
Tutorial How to Setup a VPN client including Policy Rules for PIA and other VPN providers 384.5 07.10.18

yorgi

Very Senior Member
***There is a WebRTC bug where, when using a VPN, one can see your real IP address.
Most VPN providers have not fixed this bug and you can be vulnerable.
Please visit this site while you are connected to your VPN to make sure your VPN provider has fixed this issue.
https://ip.voidsec.com

*** I suggest that every time you update to a new firmware do a Default on OpenVPN client then reboot the router and enter the data again. Otherwise you may get into issues where connection drops or other weird things may happen.

I disabled the Cipher Negotiation for PIA because it doesn't work
Only legacy Cipher works so it's not needed at the moment.

*** the only difference from the images below is a new field for certificates
Keys and Certificates click edit and copy paste your certificates as indicated in article.

Advanced Settings.jpg


Encryption Cipher has been renamed to Legacy/fallback cipher.
It is confirmed that PIA has not updated their servers for the new Cipher.
I will update the article as soon as they make the changes to use the new Cipher.

*****An OpenVPN 2.4 bug causes reconnection failures for PIA subscribers.
Add this command to custom configurations as a temporary fix. If you are having similar problems and are not with PIA you can try this fix.
pull-filter ignore "auth-token"

PART I

Here is a how-to guide using the PIA VPN provider as an example, which will help you get your VPN client up and running with Merlin firmware.
I have updated this article to use PIA's new 1197 and 1198 ports with new certificates.
If you do not use PIA, read the section where I explain how to connect using other VPN providers.
Please read both sections of this article carefully.

In the images below I have set it to use Policy Rules Strict. If you do not want to use Policy Rules and want all your traffic to go to the VPN then simply use "ALL" in the Redirect Internet traffic option. When you select "All", if the VPN goes down you are protected, as it has an automatic feature with the firewall which stops traffic until the VPN is re-established. The Redirect Internet traffic option is covered in the second part of the guide.

AES-128-CBC port 1198
1198.jpg

AES-256-CBC port 1197
256..jpg


Custom configurations to use with PIA.

AES-128 and AES-256
custom config.jpg


In "custom configurations" I have added the following:
auth-nocache: this command doesn't cache the password, otherwise you may have a security issue.
mute-replay-warnings: this command stops the same warning from appearing over and over in the system log.

***Please take note that this function was not indicated in the previous article. You need to put
disable-occ in custom configurations for 1198 and 1197.

It is important to add this line, otherwise the following 2 warnings will occur:

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'

By putting disable-occ on custom configuration for port 1197 and 1198 these warnings will disappear.

pull-filter ignore "auth-token": this will fix the problem when reconnection is not established after one day. This fix is only for PIA, but if you experience similar issues try using this command.

pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
Adding these 2 lines in custom configurations ensures that the VPN doesn't use IPv6 traffic.

***Certificates for PIA and other providers are discussed in the next section of this article.

UDP ports for PIA:

port 1194: This port uses Blowfish-CBC encryption and Auth digest to SHA1
No longer supported by PIA but you are free to try it :)
Speed: 30-35 mb/s

port 1195: For no encryption, use with encryption type set to none and Auth digest set to none, and in custom configuration add auth none. This method is the fastest and full speed but without encryption. Not very safe.
Speed: full bandwidth of your ISP

port 1197: For stronger encryption use with AES-256-CBC encryption and Auth digest sha256 speeds 20-30 mb/s

port 1198: Use the preferred encryption method which is AES-128-CBC encryption with Auth digest to SHA1
This encryption method delivers the fastest speeds compared to the other methods.
Speeds 50-60 mb/s

**certificates are discussed in Part II of the guide

TCP Ports:

PIA also offers TCP protocol on ports 501 AES-256-CBC and 502 AES-128-CBC
Configure the same as UDP Protocol with the exception of changing UDP to TCP and new port numbers. This TCP protocol has different certificates which are found in PART II of this article.

Configuring a VPN client which is not from PIA:

***Please refer to your VPN provider for encryption and ports

If you don't use PIA for your VPN provider the image above may not help you connect.
The easiest way to get your VPN client to work quickly and painlessly is to do the following.
Every provider will supply a .ovpn file. Simply click on the browse button in the "Import .ovpn file" and go to the location where you stored the .ovpn file, select the .ovpn file and then click upload. The router will read all the information from the .ovpn file and will then configure the VPN client. After the router has configured the client, note that some VPN providers provide the certificates in the .ovpn file while some will have a separate .crt file. Make sure you copy and paste the certificates, if they are not included in the .ovpn, to the "Content modification of Keys & Certificates." area. If the .ovpn file has the certificates included you will see them copied into the "Content modification of Keys & Certificates."; if not, you will have to do this manually.
Almost all providers will enter different data in the custom configurations area, so do not be alarmed if the data is not the same or similar to PIA. The .ovpn file contains all the important information needed to auto configure the VPN client.

The same example above will work with Stock ASUS firmware.
Import the client.ovpn into another ASUS router. It will automatically configure everything you need to connect to the VPN Server, including certificates.
Simply go to the VPN client on your ASUS router and look for "Import .ovpn file", use the browse button to find the client1.ovpn file, then click on upload.
That's it. You should be ready to connect. Turn the service state button to ON.
You can enable start to WAN option if you want the Client to automatically connect to the VPN server when router gets rebooted.
My opinion on using Stock Firmware with ASUS is when you have established connection to the VPN server if for some reason there is a glitch and the server drops connection you will leak DNS and your local ISP IP will show. There is no drop connection if tunnel goes down. I strongly suggest using Merlin Firmware if you want to use it as a VPN client.

Auth digest: refer to your VPN provider or leave it default if you are not sure.
For PIA use SHA1 for AES-128-CBC and SHA256 if you are using AES-256-CBC.

Accept DNS Configuration should be set to exclusive

Cipher Negotiation: refer to your VPN provider or leave it default if you are not sure.
For PIA I have disabled it because it doesn't work.

Legacy/fallback cipher: For PIA use AES-128-CBC or AES-256-CBC depending on the encryption you use with PIA.

Redirect Internet traffic:

Use "POLICY RULES STRICT" in "Redirect Internet traffic" for selective routing
By enabling the Policy Rules feature, it gives you the freedom to route specific devices to VPN and other devices to Local ISP. You can even have a device use VPN but have specific addresses use Local ISP or vice versa.

Please note:
When you are in a VPN tunnel the DNS is determined by the VPN, therefore if you redirect specific IP addresses to WAN, which is Local ISP, the DNS will show that of the VPN and not from Local ISP. This is also known as a DNS leak.
However you can route your FTP or SMTP, which do not use DNS, therefore you can set it up so that all traffic goes to VPN except for FTP and SMTP, so you can get your email or access your FTP without having it routed via the VPN.

When you enable Policy Rules you have an extra option "block traffic if VPN goes down".
This is one of the best features when using Merlin firmware because when it's enabled if for some reason the VPN Server drops connection the router will suspend all traffic until the VPN client re connects to the server. This way you won't leak your Local IP address to the public.
I strongly recommend that you Enable "block internet traffic if VPN goes down"

Please refer to the second part of this article for examples using Policy Rules.

If you do not want to use Policy Rules but want all your traffic to go via the VPN client then use the "ALL" option in the Redirect Internet traffic area; this will exclusively use the DNS of the VPN. You are still safe if the connection drops, as the firewall is programmed to automatically drop connection if the VPN client drops connection.

Set compression to "LZO Adaptive". I used to disable compression but I found that it is needed for best results.

Here is a good chart you can bookmark for ports, certificates and encryption methods from PIA. They recommend using ports 1198, 1197, 502 and 501 with AES encryption. You are free to explore other methods found in the link below. I will show you examples using these methods in part 2 of this guide.

https://helpdesk.privateinternetacc...ings-should-I-use-for-ports-on-your-gateways-

Part II follows;
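
A way to sanity-check the custom configuration lines discussed in this post before pasting them into the router (an added example, not part of the original post or of the Merlin firmware). The sample configs are constructed, the finding names are made up for this example, and the check only sees the custom configuration text, not the cipher chosen in the GUI.

```python
import shlex

# Constructed sample: the custom-configuration lines the guide lists for PIA.
GUIDE_CONFIG = '''
auth-nocache
mute-replay-warnings
disable-occ
pull-filter ignore "auth-token"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
'''

# Constructed sample: a "no encryption" variant like the one discussed for port 1195.
NO_ENCRYPTION_CONFIG = '''
tls-client
remote-cert-tls server
auth none      # no packet authentication
cipher none
'''


def parse_directives(text):
    """Return a list of (directive, [args]) from OpenVPN-style config text."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or whole-line comment
            continue
        tokens = shlex.split(line, comments=True)   # handles quotes and trailing '#'
        if tokens:
            directives.append((tokens[0].lower(), tokens[1:]))
    return directives


def audit(text):
    """Return a sorted list of (severity, finding) for a custom configuration."""
    directives = parse_directives(text)
    names = {name for name, _ in directives}
    # Options the client refuses to accept from the server's push list.
    filtered = {args[1].lower() for name, args in directives
                if name == "pull-filter" and len(args) >= 2
                and args[0].lower() == "ignore"}
    findings = []
    for name, args in directives:
        value = args[0].lower() if args else ""
        if name == "auth" and value == "none":
            findings.append(("high", "auth-none"))            # no packet authentication
        if name == "cipher" and value == "none":
            findings.append(("high", "cipher-none"))          # tunnel is not encrypted
        if name == "cipher" and value.startswith("bf-"):
            findings.append(("medium", "blowfish-cipher"))    # legacy port 1194 cipher
        if name == "disable-occ":
            # Hides the link-mtu/cipher mismatch warnings; it does not remove the mismatch.
            findings.append(("info", "occ-warnings-suppressed"))
    if "auth-nocache" not in names:
        findings.append(("medium", "credentials-cached"))
    for option in ("ifconfig-ipv6", "route-ipv6"):
        if option not in filtered:
            findings.append(("medium", "ipv6-not-filtered:" + option))
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("guide", GUIDE_CONFIG), ("no-encryption", NO_ENCRYPTION_CONFIG)):
        print(label)
        for severity, finding in audit(cfg):
            print(f"  [{severity}] {finding}")
```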
 
PART II

Certificates for PIA:

Download these zip files from PIA in order to get the certificates you need to make appropriate client work.
AES-128-CBC https://www.privateinternetaccess.com/openvpn/openvpn.zip
AES-256-CBC https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip

extract the content of the zip file.
For AES-128-CBC
Look for ca.rsa.2048.crt and crl.rsa.2048.pem for 128 encryption
which are found in the openvpn.zip

For AES-256-CBC encryption you are looking for the following certificates which are found in the openvpn-strong.zip;
crl-verify crl.rsa.4096.pem ca and ca.rsa.4096.crt.

Go to VPN tab in VPN client and look for the Certificate Authority now click on
Content modification of Keys & Certificates in Authorization Mode.
Open ca.rsa.2048.crt with a txt editor and copy and paste the entire content in the "Certificate authority" section,
Next open crl.rsa.2048.pem with a txt editor and copy its entire content to
"Certificate Revocation List (Optional)"

Do the same procedure as above for aes-256-cbc with the exception that you are copying and pasting data from these certificates crl-verify crl.rsa.4096.pem and ca ca.rsa.4096.crt

Use the image below for reference

cr.jpg


Certificates for PIA TCP protocol on ports 501 AES-256-CBC and 502 AES-128-CBC
Do the same as the other examples with the certificates found in these links.
https://www.privateinternetaccess.com/openvpn/openvpn-strong-tcp.zip
https://www.privateinternetaccess.com/openvpn/openvpn-tcp.zip

POLICY RULES EXAMPLES:

There are many ways you can use "selective routing" or, as it's called, Policy rules.
Here are 5 examples. 0.0.0.0 means any IP Address. Local ISP is your Internet Service Provider.

A: You can use CIDR range 192.168.1.80/28, which is the addresses between 192.168.1.80-192.168.1.95
In this example IP addresses 192.168.1.80-192.168.1.95 will go to VPN and all other traffic will go to WAN local ISP
Note: The traffic that goes to WAN Local ISP resolves to the DNS of the Local ISP, therefore there is no more need to use DNSfiltering as in the past in order to resolve the proper DNS.

ie: source IP 192.168.1.80/28 Destination 0.0.0.0 Iface VPN

B: Selecting an IP address for each client to go through the VPN only and all other traffic goes to Local ISP.
In the example below 2 IP addresses go to VPN and every other address goes to Local ISP
Note: The traffic that goes to Local ISP resolves to the DNS of the Local ISP, therefore there is no more need to use DNSfiltering as in the past in order to resolve the proper DNS.

ie: source IP 192.168.1.50 Destination IP 0.0.0.0 Iface VPN
source IP 192.168.1.51 Destination IP 0.0.0.0 Iface VPN

C: You can use a CIDR range and make rules so that IP range traffic goes to VPN and specific IP addresses go to Local ISP
In the example below 192.168.1.0/24 is the range 192.168.1.1-192.168.1.254, so all traffic will go to VPN, and for IP 192.168.1.50 all traffic will go to VPN except for Facebook, which will route via Local ISP.
Note: Don't forget, because you are routing traffic from the VPN tunnel to WAN the DNS will be that of the VPN, so Facebook will see your VPN address as DNS. This is called a DNS leak. If security is important to you then I suggest you do not route traffic through WAN when on the VPN tunnel.

ie: source IP 192.168.1.0/24 destination IP 0.0.0.0 Iface VPN
source IP 192.168.1.50 destination IP 173.252.64.0/18 Iface WAN

D: Normally when using a VPN the SMTP port is blocked by the VPN provider for security.
In this example 24.123.456.78 will be the IP address for the SMTP server
so basically all device traffic from IP range 192.168.1.1-192.168.1.254 will go to the VPN, but all IP addresses will use Local ISP for email, and a specific computer 192.168.1.160 will use Local ISP for FTP, which will use the fictitious address 64.125.65.23

ie: Source IP 192.168.1.0/24 Destination IP 0.0.0.0 Iface VPN
Source IP 0.0.0.0 Destination IP 24.123.456.78 Iface WAN
Source IP 192.168.1.160 Destination IP 64.125.65.23 Iface WAN

E: All traffic goes to VPN, this is a great alternative from the "redirecting all traffic" because you have the option to "Block routed clients if tunnel goes down"
The example below says that all traffic goes to VPN

Source IP 192.168.1.0/24 Destination IP 0.0.0.0 Iface VPN

In this forum we have made tests with many different routers and models and the results are as follows:
no router to date has given better than 60 mb/s, so don't go nuts if you have 200 mb/s with your ISP and you can't get more than 60 mb/s, this is normal. The router's CPU just can't handle more!
RT-N66U and RT-AC66U will never give you more than 10 mb/s on a VPN because the CPUs are not fast enough.
Dual core CPUs give you better performance.
If your router has a Dual Core CPU take note that VPN clients 2 and 4 use Core 1 and clients 1, 3 and 5 use Core 2. Take advantage of this because you can split the load for routing on core 1 and VPN on core 2.
Also take note that USB Media drives use core 2, so use the best configuration for your needs.

Computer router solution:

If you need better speeds than mentioned above, you can create a router using a mini computer running pfSense. A computer will easily decrypt the encryption and can give you the maximum bandwidth of your VPN provider. It is extremely difficult to configure but it is an alternative.

Router Solution for High Speed VPN Client:

Hardware isn't the only issue. Not all VPN providers have sufficient backbone connections to support high upload and download speeds. One has to try several providers before they can get consistent download speeds of over 70 Mbps.

Sabai Technology offers custom routers which they claim can reach the speeds of your ISP
http://www.sabaitechnology.com/

***Important for ASUS routers and VPN providers

IPv6 is the future for IP addresses. The problem right now is that IPv4 addresses are running out and many companies are moving forward to IPv6. This is a problem for VPN users.
When you are connected to the VPN server their tunnel only supports IPv4 traffic, so that means all traffic that is heading for IPv4 goes through the VPN tunnel, but IPv6 traffic will automatically go to the local ISP, which means a DNS leak. This is because PIA and other companies including ASUS WRT do not support IPv6 yet.
This means that one will have to disable IPv6 for any device that will be on a VPN.
The easiest way is to disable IPv6 directly on the router, but to ensure complete safety it is recommended that one disables IPv6 on the OS of all devices that are on a VPN.
For Windows and Mac, disable IPv6 from the TCP adapter. For other device OSes please research how to disable IPv6.

OpenVPN supports IPv6 but ASUS has not added the code on their firmware yet, and neither has PIA or many other VPN service providers.

This is a serious issue where privacy is important, so take the necessary precautions to avoid any problems in the future.

here is a site that you can test your device to see if you are connecting to IPv6 addresses

https://ip6.nl/

PC.
Reference:

Here is a site that will help you create CIDR ranges
http://networkcalculator.ca/ip-calculator.php

Here is a whois lookup that shows you the CIDR range of IP addresses
http://www.whois.com/whois/

Here is a site to test to see if you are leaking DNS
https://ipleak.net/

speedtest your connection
https://speedtest.net

Always test with ipleak.net to make sure your VPN is showing the right IP address.
As a general rule when you are connected to the VPN the IP address and DNS should be the same as the VPN Server.

The VPN's speed will be determined by the encryption method you choose.
Dual core CPUs are the best choice because they deliver the fastest speeds when in VPN client mode. Encryption makes the router work harder, therefore I suggest using AES-128-CBC for optimum performance and security.

Speed test with VPN

For those who use 100mb/s or faster, you will find that disabling NAT may give a bit better performance but you will get somewhere around 30mb/s when you speed test your service.
In the real world you are getting about 60mb/s, so don't judge a speed test to be real world numbers. Try a really fast torrent and you will see speeds in the 5 MB/s. If you have a faster CPU you should get over 60 mb/s.
A better CPU will always give you faster VPN speeds.

I will update this guide whenever there are new firmware or changes with PIA
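
The policy rules above, resolved for individual flows (an added example, not part of the original post). It assumes WAN rules are checked before VPN rules, which is what the exceptions in examples C and D rely on, and that unmatched traffic uses the WAN; the 203.0.113.25 and 198.51.100.21 servers are constructed documentation-range stand-ins for the post's fictitious addresses.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed rule set shaped like example D: LAN to VPN, mail and one FTP flow to WAN.
RULES_D = [
    "192.168.1.0/24 0.0.0.0       VPN",
    "0.0.0.0        203.0.113.25  WAN",   # stand-in SMTP server
    "192.168.1.160  198.51.100.21 WAN",   # stand-in FTP server
]


def parse_net(text):
    """Parse one rule field; 0.0.0.0 means any address, as in the guide."""
    if text == "0.0.0.0":
        return ANY
    # strict=True rejects blocks with host bits set, e.g. 192.168.1.85/28
    return ipaddress.ip_network(text, strict=True)


def parse_rules(lines):
    """Turn 'source destination iface' lines into (src_net, dst_net, iface) tuples."""
    rules = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) != 3 or fields[2].upper() not in ("VPN", "WAN"):
            raise ValueError(f"rule {n}: expected 'source destination VPN|WAN'")
        try:
            rules.append((parse_net(fields[0]), parse_net(fields[1]), fields[2].upper()))
        except ValueError as exc:
            raise ValueError(f"rule {n}: {exc}") from None
    return rules


def cidr_span(text):
    """First and last address covered by a CIDR block."""
    net = ipaddress.ip_network(text, strict=True)
    return str(net[0]), str(net[-1])


def route_for(rules, src, dst):
    """Interface a flow would use. Assumption: WAN rules win over VPN rules."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for wanted in ("WAN", "VPN"):
        for src_net, dst_net, iface in rules:
            if iface == wanted and s in src_net and d in dst_net:
                return iface
    return "WAN"   # assumption: clients with no matching rule stay on the local ISP


def wan_exceptions(rules):
    """WAN rules whose source overlaps a VPN rule: flows that leave the tunnel.

    These are the flows the post's DNS note applies to, so review each one.
    """
    vpn_sources = [src for src, _, iface in rules if iface == "VPN"]
    return [(str(src), str(dst)) for src, dst, iface in rules
            if iface == "WAN" and any(src.overlaps(v) for v in vpn_sources)]


if __name__ == "__main__":
    rules = parse_rules(RULES_D)
    print(cidr_span("192.168.1.80/28"))
    print(route_for(rules, "192.168.1.20", "203.0.113.25"))
    print(wan_exceptions(rules))
```

parse_rules rejects the post's placeholder 24.123.456.78 because 456 is not a valid octet, so substitute the real server address before entering a rule.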
 
Thank you for the detailed explanation and time for making this super guide!
 
One question buddy...

If I am using no encryption, what certificate does one use, if any?

And would these custom settings suffice?

pia-signal-settings
tls-client
remote-cert-tls server
reneg-sec 0
auth none
auth-nocache
verb 3
mssfix 0
 
One question buddy...

If I am using no encryption, what certificate does one use, if any?

And would these custom settings suffice?

pia-signal-settings
tls-client
remote-cert-tls server
auth none
auth-nocache
mssfix 0
You always need to have that BF and/or AES certificate, and there is a different certificate if you use AES-256 and more custom configuration add-ons.

The only difference is the port and putting auth none in the custom configurations.

So you would need to put port 1195 and none for encryption and the following
at custom configuration

tls-client
remote-cert-tls server
ns-cert-type server
auth-nocache
auth none


I am not sure why you put this pia-signal-settings and mssfix 0
but all of the above would be needed for no encryption.
 
OpenVPN 2.X

no idea why you would want to play with packet size or put it to 0
-mssfix max
Announce to TCP sessions running over the tunnel that they should limit their send packet sizes such that after OpenVPN has encapsulated them, the resulting UDP packet size that OpenVPN sends to its peer will not exceed max bytes.

also pia-signal-settings
I would take that out because you have already setup the encryption types with the Merlin VPN client.
no need to double up on that.

here is some more literature for different types of encryptions and other commands one can put in custom configurations to achieve what a PIA client would be able to do.

https://www.privateinternetaccess.com/forum/discussion/9093/pia-openvpn-client-encryption-patch
 
Ah I see, thx very much.

pia-signal-settings is there because John's Fork said it required it with PIA, so I just added it in there. I'll remove the mssfix also, lol.

It's one big learning curve, this VPN stuff, so thank you for all your help.
 
Perhaps pia-signal-settings is required by PIA if we didn't have all the features of Merlin, like maybe some other client which is not as sophisticated as Merlin, but when you put that option you would have to add the encryption type as well to make it work right, as you can see from that PIA article.

It would probably be used like this:

pia-signal-settings
cipher aes-128-cbc

That would probably work but it's not needed because we have those settings in Merlin :)
 
Yorgi, just as info, only the following are needed based on my testing. I think the rest of those you listed are already built in when the router is negotiating, so you're just repeating that again in custom settings. I'm not sure if that will interfere or not but it's redundant. Merlin or John would know better. I think the rest of those instructions are for open source dd-wrt firmware types. I could be wrong but

Required
tls-client
remote-cert-tls server
reneg-sec 0

Optional in 380 down firmware. Listing verb in custom config will also work better with some VPN nodes. May connect you to the closest node.
This is all dependent on the VPN node server closest to you, so one has to experiment a little in their region.

verb 3 through 10... I found 3 being best. 5 will report too many unnecessary errors like packets being dropped due to something like a UDP error. Not really useful for the average Joe.
 
Also DNS filtering is a good idea to make sure your DNS points to the right server.
Use the following DNS for PIA and whatever DNS you like for local isp traffic

View attachment 5647

In the next firmware release you won't need this DNS filtering step as it's been fixed when using exclusive mode, which will resolve the DNS of the VPN, and when using local ISP you will get the local ISP DNS.

As the firmware is now, when you use local ISP and VPN is turned on, the DNS will show that of your VPN provider and NOT the Local ISP, so use DNS filtering to make sure VPN or ISP use the proper DNS.

Be safe and enjoy!

Cool bro. But one will get VPN DNS through PIA once set to exclusive, so just curious why would you use that? You don't want to point to Google DNS or OpenDNS, as then you're leaking out of your VPN protection and essentially advertising your internet activities. Unless this could be used as a backup when the VPN provider DNS goes down.

I also redirect all traffic, not based on policy, but maybe that's how you use DNS filtering?

Great guide bro
 
Hey brother :)
The only reason that I use DNS filtering is because I use selective IP address for VPN, and when you do that the VPN DNS shows up when you are using Local ISP. He is fixing that issue with the new release.
Also, even if you use exclusive and you check on ipleak.net you will see that you get a DNS address for PIA instead of an IP address. Normally when you use the OpenVPN program and check ipleak.net you will see the IP address and the DNS address are the same. When you use Merlin's VPN and do the ipleak.net test you will see an IP address and another address for DNS.
There's nothing wrong with that, but why not have it resolve the way PIA and OpenVPN and Tomato USB work.
That is the only reason that I use DNS filtering, because it's really not working the way it should.
I hope that makes sense. Try it out and you will see.
 
I would almost agree with you but,

persist-key not sure
persist-tun not sure
tls-client for sure
remote-cert-tls server for sure
ns-cert-type server for sure
auth-nocache this stops some error about caching a password and now it's gone.
auth none auth none is for no encryption as we know
reneg-sec 0 I picked this one off from the OpenVPN site.
verb 3 and I agree with verb 3 being the best :)

Some of the "for sure" is because I was on the OpenVPN site and was reading all the switches and I found that they should be used according to them.

Anyone have something to add I would be glad to listen :)
 
I am not going to put new firmware on my router because it's still at alpha stage, so I will wait.
Maybe the DNS filtering is not needed now but for my firmware I had to do this.
When the new firmware comes out I will most likely fix this section as there will be new additions,
but for now I will stick to my guns unless Merlin says I am doing something wrong :)
 

Even in the oldest firmware you will ALWAYS get DNS from PIA if you set for exclusive or strict, and that's available in the oldest firmware. Actually that's how it should be set up anyway. You never wanna browse through ANY other DNS but the VPN provider's one, and they are always injected once you connect. That's not dependent on firmware version, but when you connect to PIA you get re-routes you see in the log, and as part of the re-routes you get re-routes for DNS as well. Again, nothing to do with new vs old firmware. The oldest Merlin firmware will act the same, meaning it will re-route to PIA VPN DNS servers. In fact the firmware does not do that but the PIA server does. Your router just accepts re-routes from the VPN provider. That's what a router does, routes, and part of routes is DNS.

You don't wanna point to OpenDNS or Google DNS if you're on VPN unless you have specified policy rules set up that are pointing for some custom arrangement.
I redirect all traffic through VPN but I guess that depends on what you're doing.

Once in a while I'll be checking if my DNS is leaking but I've never seen that it does.

https://dnsleaktest.com/
 
I know. But when you do a dnsleaktest do you see your IP address and then the PIA DNS address?
Or do you see the PIA IP address for the DNS as well?
I don't think you understood. I am exclusive as well and I never said that the DNS is not PIA,
but if you use PIA software or TomatoUSB or OpenVPN software, when you do a DNS leak test you will see that with the other programs you will see 172.xxx.xxx.xx for IP and DNS; when you do it with Merlin
you will get 172.xxx.xxx.xx and DNS 209.222.18.218

That is not the way the other programs resolve it. Also, when you use local ISP the DNS will show as 209.222.18.218 and not Google or whatever. So that's why I use DNS filtering: when I am on ISP I get Google and when I am on PIA I get PIA,
but the right way. I am not saying that Merlin's is not right, but when I tested all the others I didn't get the same results as with PIA, OpenVPN, or TomatoUSB.

Try it and you will see :)
 
Hmmm... yeah, I'm not sure what you're saying. If you set DNS filtering on and set it for OpenDNS you will leak out of PIA to OpenDNS, and you don't wanna do that, unless I'm not understanding what you're doing. I get PIA DNS if DNS filtering is off.


upload_2016-3-21_12-12-22.png
 
1.jpg





OK, look at the 2 of them.
The first one is with DNS filtering and the second one is without DNS filtering.
They are both right but it shouldn't be showing the actual DNS of PIA, it should be showing the IP as in the first image.
Try it with this site and you will see:
https://ipleak.net/
The first image is the way openvpn.exe, PIA and the TomatoUSB router show it
and the second image is Merlin's.
You tell me if there is no difference?
 
