Technical Specs
We provide ONLY
protocol/servers.

- OpenVPN Data Channel: OpenVPN version>=2.4 available ciphers (data-ciphers directive server-side):
CHACHA20-POLY1305 AES-256-GCM AES-256-CBC AES-192-GCM AES-192-CBC AES-128-GCM AES-128-CBC
OpenVPN <2.4, AES-256-CBC as data channel cipher.
- OpenVPN Control Channel: negotiation with following TLS ciphers (IANA names, tls-cipher directive server-side):
TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256 TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 TLS-DHE-RSA-WITH-AES-256-CBC-SHA
Unlike the OpenVPN default, we don't accept any AES-128 or any TLS-ECDHE.
- Perfect Forward Secrecy through Diffie-Hellman key exchange DHE. After the initial key negotiation, re-keying is performed every 60 minutes (this value can be lowered unilaterally by the client)
- 4096-bit RSA key size
- 4096-bit Diffie-Hellman key size (unique for each server, VPN or webserver)
Recommended daemons (OpenVPN client version>=2.4)
- Encrypt and authenticate all control channel packets (tls-crypt directive) with a 2048-bit key.
- SHA512 message digest (if the negotiated cipher is not AEAD, e.g. GCM).
Compatibility daemons (OpenVPN client version<2.4)
- TLS additional authorization layer key (tls-auth directive): 2048 bit
- HMAC-SHA1 for authentication
Available port/protocols
Multiple entry ports (53, 80, 443, 1194, 2018, 28439, 38915, 41185), native OpenVPN tcp/udp or with additional tunnel layers (SSL, SSH).
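As an added example (not AirVPN's code), the Python below audits an OpenVPN >=2.4 client profile against the data-channel ciphers, TLS ciphers, tls-crypt requirement, SHA512 digest and entry ports listed above. The function names, the sample profile and its hostname are assumptions made for the illustration.

```python
import shlex

# Values copied from the specifications on this page.
DATA_CIPHERS = set("CHACHA20-POLY1305 AES-256-GCM AES-256-CBC AES-192-GCM "
                   "AES-192-CBC AES-128-GCM AES-128-CBC".split())
TLS_CIPHERS = set("TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256 TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 "
                  "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 TLS-DHE-RSA-WITH-AES-256-CBC-SHA".split())
PORTS = {53, 80, 443, 1194, 2018, 28439, 38915, 41185}

def parse(text):
    """Map directive -> list of argument lists; an inline <block> counts as present."""
    cfg, in_block = {}, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
            cfg.setdefault(line.strip("<>"), []).append([])
        elif not in_block and line[:1] != ";" and (parts := shlex.split(line, comments=True)):
            cfg.setdefault(parts[0], []).append(parts[1:])
    return cfg

def audit(text):
    """Return findings where a client profile departs from the published parameters."""
    cfg, out = parse(text), []
    def colon_list(name):
        args = cfg.get(name, [[]])[-1]
        return args[0].split(":") if args else []
    data = colon_list("data-ciphers")
    out += [f"data-ciphers: {c} is not in the server list" for c in data if c not in DATA_CIPHERS]
    out += [f"tls-cipher: {c} is not accepted" for c in colon_list("tls-cipher") if c not in TLS_CIPHERS]
    if "tls-crypt" not in cfg:
        out.append("tls-crypt missing (tls-auth is the <2.4 compatibility mode)")
    auth = cfg.get("auth", [["SHA1"]])[-1][0].upper()  # OpenVPN's default digest is SHA1
    if auth != "SHA512" and any(not c.endswith(("GCM", "POLY1305")) for c in data):
        out.append(f"auth {auth}: non-AEAD data ciphers are paired with SHA512")
    out += [f"remote: port {a[1]} is not a listed entry port" for a in cfg.get("remote", [])
            if len(a) > 1 and int(a[1]) not in PORTS]
    return out

SAMPLE = """# constructed profile; hostname and key are placeholders
remote vpn.example.net 8443 udp
data-ciphers AES-256-GCM:AES-256-CBC:BF-CBC
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
auth SHA256
<tls-crypt>
(key placeholder)
</tls-crypt>
"""
if __name__ == "__main__": print(*audit(SAMPLE), sep="\n")
```

The constructed sample produces four findings: an unlisted data cipher, a TLS-ECDHE suite, a digest other than SHA512 alongside CBC ciphers, and a port outside the entry-port list.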
Assigned IP
Servers support both IPv4 and IPv6 tunnels and are reachable over IPv4 and IPv6 on entry-IP addresses.
DNS server address is the same as gateway, in both IPv4 and IPv6 layer.
IPv4 Local Address chosen: 10.{daemon}.*.*, Subnet-Mask: 255.255.255.0
IPv6 Unique Local Address (ULA) chosen: fde6:7a:7d20:{daemon}::/48.
Restrictions
- Outbound port 25 blocked to prevent spam.
VPN DNS Server
- Every VPN server runs its own DNS server that directly finds out information about root servers, top level domains and authoritative name servers.
- Our DNS servers are neutral and never inject or alter the requests (other services resolve to search results, try to fix typos, etc.).
- Where ICANN or root servers themselves interfere with censorship, we may apply a specific censorship fix to our DNS server. See "AirVPN does not recognize ICANN authority anymore" topic for more information.
- Using our DNS allows our customers to use our anti-geolocation discrimination features. For example, visit a website that allows only United States connections from a Netherlands VPN server.
- It's recommended to use our DNS server to avoid censorship and use our anti-geolocation features.
- VPN DNS addresses (private addresses, only reachable from inside the VPN): 10.4.0.1 / fde6:7a:7d20:4::1 - reachable from any virtual subnet
However, we recommend that your machine accepts the DNS push from our servers. If that's not possible, then we suggest to set the DNS IP address matching the VPN gateway IP address, as this is the safest method to prevent certain attacks based on hijacking.
- For any kind of issue about censorship or geolocation restriction you encounter using our services, please feel free to write us in our forums or write a support ticket.
Protocols and entry-IP addresses of each VPN server
Every AirVPN server has 4 entry-IPv4 addresses and 4 entry-IPv6 addresses that support different ports and protocols. Look at the faq "How can I get VPN servers entry-IP addresses?" for more information about FQDN resolution.
Type | Entry IP | Protocol & port | Specs | Description | Min. OpenVPN version |
---|---|---|---|---|---|
OpenVPN | 3 | udp 443 | tls-crypt, tls1.2 | Recommended for best performance | 2.4 |
OpenVPN | 3 | tcp 443 | tls-crypt, tls1.2 | If you have issue with UDP | 2.4 |
OpenVPN | 3 | udp 80 | tls-crypt, tls1.2 | If your ISP applies caps or blocks | 2.4 |
OpenVPN | 3 | udp 53 | tls-crypt, tls1.2 | If your ISP applies caps or blocks | 2.4 |
OpenVPN | 3 | udp 1194 | tls-crypt, tls1.2 | Official OpenVPN port | 2.4 |
OpenVPN | 3 | udp 2018 | tls-crypt, tls1.2 | If your ISP applies caps or blocks | 2.4 |
OpenVPN | 3 | udp 41185 | tls-crypt, tls1.2 | If your ISP applies caps or blocks on lower port ranges | 2.4 |
OpenVPN | 4 | udp 443 | tls-crypt, tls1.2 | If your ISP blocks the standard Entry IP | 2.4 |
OpenVPN | 4 | udp 80 | tls-crypt, tls1.2 | If your ISP blocks the standard Entry IP | 2.4 |
OpenVPN | 4 | udp 53 | tls-crypt, tls1.2 | If your ISP blocks the standard Entry IP | 2.4 |
OpenVPN | 4 | udp 1194 | tls-crypt, tls1.2 | Official OpenVPN port, if your ISP blocks the standard Entry IP | 2.4 |
OpenVPN | 4 | udp 2018 | tls-crypt, tls1.2 | If your ISP blocks the standard Entry IP | 2.4 |
OpenVPN | 4 | udp 41185 | tls-crypt, tls1.2 | If your ISP applies caps or blocks on lower port ranges and blocks the standard Entry IP | 2.4 |
OpenVPN | 3 | tcp 80 | tls-crypt, tls1.2 | If your ISP applies caps or blocks | 2.4 |
OpenVPN | 3 | tcp 53 | tls-crypt, tls1.2 | If your ISP applies caps or blocks | 2.4 |
OpenVPN | 3 | tcp 1194 | tls-crypt, tls1.2 | Official OpenVPN port | 2.4 |
OpenVPN | 3 | tcp 2018 | tls-crypt, tls1.2 | If your ISP applies caps or blocks | 2.4 |
OpenVPN | 3 | tcp 41185 | tls-crypt, tls1.2 | If your ISP applies caps or blocks on lower port ranges | 2.4 |
OpenVPN | 4 | tcp 1194 | tls-crypt, tls1.2 | Official OpenVPN port, if your ISP blocks the standard Entry IP | 2.4 |
OpenVPN | 4 | tcp 2018 | tls-crypt, tls1.2 | If your ISP blocks the standard Entry IP | 2.4 |
OpenVPN | 4 | tcp 41185 | tls-crypt, tls1.2 | If your ISP applies caps or blocks on lower port ranges and blocks the standard Entry IP | 2.4 |
OpenVPN | 3 | ssh 22 | tls-crypt, tls1.2 | If your ISP applies caps or blocks | 2.4 |
OpenVPN | 4 | ssh 80 | tls-crypt, tls1.2 | If your ISP applies caps or blocks | 2.4 |
OpenVPN | 4 | ssh 53 | tls-crypt, tls1.2 | If your ISP applies caps or blocks | 2.4 |
OpenVPN | 3 | ssh 38915 | tls-crypt, tls1.2 | If your ISP applies caps or blocks on lower port ranges | 2.4 |
OpenVPN | 4 | ssh 22 | tls-crypt, tls1.2 | If your ISP blocks the standard Entry IP | 2.4 |
OpenVPN | 4 | ssh 38915 | tls-crypt, tls1.2 | If your ISP applies caps or blocks on lower port ranges and blocks the standard Entry IP | 2.4 |
OpenVPN | 4 | ssl 443 | tls-crypt, tls1.2 | If your ISP applies caps or blocks | 2.4 |
OpenVPN | 3 | ssl 28439 | tls-crypt, tls1.2 | If your ISP applies caps or blocks on lower port ranges | 2.4 |
OpenVPN | 4 | ssl 28439 | tls-crypt, tls1.2 | If your ISP applies caps or blocks on lower port ranges and blocks the standard Entry IP | 2.4 |
OpenVPN | 1 | udp 443 | | Recommended for best performance | |
OpenVPN | 1 | tcp 443 | | If you have issue with UDP | |
OpenVPN | 1 | udp 80 | | If your ISP applies caps or blocks | |
OpenVPN | 1 | udp 53 | | If your ISP applies caps or blocks | |
OpenVPN | 1 | udp 1194 | | Official OpenVPN port | |
OpenVPN | 1 | udp 2018 | | If your ISP applies caps or blocks | |
OpenVPN | 1 | udp 41185 | | If your ISP applies caps or blocks on lower port ranges | |
OpenVPN | 2 | udp 443 | | If your ISP blocks the standard Entry IP | |
OpenVPN | 2 | udp 80 | | If your ISP blocks the standard Entry IP | |
OpenVPN | 2 | udp 53 | | If your ISP blocks the standard Entry IP | |
OpenVPN | 2 | udp 1194 | | Official OpenVPN port, if your ISP blocks the standard Entry IP | |
OpenVPN | 2 | udp 2018 | | If your ISP blocks the standard Entry IP | |
OpenVPN | 2 | udp 41185 | | If your ISP applies caps or blocks on lower port ranges and blocks the standard Entry IP | |
OpenVPN | 1 | tcp 80 | | If your ISP applies caps or blocks | |
OpenVPN | 1 | tcp 53 | | If your ISP applies caps or blocks | |
OpenVPN | 1 | tcp 1194 | | Official OpenVPN port | |
OpenVPN | 1 | tcp 2018 | | If your ISP applies caps or blocks | |
OpenVPN | 1 | tcp 41185 | | If your ISP applies caps or blocks on lower port ranges | |
OpenVPN | 2 | tcp 1194 | | Official OpenVPN port, if your ISP blocks the standard Entry IP | |
OpenVPN | 2 | tcp 2018 | | If your ISP blocks the standard Entry IP | |
OpenVPN | 2 | tcp 41185 | | If your ISP applies caps or blocks on lower port ranges and blocks the standard Entry IP | |
OpenVPN | 1 | ssh 22 | | If your ISP applies caps or blocks | |
OpenVPN | 2 | ssh 80 | | If your ISP applies caps or blocks | |
OpenVPN | 2 | ssh 53 | | If your ISP applies caps or blocks | |
OpenVPN | 1 | ssh 38915 | | If your ISP applies caps or blocks on lower port ranges | |
OpenVPN | 2 | ssh 22 | | If your ISP blocks the standard Entry IP | |
OpenVPN | 2 | ssh 38915 | | If your ISP applies caps or blocks on lower port ranges and blocks the standard Entry IP | |
OpenVPN | 2 | ssl 443 | | If your ISP applies caps or blocks | |
OpenVPN | 1 | ssl 28439 | | If your ISP applies caps or blocks on lower port ranges | |
OpenVPN | 2 | ssl 28439 | | If your ISP applies caps or blocks on lower port ranges and blocks the standard Entry IP | |
Web Servers
Web site supporting HTTP2, Perfect Forward Secrecy, Secure Renegotiation, TLS 1.2 or 1.3, DHE, ECDHE and HSTS. No external tracking applications or cookies from third parties.
All websites have a PWA (Progressive Web App), use "Add to Home Screen" to instantiate it.
Mail SPF, DKIM, ADSP and DMARC on all domains managed by us.
DNSSEC on our domains (except ipleak.net, airservers.org and airdns.org)
- airvpn.org web server configuration provides a balance between compatibility and security strength, with no dangerous compromise (A+ rating in Qualys SSL Labs).
- airvpn.dev web server configuration provides a hardened security configuration aiming for a 100% rating (Qualys SSL Labs, CryptCheck), which sacrifices compatibility with older systems and browsers (example: Android 6 will not connect).
- airvpn3epnw2fnsbx5x2ppzjs6vxtdarldas7wjyqvhscj7x43fxylqd.onion is the onion Tor version. Served in HTTP and HTTPS. HTTP version is recommended, as HTTPS is superfluous with onion hidden services. HTTPS version needs acknowledgment and exception for certificate domain name mismatch, no solution is possible right now.
- airvpn.eth official frontend via ENS resolution, that resolves into our .onion address.
Vulnerability Disclosure Policy and Bug Bounty Program
Detailed information in our Vulnerability Disclosure Policy and Bug Bounty Program page.
securitytxt.org support, RFC5785 link