
Showing results for 'china'.


Found 446 results

  1. There is a better idea, and it can actually be suitable cross-device as an extra benefit. Most of the residential connections in China are sub-2Mbit/s, so this means you can take a TP-Link MR3020, flash OpenWRT+OpenVPN on it and enjoy those speeds behind a NAT connection with a full-VPN access point. A RaspPI A/B+ can give even better throughput. The benefit from this implementation is great, you are not device dependent, and this small USB box can do faster crypto than an average iOS/Android device. Of course you can also connect a laptop or a whole LAN behind it, a RaspPI can handle a stable OpenVPN link with SHA1+AES256 (AirVPN) at about 2-4Mbit (300-500KBps). Also, read this post with live benchmarks: http://www.tuug.fi/~toni/blog/?p=69
  2. I always suggest SSL when dealing with China or similar circumstances. Not sure if iOS has an app to do SSL tunneling, but check out SSLDroid for Android and see if iOS has something similar as that does what you need. Then use a vanilla OpenVPN client through the tunnel. You might get away with SSH tunneling, if it is better supported by iOS apps. Failing that, maybe share connection from an OS that can do this. The Great Firewall has more recently been cracking down on OpenVPN. These are 2 methods supported by AirVPN to try to beat it.
  3. Hello All, Do you have any suggestions for somewhat-reliable connection to AirVPN servers using iOS devices in China? I ask this because OpenVPN connections over land-based ISPs barely work here without an SSL tunnel. Connection to servers using SSL tunneling through Eddie works great... but that's only for Linux/MacOS/Windows. Here are the ideas I have so far; can you please add if you have any suggestions? 1. Connections over cell service are much more reliable than land-based ISPs. The downside here is that I have to use my data plan, and doesn't work with my Wifi-only iPad. 2. I could hardwire a laptop to my router then try to share my connection through wifi with my iOS devices once the SSL tunnel is established. Has anyone tried this? This of course would only work when I'm at home. That's all I can think of. Any ideas? Thanks!
  4. I am now in Central China. My ISP is China Telecom, with which I can only use SSL tunnelling. With the SSL option AirVPN connections to all servers are sometimes not even usable. The speed is so slow that I can't even open a webpage.
  5. Hi @Killacam, my experience is the same. The IPs for HADAR are very well-known, and have been in place quite a long time. So SSH connections (at least) to these IPs are pretty comprehensively blocked from the mainland. But it seems to me that despite having the best VPN solution for mainland China users, AirVPN isn't really interested in doing anything about it. If you want to keep using AirVPN, just use a more distant access point.
  6. They've only had issues in the USA before, and I've always used UK servers to torrent. I would personally say the UK servers are definitely fine - not sure about Singapore though, I'd probably avoid as they have a limited choice of hosts and other users that are censored in China etc will need those. For the most part, I wouldn't worry about what servers you are using. After all, AirVPN pride themselves in allowing you to do anything on any server, don't change it.
  7. Additional Step #27: Put Skype in an Apparmor Box

    If you must install Skype (do you really need it?), put this hostile binary in chains. Follow these steps for Linux: https://airvpn.org/topic/15181-how-to-put-skype-in-a-box-linux/

    Additional Step #28: Create a Hardened Firefox Profile

    Follow the instructions here to create a new user.js profile that tears out a couple of hundred (?) privacy/security related weaknesses in FF 41.0.2: https://airvpn.org/topic/15769-how-to-harden-firefox-extreme-edition/

    Additional Step #29: Securely Configure Thunderbird for Desktop Email & Create a 4096 bit PGP Encryption Key-pair

    RESOURCES

    - https://www.futureboy.us/pgp.html
    - https://ssd.eff.org/en/module/how-use-pgp-linux
    - https://www.securityinabox.org/en/guide/thunderbird/windows
    - https://alexcabal.com/creating-the-perfect-gpg-keypair/
    - https://www.gnupg.org/faq/gnupg-faq.html
    - https://micahflee.com/2014/06/the-universe-believes-in-encryption/
    - https://prism-break.org/en/subcategories/gnu-linux-email-accounts/
    - http://www.prxbx.com/email/
    - https://support.mozilla.org/en-US/kb/configuration-options-security

    INTRODUCTION

    Edward Snowden was recently quoted as acknowledging people must take back their universal human rights with the power of mathematics (encryption), rather than wait for hopelessly outdated laws - and corrupt political systems - to be reformed:

    Thus, let's look at the basic steps to configure Thunderbird desktop email client securely on your new GNU/Linux system and use the laws of the universe to our benefit. It is relatively simple to create a strong PGP encryption key-pair for your email account to at least protect its content and attachments, but unfortunately not its meta-data.

    INSTALL THUNDERBIRD / GnuPG / ENIGMAIL

    - Thunderbird is your desktop email client - a modified Firefox browser
    - GnuPG is the software which uses the open PGP encryption standard
    - Enigmail is the plug-in for Thunderbird which will allow us to encrypt/decrypt and digitally sign emails

    In Linux Mint, run the following in a terminal:

    For Debian users, Icedove is simply rebranded Thunderbird, so you can run:

    Debian users can just replace 'Thunderbird' with 'Icedove' in the following instructions and everything should still work okay.

    CREATE A PSEUDO-ANONYMOUS EMAIL ACCOUNT

    As recommended by prism-break.org:

    So, choose an alternative from the following list that preferably is free, is accessible via free mail clients, strips IP in sent mail/server logs, has encrypted data storage, a good SSL rating and other features you like. It is even better if you can create a new account via Tor; not all providers will allow this. http://www.prxbx.com/email/

    Use a 7-word (minimum) diceware passphrase for your password. Do not choose anything in the email account name that is linked to you or identifies you or your preferences/history/background in any way. For example, ManchesterUnitedFan@xyz.com is bad opsec.

    * Don't forget that common providers GMail, Yahoo and Hotmail are all part of NSA's PRISM program, meaning your shit goes straight to the Death Star. Choose not to be assimilated. Setting up Thunderbird with gmail also requires special settings due to two-factor authentication. See: https://support.google.com/mail/answer/1173270?hl=en

    ADD NEW EMAIL ACCOUNT

    When you run Thunderbird the first time, it can set up existing email addresses for most popular free email services. When it offers a new email address, select:

    Enter your new (fake) name, email address and diceware passphrase. Uncheck "Remember password" and hit 'done'.

    If you are lucky, your configuration will automatically be found in the Mozilla ISP database and you will be faced with the choice of IMAP (remote folders on email server) or POP3 (mail is kept on your computer). Most users will want to use IMAP, since it is generally considered more secure and will allow many different email clients or interfaces to access emails on remote servers, rather than the inconvenience of one computer. Further, IMAP eliminates the risk of a stolen/lost laptop with a treasure trove of emails inside.

    If you need to manually set up your account, check with the provider's website re: standard SMTP and IMAP settings. You will need to know for IMAP:

    For SMTP (outgoing server), you'll need to know:

    STRENGTHEN GENERAL THUNDERBIRD SECURITY SETTINGS

    1. Disable "Global Search and Indexer" feature to optimize performance:
    2. Disable the Preview Pane (can trigger malicious code in emails):
    3. Disable HTML (threats similar to malicious web pages):
    4. Under Menu | Options, click the security tab and check box for 'suspected email scam'
    5. Confirm remote content is turned off (this is the default setting). Remote content leaks details about what app/platform you are using, your current rough IP approximation, that your email address is active ('alive'): If the Allow remote content in messages checkbox is ticked, UNCHECK IT.
    6. Don't use Thunderbird for anything else but email i.e. no browsing, news groups etc.
    7. Configure what should happen to messages flagged as junk (for an account) - set to trash can and immediately delete on remote server:
    8. Consider setting SpamAssassin or SpamPal headers for junk mail filtering*

       * Possible risk on Fedora/FreeBSD with setuid set to root? Check manually.
    9. Configure what should happen to messages flagged as junk (for local folders - set to immediately delete as best practice):
    10. Under Account Server Settings, check "When I delete a message - Remove it immediately" & "Message Storage - Empty Trash on Exit":
    11. Configure Cookies (you shouldn't need this, as you won't be browsing with Thunderbird, but set it to kill cookies anyway): Specify which sites are allowed to set cookies (none):
    12. View or delete passwords for email accounts:
    13. (Re)configure any encryption settings for sending messages that you don't like (for the selected identity once it is set up by the Wizard):
    14. Do NOT synchronize or store messages for the account on your local computer (this is the default setting)
    15. Do NOT send return receipts (potential privacy/security risk):
    16. Debian users should enforce the icedove apparmor profiles that ship with Jessie by default (check the profile names, I'm guessing here)* e.g:

       * Advanced users can port this profile to Linux Mint by making minor changes to the available Icedove apparmor profiles (don't reinvent the wheel). If so, post it here in the forums so we can all use it. Hint, hint: OmniNegro, Troubadour, Mirimir and other geniuses....

    CREATE A 4096-BIT ENCRYPTION KEY

    Now we have a fresh email account, a strong passphrase and a solid email client to work with. We should check GnuPG was successfully installed, our Enigmail add-on is present, and we can create a suitably large encryption key to protect our future communications and attachments at our leisure.

    All going well on your first run of Thunderbird, you will be offered an Enigmail Setup Wizard to allow for the creation of keys. If not, click on the 'hamburger menu' (three horizontal lines button in top right of screen) and manually select "Enigmail" -> "Setup Wizard". If this is not present, select 'Add-ons' from the same hamburger menu and re-install Enigmail. Also double check that GnuPG is found by Thunderbird under the /usr/bin/gpg folder (see Enigmail preferences tab to confirm).

    Wizard basic steps:

    1. Choose "Convenient auto encryption" or "Don't encrypt messages by default"
    2. Choose "Don't sign all my messages by default"*
    3. Allow Thunderbird to change default settings to make Enigmail work better (disables flowed text, view message body in plain text, never compose HTML messages)**
    4. Review changes and select OK button.

       * Encryption protects content, but digital signing confirms that the contents of the message were not tampered with in transit and that the sender is not an imposter. NOTE: It is dangerous to signal to others that you use PGP (even with signing only) in parts of the world where encryption for personal use is illegal e.g. China, Iran, Belarus, some Middle-East states.

       ** HTML can cause problems in encryption/decryption of your email. However, you lose the ability to send bold, underlined, coloured text etc.
    5. Select "I want to create a new key pair for signing and encrypting my email" (since we have a fresh new account and don't wish to import existing keys)
    6. Choose a very strong passphrase for your new encryption keys - a 10 word diceware passphrase (approximating 400 bits+ in strength) should keep the computers at bay for a while
    7. Choose a 4096 bit length key and lifespan of 5 years (should be set by default)*

       * If you think that in your life-time, you won't lose your key, stop using PGP, or allow hostile/malicious parties unauthorised access to your private key, then by all means extend this lifespan to a greater length or even "never expire"
    8. Key generation can take several minutes to complete at this stage. Well done! You have generated your private-public encryption keys (stored in the browser).
    9. When it has finished, confirm that you DO want a revocation certificate for your key (if you ever lose your key or want to revoke it, this certificate is essential). Save the revocation certificate in a safe place e.g. USB or encrypted disk and back it up.

    KEY IDS

    1. Identify both your short (8-digit), long (16-digit) and key ID fingerprints (40 digit) by selecting "Key Management" under Enigmail options.
    2. Your name, email and short "Key ID" will be displayed by default. The short (public key) ID will be something like:
    3. Select the small button next to the "Key ID" column and choose "Fingerprint".
    4. Drag the width of this column to display your last 16 digits of your ID, and then your entire 40 digit fingerprint. Your ID should look something like:

    Note that the long and short key IDs (of any key) are just the last 16 or 8 digits of its respective fingerprint.

    OPTIONAL STEP - INCREASE THE STRENGTH OF YOUR PGP ENCRYPTION KEYS

    * This also means that if you're encrypting to several people at the same time, you can only use the strongest algorithm that the weakest person uses!

    1. View gpg algorithms supported by gpg in terminal: The output will look something like:
    2. Modify your public key's preferences by interactively editing your key:
    3. At the gpg prompt, check your current algorithm preferences with: You will see something like: Protocols listed first are used first.
    4. Set far stronger preferences with the setpref command.*

       * This decision is informed by personal preferences for stronger hashes and more modern ciphers as per the GnuPG FAQ sections 7 & 8. Choose your own poison if you are not happy with the above selections.
    5. Enter your encryption password to confirm your updated choice of algorithms. Check that it worked by entering the command:
    5. Enter the command: To make your changes permanent.

    BEFORE SENDING ENCRYPTED EMAIL

    Learn from the resources list how to:

    - Send your public key as an attachment to an email
    - Import a correspondent's public key
    - Validate and sign a key pair safely (does the key really belong to the person who supposedly sent it? You MUST check digital fingerprints with each other over VOIP or similar first!)
    - Search for keys on the public key servers attached to specific email addresses
    - Upload a public key to a key-server (not generally advisable)

    Learn about critical encryption practices: https://www.futureboy.us/pgp.html#GoodPractices

    WARNING

    - Meta-data is not protected by encryption! Subject lines, times/dates of emails etc are vulnerable!
    - Using inline PGP for attachments sends the names of the attached files in clear text!
    - Use PGP/MIME option to ensure all email text, attached files and their names are encrypted and hidden
    - Encryption AND digital signatures are necessary. Without signing, you can't be sure if someone is the 'real sender' they claim to be (could be spoofed) and whether the message has been tampered with on its way through the Matrix!
    - Your private key is precious. Don't export the public-private key pair and have it sitting in your home folder or somewhere else retarded. If it is lost, stolen or likely fiddled with by an adversary, consider the keys tarnished, and start all over again (revoking the old pair).
    - PGP is far safer from the terminal than from a GUI and Enigmail CAN be buggy. If you don't want to run a fancy plug-in that poses more attack vectors and potential data leakage than necessary, then manually encrypt/decrypt your messages and attachments from the terminal with this simple guide: https://www.futureboy.us/pgp.html#ManuallyEncrypting
    - Standard attachments encrypted with PGP/MIME or S/MIME can fail or be lost if the recipient's email client can't handle them! Prevent this possibility by using ASCII-armored OpenPGP blocks in the email body, so any email client can handle it. For example, at the terminal:

    Best of luck!
  8. Staff

    UK - Virgin

    We cross-checked the reports of dozens of our customers with Virgin Media UK, asking them to resolve "airvpn.org" on two of Virgin DNS servers. Since all the reports matched exactly throughout one year, we can safely assume that the reports are reliable. It is also worth mentioning that DNS poisoning of airvpn.org is intermittent, and when contacted directly about the issue, Virgin Media responded to us that it was a technical problem, totally unintentional. How are we supposed to know? All in all even the cyber workers of the government of China are interested in our web site, not only with DNS poisoning but also IP blocking. Who knows, maybe it's really just an obscure technical error that re-occurs periodically. Kind regards
  9. I'm currently in China and use airvpn. According to iplocation.net and similar sites, it seems like I'm browsing from Europe. The issue is that local (Chinese) banners occur when I open some of the European sites. I've tried everything I could think of - history, cookies, etc have been removed on several occasions, computer and browsers restarted as well, while the VPN browsing is always performed in a private window. In addition, I often get the local search results. Tools like Chrome's "Close All & Clean" also don't help at all in this case. Does it mean that this VPN is not functional and are there any steps to resolve this issue? Or should I not be worried at all? Thank you
  10. Connections from several places and several different ISPs within mainland China to HADAR continue to be either blocked or very unstable. SSH tunnelling to other servers works, but there can be a big performance penalty. As a newbie, I'm uncertain how to get some attention within AirVPN to the HADAR issue. Any advice anyone?
  11. It amuses me to use a vpn server in Hong Kong (Hadar) because HK has its own legal system and policing, but also connections back to the British colony days, and national security and "political stability" the responsibility of the People's Republic of China. So it is a sort of "no man's land"/"contested territory"/"buffer state" between US/EU and China. Both "camps" are against Islamic terrorism, so am I. There used to be a cartoon series (in Mad Magazine ?) called Spy vs Spy, and I can imagine them searching for and stealing each other's spyware, and substituting it with counterspyware, etc. Good for a bigger budget next year, and promotions, eh agency boys and girls ;-) ?
  12. No, it doesn't depend on your tin foil hat, it depends on principles. Well, I "trust" AirVPN slightly more than my internet providers, but that's about it. I don't foster any false belief in VPN providers, where did I give this impression? I recommend Tor instead of VPNs every chance I get. Responding point by point: 1) I don't care where your OpenVPN Connect originally came from. It's distributed as proprietary software on a proprietary platform, containing who knows what, bound to all kinds of crazy clauses and restrictions. I don't use proprietary apps or proprietary platforms. I know exactly where my OpenVPN is coming from - compiled from source myself or compiled by someone who I have solid reason to trust. Give me one reason why I should trust Apple's platform with that task. Especially given all the recent hoopla about mandatory government crypto backdoors. iOS app installations are bound to your account. If you're personally targeted, it's very easy to deploy backdoored versions exactly and only to your account. This alone should be reason enough to avoid any sort of personalized app store. 2) "who cares" means you don't care. I do. If I use inherently untrustable applications on top of my VPN usage, everything I did was for nought. 3) In today's age, everyone is a suspect. Just talking about VPNs or Tor makes you a suspect. If your government cares about Tor, they also care about VPNs - see China. We weren't talking about avoiding being a suspect, but avoiding OpenVPN-blocking firewalls. Tor may sometimes be a way to accomplish that. I wasn't saying anything more or anything less than that. 4) Not sure what you mean by "reliable". Yes, AirVPN has been reliable for me. Mobile networks have not and that's why I use Tor on mobile instead, because in my experience, Tor handles network hiccups more gracefully than OpenVPN. Nothing more, nothing less. 5) True. Where exactly did I claim otherwise? Who torrents on a mobile data budget? 
6) Agree, exactly what I said. Jailbreaks eke out a little bit of configurability on a hostile platform, at the cost of security. And at the cost of exploring alternative platforms instead. 7) I know about their audit. Great they fixed bugs, but what about all the security holes since freakin' March this year? I mean, great, they had their source code audited - but how do you know the audited source code equals your binary obtained from the app store? You don't and you can't. Also, the Onion Browser developer might be in contact with Tor Project, but they certainly are not involved. On Tor Project's site, there is an official reference to Orbot. None to Onion Browser or iOS (for good reason). Onion Browser is in no way condoned, recommended or referenced to by Tor Project. 8) Anonymity on mobile platforms is a hard problem to solve. That's why you haven't seen an official mobile version of Tor Browser. That's why you will never see an official version for iOS, especially if you take into consideration the licensing problems I mentioned. Guardian Project's Orfox for Android is on its way, though.
  13. Hi, I use a public AP which I believe it only allows http and https traffic because I am unable to connect to any VPN. I tried all ports on TCP and UDP and OpenVPN over SSH (failed to connect to ssh). I don't know how to setup OpenVPN over SSL on Android so that's because I didn't try it yet. Any suggestions? P.D: airvpn.org is blocked but airdns.org isn't. My ovpn has its server's IP on it. The AP is made by Cisco (who helped China to make the GFC). PPTP is also blocked. Greetings.
  14. With a fast internet connection and tools like Masscan, it only takes anywhere from a few minutes to a few hours to scan the entire internet for open ports. This means that you can expect every port that's open to the internet to see some unexpected traffic rather sooner than later. That, in itself, is nothing to worry about unless you're running vulnerable services or weak authentication. You might have picked a port especially interesting to some scanners, which may explain why you haven't seen such activity on your other ports (yet). The connection attempt you saw is not related to APNIC, they are just the registry for that block of IPs. Here's the actual whois info for your IP: netname: UNICOM-BJ descr: China Unicom Beijing province network Some trivia: Besides the private bulletin board on port 443 (~ 20.000 registered users), the Linux server at IP 221.220.155.170 runs a number of other services: SSH, FTP, VNC, Telnet, and a Synology web interface. Looks like someone's personal server to me, or perhaps a server shared by a number of people. The FTP server greets you with a somewhat amusing message: 220 PLS DISCONNECT IF U HAVE NO IDEA WHERE U R AT!
  15. HADAR is still very flaky. AirVPN works very well to other servers, excluding ANTARES in Singapore. But you pay a performance penalty because of distance. HADAR again seems to have high packet loss and excessive ping times from within mainland China.
  16. Guess what? As of yesterday sometime, HADAR works from mainland China, at least some places! Very good!
  17. Hi Staff, and thank you for your response. I totally understand the DSIBAN withdrawal, and am not suggesting you reverse that decision or change your mission-based policy. I support it and this is one reason I am an AirVPN user. If you read what is said, I suggested some ways of making HADAR more useful from within mainland China. SSH connections to HADAR are blocked, on both the primary and secondary IPs, from at least some major cities in mainland China. Could you please review my suggestions below? submergency
  18. Do you notice how low the utilisation is on HADAR? It has the best ping times and lowest utilisation of any server close to mainland China, yet seems to never have very many users. I'm a developer and tech supporter who commutes in and out of China. Ever since I started spending a significant part of my working life in China, a couple of years back, I've been using various VPN offerings. I've watched the Darwinian struggle between the Great Firewall and VPN providers with interest. As a developer, I need access to GitHub and Google infrastructure, both of which are generally pretty comprehensively blocked on the mainland. So being able to find VPNs that work is a very important health factor for my stomach-lining. I have come to realise that the issues with VPN-use in China are considerably more nuanced than most people (and VPN solution providers) often understand. It depends very much on your ISP, for instance. Especially if you are using mobile cellular or mobile wifi, it will be easier to get at the outside world than if you are on a large corporate, academic or government network. Also your geographic area influences things a lot. There are different policies on net access say in Shenzhen or Shanghai than in many other areas. The GFW isn't really a firewall. Traffic doesn't traverse a minimal set of GFW gateways in and out of China. There is enormous central logging. Some of the best big data work is being done in China today for not totally unrelated reasons. But that is an asynchronous data feed that is analysed later, not in real time, and not in a way that impacts the performance of the traffic in and out of China. 
The GFW is mostly implemented in a distributed fashion at the local ISP / POP / gateway router-level, through DNS poisoning and routing rules, which are updated based on automated and manual research, based on the outputs of a range of tools, including deep packet inspection and other techniques, carried out by a large and clever and competent group of people. The GFW uses deep packet inspection out of a desire for maximum control and minimum disruption. For instance, the way that un-stealthed OpenVPN connections are generally blocked is through DPI detection of OpenVPN starting a TLS authentication negotiation. There is an idiosyncratic signature that identifies the traffic as an OpenVPN session starting up. Depending on local policies, routers may be programmed to temporarily block source ips that offend. The problem is, the other favourite method of blocking VPNs is through protocol / port / ip address specific blocks. If you look, HADAR, the Hong Kong-based natural choice for AirVPN users in China, is usually very lightly loaded. This is because it is generally impossible to successfully establish an SSH session to either the primary or alternate IP addresses associated with HADAR from within mainland China. Same with the Singapore-based ANTARES. AirVPN will quite happily try over and over to open the SSH session, taking ages to time out of the SSH set-up, but never moving down the list. You have to manually block the ones that don't work, hence, I suggest, the low load on HADAR. As far as I can see, at least for the geographic locations available to me, no-one on the mainland can successfully use SSH / OpenVPN into HADAR. I bet the majority of actual HADAR users are Hong-Kong-based. AirVPN currently has a major competitive advantage. To the best of my knowledge, nobody else effectively automates the use of OpenVPN inside an SSH or SSL tunnel. VPN use in China is enormous. So much of China's economy relies on export and international trade. 
These businesses are very extensive users of VPN connections. Business VPN use hasn't a lot to do with politics, it's to do with international trade and finance. In the mainland Chinese context, AirVPN also has a major competitive disadvantage. Because of AirVPN's POP selection strategy, as a GFW target, AirVPN POPs keep very, very still. Entry IPs are public and few, and also apparently stable. They don't change. They are easy to find out - just look in the DNS. The result is that for mainland China AirVPN users, HADAR and ANTARES are old and well-known GFW targets and consequently largely useless. This is why DSIBAN in South Korea was important. For various reasons, mostly to do with entertainment and media, there is enormous bandwidth between mainland China and South Korea. So DSIBAN performed beautifully for users coming from inside China. Because it was new, the GFW apparently hadn't been updated yet to block it. I re-examined the problems with HADAR, and confirmed that from several major cities in China, HADAR use through SSH is currently blocked. It's sooo frustrating! The best VPN for use in mainland China, at the moment, is crippled performance-wise, because you have to go half way around the world to find an accessible server! As far as I can find out, most VPN users in China use VPN POPs in Hong Kong, Taiwan, Japan, South Korea, Singapore and Malaysia. So it seems to me that AirVPN must be losing out on a major piece of the very very large market for VPNs in mainland China. I wish that AirVPN would find a way of having a much more dynamic and extensive set of alternate entry IPs for its POPs. Also, consider the possibility of not making it so easy to find out what IPs are currently in use, like via the public DNS. That would make it a much more difficult target, and therefore much more resilient and useful for users in China. 
If AirVPN wanted to try an experiment, it could find a way of changing the primary and alternate entry IPs on HADAR, say once a week, for a few months, and see what happens to the utilisation level. It doesn't have to be very dynamic to work, since the GFW research and update process is not that fast. If there is anything I can do to help with testing or whatever, I'm absolutely up for it. I have a vested interest, you might say.
  19. @submerged: Very interesting with an inside POV of Air's service vs China's Great Firewall. I see you understand and agree with the fact that Air can't really afford to start enlisting data centers that perform censorship since it would ruin their reputation as a VPN company with stellar integrity. Their attempt at a South Korean server shows that they are trying to get a new server up in the region though, so hopefully they will find a country and a company that is compatible with Air's mission of net neutrality
  20. This topic set me using https://startpage.com and searched for "ip proxy" and used the https://ixquick-proxy.com link to look at the ip proxy services. So now I am wondering about if the AirVPN client Eddie accepted a user selected proxy ip address (in dot notation) to set up a https outer tunnel - around the usual openvpn functionality, and the client check of account status to airvpn. Seems it should allow more options to get around ip address blocking, and hide vpn inside https port 443. Probably poorer performance for "p2p pirates" but useful for people in China, Australia, Turkey, India, S Korea ... with paranoid/puritanical/corrupt state apparatus. FU Rupert, Tony.
  21. @FromTheWalls, I'm a developer and tech supporter who commutes in and out of China. If I'm not in China, I'm in Australia. You might say I'm an Australian who commutes to work in Tianjin. Ever since I found I had to spend a significant part of my working life in China, I've been using various VPN offerings. I believe I could write a competitive evaluation of the major ones in use in China quite easily. I've watched the Darwinian struggle between the Great Firewall and VPN providers with interest. I have come to realise that the issues with VPN-use in China are considerably more nuanced than most people (and VPN solution providers) often understand. It depends very much on your ISP and their compliance with Chinese policies and software. Especially if you are using mobile cellular or mobile wifi, it will be easier to get at the outside world than if you are on a large corporate, academic or government network. Also your geographic area influences things a lot. It is different using the net in Shenzhen or Shanghai than in many other areas. The GFW uses deep packet inspection, out of a desire for maximum control and minimum disruption. For instance, the way that OpenVPN connections are generally blocked is through a DPI detection of OpenVPN starting a TLS authentication negotiation. The problem is, the other favourite method of blocking VPNs is through protocol / port / ip address specific blocks. If you look, HADAR, the Hong Kong-based natural choice for AirVPN users in China, is usually very lightly loaded. This is because it is generally impossible to open an SSH session to either the primary or alternate IP addresses associated with HADAR. Same with the Singapore-based Antares. AirVPN will quite happily try over and over to open a session, taking ages to time out of the SSH set-up, but never moving down the list. You have to manually block the ones that don't work, hence the low load on HADAR. So AirVPN currently has a major competitive advantage.
To the best of my knowledge, nobody else automates the use of OpenVPN inside an SSH or SSL tunnel. In the Chinese context, it has a major disadvantage. Because of its policy of minimal, very high quality POPs, it effectively keeps very, very still. That makes it an easy target for China's GFW deep packet inspection tools. Making HADAR and ANTARES useless. This is why DSIBAN in South Korea was important. There is enormous bandwidth between mainland China and South Korea. So DSIBAN performed beautifully for users coming from inside China. Now it is gone, and so we have to look for other solutions. I wish that AirVPN would find a way of having a much more dynamic and extensive set of alternate entry IPs for its POPs. That would make it much more resilient and useful in China. Many of the competitors say they are developing "stealth mode" for their OpenVPN offerings. So AirVPN's overwhelming advantage may evaporate quite soon. Which is good for users, but bad news for the best VPN offering currently available for use from China.
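The two blocking methods described in the post above, as an added example that is not part of any post or of AirVPN's software: a simplified model of a filter that first matches the protocol signature in the first bytes of a TCP stream, then falls back to a destination-address list. The sample byte strings, the documentation-range IP addresses and the `BLOCKED_ENTRY_IPS` list are constructed for illustration; the opcode values come from the OpenVPN wire format.

```python
import struct

# OpenVPN opcodes sit in the high 5 bits of the first payload byte.
# 1 = P_CONTROL_HARD_RESET_CLIENT_V1, 7 = P_CONTROL_HARD_RESET_CLIENT_V2.
HARD_RESET_CLIENT = {1, 7}

def classify_first_bytes(data: bytes) -> str:
    """Label the first client-to-server bytes of a TCP stream."""
    if data.startswith(b"SSH-"):                 # SSH identification string
        return "ssh"
    # TLS record: type 0x16 (handshake), version 0x03xx, 2-byte length,
    # then handshake type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    # OpenVPN over TCP: 2-byte big-endian packet length, then opcode|key_id.
    if len(data) >= 3:
        (length,) = struct.unpack("!H", data[:2])
        opcode, key_id = data[2] >> 3, data[2] & 0x07
        # A bare hard reset is 14 bytes; tls-auth makes it longer.
        if opcode in HARD_RESET_CLIENT and key_id == 0 and length >= 14:
            return "openvpn"
    return "unknown"

def filter_verdict(first_bytes: bytes, dst_ip: str, blocked_ips: set) -> str:
    """Simplified two-stage model: protocol signature, then address list."""
    if classify_first_bytes(first_bytes) == "openvpn":
        return "blocked:protocol"
    if dst_ip in blocked_ips:
        return "blocked:address"
    return "allowed"

# Constructed samples (not captured traffic).
OPENVPN_RAW = (struct.pack("!H", 14) + bytes([7 << 3])
               + b"\x11" * 8 + b"\x00" + b"\x00\x00\x00\x00")
SSH_WRAPPED = b"SSH-2.0-ExampleClient_1.0\r\n"
TLS_WRAPPED = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 36
BLOCKED_ENTRY_IPS = {"192.0.2.10"}   # hypothetical long-lived entry address

if __name__ == "__main__":
    for name, sample in [("raw", OPENVPN_RAW), ("ssh", SSH_WRAPPED), ("tls", TLS_WRAPPED)]:
        for ip in ("192.0.2.10", "198.51.100.7"):
            print(name, ip, filter_verdict(sample, ip, BLOCKED_ENTRY_IPS))
```

In this model the SSH or SSL wrapper removes the protocol match, so a tunnelled session is stopped only by the address list, which is why a small, stable set of entry IPs is the weak point the post describes.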
  22. Never say never but South Korea is no friend of the free interwebs, something you'll be familiar with if you live in China: http://www.economist.com/blogs/economist-explains/2014/02/economist-explains-3
  23. Hi, I appreciate the care and the integrity behind the decision to withdraw DSIBAN. Does this mean no servers in South Korea? I am in northeastern China, and it gave the best performance for me.
  24. Will the Hadar Hong Kong server be back up? It disappeared a few days ago with "high packet loss". From Australia, it gave the best ping times during business hours, okay for access to websites back in Australia, and the colocation in pacswitch on big pipes to China/USA/Japan/Korea/SEAsia seemed good for general global access. I have not really probed, but don't think HK has a tight blacklist regime etc, usually more after commercial gain, but perhaps pressure from China. I don't recommend a server in Australia - secret blacklist, and metadata retention laws, on ISP Internet access providers, court orders to disclose user id details, and a coming law to force carriers to obey security directives from the "secret police" which could include monitoring taps/backdoors etc. There is speculation there will be restrictions on use of VPNs if/when they figure out a scheme.
  25. Maybe it's just a DNS based block like many things in Mainland China? Because in this case it's possible to circumvent the blocks by forcing the server to use some remote Amazon Air's resolver.