Tutorial How to Setup a VPN client including Policy Rules for PIA and other VPN providers 384.5 07.10.18


Hi!
Sorry for the late reply, work...

Tried tap, but that's a dead ringer... no connection out/in possible.

So back to tun.

I can ping the server @ 192.168.1.1 from the client side AND I can ping the OpenVPN gateway 10.8.0.2 on the client's side, so the tunnel works, yet no data is routed from the server to the client.
So I guess it's just a question of where/how to add a routing rule.

I googled so much that my head & eyes hurt... so I'm not sure which of the following would do the trick:

* client config file
info you put into ccd files (client configuration...)
didn't try that, not sure what to put into the config file

* a static route on the server side
done via i.e.
route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.8.0.2 dev tun21
or ip route add 192.168.0.0/24 via 10.8.0.2

this also didn't help

* or via server custom configuration
i.e. push route "192.168.0.0 255.255.255.0 10.8.0.2 1"

yet push route results in a routing error, as seen in the client's syslog:

Nov 8 17:09:07 openvpn[12642]: Ignore conflicted routing rule: 192.168.0.0 255.255.255.0
Nov 8 17:09:07 openvpn-routing: Skipping, client 1 not in routing policy mode

Slowly but steadily starting to hate network stuff :(
I am curious, when you say out to the client, are you trying it on a Windows PC or on iOS?
I would do all my tests on a PC and I would also disable the Windows firewall when you make these tests to make sure that it's not stopping your share.
I don't think you have to go the route of static routes yet.
My only question at this point is this: you have a router with ISP running the VPN server in one location, and then you have another router with paid ISP running the client in another location. Now are you introducing a 3rd computer to the equation to access the networks of those 2 routers in a tunnel?
I am confused when you say you are able to go into the server but not to the client. From where?
If you are connected to the server from the client you should have access to your local network and the network of the VPN server.
If you log on to the server from another computer, maybe try remote desktop to the client PC and access its share.
If you are using the anniversary edition of Win10 it should work right away; if you are not, then you may have to put in firewall rules.
I need to know your scenario a bit better because it's still confusing as to what it is you are trying to achieve.
It all depends on how you are trying to access these shares and how many computers are in the network.
Please let me know.

Also the IPs that you tried with static routes are wrong.
192.168.1.0-254 would be 192.168.1.0/24 in CIDR; you put a 0 where you needed to put a 1.
I think the static route may help but I'm really not sure. Since you mentioned it I just corrected it for you:
netmask 255.255.255.0 gateway 192.168.2.0/24 interface WAN

Here are OpenVPN switches that you can put in custom configurations.
https://openvpn.net/index.php/open-source/documentation/howto.html#mitm
Maybe you can find something there as well.

And I agree about the network stuff!
 
Hi!

No third computer/device; all pings are done via secure shell on each device.
I tried the changed static route, and even a bunch of other variants, but I still can't reach the client's LAN from the server.

I think I give up at this point....

thanks for your help !!
 
you can always remote desktop locally to the clients once you have connected to the server and then access anything you want.
You can also have computers sleeping and when you log onto the server you can wake them up with magic packet and then remote desktop.
I will try this scenario with 2 routers in different places, one client and one server, and will post back. I know it can be done.
I will add it to my article on servers and will let you know as well.
 

No computers are involved in this, so that's not an option.
Also the device with the VNC server is an IoT device, not a computer.
The main purpose is to control it from afar, so I need the client=>server connection to do that.
Thanks ahead for your efforts in this matter !!!
 
Yorgi, do you personally believe 128 vs 256 encryption is enough protection?
128 is fine. I never use 256 because it slows down the router. As far as protection, what kind of protection are you expecting from a VPN service?
I personally think that these services don't provide much protection other than masking your IP address. If you do something stupid or say something that gets the NSA concerned, I am sure that their 50-dollars-a-year service won't protect you.
So protection is a big word and cannot be taken lightly.
 
My best advice is to do remote desktop to those computers that are important. Do a remote desktop to one PC that is on the LAN with the other PCs and set up a port trigger on the router, and you don't need a VPN. Microsoft already provides a secure tunnel, similar to a VPN tunnel, and it's super secure. As long as you use a strong username and password no one can get into your network. I would trust remote desktop more than an OpenVPN server on a router.
this is my opinion :)
 
Hey Yorgi
Followed your step by step. I'm connected however I'm getting a message in the log as follows that repeats multiple times.
Kernal:TCP:possible SYN flooding on port 55951.
Any ideas?
 
Not sure, maybe ask your VPN provider about that one. Not all VPN's behave the same.
Who is your vpn provider?
 
I know. But when you do a dnsleaktest do you see your IP address and then the PIA DNS address?
Or do you see the PIA IP address for the DNS as well?
I don't think you understood. I am exclusive as well and I never said that the DNS is not PIA,
but if you use PIA software or TomatoUSB or OpenVPN software, when you do a DNS leak test you will see that with the other programs you get 172.xxx.xxx.xx for IP and DNS, whereas when you do it with Merlin
you will get 172.xxx.xxx.xx and DNS 209.222.18.218.

That is not the way the other programs resolve it. Also when you use the local ISP the DNS will show as 209.222.18.218 and not Google or whatever. So that's why I use DNS filtering: when I am on ISP I get Google and when I am on PIA I get PIA,
but the right way. I am not saying that Merlin's is not right, but when I tested all the others I didn't get the same results as with PIA, OpenVPN, or TomatoUSB.

Try it and you will see :)
****Please take note there was an error for port 1198.
I forgot to put disable-occ in custom configurations.
Please fix this, otherwise the following 2 warnings will show up in the system log:

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'

PART I

Here is a how-to guide using the PIA VPN provider as an example, which will help you in getting your VPN client up and running with Merlin firmware.
I have updated this article to use PIA's new 1197 and 1198 ports with new certificates.
If you do not use PIA, read the section where I explain how to connect using other VPN providers.
Please read both sections of this article carefully.

AES-128-CBC port 1198
View attachment 7395
AES-256-CBC port 1197
View attachment 7146

Custom configurations to use with PIA.

AES-128
View attachment 6800
AES-256
View attachment 6800

In "custom configurations" I have added the following:
ns-cert-type server: this will block clients from connecting to any server which lacks the nsCertType=server designation.
auth-nocache: this command doesn't cache the password; otherwise you may have a security issue.
mute-replay-warnings: this command stops the same warning from appearing over and over in the system log.

***Please take note that this directive was not indicated in the previous article. You need to put
disable-occ in custom configurations for 1198 and 1197.

It is important to add this line, otherwise the following 2 warnings will occur:

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'

By putting disable-occ in the custom configuration for ports 1197 and 1198 these warnings will disappear. I apologize for any inconvenience I may have caused with this error.

***Certificates for PIA and other providers are discussed in the next section of this article.

The VPN's speed will be determined by the encryption method you choose.
Dual-core CPUs are the best choice because they deliver the fastest speeds when in VPN client mode. Encryption makes the router work harder, therefore
models such as the ASUS 68U or higher are the best choices.
Models such as the ASUS 66U or inferior are not a great choice because they will give you slower speeds: they have a single-core CPU and are not as powerful as higher-end models.
If a VPN client or server is important to you, then think of upgrading to a better router.

UDP ports for PIA:

port 1194: This port uses Blowfish-CBC encryption and Auth digest SHA1.
No longer supported by PIA but you are free to try it :)
Speed: 30-35 mb/s

port 1195: For no encryption, use with encryption type set to none and Auth digest set to none, and in custom configuration add auth none. This method is the fastest and full speed but without encryption. Not very safe.
Speed: full bandwidth of your ISP

port 1197: For stronger encryption use with AES-256-CBC encryption and Auth digest SHA256. Speeds 20-30 mb/s

port 1198: Use the preferred encryption method, which is AES-128-CBC encryption with Auth digest SHA1.
This encryption method delivers the fastest speeds compared to the other methods.
Speeds 50-60 mb/s

**certificates are discussed in Part II of the guide

TCP Ports:

PIA also offers the TCP protocol on ports 501 (AES-256-CBC) and 502 (AES-128-CBC).
Configure the same as the UDP protocol with the exception of changing UDP to TCP and the new port numbers. The TCP protocol has different certificates, which are found in PART II of this article.

***Please refer to your VPN provider for encryption and ports

If you don't use PIA for your VPN provider the image above may not help you connect.
The easiest way to get your VPN client to work quickly and painlessly is to do the following.
Every provider will supply a .ovpn file. Simply click on the browse button in "Import .ovpn file", go to the location where you stored the .ovpn file, select the .ovpn file and then click upload. The router will read all the information from the .ovpn file and will then configure the VPN client. Some VPN providers include the certificates in the .ovpn file while some will have a separate .crt file. If the .ovpn file has the certificates included, you will see them copied into the "Content modification of Keys & Certificates." area after the router has configured the client; if not, you will have to copy and paste the certificates there manually.
Almost all providers will enter different data in the custom configurations area, so do not be alarmed if the data is not the same as or similar to PIA's. The .ovpn file contains all the important information needed to auto-configure the VPN client.

The same example above will work with stock ASUS firmware.
Import the client.ovpn into another ASUS router. It will automatically configure everything you need to connect to the VPN server, including certificates.
Simply go to the VPN client on your ASUS router and look for "Import .ovpn file", use the browse button to find the client1.ovpn file, then click on upload.
That's it. You should be ready to connect. Turn the service state button to ON.
You can enable the start to WAN option if you want the client to automatically connect to the VPN server when the router gets rebooted.

Auth digest: refer to your VPN provider or leave it default if you are not sure.
Accept DNS Configuration should be set to exclusive
Encryption cipher: refer to your VPN provider or leave it default if you are not sure.

Use "POLICY RULES" in "Redirect Internet traffic" for selective routing.
Enabling the Policy Rules feature gives you the freedom to route specific devices to the VPN and other devices to the local ISP. You can even have a device use the VPN but have specific addresses use the local ISP, or vice versa.

Please note:
When you are in a VPN tunnel the DNS is determined by the VPN, therefore if you redirect specific IP addresses to WAN (which is the local ISP) the DNS will show that of the VPN and not of the local ISP. This is also known as a DNS leak.
However, you can route your FTP or SMTP, which do not use DNS; therefore you can set up that all traffic goes to the VPN except for FTP and SMTP, so you can get your email or access your FTP without having it routed via the VPN.

When you enable Policy Rules you have an extra option, "block traffic if VPN goes down".
This is one of the best features when using Merlin firmware, because when it's enabled, if for some reason the VPN server drops the connection the router will suspend all traffic until the VPN client reconnects to the server. This way you won't leak your local IP address to the public.

Please refer to the second part of this article for examples using Policy Rules.

Enable the feature "Redirect Internet traffic" to "ALL Traffic" if you want all your devices to go through the VPN tunnel, which will exclusively use the DNS of the VPN.

Set compression to "none". Do NOT disable compression, because the VPN tunnel won't work.
Compression is not needed because jpg, mp3, mp4, smart phone etc. are all compressed data.

Here is a good chart you can bookmark for ports and certificates from PIA;

https://helpdesk.privateinternetacc...ings-should-I-use-for-ports-on-your-gateways-

Part II follows;
Good Evening. I was referred to this site from VPN University. My apologies if you have covered this situation previously. Here is my original question/post:

I recently upgraded to the Asus RT-AC5300 router. My current 3rd party VPN service is Private Internet Access (PIA). Support through email with them has been a challenge. I am using the 3rd-party ASUSWRT-Merlin firmware.
My goal:
1. Have the Ethernet ports on my network use my local ISP IP address. (Most of these items are smart plugs or low-traffic type items.)
2. First 5 GHz connected to VPN using PIA within the US on a server on the east coast.
3. Second 5GHz connected to VPN using PIA outside of the US (example UK)

Could this all be running at the same time on this router?
Any advice, feedback or instruction would be much appreciated as I am a novice.
 
Hello, you can sort of do what you want, but not exactly.
My suggestion is, if you want to have 2 different VPN locations, to get 2 different VPN service providers.
The problem in having 2 connections from one VPN provider is that most of the time if you enable 2 connections there is a great chance that you will get a router conflict and the VPN won't establish a connection. Basically the router crashes.

Here is my suggestion, read the guide carefully :)

Assuming you have read the guide, do the following.
Set up VPN on Clients 1 and 3.
First you will enable client 1 with AES-128 encryption and test the connection to make sure you are connected to the VPN server.
Now you will have to set up a policy rule for which PCs will use the VPN. The way we do this is by choosing specific static IP addresses that will always be on the VPN.
Because we are using IP addresses, a device can be on the 5 GHz or 2.4 GHz or LAN and be on the VPN, because these specific IP addresses have the VPN as their destination.
All the rest of the IP addresses will go via the local ISP.

Enable policy rules and also "Block routed clients if tunnel goes down". This will protect the VPN connection: if the VPN server drops the connection the router will stop internet to the VPN IP addresses and will only resume when it successfully connects to the VPN server.
Caution: if you enable 2 clients and you get a router conflict, the "block routed clients if tunnel goes down" protection goes out the window and your IP will leak to the public.
So please be advised not to have 2 clients from PIA enabled at the same time.
If you want to use separate clients, turn one off and enable the other. This is the only way you can make this work without issues. This is why I keep saying to get 2 different providers. Ideally, for every connection to a client you should be with a separate service provider.

Here are the rules you can apply. I am not sure how many devices you want to have going over the VPN, but let's say 15 IP addresses will get routed over the VPN and the rest will go to the WAN local ISP.

The rule below will dictate to the router to use 192.168.1.80-192.168.1.94; all the rest of the IP address range will be going on the WAN local ISP.

Source IP 192.168.1.80/28 Destination IP 0.0.0.0 Iface VPN

By creating this rule you will have the option of having 15 devices connecting to the VPN.

Once that works then you can disable the first client and enable the second client and do the same thing as above, but this time the IP range will be different.

Rule: IP addresses from 192.168.1.65-192.168.1.78 to VPN

Source IP 192.168.1.70/28 Destination IP 0.0.0.0 Iface VPN

In a perfect world you can have both VPN servers on and have 30 devices that will use client 1 or 2 depending on the IP address given.

If your needs are 2 clients then you have to get another company to provide the VPN for the second client.
Do not expect to run 2 clients from PIA at the same time; it will never work properly because their servers are pretty much all on the same subnet.
If you enable 2 services at the same time, chances are that you will never get on the VPN, the firewall of the router will crash, and you will be leaking DNS and your IP address will be local and not VPN.
If you don't like what you hear, stop the second client right there and only use one at a time. Trust me on what I am saying.

Unfortunately we are not living in a perfect world, and you cannot choose to have 5 GHz only for the VPN and the 2.4 GHz for the local ISP etc.
Keep in mind these routers are not business class, and they offer tons of features for a low price. There are going to be obvious limitations because of this.
And even if you had a high-end router, the same problem would apply if you had 2 clients running from one provider.

It is also very important to set up your IP pool. Use the guide as a reference.
If you get stuck anywhere let me know.

Cheers
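The policy rules in Part I and in the post above take a CIDR block as the source, so the range a rule really covers is decided by the CIDR arithmetic, not by the first and last address you had in mind. The following Python script is an added example, not code from this thread or from the Asuswrt-Merlin firmware: it lists every address a given "Source IP" CIDR matches (accepting a non-aligned address such as 192.168.1.70/28 and showing the network it actually denotes), computes the smallest set of CIDR blocks that covers a wanted first..last range, and reports any overlap between a rule and the DHCP pool, which is the "set up your IP pool" point made above. All addresses used are constructed from the ones in the post; only the standard library is used.

```python
"""Check which LAN addresses a Merlin policy rule with a CIDR source actually
covers, and find the CIDR blocks that match a wanted first..last range.
Added example, not from the thread or from the Merlin firmware; it uses only
Python's standard library and the constructed addresses below."""
import ipaddress


def rule_hosts(cidr):
    """Every address a 'Source IP <cidr>' rule matches, as strings.
    strict=False accepts a non-aligned address such as 192.168.1.70/28 and
    returns the network it really denotes (192.168.1.64/28)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(a) for a in net]


def cover_range(first, last):
    """Smallest list of CIDR blocks covering first..last inclusive.
    Each block would become its own policy rule with the same Iface."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def rule_pool_overlap(cidr, pool_start, pool_end):
    """Addresses of the rule that fall inside the DHCP pool pool_start..pool_end.
    Anything listed here can be handed out by DHCP and end up routed over the
    VPN by accident, so the static range for VPN devices should sit outside
    the pool."""
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    return [a for a in rule_hosts(cidr) if lo <= ipaddress.ip_address(a) <= hi]


if __name__ == "__main__":
    # Constructed values: the two rules from the post above and a DHCP pool
    # that has not been moved out of the way.
    for rule in ("192.168.1.80/28", "192.168.1.70/28"):
        hosts = rule_hosts(rule)
        print(f"{rule} matches {len(hosts)} addresses: {hosts[0]} - {hosts[-1]}")
    print("blocks covering .80-.94:", cover_range("192.168.1.80", "192.168.1.94"))
    print("blocks covering .65-.78:", cover_range("192.168.1.65", "192.168.1.78"))
    clash = rule_pool_overlap("192.168.1.80/28", "192.168.1.2", "192.168.1.90")
    print("rule addresses inside the DHCP pool:", clash)
```

Run it as-is to see the two rules from the post expanded; swap in your own CIDR, wanted range and DHCP pool bounds to check a rule before saving it in the router. A range that is not aligned to a power of two needs several blocks, and therefore several rules, to match exactly.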
 
FYI there are ways to load scripts and have VPN only on 5 GHz, but that is way complicated.
You can always give that a go; there are scripts on Merlin:
https://github.com/RMerl/asuswrt-me...or-VPN-and-SSID-for-Regular-ISP-using-OpenVPN.
Good luck getting that working :)
I would suggest you use the method I explained in the above post and forget this one, unless you have tons of free time on your hands and are ready for a major challenge that could take you months to figure out, and I doubt anyone will go through the trouble to help you out with scripts. You will be on your own with that one!
But I will not stop you from trying.
Here is more help with merlin Scripts and how to guides.
https://github.com/RMerl/asuswrt-merlin/wiki
 
Hey Yorgi, everything is working fine, but I thought I would try adding the Certificate Revocation List (Optional) to my setup, and I now see this:

Untitled1.png



But, if I remove the optional certificate, the DNS leak test works correctly like before: both have the same Canada IP address. I opened crl.rsa.4096.pem with a text editor and copied its entire content to "Certificate Revocation List (Optional)".

Any thoughts? The 209 USA IP is not mine, but maybe PIA's?

Here is the certificate (optional) for UDP 1197:
-----BEGIN X509 CRL-----
…
-----END X509 CRL-----
 
I realize that a CRL is not a certificate, it's a Certificate Revocation List, but that doesn't help me. Isn't this the file that I am supposed to place in there?
 
Hey Patrick
Yea, you have to paste the -----BEGIN X509 CRL----- etc. into Certificate Revocation List (optional).
You need to make sure you are set to Exclusive in the Accept DNS Configuration
Also Encryption cipher to AES-256-CBC
Make sure you download the right certificates for the 256 encryption and Auth digest SHA256
also custom configuration should be like this;
tls-client
remote-cert-tls server
ns-cert-type server
auth-nocache
mute-replay-warnings
disable-occ
The way you are now its showing the DNS of PIA which is ok but
it should show the IP of PIA and not a DNS as it is showing there.
So if I were to take a guess it would probably be the Exclusive option.
if that doesn't work I would default the VPN client and reboot the router and start it over again
If you go back and forth from Exclusive to Strict that will cause problems.
Let me know how it works out
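Both the custom-configuration list in Part I and the one in the reply above come down to a handful of OpenVPN directives, and it is easy to drop one when copying them into the router. The Python lint below is an added example, not code from this thread, from OpenVPN or from the Asuswrt-Merlin firmware: it parses an .ovpn-style configuration (skipping inline certificate blocks), checks for the recommended lines (remote-cert-tls server or ns-cert-type server, auth-nocache, disable-occ) and flags the cipher none / auth none combination of the port 1195 method from Part I. The two sample configurations are constructed for the example; the remote hostname and the CA block in them are placeholders, not real values.

```python
"""Lint an OpenVPN client configuration for the custom-configuration lines
recommended in Part I and in the reply above. Added example, not code from the
thread, from OpenVPN or from the Merlin firmware; the two sample configs are
constructed, and the remote hostname and CA block are placeholders."""
import re

# Constructed sample in the shape of a PIA-style UDP 1198 client config.
GOOD_OVPN = """\
client
dev tun
proto udp
remote <vpn-server-hostname> 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-128-CBC
auth SHA1
tls-client
remote-cert-tls server
ns-cert-type server
auth-nocache
mute-replay-warnings
disable-occ
comp-lzo no
<ca>
-----BEGIN CERTIFICATE-----
(placeholder: the provider's CA certificate goes here)
-----END CERTIFICATE-----
</ca>
"""

# Constructed sample of the "no encryption" port 1195 style from Part I.
WEAK_OVPN = """\
client
dev tun
proto udp
remote <vpn-server-hostname> 1195
cipher none
auth none
"""


def parse_ovpn(text):
    """Map each directive to the list of argument lists it was given, skipping
    comments and the contents of inline <tag>...</tag> blocks."""
    directives = {}
    inline = None
    for raw in text.splitlines():
        line = raw.strip()
        if inline is not None:
            if line == f"</{inline}>":
                inline = None
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            inline = m.group(1)
            continue
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def audit(directives):
    """Return (severity, finding) pairs; an empty list means every recommended
    line is present and neither the cipher nor HMAC auth is switched off."""
    def has(name, *want):
        return any(list(want) == args[:len(want)] for args in directives.get(name, []))

    findings = []
    # Without one of these the client accepts any certificate signed by the CA,
    # including another client's: the MITM case the OpenVPN HOWTO describes.
    if not (has("remote-cert-tls", "server") or has("ns-cert-type", "server")):
        findings.append(("high", "no-server-cert-check"))
    if not has("auth-nocache"):
        findings.append(("medium", "credentials-cached"))
    cipher = directives.get("cipher", [[]])[-1]
    if cipher and cipher[0].lower() == "none":
        findings.append(("high", "no-cipher"))
    auth = directives.get("auth", [[]])[-1]
    if auth and auth[0].lower() == "none":
        findings.append(("high", "no-hmac-auth"))
    # Only the link-mtu/cipher warnings Part I mentions; not a security issue.
    if not has("disable-occ"):
        findings.append(("info", "occ-warnings"))
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_OVPN), ("weak", WEAK_OVPN)):
        print(label, audit(parse_ovpn(text)) or "OK")
```

Paste the contents of your own .ovpn plus the router's custom-configuration box into a string and run audit(parse_ovpn(...)) on it. Either remote-cert-tls server or ns-cert-type server is accepted because ns-cert-type is deprecated in newer OpenVPN releases in favour of remote-cert-tls; mute-replay-warnings only affects logging and is not checked.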
 
Perfect. I'll make sure I have the correct settings. I thought I double checked. Maybe it was a lack of reboot. I am curious though, what's the point of the CRL? As you know, my system works perfect as is. Just wondering what the function of that is?

Cheers!
 
My bad. I had everything correct. When I originally received the poor results shown above, I went in and deleted the CRL (but didn't click save). Then rebooted and everything corrected. So, the CRL was in there all along. UGH! Sorry for wasting your time G! FYI, I still have "auth sha256" listed in custom.

Thanks again!
 
