gluetun
VPN provider support: AirVPN
- Publicly accessible URL to a structured (JSON etc.) list of servers: https://airvpn.org/api/status/
- Specs: https://airvpn.org/specs/
Wireguard
- Same public key for all users and servers: `PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=`
- Same private key, pre-shared key and address per user
- IP field 1 to use
- Ports supported: 1637 or 47107
OpenVPN
Authentication:
- Unencrypted private key `user.key`
- Certificate `user.crt`
- ⚠️ NO username+password
Supported ciphers:
- OpenVPN 2.5: CHACHA20-POLY1305 AES-256-GCM AES-256-CBC AES-192-GCM AES-192-CBC AES-128-GCM AES-128-CBC
- OpenVPN 2.4: AES-256-CBC (to test)
UDP
| IP field from API | Ports allowed |
| --- | --- |
| 1, 2, 3, 4 | 53, 80, 443, 1194, 2018, 41185 |

```
client
dev tun
remote de.vpn.airdns.org 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
route-delay 5
verb 3
explicit-exit-notify 5
push-peer-info
setenv UV_IPV6 yes
ca "ca.crt"
cert "user.crt"
key "user.key"
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
proto udp
tls-auth "ta.key" 1
```
TCP
IP field - port combinations:
| IP field from API | Ports allowed |
| --- | --- |
| 3, 1 | 53, 80, 443, 1194, 2018, 41185 |
| 2, 4 | 1194, 2018, 41185 |
| 1 | 443 |

```
client
dev tun
remote de.vpn.airdns.org 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
route-delay 5
verb 3
push-peer-info
setenv UV_IPV6 yes
ca "ca.crt"
cert "user.crt"
key "user.key"
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
proto tcp
tls-auth "ta.key" 1
```
File contents
ca.crt:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
ta.key:
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
user.crt format:
-----BEGIN CERTIFICATE-----
J/9HjKvquvbzsE2/gv/XlkTe1sYQXKGx
-----END CERTIFICATE-----
user.key format:
-----BEGIN PRIVATE KEY-----
2riM/JR5fnknWZ5LLbQMGjBUdBlazF8tBdtd1l
-----END PRIVATE KEY-----
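A lint pass that checks an OpenVPN client config against the constraints in the summary above: certificate-only authentication, the OpenVPN 2.5 cipher list, the offered ports, `remote-cert-tls server`, and tls-auth direction 1. This is an added example, not gluetun's code; the name `Lint`, the finding strings and the sample input are assumptions, and it expects an explicit port on the `remote` line as in the configs on this page.

```go
package main

import (
	"fmt"
	"strings"
)

// Space-padded lists copied from the summary above (OpenVPN 2.5 ciphers, widest port set).
const ciphers = " CHACHA20-POLY1305 AES-256-GCM AES-256-CBC AES-192-GCM AES-192-CBC AES-128-GCM AES-128-CBC "
const ports = " 53 80 443 1194 2018 41185 "
// Lint parses client directives and returns one finding per deviation from the summary.
func Lint(conf string) (findings []string) {
	d := map[string][]string{} // directive -> arguments, last occurrence wins
	for _, line := range strings.Split(conf, "\n") {
		f := strings.Fields(strings.SplitN(line, "#", 2)[0])
		if len(f) == 0 {
			continue
		}
		if strings.HasPrefix(f[0], "<") && !strings.HasPrefix(f[0], "</") {
			f = []string{strings.Trim(f[0], "<>"), "inline"} // embedded <ca>, <cert>, <key>, <tls-auth>
		}
		d[f[0]] = f[1:]
	}
	arg := func(name string, i int) string {
		if a := d[name]; i < len(a) {
			return strings.Trim(a[i], `"`)
		}
		return ""
	}
	report := func(bad bool, msg string) {
		if bad {
			findings = append(findings, msg)
		}
	}
	_, userPass := d["auth-user-pass"]
	report(userPass, "auth-user-pass set: the provider uses certificate and key only")
	for _, name := range []string{"ca", "cert", "key", "tls-auth"} {
		report(arg(name, 0) == "", "missing "+name)
	}
	report(arg("remote-cert-tls", 0) != "server", "remote-cert-tls server missing")
	report(!strings.Contains(ciphers, " "+arg("cipher", 0)+" "), "cipher not in supported list: "+arg("cipher", 0))
	report(!strings.Contains(ports, " "+arg("remote", 1)+" "), "port not offered: "+arg("remote", 1))
	report(arg("tls-auth", 1) != "1" && arg("key-direction", 0) != "1", "tls-auth direction is not 1")
	return findings
}

func main() {
	fmt.Println(Lint("client\nremote de.vpn.airdns.org 443\nauth-user-pass\ncipher BF-CBC\n")) // constructed sample
}
```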
Per request... here is the ovpn file (UDP) I was using (cert removed):
```
# --------------------------------------------------------
# Air VPN | https://airvpn.org | Tuesday 23rd of August 2022 08:46:04 PM
# OpenVPN Client Configuration
# AirVPN_Europe_UDP-443
# --------------------------------------------------------
client
dev tun
remote europe.vpn.airdns.org 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
route-delay 5
verb 3
explicit-exit-notify 5
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
proto udp
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
```
It was easy to set up the Wireguard version, so I have abandoned OpenVPN for now.
I'm glad to help re:AirVPN where I can. Thank you.
Nice thanks!
- Can you put their cert please (it's not private information or specific to a user)
- Do they support openvpn TCP? If so would you have an openvpn file for tcp?
- For Wireguard, is your private key AND interface address always the same for multiple servers, or does it change per server? (you can check and compare two servers)
> Can you put their cert please (it's not private information or specific to a user)

Attached.

> Do they support openvpn TCP? If so would you have an openvpn file for tcp?

Yes. See below config
Here are the TCP (443) and UDP (443) configs. The certs and keys are typically embedded. But these configs are for separate certs and keys.
TCP (443)
```
# --------------------------------------------------------
# Air VPN | https://airvpn.org | Monday 5th of September 2022 06:37:29 PM
# OpenVPN Client Configuration
# AirVPN_Germany_TCP-443
# --------------------------------------------------------
client
dev tun
remote de.vpn.airdns.org 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
route-delay 5
verb 3
push-peer-info
setenv UV_IPV6 yes
ca "ca.crt"
cert "user.crt"
key "user.key"
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
proto tcp
tls-auth "ta.key" 1
```
UDP (443)
```
# --------------------------------------------------------
# Air VPN | https://airvpn.org | Monday 5th of September 2022 06:37:29 PM
# OpenVPN Client Configuration
# AirVPN_Germany_UDP-443
# --------------------------------------------------------
client
dev tun
remote de.vpn.airdns.org 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
route-delay 5
verb 3
explicit-exit-notify 5
push-peer-info
setenv UV_IPV6 yes
ca "ca.crt"
cert "user.crt"
key "user.key"
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
proto udp
tls-auth "ta.key" 1
```
> For Wireguard, is your private key AND interface address always the same for multiple servers, or does it change per server?

PublicKey, PresharedKey, and PrivateKey are the same. The Interface address varies (DNS address was constant for my meager sample of 2).
Awesome. A few more things
- Do you use a username+password or just your user.key file?
- ~It looks like those zip files are encrypted with a password, can you send it to me at [email protected] ? Although ca and tls-auth are public key data so nothing to worry about either~
- For user.crt and user.key, can you send me the header (such as BEGIN PRIVATE KEY) only here (not the content)
> The Interface address varies

ah bummer, ok then it's easier to use the custom provider. I'll mention it in the wiki.
> 1. Do you use a username+password or just your user.key file?

Only the user key is required in my docker-compose yaml. Of course, I must log in to my AirVPN account to download the WireGuard configuration details.

> 2. It looks like those zip files are encrypted with a password, can you send it to me at [email protected] ? Although ca and tls-auth are public key data so nothing to worry about either

No encryption. I attached them again as "txt" files (remove the ".txt" extension).

> 3. For user.crt and user.key, can you send me the header (such as BEGIN PRIVATE KEY) only here (not the content)

user.crt
```
-----BEGIN CERTIFICATE-----
J/9HjKvquvbzsE2/gv/XlkTe1sYQXKGx
-----END CERTIFICATE-----
```
user.key
```
-----BEGIN PRIVATE KEY-----
2riM/JR5fnknWZ5LLbQMGjBUdBlazF8tBdtd1l
-----END PRIVATE KEY-----
```
Hope this helps!
Awesome I'll get to it soon for Openvpn.
Regarding Wireguard that's great. However I need each server public key:
- the public key is the same for all servers, please just copy paste it here
- otherwise can you reach out to airvpn and ask them to add the wireguard public key to their status API https://airvpn.org/api/status/ ? If they don't want to, you could alternatively send me all their wireguard config files (removing your interface address and private key) but that's not really nice for future automated server updates.
I'm confused regarding OpenVPN vs WireGuard. The cert I posted was from a combined download for OpenVPN and WireGuard.
I'm not understanding what you need that I have not already provided.
Wireguard doesn't use cert, you usually only plug in a single ini wg.conf file looking like:
```ini
[Interface]
PrivateKey = yPVg4qaobHiPrW0ArLAnfei3/x029iQTHacbMGO7kE=
Address = 192.168.3.9/32
[Peer]
PublicKey = uUZPz3PrwIRUcOIJ4HMMQM4anHGUQFpGqpXCakSXwT4=
AllowedIPs = 0.0.0.0/0
Endpoint = 1.2.3.4:51820
```
Do you have such file(s) for vpn servers?
Here are the connect files for two servers... one in Austria, one in New Zealand. This includes certs, ta, and basic ovpn config files for udp and tcp.
This download is available for 24 hours! Download here
Sorry I didn't download it in time. On the other hand, Wireguard is just a single config file (as mentioned above) per server (and not OpenVPN/certs/ta), so do you have such files? (also don't forget to remove your PrivateKey field)
If so, can you send the temporary link to [email protected] just to be sure no-one gets them? I already have the necessary openvpn files for now as far as I know, so no need to re-send them. I'm just curious about Wireguard now.
Thanks!
```ini
[Interface]
Address = 10.183.235.239/10, fd7d:76ee:e68f:a993:7f75:ac6f:a543:5df3/48
PrivateKey = xxxxxxx=
DNS = 10.128.0.1, fd7d:76ee:e68f:a993::1
[Peer]
PublicKey = PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=
PresharedKey = xxxxxxx=
Endpoint = xxx.xxx.xxx.xxx
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 15
```
Can you try `qmcgaw/gluetun:pr-1145` with for OpenVPN?
For Wireguard, can you clarify
- Is the pre-shared key the same for all their servers?
- Is the `PublicKey` field the same for all their servers (it shouldn't but asking just in case)
Does airvpn have any contact email address perhaps? You may be able to answer, but asking them would be much more efficient. In particular I would need to know about Wireguard:
- Is the PublicKey server-specific or user-specific? If it is user-specific let's stop the questions here; otherwise:
- Where can I get the public key for each server? Could we have them as part of their HTTP servers status API?
- Are all the IPs listed in their servers status API response supporting both OpenVPN and Wireguard?
> For Wireguard, can you clarify
> - Is the pre-shared key the same for all their servers?
> - Is the `PublicKey` field the same for all their servers (it shouldn't but asking just in case)

I can't sample all their servers. But a sample size of 2, one from Dallas TX USA, and the other from Prague... the PresharedKey and the PublicKey were each identical between locations.

> Does airvpn have any contact email address perhaps?

> Can you try `qmcgaw/gluetun:pr-1145` for OpenVPN?

Hopefully, tomorrow. Thanks!
Awesome, I emailed them. If the public key is the same for all, that should simplify things quite a bit (hopefully it's not user specific). Can you share one endpoint though? I'm curious if the ip is listed on their servers status API and what port it uses. And then I should be good to go wireguard-wise (at least to try it before their support replies)
> Can you share one endpoint though? I'm curious if the ip is listed on their servers status API and what port it uses.

- From a Dallas server (there are 9): Endpoint = 199.249.230.26:1637
- From a Prague server (there are 4): Endpoint = 89.238.166.234:1637
- From a combined "Asia" server list: Endpoint = asia.vpn.airdns.org:1637
Awesome! Yes these are part of AirVPN's web API response. I also got a detailed reply from their support by email. The test image may not work, I'll re-do some changes/fixes later.
> The test image may not work, I'll re-do some changes/fixes later.

Fine. I'll hold off for now. My existing WireGuard Gluetun is working well. Thanks!
Both OpenVPN and Wireguard implementation are up in https://github.com/qdm12/gluetun/pull/1145 with instructions feel free to try it.
I tested it with an AirVPN account they were nice enough to give me for free 😉 I'll merge it soon, I just need to iron a few tiny details with airvpn support.
Thanks. I'll test on a Synology NAS first.
I'll wait until the "official" release on my production machines, as I need to "stack" my docker compose files for the containers that run through Gluetun ... as with every Gluetun container image update, my client containers (ex. jackett) won't reconnect unless I manually restart their containers.
thank you! =D
```
VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: airvpn
|   |   └── Server selection settings:
|   |       ├── VPN type: openvpn
|   |       └── OpenVPN server selection settings:
|   |           └── Protocol: UDP
```
Testing it now, and it looks to be working well! I did need to rename my key and certificate files to client.key and client.crt for them to be recognized. The SERVER_COUNTRIES environment variable appears to be doing its job. I set mine to Canada, and connected a few times, with each connection resulting in a different Canadian server selected -- which is perfect.
What other environment variables are available?
Here's my stack as implemented in Portainer, which includes a linked Firefox container for testing:
```yaml
version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun:pr-1145
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    ports:
      - 8100:8000 # Remote Control VPN
      - 3000:3000 # Firefox
    environment:
      - VPN_SERVICE_PROVIDER=airvpn
      - VPN_TYPE=openvpn
      - SERVER_COUNTRIES=Canada
      - PUID=1000
      - PGID=1000
      - TZ=America/Denver
    volumes:
      - /data/openvpn:/gluetun
  firefox:
    image: lscr.io/linuxserver/firefox:latest
    container_name: firefox
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Denver
    volumes:
      - /data/firefox:/config
    shm_size: "1gb"
    network_mode: 'service:gluetun'
    depends_on:
      - gluetun
```
And, the results from ipleak.net using the linked Firefox container:
Support is finalised in the latest image with commit https://github.com/qdm12/gluetun/commit/f15dde6502cfccd2d322852807dad18544020d16
Documentation is available at https://github.com/qdm12/gluetun/wiki/AirVPN
Thank you all for your patience and testing the image!