Tell them how and why their anti-spam/ddos measures are inefficient and what side effects they cause for privacy-aware users like yourself. If they don't react at least sympathetically to your cause, find a better resource for what you're looking for - they obviously don't care about their users so why should you care abot them?

IRC: I am against Freenode because they discriminate against Tor users. Oddly enough, "Anonops" has an even worse Tor policy! From the instructions on their site on how to connect via Tor: "You must have a registered nick which has been active for 3 days on our network."
OFTC has none of these restrictions, allowing channel mods to decide on their own Tor policy.
 
XMPP: My guess would be that IRC is still more popular, but I like the idea! I'll be idling in lounge@conference.xmpp.airvpn.org

I like the idea of an AirVPN "chat lounge" of some sort. However, I wouldn't choose Freenode for two reasons:
- restrictive Tor policy (you can't connect via Tor unless you're registered, which they don't allow you to do via Tor).
- they've blocked AirVPN (and other VPNs) in the recent past:
https://airvpn.org/topic/9399-freenode-bans-airvpn-users/

The OFTC network - also the home of Tor's channels - might be a better fit, what do you think?

In any case, for such a channel to "take off" AirVPN would have to mention it on its site, so let's hear how staff feels about an IRC channel.

When they stop using bot detection scripts apparently written by halfwit interns I'll jump on that bandwagon with you. And the mass blacklisting of ip blocks doesn't = security. At best it minimizes some bot traffic.

I like the idea of an AirVPN "chat lounge" of some sort. However, I wouldn't choose Freenode for two reasons:
- restrictive Tor policy (you can't connect via Tor unless you're registered, which they don't allow you to do via Tor).
- they've blocked AirVPN (and other VPNs) in the recent past:
https://airvpn.org/topic/9399-freenode-bans-airvpn-users/

The OFTC network - also the home of Tor's channels - might be a better fit, what do you think?

In any case, for such a channel to "take off" AirVPN would have to mention it on its site, so let's hear how staff feels about an IRC channel.

10.4.0.1 should be reachable regardless of connection method (port / protocol).
The full list of internal addresses can be found at the bottom of this page:
https://airvpn.org/specs/

The question mark is related to NetworkManager's connectivity check.
Periodically - and whenever a connection's status changes - NetworkManager tries to contacts a website. If it doesn't get an "OK" response, the question mark appears.
This means that there's either no connectivity at all or there is connectivity but DNS doesn't resolve.
On a side note, for F21, the config file for the connectivity check can be found at:
 
/etc/NetworkManager/conf.d/20-connectivity-fedora.conf Steps you should take:
1. connect to VPN
2. run
ip addr | grep tun0 and see if your tun0 has been assigned an "inet" address (10.x.x.x)
3. run
ip route the first line should be a default route pointing at the VPN device:
default via 10.x.x.x dev tun0 (..)
4. run
cat /etc/resolv.conf to see what DNS servers you're using. For testing purposes, you can edit this file directly (changes take effect immediately). For persistent changes, you would need to edit the NetworkManager (Air)VPN connection profile to put in the correct AirVPN DNS server 10.x.0.1 - example: If your tun0 address is 10.4.x.x, the DNS IP would be 10.4.0.1, if it is 10.7.x.x, the DNS IP would be 10.7.0.1.)

5. check your firewall rules.
firewall-cmd --direct --get-all-rules Compare them to my current rules:
I grayed out those rules that shouldn't be of any importance with regard to connectivity.
For the sake of brevity, I also deleted all but one AirVPN entry server rules. The one I left in there (192.96.200.18) would allow you to connect to Arrakis. The numbers you see after INPUT/OUTPUT indicate rule position/priority. I haven't actually tested if it makes a difference but AFAIK, DROP rules should be added last, that's why you see 999 in my rules. Read "man firewalld.direct", the "priority" section and the "EXAMPLE" a bit further down in that document.


6. Lastly, you can also investigate
 
journalctl -x -u NetworkManager --since=-10minutes which will show you all NetworkManager logs (including the openvpn module) of the last 10 minutes.


Important note:
If you can't resolve the problem on your own, it would be helpful to see the output of all the commands I mentioned above BUT:
Inspect all output before posting it. Remove, if you find any, identifying info like: non-local/non-AirVPN IP addresses, host names, MAC addresses, ...

Greetings,
 
After numerous tests with 2 different VPN providers ( including AirVPN ) I've come to the conclusion that Shaw ( a prominent Canadian ISP ) is throttling UDP/TCP VPN traffic.
 
My internet plan is for 50Mbps of which I get roughly 48Mbps on speedtest.net while connected via UDP or TCP VPN to Canadian/USA servers or any countries for that matter i'm locked at 3.5Mbps consistently some times 4Mbps.
 
The only solution I was able to find was a service that seems only few VPN providers offer ( AirVPN being one of them ) is SSL Tunneling, after using SSL Tunneling I was able to get 20 - 30Mbps ( of which I find acceptable as download managers can improve this )
 
Just wanted to share this tid bit of knowledge with any other AirVPN Canadian subscribers.
 
Thanks and have a great day !