Douglas Crawford

Douglas Crawford

February 10, 2016

AirVPN is an Italian VPN provider, which proudly boasts how it was setup by “hacktivists and activists” pays an almost unrivaled concern to maintaining users’ privacy.I will start this review by noting that after using it as my personal VPN service for around two years, I am a bigger fan than ever of AirVPN. It also employs excellent encryption and security measures, and offers fantastic privacy enhancing features (such as VPN over SSL and VPN through Tor). In my experience, AirVPN is also almost certainly the fastest and most stable VPN service I have ever used. And yet…

BestVPN’s analytics show that while initial signup rates to AirVPN are quite high, most users do not renew /blog/25587/why-were-changing-our-vpn-review-speed-tests/their subscriptions. It therefore seems that many out there have tried the service, but simply don’t like it. I can’t argue with figures, and have kept this fact in mind while writing this review.

Pricing & Plans

AirVPN charges €7 (approx. $8 USD) for a month’s subscription, with the usual discounts available for bulk purchases, going down to €4.50 (approx. $5 USD) if an annual subscription is purchased. A 3-day free trial is available upon written request, or if you are impatient, a 3-day subscription can be had for €1.

AirVPN prices

/blog/29990/vpn-encryption-terms-explained-aes-vs-rsa-vs-sha-etc/

 All subscriptions provide full access to all of AirVPN’s features, making AirVPN a fairly low-cost option when compared to many rival services.

AirVPN payment methods

AirVPN accepts payment via PayPal and an impressively wide range of payment processors, meaning that users in parts of the world otherwise often discriminated against when making international payments should encounter no problems when purchasing a subscription. It also accepts payment via not only Bitcoin, but also via almost any other cryptocurrency you care to name.

Features

AirVPN is based in Italy and offers servers in 15 countries, most of which are in Europe except for those in the US, Canada, and Hong Kong. Compared to some providers this is not a lot, but does cover the most popular locations.

AirVPN only supports the OpenVPN protocol, regarding PPTP and even L2TP/IPsec as being too insecure (the jury is out on IPSec, but OpenVPN is defiantly secure, and is generally regarded as the best VPN protocol available for commercial use).  Given that OpenVPN now runs on all major platforms (except Blackberry and Windows Mobile), this is unlikely to be a problem for most users.

Users are allowed up to 3 simultaneous connections (perfect for connecting your PC, phone, and tablet all at once).

DNS Routing

With more and more streaming services blocking users from bypassing their geo-restrictions by using VPN and other geo-spoofing technologies, AirVPN’s fancy DNS routing system that “double-hops” your connection through internal servers in order to bypass such censorship is very welcome. This is a great VPN for iPlayer and other streaming services such as Hulu.

dns routing

This means that even when connected to VPN servers outside the US or UK, this is a VPN that works with hulu and BBC iPlayer (it is not even necessary to connect to a VPN server in the country which hosts the geo-restricted service!). In use I find this generally works well… but not always. In these situations simply connecting to a server located in the desired country has always worked for me.

I should also note that visiting Netflix.com takes me a local version of the website (based on my VPN server’s IP address).

VPN through Tor

Along with BolehVPN, AirVPN is the only service I know of to offer VPN through Tor, where you connect first to the Tor network, then to AirVPN. When also using an anonymous payment method (for example properly mixed Bitcoins), this means that AirVPN cannot know who you are, as it does not see your real IP address.

VPN through Tor affords a very high level of true anonymity, something not usually possible with VPN. It is therefore usually regarded as the best way to combine the privacy benefits of VPN and Tor, although the fact that AirVPN presents a fixed point in the chain that could potentially be compromised is a point to bear in mind.

AirVPN also provides instructions for using the Tor browser to achieve secure Tor through VPN (which is much more secure than the “transparent bridge” Tor through VPN feature offered by some providers). For a full discussion on this issue, please see 5 Best VPNs when using Tor.

Alternative ports, SSL and SSH tunneling

It is rare for VPNs to be blocked, but it happens in places such as China and Iran (although this is usually only partially effective). AirVPN allows you to counter such measures by running OpenVPN traffic over TCP port 443, which is the same port used by regular SSL traffic (the encryption standard used by the whole internet to make websites and internet services secure).

This makes OpenVPN traffic look just like regular SSL traffic, which both hides it, and makes it very difficult to block (as doing so effectively breaks the internet!)

AirVPN port settings

Port settings are easily changed in the client. In addition to TCP port 443, you can evade censorship by switching a variety of ports that are unlikely to be blocked

A very determined adversary, however, can perform sophisticated deep-packet inspection to discover that VPN protocols are being used (and places such as China are not above breaking the internet for users!).

tunnel_ssl

AirVPN’s answer to this is to allow users to wrap their OpenVPN encrypted data inside yet another layer of encryption (SSL or SSH). This should foil pretty much any method employed to detect the use of VPN (the NSA may be able to decrypt the old SSH protocol, so I recommend SSL tunneling if required).

SSL and SSH tunneling makes this a great VPN in China and more than capable of defeating the Great Firewall of China, but it should be noted that both require additional processing power for the additional layer of encryption, which will slow down your internet connection.

Remote port forwarding is also available for users who require up to 20 open ports for incoming connections , which is useful for self-hosted websites and games servers.

Visit AirVPN »

Security & Privacy

As we can see on the table, AirVPN uses very strong encryption.*

OpenVPN Encryption
Cipher
AES-256-CBC
Data Auth
HMAC SHA1
Handshake
RSA-4096
Control Auth
HMAC SHA384
Forward Secrecy
DHE-4096
Logs & Legal
Connection
None
Traffic
None
Country
Italy
It almost goes without saying that AirVPN keeps no logs and uses shared IP addresses, and is one of the very few VPN providers to implement Perfect Forward Secrecy (without which OpenVPN should not be considered particularly secure). For this it uses 4096-bit Diffie-Hellman keys, which are refreshed every 60 minutes (or can be set to more often via the client).

Thanks to this, AirVPN was always immune to the potential Logjam attacks exposed by researchers last year. It was also immune by the recent “port fail” vulnerability that affected many VPN services, thanks to its use of separate entry and exit IP addresses on each VPN server. Furthermore, AirVPN is one of the very few VPN providers to protect users against the WebRTC bug (and as we shall see, DNS leak protection and a killswitch are also provided courtesy the desktop client).

As discussed above, AirVPN also offers various (optional) technologies that make using VPN extremely secure and private (and thanks to VPN through Tor, potentially even truly anonymous – especially given the wealth of anonymous payment methods that AirVPN accepts).

In my view, in terms of both technical innovation and excellence, plus its attention to detail in protecting customers’ privacy, there is no other service out there that can touch AirVPN.

It is worth noting, however, that the language AirVPN uses to describe both the purpose of its technology, and how it should be setup, can best be described terse and laden jargon-laden. Looking through AirVPN’s documentation, it soon becomes clear why mainstream users might run away!

Another potential issue is that AirVPN is based in Italy, a member of the Fourteen Eyes spying alliance that cooperates with the NSA and GCHQ. This is defiantly not ideal, and Italy is also not very friendly when it comes to copyright piracy.

On the other hand, though, even before the EU EU Data Retention Directive was declared invalid by the European Court of Justice on human rights grounds, Italian VPN providers were not required to keep any logs.  AirVPN says if any such demands were ever made of it by any EU country it operates in, it would bring the case in front of the ECJ.

AirVPN is happy for users to P2P download from any of its servers.

The website

The AirVPN website looks functional rather than pretty, an impression not improved by the often very jargon-heavy language used, with terminology that only more advanced encryption junkies are likely to understand. This is almost certainly (and this is backed up comments from our readers) very off-putting to not just casual users, but even those with above-average technical understanding.

AirVPN stats 2

An exception to this general techies-only presentation style is the beautiful looking server statistics, which make it easy to see details such as load, number of users, ping times, routing and more at a glance.

Support

Support is mainly provided via AirVPNs extensive forums. Unfortunately, the discussions tend towards the very techy, and it is not surprising that many users might find them highly intimidating (do you see a theme developing here?).

On the plus side, the forums provide a treasure-trove of VPN related knowledge, and the AirVPN team’s willingness to discuss intimate details of their operation (backed up by what is clearly strong technical knowledge) is a breath of fresh air in an industry where support often either only provides simple answers to complex questions, or even worse, does not seem to have a clue what its taking about!

In addition to posting questions for the forums, you can email (ticket system) the AirVPN team directly. I have tried this in the past, and found that it can take up to a day to receive a reply, but that the reply is invariably comprehensive.

The Process

Signing Up

Signing up for AirVPN is easy and painless, with the only personal information requested being a valid email address (AirVPN actively encourages users to deploy a disposable email address for this).

Bitcoin payments are made via CoinBase, while other cryptocurrency payments are handled through CoinPaymnents. Once payment is made you will receive a welcome email containing some useful links. Unlike some providers, no account details are sent via plaintext email – you choose your login name and password during signup.

The AirVPN Windows VPN client

AirVPN calls its custom desktop client (also available for Mac OSX Mavericks and Yosemite, and Linux) “Eddie”, and the first nothing to note it about is that Eddie is fully open source. This means that it can be independently audited to ensure nothing untoward is going on, and I wish that more VPN providers would open source their software.

AirVPN Eddie 1

Eddie features DNS leak protection, dynamic server selection, and lots of stats to help you decide on the best server to connect to.

AirVPN Eddie 2

Lots of information!

AirVPN logs

Thanks to real-time logs, it is possible to keep an eye on exactly what Eddie is doing (if you have the knowledge to understand them!).

AirVPN Eddie 4

The lock to the top right indicates that “Network Lock” is enabled. This creates a firewall that prevents any traffic from entering or exiting the computer outside the VPN tunnel to AirVPN’s servers. AirVPN offers good DNS leak protection even without Network Lock enabled (I have never encountered a DNS leak using the service), but Network Lock should ensure DNS leaks are impossible, while also acting as a killswitch.

This setup should also prevent IP leaks due to the WebRTC “bug”, but on my system the Network Lock firewall conflicts with my regular firewall, preventing this feature from working. As this cannot be resolved without completely uninstalling my firewall (something I am not willing to do) I have been unable to check, but in theory this feature should work fine.

Eddie does not properly route IPv6 requests, but does disable IPv6 in order to prevent DNS leaks (it is difficult to slam AirVPN too hard over this, as other than Mullvad , no provider handles DNS requests properly).

The only real issue I have with Eddie is that it changes the Windows DNS settings. This is usually  a good thing as it ensures  all DNS requests are resolved by AirVPN’s servers, but if for any reason the client shuts down suddenly, I need to manually reset the DNS settings before I can connect to the internet again (Control Panel -> Network and Sharing Center -> Change adapter settings -> right-click connection -> Properties -> select Internet Protocol Version 4 -> Properties -> Preferred DNS server: 8.8.8.8).

Eddie is probably the most fully featured VPN client I have ever used. As with most things related to AirVPN, though, it has a techy focus, and uses terms that even an experienced VPN user such as myself sometimes needs research in order to fully understand.

Performance (Speed, DNS, WebRTC and IPv6 Tests)

Speed tests were performed on a 50Mbps/3Mbps UK broadband connection.

AirVPN_download
AirVPN_upload b
Graphs show highest, lowest and average speeds for each server and location. See our full speed test explanation for more detail.

As we can see, the results are pretty good, although (slightly oddly) it is quicker for me to connect to a server in the Netherlands than in the UK. US performance from the UK is very solid.

Even without Network lock enabled I have never encountered DNS leak issue, and as noted previously, Eddie prevents IPv6 leaks and (if Network Lock is enabled) WebRTC leaks. Anecdotally, I very rarely suffer VPN dropouts when using AirVPN.

Other Platforms

In addition to the Eddie desktop client, AirVPN provides setup instructions for Android (using OpenVPN for Android, OpenVPN Client for Android and OpenVPN Connect) and iOS (using OpenVPN Connect) devices, and DD-WRT and Tomato routers.

Personally, I use OpenVPN for Android, and find that it works flawlessly. The app quickly reconnects when I move between routers or switch from mobile to WiFi connections, and I detect no DNS leaks. OpenVPN for Android can even be configured to act as a killswitch!

Conclusion

I liked

  • No logs
  • Strong encryption (including Perfect Forward Secrecy)
  • Open source client with DNS leak protection, killswich and WebRTC “bug” protection
  • VPN over Tor
  • SSL and SSH tunnelling
  • Port forwarding
  • Accepts Bitcoins (and other crypto-currency)
  • DNS routing to evade VPN blocks
  • 3-day free trial
  • Fast and stable
  • 3 simultaneous connections
  • Website is a fantastic repository of VPN knowledge
  • P2P: ok

I wasn’t so sure about

  • Not a huge number of server locations
  • Italy is not an ideal location

I hated

  • All aspects of the service suffer from assuming that users have a PhD in arcane VPN configuration lore

Even describing what the myriad of AirVPN’s features do in this review amply demonstrates the strengths of this service, but also why many users struggle with it. In terms of dedication to privacy, cool features, and technical know-how, AirVPN is very impressive – in fact in my opinion no-one else on the market can touch it in these regards.

But (and this is big but!) AirVPN clearly fails to engage with a wider audience due to its impenetrably tech-heavy focus. In many ways this is unfair, as the AirVPN client is easy to use (just download and run!), and it seems churlish to criticize a service for its meticulous attention to detail and for offering a slew of features rarely available elsewhere (if at all).

If we take a quick look at the discussions on the forums, however, or even much of the documentation designed to help new users, or how options are presented in the client, it is easy to see why both visitors to the website and existing become intimidated!

As such (and great as I think it is), AirVPN should probably be regarded as a niche service aimed at tech-heads and privacy junkies, rather than one suitable for a mainstream VPN audience.

Visit AirVPN »

*The privacy and security section of this article has been updated following AirVPN contacting me to clear up some errors/confusion, the most notable of which  relate to the use of HMAC SHA1 authentication on data and control channels. I am now convinced that HMAC SHA1 is very secure. Please see the comments section of this article for AirVPN’s in-depth reasoning.