Technical Specs
We provide ONLY protocol/servers.
  • OpenVPN >=2.4: negotiation with the following ciphers (ncp-ciphers directive server-side):
    AES-256-GCM AES-256-CBC AES-256-CFB AES-256-OFB AES-256-CFB1 AES-256-CFB8 AES-128-GCM AES-128-CBC AES-128-CFB AES-128-OFB AES-128-CFB1 AES-128-CFB8 CAMELLIA-256-CBC SEED-CBC
    OpenVPN <2.4: AES-256-CBC as the data channel cipher.
  • Negotiation with the following TLS ciphers (IANA names, tls-cipher directive server-side):
    TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 TLS-DHE-RSA-WITH-AES-256-CBC-SHA TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
    Unlike the OpenVPN default, we don't accept any AES-128 or any TLS-ECDHE.
  • Perfect Forward Secrecy through Diffie-Hellman key exchange (DHE). After the initial key negotiation, re-keying is performed every 60 minutes (this value can be lowered unilaterally by the client).
  • 4096-bit RSA key size
  • 4096-bit Diffie-Hellman key size (unique for each server, VPN or webserver)

Recommended daemons (client >=2.4) (not yet supported in all servers)

  • Encrypt and authenticate all control channel packets (tls-crypt directive) with a 2048-bit key.
  • SHA512 message digest (if the negotiated cipher is not AEAD, e.g. GCM).

Compatibility daemons (client <2.4)

  • TLS additional authorization layer key (tls-auth directive): 2048 bit
  • HMAC-SHA1 for authentication

Available port/protocols

Multiple entry ports (53, 80, 443, 1194, 2018, 28439, 38915, 41185), native OpenVPN tcp/udp or with additional tunnel layers (SSL, SSH).
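
An added example, not AirVPN's own tooling: a Python check of an OpenVPN client configuration against the cipher lists, entry ports and recommended (client >=2.4) profile listed above. The sample configuration, the host name server.example and the function names are constructed for illustration.

```python
import re
# Values copied from the specification above.
DATA_CIPHERS = set((
    "AES-256-GCM AES-256-CBC AES-256-CFB AES-256-OFB AES-256-CFB1 AES-256-CFB8 "
    "AES-128-GCM AES-128-CBC AES-128-CFB AES-128-OFB AES-128-CFB1 AES-128-CFB8 "
    "CAMELLIA-256-CBC SEED-CBC").split())
TLS_CIPHERS = {"TLS-DHE-RSA-WITH-AES-256-GCM-SHA384", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256",
               "TLS-DHE-RSA-WITH-AES-256-CBC-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA"}
ENTRY_PORTS = {53, 80, 443, 1194, 2018, 28439, 38915, 41185}

# Constructed sample config (not a real profile); server.example is a placeholder host.
SAMPLE = """client
remote server.example 8443
cipher BF-CBC
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
tls-auth ta.key 1
"""

def parse(text):
    """Map each directive to its argument lists; an inline <x>...</x> block counts as x."""
    opts, block = {}, None
    for line in map(str.strip, text.splitlines()):
        if block:  # skip key material until the closing tag of the inline block
            block = None if line == f"</{block}>" else block
        elif (m := re.fullmatch(r"<([\w-]+)>", line)):
            block = m.group(1)
            opts.setdefault(block, []).append([])
        elif line and line[0] not in "#;":
            name, *args = line.split()
            opts.setdefault(name, []).append(args)
    return opts

def audit(text):
    """Return findings where the client config falls outside the published parameters."""
    o, out = parse(text), []
    first = lambda k, d=None: o[k][0][0] if o.get(k) and o[k][0] else d
    cipher = first("cipher")
    if cipher not in DATA_CIPHERS:
        out.append(f"data cipher {cipher or '(unset)'} is not in the server's list")
    out += [f"tls-cipher {c} is not accepted by the server"
            for c in (first("tls-cipher") or "").split(":") if c and c not in TLS_CIPHERS]
    if "tls-crypt" not in o:
        out.append("tls-auth only: control packets are HMAC-authenticated, not encrypted by tls-crypt"
                   if "tls-auth" in o else "no tls-crypt or tls-auth key configured")
    if not (cipher or "").endswith("-GCM") and first("auth", "SHA1").upper() != "SHA512":
        out.append("non-AEAD data cipher without auth SHA512")
    out += [f"remote port {a[1]} is not a published entry port" for a in o.get("remote", [])
            if len(a) > 1 and a[1].isdigit() and int(a[1]) not in ENTRY_PORTS]
    return out
```

`audit(SAMPLE)` returns five findings for the constructed sample; a profile that uses AES-256-GCM, a listed TLS cipher, an inline tls-crypt key and a published port returns an empty list.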

Assigned IP

Servers support both IPv4 and IPv6 tunnels (exit-ip), and are reachable over IPv4 and IPv6 (entry-ip). Currently (2018/01) not all servers support the IPv6 tunnel yet.
The DNS server address is the same as the gateway address, in both the IPv4 and the IPv6 layer.

IPv4 Local Address chosen: 10.{daemon}.*.*, Subnet-Mask: 255.255.0.0
IPv6 Unique Local Address (ULA) chosen: fde6:7a:7d20:{daemon}::/48.

Restrictions

  • Outbound port 25 blocked to prevent spam.

VPN DNS Server

Namecoin
OpenNIC
  • Every VPN server runs its own DNS server, which obtains information directly from the root servers, top-level domains and authoritative name servers.
  • Our DNS servers are neutral and never inject or alter requests (other services resolve to search results, try to fix typos, etc.).
  • Where ICANN or the root servers themselves interfere through censorship, we may apply a specific censorship fix to our DNS servers. See the "AirVPN does not recognize ICANN authority anymore" topic for more information.
  • Using our DNS allows our customers to use our anti-geolocation discrimination features. For example, you can visit a website that allows only United States connections from a Netherlands VPN server.
  • It's recommended to use our DNS server to avoid censorship and use our anti-geolocation features.
  • VPN DNS addresses (private addresses, only reachable from inside the VPN): 10.4.0.1 / fde6:7a:7d20:4::1 - reachable from any virtual subnet
    However, we recommend that your machine accept the DNS push from our servers. If that's not possible, we suggest setting the DNS IP address to match the VPN gateway IP address, as this is the safest method to prevent certain attacks based on hijacking.
  • For any kind of issue with censorship or geolocation restrictions that you encounter using our services, please feel free to write to us in our forums or open a support ticket.
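
An added example, not part of the original page: a Python check that the resolvers a client actually uses are the ones recommended above, either pushed by the server or equal to the VPN gateway. The log line and resolv.conf content are constructed, and the check assumes resolv.conf lists the real upstream resolvers rather than a local stub.

```python
import ipaddress
import re

# Constructed inputs: a client log line in OpenVPN's PUSH_REPLY format and a resolv.conf.
LOG = ("PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,"
       "dhcp-option DNS 10.4.0.1,route-gateway 10.4.0.1,topology subnet,"
       "ifconfig 10.4.12.34 255.255.0.0'")
RESOLV_CONF = "# constructed\nnameserver 10.4.0.1\nnameserver 192.168.1.1\n"

def pushed(log):
    """Return (set of pushed DNS addresses, route gateway or None) from a PUSH_REPLY line."""
    m = re.search(r"PUSH_REPLY,([^']*)", log)
    opts = [o.split() for o in m.group(1).split(",")] if m else []
    dns = {ipaddress.ip_address(o[2]) for o in opts
           if len(o) == 3 and o[0] == "dhcp-option" and o[1] in ("DNS", "DNS6")}
    gw = next((ipaddress.ip_address(o[1]) for o in opts
               if len(o) == 2 and o[0] == "route-gateway"), None)
    return dns, gw

def resolvers(resolv_conf):
    """Parse nameserver lines, dropping any IPv6 zone suffix such as %eth0."""
    out = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(ipaddress.ip_address(parts[1].split("%")[0]))
    return out

def stray_resolvers(log, resolv_conf):
    """List configured resolvers that are neither pushed by the server nor the VPN gateway."""
    dns, gw = pushed(log)
    allowed = dns | ({gw} if gw else set())
    return [str(r) for r in resolvers(resolv_conf) if r not in allowed]
```

With the constructed inputs, `stray_resolvers(LOG, RESOLV_CONF)` reports 192.168.1.1, a resolver outside the tunnel that would still receive queries.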

Protocols and entry-IP addresses of each VPN server

Every AirVPN server has 4 entry-IPv4 addresses and 4 entry-IPv6 addresses that support different ports and protocols. See the FAQ "How can I get VPN servers entry-IP addresses?" for more information about FQDN resolution.

Entry IP | Protocol | Port | Specs | Description | Min. OpenVPN version
---------|----------|------|-------|-------------|---------------------
1 | udp | 443 | - | Recommended for best performance | -
1 | tcp | 443 | - | If you have issues with UDP | -
1 | udp | 80 | - | If your ISP applies caps or blocks | -
1 | tcp | 80 | - | If your ISP applies caps or blocks | -
1 | udp | 53 | - | If your ISP applies caps or blocks | -
1 | tcp | 53 | - | If your ISP applies caps or blocks | -
1 | udp | 2018 | - | If your ISP applies caps or blocks | -
1 | tcp | 2018 | - | If your ISP applies caps or blocks | -
2 | udp | 443 | - | If your ISP blocks the standard Entry IP | -
2 | udp | 80 | - | If your ISP blocks the standard Entry IP | -
2 | udp | 53 | - | If your ISP blocks the standard Entry IP | -
2 | udp | 2018 | - | If your ISP blocks the standard Entry IP | -
2 | tcp | 2018 | - | If your ISP blocks the standard Entry IP | -
1 | ssh | 22 | - | If your ISP applies caps or blocks | -
2 | ssh | 22 | - | If your ISP blocks the standard Entry IP | -
2 | ssh | 80 | - | If your ISP applies caps or blocks | -
2 | ssh | 53 | - | If your ISP applies caps or blocks | -
2 | ssl | 443 | - | If your ISP applies caps or blocks | -
1 | udp | 1194 | - | Official OpenVPN port | -
1 | tcp | 1194 | - | Official OpenVPN port | -
1 | udp | 41185 | - | If your ISP applies caps or blocks on lower port ranges | -
1 | tcp | 41185 | - | If your ISP applies caps or blocks on lower port ranges | -
1 | ssh | 38915 | - | If your ISP applies caps or blocks on lower port ranges | -
1 | ssl | 28439 | - | If your ISP applies caps or blocks on lower port ranges | -
2 | udp | 1194 | - | Official OpenVPN port, if your ISP blocks the standard Entry IP | -
2 | tcp | 1194 | - | Official OpenVPN port, if your ISP blocks the standard Entry IP | -
2 | udp | 41185 | - | If your ISP applies caps or blocks on lower port ranges and blocks the standard Entry IP | -
2 | tcp | 41185 | - | If your ISP applies caps or blocks on lower port ranges and blocks the standard Entry IP | -
2 | ssh | 38915 | - | If your ISP applies caps or blocks on lower port ranges and blocks the standard Entry IP | -
2 | ssl | 28439 | - | If your ISP applies caps or blocks on lower port ranges and blocks the standard Entry IP | -
3 | udp | 443 | tls-crypt, tls1.2 | Recommended for best performance | 2.4
3 | tcp | 443 | tls-crypt, tls1.2 | If you have issues with UDP | 2.4
3 | udp | 80 | tls-crypt, tls1.2 | If your ISP applies caps or blocks | 2.4
3 | tcp | 80 | tls-crypt, tls1.2 | If your ISP applies caps or blocks | 2.4
3 | udp | 53 | tls-crypt, tls1.2 | If your ISP applies caps or blocks | 2.4
3 | tcp | 53 | tls-crypt, tls1.2 | If your ISP applies caps or blocks | 2.4
3 | udp | 2018 | tls-crypt, tls1.2 | If your ISP applies caps or blocks | 2.4
3 | tcp | 2018 | tls-crypt, tls1.2 | If your ISP applies caps or blocks | 2.4
4 | udp | 443 | tls-crypt, tls1.2 | If your ISP blocks the standard Entry IP | 2.4
4 | udp | 80 | tls-crypt, tls1.2 | If your ISP blocks the standard Entry IP | 2.4
4 | udp | 53 | tls-crypt, tls1.2 | If your ISP blocks the standard Entry IP | 2.4
4 | udp | 2018 | tls-crypt, tls1.2 | If your ISP blocks the standard Entry IP | 2.4
4 | tcp | 2018 | tls-crypt, tls1.2 | If your ISP blocks the standard Entry IP | 2.4
3 | ssh | 22 | tls-crypt, tls1.2 | If your ISP applies caps or blocks | 2.4
4 | ssh | 22 | tls-crypt, tls1.2 | If your ISP blocks the standard Entry IP | 2.4
4 | ssh | 80 | tls-crypt, tls1.2 | If your ISP applies caps or blocks | 2.4
4 | ssh | 53 | tls-crypt, tls1.2 | If your ISP applies caps or blocks | 2.4
4 | ssl | 443 | tls-crypt, tls1.2 | If your ISP applies caps or blocks | 2.4
3 | udp | 1194 | tls-crypt, tls1.2 | Official OpenVPN port | 2.4
3 | tcp | 1194 | tls-crypt, tls1.2 | Official OpenVPN port | 2.4
3 | udp | 41185 | tls-crypt, tls1.2 | If your ISP applies caps or blocks on lower port ranges | 2.4
3 | tcp | 41185 | tls-crypt, tls1.2 | If your ISP applies caps or blocks on lower port ranges | 2.4
3 | ssh | 38915 | tls-crypt, tls1.2 | If your ISP applies caps or blocks on lower port ranges | 2.4
3 | ssl | 28439 | tls-crypt, tls1.2 | If your ISP applies caps or blocks on lower port ranges | 2.4
4 | udp | 1194 | tls-crypt, tls1.2 | Official OpenVPN port, if your ISP blocks the standard Entry IP | 2.4
4 | tcp | 1194 | tls-crypt, tls1.2 | Official OpenVPN port, if your ISP blocks the standard Entry IP | 2.4
4 | udp | 41185 | tls-crypt, tls1.2 | If your ISP applies caps or blocks on lower port ranges and blocks the standard Entry IP | 2.4
4 | tcp | 41185 | tls-crypt, tls1.2 | If your ISP applies caps or blocks on lower port ranges and blocks the standard Entry IP | 2.4
4 | ssh | 38915 | tls-crypt, tls1.2 | If your ISP applies caps or blocks on lower port ranges and blocks the standard Entry IP | 2.4
4 | ssl | 28439 | tls-crypt, tls1.2 | If your ISP applies caps or blocks on lower port ranges and blocks the standard Entry IP | 2.4

Web Server - airvpn.org

  • Web site supporting HTTP2, Perfect Forward Secrecy, Secure Renegotiation, TLS up to 1.2, DHE, ECDHE and HSTS.
  • No external tracking applications or cookies from third parties.
  • See Qualys SSL Labs for a peer review of our web site.