Tutorial How to Setup a VPN client including Policy Rules for PIA and other VPN providers 384.5 07.10.18

When you say with MIMO does that mean that one has to enable the BETA MIMO on the router in order for this to work?
or are you saying it's a better way to set up the antennas to get maximum efficiency?
Because from what I know having the antennas at a 90 degrees from each other for each bandwidth is the suggested way.

Just MIMO period - no MU, not SU, it's just MIMO...

In the example above - it's not 4 individual antennas, it's one array consisting of four elements...

That 90 degree trick - It pops up every once in a while on the blog-o-sphere, and then we go thru this topic all over again...
 
It's actually very situational, there's not really any one-size-fits-all position. In some environments, having some of the antennas at a different angle provides more path diversity through signal bounces, which can be beneficial in some crowded environments. It also helps covering more floors, as otherwise your radiation pattern only directly hits the horizontal plane, with only some bounces going in the Z axis.

Don't forget that most clients have fewer streams than the router can provide, so path diversity is good for these.
 
Just MIMO period - no MU, not SU, it's just MIMO...

When you say this....I have Multi-User MIMO *BETA enable or disable. I have not updated to the latest version of Merlin because I am not sure if I want to :p
Is this what you are referring to?
 
No. That setting relates to MU-MIMO, a new bleeding-edge technology. MIMO however is a fundamental part of 802.11n that's been there since pretty much day one.
 
Just wanted to say a quick thank you for this detailed write up. This saved me so much time setting up RT-AC68U to work with PIA! Excellent post from someone with a wealth of information.
 
Thank you so much for the instructions! I just signed up for PIA and got it working fairly easily. Am now routing my Buffalo NAS traffic through the VPN. I'm running an RT-N66U though, will see how it holds up.
 
Thanx for the great and easy guide.

But still a question...

I'm using Kodi on a RPi2 which is routed through the vpn (policy rules). But when I use the vpn route, there are a lot less working streams available for movies and/or series. Is there a solution for my problem?


TIA
Patrick
 
It all depends where the streams are coming from.
Try using a US server if it's content from the US and so on.
I never had a problem like that living in Canada but I have heard about geometric issues with kodi.
Easiest way to fix that is use a different server.
 
Thanx,

gonna try


kr.,
Patrick
 
Good Evening... thank you Yorgi, for this great thread. I have tried for hours this afternoon to get my Asus RT-AC88U set up with PIA. I was not successful and my screen shots, so far of the GUI have not worked for me. I will have to try again tomorrow after I get my scheduled work done.

I do have a copy of the System Log that I will attach and maybe it will be of some use in trying to figure out what it is that I have managed to do incorrectly. I could not find a file named client.1.ovpn to import, the file that I did find within the unzipped download is titled: US California.opvn and that is what I used to install and appears to perhaps be one of my issues. I cannot find the file that you listed as client1.opvn.

I tried this using Chrome and IE, both, and turned the router off-and-on multiple times. I used the install files for AES-128 and followed those instructions and graphic examples.

I do not know what it is that I am looking for and at in the System Log, perhaps experienced eyes can see what else is incorrect.

Thanks for any help that anyone has to offer.
 

Attachments

  • 9-11-16 System Log Set Up PIA VPN Asus RT-AC88U.txt
    7.6 KB · Views: 452
Hi, I think you are confusing this with the VPN server guide page when you say client.1.ovpn; this file is only in the VPN server guide.

I looked at your log and you are missing the .ca certificate, which once again is in the zip file that you need to download.
If you download this zip file from here:
AES-128-CBC https://www.privateinternetaccess.com/openvpn/openvpn.zip
you will find a bunch of .ovpn files and the certificate files. Each one of these files refers to a different country or city, like US California.ovpn.
You need to copy and paste the content of these two files, ca.rsa.2048.crt and crl.rsa.2048.pem, in the VPN tab, Authorization Mode,
Content modification of Keys & Certificates. Look at the guide to see the 2 areas where you need to paste the content from these certificates.

Read the guide carefully from beginning to end; there are 2 parts.
Let me know if you succeeded :)
 
Thank you, Yorgi, for your response and I am sorry for the delay in my response. My work has kept me busy.

I had tried to use the correct .ovpn file, but could not get items that I had input to save. After rebooting the router several times everything saved correctly and PIA VPN is working just fine.

I now have to find some threads to direct me in how to set things up so that I can use the VPN and still be able to view Netflix and Time Warner Cable, without having to turn off the VPN. I need to find the way that the members in the household that want to access the Internet behind the VPN can, while other members can watch their programs on the television that are being viewed through the various TV access boxes through WiFi.

Thank you again for your great instructions and your help.
 
Hi,
you won't find any threads about Netflix because they have pretty much isolated themselves from VPN servers.
In the past you could create a policy rule that would let Netflix traffic through the tunnel and onto local ISP but not anymore. Too much politics. Besides, who cares about Netflix, if you have Kodi and the Exodus repository you don't need Netflix, they don't have the latest movies or TV shows, it's all a bunch of old stuff :p There are tons of other ways of getting your movies and TV, just be resourceful; now that you have VPN the world is your oyster :) I am not familiar with Time Warner Cable but I am sure it's probably along the same lines as Netflix. Geo blocking is the new BUZZ word.....Good luck :)
 
****Please take note there was an error for port 1198 using PIA Server.
I forgot to put disable-occ in custom configurations. It was indicated for AES-256 but not for AES-128.
Please fix this, otherwise there are 2 warnings: one about mtu and the other about blowfish being used by the remote server.
 
Hi Yorgi,

I added the disable-occ and it did get rid of the errors! Thanks so much! I just wanted again to thank you so much for all the time and effort you are putting in to save all of us newbies. You have no idea how much I appreciate it.
I am using the IP of PIA, and I'm not sure how I can check if I'm using PIA's DNS server. I tried changing the DNS on the WAN of my router, but after I input PIA's DNS, it cuts off my internet using DNS : 209.222.18.222 and 209.222.18.218. So I was left with no choice, but to change it back to the default.



Here are my router settings:
upload_2016-10-5_10-45-57.png


upload_2016-10-5_10-38-0.png

I added the disable-occ, but didn't get the latest screen print.

upload_2016-10-5_10-46-14.png


upload_2016-10-5_10-46-36.png


DNS Leak.png


Everything seems to look great! I'm no longer getting any errors in my logs. Maybe I'm not using Wireshark correctly? When I turn on the PIA windows client, all the traffic from my desktop 192.168.1.xx goes through the UDP tunnel and I can't read any data. Once I turn the PIA windows client off and remove the desktop pc from the VPN policy routing from WAN. The PC is now going through the VPN tunnel via 192.168.1.0/24 per your advice. Then I used Wireshark to capture the same desktop IP of 192.168.1.xx. Data travels through a lot of other protocols and not UDP and I can read the text in some of the packets. I will have to include some screen shots when I get home from work tonight.

What are some of the drawbacks of encrypting the VPN tunnel vs. not encrypting the VPN tunnel? Is it the man in the middle attack? Can your ISP still see your activity even though you're going through the tunnel, but without encryption?

I was reading this forum from the beginning and decided to follow you and use DNS filtering for both my media boxes and my pc for testing to see if this will fix the issue. I set these devices to use PIA's DNS 209.222.18.222. I will try Wireshark again and see what happens.

I love this forum! Thank you for everyone's help! It has been a lifeline for me.
 
Everything looks right on your setup.
Don't forget that disable-occ.
When you connect using the router go to https://ipleak.net/
Look at the IP address you get. It should not be the same as your local ISP address.
You should have an IP from PIA with a DNS being the same as PIA.
If you have that then you are good to go.
Not sure about Wireshark but I tried the legacy and it seemed to show PIA address.
Make sure you do a DNS test for the IP and then you are good to go.
If you still have problems let me know.
 
I guess I'm good to go! I turned off DNS filtering as I'm getting the same results whether it's on or off. lol.

upload_2016-10-5_17-16-47.png




Using Wireshark here is the local area connection that I chose highlighted in blue for both tests.

upload_2016-10-5_17-23-49.png




Here are the results going through the PIA VPN on my router with the PIA Windows client software disabled.

Here are the results going through the PIA client software on my Windows PC with the router VPN disabled

upload_2016-10-5_17-35-48.png


This makes me believe that I am anonymous and going through the VPN tunnel with my router, but none of my data is encrypted.

What are some of the drawbacks of encrypting the VPN tunnel vs. not encrypting the VPN tunnel? Is it the man in the middle attack? Can your ISP still see your activity even though you're going through the tunnel, but without encryption?

Not sure about your results because I only see one image so I can't see the difference.
Also when you use wireshark with the win PC and PIA software it reads the packets directly from the PC
but you need to get wireshark to go between the WAN traffic and the modem in order to see what gets encrypted when going out from the WAN which you are not doing now.
From what I see your setup is working ok.
There is no reason to use DNS filtering because the VPN resolves the DNS properly.
There was an issue in earlier versions of the firmware where you needed to use DNS filtering but not anymore.
You can use the WAN DNS settings to put Google or Norton DNS instead of using the Local ISP DNS which is usually crappy for devices that use local ISP only. But the way you have it setup everything goes via the VPN except the router. I guess you are running an FTP and you don't want it to be going VIA VPN?
why is it that you put the routers IP to go to WAN?

There is no way the connection would work if the encryption was not working. but you can do more tests with your wireshark and let us know :)
As long as you are .59 or higher you shouldn't worry.
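
The check described in the reply above (capture on the WAN side, then confirm that what leaves the router is tunnel traffic) can be sketched as follows. This is an added example, not part of the original thread: the packet records, addresses and payloads are constructed, port 1198 is the one mentioned in this thread, and the entropy threshold is an assumption.

```python
import hashlib
import math
from collections import Counter, namedtuple

# Hypothetical record layout for packets exported from a WAN-side capture.
Packet = namedtuple("Packet", "src dst proto sport dport payload")

MIN_BYTES = 512    # shorter payloads cannot give a meaningful entropy estimate
MIN_ENTROPY = 7.0  # bits per byte (assumed threshold); ciphertext sits near 8

def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_tunnel(pkt, vpn_ip, vpn_port):
    """True when the packet is UDP to or from the VPN server's port."""
    return pkt.proto == "udp" and (
        (pkt.dst == vpn_ip and pkt.dport == vpn_port)
        or (pkt.src == vpn_ip and pkt.sport == vpn_port))

def audit_wan_capture(packets, vpn_ip, vpn_port):
    """Return (index, reason) for every packet that needs a closer look.

    "outside-tunnel" also covers devices deliberately policy-routed to WAN.
    High entropy is consistent with encryption but does not prove it:
    compressed data looks the same.
    """
    findings = []
    for i, pkt in enumerate(packets):
        if not is_tunnel(pkt, vpn_ip, vpn_port):
            findings.append((i, "outside-tunnel"))
        elif (len(pkt.payload) >= MIN_BYTES
              and shannon_entropy(pkt.payload) < MIN_ENTROPY):
            findings.append((i, "tunnel-low-entropy"))
    return findings

def fake_ciphertext(n, seed=b"constructed"):
    """Deterministic high-entropy bytes standing in for encrypted payload."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

# Constructed sample: documentation-range addresses, not real endpoints.
WAN, VPN, PORT = "198.51.100.7", "203.0.113.10", 1198
HTTP = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n" * 12
SAMPLE = [
    Packet(WAN, VPN, "udp", 40000, PORT, fake_ciphertext(1024)),
    Packet(VPN, WAN, "udp", PORT, 40000, fake_ciphertext(1024, b"reply")),
    Packet(WAN, "192.0.2.53", "udp", 40001, 53, b"\x12\x34example"),  # DNS outside tunnel
    Packet(WAN, "203.0.113.80", "tcp", 40002, 80, HTTP),              # cleartext HTTP
    Packet(WAN, VPN, "udp", 40000, PORT, HTTP),                       # tunnel, but readable
]

if __name__ == "__main__":
    for index, reason in audit_wan_capture(SAMPLE, VPN, PORT):
        print(index, reason)
```

A capture taken on the PC's own adapter, as in the screenshots discussed here, would flag nearly every packet because the router has not yet wrapped the traffic at that point.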
 
lol... oops... sorry! Here is the other screen shot using the router VPN.. I see what you mean.... I guess there is no real way to test the router VPN encryption. If there was a way, I would love to test it. I actually have a few servers at home that I don't leave on all the time, and when I do, it's nice to use the WOL feature in the router so there is a way to get to my data when I am traveling. With the VPN on, I wasn't able to find another way to access my router. If my servers were powered on and running through the VPN, is there any way to access them if both my router and servers were going through the VPN tunnel? Or is the easiest way to set them both to WAN? I can't access my router and servers with my DDNS when the VPN is enabled.

upload_2016-10-5_18-26-31.png



I just noticed these errors in the VPN log. I tried researching it, but couldn't find anything on these errors...

Oct 5 20:06:54 openvpn[6816]: ERROR: Linux route delete command failed: external program exited with error status: 2
Oct 5 20:06:54 openvpn[6816]: /usr/sbin/ip route del 198.8.80.13/32
Oct 5 20:06:54 openvpn[6816]: /usr/sbin/ip route del 0.0.0.0/1
Oct 5 20:06:54 openvpn[6816]: ERROR: Linux route delete command failed: external program exited with error status: 2
Oct 5 20:06:54 openvpn[6816]: /usr/sbin/ip route del 128.0.0.0/1
Oct 5 20:06:54 openvpn[6816]: ERROR: Linux route delete command failed: external program exited with error status: 2
 
Hi,
it's normal that you can't access your servers when they are on a VPN.
Think of it this way. You are connecting to another computer's network and all the traffic gets redirected to the server and then you. This is why you have another IP when you log on to the VPN server. How can you connect to your computer when it's already connected to another computer?
My suggestion is this: you don't need to put your servers that you do backup on a VPN, just use Remote Desktop.
It's a super secure tunnel and as long as your password is secure you can get onto your PC from anywhere you are in the world and then remote desktop to computers that are on the VPN and have access to all your file shares and do your work. You can always set up your own VPN server and have access to your LAN but I think the best way is to use remote desktop. Use your VPN to download your movies and watch your Kodi, which is what most people do with VPNs these days, and leave one PC on Local ISP and you can use DDNS to connect to it with remote desktop.
 
