Tutorial How to Setup a VPN client including Policy Rules for PIA and other VPN providers 384.5 07.10.18

I updated the article, and you no longer need to put the certificates on the jffs partition with paths in the custom configuration.
Please take a look at page one; it's all explained.
 
Thank you very much for your help. I managed to configure router. After formatting JFFS i needed to reboot the router again to have access to it. I copied required files and referenced it as you advised. It works like a dream. I'm getting 42Mbps.
 
That's all good, but I got it working now without having to set any paths or jffs partitions.
Go to page one of this article, and in the second part you will see the certificates and where to place them so it works without the setup you just did. It doesn't really make a difference, but if you ever update the firmware you may lose the files you copied to the JFFS partition. Also don't forget to disable SSH when you are done with it.
I would suggest you do it the article's way by copying the certificates to their appropriate places :)
 
I am going to try to configure the 3 configs (no encryption, strong encryption, recommended encryption) tonight with your guide. Do I not need to use RSA certs for AES-256-CBC w/ SHA256 on port 1197 or no encryption 1195? It seems you mention you only need RSA certs with port 1198.
Would using RSA certs with port 1197/1195 provide any additional security?

What is the advantage of using AES-128 on 1198 with RSA certs vs. AES-128 on port 1196 without?

Thanks. I will let you know if I run into any problems following the guide tonight!
 
Hi, I don't see any reference to the JFFS stuff on the first/second post; you should add it for people to find easily! I also don't see any mention of the config for 1195, can you post screenshots please?

I am going to try to configure the 3 configs tonight with your guide. Do I not need to use RSA certs for AES-256-CBC w/ SHA256 on port 1197 or 1195? It seems you mention you only need RSA certs with port 1198.
Would using RSA certs with port 1197/1195 provide any additional security?

Thanks. I will let you know if I run into any problems following the guide tonight!
Hi, I do mention the 256 certificates:
"Do the same procedure as above for aes-256-cbc with the exception that you are copying and pasting data from these certificates: crl-verify crl.rsa.4096.pem and ca ca.rsa.4096.crt" AES-256-CBC https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip
Check your private messages.
 
I just read your post now about not needing to copy the files over to JFFS anymore that we can now paste them into the CA.
This is good news!
I will try tonight and let you know how it goes

Thanks for you guide!
 
Yorgi, can you think of any reason why I would be getting disconnected from the Internet when I select the Client Control Service State switch to off after being on? This is happening to my iMac which has a static IP address. Everything returns to normal if I reboot the router. If I have my iMac wireless selected to DHCP this does not occur, only when on a static IP.

Is the static IP trying to use an address that is already assigned to another device?
 
Can you check in LAN/DHCP: the IP pool starting address should be 192.168.1.100 and the finishing address should be 192.168.1.254,
and make sure that all your static IP addresses are below 100, otherwise you will have problems.
Let me know if that works.
 
My IP pool starts at 192.168.0.100 and ends at 192.168.0.254 and all static IP's are below 100.
It's no big deal, I can live with it as it only involves a router re-boot but I am curious why it is happening.
Edit: I only have the static IP set in the iMac wireless settings and not on the router. I entered the iMac static IP of 192.168.0.16 into the router's manual assignment; it made no difference, the internet drops off when I turn the VPN off and a router reboot is required to resume internet connectivity with the local ISP IP.
If I turn VPN back on all is ok again, I resume internet connectivity.
I thought it may have something to do with "Block routed clients if tunnel goes down", turned it off but not that, same result. By the way, it is only the devices that are listed under policy rules that are affected, no others. And also it does not affect LAN connectivity, just internet which to me pointed to that switch above.


Changed from static IP to auto in iMac wireless setting and it certainly is registering the static IP as I have entered in manual assignment under LAN/DHCP server settings.

When you went to LAN and enabled manual assignments at the bottom, did you give the laptop the same IP address,
192.168.0.16?
Did you try giving the Mac another IP address, like 192.168.0.50?
You mentioned policy rules and VPN.
Can you please take a screenshot of the rules? Maybe you did a CIDR range that includes the Mac? Is the Mac supposed to be part of the rules? Does it do VPN only, or the ISP?
So far you haven't done anything wrong, but I have a feeling your rules may be causing this issue.
Let us know :)
 
Yes

Tried that. It is not only the Mac that exhibits this behaviour, it is any device under policy rules. I have a NAS, shown as Diskstation under policy rules, that also
will lose internet connectivity when the VPN switch is set to off.

I have 3 devices under policy rules that I want to have VPN access at certain times; I turn off the VPN when I want my full ISP speed back.


I am still wondering if this is the cause: a firmware bug that is blocking the clients when it sees the tunnel go down,
even though I have turned the VPN off?
Hi
This is perfectly normal. When you put in a policy rule saying that these IP addresses will go to the VPN, and then you turn off the VPN, it is normal that you will have no internet. The router doesn't see a connection, therefore it blocks all traffic, as it's supposed to do.
So please don't change your setup.
If you want to use your local ISP, just manually change the IP address on your Mac to any other IP than .3, .16 or .17,
so just give it 192.168.0.80, gateway 192.168.0.1, DNS 192.168.0.1 and subnet 255.255.255.0,
or even simpler, change to DHCP and you are guaranteed internet :) as you were doing before.
Then you will have internet access on your laptop without having to stop the VPN service.
I have scripts I run on my Windows PC when I want to change from the VPN static IP to local ISP DHCP.
I am not sure how to make scripts on a Mac to change from static to DHCP;
search Google and I am sure someone will have a script to do that :)
 
Also remember, when you are on a VPN and for some reason the server hiccups, you want the router to stop all traffic; otherwise
what is the use of having a VPN, right? This is why it's normal when you tell it to "block routed clients if the internet goes down", as you did with the 3 IP addresses you entered. So the reason you were not having problems when you were changing the laptop to DHCP is that the DHCP range is not covered by the VPN range.
I hope it makes more sense now :)
 
Ah ok, I would have assumed if you purposely turn the VPN off, as it's a deliberate action by me, then it would ignore the "blocked routed clients if tunnel goes down" switch.
I will just continue with re-booting the router, don't have to change anything that way.
Thanks for your input.
Why are you rebooting the router? You don't have to reboot anything.
All you have to do is change the IP address of your Mac and then you will have ISP internet.
"blocked routed clients if tunnel goes down" is normal. If you are on a VPN and the server goes down, would you like everyone to see your IP address? I would assume NO. So leave it like that. When the router sees the IP address of the Mac, 192.168.0.16, it will route it to the VPN;
in the other scenario, when the router sees the Mac with a DHCP address, it will route it via the local ISP, being your internet service provider.
Are we on the same page?
 
I can see the point of "blocked routed clients if tunnel goes down" switch if the VPN server goes down but not if I deliberately turn the VPN off.
When you manually turn the VPN OFF, it's the same thing as having the feature "blocked routed clients if tunnel goes down".
If you are using policy rules and you are saying that IP address .16, which is your Mac, goes to the VPN,
then if you turn off the VPN it is normal that you won't get any internet on the Mac.
"blocked routed clients if tunnel goes down" is for when it happens unexpectedly, like a server going down for a second or so; the devices in the rules will stop getting internet until the ROUTER sees the connection to the VPN server is back.
But when you turn off the VPN purposely, it will not allow any internet to the IP addresses that you have assigned in the rules.
So basically these 3 devices are on your policy rules: iMac, Diskstation and Parallels. They have static IP addresses that are bound to the VPN.
If for any reason the VPN is turned OFF manually or the server hiccups, there will be no internet to these addresses until the VPN server is back up again. So the only way to get internet to the devices that are on the policy rules is to change their IP address to any other address.
Just change your iMac address to 192.168.0.50 and it will go to your internet service provider, and your Mac will now show the ISP's address. Change the IP back to 192.168.0.16 and you will be on the VPN. There is no reason for a reboot. I am still stumped as to why you are rebooting.
There is nothing wrong with your router or firmware.
Do you have 100 computers on static? Because if you do and you need more, just change your subnet to 255.255.0.0; now you can have thousands of computers, 192.168.xxx.xxx.
From what I see there are 3 addresses out of 100 that you are using, so there is no reason why you cannot assign a static IP address to your iMac which is not in the same range as your VPN rules. You have 96 left :)
I hope you understand now, because I don't think we were on the same page.
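The routing model described in the reply above, written out as an added example (not code from the thread or from the router firmware): it checks a LAN plan for the pitfalls raised in this thread (static addresses inside the DHCP pool, a CIDR rule that swallows DHCP leases) and predicts where a client's traffic goes when the VPN client is up or switched off with "Block routed clients if tunnel goes down" enabled. All addresses, MAC addresses and the device-to-IP mapping are constructed for illustration.

```python
import ipaddress

# Constructed LAN plan mirroring the thread: pool .100-.254, three devices
# routed to the VPN (.3, .16, .17; which is which is assumed), kill switch on.
LAN = ipaddress.ip_network("192.168.0.0/24")
DHCP_POOL = (ipaddress.ip_address("192.168.0.100"),
             ipaddress.ip_address("192.168.0.254"))
MANUAL_ASSIGNMENTS = {"aa:bb:cc:dd:ee:01": "192.168.0.16"}  # constructed MAC
POLICY_RULES = [  # (description, source address or CIDR, interface)
    ("iMac", "192.168.0.16", "VPN"),
    ("Diskstation", "192.168.0.3", "VPN"),
    ("Parallels", "192.168.0.17", "VPN"),
]
BLOCK_ON_TUNNEL_DOWN = True


def check_plan(lan, pool, manual, rules):
    """Return a list of problems: statics inside the pool, rules over the pool."""
    problems = []
    start, end = pool
    for mac, ip in manual.items():
        addr = ipaddress.ip_address(ip)
        if start <= addr <= end:
            problems.append(f"manual assignment {ip} ({mac}) lies inside the DHCP pool")
        elif addr not in lan:
            problems.append(f"manual assignment {ip} ({mac}) is outside {lan}")
    for name, src, _ in rules:
        net = ipaddress.ip_network(src, strict=False)
        # A CIDR rule captures every host in the range, including DHCP leases,
        # so a device that "should" be on the ISP may be bound to the VPN.
        pool_hosts = [h for h in net.hosts() if start <= h <= end]
        if net.num_addresses > 1 and pool_hosts:
            problems.append(f"rule '{name}' ({src}) covers {len(pool_hosts)} DHCP pool addresses")
    return problems


def route_for(client_ip, rules, vpn_up, kill_switch):
    """Predict the path for one client: 'VPN', 'ISP' or 'BLOCKED'."""
    addr = ipaddress.ip_address(client_ip)
    for _, src, iface in rules:
        if addr in ipaddress.ip_network(src, strict=False):
            if iface != "VPN":
                return "ISP"
            if vpn_up:
                return "VPN"
            # Tunnel down, whether it dropped or was switched off by hand: the
            # router makes no distinction, so the client is held rather than leaked.
            return "BLOCKED" if kill_switch else "ISP"
    return "ISP"  # not matched by any rule: always the ISP


if __name__ == "__main__":
    for p in check_plan(LAN, DHCP_POOL, MANUAL_ASSIGNMENTS, POLICY_RULES):
        print("warning:", p)
    for ip in ("192.168.0.16", "192.168.0.50", "192.168.0.120"):
        for up in (True, False):
            print(ip, "VPN up" if up else "VPN off", "->",
                  route_for(ip, POLICY_RULES, up, BLOCK_ON_TUNNEL_DOWN))
```

Moving the iMac to .50 is the "ISP" row in the output, which is the workaround the reply proposes; disabling the kill switch would instead leak the three devices to the ISP whenever the tunnel drops.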
 
Doesn't work if I change it to 192.168.0.50, because 192.168.0.16 is bound to the iMac's MAC address in the router's static IP address assignment, and it always will be 192.168.0.16.
Unless I am missing something here.
As I said, I need my iMac to have a static IP. Changing it to another IP brings in other issues.
It is just as easy to turn the VPN off then reboot the router and my iMac is then back on my local ISP IP and not on the VPN IP.
If you reboot the router and the iMac goes to the local ISP on 192.168.0.16, you have a major problem. It's not supposed to do that.

There is no reason to bind the iMac in DHCP. That is your problem. Remove the MAC address from Manually Assigned IP around the DHCP list. Manually assign 192.168.0.16 to the iMac, from the Mac operating system. It will always have VPN as long as its address is 192.168.0.16; there is no way for it to change on its own. Do it on the Mac level. So long as you give it the static IP .16 you will be on the VPN. Change the IP to anything else and it will be the local ISP. I still don't understand the reboot part.
I would read this stuff carefully because I don't know how else to explain it. All your configurations seem to be right, with the exception that you are confusing VPN with local ISP and selective routing. I am also very alarmed that when you reboot the router and you don't change the IP address it comes back on the local ISP, unless you are not explaining yourself properly.
 
Do this on your iMac:
change it from DHCP to a static IP for VPN

IP 192.168.0.16
subnet 255.255.255.0
gateway 192.168.0.1
DNS 192.168.0.1

if you want to change to the local ISP

IP 192.168.0.50
subnet 255.255.255.0
gateway 192.168.0.1
DNS 192.168.0.1

This is done on the Mac and not on the router. It is impossible for the Mac to change the IP address on its own, therefore it is bound to the VPN,
but you have the option to change the address to anything other than the 3 IP addresses that you put in the rules.
Please try to understand this, otherwise you are in the dark. There is no reason to reboot a router all the time to achieve what you want.
I hope you take my suggestions and do it right. This is why you came to the forum. Start reading and stop assuming :)
I am here to help!
 
Hi All,

Yorgi, thanks for taking the initiative to create this thread. I posted this same message in another thread of this forum, but haven't got any reply yet.

I have the RT-AC87R with the latest Merlin v380.59 installed. I have succeeded in setting up the dual connection with the PACE 5168N, as can be seen in one of the files attached to this message. Both routers are working fine, interconnected, and either router can stream to my Roku box. All my Wi-Fi networks are working well. But I can not make my VPN work yet and I do not know what I'm doing wrong.

1. When I checked the VPN Status, it reads "Running, or Connecting..." and it takes forever hanging. Attached is also the "VPN System Error Log - syslog" to help you understand the problem I have.

2. Another problem that I have noticed is that, when I connect my laptop to the RT-AC87R, I can enter the interface of both the ASUS RT-AC87R and the PACE 5168N. But when I connect the laptop to the PACE 5168N, I can only browse the interface of the PACE 5168N. No access to the RT-AC87R. What am I doing wrong? Note that my WAN IP on the RT-AC87R is supplied by the 5168N and the RT-AC87R is configured in the PACE 5168N as a Supplementary Network.


3. I have read messages from other threads and I understand that the DD-WRT firmware for RT-AC87U can as well be flashed on RT-AC87R. Must my RT-AC87R be flashed with the DD-WRT firmware in order to make the VPN work?

4. Must my dual connection be bridged in order to make the VPN work? I want the RT-AC87R to be my VPN Router and the PACE 5168N connected to the wall be my Internet Router so that I can connect my laptop to any of the routers for specific purpose. I will not be using my laptop always with VPN.

5. In a dual connection of routers like this, do I also need to set up the VPN Server on the RT-AC87R?

6. Why are some using the L2TP protocol while my VPN provider (Private Internet Access) is using the OpenVPN?

7. The problem now is that I can't make the VPN connection work. I need someone to just tell me what I'm doing wrong and how to set up each interconnected router so that they work together. I know it is possible because others have succeeded in using multiple routers set up for VPN. Both of my routers are very popular (ASUS RT-AC87R and PACE 5168N). See the attached files for any relevant reference. Note that the firmware of the PACE 5168N and 5268AC are 99% identical.

I have written to my VPN technical support (PIA) but it looks like they have no time to look into my problem. The Private Internet Access has no information on setting up 2 routers.

Regards.
 

I see your problem. You are using port 1198.
You need to choose port 1196 for AES-128-CBC with this certificate, which you copy and paste into Content modification of Keys & Certificates, under Certificate Authority:


If you want to use port 1198 with the new RSA certificates take a look at the how to guide because it got updated.


I don't see any mention of 1196 in the first post, can you update it please?


So I have just tried to set up the strong encryption, and it is failing.
Please see my system log:
http://pastebin.com/dmWnusxr

 
1196 was AES-128-CBC, which is no longer supported.
Use 1198, which has replaced it and uses 2 new certificates.
Did you download the certificates for AES-256-CBC for port 1197?
Everything looks right, so I would assume your problem is that you need to copy and paste the 2 certificates in their proper location
in Content modification of Keys & Certificates.
Read the second part of the article for the exact location to paste these certificates.
 
It's not possible. It should work. I tested it on my side and there is no problem with the configuration.
Does the service get enabled with a green light, or does the light never go on?
Did you click on the service state to turn on the client?
Please do this: clear your system log and then turn the service on, then copy and paste the log so I can see it.
Did you try to power off the router and then power it on again?
It's a mystery why it's not working for you.
Are you sure you downloaded the right certificates?
ca.rsa.4096.crt
crl.rsa.4096.pem
 