Search the Community

Hello! First of all, it's important to note that the sentence in bold is totally wrong, and it's strange that a VPN provider claims that (maybe it's just a misunderstanding with TorrentFreak). It would be GREAT if it was true, but it isn't. OpenVPN traffic to port 443 TCP is profoundly different from "standard http over SSL" traffic. One of the differences is that OpenVPN performs a packet wrapping with some important additional data (for packets re-ordering etc.) which makes the OpenVPN traffic discriminable from https or pure SSL/TLS through Stateful or Deep Packet Inspection. That's why it's possible to easily discern the typical OpenVPN traffic "fingerprint" and block it, like they do in China, and that's why we offer OpenVPN over SSL. We wish to underline that, because otherwise you could think that we're "stupid" to provide OpenVPN over SSL or SSH with the purpose to bypass OpenVPN disruptions in China and Iran. Encapsulating OpenVPN traffic into http by default would be a major breakthrough (at the expense of an important performance hit, probably) which is being discussed for possible implementation in the next paramount release, OpenVPN 3, which might see the light in 2015. However, there are important problems to be considered for this implementation, so it is uncertain whether it will be supported in OpenVPN 3 or not. We provide to option to connect to ports 53, 80, 443 and 2018, all of which with protocols TCP and UDP, according to your preferences. We also provide the option to connect OpenVPN over SSH to ports 22, 80 and 53 (only TCP, obviously) and OpenVPN over SSL to port 443 TCP. PPTP has been discarded even before the official birth of AirVPN. We have never supported it and we will most probably never support it. IPsec has been discarded as well, although for very different reasons. Kind regards

Hello! We're sorry, Tunnelblick can't be used to connect OpenVPN over SSH or SSL. You need to run stunnel first from one shell, and then OpenVPN from another, please see the instructions. Adding an additional SSL or SSH layer is an option we introduced for special cases, i.e. when OpenVPN connections are disrupted, as it happens in China. In every other case it should be avoided because it does not add security and hits performance. Kind regards

Hello! About OpenVPN over SSH, our servers listen to ports 22, 53 and 80 of the entry-IP address, and to port 22 of the Alternative Entry-IP address. About OpenVPN over SSL, our servers listen to port 443 of the entry-IP address. About OpenVPN "direct" or "over a proxy", our servers listen to ports 53, 80 and 443 both of the Entry-IP and the Alternative Entry-IP address. In Comodo, for OpenVPN over SSH/SSL you need, on top of the rules described in our guide for Comodo to prevent lekas, to allow communications from "Any IP Address" to 10.50.0.0/255.255.0.0 and from 10.50.0.0/255.255.0.0 to "Any IP Address" (Comodo will display "Any IP address" as "MAC Any" in the rules). There is no generally valid recommendation about which port to choose: if your ISP performs port shaping on some ports, some ports can provide better performance than others. Keep in mind that OpenVPN over SSH or over SSL should be used ONLY if your ISP disrupts OpenVPN communications, because the additional SSH/SSL tunnel causes a performance hit without increasing security. OpenVPN over SSH/SSL have been implemented originally for China only, where OpenVPN connections are disrupted. The purpose of SSH/SSL is to encrypt the OpenVPN typical fingerprint, not to increase significantly the security. There is no such a thing as a non-tunneled connection in our service, unless you explicitly decide to reject the pushed routes by our servers. Kind regards

Hello! Thanks for the information about your DNS. In China, OpenVPN connections are disrupted through OpenVPN fingerprint identification, therefore OpenVPN over SSH/SSL is mandatory. In your case, it was a completely different problem: your DNS does not resolve *.airdns.org names. You can connect directly with OpenVPN (you do not need OpenVPN over SSL). We thought it was a problem limited to OpenDNS but if you don't use OpenDNS then we were wrong. Kind regards

Result! I'm connected. I'm wondering why I needed those advanced options though e.g. I'm not in China, as it suggested I might need them for. Re: DNS. Didn't even know what OpenDNS was. I'm using my regular ISP's as far as I know. Anyway, notwithstanding the confusing directions, thanks for the support.

I am not that concerned that I will become a target of surveillance. But as someone with a technical background I have to shake my head that "people in charge" still think it is a good idea to have back doors into products "just in case we ever need it". It is this kind of thinking that lead to the situation described in this CERT alert: https://www.us-cert.gov/ncas/alerts/TA13-207A The description there may not sound very alarming. But if you follow the links to the summary page by the guy who discovered the problem (Dan Farmer - famous in security circles), you may get a better appreciation: http://fish2.com/ipmi/itrain-gz.html The title is "IPMI: Express Train to Hell". And the last paragraph is, "In any case, good luck. We may all need it." If there is back door in Windows, no matter how secure they may think this back door is, I have to think this is begging for trouble. UPDATE: This link by Farmer may not be that easy to find: http://fish2.com/ipmi/ There is another line there (at the end) that caught my eye, "It's interesting to note the ubiquity of China in all of these."

Hi Timofei, If you look closely, every government has such laws, the most invasive is UK and their Tempora program of the GCHQ, second one is US which forces the NSA and FCC plant backdoors in hardware and software, third one is probably China, and of course Russia would have something similar too. It is very naive to believe in "free speech and 100% anonymity) when most of todays communications are done via the internet, IMO. However, most of us probably use VPNs for P2P, more tracking-less browsing and instant messaging, and nothing illegal that governments would have be interested in, and in that case (DMCA, RIAA) I would really like to see a Russian server in AirVPN.

Hello, mix unencrypted and unimportant traffic with encrypted traffic. However, this problem is still unconfirmed and we might delete it, do you have something to add or note about it? If so, feel free to update the thread. Kind regards I am not experiencing interruption and I am running almost all encrypted traffic from inside China.

Hello! Instructions for Windows, Linux and OS X can be found here: https://airvpn.org/ssh Remember that OpenVPN over SSH should be used only when absolutely necessary, for example when a direct OpenVPN connection is not possible (China residential and mobile lines, Iran). When a direct OpenVPN connection is possible and not throttled, OpenVPN over SSH should not be used. Kind regards AirVPN Support Team

Any one else working on an SSH Tunnelled OpenVPN connection on DD-WRT? I have the SSH Tunnel standing up correctly and the OpenVPN connection connecting correctly. HOWEVER, no port 80 traffic. Only pings, traceroute, etc. Ideas? Suggestions? Once I have it working I will write up a how to. If you are in China you need this info!

Hello, tested and working connections in China are OpenVPN over SSL and OpenVPN over SSH. You must not use Tunnelblick because it does not support this OpenVPN feature, please run OpenVPN directly: https://airvpn.org/topic/9325-development-of-os-x-airvpn-client Best performance is achieved on Singapore servers. Kind regards

Does anyone in China have suggestions on servers and configurations to use? I am currently trying all sorts of configurations using Tunnelblick, but most of them won't get past the "Making TCP connection" stage. I've been primarily testing out servers in Canada and the United States, though I've also tested some UK and Singapore servers. I've been trying regular VPN options, as well as SSH and SSL tunnels. So far, I haven't been able to connect at all using SSH and SSL tunnel configurations, even though that seems to be what's recommended for China. Am I doing something wrong here? Or has someone figured out that magic configuration that works really well?

Dear AirvPN team, I think it would be a great feature for most China located users to have a background script that downloads random files from public HTTP mirrors, for example Linux OS distributions. That way the Great Firewall counts the ratio between encrypted and non-encrypted traffic and since naturally the ISOs are over 1GB of size, a single download per day should be enough for most users. A simple bash script that saves a file to /dev/null can be done even now, but a better feature would be possibly implementing it in the Air client. "Camouflage mode"

(Reuters) Sunday 30 June 2013 - The United States taps half a billion phone calls, emails and text messages in Germany in a typical month and has classed its biggest European ally as a target similar to China, according to secret U.S. documents quoted by a German newsmagazine. The revelations of alleged U.S. surveillance programs based on documents taken by fugitive former National Security Agency contractor Edward Snowden have raised a political furor in the United States and abroad over the balance between privacy rights and national security. Exposing the latest details in a string of reputed spying programs, Der Spiegel quoted from an internal NSA document which it said its reporters had seen. The document Spiegel cited showed that the United States categorized Germany as a "third-class" partner and that surveillance there was stronger than in any other EU country, similar in extent to China, Iraq or Saudi-Arabia. "We can attack the signals of most foreign third-class partners, and we do it too," Der Spiegel quoted a passage in the NSA document as saying. It said the document showed that the NSA monitored phone calls, text messages, emails and internet chat contributions and has saved the metadata - that is, the connections, not the content - at its headquarters. On an average day, the NSA monitored about 20 million German phone connections and 10 million internet data sets, rising to 60 million phone connections on busy days, the report said. A Spiegel report on Saturday that the NSA had spied on European Union offices caused outrage among EU policymakers, with some even calling for a suspension to talks for a free trade agreement between Washington and the EU. In France, Der Spiegel reported, the United States taps about 2 million connection data a day. Only Canada, Australia, Britain and New Zealand were explicitly exempted from spy attacks. Full article: http://www.reuters.com/article/2013/06/30/us-usa-germany-spying-idUSBRE95T04B20130630

I think its important to make clear as a general rule that VPNs can be useful for some of the following things: Encrypting traffic that can be monitored by your ISP Encrypting traffic that can be monitory by your nation (bypassing China firewall for instance) Encrypting the origin address of your traffic (only when combined with other obfuscation resources) VPN will not help with encrypting your final data payload or anyones ability to monitor that, if the connection was not secured to beign with. However, if the connection was then it would have been masked from your ISP regardless (the payload, not the point of origin) of whether you were using VPN or not. So, to answer your exact question: Any unencrypted data has the potential to be gathered by any adversary, especially at a national level. Originating IPs can be masked and obfuscated with a combination of multiple techniques widely available both on the web and this web site.

Hello! 1. Yes. Special setup is required in China and Iran, see https://airvpn.org/ssh and https://airvpn.org/ssl 2. It is not logged anywhere. You need to enable sessions stats in your control panel, which by default is turned off. Log in the web site, click "Client Area" from the upper menu, click "Settings" from the left tabs, turn "Collected history and statistics about my sessions:" box from "No" to "Yes", finally click "Save settings". From that moment, every subsequent session stat (total traffic in and out, start date and time, end date and time) will be logged and will be accessible in your "Client Area". Kind regards

Hello! It is probably normal, connecting over OpenVPN over SSH/SSL implies a severe performance hit. If your ISP allows that (i.e. if you're not in China or Iran, in general - of course there can be particular cases) try OpenVPN directly, no SSH, no SSL. 5 Mbit/s is anyway an excellent performance for OpenVPN over SSH. Kind regards

Hello! Sorry, they should not show up, you apparently have a DNS leak. Please fix it following our guides. For the records, we are building a knowledge base to understand why our customers are willing to use OpenVPN over SSL, which should be avoided if not strictly necessary (like it is in China and Iran, where anyway OpenVPN over SSH may be better), if it's all right with you, would you please tell us why you need to connect over OpenVPN over SSL? Feel free not to answer or to answer only in private. Kind regards

Thanks for adding more and more servers. I hate to sound whiny but do you have any plans for servers in Asia north of Singapore? Obviously mainland China is out but have you ever considered Hong Kong?

Hello! We're very glad to introduce native support for OpenVPN over SSL and OpenVPN over SSH, and a completely re-designed configuration generator which includes exciting, additional AirVPN services and features. Our service becomes more censorship resistant and easier to use with a wide range of OpenVPN GUIs and wrappers. UPDATE OCT 2014: EDDIE CLIENT AirVPN client version 2, codename Eddie, gets out of the beta testing with version 2.6. Free and open source, it is a major breakthrough from client versions 1.x. Available for Linux, Windows and OS X Mavericks and Yosemite. Eddie includes Network Lock, full integrated TOR support for OpenVPN over TOR, support for OpenVPN over SSL and SSH, "intelligent" anti-censorship circumvention technique, "intelligent" VPN servers efficiency and rating calculations and much, much more. https://airvpn.org/topic/12464-eddie-27-available Currently the only open source OpenVPN wrapper in the world which allows OpenVPN over TOR connections without middle boxes or VM on three different OS. NEW SERVICES: OPENVPN OVER SSL - OPENVPN OVER SSH OpenVPN over SSL and OpenVPN over SSH will allow you to bypass OpenVPN connections disruption. Known ISP countries where the disruption takes place are China, Iran, Syria, Egypt. The connection disruption is possible because OpenVPN connections have a typical fingerprint which lets Deep Packet Inspection discern them from pure SSL/TLS connections. Connecting OpenVPN over SSL or OpenVPN over SSH will make your connection undiscernable from pure SSL or SSH connections, rendering DPI fingerprint identification powerless. OpenVPN over SSL/SSH is included in every Premium subscription without any additional payment. Use OpenVPN over SSL/SSH only when necessary: a slight performance hit is the price to pay. The performance hit is kept as low as possible because the "double-tunneling" is performed directly on our servers without additional hops. NEW FEATURES A new system for host resolution (not available for Windows) and dynamic VPN server choice is available. This will let you have OpenVPN configuration files which will try connections to various servers (according to your preferences) if one or more servers are unavailable. A new connection port (2018) is now available on all Air VPN servers. A new, alternative entry-IP address is now available on all Air VPN servers. NEW CONFIGURATION GENERATOR FEATURES - You can now select servers by countries, continents and planets (currently only one planet) or any combination between single servers and countries. - You can now select an alternative entry-IP address. Each Air server has now an additional entry-IP address to help you bypass IP blocking. - You can now choose a wide variety of compressing options: zip, 7zip, tar, tar & gzip, tar & bzip2. - You can now choose not to compress the files and download them uncompressed one by one NEW CONFIGURATION GENERATOR "ADVANCED MODE" FEATURES - Total connection ports range available, including new port 2018 in addition to 53, 80, 443 and (for SSH) 22. - Option to generate non-embedded configuration files, mandatory if you use network-manager as OpenVPN wrapper under Linux or just in case you use any wrapper that does not support embedded with certificates and keys OpenVPN configurations. - Option to generate files and scripts for OpenVPN over SSL/SSH connections by clicking on "Advanced Mode" - Option to select "Windows" or "Linux and others". Make sure you select the correct option according to your OS, because connections over SSL/SSH in Windows require different files than those required for Linux, *BSD and Unix-like / POSIX compliant systems such as Mac OSX. - New options to generate configuration files that support proxy authentication for OpenVPN over a proxy connections, particularly useful if you're behind a corporate or college proxy which requires authentication. A significant example of usage of OpenVPN over a proxy is OpenVPN over TOR: https://airvpn.org/tor Instruction page for OpenVPN over SSL (only if you don't run our client Eddie): https://airvpn.org/ssl Instruction page for OpenVPN over SSH (only if you don't run our client Eddie): https://airvpn.org/ssh Please do not hesitate to contact us for any additional information. Kind regards & Datalove AirVPN admins

"airvpn.org" blocked (DNS poisoning) Solution: hosts file edit OpenVPN connections are frequently disrupted (reported in Shangai and Beijing) Solution: OpenVPN over SSL works just fine UNCONFIRMED: momentary blocks of Internet domestic lines if a high percentage of encrypted traffic is detected

Hi, i'd like to know why this is happening.. Is this server really located in China? Thanks in advance!

Hello! When that option is enabled, the configuration generator will generate .ovpn file(s) which include already resolved names. If the option is disabled, the names are not resolved. Having unresolved names allows the client to rotate between servers according to DNS resolution with multiple records (example: nl.airvpn.org resolves to all the NL servers). This option is available only for "Linux and others" because of some Windows limitations in DNS resolution when a name has multiple records which make this option unusable with it. Windows configuration files will therefore always have resolved names into IP addresses. If airvpn.org is censored/DNS poisoned by your ISP (as it is in every China ISP), you MUST select this option even with Linux or any other OS in order to bypass the censorship. Kind regards

Hello! Today we're very glad to introduce native support for OpenVPN over SSL and OpenVPN over SSH, and a completely re-designed configuration generator which includes exciting, additional AirVPN services and features. Our service becomes more censorship resistant and easier to use with a wide range of OpenVPN GUIs and wrappers. NEW SERVICES: OPENVPN OVER SSL - OPENVPN OVER SSH OpenVPN over SSL and OpenVPN over SSH will allow you to bypass OpenVPN connections disruption. Known ISP countries where the disruption takes place are China, Iran, Syria, Egypt. The connection disruption is possible because OpenVPN connections have a typical fingerprint which lets Deep Packet Inspection to discern them from pure SSL/TLS connections. Connecting OpenVPN over SSL or OpenVPN over SSH will make your connection undiscernable from pure SSL or SSH connections, rendering DPI fingerprint identification powerless. OpenVPN over SSL/SSH is included in every Premium subscription without any additional payment. Use OpenVPN over SSL/SSH only when necessary: a slight performance hit is the price to pay. The performance hit is kept as low as possible because the "double-tunneling" is performed directly on our servers without additional hops. NEW FEATURES A new system for host resolution (not available for Windows) and dynamic VPN server choice is available. This will let you have OpenVPN configuration files which will try connections to various servers (according to your preferences) if one or more servers are unavailable. A new connection port (2018) is now available on all Air VPN servers. A new, alternative entry-IP address is now available on all Air VPN servers. NEW CONFIGURATION GENERATOR FEATURES - You can now select servers by countries, continents and planets (currently only one planet) or any combination between single servers and countries. - You can now select an alternative entry-IP address. Each Air server has now an additional entry-IP address to help you bypass IP blocking. - You can now choose a wide variety of compressing options: zip, 7zip, tar, tar & gzip, tar & bzip2. - You can now choose not to compress the files and download them uncompressed one by one NEW CONFIGURATION GENERATOR "ADVANCED MODE" FEATURES - Total connection ports range available, including new port 2018 in addition to 53, 80, 443 and (for SSH) 22. - Option to generate non-embedded configuration files, mandatory if you use network-manager as OpenVPN wrapper under Linux or just in case you use any wrapper that does not support embedded with certificates and keys OpenVPN configurations. - Option to generate files and scripts for OpenVPN over SSL/SSH connections by clicking on "Advanced Mode" - Option to select "Windows" or "Linux and others". Make sure you select the correct option according to your OS, because connections over SSL/SSH in Windows require different files than those required for Linux, *BSD and Unix-like / POSIX compliant systems such as Mac OSX. - New options to generate configuration files that support proxy authentication for OpenVPN over a proxy connections, particularly useful if you're behind a corporate or college proxy which requires authentication Instruction page for OpenVPN over SSL: https://airvpn.org/ssl Instruction page for OpenVPN over SSH: https://airvpn.org/ssh Please do not hesitate to contact us for any additional information. Kind regards & Datalove AirVPN admins

Hello! In general, if you use OpenVPN directly or the OpenVPN GUI you don't need those lines. There are some exceptions: those lines will help circumvent some DNS-poisoning censorship against our websites (in vast areas of China airvpn.org web site is censored), additionally they provide a "failover" in case one of the two frontends fails to respond, so we would recommend to add them in any case. Not exactly: once this is done, your system can't resolve names with DNS queries outside the VPN. The connectivity to the Internet is not broken. If you wish that your system can't connect to the Internet when disconnected from the VPN you can set your firewall, we recommend Comodo, please see our guide here: https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=3405&Itemid=142 No, you don't need to modify the DNS addresses set in your router. Those DNS will be used by devices connected to the router only if those devices send DNS queries to your router DNS. Kind regards