Search the Community

Nope, didn't work. And every time I try to open any version of openvpn or airvpn it hangs and it is impossible to force quit. I have to restart my PC to quit it. Is there perhaps an operating system I can buy from China that works?

Hello! From the first shell, cd to the directory where you have the .sh file and issue the command ./nameofthefile.sh After that, open another shell as root, cd to the directory where you have the .ovpn file pertaining to OpenVPN over SSH and type the command: openvpn "name of the .ovpn file" Try to use OpenVPN over SSH only when absolutely unavoidable (for example in China and Iran). Kind regards

Hi I have been using AirVPN for 6 months now, works great. However I need to travel to China occasionally and regular OpenVPN just will not work. I have been trying to setup a SSL as explained in https://airvpn.org/ssl/ but I just cannot seem to work out exactly what the last step means openvpn "AirVPN <..> - SSL <..>.ovpn"I have no idea what file the "AirVPN <..>" file is though I can guess that the ovpn file is the same as that selected in the previous step to setup the stunnel.exe. In addition openvpn is expecting a double dash "--" not a single dash "-" It would help emensly if you could clarify and update your webpage for others. I am doing this in windows 7 bty. Thanks for a great service. Best R

Hello! We're very sorry, it's not possible to have OpenVPN connect over SSL/SSH or over a proxy when Tunnelblick is the wrapper. You should run OpenVPN directly. Anyway, OpenVPN over SSH/SSL should be used only when absolutely unavoidable (for example from China; since your connection works fine with direct OpenVPN, it's probably a waste of time and resources (but also an interesting didactic exercise ) to connect OpenVPN over SSH. Kind regards

Is there an AirVPN client for use in China, yet?

viewdns.info refuses connections from Menkib, DEWezen, DESeginus, DENashira, UKSerpentis, SEIt's a pity because I find this service extremely useful and easy to read. Have things like whois and DNS lookup but also China and Iran firewall lookups. Fixed.

I've tried a number of different sites, notably Google's DNS servers and this one here http://censurfridns.dk. Can you recommend any DNS suppliers that work a little better with AirVPN? Also, this may sound like a real noob question, but I have the DNS set in the static ip address config, is this the correct place to put this info and if not, where should I be designating it? Thanks for your reply! Hello, Google DNS (as well as OpenNIC and any other public DNS we have tested) have no problems in resolving our names and this suggests that your ISP is hijacking DNS queries (please see below). For example: dig @8.8.8.8 asia.vpn.airdns.org ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @8.8.8.8 asia.vpn.airdns.org ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52404 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;asia.vpn.airdns.org. IN A ;; ANSWER SECTION: asia.vpn.airdns.org. 300 IN A 119.81.1.125 ;; Query time: 647 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Fri Jan 3 02:09:04 2014 ;; MSG SIZE rcvd: 53 It might be that your DNS queries are hijacked in any case REGARDLESS of the DNS server you try to reach. This occurs with some ISPs around the world (for example Vodafone) AND it might occur with several ISPs in China. In this case, please do not use names at all. Insert directly the entry-IP address of the server you wish to connect to. For example, instead of asia.vpn.airdns.org, insert the entry-IP address of one of the Singapore servers. Kind regards

Hello, OpenVPN packets have a typical fingerprint (basically due to additional information on the packets headers for error correction) which make OpenVPN protocol different from pure SSL/TLS. Usage of OpenVPN is perfectly normal and widespread, therefore it's not a reason of concern unless your ISP decides to cap or disrupt OpenVPN connections (as it happens in China). In this case, you can use OpenVPN over SSL/SSH to encapsulate OpenVPN packets inside SSL or SSH tunnel (you can find the instructions by clicking "Enter" from the upper menu of our web site). In case your ISP does not perform this discrimination, you should connect directly with OpenVPN for better performance. Kind regards

Hello! OpenVPN over SSL connections will be probably supported in the final Eddie release (the next client version). Remember that you should never use OpenVPN over SSL except for extreme cases. This is an additional, free of charge service originally designed for China only. In order to easily switch servers over SSL, first prepare all the files you need for all the servers you wish to connect to, so that you can switch them in a matter of seconds. The Configuration Generator accepts multiple choices so you will need just 30 seconds for the initial generation (once and for all), we fail to see why it should be such a pain for you. About your problem, it might be a DNS issue, since the logs look just fine. While your system is connected to a VPN server, please open a command prompt (with administrator privileges), issue the following commands and send us the output: ipconfig /flushdns tracert google.com ping 10.4.0.1 ping 8.8.8.8 Kind regards

Hello! We're sorry, Tunnelblick can't be used to connect OpenVPN over SSH or SSL. You need to run stunnel first from one shell, and then OpenVPN from another, please see the instructions. Adding an additional SSL or SSH layer is an option we introduced for special cases, i.e. when OpenVPN connections are disrupted, as it happens in China. In every other case it should be avoided because it does not add security and hits performance. Kind regards

Hello! About OpenVPN over SSH, our servers listen to ports 22, 53 and 80 of the entry-IP address, and to port 22 of the Alternative Entry-IP address. About OpenVPN over SSL, our servers listen to port 443 of the entry-IP address. About OpenVPN "direct" or "over a proxy", our servers listen to ports 53, 80 and 443 both of the Entry-IP and the Alternative Entry-IP address. In Comodo, for OpenVPN over SSH/SSL you need, on top of the rules described in our guide for Comodo to prevent lekas, to allow communications from "Any IP Address" to 10.50.0.0/255.255.0.0 and from 10.50.0.0/255.255.0.0 to "Any IP Address" (Comodo will display "Any IP address" as "MAC Any" in the rules). There is no generally valid recommendation about which port to choose: if your ISP performs port shaping on some ports, some ports can provide better performance than others. Keep in mind that OpenVPN over SSH or over SSL should be used ONLY if your ISP disrupts OpenVPN communications, because the additional SSH/SSL tunnel causes a performance hit without increasing security. OpenVPN over SSH/SSL have been implemented originally for China only, where OpenVPN connections are disrupted. The purpose of SSH/SSL is to encrypt the OpenVPN typical fingerprint, not to increase significantly the security. There is no such a thing as a non-tunneled connection in our service, unless you explicitly decide to reject the pushed routes by our servers. Kind regards

Hello! Thanks for the information about your DNS. In China, OpenVPN connections are disrupted through OpenVPN fingerprint identification, therefore OpenVPN over SSH/SSL is mandatory. In your case, it was a completely different problem: your DNS does not resolve *.airdns.org names. You can connect directly with OpenVPN (you do not need OpenVPN over SSL). We thought it was a problem limited to OpenDNS but if you don't use OpenDNS then we were wrong. Kind regards

Result! I'm connected. I'm wondering why I needed those advanced options though e.g. I'm not in China, as it suggested I might need them for. Re: DNS. Didn't even know what OpenDNS was. I'm using my regular ISP's as far as I know. Anyway, notwithstanding the confusing directions, thanks for the support.

I am not that concerned that I will become a target of surveillance. But as someone with a technical background I have to shake my head that "people in charge" still think it is a good idea to have back doors into products "just in case we ever need it". It is this kind of thinking that lead to the situation described in this CERT alert: https://www.us-cert.gov/ncas/alerts/TA13-207A The description there may not sound very alarming. But if you follow the links to the summary page by the guy who discovered the problem (Dan Farmer - famous in security circles), you may get a better appreciation: http://fish2.com/ipmi/itrain-gz.html The title is "IPMI: Express Train to Hell". And the last paragraph is, "In any case, good luck. We may all need it." If there is back door in Windows, no matter how secure they may think this back door is, I have to think this is begging for trouble. UPDATE: This link by Farmer may not be that easy to find: http://fish2.com/ipmi/ There is another line there (at the end) that caught my eye, "It's interesting to note the ubiquity of China in all of these."

Hi Timofei, If you look closely, every government has such laws, the most invasive is UK and their Tempora program of the GCHQ, second one is US which forces the NSA and FCC plant backdoors in hardware and software, third one is probably China, and of course Russia would have something similar too. It is very naive to believe in "free speech and 100% anonymity) when most of todays communications are done via the internet, IMO. However, most of us probably use VPNs for P2P, more tracking-less browsing and instant messaging, and nothing illegal that governments would have be interested in, and in that case (DMCA, RIAA) I would really like to see a Russian server in AirVPN.

Hello, mix unencrypted and unimportant traffic with encrypted traffic. However, this problem is still unconfirmed and we might delete it, do you have something to add or note about it? If so, feel free to update the thread. Kind regards I am not experiencing interruption and I am running almost all encrypted traffic from inside China.

Hello! Today we're very glad to introduce native support for OpenVPN over SSL and OpenVPN over SSH, and a completely re-designed configuration generator which includes exciting, additional AirVPN services and features. Our service becomes more censorship resistant and easier to use with a wide range of OpenVPN GUIs and wrappers. NEW SERVICES: OPENVPN OVER SSL - OPENVPN OVER SSH OpenVPN over SSL and OpenVPN over SSH will allow you to bypass OpenVPN connections disruption. Known ISP countries where the disruption takes place are China, Iran, Syria, Egypt. The connection disruption is possible because OpenVPN connections have a typical fingerprint which lets Deep Packet Inspection to discern them from pure SSL/TLS connections. Connecting OpenVPN over SSL or OpenVPN over SSH will make your connection undiscernable from pure SSL or SSH connections, rendering DPI fingerprint identification powerless. OpenVPN over SSL/SSH is included in every Premium subscription without any additional payment. Use OpenVPN over SSL/SSH only when necessary: a slight performance hit is the price to pay. The performance hit is kept as low as possible because the "double-tunneling" is performed directly on our servers without additional hops. NEW FEATURES A new system for host resolution (not available for Windows) and dynamic VPN server choice is available. This will let you have OpenVPN configuration files which will try connections to various servers (according to your preferences) if one or more servers are unavailable. A new connection port (2018) is now available on all Air VPN servers. A new, alternative entry-IP address is now available on all Air VPN servers. NEW CONFIGURATION GENERATOR FEATURES - You can now select servers by countries, continents and planets (currently only one planet) or any combination between single servers and countries. - You can now select an alternative entry-IP address. Each Air server has now an additional entry-IP address to help you bypass IP blocking. - You can now choose a wide variety of compressing options: zip, 7zip, tar, tar & gzip, tar & bzip2. - You can now choose not to compress the files and download them uncompressed one by one NEW CONFIGURATION GENERATOR "ADVANCED MODE" FEATURES - Total connection ports range available, including new port 2018 in addition to 53, 80, 443 and (for SSH) 22. - Option to generate non-embedded configuration files, mandatory if you use network-manager as OpenVPN wrapper under Linux or just in case you use any wrapper that does not support embedded with certificates and keys OpenVPN configurations. - Option to generate files and scripts for OpenVPN over SSL/SSH connections by clicking on "Advanced Mode" - Option to select "Windows" or "Linux and others". Make sure you select the correct option according to your OS, because connections over SSL/SSH in Windows require different files than those required for Linux, *BSD and Unix-like / POSIX compliant systems such as Mac OSX. - New options to generate configuration files that support proxy authentication for OpenVPN over a proxy connections, particularly useful if you're behind a corporate or college proxy which requires authentication Instruction page for OpenVPN over SSL: https://airvpn.org/ssl Instruction page for OpenVPN over SSH: https://airvpn.org/ssh Please do not hesitate to contact us for any additional information. Kind regards & Datalove AirVPN admins

We all know there are certain sites out there that love to track you. In addition they love to provide you "extra security" by making sure no bad guys get into your account. I know for example if Gmail sees a foreign IP log into your account, it may think its a bad guy and give you a warning. They do track the timing of these things to so that if you are traveling its smart enough to know that you don't travel between the US and China at the speed of light, but if there's 12 hour diff, you're OK. I've seen this traveling myself. Is it going to be problematic for someone to use Gmail at home over a AirVPN foreign server and then once they leave home and use Gmail over a cellphone which uses the local carrier? Are there other sites with these kind of smarts that will be problematic to use? Like Facebook? Would love to use my cell over VPN. Does this just protect all the data streams (wifi, 3g, 4g, etc.) and not the voice? I assume to do so would mean I could have one device my router and then a plus one for each mobile device that leaves that router's presence. Or can I route everything thru the home router somehow?

Hello! Instructions for Windows, Linux and OS X can be found here: https://airvpn.org/ssh Remember that OpenVPN over SSH should be used only when absolutely necessary, for example when a direct OpenVPN connection is not possible (China residential and mobile lines, Iran). When a direct OpenVPN connection is possible and not throttled, OpenVPN over SSH should not be used. Kind regards AirVPN Support Team

Any one else working on an SSH Tunnelled OpenVPN connection on DD-WRT? I have the SSH Tunnel standing up correctly and the OpenVPN connection connecting correctly. HOWEVER, no port 80 traffic. Only pings, traceroute, etc. Ideas? Suggestions? Once I have it working I will write up a how to. If you are in China you need this info!

Hello, tested and working connections in China are OpenVPN over SSL and OpenVPN over SSH. You must not use Tunnelblick because it does not support this OpenVPN feature, please run OpenVPN directly: https://airvpn.org/topic/9325-development-of-os-x-airvpn-client Best performance is achieved on Singapore servers. Kind regards

Dear AirvPN team, I think it would be a great feature for most China located users to have a background script that downloads random files from public HTTP mirrors, for example Linux OS distributions. That way the Great Firewall counts the ratio between encrypted and non-encrypted traffic and since naturally the ISOs are over 1GB of size, a single download per day should be enough for most users. A simple bash script that saves a file to /dev/null can be done even now, but a better feature would be possibly implementing it in the Air client. "Camouflage mode"

I think its important to make clear as a general rule that VPNs can be useful for some of the following things: Encrypting traffic that can be monitored by your ISP Encrypting traffic that can be monitory by your nation (bypassing China firewall for instance) Encrypting the origin address of your traffic (only when combined with other obfuscation resources) VPN will not help with encrypting your final data payload or anyones ability to monitor that, if the connection was not secured to beign with. However, if the connection was then it would have been masked from your ISP regardless (the payload, not the point of origin) of whether you were using VPN or not. So, to answer your exact question: Any unencrypted data has the potential to be gathered by any adversary, especially at a national level. Originating IPs can be masked and obfuscated with a combination of multiple techniques widely available both on the web and this web site.

Hello! 1. Yes. Special setup is required in China and Iran, see https://airvpn.org/ssh and https://airvpn.org/ssl 2. It is not logged anywhere. You need to enable sessions stats in your control panel, which by default is turned off. Log in the web site, click "Client Area" from the upper menu, click "Settings" from the left tabs, turn "Collected history and statistics about my sessions:" box from "No" to "Yes", finally click "Save settings". From that moment, every subsequent session stat (total traffic in and out, start date and time, end date and time) will be logged and will be accessible in your "Client Area". Kind regards

Hello! It is probably normal, connecting over OpenVPN over SSH/SSL implies a severe performance hit. If your ISP allows that (i.e. if you're not in China or Iran, in general - of course there can be particular cases) try OpenVPN directly, no SSH, no SSL. 5 Mbit/s is anyway an excellent performance for OpenVPN over SSH. Kind regards