AirVPN: The air to breathe the real Internet
Overview
AirVPN is an OpenVPN and WireGuard based VPN operated by activists in defense of net neutrality and privacy, and against censorship. This impenetrable tunnel prevents criminal organizations, your ISP or even your government from spying on your communications. AirVPN comes with industry-standard security features like 256-bit AES encryption, an advanced kill switch option (Network Lock), and a no-logs policy. It also offers perfect forward secrecy, split tunneling, full leak protection, and Tor support. AirVPN uses advanced OpenVPN (TCP and UDP) and WireGuard (faster than OpenVPN) protocols. AirVPN also provides protection against IPv6, DNS, and WebRTC leaks. AirVPN has a small network of 200+ servers in 22 countries, spread over 40 locations. Most of AirVPN’s servers are located in Europe and North America, as well as in Singapore and Japan. AirVPN allows 5 connections per account, offers affordable and flexible plans, and backs all purchases with a 30-day money-back guarantee.
AirVPN Client - Eddie
Eddie is a free and open source (GPLv3) OpenVPN and WireGuard wrapper with additional features like:
- User-friendly UI
- Multiplatform support: Windows, macOS, Android, GNU/Linux (with particular effort to support many distributions) with multiple architectures: x64, x86, armv7i, aarch64 (Raspberry)
- Censorship counter-measures, like tunnel over SSH, over SSL, direct Tor integration
- Network lock / leak prevention
- Advanced options for DNS, routing, events, leak etc.
- Customizable actions triggered by events
- CLI edition
Eddie is the official client of AirVPN. While Eddie is focused on simplicity of use and quick responsiveness, it also includes features that advanced users will appreciate, such as full control over OpenVPN directives, custom directives and custom routes. It is integrated with the AirVPN VPN service (required for some features, like tunnel over SSH/SSL), but can be used standalone with any OpenVPN or WireGuard provider (tick Preferences -> Advanced -> Multi provider to add other providers or even remove AirVPN).
Why AirVPN?
- No traffic limit. No time limit. Access to all of our exit-nodes.
- Five simultaneous connections per account.
- Unlimited and free server switches.
- High performance servers in many countries
- Optional block lists protecting you from ads, adware, trackers and malicious sources.
- No maximum speed limit, it depends only on the server load (see here). Minimum allocated granted bandwidth: 4 Mbit/s download + 4 Mbit/s upload.
- Every protocol is welcome, including p2p. Forwarded ports and DDNS to optimize your software.
- No personal information required. When you open an account, you are not forced to enter any personal data, not even a real e-mail address.
- Transparent policies on bandwidth allocation in order to give you an exact evaluation of the performance you can achieve: no overbooking, no overselling.
- We use OpenVPN and WireGuard to establish the connection between your computer and our servers. OpenVPN is the most reliable and secure solution for encrypted tunnels. Forget PPTP or other insecure protocols.
AirVPN offers OpenVPN on ports 80 TCP / UDP, 443 TCP / UDP and 53 TCP / UDP. Additionally, every Air server directly supports OpenVPN over SSH, OpenVPN over SSL and OpenVPN over Tor. This means that even the most brutal techniques of monitoring, censorship, throttling and traffic shaping will fail against AirVPN, because your ISP and your government will see only TCP or UDP traffic on a unique port.
- Fully compliant with the European Union legal framework protecting your privacy: Directive on Data Protection (95/46/EC), Directive concerning the processing of personal data and the protection of privacy (2002/58/EC) and General Data Protection Regulation (EU Regulation 2016/579)
- API - Application Programming Interface
- Help us cover our mission
FEATURES
Surf Anonymously
Protection against snoopers, data miners and privacy intrusive entities
- Hide your IP - Get a new IP address, so that nobody can discover your identity through it
- No monitoring nor logging of your online activities
- Perfect Forward Secrecy - Through Diffie-Hellman key exchange DHE. After the initial key negotiation, re-keying is performed every 60 minutes (this value can be lowered unilaterally by the client)
- Additional connection types, supported by every Air VPN server, for ISPs or countries disrupting OpenVPN, are OpenVPN over SSH, SSL or Tor
- Stay protected with the security offered by very strong encryption: 4096-bit DH and RSA key size, AES-256-GCM or CHACHA20-POLY1305 encryption cipher.
- Make it impossible to identify the type of traffic or protocol you are using, even for your ISP.
- Connect to any wireless network without risking data eavesdropping between your computer and the WiFi hotspot.
Defeat restrictions
Circumvent censorship, georestriction and traffic shaping.
- All protocols allowed - No discrimination toward any service, protocol or application.
- Internal VPN DNS based on root servers anti-ICE/ICANN censorship
- Port Forwarding / DDNS
- Without port forwarding, the performance of some applications, for example BitTorrent and eMule clients, would be severely impaired and the services on your computer would not be reachable from the Internet
ADDITIONAL FACTS ABOUT AIRVPN
- All AirVPN servers use RAM disks
All VPN servers use RAM disks. After a minimal bootstrap, which must bring up the TCP/IP stack, the network and the essential services to operate on the network, vital files (including secrets, configuration files and scripts) are downloaded into RAM over the network from selected storage, with strong authentication ensuring integrity. If a server reboots unexpectedly, the AirVPN management must confirm the authorization for the server to be re-admitted to the infrastructure, making it possible to understand the cause of the reboot and to verify whether the server has been tampered with before it comes back into operation.
- WireGuard availability
WireGuard has been available since 2022 (in beta testing since the last quarter of 2021) and it also includes pre-shared keys, just in case they are needed for a quick additional cipher deployment in an unlikely post-quantum world. The API has been improved to offer the option to re-generate keys on the fly, resolving the privacy problems posed by WireGuard.
- Ads, trackers, blocking lists availability
Blocking lists for ads, trackers etc. have been available since 2021. AirVPN's system is unrivalled by any VPN service, as you can configure it, add additional blocks or specific exceptions to lift blocks, and link different lists, additions and exceptions to different devices. The user can also query the API for the available list information. Note that the ad blocking system is opt-in by deliberate choice: by default the network must remain agnostic and neutral. Blocks are enforced only when explicitly wanted by the users.
- Additional connection modes
Additional connection modes include OpenVPN connecting through HTTP(S) and SOCKS proxies, OpenVPN over Tor (not available on Android), OpenVPN over previously established TLS and SSH tunnels (OpenVPN over stunnel and OpenVPN over SSH), OpenVPN TLS-Auth for backward compatibility, and OpenVPN TLS-Crypt for enhanced block bypassing.
AirVPN Protocols
AirVPN is an OpenVPN and WireGuard based VPN.
- WireGuard on different ports, with additional pre-shared keys
- OpenVPN in any TCP/UDP and TLS-Auth / TLS-Crypt combination on a wide range of ports, in addition to:
- OpenVPN over Tor
- OpenVPN over SSH
- OpenVPN over TLS (stunnel etc.)
- OpenVPN over HTTPS and SOCKS 4/5 proxy
AirVPN also provides protection against IPv6, DNS, and WebRTC leaks. With more advanced OpenVPN settings, Eddie Windows edition (v2.21.8) gives the user 60 different combinations of protocols and ports, including UDP, TCP, and (unusually) SSL or SSH to bypass VPN blocks. These come with text descriptions that guide the user on when to use each one ('if your ISP applies caps or blocks', standard entry IP, lower port ranges, etc.). There are two (2) WireGuard connections provided, which offer lightweight, efficient UDP connections.
AirVPN Servers
AirVPN has a small network of 200+ servers in 22 countries, spread over 40 locations. Most of AirVPN’s servers are located in Europe and North America, as well as in Singapore and Japan. Eddie displays the server load percentage, which measures how many active users are connected to a server (the lower the server load, the faster the connection speeds). These speed metrics help the user quickly pick servers that are likely to provide faster speeds, and torrenting is supported on all servers. The AirVPN site server link shows statistics of all AirVPN servers. Statistics are updated every 5 minutes. The Eddie client continuously pings each server of the VPN service and also ranks each server. Scores are computed on the following parameters: average ping/latency; average load; average users; recent disconnections or failed retries; known issues; ISP reliability.
Load colors (yellow, green and red).
Yellow means that, if possible, the user should pick a different server, because the load is getting high (if the user selects it, he can still have good performance, but not for long). Red means that the server is at capacity (high), so the user is advised to avoid it. Green servers are the better choices, as the load on these servers is not full. AirVPN usually recommends selecting the "least loaded server" among the first 5-6 servers with the lowest round trip time ("latency") from the user's node.
To better understand it, consider the example below.
As mentioned above, AirVPN usually recommends selecting the "least loaded server" among the first 5-6 servers with the lowest round trip time ("latency") from the user's node.
The 5-6 servers with the least load are:
1 - Mirfak - Frankfurt - Germany at 301 ms latency, 7% load
2 - Mesartim - Munich - Germany at 230 ms latency, 13% load
3 - Errai - Frankfurt - Germany at 287 ms latency, 14% load
4 - Markab - Prague - Czechia at 302 ms latency, 16% load
5 - Phact - Riga - Latvia at 238 ms latency, 18% load
6 - Alphrik - Alblasserdam - Netherlands at 188 ms latency, 18% load
The servers with the lowest round trip time (latency) are:
1 - Alphrik - Alblasserdam - Netherlands at 188 ms latency, 18% load
2 - Mesartim - Munich - Germany at 230 ms latency, 13% load
3 - Phact - Riga - Latvia at 238 ms latency, 18% load
4 - Errai - Frankfurt - Germany at 287 ms latency, 14% load
5 - Markab - Prague - Czechia at 302 ms latency, 16% load
6 - Mirfak - Frankfurt - Germany at 301 ms latency, 7% load
To simplify the selection, the user can change the "Scoring rule" of the servers to "Latency". This can be done with the "Scoring rule" toggle located at the bottom right of the "Servers" page (Preferences > Servers). It is then advised to sort the latency list so that the best 5 servers are on top. To sort the list, the user should click the "Latency" column header.
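The selection rule above ("least loaded among the lowest-latency few"), written out as an added example that is not part of Eddie or of the original page. It parses a copy-pasted server listing and applies the rule; the row format, the function names and the tie-break on latency are assumptions of this sketch.

```python
import re
from typing import List, NamedTuple


class Server(NamedTuple):
    name: str
    latency_ms: int
    load_pct: int


# The six servers quoted in the text (names, latency and load are the page's
# values). The separators vary on purpose, as they do in copy-pasted listings.
LISTING = """\
Mirfak - Frankfurt - Germany at 301 ms. latency, 7% load
Mesartim - Munich - Germany at 230 ms latency, 13% load
Errai Frankfurt - Germany at 287 ms. latency, 14% load
Markab Prague - Czechia at 302 ms. latency, 16% load
Phact Riga - Latvia at 238 ms. latency, 18% load
Alphrik Alblasserdam - Netherlands at 188 ms. latency, at 18% load
"""

# First word is the server name; then the first "<n> ms" and the "<n>% load".
ROW = re.compile(
    r"^(?P<name>\w+)\b.*?(?P<lat>\d+)\s*ms\.?\s+latency,\s*(?:at\s+)?"
    r"(?P<load>\d+)\s*%\s*load\s*$"
)


def parse_listing(text: str) -> List[Server]:
    """Parse one server per line; refuse rows that do not match the format."""
    servers = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROW.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised server row: {line!r}")
        servers.append(Server(m["name"], int(m["lat"]), int(m["load"])))
    return servers


def by_latency(servers: List[Server]) -> List[Server]:
    """Lowest round trip time first (what sorting the Latency column does)."""
    return sorted(servers, key=lambda s: (s.latency_ms, s.load_pct))


def pick_server(servers: List[Server], shortlist_size: int = 5) -> Server:
    """Least loaded server among the `shortlist_size` lowest-latency ones.

    Ties on load go to the lower latency (an assumption of this sketch).
    """
    if not servers or shortlist_size < 1:
        raise ValueError("need at least one server and a positive shortlist")
    shortlist = by_latency(servers)[:shortlist_size]
    return min(shortlist, key=lambda s: (s.load_pct, s.latency_ms))


if __name__ == "__main__":
    servers = parse_listing(LISTING)
    for n in (3, 5, 6):
        print(n, pick_server(servers, n))
```

The shortlist size matters: with the sample data a shortlist of three never sees the least loaded server, because that server ranks fifth on latency.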
See AirVPN Server graphical distribution and additional information HERE
Info on AirVPN Recommended Servers HERE
Eddie Windows edition 2.21.8 (Some additional info)
OpenVPN directives
The "prefer CHACHA20-POLY1305 data cipher if available" option is supported for both the OpenVPN and WireGuard protocols in AirVPN Windows Eddie-UI v2.21.8. If the user's CPU does not support AES-NI, the user may force CHACHA20-POLY1305 even in OpenVPN by checking the "prefer CHACHA20-POLY1305 data cipher if available" box. The user is assured of better performance with CHACHA20-POLY1305 if the CPU doesn't support the AES New Instructions (AES-NI), because it is lighter than AES-GCM.
The security of AES-256-GCM and CHACHA20-POLY1305 is considered equivalent, so the user can just pick one based on preference.
The base directives shown in Preferences > OpenVPN directives > Base directives are the directives which Eddie enforces by default. Of course, the user can modify these settings, but unless the user is at an intermediate or advanced level, AirVPN recommends using the default settings for the base directives.
More info on "CHACHA20-POLY1305" can be seen HERE
More info on "OpenVPN Directives" can be seen HERE
Routes (Split Tunneling)
A "route" is an entry in the routing table. The "Routes" option is meant for the user's own custom modifications to the routing table, for example to keep some traffic outside the tunnel. If a user wants traffic to and from a specific subnet to stay outside the VPN tunnel (routed through the ISP and not the VPN), this option is well suited to that need.
More info on "Routing" can be seen HERE
In Eddie Android edition you can split traffic on an application basis. You can define "white" and "black" lists of apps. If a black list is defined, the apps included in the black list will have their traffic routed outside the VPN. Any other app will have its traffic routed into the VPN. If you define a white list, only the apps in the white list will have their traffic routed inside. Any other device traffic will be routed outside the VPN. Traffic splitting will work both on WireGuard and on OpenVPN.
In Eddie Desktop edition for Linux, Mac and Windows you can split traffic on a destination basis (IP addresses, IP addresses range, or host names). You can tell Eddie to send the traffic outside the VPN tunnel only for specific destinations, or you can tell Eddie to send all the traffic outside the tunnel except for specific destinations. Traffic splitting will work both on WireGuard and OpenVPN.
Note: The next build of Eddie Desktop edition for Windows will soon have the same whitelist / blacklist filtering as the Android version.
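To make the two destination-based modes of the desktop edition concrete, here is an added example (not Eddie's code and not from the original page) that decides, for a given destination, whether traffic stays inside or goes outside the tunnel. The class, the entry syntax for ranges and the constructed resolver table are assumptions; all addresses are documentation ranges.

```python
import ipaddress

INSIDE, OUTSIDE = "inside tunnel", "outside tunnel"

# Constructed name table standing in for DNS so the example runs offline.
HOSTS = {"printer.example": ["203.0.113.5"]}


def resolve_constructed(host):
    return HOSTS[host]


def expand_entry(entry, resolve):
    """Turn one list entry into networks.

    Accepts a single IP, a CIDR block, a "first-last" range or a host name.
    """
    entry = entry.strip()
    try:
        return [ipaddress.ip_network(entry, strict=False)]
    except ValueError:
        pass
    first, sep, last = entry.partition("-")
    if sep:
        try:
            lo = ipaddress.ip_address(first.strip())
            hi = ipaddress.ip_address(last.strip())
        except ValueError:
            pass  # not an address range, so treat it as a host name
        else:
            return list(ipaddress.summarize_address_range(lo, hi))
    # Assumption: names are resolved once, when the policy is built.
    return [ipaddress.ip_network(addr) for addr in resolve(entry)]


class SplitPolicy:
    """`listed_go` is where listed destinations are sent; the rest goes
    the other way."""

    def __init__(self, listed_go, entries, resolve=resolve_constructed):
        if listed_go not in (INSIDE, OUTSIDE):
            raise ValueError("listed_go must be INSIDE or OUTSIDE")
        self.listed_go = listed_go
        self.default = INSIDE if listed_go == OUTSIDE else OUTSIDE
        self.networks = [n for e in entries for n in expand_entry(e, resolve)]

    def route(self, destination):
        ip = ipaddress.ip_address(destination)
        # An IPv6 address never matches an IPv4 network (and vice versa),
        # so it always falls through to the default.
        listed = any(ip in net for net in self.networks)
        return self.listed_go if listed else self.default


ENTRIES = ["192.0.2.0/24", "198.51.100.10-198.51.100.20", "printer.example"]

# Mode 1: only the listed destinations leave the tunnel.
only_listed_outside = SplitPolicy(OUTSIDE, ENTRIES)
# Mode 2: everything leaves the tunnel except the listed destinations.
only_listed_inside = SplitPolicy(INSIDE, ENTRIES)

if __name__ == "__main__":
    for dst in ("192.0.2.77", "198.51.100.21", "203.0.113.5", "2001:db8::1"):
        print(dst, only_listed_outside.route(dst), only_listed_inside.route(dst))
```

In the second mode every destination that is not listed, including all IPv6 destinations when only IPv4 entries are given, is sent outside the VPN, so that list deserves the closer review.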
Sending system report to AirVPN
If the user encounters any issues whatsoever, he is encouraged to send a system report to AirVPN.
AirVPN forums has a topic for such HERE
Copying / saving the AirVPN configuration file
The user can copy the configuration file of the Eddie settings. Users can check HERE for the data path, and HERE for the "profiles".
Wintun driver in Eddie-UI v2.21.8
In Eddie-UI version 2.20.0 the "wintun driver" can be set in Preferences > Advanced. In version 2.21.8 the "wintun driver" has become the default setting and the TAP driver has been deprecated. Compared to the TAP driver, the wintun driver is a faster and more reliable driver for the virtual network interfaces on Windows. An option to force usage of the "old" TAP driver is provided via a checkbox if the user wishes to use it.
Network Lock and Leak testing
Network lock is a feature that prevents IPv4/IPv6 communications when your system is not connected to an AirVPN server. Its main purpose is preventing IPv4/IPv6 leaks under any circumstance, including unexpected VPN disconnection, but not limited to it. Traffic leaks can arise not only after an unexpected disconnection from the VPN, but even because of wrong binding in software settings. Network Lock prevents leaks of any kind.
The AirVPN "Network Lock" is based on strict firewall rules, unlike several so-called "kill switches" and VPN check monitoring processes (which don't do anything while the connection is on and become totally useless if they crash).
With the strict firewall-based rules of "Network Lock", the protection against leaks is active even when the connection is detected as "on" (regardless of whether it is really "on" or not), even if Eddie stops working, and even if the user accidentally misconfigures a listening service by binding it to a physical network card. If Eddie/OpenVPN/WireGuard stops unexpectedly, leak prevention is assured because of the strict firewall rules of the Network Lock.
To test leak prevention, the user can kill Eddie (simulating a crash) via Task Manager and check whether his "real IP" is shown on ipleaktest.net (or any leak test site).
AirVPN_Network Lock Demo
AirVPN_Kill Eddie_Client_Network Lock Demo
Torrent client leak test
In ipleak.net there is a torrent client test that can be used to check whether the user's real IP is shown. To test the torrent program (in this case, qBittorrent Portable), a magnet link provided by ipleak.net should be imported into the torrent software (remember to start the torrent software after your system has already connected to the VPN). Once the magnet link is imported, the web site will (in a few seconds) detect and show the IP address advertised by the torrent software, which must NOT be your real IP address (refresh the page if necessary). Kindly see the attached videos below.
AirVPN_Torrent_Client Misconfigured LeakTest
A further test can be done by misconfiguring the torrent client to force traffic to flow "outside" the AirVPN client. qBittorrent has a feature called “Bind to Network Interface” which forces the client to use only the selected network adapter. To do this, go to Tools -> Options -> Advanced. Under Network interface, select your physical network interface and click Apply; under Optional IP to bind to, select your real IP address and click Apply.
NOTE: The user should exercise caution now, because qBittorrent is specifically misconfigured to force traffic leaks outside the VPN tunnel.
To apply the misconfiguration, shut down qBittorrent, start the AirVPN Eddie client for Windows and enable Network Lock. Connect to some VPN server, and finally run qBittorrent. Verify that there are no leaks by repeating the "Torrent Address Detection" test of ipleak.net.
To reset the correct settings for qBittorrent, reverse the previous operation (or bind qBittorrent to the VPN network interface for an additional safety layer). "Binding" the torrent client (qBittorrent) to the VPN network interface (Eddie) ensures that all torrent client traffic will flow always "inside" the VPN client. AirVPN client with Network Lock enabled will ensure that there is no IP leak. Kindly see attached videos below.
Note: As in the torrent leaktest, the user's real IP address should not be reflected in ipleak.net.
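The argument made above for firewall-based locking, and the qBittorrent binding test, can be followed with a small model. This is an added example, not Eddie's actual rule set and not code from the original page: the interface names, addresses and the three accept rules are assumptions chosen to show first-match, default-drop egress filtering next to a watchdog-style kill switch.

```python
import ipaddress
from typing import NamedTuple, Optional

TUNNEL_IF, PHYSICAL_IF = "tun0", "eth0"   # hypothetical interface names
VPN_ENTRY = "203.0.113.10"                # constructed VPN server entry address
TRACKER = "198.51.100.7"                  # constructed Internet destination


class Rule(NamedTuple):
    iface: Optional[str]   # None matches any interface
    dst: Optional[str]     # CIDR block; None matches any destination
    action: str            # "accept" or "drop"


# Egress rules in the spirit of a firewall-based lock: first match wins and
# whatever matches nothing is dropped. They live in the OS firewall, so they
# do not depend on the VPN client process being alive.
LOCK_RULES = [
    Rule("lo", None, "accept"),                       # local sockets
    Rule(TUNNEL_IF, None, "accept"),                  # traffic inside the tunnel
    Rule(PHYSICAL_IF, VPN_ENTRY + "/32", "accept"),   # the encrypted tunnel itself
]


def firewall_verdict(iface, dst, rules=LOCK_RULES, default="drop"):
    ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.iface not in (None, iface):
            continue
        if rule.dst is not None and ip not in ipaddress.ip_network(rule.dst):
            continue
        return rule.action
    return default


def monitor_verdict(iface, dst, monitor_running, vpn_detected_up):
    """Watchdog-style kill switch: it cuts traffic only while it is running
    and has noticed that the VPN is down."""
    if monitor_running and not vpn_detected_up:
        return "drop"
    return "accept"


SCENARIOS = {
    "normal": dict(iface=TUNNEL_IF, dst=TRACKER,
                   monitor_running=True, vpn_detected_up=True),
    "vpn_link": dict(iface=PHYSICAL_IF, dst=VPN_ENTRY,
                     monitor_running=True, vpn_detected_up=True),
    "vpn_drop_noticed": dict(iface=PHYSICAL_IF, dst=TRACKER,
                             monitor_running=True, vpn_detected_up=False),
    # Client and watchdog both gone; traffic falls back to the physical NIC.
    "client_crash": dict(iface=PHYSICAL_IF, dst=TRACKER,
                         monitor_running=False, vpn_detected_up=False),
    # VPN is up, but the torrent client is bound to the physical NIC.
    "app_bound_to_nic": dict(iface=PHYSICAL_IF, dst=TRACKER,
                             monitor_running=True, vpn_detected_up=True),
    "ipv6_on_nic": dict(iface=PHYSICAL_IF, dst="2001:db8::7",
                        monitor_running=True, vpn_detected_up=True),
}


def compare():
    """Map scenario name -> (firewall lock verdict, watchdog verdict)."""
    return {
        name: (firewall_verdict(s["iface"], s["dst"]), monitor_verdict(**s))
        for name, s in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:18} firewall={verdicts[0]:6} watchdog={verdicts[1]}")
```

The rows where the two verdicts differ are exactly the cases the text describes: a crashed client, a connection wrongly detected as "on" while an application is bound to the physical interface, and IPv6 on the physical interface.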
AirVPN anti geo-blocking routing system
Some websites may be censored by ISPs with DNS tricks. AirVPN uses internal neutral DNS, so websites may be unlocked without need to be listed here. However, it might occur that websites either discriminate contents on a country origin request basis or they are censored by ISPs.
For the supported website, a double-hop with our routing servers is performed. See HERE. The user can set his DNS preference in the AirVPN client area HERE. Note: Login is required.
More info HERE
For additional info / or an overview of Eddie desktop edition see HERE
Latest stable version of AirVPN Eddie Client (Windows Edition) is version 2.21.8 (26 May 2022)
WHAT'S NEW in Eddie client version 2.21.8 (26 May 2022) STABLE
- [bugfix] [windows] "Network interface no more available" in some situation
- [change] [linux/macOS] Hummingbird available also in High Sierra
- [change] [linux] eddie-tray updated to GTK3 (cleaning dependencies issue)
- [bugfix] [all] Minor bugfixes
WHAT'S NEW in Eddie client (Windows Edition) version 2.22.2 (25 Oct 2022) EXPERIMENTAL / NOT STABLE
- [bugfix] [linux/macOS] Race condition in ping-request (thx to @cmaves)
- [bugfix] [windows] VirtualStore path issue on 32bit
- [bugfix] [all] Minor fixes
- [new] [all] Option to skip network-lock confirmation
The complete changelog page of Eddie client is HERE.
Eddie 3.0 for Android preview features WireGuard full integration with AirVPN, a thorough improvement on network management to provide additional robustness on network switching and re-connections, an exclusive option to access local network even when connecting over WireGuard and a dark theme. When compared with OpenVPN3-AirVPN library or OpenVPN3 and on agnostic networks, performance is remarkably higher and battery life is approximately 15-20% longer, even when the throughput is slightly higher. Users can download Eddie Android 3.0 APK directly from our repository or from the Google Play Store. See HERE
If the user runs Android 8 or a higher version, AirVPN strongly recommends activating Always on VPN and Block connection without VPN (aka VPN Lock) from the Android advanced per-app VPN settings. That's the most secure method to prevent traffic leaks in various circumstances. For users who run Android 7 or older versions and set Eddie to connect through WireGuard, a best effort is made to prevent leaks, but it may not be as effective as the settings mentioned for Android 8 and higher versions.
Finally, all users should keep in mind that Android TV has had the Always On VPN feature amputated; therefore starting Eddie and connecting at bootstrap are not possible on Android TV 10 and higher versions. Older versions can still run Eddie during the bootstrap and have it connected. Furthermore, totally effective leak prevention is hindered when you use WireGuard on Android TV, although Eddie will always make a best effort to prevent leaks.
MAIN FEATURES
- Free and open source OpenVPN and WireGuard GUI
- Complete WireGuard and OpenVPN support with full integration with AirVPN infrastructure
- WireGuard networking management to allow quick re-connections even when WireGuard would remain stuck after a failure. No more "forever stuck wg client" haunting users running the Android WireGuard client.
- Linked against the new OpenVPN-AirVPN 3.8.2 library
- Dark theme support and option to switch to dark, light or system default theme
- Improved VPN profile management
- Full compatibility with Android 5.1 up to 13 and Android TV 5.1 and higher versions.
- VPN profile export both to internal database and external file or app
- ChaCha20-Poly1305, AES-CBC and AES-GCM support on both OpenVPN Control and Data channel
- Battery-conscious application
- Low RAM footprint
- Ergonomic and friendly interface
- Ability to start and connect during device startup according to a priority list which includes automatic choice, your defined country and your defined AirVPN server
- Option to define which apps must have traffic inside or outside the VPN tunnel through white and black list
- Localization in simplified and traditional Chinese, Danish, English, French, German, Italian, Portuguese, Russian, Spanish, Turkish
- Enhanced security thanks to locally stored encrypted data through optional master password
- Quick one-tap connection and smart, fully automated server selection
- Smart server selection with custom settings.
- Manual server selection
- Smart attempts to bypass OpenVPN blocks featuring protocol and server fail-over
- Full Android TV compatibility including D-Pad support. Mouse emulation is not required.
- Enhancements aimed at increasing accessibility and comfort to visually impaired persons
- AirVPN servers sorting options
- Customizable "Default", "Favorite" and "Forbidden" servers and countries
- OpenVPN mimetype support to import profiles from external applications
- Support for custom bootstrap servers
- AirVPN broadcast messages support
- The app is aware of concurrent VPN use. In case another app is granted VPN access, Eddie acts accordingly and releases VPN resources
- Optional local networks access. In such case, local network devices are exempted from the VPN and can be accessed within the local devices
- Localization override. User can choose the default language and localization from one of the available ones
- Favorite and forbidden lists can be emptied with a single tap
- Ability to directly select an AirVPN area (country, continent, planet) to connect to
- VPN re-connection in case of unexpected OpenVPN disconnection. (It requires VPN Lock to be disabled)
Eddie Android edition 3.0 (Some additional info)
AirVPN Server selection
Unlike Eddie Windows edition, Eddie Android edition does NOT use ping. Instead, it uses a different system to select the "best" server. First, it tries to determine the location of the user. Then it consults a chart of "best routes" from country to country, excluding the home country.
For example, if a user is in the Netherlands, Eddie will try to connect to the countries with the best routing from the Netherlands, except the Netherlands. An option is available to allow Eddie to connect to the home country (the "golden rule" claims that for security reasons a foreign country should be preferred).
To simplify the user's ideal server selection, the user can just check the lowest percentage (shown as a pie-chart) and the lowest round trip time (latency in xxMbit/s). See image below.
The given example shows the Sweden servers. The "ideal servers" shown are:
Sweden, Albali, Uppsala with 16 Mbit/s lowest round trip time (latency) with 1% of 1Gbit/s load usage
Sweden, Algieba, Uppsala with 16 Mbit/s lowest round trip time (latency) with 1% of 1Gbit/s load usage
Sweden, Alrami, Uppsala with 21 Mbit/s lowest round trip time (latency) with 2% of 1Gbit/s load usage
Sweden, Altarf, Uppsala with 23 Mbit/s lowest round trip time (latency) with 2% of 1Gbit/s load usage
The Switzerland servers are shown to contrast them with the ideal servers of Sweden (not ideal and nearing full load capacity).
Switzerland, Achird, Zurich with 500 Mbit/s round trip time (latency) with 50% of 1Gbit/s load usage
Switzerland, Hamal, Zurich with 1 Gbit/s round trip time (latency) with 107% of 1Gbit/s load usage
VPN Profile
A profile is useful if the user wants Eddie to bypass any internal configuration and send the profile settings to OpenVPN. This comes in very handy when there is a need to connect Eddie to a third-party VPN. In general, since Eddie is well integrated with AirVPN, the user doesn't need a profile to connect to AirVPN servers (but he can use one if he chooses). A profile file contains OpenVPN/WireGuard directives (settings and configuration), certificates and keys. The number of profiles is limited only by the device memory. The user can switch profiles on the go. Both WireGuard and OpenVPN use profiles, and they are generated by our Configuration Generator (or a similar service of another VPN). OpenVPN and WireGuard profiles are mutually incompatible, of course. Eddie is able to generate (and even export) profiles both for WireGuard and OpenVPN. It's a useful feature when you want to have a profile for some other machine which cannot run Eddie. Go to the servers view and long-tap (i.e. push and keep pressed until a contextual menu appears) the server or the country you wish to generate a profile for, and select the proper menu item. NOTE: Eddie must have the authorization to write files in your device storage directory, of course. The configuration file will be generated in accordance with the current overall settings of the app.
Default OpenVPN Protocol
As we all know (and have experienced) TCP is slower but when UDP is blocked then TCP is the only way to bypass the block. User should always try UDP first, and switch to TCP only when UDP is blocked or heavily shaped (so it becomes too slow). TCP is supported only by OpenVPN and not by WireGuard. Eddie Android version 2.4 did not support WireGuard. WireGuard can work only in UDP. It is difficult to say whether WireGuard, or UDP, or both are somehow capped by the user's ISP. User should test it from time to time. Note that traffic shaping might be enforced only on specific peak times, making the observation more difficult. Thus, the procedure to switch to OpenVPN UDP, then OpenVPN TCP, and check whether differences arise is good. In this way the user can methodically discern whether there's some specific action against some specific software or protocol.
OpenVPN TLS Mode
TLS 1.2 is very robust and secure, thus TLS 1.2 is to be preferred, as it offers more features and security than the previous versions (Settings > VPN > Minimum TLS version). There is no correlation between the TLS pre-authorization mode and torrenting or any other activity. The TLS 1.2 setting applies to OpenVPN only: WireGuard uses its own procedure, which is very secure and cannot be modified by design.
On the "Default OpenVPN TLS Mode" (Settings > AirVPN >), both TLS-Auth and TLS-Crypt are mutually exclusive connection modes of OpenVPN. AirVPN recommends TLS-Crypt as it is more advanced. It encrypts the whole Control Channel starting from the handshake, so OpenVPN fingerprint will not be detected by DPI. Therefore, TLS-Crypt is useful to bypass blocks against OpenVPN. The app keeps TLS-Auth available just in case the user wants to use the app with some third-party VPN which does not support TLS-Crypt, and therefore TLS-Auth would become mandatory. For additional information on this, kindly see here: https://build.openvpn.net/doxygen/group_...crypt.html (jump to "detailed description").
Encryption algorithm
AirVPN advises selecting CHACHA20-POLY1305 on an Android device, because many devices do not support the AES New Instructions, so AES-GCM will be slower than CHACHA20 (WireGuard does not support AES-GCM, so the question does not arise with WireGuard). CHACHA20-POLY1305 and AES-256-GCM are considered equivalent from a security point of view. The "OpenVPN Encryption algorithm" setting is only for OpenVPN. WireGuard is minimal and very rudimentary. It lacks even basic features. On the other hand, it's fast and requires less RAM and code maintenance. The transport protocol is the protocol used to wrap and transport packets once they are encrypted. With WireGuard it's UDP, with OpenVPN it's either UDP or TCP.
Split Tunneling
In Eddie Android edition you have the option to define lists of apps whose traffic must go inside or outside the VPN tunnel (so called "traffic splitting on an application basis"). If the user defines an "exclude list", traffic of the listed apps will flow outside the VPN tunnel, while traffic of anything else will flow inside the tunnel. Conversely, if the user defines an "include/white list", traffic of the apps in the include list will be tunnelled (inside the VPN tunnel), while ANYTHING ELSE will flow outside the tunnel.
Again, user can define "white" and "black" lists of apps. If a "black list" is defined, the apps included in the black list will have their traffic routed outside the VPN. Any other app will have its traffic routed into/inside the VPN. If user chooses to define a "white list", only the apps included in the white list will have their traffic routed inside the VPN tunnel. Any other device traffic will be routed outside the VPN. Traffic splitting will work both on WireGuard and on OpenVPN.
Forwarded Ports
The user can "link" a remotely forwarded port to all devices (the port will be forwarded to each connected device) or to a specific device (port will be forwarded only to the specified device). The user can modify these settings in the port panel, on the "Device" combo box.
The image above is an example. Port 6954 is forwarded to all devices, while the other ports are forwarded only to those devices which use the specified "device" certificate/key with the label "Linux p2p" and the other ones. Forwarded ports are an infrastructure setup. They are therefore available regardless of the protocol the user prefers. The user can have remote port forwarding both with WireGuard and OpenVPN. Eddie Android edition actually connects via WireGuard by default. The user can switch to OpenVPN simply by tapping the WireGuard icon on the main view or on the server view.
Forwarding remote inbound ports for P2P is important to improve performance and to make the torrent software capable of seeding once it has the whole file. Without remote port forwarding the software would not be connectable from the Internet, and therefore once the download has finished no seeding would be possible. This is due to how the BitTorrent protocol works. If a user does not want forwarded ports, he can simply delete them from his AirVPN account ports control panel. If the user chooses to have forwarded ports "only" for his Android device, he needs to make sure that the Android device uses a specific "device" (client key) and set the port option to that device by selecting the proper device name in the "Device" combo box of the port.
How can I optimize performance of eMule and BitTorrent with AirVPN?
AirVPN allows p2p, as well as any other protocol. AirVPN does not discriminate against any protocol. Currently p2p is a set of the most efficient protocols to share and access information on the Internet.
To obtain the best performance with a BitTorrent client or an eMule client, the user should log in to his account on airvpn.org and remotely forward a port from the menu "Client Area"->"Forwarded ports". The user should select a port (or let the system choose an available one for him) and select "TCP & UDP". (Note: Remember the port number.)
The user should then configure the "Port used for incoming connections" (also called "Listening port") in his BitTorrent client so that it matches the port number he has just forwarded remotely. On eMule, go to "Options"->"Connection" tab. Write in both fields of "Client ports" the number of the port that you have forwarded. Disable UPnP, NAT-PMP and any other automatic port mapping feature, since these can modify the listening port and force the p2p program to bind to the physical network interface.
Note: If you run uTorrent or any other software with bandwidth management, make sure to disable such management.
With these settings the user's clients will be able to accept incoming connections from the Internet, enhancing performance in several cases and making initial seeding possible. This procedure needs to be performed only once, as long as the user doesn't wish to change the port(s) on his torrent clients. On BitTorrent clients, the user should make sure to disable the option to pick random ports at every startup.
If the user forwards a port for a p2p torrent client, he should NOT remap it to a different local port, and he should make sure that the torrent client port matches the remotely forwarded port number. Otherwise his torrent client will report the wrong port to trackers (if used) and DHT, because torrent clients report the port number configured in them. As a result, the user will get no incoming packets from the swarm and the torrent client's network status token will remain yellow.
IMPORTANT: The user should NOT forward on his router the same ports he uses on his BitTorrent or eMule client (or any other listening service) while connected to the VPN. Doing so exposes his system to correlation attacks and potentially causes unencrypted packets to be sent outside the tunnel from the torrent client. He should make sure that "NETWORK LOCK" is enabled, as it will prevent any possible traffic leak outside the VPN tunnel, including leaks caused by bad torrent program configuration and leaks caused by unexpected VPN disconnections.
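A check for the configuration described above, added here as an example and not part of Eddie or AirVPN's own tooling: it reads Linux `ss -H -tuln` output and reports when the p2p client is not listening on the forwarded port over both TCP and UDP, or is bound to an address other than the tunnel's. The tunnel address 10.128.0.2, the LAN address and the socket lines are constructed for illustration; 6954 is the port from the example above.

```python
import ipaddress

# Constructed `ss -H -tuln` output (Linux), not captured from a real host.
SAMPLE_SS = """\
tcp LISTEN 0 128 10.128.0.2:6954 0.0.0.0:*
udp UNCONN 0 0 192.168.1.23:6954 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:51413 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:631 0.0.0.0:*
udp UNCONN 0 0 [fe80::1c2f:aaff:fe00:1]%wlan0:546 [::]:*
"""

def parse_listeners(ss_output):
    """Return (proto, address, port) for every socket line in the ss output."""
    sockets = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or truncated line
        host, _, port = fields[4].rpartition(":")
        # ss prints "*" for a dual-stack wildcard, "[addr]" for IPv6, "%iface" for scopes
        if host == "*":
            host = "::"
        host = host.replace("[", "").replace("]", "").split("%")[0]
        sockets.append((fields[0], ipaddress.ip_address(host), int(port)))
    return sockets

def audit_forwarded_port(ss_output, forwarded_port, tunnel_ip):
    """Check that the client listens on the forwarded port, on the tunnel address only."""
    tunnel = ipaddress.ip_address(tunnel_ip)
    listeners = [s for s in parse_listeners(ss_output) if s[2] == forwarded_port]
    findings = []
    for proto in ("tcp", "udp"):  # the port was forwarded as "TCP & UDP"
        addrs = [addr for p, addr, _ in listeners if p == proto]
        if not addrs:
            findings.append(f"{proto}/{forwarded_port}: no listener, client port "
                            "does not match the forwarded port")
        for addr in addrs:
            if addr == tunnel:
                continue  # bound to the VPN tunnel address: expected
            if addr.is_unspecified:
                findings.append(f"{proto}/{forwarded_port}: wildcard bind, "
                                "also reachable on the physical interface")
            else:
                findings.append(f"{proto}/{forwarded_port}: bound to {addr}, "
                                "not the tunnel address")
    return findings

if __name__ == "__main__":
    for finding in audit_forwarded_port(SAMPLE_SS, 6954, "10.128.0.2"):
        print(finding)
```

An empty result means both the TCP and UDP listeners sit on the tunnel address; any finding points at a client setting to correct before relying on the forwarded port.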
VPN Lock and Leaktesting
VPN Lock is the Eddie Android edition 3.0 version of "Network Lock". As in the Windows version, this feature prevents IPv4/IPv6 communications when your system is not connected to an AirVPN server. Its main purpose is preventing IPv4/IPv6 leaks under any circumstance, including unexpected VPN disconnection, but not limited to it. Traffic leaks can arise not only after an unexpected disconnection from the VPN, but also because of wrong binding in software settings. Network Lock prevents leaks of any kind. The AirVPN "VPN Lock" is based on strict firewall rules, unlike several so-called "kill switches" and VPN check monitoring processes (which don't do anything while the connection is on and become totally useless if they crash).
The Android system settings are more flexible (but only available on Android 8 and higher versions) because they allow re-connections without leaks, while AirVPN's "VPN Lock" prevents re-connections to prevent leaks.
Torrent Client Leaktest
Just like in Eddie Windows edition, the user can also perform a torrent leaktest. To test the Android torrent program, in this case "Fud", add the "magnet link" provided by ipleak.net. (Remember to start the torrent software after your system has already connected to the VPN.) Once the magnet link is imported in the torrent software, within a few seconds the web site will detect and show the IP address advertised by the torrent software, which must NOT be your real IP address. (Refresh the page if necessary.) The key part in this phase is that the real IP address of the user must never be displayed. If the user sees his "real" IP address anywhere, something is wrong.
Latest stable version of AirVPN Eddie Client for Android is version 3.0 (30-Nov-2022)
- [NEW] Full WireGuard integration with AirVPN
- [NEW] Improved network change management
- [NEW] Optional access to local network even when connecting over WireGuard (local network tunneling exemption)
- [NEW] Dark theme
- [NEW] Revamped quick connection algorithm
- [NEW] One-tap pre-connection switch from WireGuard to OpenVPN 3 and vice-versa
- [NEW] Easy system report (log and logcat) one-tap generation and delivery to our servers
- [NEW] Ability to connect to any service via WireGuard and OpenVPN profiles
- [NEW] OpenVPN3-AirVPN 3.8.2 library linked against OpenSSL 1.1.1r
- Bug fixes and general architectural improvements
- An updated version is soon to come out! STAY TUNED!
AirVPN Pricing Plans
PERTINENT LINKS