What's new

Tutorial How to Setup a VPN client including Policy Rules for PIA and other VPN providers 384.5 07.10.18

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Go do some research again - Juniper has SSLVPN, so does Cisco with AnyConnect - and it's not OpenVPN... OpenStack with Neutron, it also support SSLVPN, just not OpenVPN's view of VPN...

As I said, I personally worked with a certain device that was DEFINITELY OpenVPN, and they labeled it "SSL VPN". The client was a modified/rebranded OpenVPN client. I just can't remember the brand of the appliance the customer used.

Cert management gets to be a pain when management multiple dial in clients and one revokes a cert - how to get the clients new certs? Not so easy of a problem is it?

Certificate-based authentication is entirely optional. You can use other authentication methods. Asuswrt, for instance, defaults to username/password authentication through PAM.
 
Before you can even set any rules you need to make sure that your VPN is working.
a little check list.
what encryption are you using? did you set it as Exclusive in Accept DNS Configuration?
did you paste the 2 certificates in the appropriate places? Do you get a green light enabled?
put Redirect Internet traffic to ALL
DHCP is only for assigning IP addresses it has nothing to do with VPN.
Set your DHCP range to 192.168.1.100-192.168.1.254
this way you will have 192.168.1.0-192.168.1.99 for static IP addresses
I really cant help you unless I know more. Use the guide and follow step by step. make sure you first connect to the VPN and then worry about the rest. When you successfully connect then I can help you out with rules.


In a future Merlin firmware, can we have the internet kill switch independent of the policy rules. I get DNS leaks when I use the redirect internet traffic regardless if I use Strict or Exclusive....and the reason I know that is by testing and also by my ISP telling me they see something strange happening with my computer while using a VPN. When I remove redirect internet traffic...no issues..but the I lose the interent kill switch. The only way to create a sort of kill switch is turning NAT off.
 
In a future Merlin firmware, can we have the internet kill switch independent of the policy rules. I get DNS leaks when I use the redirect internet traffic regardless if I use Strict or Exclusive....and the reason I know that is by testing and also by my ISP telling me they see something strange happening with my computer while using a VPN. When I remove redirect internet traffic...no issues..but the I lose the interent kill switch. The only way to create a sort of kill switch is turning NAT off.

So why not just make a policy rule that says all traffic goes to VPN
Source IP 192.168.1.0/24 Destination 0.0.0.0 lface VPN
this way you have the kill internet if VPN goes down and all your traffic gets routed via the VPN
and leave it on Exclusive.
 
So why not just make a policy rule that says all traffic goes to VPN
Source IP 192.168.1.0/24 Destination 0.0.0.0 lface VPN
this way you have the kill internet if VPN goes down and all your traffic gets routed via the VPN
and leave it on Exclusive.


I did that. Total failure. DNS leaks like crazy. I spent hours making numerous changes. The problem is the redirect Internet traffic leaks. I get 5 to 10 DNS versus the 1 I normally get. And then I got a bot warning from my Isp. Once I remove the redirect Internet traffic.. It works fine. I tested this enough times on two different Asus routers with latest merlin. So what I like to see is a kill switch check box regardless if I set policy rules. I believe the policy rules don't protect DNS.
 
I did that. Total failure. DNS leaks like crazy.

Are you sure it's not the test method that's at fault there? For instance, you will have to completely disable IPv6 if you want to ensure that *all* your traffic goes through the tunnel. Otherwise, any IPv6 traffic will still go directly through your ISP.

Exclusive mode takes all IPv4 DNS requests and forces them through whichever DNS is provided by the tunnel provider. Any so-called DNS leak would have to come from using IPv6, or the test method not being accurate. For instance, client or app level caching.
 
As I said, I personally worked with a certain device that was DEFINITELY OpenVPN, and they labeled it "SSL VPN". The client was a modified/rebranded OpenVPN client. I just can't remember the brand of the appliance the customer used.

I was thinking maybe EasyVPN, but that's IPSec, e.g. not OpenVPN...

That's a miss... and that was fairly common in SMB routers...

Then there's the other SSLVPN's...
  • Pulse/Juniper - hmmm... nope, not OpenVPN
  • Cisco AnyConnect - That's another SSLVPN - nope, not OpenVPN
So I'm running out of candidates here... feel free to add on to this list...

Nobody that takes VPN seriously does OpenVPN - enterprises, carriers - they all use VPN's to conduct business - and none of that is OpenVPN

OpenVPN is portable, that's nice, because it's an application - which violates all normal networking fundamentals... because of the layer violations. Pushing packets up and down the protocol stack is just plain bad for performance, and I'm a recovering systems engineer... and have deployed an OpenVPN stack to investigate - ask @yorgi - built a nice/slick config that works...

If one is trying to do geo-unlocks - consider Proxy Servers, or perhaps PPTP - PPTP isn't very secure, but it's fast, and nobody worries about Cricket Matches on the BBC... but one can use OpenVPN there and get lower frame rates...

Interesting thing - with all the nflix account disclosures - there's a lot of traffic that we classify as OpenVPN - and yes, we can tell...

OpenVPN is the domain of the enthusiast, the casual user, the occasional hacker - it's not a serious VPN solution - that's why OpenStack community just chuckles at it....
 
Are you sure it's not the test method that's at fault there? For instance, you will have to completely disable IPv6 if you want to ensure that *all* your traffic goes through the tunnel. Otherwise, any IPv6 traffic will still go directly through your ISP.

Exclusive mode takes all IPv4 DNS requests and forces them through whichever DNS is provided by the tunnel provider. Any so-called DNS leak would have to come from using IPv6, or the test method not being accurate. For instance, client or app level caching.

IPv6 completely disabled.

I used the following sites to test DNS leaks

dnsleaktest.com
ipleak.com
dnsleak.com
https://hidester.com/dns-leak-test/

Now..the DNS leaks are not from my ISP but when I do a test without redirect traffic I only get one DNS..which is the same IP as my VPN. When I use redirect traffic, I get more DNS names but they are not my ISP. I was not concerned until my ISP said they saw some strange bot like traffic when using Kodi. When I removed the redirect traffic and check DNS leaks...I was back to normal and no more ISP broswer notifications.

I have a work around for the kill switch but I cant use that redirect traffic. The DNS trail is just a bit too risky for me.

Other than that...the VPN client works great
 
Are you sure it's not the test method that's at fault there? For instance, you will have to completely disable IPv6 if you want to ensure that *all* your traffic goes through the tunnel. Otherwise, any IPv6 traffic will still go directly through your ISP.

Exclusive mode takes all IPv4 DNS requests and forces them through whichever DNS is provided by the tunnel provider. Any so-called DNS leak would have to come from using IPv6, or the test method not being accurate. For instance, client or app level caching.
When you say disable all ipv6 traffic do you mean by the router in basic config Connection type IPv6 disable? or tcp/ip connection from the client?
Why is it that IPv6 traffic doesn't go via the tunnel? that's a problem :(
If you disable IPv6 then any new site that only uses IPv6 won't you have a problem viewing it?
or will it get diverted automatically to ipV4?
Soon a lot of traffic will be going via IPv6 whats going to happen then?
I guess OpenVPN has to update their service to have IPv6 traffic routed their way.
And as SFX2000 hinted about the future of this project....oh well lets see :p
 
Last edited:
IPv6 completely disabled.

I used the following sites to test DNS leaks

dnsleaktest.com
ipleak.com
dnsleak.com
https://hidester.com/dns-leak-test/

Now..the DNS leaks are not from my ISP but when I do a test without redirect traffic I only get one DNS..which is the same IP as my VPN. When I use redirect traffic, I get more DNS names but they are not my ISP. I was not concerned until my ISP said they saw some strange bot like traffic when using Kodi. When I removed the redirect traffic and check DNS leaks...I was back to normal and no more ISP broswer notifications.

I have a work around for the kill switch but I cant use that redirect traffic. The DNS trail is just a bit too risky for me.

Other than that...the VPN client works great

Did you google search those DNS addresses that you got to see where they came from?
Maybe they are from your VPN provider.
I also know that when you go from exclusive to strict there is no way of going back to exclusive.
It will not show you the IP and DNS of your VPN provider. When you use strict it shows VPN IP and DNS of VPN and I think that is normal from the results you are getting.
You need to default the VPN client and start it again and don't go back and froth from Exclusive to Strict it just wont work right
when you setup a client you need to have it exclusive from the start before you hit apply.
That is the results I had in the past with OpenVPN client.
My suggestion is to do a factory reset on your router as well. This back and forth business can cause issues in the NVRAM.
this is from my experience someone else can say I am wrong.
But try what I am saying and hopefully you will get it to work right. There is no way that you are the only person having this problem with 2 routers when thousands of others have no issues at all.

to be sure about ipV6 check this site out and see if you are leaking any dns when you are using a vpn client
https://ip6.nl/
 
Last edited:
You need to default the VPN client and start it again and don't go back and froth from Exclusive to Strict it just wont work right
when you setup a client you need to have it exclusive from the start before you hit apply.
That is the results I had in the past with OpenVPN client.
That's not true....you just need to remember that there are multiple levels of DNS caching involved. Whenever you switch, you need to flush the caches on your client (for a browser, close it, then reopen)....and the OS (for windows, ipconfig /flushdns or net stop dnscache, net start dnscache. I like the latter net stop/net start since it seems to me that the ipconfig command doesn't flush ipv6 entries).
 
When you say disable all ipv6 traffic do you mean by the router in basic config Connection type IPv6 disable? or tcp/ip connection from the client?

On the client. Microsoft's Torredo can potentially bypass your tunnel.

Why is it that IPv6 traffic doesn't go via the tunnel? that's a problem :(

Welcome to the world of dual stacks. IPv4 traffic cannot go through an IPv6 route, and vice-versa, otherwise we'd all be able to use IPv6 over IPv4. You route through either one, or the other. So, if you wanted to tunnel IPv6, you would need a second IPv6 VPN tunnel for that traffic.

I guess OpenVPN has to update their service to have IPv6 traffic routed their way.

IPv6 has been supported by OpenVPN for a year or two now. It's just not supported by Asuswrt, as I have no way of really testing it, and the amount of code changes required to implement such a thing is not something I want to do. And I'm not sure if any of these VPN service providers support IPv6 either.
 
On the client. Microsoft's Torredo can potentially bypass your tunnel.



Welcome to the world of dual stacks. IPv4 traffic cannot go through an IPv6 route, and vice-versa, otherwise we'd all be able to use IPv6 over IPv4. You route through either one, or the other. So, if you wanted to tunnel IPv6, you would need a second IPv6 VPN tunnel for that traffic.



IPv6 has been supported by OpenVPN for a year or two now. It's just not supported by Asuswrt, as I have no way of really testing it, and the amount of code changes required to implement such a thing is not something I want to do. And I'm not sure if any of these VPN service providers support IPv6 either.
I think just knowing about this issue is a good start. My ipV6 is disabled on the router and I disabled it on the tcp adapter on my pc that is always on a VPN. at least its a quick fix but in the future when IPv6 will be a must I hope that ASUS updates the code and hopefully PIA and others will do the same. It's a concern for the future and present.
thanks for that info :)
 
On the client. Microsoft's Torredo can potentially bypass your tunnel.

Double agree here - easy enough to disable on Windows desktops, but Xbox also does this, and if/when using media player there, it can cause a leak...
 
ROUTER (ASUS RT-AC87R) BEHIND ROUTER (PACE 5168N)

1. Reset your first Router (ISP Router – PACE) and leave it the way it is. Only make changes that you think are necessary. Connect the first router (ISP router) from its Ethernet port to the WAN port of the second router (VPN router).

2. The table arrangement attached to this post, as a formula, can work with any router behind router setup. You can also use any private IP address range for either router, provided the address range allocated to one router does not overlap with that of the other router. Refer to your user manual on where to enter all the necessary information given.

3. In a Router behind Router setup, both Routers in their default setup are always using the same blocks of private Network IP Addresses (like 192.168.xxx.xxx). So you should use different private address blocks in the DHCP Server in each Router. The two routers must pull from different IP pools in Router behind Router (like 192.168.xxx.xxx for one router & 10.0.xx.xx for the other router).

I’m posting these to the attention of those like me who need the same help, Yorgi and whoever wants to make contribution to clear up any point. If all works for you, give thanks to Yorgi who is the brain behind my success.


LAN SETTINGS


PACE: Settings – LAN – DHCP – DHCP Network Range
Except you know what you are doing, leave all in their defaults as given in the table. Old routers are more difficult to setup compared to new one.

ASUS: Advanced Settings – LAN – LAN IP or DHCP Server – Basic Config
You may use the same settings given on the table below or allocate your own addresses within the accepted range specified by your router.

Refer to the table below or the attached table named: "Router behind Router IP Address Plan & Setup"

Router behind Router IP Address Plan & Setup.jpg


WAN SETTINGS

PACE:
Leave all on their Default Settings, except for the WAN DNS Server which you can enter your Service Provider DNS for Geo-unblocking.

ASUS:
WAN IP Address:
Use any IP address from the ISP Router’s range (PACE) that is not yet assigned. Example, 192.168.100.120 (Advanced Settings – WAN – Internet Connection – WAN IP Setting – IP Address).

WAN Gateway: Use the IP (Gateway) address of the ISP Router (PACE), 192.168.100.254
The first Router (PACE) is your gateway to the internet, so its IP address must be placed as the gateway of the second Router (ASUS).

WAN Connection Type: Choose “Static IP”. The second router for VPN needs to have a Static IP Address and pingable. Consequently, “Lease Time Expiry” is no longer applicable. (Advanced Settings – WAN – Internet Connection – Basic Config – WAN Connection Type).

WAN Subnet Mask: Use the LAN Subnet Mask of the ISP Router (PACE), 255.255.255.0
(Advanced Settings – WAN – Internet Connection – WAN IP Setting – Subnet Mask).

WAN DNS Server: Use either the LAN IP Address of PACE or the DNS of your VPN provider.
(Advanced Settings – WAN – Internet Connection – WAN DNS Setting – DNS Servers).


===============================================================


ADVICE: You cannot enable the DHCP Server on both routers because both routers may attempt to assign addresses (may cause disconnections). Disable DHCP Server on either the first or the second router.
(PACE: Settings – LAN – DHCP – DHCP Server Enabled)
(ASUS: Advanced Settings – LAN – DHCP Server – Basic Config – Enable the DHCP Server (Yes/No)).

Contrary to the above advice, I have DHCP Servers on both routers enabled, and the 2 routers have been working without any problem, why?

If I connect a device (e.g. Roku box) to the first router (PACE), it is assigned an IP address only within the specified LAN IP Range given on the table. If the Roku box is removed and connected to the second router for VPN (ASUS), it will now have a different IP address specified by the LAN IP Range of ASUS as given on the table. I am thinking that since a device can only be connected to one router at a time, 2 routers cannot assign addresses to that device (Roku) and moreover, the IP Range of the two routers are far from overlapping with each other. Is that correct or not?

Testing my two routers on IPleaks.net, pages 1 and 2 give results of connecting my ISP router (PACE) with no VPN configuration. Pages 3 and 4 give results of a connection with my ASUS router having VPN setup and my location detected as California.

Olympics Rio.jpg


ASUS RT-AC87R.jpg


PACE.jpg
 

Attachments

  • IPleaks Test - IPDNS Detect.pdf
    324.4 KB · Views: 986
Not sure why you are getting the error. Did you put the certificates from the UDP in the proper area in Content modification of Keys & Certificates.?
Where you able to connect with TCP?
I was able to connect with UDP but not with TCP. I used all the correct CAs
 
ROUTER (ASUS RT-AC87R) BEHIND ROUTER (PACE 5168N)


Contrary to the above advice, I have DHCP Servers on both routers enabled, and the 2 routers have been working without any problem, why?


View attachment 7055
You keep talking about having both routers DHCP enabled.
I will say it for the last time, you only need one router to assign DHCP
it may work now but when you try to add more clients you will get into conflicts and devices will not be able to connect and you will have dropped clients
The way you are going with DHCP you are going to get yourself into a nice problem where your router will flip addresses and eventually you will be on local ISP instead of VPN and you will never know because you think your setup is perfect.
I strongly advise you to disable one of the routers DCHP for LAN
WAN doesn't make a difference because only one router is connected to the ISP modem.
I hope you are still not confusing both
Good luck with things :)
 
Little side-bar tip...

Align those antennae - They work together as a team for MIMO - but for that to work, they need to be in the same orientation...

ASUS RT-AC87R.jpg
 
Little side-bar tip...

Align those antennae - They work together as a team for MIMO - but for that to work, they need to be in the same orientation...

View attachment 7085
When you say with MIMO does that mean that one has to enable the BETA MIMO on the router in order for this to work?
or are you saying its a better way to setup the antennas to get maximum efficiency?
Because from what I know having the antennas at a 90 degrees from each other for each bandwidth is the suggested way.
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top