Staff

Hello! The "range" is specified by mask /32, so it's this single unique address. Yes, it's plausible that some past event flagged the IP address. We don't know the internals of Tailscale but definitely this behavior should be investigated. Why an attempted connection to this specific IP address and why this port? Kind regards

Hello! There's nothing listening to port 54037 on any AirVPN server. We can't see why Tailscale seeks a connection to it, anyway we are sure now that there's no malware there as there's nothing. Probably Malwarebytes behavior comes from some past event or it's yet another over-blocking case. Kind regards

the effective MTU of the tunnel is limited by the smallest MTU anywhere along the path Hello! On our servers the MTU limit is 1420 bytes on a standard Ethernet frame because of IPv6 over IPv4. For PPPoE see also https://www.hitoha.moe/wireguard-mtu-over-pppoe/ So, if you set 1432 bytes MTU for your WireGuard interface, the fragmentation will occur on our servers, not on your side. The upper, actual limit is the lowest MTU in the path, in other words the smallest MTU on the path silently limits the tunnel. The 12 bytes difference may be negligible and most packets will not be fragmented, and you will not see fragmentation on your side, but you could notice a performance hit on upload (upload from you to the server we mean). Kind regards

Hello! Problem solved, can you please try again now? Kind regards

@Zack Hello! The IP address you mention is assigned to AirVPN server Asellus in the Netherlands. Please mention explicitly port Y, we want and must verify what your app (mention the app too if possible) will find on that port, it's important. Kind regards

Hello and thank you for having reported the problem! We are working on it. We will update this thread when the issue is solved. Kind regards

Hello! Please see here: https://airvpn.org/forums/topic/79065-eddie-desktop-apt-repository-signing-key-update/ Kind regards

Hello! Starting from February 1st, 2026, Debian (e.g. Trixie) enforces stricter OpenPGP policies and no longer accepts repository signatures involving SHA1-based certifications. As a result, users may see errors such as: Get:4 http://eddie.website/repository/apt stable InRelease [3,954 B] Err:4 http://eddie.website/repository/apt stable InRelease Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on C181AC89FA667E317F423998513EFC94400D7698 is not bound: No binding signature at time 2025-01-14T13:07:46Z because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance because: SHA1 is not considered secure since 2026-02-01T00:00:00Z Warning: OpenPGP signature verification failed: http://eddie.website/repository/apt stable InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Signing key on C181AC89FA667E317F423998513EFC94400D7698 is not bound: No binding signature at time 2025-01-14T13:07:46Z because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance because: SHA1 is not considered secure since 2026-02-01T00:00:00Z Error: The repository 'http://eddie.website/repository/apt stable InRelease' is not signed. Notice: Updating from such a repository can't be done securely, and is therefore disabled by default. Notice: See apt-secure(8) manpage for repository creation and user configuration details. This was caused by an outdated signing key certification used by the repository. Solution The repository signing key has been regenerated and the repository is now correctly signed again. To restore updates, please re-import the updated maintainer key: curl -fsSL https://eddie.website/repository/keys/eddie_maintainer_gpg.key | sudo tee /usr/share/keyrings/eddie.website-keyring.asc > /dev/null Then run: sudo apt update Sorry for the inconvenience, and thanks for your patience. Kind regards

Hello! Interesting thread indeed, thank you. Our position is close to the EFF position you can read here: https://www.eff.org/deeplinks/2025/08/no-uks-online-safety-act-doesnt-make-children-safer-online We will keep you informed. So far, you probably know well our approach with similar, lower or higher requests from Russia, China and a few other countries, and there's no plan at the moment to change our position. In general, we think that it is impossible that those persons who advance, propose or defend such dangerous laws in so called democracies are in good faith (except in peculiar cases where they suffer from some mental illness or carry a neurological deficit). They have an hidden agenda developed on the myth of pervasive control but more importantly fueled by monetary reward. Yes, that's a motivational reason, maybe almost as strong as monetary reward and votes. Moreover, there is a real possibility that such laws lead on the short run to an increase in support (and therefore votes) which, net of dissent, is positive, even though by tiny tenths of percentage which are anyway not negligible for an embarrassingly inept ruling class that's incapable of developing serious strategies to improve the life of teenagers and children. Their total failure is proven by the official data (England and Whales police records in this case) that show a dramatic rise of sexual offenses against children in the UK in the last 5 years in spite of (and someone could even argue because of) more and more laws allegedly thought to protect children. Where does this 0.1% come from? If you want to stay real please adjust this quota (since 2025, start multiplying that percentage by 250 to begin with). Furthermore, there's no money involved to use Tor, its usage is totally free and well beyond Ofcom abilities to control it. However, it's true that people may find it boring because it's like 10 times slower than a VPN with a decent infrastructure. It would indeed. However, we seriously doubt that the ramshackle British institutions, always short of funds, can surpass the GFW designers and maintainers in efficiency, competence and grandeur of operation. And note that the GFW is routinely bypassed nowadays by the most and least skilled to connect to a wide range of VPNs. Our aggregate data show that this claim is deeply incorrect, at least for AirVPN, if we consider p2p improper usage quantified by DMCA and other warnings. It's not the majority, on the contrary it is a tiny minority. Where does this assumption come from? We would like to assess official stats to compare them with what we gather on the field. Kind regards

Hello! Thanks, we are aware of the problem. Unfortunately the registrar does not allow to change this setting on the authoritative DNS. For a deliberate choice, airvpn.org is one of the very few domain names we operate for which we do not manage directly the metal behind our own authoritative servers. We will anyway remind the provider of the problem as we did in the past and we will consider whether it's appropriate moving the domain name for this problem. Kind regards

@Peter Laanstra Hello! There isn't (and there never was) any throttling policy at all on any AirVPN server. Please test directly from the host (no containers) to quickly discern whether the problem is GlueTun specific or not. Please test different torrent software as well as smaller WireGuard interface MTU (start testing from 1280 bytes). On GlueTun, FIREWALL_VPN_INPUT_PORTS environment variable must be set properly. The fact that you unset it sounds like an error: why do you say that you don't set it to avoid firewall conflicts? This environment variable is read by the container exactly for firewall rules. If the variable is empty, no unsolicited incoming packets will be allowed on tun0 (or any other VPN interface). Please feel free to elaborate. Kind regards

@rpoyner Hello and welcome aboard! We see the problem. First, please make sure you have downloaded Eddie notarized version exclusively from AirVPN web site. Then, you need to avoid app translocation by moving Eddie to the /Applications folder using the Finder app. Once the translocation doesn't take place anymore, please follow this message if any problem persists: https://airvpn.org/forums/topic/70745-eddie-cant-connect-to-any-server/?do=findComment&comment=249545 Kind regards

Hello! No need for MSS clamping when using WireGuard, just modify the MTU if necessary. Since MSS clamping 1. becomes necessary only when you can't modify MTU, 2. needs packet mangling (WireGuard does not expose any option for it) and 3. requires anyway a server side modification, just operate through MTU. (*) In OpenVPN (only when working over UDP), where networking management is a bit different, you can seriously consider the mssfix directive if you have any "fragmentation" problem that causes packet loss and poor performance. mssfix announces to TCP sessions running over the tunnel that they should limit their send packet sizes such that after OpenVPN has encapsulated them, the resulting UDP packet size that OpenVPN sends to its peer will not exceed max bytes. See also OpenVPN manual: https://openvpn.net/community-docs/community-articles/openvpn-2-6-manual.html In Eddie you can add custom directives for OpenVPN in "Preferences" > "OVPN Directives" window. (*) EDIT: there is a special case where MSS clamping becomes necessary with WireGuard too, although it is a consequence of bad PMTUD handling. If an intermediate link doesn’t correctly handle PMTUD (Path MTU Discovery), TCP packets larger than the tunnel MTU may be dropped, and the client will observe hanging connections or stalled downloads, possibly only for certain destination. In this case MSS clamping helps for sure. Kind regards

Hello! Yes, current DDoS / flood unfortunately. Kind regards

Hello! Yes. Server side it is 1420 bytes, so this is your upper limit too. Thus you can test up to 1420 bytes to find the MTU that can provide you with the best performance. Kind regards