Tutorial How to Setup a VPN client including Policy Rules for PIA and other VPN providers 384.5 07.10.18

[mirage22]

yes, I had the same question about reneg-sec o. Thank's for answering that Eric.
Same goes with TLS-CLIENT. is that needed?

 

[yorgi]

yes, I had the same question about reneg-sec o. Thank's for answering that Eric.
Same goes with TLS-CLIENT. is that needed?

Yes its needed.
You can always see if something is needed by uploading and Import .ovpn file
it will scan what you already have and only adds what is needed in the custom config.
I had added a few extra lines and that reneg 0 is one that I didn't know was incorporated in the client.
there is no perfect openvpn guide its a lot of hit and miss but I think this guide is now pretty accurate.
I will update if someone finds anything wrong

 

[Veldkornet]

Has anyone had any problems with OpenVPN Client using policy rules?

I have a few rules that redirect 0.0.0.0 where the destination is x.x.x.x.

Everything seems to be working fine in the beginning and works as expected, but after a few minutes the error below keeps repeating every 20 seconds and no devices have internet anymore. If I just redirect all traffic instead of using a policy, it seems to work fine.

Mar 24 22:34:39 openvpn[3574]: RESOLVE: Cannot resolve host address: <vpn_host>: Name or service not known
Mar 24 22:34:54 openvpn[3574]: RESOLVE: Cannot resolve host address: <vpn_host>: Name or service not known
Mar 24 22:35:14 openvpn[3574]: RESOLVE: Cannot resolve host address: <vpn_host>: Name or service not known
Mar 24 22:35:34 openvpn[3574]: RESOLVE: Cannot resolve host address: <vpn_host>: Name or service not known

*Note, <vpn_host> has the actual vpn server name that you would normally enter in the configuration page, and not the text "<vpn_host>".

Right before that repeated error is this:

Mar 24 22:34:19 openvpn[3574]: read TCPv4_CLIENT: Connection timed out (code=110)
Mar 24 22:34:19 openvpn[3574]: Connection reset, restarting [0]
Mar 24 22:34:19 openvpn[3574]: SIGUSR1[soft,connection-reset] received, process restarting
Mar 24 22:34:19 openvpn[3574]: Restart pause, 5 second(s)
Mar 24 22:34:24 openvpn[3574]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 24 22:34:24 openvpn[3574]: Socket Buffers: R=[87380->87380] S=[16384->16384]

Sent from my iPhone using Tapatalk

 

[yorgi]

Has anyone had any problems with OpenVPN Client using policy rules?

I have a few rules that redirect 0.0.0.0 where the destination is x.x.x.x.

Everything seems to be working fine in the beginning and works as expected, but after a few minutes the error below keeps repeating every 20 seconds and no devices have internet anymore. If I just redirect all traffic instead of using a policy, it seems to work fine.

Mar 24 22:34:39 openvpn[3574]: RESOLVE: Cannot resolve host address: <vpn_host>: Name or service not known
Mar 24 22:34:54 openvpn[3574]: RESOLVE: Cannot resolve host address: <vpn_host>: Name or service not known
Mar 24 22:35:14 openvpn[3574]: RESOLVE: Cannot resolve host address: <vpn_host>: Name or service not known
Mar 24 22:35:34 openvpn[3574]: RESOLVE: Cannot resolve host address: <vpn_host>: Name or service not known

*Note, <vpn_host> has the actual vpn server name that you would normally enter in the configuration page, and not the text "<vpn_host>".

Right before that repeated error is this:

Mar 24 22:34:19 openvpn[3574]: read TCPv4_CLIENT: Connection timed out (code=110)
Mar 24 22:34:19 openvpn[3574]: Connection reset, restarting [0]
Mar 24 22:34:19 openvpn[3574]: SIGUSR1[soft,connection-reset] received, process restarting
Mar 24 22:34:19 openvpn[3574]: Restart pause, 5 second(s)
Mar 24 22:34:24 openvpn[3574]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 24 22:34:24 openvpn[3574]: Socket Buffers: R=[87380->87380] S=[16384->16384]

Sent from my iPhone using Tapatalk

specific IP goes to VPN and all other traffic will automatically go to Local ISP

Under source IP put 192.168.xxx.xxx Destination IP 0.0.0.0 and lface VPN
add as many lines as you have devices that you want to use for VPN

also very important to enable
Block routed clients if tunnel goes down

 

[Veldkornet]

I am not sure of how you set it up but maybe this will help

This is for all traffic to go to VPN but specific IP address's go to Local ISP

Under source IP put 255.255.255.0 and Destination IP 0.0.0.0 and lface VPN

This is for Traffic that you want on Local ISP and do that for all devices you don't want going to VPN for each device put a new line with a new IP address;

Under source IP put 192.168.xxx.xxx Destination IP 0.0.0.0 and lface WAN

Or you can do it like this which would be specific IP goes to VPN and all other traffic will go to Local ISP

Under source IP put 192.168.xxx.xxx Destination IP 0.0.0.0 and lface VPN
add as many lines as you have devices that you want to use for VPN

Hmm okay, so I'm missing 1 rule I guess if I understand you correctly. I was under the assumption that this was done automatically. Ie, all clients will use the WAN, unless I specify in the rules that it should use the VPN.
Basically I want all traffic to use the normal WAN, but to a few specific destinations it should use a VPN (for all clients).

Does source have to be 255.255.255.0? Or does 0.0.0.0 also work?
So in other words I should change it like this?

Source: 255.255.255.0 Dest: 0.0.0.0 WAN (I don't currently have this added)
Source: 255.255.255.0 Dest: x.x.x.x VPN
Source: 255.255.255.0 Dest: x.x.x.x VPN
Source: 255.255.255.0 Dest: x.x.x.x VPN
Source: 255.255.255.0 Dest: x.x.x.x VPN
Source: 255.255.255.0 Dest: x.x.x.x VPN

 

[yorgi]

Hmm okay, so I'm missing 1 rule I guess if I understand you correctly. I was under the assumption that this was done automatically. Ie, all clients will use the WAN, unless I specify in the rules that it should use the VPN.
Basically I want all traffic to use the normal WAN, but to a few specific destinations it should use a VPN (for all clients).

Does source have to be 255.255.255.0? Or does 0.0.0.0 also work?
So in other words I should change it like this?

Source: 255.255.255.0 Dest: 0.0.0.0 WAN (I don't currently have this added)
Source: 255.255.255.0 Dest: x.x.x.x VPN
Source: 255.255.255.0 Dest: x.x.x.x VPN
Source: 255.255.255.0 Dest: x.x.x.x VPN
Source: 255.255.255.0 Dest: x.x.x.x VPN
Source: 255.255.255.0 Dest: x.x.x.x VPN

If you want all traffic to use local ISP and selected for VPN then just do it like this
In the example .50 and .51 will go to VPN everything else will automatically go to Local ISP
Under source IP put 192.168.1.50 Destination IP 0.0.0.0 and lface VPN
Under source IP put 192.168.1.51 Destination IP 0.0.0.0 and lface VPN

Dont change anything on destination IP leave those at 0.0.0.0
that should work for you without any problems.

 

[yorgi]

Also in LAN basic config in the IP Pool Starting Address put 192.168.1.100
as it is now by default DHCP uses 192.168.1.2-192.168.1.254
get those static IP address's to be out of the DHCP pool

another note
if you use Manually Assigned IP around the DHCP
make sure that the IP address's you use are in the Static Pool 192.168.1.2-192.168.1.99

otherwise it can really screw things up. I never understood why by default the DHCP takes all 254 address's by doing that, Static IP address's will not work properly

 

[Veldkornet]

If you want all traffic to use local ISP and selected for VPN then just do it like this
In the example .50 and .51 will go to VPN everything else will automatically go to Local ISP
Under source IP put 192.168.1.50 Destination IP 0.0.0.0 and lface VPN
Under source IP put 192.168.1.51 Destination IP 0.0.0.0 and lface VPN

Dont change anything on destination IP leave those at 0.0.0.0
that should work for you without any problems.

I actually want it the other way around...
For example, so all Facebook traffic from all clients should use the VPN.

So then I've added:
Under source IP put 0.0.0.0 Destination IP 66.220.158.68 and face VPN

And for the first 5-10 minutes it seems to work fine, and on the VPN status page I can see that traffic is passed through it. But then all of a sudden everything dies as I mentioned in my initial post because it seems like it can't fine the VPN host anymore. But when I don't use policy rules it works fine....

So, I was just wondering if it was me having a wrong config, or something else.

I have it setup as such:

Start with WAN Yes
Interface Type TUN
Protocol TCP
Server Address and Port Address: nl-am-001.privatetunnel.com Port: 443
Firewall Automatic
Authorization Mode  TLS
Username/Password Authentication No
Extra HMAC authorisation Outgoing (1)
Auth digest SHA1
Create NAT on tunnel Yes
------------------------------------------------------------
Global Log verbosity 3
Poll Interval 0
Accept DNS Configuration Exclusive
Encryption cipher BF-CBC
Compression None
TLS Renegotiation Time -1
Connection Retry -1
Verify Server Certificate No
Redirect Internet traffic Policy Rules
Block routed clients if tunnel goes down No
------------------------------------------------------------
FaceBook    0.0.0.0    66.220.158.68    VPN
------------------------------------------------------------
setenv USERNAME email@domain.com
remote-cert-tls server
sndbuf 0
rcvbuf 0
socket-flags TCP_NODELAY
auth-nocache

 

[yorgi]

I actually want it the other way around...
For example, so all Facebook traffic from all clients should use the VPN.

So then I've added:
Under source IP put 0.0.0.0 Destination IP 66.220.158.68 and face VPN

And for the first 5-10 minutes it seems to work fine, and on the VPN status page I can see that traffic is passed through it. But then all of a sudden everything dies as I mentioned in my initial post because it seems like it can't fine the VPN host anymore. But when I don't use policy rules it works fine....

So, I was just wondering if it was me having a wrong config, or something else.

I have it setup as such:

Start with WAN Yes
Interface Type TUN
Protocol TCP
Server Address and Port Address: nl-am-001.privatetunnel.com Port: 443
Firewall Automatic
Authorization Mode  TLS
Username/Password Authentication No
Extra HMAC authorisation Outgoing (1)
Auth digest SHA1
Create NAT on tunnel Yes
------------------------------------------------------------
Global Log verbosity 3
Poll Interval 0
Accept DNS Configuration Exclusive
Encryption cipher BF-CBC
Compression None
TLS Renegotiation Time -1
Connection Retry -1
Verify Server Certificate No
Redirect Internet traffic Policy Rules
Block routed clients if tunnel goes down No
------------------------------------------------------------
FaceBook    0.0.0.0    66.220.158.68    VPN
------------------------------------------------------------
setenv USERNAME email@domain.com
remote-cert-tls server
sndbuf 0
rcvbuf 0
socket-flags TCP_NODELAY
auth-nocache

I think this will help you. I found it in README-merlin.txt

To have all your clients use the VPN tunnel when trying to
access an IP from this block that belongs to Google:

RouteGoogle 0.0.0.0 74.125.0.0/16 VPN

 

[Veldkornet]

I think this will help you. I found it in README-merlin.txt

To have all your clients use the VPN tunnel when trying to
access an IP from this block that belongs to Google:

RouteGoogle 0.0.0.0 74.125.0.0/16 VPN

Well that's pretty much what I'm doing actually, except to a few specific IP's instead of a whole range.

@RMerlin, any ideas?

 

[yorgi]

Well that's pretty much what I'm doing actually, except to a few specific IP's instead of a whole range.

@RMerlin, any ideas?

try doing it like this maybe it will work better.
0.0.0.0 66.220.144.0/20 lface VPN
this is for facebook.com

 

[yorgi]

Well that's pretty much what I'm doing actually, except to a few specific IP's instead of a whole range.

@RMerlin, any ideas?

What method did you use to know that you where successful in routing Facebook via your VPN?
I am trying to do the same thing to see if I get the same issues you are getting

 

[Veldkornet]

Well FaceBook was just an example. But it's to specific IP's, not a range.

I suppose I can't thoroughly test that the route actually works unless all other traffic is disabled.
I was just looking at the VPN statistics and saw that data was sent/received. Also in my PrivateTunnel app I can see that data was used. Ie, I downloaded a 200MB file, and 200MB showed up in the statistics & app.

So it appears that the route works. But then then something happens, and all goes to hell.

If you are testing it, just leave it running for about 15-20 minutes. The problem usually occurs by then.

Even if the route is wrong and no traffic goes over the VPN though, it shouldn't be giving this problem and going ape ###%!


Sent from my iPhone using Tapatalk

 

[yorgi]

Well FaceBook was just an example. But it's to specific IP's, not a range.

I suppose I can't thoroughly test that the route actually works unless all other traffic is disabled.
I was just looking at the VPN statistics and saw that data was sent/received. Also in my PrivateTunnel app I can see that data was used. Ie, I downloaded a 200MB file, and 200MB showed up in the statistics & app.

So it appears that the route works. But then then something happens, and all goes to hell.

If you are testing it, just leave it running for about 15-20 minutes. The problem usually occurs by then.

Even if the route is wrong and no traffic goes over the VPN though, it shouldn't be giving this problem and going ape ###%!


Sent from my iPhone using Tapatalk

Turn off the power on your router and start it up again.
Something doesn't seem right on your end.
maybe that will help

 

[Veldkornet]

Yeah, just wanted to check that it was just me.

I'll do a factory reset and try again.

Thanks for looking into it


Sent from my iPhone using Tapatalk

 

[yorgi]

Yeah, just wanted to check that it was just me.

I'll do a factory reset and try again.

Thanks for looking into it


Sent from my iPhone using Tapatalk

Well from the problems you where having that made me learn more about selective routing.
and I tried what you are talking about with my VPN on and having the SMPT server use the Local ISP and it worked like a charm.
So whatever problems you had, a factory reset or upgrading the firmware will probably help for sure.
I am using the latest 380.58 Merlin

 

[Veldkornet]

I am also using Merlin 380.58

Anyway, after some late night home network maintenance, the problem seems to be solved!

However, in bad troubleshooting fashion, I did 4 different things in setup this time, so I'm not sure which caused the problem or may be in any way related.

1) I did a factory reset with the WPS button and setup everything from scratch.
2) I setup the client manually this time, the previous time I just imported the profile.
3) I used UDP 1194 instead of TCP 443 this time.
4) I have DNSCrypt running this time. Previously not.

Anyway, at least it working now. Or at least it has been for the last 12 hours anyway, so far so good


Sent from my iPhone using Tapatalk

 

[yorgi]

I am happy it worked out.
I am not sure about your VPN settings because you are not using PIA as your provider, but 1194 is a better port
when you loaded the openvpn config it added a bunch of stuff on the custom configuration which I would assume are important in achiving a proper connection;

setenv USERNAME email@domain.com
remote-cert-tls server
sndbuf 0
rcvbuf 0
socket-flags TCP_NODELAY
auth-nocache

double check that out.

I did quite a bit of research and test yesterday as well and I figured it out.
in regards to the Facebook example,
You would need to add the entire CDIR for Facebook to work right. maybe that's why you where getting problems.
this is the way you find out.

open command prompt and type nslookup facebook.com
you need to do a whois lookup on the IP you get from Facebook which is 173.252.120.68
go to this website https://www.whatismyip.com/ip-whois-lookup/ paste that address in the IP box
and do a whois search, the results are as follows
NetRange: 173.252.64.0 - 173.252.127.255
CIDR: 173.252.64.0/18
In the policy rules you would have to put it like this.
in the example below everything in the IP range of 192.168.1.1-192.168.1.254 will go to Local ISP
and the Facebook IP will go to VPN

192.168.1.0/24 0.0.0.0 WAN
source IP 0.0.0.0 destination IP 173.252.64.0/18 lface VPN

so basically 0.0.0.0 means any source IP in your case any IP in your network,
when the router sees the CDIR IP range it will automatically pass everything coming from Facebook through the VPN
This is great when you want SMPT for email which is normally blocked by the VPN service provider
and you can set a rule that everything goes via the VPN except for SMPT which goes to Local ISP
assuming the SMPT server is 74.123.214.22 the rule would be as follows;
So this example all traffic goes to the VPN and when the router sees that SMPT address it will send the data via Local ISP

192.168.1.0/24 0.0.0.0 VPN
0.0.0.0 74.123.214.22 lface WAN

What an amazing way to do things
thanks for bringing up that question, I really learned a lot about selective routing.
I put some more examples on the how to guide in regards to policy based routes.

Here is a good site to find out the CDIR of an IP range
http://networkcalculator.ca/ip-calculator.php

If anyone knows how to properly tests the IP range of Facebook to make sure the data is going via the VPN please let us know

 

[Veldkornet]

Yeah I use PrivateTunnel from OpenVPN, but indeed I added those extra parameters as well. Although "TCP_NODELAY" no longer does anything, tells me now in the logs that it's ignored, but it's there just in case

Also, now that it's working properly and no longer crashes out, I did indeed use the ranges instead of individual IP's, i.e. "x.x.x.0/24" etc.

Been testing it most of the morning, looks to be working 100%!

Thanks for looking into it with me!

Going back to the FaceBook example, instead of FaceBook, you could use Goolge for the tests (although I guess they have a lot more ranges to cover ) If you log into Gmail, it shows you what IP you're logged in from, or have logged on from previously. Maybe Facebook has something similar in their security settings somewhere.

But that IP that's shown should be different to the one that your ISP gives that you can also find in all of those whatsismyip websites.

 

[yorgi]

Yeah I use PrivateTunnel from OpenVPN, but indeed I added those extra parameters as well. Although "TCP_NODELAY" no longer does anything, tells me now in the logs that it's ignored, but it's there just in case

Also, now that it's working properly and no longer crashes out, I did indeed use the ranges instead of individual IP's, i.e. "x.x.x.0/24" etc.

Been testing it most of the morning, looks to be working 100%!

Thanks for looking into it with me!

Going back to the FaceBook example, instead of FaceBook, you could use Goolge for the tests (although I guess they have a lot more ranges to cover ) If you log into Gmail, it shows you what IP you're logged in from, or have logged on from previously. Maybe Facebook has something similar in their security settings somewhere.

But that IP that's shown should be different to the one that your ISP gives that you can also find in all of those whatsismyip websites.

Well the problem I am encountering is that a lot of the big sites use more then 1 IP address.
for example if you do a nslookup enough times on facebook you will get 2 address's and for ebay you get 6 address's
that would mean quite a few CDIR rules to cover each site and you still can't be sure when you visit that site if it will go though VPN or WAN
because the IP ranges seem to change often enough.

So what seems to be a great thing ends up being a nightmare. but in a perfect world this makes total sense because when you are on a VPN
and you want to go do your banking or check your email you don't necessarily want to visit with your VPN thus having to change from VPN to Local each time. with selective routing one can do it but how many address's would it take for each huge site. that is something to really think about. At least with SMPT server for email its good because you don't get a ton of IPs
so this policy based routing has its great features but a huge downfall at the same time

Hopefully someone can shed some fresh lite in this matter