Search the Community

Hello! About OpenVPN over SSH, our servers listen to ports 22, 53 and 80 of the entry-IP address, and to port 22 of the Alternative Entry-IP address. About OpenVPN over SSL, our servers listen to port 443 of the entry-IP address. About OpenVPN "direct" or "over a proxy", our servers listen to ports 53, 80 and 443 both of the Entry-IP and the Alternative Entry-IP address. In Comodo, for OpenVPN over SSH/SSL you need, on top of the rules described in our guide for Comodo to prevent lekas, to allow communications from "Any IP Address" to 10.50.0.0/255.255.0.0 and from 10.50.0.0/255.255.0.0 to "Any IP Address" (Comodo will display "Any IP address" as "MAC Any" in the rules). There is no generally valid recommendation about which port to choose: if your ISP performs port shaping on some ports, some ports can provide better performance than others. Keep in mind that OpenVPN over SSH or over SSL should be used ONLY if your ISP disrupts OpenVPN communications, because the additional SSH/SSL tunnel causes a performance hit without increasing security. OpenVPN over SSH/SSL have been implemented originally for China only, where OpenVPN connections are disrupted. The purpose of SSH/SSL is to encrypt the OpenVPN typical fingerprint, not to increase significantly the security. There is no such a thing as a non-tunneled connection in our service, unless you explicitly decide to reject the pushed routes by our servers. Kind regards

Hello! Thanks for the information about your DNS. In China, OpenVPN connections are disrupted through OpenVPN fingerprint identification, therefore OpenVPN over SSH/SSL is mandatory. In your case, it was a completely different problem: your DNS does not resolve *.airdns.org names. You can connect directly with OpenVPN (you do not need OpenVPN over SSL). We thought it was a problem limited to OpenDNS but if you don't use OpenDNS then we were wrong. Kind regards

Result! I'm connected. I'm wondering why I needed those advanced options though e.g. I'm not in China, as it suggested I might need them for. Re: DNS. Didn't even know what OpenDNS was. I'm using my regular ISP's as far as I know. Anyway, notwithstanding the confusing directions, thanks for the support.

I am not that concerned that I will become a target of surveillance. But as someone with a technical background I have to shake my head that "people in charge" still think it is a good idea to have back doors into products "just in case we ever need it". It is this kind of thinking that lead to the situation described in this CERT alert: https://www.us-cert.gov/ncas/alerts/TA13-207A The description there may not sound very alarming. But if you follow the links to the summary page by the guy who discovered the problem (Dan Farmer - famous in security circles), you may get a better appreciation: http://fish2.com/ipmi/itrain-gz.html The title is "IPMI: Express Train to Hell". And the last paragraph is, "In any case, good luck. We may all need it." If there is back door in Windows, no matter how secure they may think this back door is, I have to think this is begging for trouble. UPDATE: This link by Farmer may not be that easy to find: http://fish2.com/ipmi/ There is another line there (at the end) that caught my eye, "It's interesting to note the ubiquity of China in all of these."

Hi Timofei, If you look closely, every government has such laws, the most invasive is UK and their Tempora program of the GCHQ, second one is US which forces the NSA and FCC plant backdoors in hardware and software, third one is probably China, and of course Russia would have something similar too. It is very naive to believe in "free speech and 100% anonymity) when most of todays communications are done via the internet, IMO. However, most of us probably use VPNs for P2P, more tracking-less browsing and instant messaging, and nothing illegal that governments would have be interested in, and in that case (DMCA, RIAA) I would really like to see a Russian server in AirVPN.

Hello, mix unencrypted and unimportant traffic with encrypted traffic. However, this problem is still unconfirmed and we might delete it, do you have something to add or note about it? If so, feel free to update the thread. Kind regards I am not experiencing interruption and I am running almost all encrypted traffic from inside China.

Hello! Instructions for Windows, Linux and OS X can be found here: https://airvpn.org/ssh Remember that OpenVPN over SSH should be used only when absolutely necessary, for example when a direct OpenVPN connection is not possible (China residential and mobile lines, Iran). When a direct OpenVPN connection is possible and not throttled, OpenVPN over SSH should not be used. Kind regards AirVPN Support Team

Any one else working on an SSH Tunnelled OpenVPN connection on DD-WRT? I have the SSH Tunnel standing up correctly and the OpenVPN connection connecting correctly. HOWEVER, no port 80 traffic. Only pings, traceroute, etc. Ideas? Suggestions? Once I have it working I will write up a how to. If you are in China you need this info!

Hello, tested and working connections in China are OpenVPN over SSL and OpenVPN over SSH. You must not use Tunnelblick because it does not support this OpenVPN feature, please run OpenVPN directly: https://airvpn.org/topic/9325-development-of-os-x-airvpn-client Best performance is achieved on Singapore servers. Kind regards

Does anyone in China have suggestions on servers and configurations to use? I am currently trying all sorts of configurations using Tunnelblick, but most of them won't get past the "Making TCP connection" stage. I've been primarily testing out servers in Canada and the United States, though I've also tested some UK and Singapore servers. I've been trying regular VPN options, as well as SSH and SSL tunnels. So far, I haven't been able to connect at all using SSH and SSL tunnel configurations, even though that seems to be what's recommended for China. Am I doing something wrong here? Or has someone figured out that magic configuration that works really well?

Dear AirvPN team, I think it would be a great feature for most China located users to have a background script that downloads random files from public HTTP mirrors, for example Linux OS distributions. That way the Great Firewall counts the ratio between encrypted and non-encrypted traffic and since naturally the ISOs are over 1GB of size, a single download per day should be enough for most users. A simple bash script that saves a file to /dev/null can be done even now, but a better feature would be possibly implementing it in the Air client. "Camouflage mode"

(Reuters) Sunday 30 June 2013 - The United States taps half a billion phone calls, emails and text messages in Germany in a typical month and has classed its biggest European ally as a target similar to China, according to secret U.S. documents quoted by a German newsmagazine. The revelations of alleged U.S. surveillance programs based on documents taken by fugitive former National Security Agency contractor Edward Snowden have raised a political furor in the United States and abroad over the balance between privacy rights and national security. Exposing the latest details in a string of reputed spying programs, Der Spiegel quoted from an internal NSA document which it said its reporters had seen. The document Spiegel cited showed that the United States categorized Germany as a "third-class" partner and that surveillance there was stronger than in any other EU country, similar in extent to China, Iraq or Saudi-Arabia. "We can attack the signals of most foreign third-class partners, and we do it too," Der Spiegel quoted a passage in the NSA document as saying. It said the document showed that the NSA monitored phone calls, text messages, emails and internet chat contributions and has saved the metadata - that is, the connections, not the content - at its headquarters. On an average day, the NSA monitored about 20 million German phone connections and 10 million internet data sets, rising to 60 million phone connections on busy days, the report said. A Spiegel report on Saturday that the NSA had spied on European Union offices caused outrage among EU policymakers, with some even calling for a suspension to talks for a free trade agreement between Washington and the EU. In France, Der Spiegel reported, the United States taps about 2 million connection data a day. Only Canada, Australia, Britain and New Zealand were explicitly exempted from spy attacks. Full article: http://www.reuters.com/article/2013/06/30/us-usa-germany-spying-idUSBRE95T04B20130630

I think its important to make clear as a general rule that VPNs can be useful for some of the following things: Encrypting traffic that can be monitored by your ISP Encrypting traffic that can be monitory by your nation (bypassing China firewall for instance) Encrypting the origin address of your traffic (only when combined with other obfuscation resources) VPN will not help with encrypting your final data payload or anyones ability to monitor that, if the connection was not secured to beign with. However, if the connection was then it would have been masked from your ISP regardless (the payload, not the point of origin) of whether you were using VPN or not. So, to answer your exact question: Any unencrypted data has the potential to be gathered by any adversary, especially at a national level. Originating IPs can be masked and obfuscated with a combination of multiple techniques widely available both on the web and this web site.

Hello! 1. Yes. Special setup is required in China and Iran, see https://airvpn.org/ssh and https://airvpn.org/ssl 2. It is not logged anywhere. You need to enable sessions stats in your control panel, which by default is turned off. Log in the web site, click "Client Area" from the upper menu, click "Settings" from the left tabs, turn "Collected history and statistics about my sessions:" box from "No" to "Yes", finally click "Save settings". From that moment, every subsequent session stat (total traffic in and out, start date and time, end date and time) will be logged and will be accessible in your "Client Area". Kind regards

Hello! It is probably normal, connecting over OpenVPN over SSH/SSL implies a severe performance hit. If your ISP allows that (i.e. if you're not in China or Iran, in general - of course there can be particular cases) try OpenVPN directly, no SSH, no SSL. 5 Mbit/s is anyway an excellent performance for OpenVPN over SSH. Kind regards

Hello! Sorry, they should not show up, you apparently have a DNS leak. Please fix it following our guides. For the records, we are building a knowledge base to understand why our customers are willing to use OpenVPN over SSL, which should be avoided if not strictly necessary (like it is in China and Iran, where anyway OpenVPN over SSH may be better), if it's all right with you, would you please tell us why you need to connect over OpenVPN over SSL? Feel free not to answer or to answer only in private. Kind regards

Thanks for adding more and more servers. I hate to sound whiny but do you have any plans for servers in Asia north of Singapore? Obviously mainland China is out but have you ever considered Hong Kong?

Hello! We're very glad to introduce native support for OpenVPN over SSL and OpenVPN over SSH, and a completely re-designed configuration generator which includes exciting, additional AirVPN services and features. Our service becomes more censorship resistant and easier to use with a wide range of OpenVPN GUIs and wrappers. UPDATE OCT 2014: EDDIE CLIENT AirVPN client version 2, codename Eddie, gets out of the beta testing with version 2.6. Free and open source, it is a major breakthrough from client versions 1.x. Available for Linux, Windows and OS X Mavericks and Yosemite. Eddie includes Network Lock, full integrated TOR support for OpenVPN over TOR, support for OpenVPN over SSL and SSH, "intelligent" anti-censorship circumvention technique, "intelligent" VPN servers efficiency and rating calculations and much, much more. https://airvpn.org/topic/12464-eddie-27-available Currently the only open source OpenVPN wrapper in the world which allows OpenVPN over TOR connections without middle boxes or VM on three different OS. NEW SERVICES: OPENVPN OVER SSL - OPENVPN OVER SSH OpenVPN over SSL and OpenVPN over SSH will allow you to bypass OpenVPN connections disruption. Known ISP countries where the disruption takes place are China, Iran, Syria, Egypt. The connection disruption is possible because OpenVPN connections have a typical fingerprint which lets Deep Packet Inspection discern them from pure SSL/TLS connections. Connecting OpenVPN over SSL or OpenVPN over SSH will make your connection undiscernable from pure SSL or SSH connections, rendering DPI fingerprint identification powerless. OpenVPN over SSL/SSH is included in every Premium subscription without any additional payment. Use OpenVPN over SSL/SSH only when necessary: a slight performance hit is the price to pay. The performance hit is kept as low as possible because the "double-tunneling" is performed directly on our servers without additional hops. NEW FEATURES A new system for host resolution (not available for Windows) and dynamic VPN server choice is available. This will let you have OpenVPN configuration files which will try connections to various servers (according to your preferences) if one or more servers are unavailable. A new connection port (2018) is now available on all Air VPN servers. A new, alternative entry-IP address is now available on all Air VPN servers. NEW CONFIGURATION GENERATOR FEATURES - You can now select servers by countries, continents and planets (currently only one planet) or any combination between single servers and countries. - You can now select an alternative entry-IP address. Each Air server has now an additional entry-IP address to help you bypass IP blocking. - You can now choose a wide variety of compressing options: zip, 7zip, tar, tar & gzip, tar & bzip2. - You can now choose not to compress the files and download them uncompressed one by one NEW CONFIGURATION GENERATOR "ADVANCED MODE" FEATURES - Total connection ports range available, including new port 2018 in addition to 53, 80, 443 and (for SSH) 22. - Option to generate non-embedded configuration files, mandatory if you use network-manager as OpenVPN wrapper under Linux or just in case you use any wrapper that does not support embedded with certificates and keys OpenVPN configurations. - Option to generate files and scripts for OpenVPN over SSL/SSH connections by clicking on "Advanced Mode" - Option to select "Windows" or "Linux and others". Make sure you select the correct option according to your OS, because connections over SSL/SSH in Windows require different files than those required for Linux, *BSD and Unix-like / POSIX compliant systems such as Mac OSX. - New options to generate configuration files that support proxy authentication for OpenVPN over a proxy connections, particularly useful if you're behind a corporate or college proxy which requires authentication. A significant example of usage of OpenVPN over a proxy is OpenVPN over TOR: https://airvpn.org/tor Instruction page for OpenVPN over SSL (only if you don't run our client Eddie): https://airvpn.org/ssl Instruction page for OpenVPN over SSH (only if you don't run our client Eddie): https://airvpn.org/ssh Please do not hesitate to contact us for any additional information. Kind regards & Datalove AirVPN admins

"airvpn.org" blocked (DNS poisoning) Solution: hosts file edit OpenVPN connections are frequently disrupted (reported in Shangai and Beijing) Solution: OpenVPN over SSL works just fine UNCONFIRMED: momentary blocks of Internet domestic lines if a high percentage of encrypted traffic is detected

Hi, i'd like to know why this is happening.. Is this server really located in China? Thanks in advance!

Hello! When that option is enabled, the configuration generator will generate .ovpn file(s) which include already resolved names. If the option is disabled, the names are not resolved. Having unresolved names allows the client to rotate between servers according to DNS resolution with multiple records (example: nl.airvpn.org resolves to all the NL servers). This option is available only for "Linux and others" because of some Windows limitations in DNS resolution when a name has multiple records which make this option unusable with it. Windows configuration files will therefore always have resolved names into IP addresses. If airvpn.org is censored/DNS poisoned by your ISP (as it is in every China ISP), you MUST select this option even with Linux or any other OS in order to bypass the censorship. Kind regards

Hello! Today we're very glad to introduce native support for OpenVPN over SSL and OpenVPN over SSH, and a completely re-designed configuration generator which includes exciting, additional AirVPN services and features. Our service becomes more censorship resistant and easier to use with a wide range of OpenVPN GUIs and wrappers. NEW SERVICES: OPENVPN OVER SSL - OPENVPN OVER SSH OpenVPN over SSL and OpenVPN over SSH will allow you to bypass OpenVPN connections disruption. Known ISP countries where the disruption takes place are China, Iran, Syria, Egypt. The connection disruption is possible because OpenVPN connections have a typical fingerprint which lets Deep Packet Inspection to discern them from pure SSL/TLS connections. Connecting OpenVPN over SSL or OpenVPN over SSH will make your connection undiscernable from pure SSL or SSH connections, rendering DPI fingerprint identification powerless. OpenVPN over SSL/SSH is included in every Premium subscription without any additional payment. Use OpenVPN over SSL/SSH only when necessary: a slight performance hit is the price to pay. The performance hit is kept as low as possible because the "double-tunneling" is performed directly on our servers without additional hops. NEW FEATURES A new system for host resolution (not available for Windows) and dynamic VPN server choice is available. This will let you have OpenVPN configuration files which will try connections to various servers (according to your preferences) if one or more servers are unavailable. A new connection port (2018) is now available on all Air VPN servers. A new, alternative entry-IP address is now available on all Air VPN servers. NEW CONFIGURATION GENERATOR FEATURES - You can now select servers by countries, continents and planets (currently only one planet) or any combination between single servers and countries. - You can now select an alternative entry-IP address. Each Air server has now an additional entry-IP address to help you bypass IP blocking. - You can now choose a wide variety of compressing options: zip, 7zip, tar, tar & gzip, tar & bzip2. - You can now choose not to compress the files and download them uncompressed one by one NEW CONFIGURATION GENERATOR "ADVANCED MODE" FEATURES - Total connection ports range available, including new port 2018 in addition to 53, 80, 443 and (for SSH) 22. - Option to generate non-embedded configuration files, mandatory if you use network-manager as OpenVPN wrapper under Linux or just in case you use any wrapper that does not support embedded with certificates and keys OpenVPN configurations. - Option to generate files and scripts for OpenVPN over SSL/SSH connections by clicking on "Advanced Mode" - Option to select "Windows" or "Linux and others". Make sure you select the correct option according to your OS, because connections over SSL/SSH in Windows require different files than those required for Linux, *BSD and Unix-like / POSIX compliant systems such as Mac OSX. - New options to generate configuration files that support proxy authentication for OpenVPN over a proxy connections, particularly useful if you're behind a corporate or college proxy which requires authentication Instruction page for OpenVPN over SSL: https://airvpn.org/ssl Instruction page for OpenVPN over SSH: https://airvpn.org/ssh Please do not hesitate to contact us for any additional information. Kind regards & Datalove AirVPN admins

Hello! In general, if you use OpenVPN directly or the OpenVPN GUI you don't need those lines. There are some exceptions: those lines will help circumvent some DNS-poisoning censorship against our websites (in vast areas of China airvpn.org web site is censored), additionally they provide a "failover" in case one of the two frontends fails to respond, so we would recommend to add them in any case. Not exactly: once this is done, your system can't resolve names with DNS queries outside the VPN. The connectivity to the Internet is not broken. If you wish that your system can't connect to the Internet when disconnected from the VPN you can set your firewall, we recommend Comodo, please see our guide here: https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=3405&Itemid=142 No, you don't need to modify the DNS addresses set in your router. Those DNS will be used by devices connected to the router only if those devices send DNS queries to your router DNS. Kind regards

I've never seen such a thing as a complete (exhaustive) guide on trying to remain anonymous while browsing. There are guides scattered here and there about logging out of Facebook (and, as above, deleting your Facebook cookies) while browsing other sites. There are articles touting the virtues of NoScript or Ghostery or some other extension. EFF ( https://eff.org/ ) have privacy-related news and occasionally some of these sorts of guides, but they're usually geared to the "non-technical", i.e. they have a few very basic steps you should take in some given situation. There's some *bad* advice out there about asking your browser to send a "Do-Not-Track" header (literally: "DNT: 1"). Virtually no one has a policy agreeing to respect this header. Apache httpd has already been patched to ignore the header if your User-Agent string reports IE10. Some sites agree that they see your header, but politely note that they don't respect it. The same applies to using add-ons like Beef TACO, which load your browser with a bunch of "opt-out" cookies to let sites know you'd prefer not to be tracked. There are no guarantees whatever that anyone will afford the slightest amount of attention to these cookies--especially if the company is sold on, or they enter receivership. Most auctioneers selling off pieces of a liquidating company will try to get money for all their "customer" data. Even if the company with your data stays afloat, nearly all "privacy" policies include a clause about changing at any time, without notice. (Or by posting a notice somewhere on *their* site, which you probably never browse to deliberately. How often do you visit the actual DoubleClick homepage?) I would simply point to the advice I gave above about using Firefox and installing privacy-oriented add-ons. Take control of your browser. Ensure you have blanket solutions for multiple sites--and not just "social networking sites". Google (all Google services) and Facebook and various other "social" companies like to know where you're going, but there's also an extensive, loosely-organized network-of-networks mass of advertising sites that place cookies, "web bugs" (1x1px transparent GIFs--usually), and tracking scripts (client-side JS). They tend to sell on their data to... essentially any interested party. Even if you live in Europe, don't expect data protection laws to help you. If you take control of the situation, and start using AdBlock Plus, Ghostery, Cookie Controller (my favourite for that task), and perhaps a dash of NoScript, a lot of your data will simply stop being sent to people you'd prefer not have it. Using block lists like Antisocial with ABP *should* kill virtually every "social networking" widget ever, although I'm not clear if it will break any Facebook functionality while you're deliberately visiting there. (Try and see. Just remove the list if there's a problem. ABP has a nice info pane you can toggle to see all elements being blocked on the current page.) In particular, using NoScript with the ABE functionality switched on and some rulesets of your own can make it relatively easy to keep code from certain sites from being embedded in other sites. Here's a very trivial example: Site .facebook.com Accept from .facebook.com Deny INC(SCRIPT, OBJ, SUBDOC) This will prevent any other site from embedding Facebook. If at some point Facebook starts using extra domains or subdomains, just add them to both lists to make sure they can all embed each other. (Ex: ".facebook.com .facebookpics.com") (Don't do this unless you know for certain that Facebook *actually* owns and operates "facebookpics.com") If you want some serious security, though, give a thought to using multiple browser profiles. Firefox has a UI for this: https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles Chrome has support for this, but no UI that I'm aware of. You'll want to consult the list of command-line switches: http://peter.sh/experiments/chromium-command-line-switches/ Depending on your exact needs, you can: a) use Firefox or Chrome with multiple profiles, in separate browser processes, just use one browser for some sites and the other for some other set, c) open separate "Incognito" instances of Chrome while running off the default profile (Firefox adds this in 19-rel or 20-beta), d) mix and match as you see fit. Separate issue: while you're at it, consider distrusting some of the default Certificate Authorities your browsers ship with. You *really* don't want to grant trust to CNNIC, China Telecom, etc.--even if you live there. Consider scanning the rest of the list to see if there are other root CAs that maybe shouldn't be trusted. I tend to disable around twenty. Chrome on Windows uses the Windows schannel API, thus the Windows certificate store for its SSL needs, so there's nothing in the browser itself to disable. Spend a minute Googling "windows certificate management" or the like. I would add some advice about IE, Safari, or Opera, but, respectively: * IE's less a browser and more an open wound * I've never used Safari, and would never consider it * Opera just announced they're throwing away the Presto engine for WebKit, obsoleting all current advice

Unfortunately, DNS was originally designed with a great deal of implicit trust, so encrypting the traffic between you and AirVPN doesn't necessarily cure everything. https://en.wikipedia.org/wiki/DNS_spoofing Hello! It must be said that connection to Air makes your system immune to DNS spoofing as long as you use the VPN DNS (and you don't have malware or hosts interfering software rewriting your hosts file, but in this trivial case neither DNSSEC can save you, obviously). And it must also be noted that things like that can't happen AFTER the connection to an Air VPN server (of course China has still the power to perform IP hi-jacking against our servers IP addresses and prevent connections or cause disconnections to our Chinese users). Kind regards