Can't get Private Internet Access VPN working on Merlin 380.60_beta2

p1r473

Regular Contributor
Hello, thank you for taking the time to read my thread.

My VPN provider, PIA, offers 2 OpenVPN config files: A default, and a strong one. Neither one is working for me.

The default one is located at https://www.privateinternetaccess.com/openvpn/openvpn.zip and the strong one is located at https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip

When I upload my openvpn file to Merlin, here are the SysLog errors I am getting:

For the strong config file:
Jul 12 01:04:22 openvpn[2522]: SIGUSR1[soft,tls-error] received, process restarting
Jul 12 01:04:23 kernel: ACCEPT IN=ppp0 OUT=br0 SRC=54.229.136.189 DST=192.168.1.69 LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=53484 DF PROTO=TCP SPT=11366 DPT=32400 SEQ=3886525315 ACK=0 WINDOW=17922 RES=0x00 SYN URGP=0 OPT (020405AC0402080A4D307B6F000000000103030A)
Jul 12 01:04:24 openvpn[2522]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 12 01:04:24 openvpn[2522]: UDPv4 link local: [undef]
Jul 12 01:04:24 openvpn[2522]: UDPv4 link remote: [AF_INET]173.199.65.58:1197
Jul 12 01:04:24 openvpn[2522]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=8c254ec1297ae42c58ff84d3c2e4cc26, name=8c254ec1297ae42c58ff84d3c2e4cc26
Jul 12 01:04:24 openvpn[2522]: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Jul 12 01:04:24 openvpn[2522]: TLS_ERROR: BIO read tls_read_plaintext error
Jul 12 01:04:24 openvpn[2522]: TLS Error: TLS object -> incoming plaintext read error
Jul 12 01:04:24 openvpn[2522]: TLS Error: TLS handshake failed


And the default config file:

Jul 12 01:09:25 rc_service: httpds 584:notify_rc restart_vpnclient1
Jul 12 01:09:26 openvpn[3257]: event_wait : Interrupted system call (code=4)
Jul 12 01:09:26 openvpn[3257]: vpnrouting.sh tun11 1500 1542 10.134.1.6 10.134.1.5 init
Jul 12 01:09:26 openvpn-routing: Configuring policy rules for client 1
Jul 12 01:09:26 openvpn-routing: Flushing client routing table
Jul 12 01:09:26 openvpn-routing: Completed routing policy configuration for client 1
Jul 12 01:09:26 openvpn[3257]: /usr/sbin/ip addr del dev tun11 local 10.134.1.6 peer 10.134.1.5
Jul 12 01:09:26 openvpn[3257]: SIGTERM[hard,] received, process exiting
Jul 12 01:09:27 kernel: EMF_ERROR: Interface tun11 doesn't exist
Jul 12 01:09:27 kernel: EMF_ERROR: Interface tap11 doesn't exist
Jul 12 01:09:27 openvpn[3614]: OpenVPN 2.3.11 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jun 22 2016
Jul 12 01:09:27 openvpn[3614]: library versions: OpenSSL 1.0.2h 3 May 2016, LZO 2.08
Jul 12 01:09:27 openvpn[3619]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 12 01:09:27 openvpn[3619]: UDPv4 link local: [undef]
Jul 12 01:09:27 openvpn[3619]: UDPv4 link remote: [AF_INET]173.199.65.30:1198
Jul 12 01:09:27 openvpn[3619]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jul 12 01:09:28 openvpn[3619]: [4d37dfffdf92f3c7c26dbe09d6f3034f] Peer Connection Initiated with [AF_INET]173.199.65.30:1198
Jul 12 01:09:30 openvpn[3619]: TUN/TAP device tun11 opened
Jul 12 01:09:30 openvpn[3619]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jul 12 01:09:30 openvpn[3619]: /usr/sbin/ip link set dev tun11 up mtu 1500
Jul 12 01:09:30 openvpn[3619]: /usr/sbin/ip addr add dev tun11 local 10.104.1.6 peer 10.104.1.5
Jul 12 01:09:33 openvpn-routing: Skipping, client 1 not in routing policy mode
Jul 12 01:09:33 openvpn[3619]: Initialization Sequence Completed
Jul 12 01:09:40 openvpn[3619]: Authenticate/Decrypt packet error: cipher final failed
Jul 12 01:09:50 openvpn[3619]: Authenticate/Decrypt packet error: cipher final failed
Jul 12 01:10:00 openvpn[3619]: Authenticate/Decrypt packet error: cipher final failed
Jul 12 01:10:10 openvpn[3619]: Authenticate/Decrypt packet error: cipher final failed

I am putting my username and password in, and pasting their CA in. Check screenshots at the bottom of the post.

I have also tried 2 more approaches, manually putting all the commands from the conf file into the dropdowns and fields instead of importing the .ovpn, and I have also tried following PIA's unofficial help for Merlin routers located at https://support.privateinternetaccess.com/Knowledgebase/Article/View/142

I've also tried toggling some fields such as Username / Password Auth. Only, Encryption cipher, and Auth digest

Please, help! Ideally, I'd like the strong config file working.

4WtmgQ8.jpg
VaMw2kf.jpg
 
I've been trying other commands too and no luck.

persist-key
persist-tun
nobind
tls-client
auth-nocache
remote-cert-tls server
verb 1
comp-lzo
auth-nocache
ns-cert-type server
mssfix 0
mtu-disc yes


I wish I could just upload the .ovpn and be done with it! Sadly it seems much more difficult

Jul 12 02:24:03 openvpn[20679]: LZO compression initialized
Jul 12 02:24:04 openvpn[20679]: Control Channel MTU parms [ L:1570 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Jul 12 02:24:04 openvpn[20679]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Jul 12 02:24:04 openvpn[20679]: Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:143 ET:0 EL:3 AF:3/1 ]
Jul 12 02:24:04 openvpn[20679]: Local Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Jul 12 02:24:04 openvpn[20679]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Jul 12 02:24:04 openvpn[20679]: Local Options hash (VER=V4): 'fc8ba345'
Jul 12 02:24:04 openvpn[20679]: Expected Remote Options hash (VER=V4): '79a26cd9'
Jul 12 02:24:04 openvpn[20679]: UDPv4 link local: [undef]
Jul 12 02:24:04 openvpn[20679]: UDPv4 link remote: [AF_INET]173.199.65.28:1197
Jul 12 02:24:04 openvpn[20679]: TLS: Initial packet from [AF_INET]173.199.65.28:1197, sid=1f81571c de0c0789
Jul 12 02:24:04 openvpn[20679]: VERIFY OK: depth=1, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
Jul 12 02:24:04 openvpn[20679]: VERIFY OK: nsCertType=SERVER
Jul 12 02:24:04 openvpn[20679]: Validating certificate key usage
Jul 12 02:24:04 openvpn[20679]: ++ Certificate has key usage 00a0, expects 00a0
Jul 12 02:24:04 openvpn[20679]: VERIFY KU OK
Jul 12 02:24:04 openvpn[20679]: Validating certificate extended key usage
Jul 12 02:24:04 openvpn[20679]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jul 12 02:24:04 openvpn[20679]: VERIFY EKU OK
Jul 12 02:24:04 openvpn[20679]: VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=3fa752cea43d909ac8c5f7f5fb93b230, name=3fa752cea43d909ac8c5f7f5fb93b230
Jul 12 02:24:06 openvpn[20679]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1542'
Jul 12 02:24:06 openvpn[20679]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Jul 12 02:24:06 openvpn[20679]: WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Jul 12 02:24:06 openvpn[20679]: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Jul 12 02:24:06 openvpn[20679]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jul 12 02:24:06 openvpn[20679]: Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 12 02:24:06 openvpn[20679]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jul 12 02:24:06 openvpn[20679]: Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 12 02:24:06 openvpn[20679]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Jul 12 02:24:06 openvpn[20679]: [3fa752cea43d909ac8c5f7f5fb93b230] Peer Connection Initiated with [AF_INET]173.199.65.28:1197
Jul 12 02:24:08 openvpn[20679]: SENT CONTROL [3fa752cea43d909ac8c5f7f5fb93b230]: 'PUSH_REQUEST' (status=1)
Jul 12 02:24:08 openvpn[20679]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.120.1.1,topology net30,ifconfig 10.120.1.6 10.120.1.5'
Jul 12 02:24:08 openvpn[20679]: OPTIONS IMPORT: timers and/or timeouts modified
Jul 12 02:24:08 openvpn[20679]: OPTIONS IMPORT: LZO parms modified
Jul 12 02:24:08 openvpn[20679]: OPTIONS IMPORT: --ifconfig/up options modified
Jul 12 02:24:08 openvpn[20679]: OPTIONS IMPORT: route options modified
Jul 12 02:24:08 openvpn[20679]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jul 12 02:24:08 openvpn[20679]: TUN/TAP device tun11 opened
Jul 12 02:24:08 openvpn[20679]: TUN/TAP TX queue length set to 100
Jul 12 02:24:08 openvpn[20679]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jul 12 02:24:08 openvpn[20679]: /usr/sbin/ip link set dev tun11 up mtu 1500
Jul 12 02:24:08 openvpn[20679]: /usr/sbin/ip addr add dev tun11 local 10.120.1.6 peer 10.120.1.5
Jul 12 02:24:08 openvpn[20679]: updown.sh tun11 1500 1570 10.120.1.6 10.120.1.5 init
Jul 12 02:24:08 rc_service: service 20743:notify_rc updateresolv
Jul 12 02:24:10 openvpn[20679]: /usr/sbin/ip route add 173.199.65.28/32 via 10.11.2.1
Jul 12 02:24:11 openvpn[20679]: /usr/sbin/ip route add 0.0.0.0/1 via 10.120.1.5
Jul 12 02:24:11 openvpn[20679]: /usr/sbin/ip route add 128.0.0.0/1 via 10.120.1.5
Jul 12 02:24:11 openvpn[20679]: /usr/sbin/ip route add 10.120.1.1/32 via 10.120.1.5
Jul 12 02:24:11 openvpn-routing: Skipping, client 1 not in routing policy mode
Jul 12 02:24:11 openvpn[20679]: Initialization Sequence Completed
 
Does the title of the topic imply it was working before you upgraded your firmware?

Is it worth sending the logs to PIA Support for advice?
 
Here is your problem:
Code:
Jul 12 02:24:06 openvpn[20679]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1542'
Jul 12 02:24:06 openvpn[20679]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Jul 12 02:24:06 openvpn[20679]: WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Jul 12 02:24:06 openvpn[20679]: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Adjust this to get it working and remove all custom fixes, at least for now, to test. Only add this: remote-cert-tls server

And you may set this: Extra HMAC Authorization (tls-auth) outgoing to "1" (one)
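
The warnings quoted in the post above can be pulled out of a router syslog automatically. The following is an added example, not part of the original post or of any project's code: it extracts each client/server option mismatch, plus the certificate-verify and decrypt errors that appear earlier in the thread. The sample lines are constructed from the thread's own log excerpts, and the function names are hypothetical.

```python
import re

# Constructed sample: syslog lines taken from the excerpts in this thread
# (the VERIFY ERROR subject is abridged). They come from different attempts.
SAMPLE_LOG = """\
Jul 12 02:24:06 openvpn[20679]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1542'
Jul 12 02:24:06 openvpn[20679]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Jul 12 02:24:06 openvpn[20679]: WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Jul 12 02:24:06 openvpn[20679]: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Jul 12 01:09:40 openvpn[3619]: Authenticate/Decrypt packet error: cipher final failed
Jul 12 01:09:50 openvpn[3619]: Authenticate/Decrypt packet error: cipher final failed
Jul 12 01:04:24 openvpn[2522]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=US, ST=CA
"""

# Consistency warning: "local" is this side (the router client), "remote" the peer.
MISMATCH = re.compile(
    r"WARNING: '(?P<opt>[^']+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
VERIFY = re.compile(r"VERIFY ERROR: depth=(?P<depth>\d+), error=(?P<err>[^:]+):")
DECRYPT = "Authenticate/Decrypt packet error"

def _value(opt, text):
    """Strip the option name: 'cipher AES-256-CBC' -> 'AES-256-CBC'."""
    return text[len(opt):].strip() if text.startswith(opt) else text

def analyze(log_text):
    """Summarise the three failure signatures seen in the thread's logs."""
    report = {"mismatches": {}, "verify_errors": [], "decrypt_errors": 0}
    for line in log_text.splitlines():
        m = MISMATCH.search(line)
        v = VERIFY.search(line)
        if m:
            opt = m["opt"]
            report["mismatches"][opt] = (_value(opt, m["local"]),
                                         _value(opt, m["remote"]))
        elif v:
            report["verify_errors"].append((int(v["depth"]), v["err"].strip()))
        elif DECRYPT in line:
            report["decrypt_errors"] += 1
    return report

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for opt, (local, remote) in result["mismatches"].items():
        print(f"{opt:9} client={local:12} server={remote}")
    for depth, err in result["verify_errors"]:
        print(f"certificate chain failed at depth {depth}: {err}")
    print("data-channel decrypt errors:", result["decrypt_errors"])
```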
 
Here is your problem:
Code:
Jul 12 02:24:06 openvpn[20679]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1542'
Jul 12 02:24:06 openvpn[20679]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Jul 12 02:24:06 openvpn[20679]: WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Jul 12 02:24:06 openvpn[20679]: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Adjust this to get it working and remove all custom fixes, at least for now, to test. Only add this: remote-cert-tls server

And you may set this: Extra HMAC Authorization (tls-auth) to "1" (one)
Also of note. PIA has removed Russian presence and are asking customers to update their clients and/or apps and openvpn config files. This was sent to customers by email last night.
 
I have also tried following PIA's unofficial help for Merlin routers located at https://support.privateinternetaccess.com/Knowledgebase/Article/View/142
...
Please, help! Ideally, I'd like the strong config file working

I used PIA VPN with Tomato firmware for about a year; the setup is very much the same as Merlin FW. IIRC, 256-bit (strong) encryption is only available using PIA's client software. So, I would recommend getting it working with the default 128-bit BF-CBC encryption and default auth settings and then experiment from there. You must have the correct port set which matches the encryption you have chosen. The default, 128-bit BF-CBC uses port 1194.

I would forget about importing the .ovpn files and configure manually using the guide you linked (quoted above), except for the following changes:

Change “Basic Settings” section, set “Start with WAN” from “Yes” to "No". You can turn this on later after you get things working. Turn VPN off and on manually until then.
Change "Accept DNS Configuration” from “Strict” to "Exclusive". "Strict" breaks things in Merlin FW and it's probably not what you want anyway.
The recommended custom settings either overlap with the GUI, or are not needed, so ignore them. You can try the following custom settings which will help with a couple of the warnings:
remote-cert-tls server
auth-nocache

Good luck!
 
Have you imported your certificate? Have you tried resetting to factory defaults?
I use it on 380.60 beta 2 and PIA runs fine....
 
I am having the same issue, it indicates that it has connected, but I have no internet connectivity. Tried many recommended alternative settings to no avail.
The system log doesn't show anything devious:
Jul 14 12:47:33 rc_service: httpd 552:notify_rc start_vpnclient1
Jul 14 12:47:34 openvpn[9507]: OpenVPN 2.3.11 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jun 22 2016
Jul 14 12:47:34 openvpn[9507]: library versions: OpenSSL 1.0.2h 3 May 2016, LZO 2.08
Jul 14 12:47:34 openvpn[9508]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 14 12:47:35 openvpn[9508]: UDPv4 link local: [undef]
Jul 14 12:47:35 openvpn[9508]: UDPv4 link remote: [AF_INET]168.1.6.48:1197
Jul 14 12:47:35 openvpn[9508]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jul 14 12:47:37 openvpn[9508]: [6492a5cc3729709495e40f85cb6de923] Peer Connection Initiated with [AF_INET]168.1.6.48:1197
Jul 14 12:47:39 openvpn[9508]: TUN/TAP device tun11 opened
Jul 14 12:47:39 openvpn[9508]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jul 14 12:47:39 openvpn[9508]: /usr/sbin/ip link set dev tun11 up mtu 1500
Jul 14 12:47:39 openvpn[9508]: /usr/sbin/ip addr add dev tun11 local 10.141.1.6 peer 10.141.1.5
Jul 14 12:47:42 openvpn-routing: Skipping, client 1 not in routing policy mode
Jul 14 12:47:42 openvpn[9508]: Initialization Sequence Completed
 
This is what fixed my issue.
Change port back to 1194. And insert my old certificate Authority.

Seems like the new certificate I downloaded was wrong
 
This is what fixed my issue.
Change port back to 1194. And insert my old certificate Authority.

Seems like the new certificate I downloaded was wrong
There is nothing wrong. PIA updated their port to 1198 and added new RSA certificates.
Check out this guide if you want to use the new ports and certificates from PIA with your Asus router:
http://www.snbforums.com/threads/ho...-for-pia-and-other-vpn-providers-07-14.30851/
You need to copy and paste 2 certificates with port 1198; it's all explained in the article, because in the past with port 1194-97 it was 1 certificate.
 
Thanks so much yorgi, all working for me now. I was connecting before, just no internet connectivity; your guide is way better than anything on PIA.
Have set up my iMac and Synology Diskstation to use the VPN, everything else on local ISP.
 
Thanks so much yorgi, all working for me now. I was connecting before, just no internet connectivity; your guide is way better than anything on PIA.
Have set up my iMac and Synology Diskstation to use the VPN, everything else on local ISP.
Excellent :)
 
