Douglas Crawford

February 10, 2016

I will begin this article by saying that, having used it as my personal VPN for about two years, I am AirVPN's biggest fan. This Italian VPN provider, which can boast of having been created by "hacktivists and activists", is the one among its competitors that cares most about protecting its users' privacy. It also uses excellent encryption and security, and offers extremely effective privacy features such as "VPN over SSL" and "VPN through Tor". In my experience, AirVPN is also the fastest and most stable VPN service I have used. And yet…

BestVPN's analytics show that despite a high sign-up rate for AirVPN, most users choose not to renew their subscription. It therefore seems that a large number of people have tried the service but did not like it. I cannot argue with the numbers, and I am keeping them in mind as I write this article.

Pricing and plans

AirVPN costs €7 (about $8) per month, with the usual discounts for bulk purchases, bringing the price to €4.50 (about $5) with an annual subscription. You can try it free for three days on written request or, if you are the impatient type, you can subscribe for three days for €1.

All plans give full access to AirVPN's features, which makes AirVPN a relatively inexpensive option compared with most competing services.

AirVPN accepts payment via PayPal and a very wide range of other payment providers, which means that users living in parts of the world without access to international payments should have no trouble subscribing. AirVPN also accepts payment in Bitcoin and every other cryptocurrency imaginable.

Conclusion

What I liked

  • No logs
  • Strong encryption (including PFS)
  • Open source client with DNS leak protection, kill switch and protection against WebRTC "bugs"
  • VPN through Tor
  • SSL and SSH tunneling
  • Port forwarding
  • Bitcoin and other cryptocurrencies accepted
  • DNS routing to get around VPN blocks
  • Three-day free trial
  • Fast and stable
  • Three simultaneous connections
  • The website holds a fantastic amount of information about VPN technology
  • P2P: yes

What I had mixed feelings about

  • The service offers few server locations
  • Italy is not an ideal location

What I hated

  • The whole service is aimed at users with very in-depth knowledge of VPN configuration

Features

AirVPN is based in Italy and offers servers in 15 countries, most of them in Europe, with the exception of the United States, Canada and Hong Kong. That is fairly few compared with other providers, but most of the popular locations are covered.

AirVPN supports only the OpenVPN protocol, and considers PPTP and L2TP/IPsec not secure enough (the jury is still out on IPsec, but OpenVPN is extremely secure and is generally considered the best VPN protocol available for commercial use). Since all the major platforms support OpenVPN (with the exception of BlackBerry and Windows Mobile), this will not be a problem for most users.

Users are allowed up to 3 simultaneous connections (perfect for connecting your PC, phone, and tablet all at once).

DNS routing

With streaming platforms increasingly preventing users from getting around their geographic restrictions with VPNs and other geo-spoofing technologies, AirVPN's "double-hop" DNS routing system, which connects through internal servers to bypass these restrictions, is welcome.

This means that even when connected to VPN servers located outside the United States and the United Kingdom, I can access services such as Hulu and BBC iPlayer (there is no need even to connect to a VPN server in the country where the geo-restricted service is located!). In practice I find that this system works fairly well… but not always. In those cases, simply connecting to a server located in the relevant country has always worked for me.

I should also note that when visiting Netflix.com I have always been redirected to a local version of the site (based on the IP address of my VPN server).

VPN through Tor

Along with BolehVPN, AirVPN is to my knowledge the only VPN service offering VPN through Tor, which lets you connect first to the Tor network and then to AirVPN. When you also use an anonymous payment method, AirVPN cannot identify you and cannot see your real IP address.

VPN through Tor provides a very high level of anonymity, which is usually impossible with a VPN. It is therefore usually considered the best way of combining the privacy benefits of VPN and Tor, although it should be remembered that AirVPN is a fixed point in the chain that could potentially be compromised.

AirVPN also provides instructions for using the Tor Browser to best configure Tor through VPN (which is much more secure than the "transparent bridge" Tor through VPN feature offered by some providers). See the discussion of this in 5 Best VPNs when using Tor.

Alternative ports, SSL and SSH tunneling

VPN blocking is rare, but it can happen in countries such as China and Iran (although it is mostly only partially effective). AirVPN lets you counter such measures by running OpenVPN traffic over port 443, which is the port used by regular SSL traffic (the encryption standard used all over the internet to secure websites and online services).

This makes OpenVPN traffic look like regular SSL traffic, which hides it and makes it very difficult to block (because blocking it would break the internet!)

The client makes it easy to change the port settings. In addition to TCP port 443, you can get around restrictions by choosing from a wide variety of ports that are very unlikely to be blocked.

A highly motivated adversary can, however, use deep packet inspection (DPI) to work out that VPN protocols are in use (and countries such as China do not hesitate to restrict users' internet access!)

AirVPN's answer is to let users wrap their OpenVPN-encrypted data inside an additional layer of encryption (SSL or SSH). This should defeat just about any method used to detect VPN use (the NSA is probably able to decrypt the older SSH protocol, so I recommend SSH tunneling where needed).

SSL and SSH tunneling should be more than enough to defeat the Great Firewall of China, but remember that both require more processing power for the extra layer of encryption, which will slow down your internet connection.

Remote port forwarding is also offered to users who need up to 20 ports for incoming connections, which is handy for self-hosted websites and online game servers.

Security and privacy

As the table shows, AirVPN uses very strong encryption.*

OpenVPN Encryption

  • Cipher: AES-256
  • Data Auth: HMAC SHA1
  • Handshake: RSA-4096
  • Control Auth: HMAC SHA384
  • Forward Secrecy: DHE-4096

Logs & Legal

  • Connection: None
  • Traffic: None
  • Country: Ok

It almost goes without saying that AirVPN keeps no logs and uses shared IP addresses, and that it is one of the few VPN services to use PFS.
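To check an OpenVPN client profile against the cipher, data auth and forward secrecy rows of the table, the following added example (not AirVPN's or the author's code) summarises the relevant directives. The sample profile, its host name and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise the directives in an OpenVPN client profile that
# correspond to the Cipher / Data Auth / Forward Secrecy rows of the table.
# The RSA key size and DH group size are properties of the server's
# certificate and DH parameters, so they cannot be read from these directives.

# CONSTRUCTED sample profile (not a real provider file; host is a placeholder).
sample_profile() {
  cat <<'EOF'
# constructed sample
client
dev tun
proto tcp
remote vpn.example.net 443
cipher AES-256-CBC
auth SHA1
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
EOF
}

# ovpn_summary: profile on stdin, one key=value line per finding on stdout.
ovpn_summary() {
  awk '
    $1 ~ /^[#;]/       { next }                    # comment lines
    $1 == "cipher"     { cipher = toupper($2) }    # data-channel cipher
    $1 == "auth"       { auth   = toupper($2) }    # data-channel HMAC digest
    $1 == "tls-cipher" { tls    = toupper($2) }    # control-channel TLS suites
    $1 == "proto"      { proto  = tolower($2) }
    $1 == "remote" && port == "" {                 # remote host [port] [proto]
      port = $3
      if (NF >= 4) rproto = tolower($4)
    }
    END {
      if (proto == "") proto = rproto
      # Forward secrecy needs an ephemeral key exchange in EVERY allowed
      # suite; one static-RSA suite in the list is enough to lose it.
      n  = split(tls, suite, ":")
      fs = (n == 0) ? "unknown" : "yes"            # unset: left to negotiation
      for (i = 1; i <= n; i++)
        if (("-" suite[i]) !~ /-(ECDHE|DHE|EDH)-/) fs = "no"
      print "data_cipher="     (cipher == "" ? "unset" : cipher)
      print "data_auth="       (auth   == "" ? "unset" : auth)
      print "forward_secrecy=" fs
      print "transport="       (proto == "" ? "unset" : proto) "/" (port == "" ? "unset" : port)
    }'
}

sample_profile | ovpn_summary
```

A result of forward_secrecy=unknown means the profile leaves the TLS suite to negotiation, so the property has to be confirmed from the connection log instead.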

Thanks to this, AirVPN has always been protected against the potential Logjam attacks brought to light by researchers last year. It is also immune to the recent "port fail" vulnerability that affected a large number of VPN services, thanks to its use of separate entry and exit IP addresses on each VPN server. In addition, AirVPN is one of the few VPN providers that protect their users against the WebRTC bug (and, as we will see, it also offers DNS leak protection and a kill switch through its desktop software).

As I said above, AirVPN also offers many optional technologies that make using a VPN extremely secure and private (and potentially truly anonymous, thanks to VPN through Tor, particularly given the wealth of anonymous payment methods AirVPN accepts).

In my view, whether in terms of technical innovation or excellence, and in the attention AirVPN pays to protecting its customers' privacy, no other service comes close.

It is important to note, however, that the language AirVPN uses to describe the purpose of its technology and its configuration is highly specialized jargon. Browsing the documentation AirVPN provides, it is easy to see why the average user prefers to move on!

The fact that AirVPN is based in Italy may also be a problem, as the country is a member of the Fourteen Eyes spying alliance, which cooperates with the NSA and GCHQ. This is certainly not ideal, and Italy does not mess around when it comes to copyright infringement.

On the other hand, even before the EU's Data Retention Directive was declared invalid by the European Court of Justice on human rights grounds, Italian VPN providers were not required to keep logs. AirVPN has stated that if one of the European countries in which it offers its services were to require this of it, it would take the matter to the European Court of Justice.

AirVPN allows its users to download via peer-to-peer on all its servers.

The website

At first glance AirVPN's website seems more functional than attractive, an impression reinforced by the technical jargon it uses so often, which includes words that only encryption geeks will be able to understand. This certainly puts off not only average users (as can be seen in our readers' comments), but also those with in-depth technical knowledge.

The nicely presented statistics seem to be an exception to this rule, making it easy to see server load, number of users, ping times, routing and many other details at a glance.

Support

Support is provided mainly through AirVPN's bustling forums. Unfortunately, the discussions are often very technical, and it is not surprising that many users are intimidated by this (it is starting to become a habit…)

Even so, the forums are a real goldmine of information on everything VPN-related, and the enthusiasm with which the AirVPN team discusses the smallest details of its service (drawing on very deep technical knowledge) is a real breath of fresh air in an industry where support services give only simplistic answers to complex questions or, worse still, seem not to know their subject!

As well as asking questions on the forums, you can email the AirVPN team directly (ticket system). I have tested this method in the past and seen waits of up to 24 hours before receiving a reply, but the reply was always very thorough.

The process

Signing up

Signing up for AirVPN is easy and painless, and the only personal information requested is a valid email address. (AirVPN strongly encourages its users to create a "disposable" email address.)

Bitcoin payments are made through CoinBase, and other cryptocurrency payments are processed through CoinPayments. Once payment has been made, you will receive a welcome email containing some useful links. Unlike with some providers, no account information is sent by email: you choose your username and password during sign-up.

AirVPN's Windows client

AirVPN has given its desktop client (also available for Mac OSX Mavericks and Yosemite, and Linux) a first name: "Eddie". The first thing to note is that it is open source. This means it can be independently audited to make sure that nothing suspicious is going on, and I wish other VPN providers would do the same.

Eddie includes VPN leak protection, dynamic server selection and plenty of statistics so that you can choose the best server to connect to.

A wealth of information!

The real-time log lets you monitor exactly what Eddie is doing (provided you have the necessary knowledge!)

The padlock at the top right shows that "network lock" is enabled. This creates a firewall that prevents any outgoing or incoming traffic on the computer outside the VPN tunnel to AirVPN's servers. AirVPN offers good DNS leak protection even when network lock is turned off (I experienced no DNS leaks while using this service), but network lock should prevent DNS leaks entirely, while also working as a kill switch.

The setting should also prevent IP leaks caused by WebRTC, but on my system the network lock firewall conflicts with my own firewall, which stops this feature from working. Since I cannot fix this without completely uninstalling my firewall (which I do not intend to do), I was unable to check, but in principle it should work.

Eddie does not route IPv6 requests properly, but it disables IPv6 so as to prevent any DNS leak (it is hard to blame AirVPN for this since, with the exception of Mullvad, no provider is able to handle DNS requests properly).

The only thing that really bothers me about Eddie is that it changes the Windows DNS settings. This is usually a good thing, since it ensures that all DNS requests are resolved by AirVPN's servers, but if for one reason or another the client crashes or closes, I have to reset the DNS settings manually before I can connect to the internet again (Control Panel -> Network and Sharing Center -> Change adapter settings -> right-click the connection -> Properties -> select Internet Protocol Version 4 -> Properties -> Preferred DNS server: 8.8.8.8).

Eddie is certainly the most feature-rich VPN client I have used. However, like everything to do with AirVPN, it is too technically oriented and uses terms that even an experienced VPN user like me will struggle to understand properly without doing some research.

Performance (speed, DNS, WebRTC and IPv6 tests)

The speed tests were performed on a 50 Mbits/3 Mbits broadband connection located in the United Kingdom.

The graphs show the highest, lowest and average speeds for each server and location. See our full explanation for more details.

As can be seen, the results are rather convincing although, oddly, it is easier for me to connect to a server in the Netherlands than to one in the United Kingdom. US performance from the United Kingdom is outstanding.

Even without enabling network lock I never experienced DNS leaks and, as I have already mentioned, Eddie prevents IPv6 and WebRTC leaks (with network lock enabled). I should also point out that I have rarely suffered VPN dropouts when using AirVPN.

Other platforms

In addition to the Eddie desktop client, AirVPN provides setup instructions for Android devices (using OpenVPN for Android, the OpenVPN for Android client and OpenVPN Connect), for iOS (using OpenVPN Connect), and for DD-WRT and Tomato routers.

For my part, I use OpenVPN for Android and it works perfectly for me. The app reconnects quickly when I move from one router to another or switch from a mobile connection to WiFi, and I have not seen any DNS leaks. OpenVPN for Android can even be configured to work as a kill switch!

AirVPN review conclusion

The mere description of the myriad features AirVPN offers in this review is enough to demonstrate the strengths of this service, but also to explain why many users do not feel entirely at ease with it. In terms of privacy, attractive features and technical know-how, AirVPN is very impressive; in fact, in my opinion, no other service on the market comes close in these areas.

But there is a (big!) but: AirVPN struggles to reach a wider audience because of its far too technical and impenetrable approach. In many ways this is rather unfair, as its client is easy to use (download/run!), and it seems inappropriate to criticize a service for paying such great attention to detail and working to offer a host of features that are rarely (if ever) offered elsewhere.

However, a quick browse through the forum discussions, or even the documentation aimed at new users, or a look at the way options are presented in the client, makes it easy to understand why visitors to the website are intimidated!

As such (and despite how highly I think of it), AirVPN is a niche service for advanced users and privacy fanatics, rather than a VPN service for the general public.

* The privacy and security section of this article was updated after AirVPN contacted me to clarify some errors/confusions, the most glaring of which concerned the use of HMAC SHA1 authentication on the data and control channels. I am now convinced that HMAC SHA1 is very secure. See the comments section of this article to find out more about AirVPN.

Written by Douglas Crawford

Published: February 10, 2016.

March 9th, 2018

I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.

114 responses to “AirVPN Review”

  1. Johnny says:

    AirVPN didn’t allow me to log in with the password immediately after registering. I successfully reset the password 3 times, then tried to log in carefully checking it and it still wouldn’t let me in. The messed up thing is they won’t let me submit an inquiry to them without logging in! How am I supposed to get a refund?

  2. Iev says:

    > Users are allowed up to 3 simultaneous connections (perfect for connecting your PC, phone, and tablet all at once).

    Review claims to be updated for 2018, but in fact it is somewhat out-of-date.

    Since November 2017 it is allowed to have 5 (five) simultaneous connections to AirVPN:
    https://airvpn.org/topic/24167-five-simultaneous-connections-per-account/

    Also the review is full of screenshots of the old client which has been redesigned more than a year ago. Worth updating in my opinion.

    Great review otherwise.

    1. Douglas Crawford says:

      Hi lev,

      Well – the review claims to be updated only inasmuch as its publish date has been updated – it's a Google results thing. That said, a full rewrite is due soon (and yeah – I use AirVPN as my personal VPN, so am aware of the changes :).)

  3. Fugadugadid says:

    Wow if they are so willing and cared so much why did they open shop in Italy? Kind of reminds me of an anti-occupation human rights NGO housed in Tel Aviv. If they changed jurisdiction that would certainly be a leg-up in their commitment, and not look so much like controlled opposition. Given their vast knowledge and unsurpassed “consumer” tech, for all we know it could be run by the NSA (or partnered with them) running a compartmentalized top secret signals intelligence program with the expressed purpose of penetration testing in every form of encryption they offer; and using the ‘h@ktivizt’ meme as a selling point; never selling out their customers, not in the open anyway. We all hope this is not the case but…. nobody knows, so to wonder is just the way it is.

    1. Douglas Crawford says:

      Hi Fugadugadid,

      I would guess AirVPN opened shop in Italy because that is where they live! I agree that there are better locations for a VPN to be based, but Italy is not a Five (or even Fourteen) Eyes member, and does not require VPNs to keep logs.

  4. Bob says:

    Hi Douglas,

    You wrote “No logs”, however we can read on their “Privacy” page:
    “Air servers and software procedures acquire only personal data which are strictly necessary for the technical functioning of the service, for example IP address.”

    So, it seems they log our personal IP address, am I wrong?

    1. Douglas Crawford says:

      Hi Bob,

      As I discuss in 5 Best No Logs VPNs, every VPN must, as a function of VPN technology, keep real-time logs. AirVPN, however, only keeps such logs in RAM until the client disconnects, and all output is directed to /dev/null (meaning that it is not recorded). This is pretty much as close to the definition of a no-logs VPN as it is possible to get. This exact question is addressed in this discussion.

      It is worth noting, however, that you can access quite detailed session history via your archive page. This includes stuff such as timestamps and connection duration, and is enabled by default (it can be disabled). I have asked for further clarification on how this squares with the above information, and will update this answer (and the article) when I receive an answer.

  5. Onanuga tobiloba emmanuel says:

    love your page

  6. AnnoyedCitizen says:

    Dear Mr. Crawford,
    Thanks for your various reviews and articles that have proved very helpful for someone finally getting more serious about privacy, and in particular for your AirVPN review. AirVPN seems the best for my purposes, with its tech orientation duly noted. I plan to sign up, via anonymous payment.

    First off my needed level of privacy is more general and in response to new laws allowing ISPs to sell personal net usage history. Also, I would like to feel free to exercise my free speech rights and publish satirical political commentary without fear of undue harassment (for legal speech), particularly by thin-skinned and vindictive, high government officials.

    I understand that if someone engages in activities that cause the government to really want you, they will probably find you. I looked at some deep web leaning security sites, which are way too head-spinning, disciplined and paranoia inducing on a daily basis for me to try to maintain something near anonymity with sandboxes, and an array of other measures. My goal is more modest, a VPN, firewall, and browser track-blocking set up that provides a baseline of privacy for an average joe, with a sometimes sharp tongue.

    Your articles raised a lot of questions, which I hope you can help out with. My basic set up plan is:

    A) Major ISP provided cable modem router, which has 4 LAN ports.
    B) 1 Modem Port: To run Non-VPN Wifi Router for guests, and smartTV/AppleTV over which to run Netflix and possibly other streaming services without speed hits, as I have no geolocation issues at this point.
    C) 2nd Modem Port: to run OpenVPN flashed Wifi Router running AirVPN for Mac Desktop (wired) and when home, Mac Laptop, iPad and iPhone (over wifi) for private home browsing and online activity.

    QUESTIONS, mostly from general to specific
    1) Is this dual router set up, 1 non-VPN and 1 VPN router, secure if set up properly? Will the non-vpn one give up the VPN one somehow?

    2) Will the insecure nature of mobile devices when used over the VPN router (iphone and ipad with GPS chip) make my real IP address vulnerable to someone interested in correlating the IP with my mobile device locations? Meaning that the mobile iOS devices should use the OpenVPN Connect software, rather than depend on the VPN router. Or would I still be susceptible to that kind of identification? though this kind of thing mostly done by government law enforcement agencies than by criminals or malicious hackers?

    3) Probably revealing my ignorance here, but could one run AirVPN desktop and/or OpenVPN Connect software at the same time as running over the VPN enabled router? Or would that cause conflicts, speed or looping issues?
    3b) Would there be an advantage to running the router on a 2nd AirVPN account, or from another VPN provider and the AirVPN desktop / OpenVPN Connect software for each device. Or would that make things super slow?

    4) You note in one of the comments that it's better to use desktop VPN software, rather than over a router as you would lose some AirVPN features, notably the Kill Switch (e.g. “network lock DNS leak protection and kill switch, port selection etc.”).

    This seems sound advice, but then I found some router code that enables you to “install” a Kill switch on a flashed router:
    Go to the Administration > Scripts > Firewall section and paste in the following script:
    iptables -I FORWARD -i br0 -o vlan2 -j DROP
    Click Save and then reboot your router.
    This is pretty simple to implement, assuming this code is correct.

    I am wondering if there are other OpenVpn router level script tweaks like this to fill in some of the other lost AirVPN features like network lock DNS leak, or simply by using Little Snitch/VPN Monitor as you mention in other articles?

    4b) As above, you mention port selection as another feature lost via router set up (which seems to be good for gaming, which I don’t need). But what are the other “etc.” features I might not want to miss in a router set up?

    5) Since I will need to install the desktop VPN software on my laptop and iOS devices anyway, for when away from my vpn router, was it really premature to buy and flash the OpenVPN enabled router?

    Thanks for any and all comments on the above!

    1. Douglas Crawford says:

      Hi AnnoyedCitizen,

      Thanks!

      1) That should be a secure setup. I like it!

      2) The biggest problem with mobile devices is that both the OS and individual apps tend to send a lot of information back to their publishers (including Apple). This information gets sent regardless of whether a VPN is used. This can only be countered to a limited extent by clamping down on apps’ permissions (which may prevent them from working correctly). So it’s really private companies rather than the government which are the danger here (although Apple did cooperate with the NSA…). Criminal hackers are not a big problem for home users, as your WiFi connection to the router will be encrypted (with WPA/WPA2). Using a VPN will, however, protect you when using an iOS device on public hotspots.

      3) Yes, you can do this, but as I discuss in this article, I think the advantages are limited if both VPNs connect to the same provider. Using two different providers has greater privacy benefit, but will cost more and be slow.

      4) That script is a good find. If you implement it, I’d be interested in hearing how it works out. You can certainly use IP tables on your router to prevent DNS leaks (see also here for instructions on configuring Little Snitch to work as a kill switch/ DNS leak protection).

      4b) VPN through SSH or SSL tunnels, VPN through Tor. But I’m guessing you probably aren’t interested in these features, anyway!

      5) Well, you can now connect all devices to AirVPN at once (AirVPN permits 3 simultaneous connections). Other family members and guests can also benefit from using the VPN.
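The router kill switch quoted in question 4 and the iptables DNS-leak protection mentioned in the reply together approximate on a router what Eddie's network lock does on the desktop. The script below is an added example, not code from the commenters, the author or AirVPN: it generates both kinds of rule and audits a saved ruleset for them. The interfaces br0 and vlan2 are taken from the quoted rule; the resolver address is a placeholder assumption, and the function names and sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example: generate router kill-switch and DNS-pinning rules, and audit
# a saved ruleset for them. Nothing is applied by this script; it only prints.
# br0 (LAN) and vlan2 (WAN) come from the rule quoted in the comment above.
# The resolver address is an ASSUMPTION: replace it with your VPN's resolver.
LAN_IF=${LAN_IF:-br0}
WAN_IF=${WAN_IF:-vlan2}
VPN_DNS=${VPN_DNS:-192.0.2.53}    # placeholder address (TEST-NET-1)

# Reject anything that is not a plain interface name / dotted address, so the
# generated lines are safe to paste into a root firewall script.
valid_if() { case $1 in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac; }
valid_ip() { case $1 in ''|*[!0-9.]*) return 1 ;; esac; }

killswitch_rules() {
  for i in "$LAN_IF" "$WAN_IF"; do
    valid_if "$i" || { echo "bad interface name: $i" >&2; return 1; }
  done
  valid_ip "$VPN_DNS" || { echo "bad resolver address: $VPN_DNS" >&2; return 1; }
  cat <<EOF
iptables -I FORWARD -i $LAN_IF -o $WAN_IF -j DROP
iptables -t nat -I PREROUTING -i $LAN_IF -p udp --dport 53 -j DNAT --to-destination $VPN_DNS
iptables -t nat -I PREROUTING -i $LAN_IF -p tcp --dport 53 -j DNAT --to-destination $VPN_DNS
EOF
}

# audit_ruleset: iptables-save text on stdin. The first FORWARD rule naming
# both LAN and WAN must be a DROP (an earlier ACCEPT would shadow it), and
# LAN DNS must be redirected to the VPN resolver for both UDP and TCP.
# Exit status is 0 only when all three checks pass.
audit_ruleset() {
  awk -v lan="$LAN_IF" -v wan="$WAN_IF" -v dns="$VPN_DNS" '
    function has(flag, val,   i) {
      for (i = 1; i < NF; i++) if ($i == flag && $(i + 1) == val) return 1
      return 0
    }
    $1 == "-A" && $2 == "FORWARD" && has("-i", lan) && has("-o", wan) && !seen {
      seen = 1; ks = has("-j", "DROP")
    }
    $1 == "-A" && $2 == "PREROUTING" && has("-i", lan) && has("--dport", "53") &&
      has("-j", "DNAT") && has("--to-destination", dns) {
      if (has("-p", "udp")) udp = 1
      if (has("-p", "tcp")) tcp = 1
    }
    END {
      print "killswitch=" (ks  ? "present" : "MISSING")
      print "dns_udp="    (udp ? "pinned"  : "MISSING")
      print "dns_tcp="    (tcp ? "pinned"  : "MISSING")
      exit !(ks && udp && tcp)
    }'
}

# CONSTRUCTED iptables-save excerpt: kill switch present, TCP DNS not pinned.
sample_ruleset() {
  cat <<'EOF'
*nat
-A PREROUTING -i br0 -p udp -m udp --dport 53 -j DNAT --to-destination 192.0.2.53
COMMIT
*filter
-A FORWARD -i br0 -o vlan2 -j DROP
-A FORWARD -i br0 -o tun0 -j ACCEPT
COMMIT
EOF
}

killswitch_rules
sample_ruleset | audit_ruleset || echo "audit: ruleset incomplete"
```

The three generated lines go in the same Administration > Scripts > Firewall box as the quoted rule, and the audit reads the output of iptables-save on the router.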

  7. Orwellian says:

    2 questions:
    1) Does the AirVPN setup in particular, and VPN setups in general, play well with cable TV modem routers?

    2) Does AirVPN have an open source iOS setup or app for iPhones?

    1 comment:
    Cisco Jupiter routers were compromised by the NSA, and for high-priority honeypot operations, it is SOP to target, intercept & re-direct shipments of computer component hardware in transit to engineer backdoor code insertions through chip-sets, so short of building your own servers and also visually monitoring them 24/7/365, it is very appropriate to ask the question whether servers manufactured in the UK, or anywhere else for that matter, are being competently inspected by VPN providers at the hardware, firmware & software level to detect similar compromises by GCHQ, NSA or any other hackers through code insertions into the server. After looking at the descriptions of your best 5 logless & encryption VPN providers, each of them describes a minimum of one or more glaring attack vectors for data interception or insertion by players operating at the level of the 5 Eyes Alliance.
    Even though yet to be reviewed by you, OVPN is the only commercial VPN service I am aware of which has demonstrably established functional design security all the way down to the bare metal level. As a result they have effectively eliminated all covert vectors of undetectable server-side SIGINT. So much so, I am confident of their ability to handle the targeted scrutiny that will come their way due to publicly raising their profile. Besides, they could use the business to setup more servers in more countries, lol! Of course, they remain exposed to the risk of HUMINT penetration & compromise, but as Edward Snowden has spectacularly demonstrated, everyone is exposed to that risk, even the NSA.

    1. Douglas Crawford dit :

      Hi Orwellian,

      1. Being based in the UK, I am not really familiar with cable routers (cable is not a thing here). But if it is a modem/router, then I see no reason why any VPN would not play well with it.

      2. No. AirVPN does not have any custom mobile apps. It instead provides the OpenVPN files necessary to manually configure OpenVPN Connect. This is the official app from OpenVPN Technologies, Inc. It is not 100% open source, but is the closest you will get for iOS.

      3. If the NSA is really out to get you (specifically), it probably will. It would be safer to use Tor than a VPN, but even then… If running OpenVPN in software, then it doesn’t matter if the router has been compromised, as the data is encrypted before and decrypted after it passes through the router. And a VPN router (or server) will be able to resist almost all port attacks as long as strong handshake authentication is used (e.g. RSA-2048).

      4. Looking at the OVPN.se website, I am indeed impressed by the fact that it runs all of its own bare-metal servers, and does so without using any type of storage media. I am very busy at the moment, but when I have the time I would love to investigate this service more closely. Thank you for bringing it to my attention.

  8. R dit :

    I’m still enjoying AirVPN for a month now. No hiccups. I also couldn’t resist buying a very inexpensive Lifetime subscription to VPN.asia (also reviewed on this site). They both seem comparable, although VPN.asia doesn’t have as many servers and does not support Perfect Forward Secrecy. It does have a killswitch now.

    One odd thing: whoer.net warns with VPN.asia: “We have determined that you work under a proxy server with a low level of anonymity. Proxy servers are intended to increase the speed of your connection with the help of caching. Your IP replacement in the process is just a sideway action rather than a main purpose of proxies, and they can be easily detected. Please use other means, for example VPN. Open ports 80, 11080, 1723 [cached].” AirVPN gives no such warning. Both are running OpenVPN.

    VPN.asia’s response was: “There are more ports open on our servers because we run multiply protocols, but this not means that its not secure.”

    Is this something to be concerned about?

    1. Douglas Crawford dit :

      Hi R,

      I must admit that I have not come across this issue before. But I think VPN.asia’s response sounds valid, and there is nothing to worry about. Do you get any such warnings when you visit ipleak.net?

      1. R dit :

        Douglas,

        ipleak.net reports: “No forwarded IP detected. If you are using a proxy, it’s a transparent proxy.” for both AirVPN and VPN.asia.

        With my provider-direct connection there are no errant open ports. (Shields Up! stealth mode) I was expecting the same with VPN’s (both Fail). So, if some of these ports must be open to support various protocols doesn’t that put the VPN at risk for attack?

        1. Douglas Crawford dit :

          Hi R,

          – I’m afraid that I don’t really understand why you are saying “I was expecting the same with VPN’s (both Fail).” ipleak.net detected no issues, while whoer.net only reported an issue with VPN.asia. Perhaps I am getting a little confused?

          – All VPN servers must open some ports, or else there would be no way for traffic to go in or out! The L2TP protocol, for example, uses UDP port 500, while by default OpenVPN uses UDP port 1194 (although it is common to run OpenVPN over TCP port 443 in order to mimic HTTPS traffic). It therefore stands to reason that the more VPN protocols a server supports, the more ports it must open.

          – It is my understanding that a strong authentication certificate (e.g. RSA-2048) will prevent a VPN server from being hacked via any open ports. In addition to this, any VPN worth its salt will employ failsafe mitigation measures. It is common practice, for example, to create log files to log any invalid authentications. The VPN provider can then filter these logs with a firewall named fail2ban. If there is X number of failed auths from one IP, fail2ban will enter the IP in iptables and the server will not respond to any packets sent from that IP.
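
The "X failed auths from one IP, then stop answering it" mitigation described in the reply above, sketched as an added example that is not part of the original comment and is not fail2ban's own code. The log line layout, the thresholds and the function names `find_bans` and `drop_rules` are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the style of an OpenVPN server log (documentation-range
# addresses, not real traffic). The exact line layout is an assumption.
SAMPLE_LOG = """\
2017-01-02 10:00:01 198.51.100.7:40112 TLS Error: TLS handshake failed
2017-01-02 10:00:05 203.0.113.9:51820 TLS Auth Error: Auth Username/Password verification failed for peer
2017-01-02 10:00:12 192.0.2.44:50000 [client1] Peer Connection Initiated with [AF_INET]192.0.2.44:50000
2017-01-02 10:00:30 198.51.100.7:40113 TLS Error: TLS handshake failed
2017-01-02 10:01:10 198.51.100.7:40114 TLS Error: TLS key negotiation failed to occur within 60 seconds
2017-01-02 10:02:00 198.51.100.7:40115 TLS Error: TLS handshake failed
2017-01-02 10:20:00 203.0.113.9:51821 TLS Auth Error: Auth Username/Password verification failed for peer
2017-01-02 10:25:00 203.0.113.9:51822 TLS Auth Error: Auth Username/Password verification failed for peer
"""

# "<timestamp> <peer ip>:<peer port> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ (?P<msg>.*)$"
)
# Messages counted as a failed handshake or failed authentication.
FAILURE_RE = re.compile(r"TLS (?:Auth )?Error")


def find_bans(log_text, max_retry=3, find_time=600):
    """Return {ip: time of ban} for peers with at least max_retry failures
    inside a sliding window of find_time seconds."""
    window = timedelta(seconds=find_time)
    recent = defaultdict(deque)   # ip -> failure timestamps still in the window
    bans = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not FAILURE_RE.search(m.group("msg")):
            continue              # unparsable line or a successful connection
        ip = m.group("ip")
        if ip in bans:
            continue              # already banned, nothing more to decide
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        failures = recent[ip]
        failures.append(ts)
        # Forget failures that have aged out of the window.
        while ts - failures[0] > window:
            failures.popleft()
        if len(failures) >= max_retry:
            bans[ip] = ts
    return bans


def drop_rules(bans):
    """Render each ban as the kind of iptables rule that makes the server
    stop answering that address (illustrative, not fail2ban's exact action)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(bans)]


if __name__ == "__main__":
    bans = find_bans(SAMPLE_LOG)
    for ip, when in bans.items():
        print(f"ban {ip} at {when}")
    for rule in drop_rules(bans):
        print(rule)
```

With the default thresholds only 198.51.100.7 is banned: 203.0.113.9 also fails three times, but its first failure has aged out of the ten-minute window before the other two arrive.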

  9. Mike M dit :

    I signed up with AirVPN about 18 months ago. I am not a techie, but am not tech averse. I signed up on the recommendation of a former military guy I know who is well versed in this topic, personally and professionally.

    It took a while to work through the nuances of AirVPN and Open VPN but if you’re patient, and refer back and forth between the instructions and the apps, it will happen.

    I also like their site for checking your IP address, ipleak.net. It shows the IP you’re using, plus shows any leakage, and helps you plug that leakage.

  10. Scott dit :

    In one of your replies to my questions you suggested I go with express vpn but I replied with a concern of setting the VPN for my android tablet (amazon fire) and you gave me instructions on AirVPN so which one do you like most for: privacy and streaming video on such providers as kodi, Netflix, and Hulu. Oh do both VPNs provide set up instructions on their sites. Sorry I am full of questions.

    1. Douglas Crawford dit :

      Hi Scott,

      I personally use AirVPN for reasons discussed in this review. But it is a service aimed more at techies, and can be a little rough around the edges. It also has no dedicated Android app. This is not much of a problem for me, as the third-party OpenVPN for Android app is very good. But it does require a little setting up. I recommend ExpressVPN for you because it is a very professional service that offers an easy-to-use Android app which requires almost no setting-up at all (just install and run). Both services provide setup instructions on their websites, however, so neither should be too hard to get up and running. Note that AirVPN will give you a 3-day free trial if you email them about it, so you can always just give it a try to see how you get on.

  11. Scott dit :

    Douglas
    So one more thing…what about my concern for the VPN gaining access to my desk top PC when I use my tablet at home. Can and will they? You suggested express vpn due to it being user friendly and having good android mobile apps. You said they keep some logs but they are aggregated. Sorry for my ignorance but what does aggregated mean as it relates to the VPN service? Can I feel secure using kodi with Express VPN as I would assume most enforcement is interested in things more significant.

    1. Douglas Crawford dit :

      Hi Scott,

      – Using a VPN does not give anyone access to your PC or tablet. It’s simply not how they work.

      – Aggregated means that things such as connection times to the VPN server and length of session are logged, but these logs are not associated with an individual IP address (user). They are therefore useful for troubleshooting purposes, but pose a minimal privacy threat.

      – ExpressVPN has no problem with people using P2P or Kodi etc. on its service, and will protect you while doing so.

  12. R dit :

    I just wanted to let you know that, after months of reading reviews here and a lot of procrastination, I finally signed up for airVPN and couldn’t be more pleased. I found the signup process easy and had no problems getting setup quickly and online. Everything works fine – no leaks of any kind, straight VPN, VPN over TOR, TOR over VPN. Although there is variability in server latency and speed I have found a few that give me fantastic throughput on my 150mbps connection. I would say my first VPN experience has been a very good one.

    Many Thanks!

  13. Se55iE dit :

    AirVPN is not so good now. All last new servers in Switzerland, Belgium, Austria, Czech Republic they buy at M 247 Ltd. But M247 is UK company. And you know what is going on now with privacy in UK.
    I don’t understand what is the point to buy CH and other servers at UK company ? Airvpn doing bad things.

    1. Douglas Crawford dit :

      Hi Se55iE,

      Interesting find. You are correct about AirVPN using M 247 Ltd servers. In this article AirVPN argues that it is irrelevant who owns the servers, but I will reach out to it for further comment on the situation.

      1. Douglas Crawford dit :

        Hi Se55iE,

        AirVPN has responded to my query about this (which cited the IPB) with the following,

        “The Investigatory Powers Act scope is not applicable to our company, and it can be challenged after it has been found by the European Union Court of Justice incompatible with human rights and EU legal framework (EUCJ decision of December 21, 2016).

        The Act provides three main lines of investigation: interception, interference and retention. The first two methods may cover datacenters in the UK, but they do not pose new challenges. The same can happen, and has happened, legally or illegally, virtually in any country in the world (see our article from 2012 about partition of trust to deal with this problem):
        airvpn.org/topic/54-using-airvpn-over-tor/#entry1745

        Note that with M247 we have various servers in various countries, not only in the UK. The applicable law is the law of the country the servers physically is located, as clarified by Art. 29 Working Party in the EP.

        Also please note that the Act has not yet been implemented operatively for data retention, not even at ISP level at the moment, and chances are that it will never be operative for datacenters (in regard to indiscriminate retention). About this last important point (data retention), our policy does not change and any interference with that will cause us to discontinue any server in the UK, just like we already did in France.”

        So what I take from this is that it does not matter whether M247 Ltd is a UK company, as long as you avoid UK servers (which is always a good idea anyway).

      2. Roger Garos dit :

        Hi Doug- I’m pretty much of a total novice re VPNs, etc., but was wondering if I could enhance the privacy of my telephone contacts by using a VPN with a VOIP service. Since I understand there can be compatibility issues, is AirVPN compatible with VOIP services?, and, if so, which one(s). Also,if not, which VPN would you recommend that would afford maximum privacy and VOIP compatibility? TIA Roger

        1. Douglas Crawford dit :

          Hi Roger,

          Using any VPN service (including AirVPN) will prevent your VoIP conversations being listened into by hackers when using public WiFi hotspots. But that is pretty much it. Your best option to improve phone/VoIP security would be to use Signal.

          1. Roger Garos dit :

            Thanks for the Signal tip Doug-Actually though,(vs hack protection),I’m at least as concerned with Voip as a vehicle to maintain my anonymity when I make calls to regular phone numbers. Was assuming that if I started using a VPN(like AirVPN),if I then set up a Voip account like Skype over that VPN, that 1)all location tags would be blocked, and, 2)Only indication of my identity would be the name that shows up on caller ID. Assuming these are both true, which Voip providers afford the best protection of subscriber personal information(since I don’t believe Skype does). If such a Voip exists, would assume that would solve all my problems. Any suggestions? TAIA

          2. Douglas Crawford dit :

            Hi Roger,

            Well, if using a VoIP through a VPN (such as AirVPN), then your IP address will appear to be that of the VPN server you are connected to. So yes, it should work for you in this context.

  14. Erwin Schulze dit :

    Without a doubt an excellent VPN! 5 Stars with praise!

    1. Falco dit :

      I have been using Air VPN for years, it’s the best choice for me. Definitely 5 stars. Very prompt customer service.

  15. Eng. Tarek Herik dit :

    Is this airvpn service gives every user different public ip addresses ?

    1. Douglas Crawford dit :

      Hi Eng. Tarek,

      With AirVPN (as with most VPN services) you are assigned an IP address that is shared with many other AirVPN users (usually 50-100). This is good for privacy as it makes it very hard to determine which of the IP address’s many users is responsible for what action on the internet.

  16. Sim dit :

    Hi

    1) Is there any possibility of choosing the encryption type for each server?

    2) Any feature(s) that AirVPN would charge for extra like choosing PFS over Cipher?

    3) The issue of Kaspersky Internet Security’s firewall conflicting with AirVPN’s firewall, any way to resolve it? I’m thinking of using Kaspersky on my PC.

    Thanks

    Regards

    1. Douglas Crawford dit :

      Hi Sim,

      1. AirVPN only supports the OpenVPN protocol. Given that this is the most secure (as long as PFS is used) and flexible VPN protocol available, I believe this to be a sensible and principled decision.
      2. PFS is used in addition to the cipher. All AirVPN connections use PFS (for an explanation of what PFS is, please see here).
      3. I’m afraid that I don’t use Kaspersky Internet Security’s firewall, so I can’t comment. The best place to ask about this is probably on AirVPN’s forums. You can, of course always use AirVPN without Network Lock (the firewall) enabled. I have never suffered DNS leaks even when Network Lock is turned off, although it does mean kill switch functionality is not available. There may well be other, better, solutions.

    2. Anonymous dit :

      I use both Kaspersky and Air and have had no problems at all.

  17. Terry dit :

    Hello,
    I need your help if possible .
    I just discovered Air VPN and started to use it now for one month.
    I was aware of privacy while surfing but it was not easy to decide which way to go and which tool to use but after reading a lot on this site it gave me my answer, I’m in for a full year and even if there’s a lot of stuff I don’t get while looking at the logs I feel safer.
    My questions are regarding 2 points.
    I was using services from “Returnil Quietzone”and still do and I was wondering if the 2 softwares are complementary ? I have it not working on for now .
    My second questions is regarding the use of the ALFA R-36 router in my configuration,feels like I’m experiencing slower speeds while going through the router,I don’t know what should I change in the router’s settings.
    For info, my 2 testing configs are: (connecting to my friend’s Wi-Fi with her approbation).
    – A 14dB panel antenna directly to the AWUS036NH with an active 5m USB cable to my PC,it works fine,looking at the logs after a full day,no connexion breaks.
    – Same installation but going to the R-36 to have a my personnal wi-fi in the house is a different story,lots of connexion breaks but returns after these messages,’Disconnecting’, ‘Authorzation check failed,continue anyway’,after the 4 th try it connect back to a server and keeps on.
    Not sure if I’m at the right place for that and hope I did explain my little problem not to confusing.
    Thank you for your great work,I learned alot .
    terry

    1. Douglas Crawford dit :

      Hi Terry,

      1) Quietzone sandboxes your web sessions as well as connecting you to the internet via the Tor Network. It is closed source proprietary software, so for simple sandboxing your browser I would use free and open source Sandboxie instead. You can also use Sandboxie to sandbox the Tor Browser, which will achieve pretty much same thing as Quietzone, while being more secure (the Tor Browser is hardened, and you are not trusting a third party to make your VPN connection for you).

      Using Quietzone and a VPN together will dramatically slow down your internet connection (thanks to Tor). Sandboxing your browser does have a complementary function, but whether this is worth the extra hassle depends on your threat model. Personally I wouldn’t bother, but that is up to you to decide.

      2) The main problem with using a router for VPN is that processing a VPN connection is very processor-intensive (especially for OpenVPN). This means that all but the beefiest routers struggle with the job, resulting in poor internet performance.

  18. Wilton dit :

    Hi douglas, can you help me to configure my airvpn for best surfing websites ? how to activate dns leak protection and killswitch, i always see on ipleak.net i see that is no airvpn exit activate, i just see my country i think because of dns leak ? thank you, sorry about my poor english.

    1. Wilton dit :

      ….and i always connect in recommended server, and always is Canada. in this site always show my real ip, because of dns leak. http://dnsleak.com/

      1. Wilton dit :

        …ops sorry, no my real ip, my real DNS ip.

    2. Douglas Crawford dit :

      Hi Wilton,

      In order to enable DNS leak protection and the kill switch in the AirVPN client you must enable the “Network Lock” feature. This creates a firewall that only allows internet connections that go through the VPN. When you first start the client up, and before you hit “Connect”, you are offered the chance to enable Network Lock (see screenshot). The option can also be turned on and off in Preferences -> General.

      1. Wilton dit :

        Oh yeah! thank you very much, now everything works perfectly!

  19. Hugh Mungus dit :

    Hello, thanks for the review I’m just letting you know that your “visit AirVPN” links redirect to the NordVPN website, haha.

    1. Douglas Crawford dit :

      Hi Hugh,

      Thanks for pointing this out! I have alerted our tech team to get this fixed asap!

  20. Mark dit :

    I have been living on this site for the past few days. I’m going to purchase a VPN very soon. I travel extensively and I don’t go to “adult” sites or anything like that.
    However, I do a lot of online banking and Amazon purchases.
    I, obviously, want to keep all of that info encrypted since I’m in hotels and airports.
    Would AirVPN be the best choice for me?
    I’ve been swayed back and forth a good bit lately between ExpressVPN and AirVPN.
    Thank you for your hard work and time. This is a great educational site!
    Mark

    1. Douglas Crawford dit :

      Hi Mark,

      For simply visiting your banking website and Amazon, etc., you do not really need a VPN, as your connection is protected by HTTPS. In many ways ExpressVPN and AirVPN straddle opposite ends of the VPN spectrum. ExpressVPN is arguably the best provider around in terms of newbie-friendly software, great customer service, and a genuine no quibble 30-day money-back guarantee. AirVPN, on the other hand, is arguably the best VPN service out there in terms of dedication to privacy and technical know-how. But it is not newbie-friendly and customer orientated in the way that ExpressVPN is. So it’s a bit like chalk and cheese. Personally I use AirVPN, but I fully understand why many others prefer ExpressVPN’s more approachable service.

      1. Mark J dit :

        Douglas,
        Is there anyway I can email you with a few questions? I would rather do that than have everyone see our questions.
        If you can see my email address that’s needed to post, please send me an email there.
        I signed up for AirVPN for a few days and I just have a few questions.
        Thank you.
        Mark

        1. Douglas Crawford dit :

          Hi Mark,

          I am employed by BestVPN, so please direct your questions here. We do not check whether the email address you enter is valid, so feel free to make one up and post your questions anonymously.

          1. scott dit :

            Douglas
            I am so frustrated! I am not computer savvy and have been fretting over VPNs for days now. I want one where privacy is of first importance and do not keep logs. I just want kodi covered. I want the VPN to only work on my tablet and not have access to my personal desk top pc and the info that is on it. I want one that is not going to cause lag in streaming. I was going to go with private internet access but then there was tons of complaints. Then I was thinking AirVPN but the UK kind of freaks me out. I have seen a lot of youtube vids that say go with IPvannish and other say private internet access. Im also worried that when I pick one that im not going to set it up right and my tablet is not going to function as I need it to. Just an FYI my tab is 32gb with 28gb available. HELP ME PLEASE!

          2. Douglas Crawford dit :

            Hi scott,

            Any decent VPN will do what you ask. I would suggest ExpressVPN because it has very easy-to-use mobile apps (perfect for your tablet). It does keep some minimal connection logs, but even these are aggregated. Note that AirVPN is based in Italy, not the UK (still 14-Eyes, so not perfect, but where is?) IPVanish and PIA are based in the US, and so are not recommended for privacy. NordVPN is based in Panama, keeps no logs at all, and has a mobile app, but can be slow. Another good option is Gibraltar-based IVPN, but this has no mobile apps.

          3. scott dit :

            Douglas
            Oh I just want it to automatically be working when I power up my tablet!

          4. Douglas Crawford dit :

            Hi scott,

            In the OpenVPN for Android app select the Settings tab. Tick “Connect on boot”, then touch “VPN used on boot and for Always-On” and select the AirVPN profile you want to use. If you are not already using AirVPN then you will find a provider that offers an Android app much easier to configure for your tablet.

  21. happy user dit :

    i have used air for 2 years when i have money i have air they are the very best vpn for xbox live that you can get and 7 bucks lol i love my air

  22. Jochen dit :

    Nice review Douglas, I’m another of those totally satisfied customers (using it for 1 year, just renewed for another one).
    But yes, it is definitely for the more tech-savvy crowd, nothing you point your mother at and just say “use that” 😉
    Two issues can get really frustrating: the mentioned DNS problem when Eddy crashes, which they really should just give a prominent posting at their website as I needed some hours to find the root of the problem and resolve it.
    The other problem (general VPN problem not AirVPN related) is what I’ll call the MTU-Problem. I was at my mothers home who uses Unitymedia cable as a provider and I just couldn’t get a stable VPN connection, it worked for a short time and then just failing to transfer anything and sometimes even taking the router with it so I had to reset the router. That took me a lot of time resolving including reading a lot of VPN documentation and all sorts of partially related hints, postings,…
    You have to lower the maximum MTU-size then it works (eg link-mtu=1300 in the openVPN manual settings). Still don’t fully understood how to calculate the optimum MTU-size but playing around with the size should get you a working connection. If I sometimes decide to delve really deep into this topic and finally really understand the parameters (there is the fragment parameter to set and the correct mss-size to get the optimal throughput) then I really have to write a FAQ on this as there is not one easy explanation on the Web.
    But this is NOT an AirVPN problem, this is related to the provider!

    So, sorry for the long entry, just wanted to help other people having this problem, as I had big problems finding the cause and solution (and I’m very good at searching the web).

    Jochen

    PS: Just adding this for Search Engines to find it, remove if unwanted:
    Unitymedia VPN problems disconnection

    1. Douglas Crawford dit :

      Hi Jochen,

      Thanks!

      – In fairness, the DNS issue affects just about any VPN client that uses a firewall for DNS leak protection and kill switch. I totally agree that AirVPN should do more to flag up the problem and explain how to fix it.
      – I must admit that I have never heard of or encountered this “MTU-Problem” before. Thanks for flagging it up, and for what sounds like the sterling work you have put into researching it. Do you know if it is just a Unitymedia (a German ISP) issue, or can it affect customers of other ISPs? If/when you do write a FAQ, please do contact me or post a link to it here.

  23. Phillski dit :

    I’m a rookie. This info sounds like a good choice. I have a new ASUS dual band router. How does this work? The software is to be installed on my router?

    1. Douglas Crawford dit :

      Hi Phillski,

      You can either install the AirVPN software client on your computers or configure your router (AirVPN’s instructions for doing this using Asus-WRT are available here). Note that if you run the VPN from your router, you do not benefit from the additional functionality provided by AirVPN’s desktop software (e.g. “network lock” DNS leak protection and kill switch, port selection etc.). It is also worth noting that the processor in even high-end routers can struggle to cope with the demands of processing OpenVPN, so your internet connection when using VPN will likely be faster using desktop or mobile VPN software.

      1. Phillski dit :

        this is more great information. Thank You very much

  24. Leon dit :

    Hi Douglas,

    Just a few words of feedback on my 1-week journey with AirVPN. Well, in fact I’m satisfied with the speeds I get, when connected to their 1-Gigabit servers with the minimum latency.
    What I don’t really like is that Network Lock feature simply does not work when Kaspersky Internet Security is installed and operating. Whenever I disconnect from whatever AirVPN VPN-server, the software is telling me: “Network is locked” or something like that. So, I assume, I shouldn’t be able to browse Internet anymore, right? Not a chance. The internet is still working as it has always been working.
    I need to shut down Kaspersky to make this feature work. Not good!

    Second issue is that AirVPN broke my Wi-Fi connection on the very same computer, when I utilized AirVPN through it. I have no idea what the software changed, but now Wi-Fi simply does not work — there is still a normal connection, but no connection to the Internet. I need to switch AirVPN back to browse internet while on wi-fi (I have a TP-Link 300mbps n-type USB adapter and I’m getting the internet from my smartphone, which is able to create a wi-fi hotspot).
    Guess I need to go and browse their forums for some info, I’m not sure I’m the only one with these problems.
    So, these are the facts, which kinda preventing me from purchasing a one-year package.
    I don’t like these facts and I’m really not very enthusiastic as to investigating these issues myself. Maybe you can advise anything? Overall it seems like they don’t have competitors on the VPN-market offering the same features and general stability. Correct?
    Thanks a lot.

    1. Douglas Crawford dit :

      Hi Leon,

      Thanks for the feedback.

      1) AirVPN’s “Network Lock” is in fact a firewall that prevents all connections outside the VPN. The Kaspersky Internet Security suite also uses a firewall. The 2 firewalls clearly have conflicting rules, and the Kaspersky one is blocking Network Lock from functioning correctly. This is annoying, to be sure, but I don’t think it is really fair to blame AirVPN for the issue.
      2) As with most good VPN services, AirVPN routes DNS requests to its own servers (rather than your ISP performing this function). What you are experiencing is almost certainly due to your DNS settings not returning to default values after quitting AirVPN. Please see my How to Change your DNS Settings guide on how to fix this.
      3) When it comes to VPN technology, AirVPN is in a class of its own. But as noted in this review, user-friendliness is not one of its strengths.

  25. nik dit :

    hi Douglas,

    Im using PIA (private internet access) vpn. i use viber alot. on viber what ever vpn you use it always shows your exact location (i mean your true location). you can change to hundred location on vpn but it never change on viber. why is that? how can tweak the settings so it could show my vpn location?

    1. Douglas Crawford dit :

      Hi nic,

      The problem with Viber is that it is a mobile app, and mobile apps use information other than your IP address to determine your location (for example your GPS location data , network provider information, and IMEI number). Using a VPN cannot help with this, and unfortunately there is very little else you can do about it.

  26. John Varga dit :

    Douglas

    Your review of AirVPN is much appreciated. I have come close to signing up with others by reading comments as held me back. The only value I see from using VPN is to keep each persons ISP or local government off their back. If one only used VPN when needed it might make sense.

    I used VPN years ago through HMA. It was almost okay at the time but had no kill switch that worked. A lot has changed since then so I am back to the newbie level.

    Paranoia in the war with the three letter guys is not misplaced. They are very good at what they do. Experience with these guys tells me that they know almost everything about us they want to know. The new $1B+ NSA complex in Utah is coupled with a new Adobe complex across the road with direct fibers interconnecting. One of the prime principles of surveillance is to hide things in plain sight. Nobody thinks to look there. I have blocked all Adobe connections on my computer and do not use Flash or Adobe reader. The first thing they do when activated is to call home. I don’t know how much or what information is sent but the one thing that rarely changes is my MAC address. You might say the MAC address does not go past my router but that is only when it is in the header. If it is sent as part of the payload then all bets are off.

    I can see the effects of my blocking Adobe and AddThis by the number of connections the system tries to establish and are rejected by the firewall. Standard procedure is for them to keep incrementing port numbers looking for a way out.

    So why do I go into such detail? I want my life back only to myself about what I do on the internet. With all of this software calling home, with who knows what or how much information, I wonder if using the best VPN available will help if when I start my browser, my identity is revealed. When Firefox came out with a recent update they included a black box (no longer open source) for the DRM people. I found the DRM module was calling home every time FF loaded. I don’t use any DRM material on my machine. I chose to install the non-DRM version. Most people don’t even know it exists.

    I see VPN as only a partial solution. A solid firewall with Adobe, AddThis, and others blocked helps. NoScript is another good weapon.

    What I don’t understand, as a newbie, is if I install AirVPN will I still have access to my network printers and other computers on my LAN that I share files with? I don’t want to be trashed by the wizards at AirVPN for asking these types of simple questions. If I have to change some ports, configure something, or edit the register I am okay with that. The problem is I don’t know what to do and don’t have their experience.

    One thing AirVPN could do is provide help files or links to simple information a non-wizard needs. Forgive me, Mr. Wizard, if I offend you by asking what you think are dumb questions. I have my specialties and you have yours. Please guide me in the right direction. I am willing to dig for it and learn. I just don’t know where to look.

    1. Douglas Crawford dit :

      Hi John,

      Offend? Ha ha. That’s what I’m here for!

      – I completely agree that using a VPN is only a partial privacy/security solution. I think you should view internet privacy and security as a complex problem, and to have any chance of addressing the problem, you need the right tools. A VPN is one such tool, and if implemented well (as it is by AirVPN), a very good one.

      – If the NSA is after you in particular, then you are probably fucked. A VPN, however, is very effective at hiding your internet activity from blanket surveillance measures.

      – Please see my article on Firefox to incorporate DRM (reluctantly). Note that DRM can be turned off in Firefox (Settings -> Content).

      – To stop online tracking, browser extensions such as Privacy Badger, uBlock Origin, and (if you want to go nuclear) NoScript are better than VPN (or more accurately, should be used in combination with a VPN – see “toolbox” comments above).

      – As with almost all VPN clients, AirVPN exempts LAN connections from its firewall, allowing you to use local resources such as network printers and NAS drives as normal. The only problem I have ever encountered is connecting to my Chromecast from my PC when AirVPN is running (although, strangely enough, Casting from my Android phone with AirVPN running works just fine).

      1. Crispin says:

        Ublock Origin with Dynamic Blocking enabled is better than NoScript, as it prevents your browser from sending requests to the server in the first place.

        1. Douglas Crawford says:

          Hi Crispin,

          Thanks. When I have the time I will investigate this more.

  27. Matthias says:

    Hi Douglas,

    Very helpful review, thanks! I am in China, using two VPNs… just in case. The Air VPN set-up took some time as the user interface requires some understanding, which I do not have. But there was a good explanation on the website and I managed. Now I am able to use Google and watch YouTube videos. It also works during times of increased blocking activities (during public holidays and party congresses).

    Thanks!

    Matthias

  28. nobody says:

    Save your money by reading this! Being an AirVPN user for 3+ months, I can say – run away as fast as you can!

    Their servers worked well enough for 2+ months, then connection problems started occurring more and more often. Today I posted a message on their forum telling that service is down again, and called it a “great service”. Do you know what happened? They instantly banned me on the forum, closed my VPN account (I paid for 12 months of service) and this is it!

    Needless to say, they ignore all my emails and refund requests, so stay away from this “company”! Otherwise, your account will be closed and they will keep all your money in case you complain about their service.

    1. Douglas Crawford says:

      Hi nobody,

      Ouch! That’s not good! I must say, however, that my experience has been somewhat different, and that AirVPN’s support has always tried to help when I’ve had an issue.

    2. VYI01 says:

      @nobody (Poster)
      Well with the tone in which you write, I can understand why they might ban you, as you were probably quite indignant. By the sound of it, you appeared on the forum and cried like a baby, no offence. “Your servers are down! Nothing works!!!” and not even bothering to:

      – Describe the problem
      – Describe your setup and/or show relevant client logs
      – Describe things in a civil way
      – Describe the results of using AirVPN’s OWN TESTING SERVICES such as the Route Checking feature, that lets you check all servers at once, to see if only 1 server is the problem or not: https://airvpn.org/routes/

      If that’s the case, then you kinda deserve a ban IMO, because honestly, there’s no telling legitimate users from spammers and trolls a lot of the time. What’s the result? Clean forums, where information isn’t obscured by emotional outbursts and senseless slurs. Because you know what? There’s a 99.99999% chance that the servers were not down that day; if so, more users than simply you, would’ve been on the forums reporting the issue. So what likely happened (and I did try to look for your post), is that you appeared on the forums, moaned about problems in a lazy and unhelpful way (even downright rudely, if that “great service” remark was sarcasm) and then tried to pin the problem on the service itself, before checking and getting feedback on your own setup. This is basic 101 stuff.

      There’s also many helpful people on the forums. Just check this new-user guide that an AirVPN member made:

      https://airvpn.org/topic/18339-new-to-airvpn-or-just-confused-guide-to-getting-started/

      So if anything, you could ask him personally or post in the thread. The point is, you didn’t try to solve the problem like an adult, it seems, so why should anyone treat you like one?

      ———————————————-

      Otherwise it’s an excellent review Douglas. You put out some great stuff.
      The location of AirVPN doesn’t make a huge difference, because in a way, there’s not many viable countries in the world for this stuff. A lot of VPN providers fake their Geo-IP, to make it appear that they’re located in a different country for instance. I think you should mention something about VPS instances:

      Namely that some services, such as PIA, offer many locations officially. But in reality, a lot of these locations are fake and run on a VPS. Running a VPS setup can be okay if users are informed as such; but most aren’t. This means people think you run “bare metal” servers in country X or Y, but in reality those servers are in country A, pretending to look like they’re in country X and Y. This then lets the VPN provider “add another flag” to their front-page. My point is, that AirVPN doesn’t do this. They’re very honest. In fact, they care so much about security and privacy, that they simply won’t set up servers in countries deemed bad for them. So it’s not because they don’t *want* to set up more servers or are physically unable to, it’s because they have a mission to protect the privacy of their users. That, and they make actual cost-benefit analysis about server locations: for instance, the Middle-East is an expensive place to set up a connection. If you could even get a good-quality one in the first place. But many other VPN providers don’t mention this. Just like they don’t mention that using a VPS means you can log everything the virtual “servers” are doing.

      I think you should’ve given it 5 stars for pricing, considering you get so much for your money. No over-selling, no lies or attempts at deceiving people. Oh well.

      I do agree their customer service could be a little better however, as well as making things more user-friendly for newcomers; but then there’s members who’ve already posted guides, like the one I linked to, as you said.

      Thank you.

      1. Douglas Crawford says:

        Hi v13,

        Thanks! 🙂 As you will know if you have read this review, I am a big fan of AirVPN. In fact, I think it runs both the most principled and technically capable VPN service on the market. As for the star rating, these are not decided by me, or even by the BestVPN staff. They are derived from the ratings entered by readers when they post comments here.

      2. WA Family says:

        I disagree that you can infer accurately from someone’s tone what type of client she/he’s been in the past. Several large publications on the psychology of complaining point out that many people don’t want to invest the effort and time in complaining–especially in a complaints-averse culture like that of the US, so by the time they do, often the issue they’re confronting has gone on for so long or has become so critical that tempers easily flare. If someone’s already tried diplomatically to handle the matter but has been ignored or mistreated, she/he’s likely to become significantly more agitated. Even tacitly censoring these individuals in other forums is counterproductive, as we should all know if companies whose services we’re paying for can be unprofessional. And ad hominem certainly doesn’t resolve anything (“…cried like a baby…”). Your own argument would have been much more credible without it.

        We, at least, appreciate Nobody’s heads-up as we look for a replacement VPN for our at-home browsing needs.

      3. Smellysocks says:

        Firstly, and I’ll comment on your post vyl01, I’m a basic user and have used airvpn for over a yr now…and it’s fantastic! I had some connection issues to start which were quickly solved by a polite email to support.

        Secondly, I completely agree with your suggested comment about the previous post, the manner in which we conduct ourselves or the impression we portray…not to mention publicly degrade a very high service, I agree will be met with severe consequences.

    3. Drasmorg says:

      I have been using AirVPN for 3 years, the only problem I have ever encountered was with P2P slowing WAY down. The help desk, as stated, is very techie and did not help me at all fix the solution but for some reason it fixed itself. This was about 1 year ago and everything went back to good speeds after about a week, not sure why and it wasn’t anything I did. My subscription finished 4 days ago and I have been spending all that time searching for another provider but so far AIRVPN is still tops, even if all the vpn review sites don’t show it as. Once setup, which is just an install really, everything works out of the box. A renewal for a year, with a 10% coupon, will be $4.05 per month, slightly more than the cheaper vpns charge but far better product.

      I use Windows 8.1 firewall and the network lock works as advertised for me. I run IPLEAK test and nothing ever points to my real location. Sometimes when you shut down AIR the lock won’t reset your IP4 address, then you have to go in and change it from their DNS number to default, but that is it.

      As stated, I am buying their service again for the 4th year right now.

  29. Michael says:

    AirVPN accepts a wide range of payment options but beware if you are using a prepaid credit card. Their card processor Avangate does not always respond nicely to users of prepaid giftcards.

  30. Marco says:

    Hello Douglas,

    Can you explain why Italy is not an ideal loc?
    Cause I’m from Italy and I’m looking for a vpn to use here.

    Specifically, I work in an Italian university, so the athenaeum network managing office assigned an IP to me, but I know they can (and probably do) monitor my traffic.

    Can you tell me if a vpn can allow me to safely dl with utorrent even in this circumstance and are there specific risks using an Italian based vpn in Italy?

    Thanks

    1. Douglas Crawford says:

      Hi Marco,

      Italy is a member of the Fourteen Eyes spying alliance that cooperates with the NSA and GCHQ. I have provided a couple of links in the article to demonstrate that this is more than a theoretical problem. Despite this issue, I still regard AirVPN as the most secure and privacy-conscious provider on the market. You can download safely using AirVPN (or any torrent-friendly VPN provider) – the NSA etc. does not care about this. As a precaution, however, I would suggest using a server based in Switzerland, as copyright piracy for personal use is not illegal there.

      1. Marco says:

        Thanks for your ready answer!
        In truth, I don’t care at all about NSA spying activities, I fear much more the university network manager.

        Well I’ll try out airvpn, thanks again.

  31. Dario says:

    Worst service ever!

    I was happily signed in the web site and then I decided to log out.
    Then I was not able to sign in again! I asked for a password reset and after several trials I finally decided to change the password to the most difficult one: 1111.

    NOTHING, always the same message: “username or password incorrect”

    They do not support anything else than OpenVPN. I wonder why everyone is surprised by the fact that many potential users seem to be put off by AirVPN.

    Only few top routers support this protocol, and even fewer xDSL modem routers do.

    Thank God I was smart enough to spend only 7 Euros in this junk.

    1. Douglas Crawford says:

      Hi Dario,

      Support is not AirVPN’s strongest point, but I am surprised if it didn’t offer some assistance with this issue. As for support only for OpenVPN – it is the most secure and flexible VPN protocol, and I admire AirVPN’s decision to use only it. I agree, however, that AirVPN is not for everyone.

      1. Dario says:

        They quickly solved the problem.
        Stupid encoding problem in my username not notified during registration!

  32. coen says:

    Perfect working! Installation full automatic, nice working on my iMac.

  33. K says:

    A quick follow-up regarding AirVPN. It appears one of the main founders of AirVPN is Mr. Paolo Brini. He is also a spokesperson for ScambioEtico, an Italian group that campaigns for civil liberties and copyright reform.

    This bit of info fills in, for me, the statement on AirVPN’s website that:
    “Air VPN was originally founded in 2010, by a group of ‘hacktivists’ and lawyers, both of which were willing to donate their time to a cause that they believed in. The AirVPN system was originally created for the Pirate Party festival in Rome, which shows just how involved they are in the pro-privacy and anonymity scene.”

    This gives me additional confidence and comfort in using AirVPN. Thank you Mr. Brini.

    1. Douglas Crawford says:

      Hi K,

      That is a great bit of detective work – thanks for sharing!

  34. K says:

    One of the interesting and recurring questions that comes up in the 15 years I’ve been using vpns is how can you decide which ones to trust? Are there some sort of “inside” forums or IRC channels where “those who know” know who runs various vpns? A simple statement on a vpn’s website of their good intentions really isn’t worth its screen space. For example Perfect Privacy, which provides a very good quality vpn service with easy triple hopping would seem to be a trustworthy operation based on their statement that they are a group of “privacy advocates”. Until you find out that this group of “privacy advocates” is founded and run by serious neo-Nazis. It seems very hard to determine who is actually behind many of the vpns so you could make a best judgement about their likely trustworthiness. Are there any recognized persons respected in the privacy community that vouch for particular vpns? (similar in principle to reviewing public encryption code). There ought to be. Does EFF for example vouch for the bona fides of any vpns?

    I would like to hear some trusted person vouch for AirVPN for example. I’ve found it very hard to find out anything about who is behind Air, just as it was hard to find out who was behind Perfect Privacy. It would seem nearly dereliction of duty for TLOs not to be operating some vpn honey pots, but how would you identify them? Without some kind of a web of trust, choosing a vpn is nothing more than a crap shoot.

    1. Douglas Crawford says:

      Hi K,

      A web of trust to vouch for VPN providers is an excellent idea (especially if supported by the likes of the EFF)! Unfortunately no such thing currently exists, and I have no idea how it might be implemented, but BestVPN would be very happy to support such an initiative.

      With reference to Perfect Privacy, could you please explain this statement and provide references? Thanks. Edit. ah… this. Ouch, not nice. Thanks for bringing it to my attention.

      1. K says:

        Yes, this is a very distressing accusation against Perfect Privacy. And I wouldn’t say it if there weren’t definitive proof. In this case I will take a conviction by German courts as definitive. Below are two links to publications detailing the German court case against three neo-Nazis, and their relationship to PP. The third link is Wikipedia about one of those convicted. No doubt some further drilling down would reveal many additional connections.

        https://linksunten.indymedia.org/en/node/61004

        http://www.constantinereport.com/austria-home-mozart-liszt-strauss-hitler-neo-nazisvpn-provider-perfect-privacy-run-neo-nazis/

        https://en.wikipedia.org/wiki/Gottfried_K%C3%BCssel

        In 2012 a reference to the above arrests and trial appeared in the Perfect Privacy forums, but very quickly disappeared. I imagine a large percentage of PP users do not know that their (rather high) subscription fees go toward supporting people who advocate this kind of hateful and disgraced ideology. I seem to remember that I stumbled on some web references connecting the convicted neo-Nazis above and Stormfront, one of the largest American and European neo-Nazi groups. But I would encourage anyone interested to verify this independently.

        Re: web of trust for vpns, in the next few days, I’ll try contacting some of the privacy advocacy organizations listed here, https://epic.org/privacy/privacy_resources_faq.html, to see if they can offer some advice on how to go about creating a web of trust for vpns. I’d be happy to collaborate with you and some small group on such a project. Perhaps we can build a critical momentum to make this happen :). Feel free to contact me at my email below. Cheers.

        1. Douglas Crawford says:

          Hi K,

          Thanks for tipping us off about this, we have now updated our Perfect Privacy review to include mention of the issue. It is entirely possible that Perfect Privacy was always unaffiliated with the vile political views of some of its staff, or even if it was, that this may no longer be true. We do, however, feel it an issue customers should be aware of, as many would be horrified to think their subscription fees might contribute to propagating such extremist views. I have emailed you about your web of trust ideas.

        2. NG says:

          One of the best comments on the site. I would try AirVPN but I’m afraid it’s too expensive. I’m sticking to PIA now that they’re offering a discount after my account expired 🙁

  35. Dave says:

    How much processing power would you recommend for the additional layer of SSL?

    I was thinking of buying the Netgear R7000 Nighthawk DD-WRT FlashRouter with 1 GHz.

    1. Douglas Crawford says:

      Hi Dave,

      I’m afraid that I can’t give you a definitive answer on this one, but when Peter reviewed this router he encountered no slowdown when using it for regular VPN. I would guess that it is powerful enough to deal with the extra layer of SSL, but it might be a good idea to ask AirVPN’s own forums just to be sure.

  36. K says:

    Hi, Douglas
    I have to agree with all the previous posters that your review is excellent and IMHO, spot on! I’ve been using Air for about a year, it’s the 5th vpn I’ve used in the last 15 years. The functionality is superb and, as you said, it’s actually very easy (and reliable) to use.

    But, as again you put very nicely, the sort of icy ubertech can be at times frustrating. And I’m pretty tech savvy. At the moment I’m feeling frustrated that some forum posts there were blocked because they weren’t sufficiently tech focused. God forbid you should talk about the political environment of privacy. Well, with Air it seems warm n fuzzy isn’t an option, you have to be satisfied with technical expertise par excellence. Which is what I’ve chosen by re-upping. As a future improvement to their service I would really like to see them add selectable multihop to Eddie. But they don’t seem well disposed to considering suggestions. Perhaps it’s just as well that they remain a smaller niche provider…increasing size often deteriorates quality. It does worry me that the group and all its servers (but one) are located in 15 Eyes countries. It would be comforting to be able to multihop (easily) through non-cooperating political jurisdictions. Cheers.

    1. Douglas Crawford says:

      Hi K,

      Thanks! I will just note that I am dubious about the value of multi-hop connections. The VPN still routes the signal, and so a) adversaries will be easily able to trace a user to the VPN provider, and b) the provider still does the routing, so knows exactly who is connected to what. I am happy, however, for someone to explain why I’m wrong about this.

      1. K says:

        Hi, Douglas

        What you have said is correct if you assume that the vpn provider is compromised, i.e. giving your information to some government organization. If they are protecting your information as they have promised, then it seems it would be much harder for let’s say, the NSA to do backtracking traffic analysis through Russia to China to its originator in i.e. Venezuela. If the vpn is compromised, then 1 or 100 hops is irrelevant. But the same holds true for Tor or any vpn service, if it’s compromised, game over. If the vpn is not compromised, just multi-hopping itself makes traffic analysis exponentially harder with each hop, i.e 100 users on hop one X 100 users on hop two X 100 users on hop three…now you have to sort through 1 million sources for the source of the signal, not 100.

        Also not having the cooperation of the governments where the servers are located would seem to make the problem even harder than having that cooperation which might allow for example physical access to the servers.

        1. Douglas Crawford says:

          Hi K,

          Interesting points, thanks. This only seems to be true, however, if you locate double-hop servers in countries where your primary adversary (say the NSA for argument’s sake) has no reach, which is itself problematic. Russia, for example, is hardly a place where I would want servers protecting my privacy to be located, and China actively tries to block VPN traffic. If we are going to assume the VPN provider is not compromised, then use of shared IPs and Perfect Forward Privacy should thwart all but the most advanced traffic analysis (and if someone capable of this e.g. the NSA is targeting you in this way, then you are probably in big trouble anyway).

          I also think that “the same holds true for Tor” seems wrong, as Tor connections are routed through at least 3 random nodes, and are re-encrypted each time. This makes it all but impossible to trace the route from beginning to end (a very powerful adversary such as the NSA, if it was willing to throw insane resources at pwning enough Tor nodes across the world, might be able to pull this off, but even then, it would be a long shot).

          1. K says:

            I agree with most of your first paragraph. Actually the reach of 5 Eyes within Russia or China is probably only known to 5 Eyes. But it seems at least a bit comforting to think about triple hopping through non-cooperating jurisdictions. But it would depend on who you thought the threat was from; a Russian or Chinese dissident obviously wouldn’t want to use servers in their own countries. Also it would seem logical that a foreign government would be less invested in determining one’s political views, for example.

            As I understand Perfect Forward Secrecy, it wouldn’t really impact on traffic analysis as it only changes keys frequently, but traffic patterns wouldn’t change. But multihopping gives exponential improvements in defeating traffic analysis.

            There are several vpns that offer multihop. Do you know if it’s a sort of common practice to re-encrypt at each hop?

            A real weakness in TOR is that some percent (sometimes a very large percent) of volunteer nodes are controlled by government or hacker groups (sometimes a large percent, especially exit nodes). Also compromising a small number of administrative nodes could give a TOR attacker control over the routing of all TOR traffic. As far as I know this is not known to have happened, but is a theoretical weakness.

            Regards

          2. Douglas Crawford says:

            Hi K,

            1) I think you do have a good point. If the double-hop server is located in a country hostile to your adversary, then it might be useful (but if it is located anywhere else, then I don’t think it is).
            2) True, PFS won’t prevent traffic analysis per se, but it does make it pretty much impossible to compromise an OpenVPN connection (my bad for being unclear).
            3) I know that NordVPN does encrypt data each time it leaves a double-hop server, but then most of its double-hop servers are located in countries friendly to the NSA and most international police forces…
            4) To effectively deanonymise someone on the Tor network the NSA would need to run a lot of those nodes… as I noted earlier, this might be possible, but would require a very large effort.

  37. AirVPN says:

    Hi Douglas,

    very nice review, thanks.

    I would just like to point out a bad mistake in it that you might like to fix. You write: “As we can see on the table, AirVPN uses very strong encryption, although it is probably about time to move away from SHA1 data authentication to something stronger (SHA1 is still considered secure, but may not be for long)”

    The main problem is that you assume that SHA1 is the cipher for packets authentication, either on the Data or the Control Channel. But that was never the case, the cipher is HMAC SHA1 in the Data Channel (or HMAC SHA384 in the Control Channel).

    Let’s assume that collision methods against SHA can be routinely performed: even if that were true, that would not allow an attacker not knowing the HMAC key to make an undetected change in a packet (and therefore inject packets in the flow surreptitiously).

    To bring on the collision attacks on SHA-1 you need to know the state of the SHA-1 chaining variable. The key enters both extremities of the iteration of rounds in which the message (the packet, in our case) stands in HMAC. A much deeper break of SHA-1’s round function would be needed to break HMAC and then starting SHA1 collisions attempts.

    For a mathematical proof that HMAC (and NMAC) provide security without needing collision resistance of the underlying hash algorithm please see this very important paper:
    https://cseweb.ucsd.edu/~mihir/papers/hmac-new.html

    “This paper proves that HMAC is a PRF under the sole assumption that the compression function is a PRF. This recovers a proof based guarantee since no known attacks compromise the pseudorandomness of the compression function, and it also helps explain the resistance-to-attack that HMAC has shown even when implemented with hash functions whose (weak) collision resistance is compromised. We also show that an even weaker-than-PRF condition on the compression function, namely that it is a privacy-preserving MAC, suffices to establish HMAC is a secure MAC as long as the hash function meets the very weak requirement of being computationally almost universal, where again the value lies in the fact that known attacks do not invalidate the assumptions made. ”

    Kind regards and thank you again for the great review.

    Paolo
    AirVPN
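
The argument in the comment above, as an added example that is not part of the original comment or any AirVPN or OpenVPN code: a toy Merkle-Damgård hash with a 32-bit chaining variable (an assumption, chosen so that a collision can be found in seconds) shows that a collision computed offline from the public IV carries over to a naive secret-suffix MAC but not to HMAC, where the key changes the chaining state before the message is processed. The names `toy_hash`, `suffix_mac`, `toy_hmac` and the key are constructed for illustration, and the secret-suffix MAC is included only as a contrast the comment does not itself discuss.

```python
import hashlib
import itertools

STATE_BYTES = 4           # toy 32-bit chaining variable (assumption, so collisions are cheap)
BLOCK = 16                # toy block size in bytes
IV = bytes(STATE_BYTES)   # public, fixed initial chaining value


def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function: SHA-256 of state || block, truncated to 32 bits."""
    return hashlib.sha256(state + block).digest()[:STATE_BYTES]


def pad(msg: bytes) -> bytes:
    """Merkle-Damgard padding: 0x80, zero fill, then the 8-byte message length."""
    padded = msg + b"\x80"
    padded += bytes(-(len(padded) + 8) % BLOCK)
    return padded + len(msg).to_bytes(8, "big")


def toy_hash(msg: bytes) -> bytes:
    """Iterate the compression function over the padded message, starting at IV."""
    state = IV
    data = pad(msg)
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state


def find_collision():
    """Birthday search for two distinct one-block messages that collide from IV.

    This works only because the starting chaining value (IV) is known.
    """
    seen = {}
    for counter in itertools.count():
        block = counter.to_bytes(BLOCK, "big")
        state = compress(IV, block)
        if state in seen:
            return seen[state], block
        seen[state] = block


def suffix_mac(key: bytes, msg: bytes) -> bytes:
    """Naive MAC H(msg || key): the message is hashed from the public IV."""
    return toy_hash(msg + key)


def toy_hmac(key: bytes, msg: bytes) -> bytes:
    """Standard HMAC construction over toy_hash: H(opad-key || H(ipad-key || msg))."""
    if len(key) > BLOCK:
        key = toy_hash(key)
    key = key.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return toy_hash(opad + toy_hash(ipad + msg))


def demo():
    key = b"constructed key!"   # constructed 16-byte secret, unknown to the attacker
    m1, m2 = find_collision()   # computed without the key
    return {
        "messages_differ": m1 != m2,
        "hash_collides": toy_hash(m1) == toy_hash(m2),
        # Same state after block 1 and identical remaining blocks: tags match.
        "suffix_mac_forged": suffix_mac(key, m1) == suffix_mac(key, m2),
        # The keyed first block moves the chaining state, so the collision is lost.
        "hmac_forged": toy_hmac(key, m1) == toy_hmac(key, m2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With a real hash the same construction is available as `hmac.new(key, msg, hashlib.sha1)` in Python's standard library.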

  38. Sebastian says:

    Hi Douglas

    Very nice review, it stands apart from many other VPN reviews I have read.
    I’m an Air-VPN user for the 4th year now and love their service.
    Not long ago I renewed it for the next two years.
    I can agree to your “heavy tech focus” when describing the language and the forum, but there are many nice people writing how to’s and tutorials.
    The three simultaneous connections come very handy when you try to utilize all your broadband bandwidth. I use them in a simultaneous loadbalancing setup with opnsense firewall.
    Keep up the good work!

    Regards
    Sebastian

  39. sangy says:

    AirVPN is surely the best VPN I’ve ever used. The speeds are damn good, it never felt like I was using a VPN. The only problem I faced was with the client. The client often crashed while minimizing the tab. But when it comes to privacy, this is the best.

  40. Max says:

    Hi Douglas, one question,

    I see airvpn has servers in Canada. Is safest to download/p2p from them? I read this

    “Canada has enacted mandatory data logging and monitoring by Internet Providers and VPN service providers based in Canada”.

    Don’t know if this applies to all vpn providers located in Canada, or to all servers no matter where the vpn provider is located (I understand airvpn headquarters are in Italy)

    Thanks!

    1. Douglas Crawford says:

      Hi Max,

      If AirVPN says it’s safe to download then it will be safe. I think the mandatory logging situation in Canada is very “grey” at the moment, and no-one is really sure what is going on (including providers).

      1. Max says:

        Hi Douglas, thanks for your answer.
        Anyone has a good coupon to use (20% or 35% off) for 1 year with airvpn?
        Thanks!

      2. Max says:

        Hi Douglas, one more question about AirVpn, do you know if it protects us from protected copyright holders just in case?
        Thanks!

        1. Douglas Crawford says:

          Hi Max,

          Yes it will. Not only is it dedicated to protecting users’ privacy, but it uses shared IPs and keeps no logs, so it would be almost impossible to hand over users’ details, even somehow if forced to. Note that pretty much all VPN services who permit P2P also protect their customers in the same way.

  41. Mark Stubbs says:

    Hi Douglas,

    Excellent review. I was quite surprised at the low renewal stats that you mentioned. Perhaps as a somewhat regular contributor on the AirVPN forum I/we could perhaps be a little more aware that newbies could be treated with a little more due care and attention. I for one can tend to be a little terse and impatient with what I deem to be ‘daft’ questions or comments from some.

    However, the general feeling is that we point or nudge people to look up stuff for themselves and therefore learn more about the subject by doing so. Need to be somewhere in the middle I guess!

    Best Regards

  42. Artur says:

    Douglas

    As a happy AirVPN user I mostly agree with Your review. Mostly except, Air DNS double-hop. It’s at best patchy. For example BBC iPlayer just doesn’t work on most server locations outside UK. I’m currently on Netherlands servers and can’t connect to iPlayer. This is important, because some people may have false expectations that they can connect to fast, nearby server and stream content from all over the world. This just does not work. However You may, as with any other VPN provider connect to given country and bypass geo-blocking.

    Another important information is that with their subscription You may have up to three simultaneous connections.

    Just my $0,02.

    1. Douglas Crawford says:

      Hi Artur,

      I totally meant to include info about simultaneous connections, but simply forgot. I generally find that the “double-hop routing” works well, but you are right that it is not perfect. Thanks for your input, and I have updated the article accordingly.

  43. Guy Haiar says:

    What part of Airvpn is the most confusing for people who sign up for it?

    1. Douglas Crawford says:

      Hi Guy,

      TBH I don’t find anything that difficult (just download and install the software as per normal), but based on readers’ comments and our market analytics, many potential users seem to be put off by AirVPN’s very techy and jargon-heavy focus.

  44. Rick says:

    Nice Review Douglas and as always I learned something new. So who are some other VPN providers that provide ‘Perfect Forward Secrecy’?
    I just finished a 1 year sub with PIA and signed up with NordVPN. Nord’s servers are noticeably slower and do drop-out quite often. In your opinion which provider has better security features? Do either of them offer Perfect Forward Secrecy? It’s not mentioned anywhere on their website, I assume it’s something their marketing departments would splash on their website. Thanks.

    1. Douglas Crawford says:

      Hi Rick,

      Thanks! To be honest, I don’t know which other services use PFS, but will include this information in any future reviews I do. As for PIA and NordVPN, it is probably best to ask them – I suspect they don’t implement PFS (or as you say, they would shout about it), but asking may encourage them (and other providers) to pull their socks up in this regard!
