Search the Community

Yes, I'm in China now. The China Great Firewall is the most vexing. You remind me of it. Thank you. It is able to connect with OpenVPN over UDP/SSL/SSH by using Eddie. OpenVPN over TCP have no effect. And, I want to know: though OpenVPN over UDP can work and its Net Speed so fast, but it generate a lot of "TLS Error" per second. So, does it affect system performance or eat large amounts of memory?

You are in China? And are you able to connect? Because the Great Firewall is likely trying to intercept here, causing the log lines to occur in the first place. Yes, OpenVPN over SSL is slow but it's working.

No firewall, No QoS, No “Packet Acceleration”. In face, I never connect successfully to Eddie with TCP in China where I have worked since 2015 . So, I don't know what errors will happen. However, though SSL/SSH are able to work, but they are very slowly. And then UDP is so fast.

So what do governments (executive, police, military, ...) and large corporations do about internet insecurity ? The US TLAs seem to have a free hand to spy outside the USA and US corporations for "economic benefits" as explicit policy (and to justify bigger budgets, and offer "insider deals" for "donors"). And one could expect China to do more. I do not follow infosec professional insider forums, etc but they have to justify their consultancy fees and survive third party security audits, etc. Airbus has to compete with Boeing, Siemens with GE, Toyota with GM, Ericcson with Huawei, ...

I kinda agree Their client is conflicting with Eddie, you have to reinstall the TAP driver (better uninstall ProtonVPN, then TAP, then reinstall), I've pushed it to them. But I don't think they'll stuck with these ports simply because as a big mail provider, they'll have lot of clients from Iran, UAE etc.. already using Protonmail so they'll need to change it and probably adding layers of stealth because of that (adding SSL,SSH maybe?) If they do not take this road, I'll never subscribe to it. We'll see but with what they said about their competitors (https://protonmail.com/blog/best-vpn-service/) naming them I hope for them that they'll be robusts The level of transparency ProtonMail has given so far with this information is somewhat promising. But if they do not add obfuscation, i cannot subscribe to them as my main provider. While it is commonly used for restrictive countries such as Iran, China etc. They are still very useful for restrictive networks in the US and the UK where corporations, public wifi and others try to lock down users into censorship and surveillance. Fix their client, and add obfuscation such as Obfs4 or SSL/SSH tunnels and i might switch over if it seems promising. And i'll pay too, i don't care if its technically free or not, ill donate and contribute that way instead.

I'm not sure if they are completely against VPNs or simply banning IPs of hackers/griefers. Maybe they also block VPN users from China because of the country laws, I don't know. My experience: I use VPN simply for the security & privacy. Now when a VPN server is blocked by the minecraft login servers, my login gets rejected and it looks like the login details were wrong but they aren't. Some AirVPN servers do work. We could list the working servers here but I don't know if it is a good idea because of potential abuse. What do you think? Anyway, you should be able to find a working server with no more than 3 attempts at the moment.

Technically it seems rather easy to detect abnormal operating system or driver code or app code and capture a trace of its execution. And then reverse engineer to analyse the algorithms. So it seems reasonable to expect that these sort of "agents" can be detected and captured by other national security agencies in Russia, China, India, UK etc, and that they can honeypot and "pirate" from each other. In addition, "white hat" commercial security staff may find these things, and be tempted by a big money deal on the "dark market". As well as the usual "russian hacker" gangs after new tricks. A cocaine import/distro gang in Sydney was busted by an undercover agent, but in court evidence they only discussed "business" by all stripping down to swimming briefs and swimming out into the harbor to avoid "bugs".

Here is a forum where users "Aractus" and "John Citizen" recommend private vpn from China: "Safe vpn for business access" https://forums.whirlpool.net.au/archive/2480843 I remember other blog comment etc mentions, somewhere ... Commercial side of OpenVPN Technologies, Inc. has web based admin, support: "All OpenVPN Access Server downloads come with 2 free client connections for testing purposes." "$15.00 License Fee Per Client Connection Per Year. Support & Updates included. 10 Client minimum purchase." https://openvpn.net/index.php/access-server/pricing.html Searching for "openvpn server" https://duckduckgo.com/html?q=openvpn%20server finds various howtos: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04 Note "Uncomment push "redirect-gateway def1 bypass-dhcp" so the VPN server passes on clients' web traffic to its destination." Some howtos assume only for access to internal network via server. A lot of doco on the OpenVPN Community website: https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide I have not done this myself, and no real need, but hopefully some use for these refs after a bit of time investigating. A bit off topic from specific Netflix access, but how to avoid some spying and censoring and georestriction and ...

I have seen comments on other forums about setting up a "home vpn" using the openvpn software. This then allows one to access content from your home ip address/geolocation server from a client wherever. Some technical expertise required, and not for just a one week holiday away from it all. Requires a fixed IP address from your ISP. But useful for people who travel or have overseas postings or need better personal security. Similar to the setup of a commercial business for secure remote access by staff. Australians working in China do this to get through the Great Firewall and access uncensored English language and georestricted content such as ABC iView, as well as any home subscriptions for streaming content.

I have to say that's false and quite a worrying statement coming from you, the supposed Founder. The very notion that trust is required, serves as a weak point, as the trust is merely a substitute for actual verifiable assurance. The less explicit "trust" required, the better. There's been plenty of cases where closed-source software has caused problems. Not just with security, but with other things too. Your misuse of the word "paranoid" serves only to undermine legitimate security and privacy concerns. A network analyzer also won't help if the software contains malware which doesn't need network communications. If the client is so simple as you say, then it should also be a simple matter of making it open-source, no? Then the "truly paranoid" will have even more avenues of auditing and trust in the client will increase.So while you could argue the case of closed source software being alright, I think you picked the wrong brand of software to do it on, since it's security-related and open-source is one of the building blocks of a secure system. You claim the "truly paranoid" could simply use a network analyzer tool, but I think that's a bad argument, seeing as the "truly paranoid" would avoid your software altogether, upon finding out it's closed. Thus you're left with users who can't or won't check such things - which seems irresponsible, given not all users will know the significance of closed vs open source software and thus might unknowingly put their security or privacy at risk. Security isn't just 1 product after all - as you said, there's other factors one should be concerned about. Well, the client is one of them. Someone around here made a thread which showed that a client from another VPN provider acted in some very malicious ways too. I'll concede that the use of the word "paranoid" is misplaced, however I respectfully disagree on your other points. Using the "its closed source so it could contain malware" is misguided for multiple reasons: 1. The binary you download doesn't have to be built from the same source code that's published. At the very least, you won't have a code signing certificate publicly available, so the binary checksum will always be different. 2. Malware will have to do something, and exfiltrate sensitive data from your machine. That's something you can detect with a network analyzer. 3. VPN client sends all your activity through a server which is a black box to everyone except the operator. Your open source client will do nothing if it connects to an actively malicious server that then injects malware into HTTP requests. That would also be virtually undetectable and much more clever than stuffing malware into the executable. With the way how all VPNs function right now, trust is unfortunately required. Having an open source client is certainly a step in the right direction, and we do have plans to eventually open source it once we reach 2.0 (maybe), however this is just a token gesture that is largely irrelevant as the main problem with VPNs is the fact that the server operator holds all the cards. Security through obscurity is rarely a good thing, and some things should always be open source, like protocols. Running a VPN company involves a lot of "cat and mouse" games, where your website, api, servers themselves are blocked in random places, using various methods, etc. Our upcoming update of the application has a ton of new features, however more importantly it has procedural domain generation which uses a programatically generated domain names, which are not hardcoded (to prevent them from being extracted if you decompile the app) and are generated daily, to access our API and ensure people can use our app in China, Iran, your local school with an overzealous network admin. Having this code be public knowledge would render it useless, and prevent people who need a VPN the most from having access to it. That's just one example.

Yeah, while it lasted. Two days Must have been the shortest active periode of all AirVPN servers ever introduced! Air's South Korean server(s) lasted only a few days IIRC. Not sure how useful this would be, but perhaps instead of AU, Air could consider putting a server up in Hawai`i. They have datacenters I think. This has already been previously answered. There are indeed datacenters in Hawaii, however they are routed through the US west coast, making them ineffective for South East Asia. Users in regions such as China and Australia would actually have an easier time using a server in Los Angeles rather than Honolulu.

"Antares ... will almost certainly explode as a supernova,[26] probably within the next few hundred thousand years. For a few months, the Antares supernova could be as bright as the full moon and be visible in daytime." https://en.wikipedia.org/wiki/Antares and so might the other one in Singapore, it is at 71% with 162 users at 2am in Australia, with all the users in E Asia, Asean, India, Pak, Aus, NZ on a Friday night. One could guess that the big increase in YouTube, Facebook, Kodi etc streaming is upping the bandwidth needed, maybe it means higher costs and subs for an adequate service. I am just torrenting Wild Orchid 2 (Zalman King, can't pirate the dead) etc because I am fascinated by artefacts expressing/reflecting Trumpistan, so not really time critical. As already commented, I would not vouch for Singapore not to assist national security / major crime agencies from Australia, China, India, USA, etc but not a concern for many users. But adding another 1G server in an existing facility in an existing country should be simpler. Sent using Arcturus HK which is only at 26%.

Wow. thanks for these quick and in-detail answers. I think this feature would be especially useful for customers in China. Thus a server in Singapore on the WestCoast of the US would make the most sense. Preferably the latter for Netflix use

Hello, I'm unable to resolve chinese domains via the airvpn internal DNS server and also unable to connect to websites hosted in China. For example: no resolve: baidu.com qq.com 360totalsecurity.com no connection: alipay.com 360.cn tmall.com This is only a small list, I have the feeling that it affects almost every chinese hosted website / domain. I tested it on the Dutch and Swiss servers, both have the same results. Are AirVPN's ips blocked by the Great Firewall of China so that you cannot even connect to chinese websites? Is it possible for you guys to reroute chinese traffic via an internal server?

Honestly I could, but The effort would be pointless by now. Anyone in this forum can edit their posts after the fact. Even if you didn't, your attitude alone makes this thread a waste of time. And I'm not going to grace it with any more of my time and energy.You know, I wrote up a reply several times over, but each time I decided that if he/she cannot see his/her words by themselves, there is no point speaking to them. But for you I will post two quotes. Unedited quotes. Did someone say name calling? "Trump is racist. The Republican Party is racist. As you said, the wall will fix nothing. The drug cartels will laugh and go over, under, around or through it. As you pointed out they're already in Texas as well as every other state. Only one thing will end the cartels: remove the profit motive. How do you do that? Decriminalize drugs. Making drugs illegal has never worked (think Prohibition). Drug cartels didn't exist until Nixon declared the 'war on drugs' in 1971. Since then they've continually grown and become richer and more powerful. Whenever something that large numbers of people want is made illegal, criminal gangs will arise to provide it and reap the enormous profits. The Mafia only became really powerful as a result of the money generated by Prohibition. The only solution: legalize, regulate, educate." How about more name calling? "I'm not aware of any holidays for homosexuals. There are gay pride festivals in most democratic countries (not repressive countries like China or Russia) where people are free to celebrate as they please. But these are not official holidays. It certainly sounds like you do not like homosexuals and that's your choice. It's amusing that you're irritated by 'gay pride' stuff. Why is it so annoying for you to acknowledge that gays and gay sexuality exists? No one is insisting that you participate. I've always wondered if OmniNegro was in fact Negro. I'm guessing yes. Nearly all African countries are extremely homophobic. It's well known that the African American community is traditionally rather anti-gay. That's changing after Obama's election when the NAACP finally officially supported equal rights for gays. I've always felt that there ought naturally to be a kind of understanding, sympathy and solidarity between the two groups, gays and blacks, that have both been oppressed by mainstream cultures, but that hasn't been the case. I don't think that equality can be parceled out in different measure to different groups. Equal means equal...for everyone. It's a great thing for people of different backgrounds to try to understand and empathize with each other. I recently saw the film "Fences". Amazing play and film, highly recommended." I could go on, but why bother? I think he/she has a mental issue that prevents him/her from accepting any phrase they use that is an accusation. Therefore the only reply anyone will ever get is that it never happened. But we have better things to do with our time.

Well it wasn't justified. It's a sovereign country - do you condemn that? That's kind of the equivalent of someone attacking the US in order to fight the Bloods or the Cribs gangs or the KKK. In relation to DT, he could use the same logic to start conflicts with China, as you also previously mentioned being worried about, rightly so. So I think we have to take a hard look at legality here and other concepts such as "innocent until proven guilty", instead of just bombing the ones who look mean. I mean, if applied to ourselves, Trump could say "if you use a VPN then you're guilty of xyz", even more so than is already the case now. Same thing for genders/religions. I don't think he can ban Muslims either, because he would have to make it into a law. Which then requires congress and since many need to get re-elected for various positions next year, they can't risk it. But he did ban or limit entry from a few select countries yes. Sent to you from me with datalove Actually Trump can and will (very shortly according to reports) ban Muslims from several countries by executive order...no law needed. So before he was going to ban all Muslims, now it's just Muslims from certain countries. I have a very close Muslim friend who travels to her home country every year with her kids. They're all US citizens, but the way Trump was talking I was afraid they might take a trip and not be allowed to return home. Fortunately they're not from any of the banned countries. The war in Afghanistan was completely justified. Al Queda (with the support of the Taliban government of Afganistan) attacked the U.S and killed 3500 innocent civilians, that's an act of war. Its internationally legal to respond with force....not to mention it's common sense to defend yourself.

Well it wasn't justified. It's a sovereign country - do you condemn that? That's kind of the equivalent of someone attacking the US in order to fight the Bloods or the Cribs gangs or the KKK. In relation to DT, he could use the same logic to start conflicts with China, as you also previously mentioned being worried about, rightly so. So I think we have to take a hard look at legality here and other concepts such as "innocent until proven guilty", instead of just bombing the ones who look mean. I mean, if applied to ourselves, Trump could say "if you use a VPN then you're guilty of xyz", even more so than is already the case now. Same thing for genders/religions. I don't think he can ban Muslims either, because he would have to make it into a law. Which then requires congress and since many need to get re-elected for various positions next year, they can't risk it. But he did ban or limit entry from a few select countries yes. Sent to you from me with datalove

@Serenacat. Thanks for your post. For now I'm just going to say that I agree that the Trumpets are a threat. As I said in an earlier post, I'm afraid Trump will start WW3 playing chicken with China. However defending South Korea and Japan with a missile defense system hardly seems like a threat to Russia or China. Missile defenses are not offensive weapons, they can only (and not all that well) try to stop incoming missiles. And if I remember correctly they're useless against ICBMs.

If I can just politely remind Americans there is more going down that involves them than the distractions of "culture wars" and "party" politics. " Russian media outlets lost no time to explain that the DF-41 was a three-stage solid-fueled missile reported to have a maximum range of up to 15,000 kilometers (9,320 miles) and a top speed of Mach 25 (19,030 mph). DF-41 (also known by its NATO name CSS-X-10) is said to be capable of carrying up to 10 warheads and its launch preparation time was estimated at 3-5 minutes. Russian analysts and media outlets argued that China’s missile deployment seemed to be a response to US missile defenses in the Asia-Pacific. Moscow and Beijing share concerns that the US missile defense system in Japan and South Korea, officially designed to contain North Korea, was in fact aimed at Russia and China." http://www.atimes.com/article/russia-says-unperturbed-chinas-missile-deployment/ Most of Asia (including me) see the Trumpets as more and more a menace on various fronts. "U.S. environmental employees were soon joined by similar "alternative" Twitter accounts originating from various science and health agencies, including the Food and Drug Administration, the National Institutes of Health, the Centers for Disease Control and Prevention and the National Weather Service. Many of their messages carried Twitter hashtags #resist or #resistance." http://www.reuters.com/article/us-usa-trump-resist-idUSKBN15A0DI “These felony charges are bizarre and essentially unheard of when it comes to journalists here in America who were simply doing their job,” said Suzanne Nossel, the executive director of Pen America." https://www.nytimes.com/2017/01/25/business/media/journalists-arrested-trump-inauguration.html The battle for control of hearts and minds is also being fought on the Internet in 2017. VPN users will not be innocent bystanders and outside the lines of fire.

So, i read something interesting today, and it's something i have heard of over quite some time now. It would seem that many companies implement local certificates on their employees machines to effectively prevent any form of private communication on the machine by decrypting all forms of SSL traffic, which may perhaps also apply to SSH, however i am not sure. The side effect of this SSL decryption is that they block any connection they cannot read. If say, China decided to have every computer in China sold with this sort of configuration, couldn't they effectively kill Tor and VPN completely? I have always heard people on forums across the internet trying to reassure people that SSL (aka stunnel or SSL Tunnel) can never be blocked or filtered because it would effectively kill all services using HTTPS. With widespread adoption of these MiTM firewalls, VPN's and Tor can be blocked without disrupting normal HTTPS web services. The caveat however, is that these systems i believe must be installed on the users machine in order for them to work. But if places that provide wifi such as Schools, Universities and Workplaces require this implementation before being permitted to access the network, what choice do you have? Doing so, these places could force their employee's, students etc. to go elsewhere on another network to make private communications. If somehow implemented across a country such as China, you would effectively have no choice but to submit your private information visible to the eyes of the government. Nothing could escape the Great Firewall. https://it.slashdot.org/story/14/03/05/1724237/ask-slashdot-does-your-employer-perform-https-mitm-attacks-on-employees http://security.stackexchange.com/questions/104576/my-college-is-forcing-me-to-install-their-ssl-certificate-how-to-protect-my-pri PS: i apologize if this post may seem like FUD, but i wanted to raise awareness of this technology and the consequences of its implementation now and in the future.

This new amendment only matters for local businesses which operate and are registered in mainland China. A similar law was passed around 2010, and it's called website compliance license, which means if you wanted to host a website on port 80/443 and Chinese IPs, you must obtain one: https://en.wikipedia.org/wiki/ICP_license This made some websites move to alternatives ports until a solution was found, since they were blocked until the license was acquired. I am not sure how such Firewall unblocking companies operated until now legally. Hong Kong based providers are not affected by this.

It's very different in this case. Netflix can just allow only IP addresses that are assigned to residential ISPs, and this method is very effective for a centralized server that needs to filter inbound connections. From China, it is not applicable, because any end-service does NOT run on machines connected to residential ISPs. Enforcing the same block would be equivalent to shut down the whole Internet for any service outside (and several inside) China. Not that it's impossible, but the economic consequences would be catastrophic even for the establishment. China faces the opposite problem: block outbound connections to an arbitrary amount of servers, not inbound connections to a single service from an arbitrary amount of clients. This does not mean anyway that we do not expect that China will implement more sophisticated ways to disrupt connections to VPN servers abroad. Kind regards

If Netflix can block Vpns, I imagine China can It's a repressive regime ruling a country without human rights law trying to keep it's citizens ignorant.

Now depending on who you ask, HK is not the same as mainland China . Much the same with Taiwan, as they do things differently in many regards, including when it comes to internet censorship. (Oh and by the way, I wasn't laughing at you, I just suddenly thought of PIA for some reason, when China was mentioned!) no no i didn't think you were. I just thought the article should be brought to the attention of people on here just in case no one knew about it

Now depending on who you ask, HK is not the same as mainland China . Much the same with Taiwan, as they do things differently in many regards, including when it comes to internet censorship. (Oh and by the way, I wasn't laughing at you, I just suddenly thought of PIA for some reason, when China was mentioned!)