Jump to content
Not connected, Your IP: 44.210.149.205

Technical Specs

WireGuard
  • Data packets symmetric encryption: ChaCha20-Poly1305
  • Perfect Forward Secrecy (PFS): ECDH with Curve25519
  • Pre-shared key (post-quantum resistance): Yes
OpenVPN
  • OpenVPN Data Channel: OpenVPN version>=2.4 available ciphers (data-ciphers directive server-side):
    CHACHA20-POLY1305 AES-256-GCM AES-256-CBC AES-192-GCM AES-192-CBC AES-128-GCM AES-128-CBC
    OpenVPN <2.4, AES-256-CBC as data channel cipher.
  • OpenVPN Control Channel: negotiation with following TLS ciphers (IANA names, tls-cipher directive server-side):
    TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256 TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 TLS-DHE-RSA-WITH-AES-256-CBC-SHA
    Unlike the OpenVPN default, we don't accept any AES-128 or any TLS-ECDHE.
  • Perfect Forward Secrecy through Diffie-Hellman key exchange DHE. After the initial key negotiation, re-keying is performed every 60 minutes (this value can be lowered unilaterally by the client)
  • 4096 bit RSA keys size
  • 4096 bit Diffie-Hellman keys size (unique for each server, VPN or webserver)
  • About OpenVPN DCO, see Road To OpenVPN 2.6 and our announcement

Recommended daemons (OpenVPN client version>=2.4)

  • Encrypt and authenticate all control channel packets (tls-crypt directive) with 2048 bit.
  • SHA512 message digest (if the negotiated cipher is not AEAD, e.g. GCM).

Compatibility daemons (OpenVPN client version<2.4)

  • TLS additional authorization layer key (tls-auth directive): 2048 bit
  • HMAC-SHA1 for authentication

Available port/protocols

Multiple entry ports (53, 80, 443, 1194, 2018, 28439, 38915, 41185), native OpenVPN tcp/udp or with additional tunnel layers (SSL, SSH), WireGuard.

Assigned IP

Servers support both IPv4 and IPv6 tunnels and are reachable over IPv4 and IPv6 on entry-IP addresses.
DNS server address is the same as gateway, in both IPv4 and IPv6 layer.

Chosen IPv4 Local Address

OpenVPN: 10.{daemon}.*.*, Subnet-Mask: 255.255.255.0
WireGuard: 10.128.0.0/10

Chosen IPv6 Unique Local Address (ULA)

OpenVPN: fde6:7a:7d20:{daemon}::/48
WireGuard: fd7d:76ee:e68f:a993::/64

Restrictions

  • Outbound port 25 blocked to prevent spam.

VPN DNS Server

OpenNIC
Namecoin
  • Every VPN server runs its own DNS server that directly finds out information about root servers, top level domains and authoritative name servers.
  • Our DNS servers are neutral, do not ever inject or alter the requests (other services resolve to search results, try to fix typo etc), and allow users to specify (opt-in) lists (Client ⇨ DNS) or custom answers or exceptions globally at account level or even at single device level.
    We collect third party lists, and also offer our recommendations based on third party lists with our exceptions. On our side, we do not add domains to be blocked.
    Third party lists are generally block-lists used in hosts files, when every entry is matched as a domain. Therefore, if a list includes "abc.com", "subdomain.abc.com" is blocked as well.
    We also support lists that can return custom A,AAAA,CNAME,TXT records, and we support different matching methods: Exact (exact FQDN), Domain (domain and subdomain), Wildcard (with * and ? as wildcards), Contain, Start with, End with.
    We support only third-party lists with open licenses granting re-distribution.
    We provide an API to fetch every and each list in different formats (see Client Area ⇨ API ⇨ dns_lists service)
  • Using our DNS allows our customers to use our anti-geolocation discrimination features. For example, visit a website that allows only United States connections from a Netherlands VPN server.
  • It's recommended to use our DNS server to avoid censorship and use our anti-geolocation features.
  • VPN DNS addresses (private addresses, only reachable from inside the VPN): 10.4.0.1 / fde6:7a:7d20:4::1 - reachable from any virtual subnet
    However, we recommend that your machine accepts the DNS push from our servers. If that's not possible, then we suggest to set the DNS IP address matching the VPN gateway IP address, as this is the safest method to prevent certain attacks based on hijacking.
  • For any kind of issue about censorship or geolocation restriction you encounter using our services, please feel free to write us in our forums or write a support ticket.

DoH, DoT

Every gateway/daemon assigned to you acts as a DNS (port 53), DoH (dns-over-http, port 443), DoT (dns-over-tls, port 853).
DoH and DoT don't add any actual benefit, because plain DNS requests are encrypted inside our tunnel anyway.
However, users might need it for special configurations. In such cases, use dns.airservers.org (automatically resolved into VPN gateway address).
Our DNS returns a NXDOMAIN for "use-application-dns.net", for compatibility reasons.

Special resolutions & URLs

check.airservers.org - Gateway IPv4 and IPv6 addresses
exit.airservers.org - Exit-IPv4 and exit-IPv6 addresses
use-application-dns.net - NXDOMAIN, for DoH compatibility, ensure Air DNS will be used (for anti-geolocation features, it can be opted out in DNS config)

https://check.airservers.org - Info about connected server
https://check.airservers.org/api/ - Same as above, in JSON
Use https://ipv4.airservers.org or https://ipv6.airservers.org - Same as above, specific IP layer

Name can be resolved only by VPN DNS, therefore VPN connection is required

Protocols and entry-IP addresses of each VPN server

Every AirVPN server has 4 entry-IPv4 addresses and 4 entry-IPv6 addresses that support different ports and protocols. Look at the faq "How can I get VPN servers entry-IP addresses?" for more information about FQDN resolution.

Type Description Entry IP Protocol & port Min. OpenVPN version Specs
OpenVPN
Recommended for best performance3UDP 4432.4tls-crypt, tls1.2
OpenVPN
If you have issue with UDP3TCP 4432.4tls-crypt, tls1.2
OpenVPN
Lightweight and efficient UDP connection3UDP 1637
OpenVPN
Alternative port for WireGuard3UDP 47107
OpenVPN
Official WireGuard port3UDP 51820
OpenVPN
Lightweight and efficient UDP connection1UDP 1637
OpenVPN
Alternative port for WireGuard1UDP 47107
OpenVPN
If your ISP applies caps or blocks3UDP 802.4tls-crypt, tls1.2
OpenVPN
If your ISP applies caps or blocks3UDP 532.4tls-crypt, tls1.2
OpenVPN
Official OpenVPN port3UDP 11942.4tls-crypt, tls1.2
OpenVPN
If your ISP applies caps or blocks3UDP 20182.4tls-crypt, tls1.2
OpenVPN
If your ISP applies caps or blocks on lower port ranges3UDP 411852.4tls-crypt, tls1.2
OpenVPN
If your ISP blocks the standard Entry IP4UDP 4432.4tls-crypt, tls1.2
OpenVPN
If your ISP blocks the standard Entry IP4UDP 802.4tls-crypt, tls1.2
OpenVPN
If your ISP blocks the standard Entry IP4UDP 532.4tls-crypt, tls1.2
OpenVPN
Official OpenVPN port, if your ISP blocks the standard Entry IP4UDP 11942.4tls-crypt, tls1.2
OpenVPN
If your ISP blocks the standard Entry IP4UDP 20182.4tls-crypt, tls1.2
OpenVPN
If your ISP applies caps or blocks on lower port ranges and blocks the standard Entry IP4UDP 411852.4tls-crypt, tls1.2
OpenVPN
If your ISP applies caps or blocks3TCP 802.4tls-crypt, tls1.2
OpenVPN
If your ISP applies caps or blocks3TCP 532.4tls-crypt, tls1.2
OpenVPN
Official OpenVPN port3TCP 11942.4tls-crypt, tls1.2
OpenVPN
If your ISP applies caps or blocks3TCP 20182.4tls-crypt, tls1.2
OpenVPN
If your ISP applies caps or blocks on lower port ranges3TCP 411852.4tls-crypt, tls1.2
OpenVPN
Official OpenVPN port, if your ISP blocks the standard Entry IP4TCP 11942.4tls-crypt, tls1.2
OpenVPN
If your ISP blocks the standard Entry IP4TCP 20182.4tls-crypt, tls1.2
OpenVPN
If your ISP applies caps or blocks on lower port ranges and blocks the standard Entry IP4TCP 411852.4tls-crypt, tls1.2
OpenVPN + OpenVPN
If your ISP applies caps or blocks3TCP 222.4tls-crypt, tls1.2
OpenVPN + OpenVPN
If your ISP applies caps or blocks4TCP 802.4tls-crypt, tls1.2
OpenVPN + OpenVPN
If your ISP applies caps or blocks4TCP 532.4tls-crypt, tls1.2
OpenVPN + OpenVPN
If your ISP applies caps or blocks on lower port ranges3TCP 389152.4tls-crypt, tls1.2
OpenVPN + OpenVPN
If your ISP blocks the standard Entry IP4TCP 222.4tls-crypt, tls1.2
OpenVPN + OpenVPN
If your ISP applies caps or blocks on lower port ranges and blocks the standard Entry IP4TCP 389152.4tls-crypt, tls1.2
OpenVPN + OpenVPN
If your ISP applies caps or blocks4TCP 4432.4tls-crypt, tls1.2
OpenVPN + OpenVPN
If your ISP applies caps or blocks on lower port ranges3TCP 284392.4tls-crypt, tls1.2
OpenVPN + OpenVPN
If your ISP applies caps or blocks on lower port ranges and blocks the standard Entry IP4TCP 284392.4tls-crypt, tls1.2
OpenVPN
Recommended for best performance1UDP 443
OpenVPN
If you have issue with UDP1TCP 443
OpenVPN
If your ISP applies caps or blocks1UDP 80
OpenVPN
If your ISP applies caps or blocks1UDP 53
OpenVPN
Official OpenVPN port1UDP 1194
OpenVPN
If your ISP applies caps or blocks1UDP 2018
OpenVPN
If your ISP applies caps or blocks on lower port ranges1UDP 41185
OpenVPN
If your ISP blocks the standard Entry IP2UDP 443
OpenVPN
If your ISP blocks the standard Entry IP2UDP 80
OpenVPN
If your ISP blocks the standard Entry IP2UDP 53
OpenVPN
Official OpenVPN port, if your ISP blocks the standard Entry IP2UDP 1194
OpenVPN
If your ISP blocks the standard Entry IP2UDP 2018
OpenVPN
If your ISP applies caps or blocks on lower port ranges and blocks the standard Entry IP2UDP 41185
OpenVPN
If your ISP applies caps or blocks1TCP 80
OpenVPN
If your ISP applies caps or blocks1TCP 53
OpenVPN
Official OpenVPN port1TCP 1194
OpenVPN
If your ISP applies caps or blocks1TCP 2018
OpenVPN
If your ISP applies caps or blocks on lower port ranges1TCP 41185
OpenVPN
Official OpenVPN port, if your ISP blocks the standard Entry IP2TCP 1194
OpenVPN
If your ISP blocks the standard Entry IP2TCP 2018
OpenVPN
If your ISP applies caps or blocks on lower port ranges and blocks the standard Entry IP2TCP 41185
OpenVPN + OpenVPN
If your ISP applies caps or blocks1TCP 22
OpenVPN + OpenVPN
If your ISP applies caps or blocks2TCP 80
OpenVPN + OpenVPN
If your ISP applies caps or blocks2TCP 53
OpenVPN + OpenVPN
If your ISP applies caps or blocks on lower port ranges1TCP 38915
OpenVPN + OpenVPN
If your ISP blocks the standard Entry IP2TCP 22
OpenVPN + OpenVPN
If your ISP applies caps or blocks on lower port ranges and blocks the standard Entry IP2TCP 38915
OpenVPN + OpenVPN
If your ISP applies caps or blocks2TCP 443
OpenVPN + OpenVPN
If your ISP applies caps or blocks on lower port ranges1TCP 28439
OpenVPN + OpenVPN
If your ISP applies caps or blocks on lower port ranges and blocks the standard Entry IP2TCP 28439

Web Servers

Web site supporting HTTP2, Perfect Forward Secrecy, Secure Renegotiation, TLS 1.2 or 1.3, DHE, ECDHE and HSTS. No external tracking applications or cookies from third parties.
All website have a PWA (Progressive Web App), use "Add to Home Screen" to instantiate it.
Mail SPF, DKIM, ADSP and DMARC on all domains managed by us.
DNSSEC on our domains (except ipleak.net, airservers.org and airdns.org)

Vulnerability Disclosure Policy and Bug Bounty Program

×
×
  • Create New...