Tutorial How to Setup a VPN client including Policy Rules for PIA and other VPN providers 384.5 07.10.18

[yorgi]

can it be that you have another client configured with PIA on another client instance with a policy rule for the same IP that you are using now? Make sure you are on DHCP and there are no other clients configured or if they are that the service is off.
if you have any policy rules for another client, make sure you are not on the same IP range of the other clients policy rules.
Please get back to me.

 

[yorgi]

Did you have a previous client setup on the same Client Instance client 1?
if so you should click the default to enter the data fresh.
I would also recommend a reboot after you do you default.
and finally I would try another client instance maybe 2 or 3. something seems weird.
did you ever have any success with VPN connections with this Router?
I have give you a few options to try.
get back to me

 

[yorgi]

Hi Sunnylink

First of all do not put DD WRT on your 87U because its old firmware and its beta and it doesn't support half the features the it should.

Because the PACE cannot do bridge mode I would use it as your router for Local ISP and use the 87U as the VPN router because its a way better router and it can handle the encryption.

Take your PACE 5168N and connect to the internet with it.
Make sure DHCP is enabled with this router.
Make sure the IP address is 192.168.1.1
once you have internet connection you are ready for the 87U
get into the 87U and change its address to 192.168.1.2
disable DHCP on this router.
Now connect the LAN out from the PACE router to the LAN in of the 87U
now get into the 87U and configure the VPN client as shown in my guide.
Once you get the VPN client going make sure to set all traffic goes to VPN

now when you connect to router A wifi you will have local ISP
if you connect to Router B wi fi you will have VPN

You can also set it up with Static IP addresses,
for computers that you want to use Local ISP
set them up like so
IP 192.168.1.50
subnet 255.255.255.0
gateway 192.168.1.1
dns 192.168.1.1

if you want to use the VPN
IP 192.168.1.50
subnet 255.255.255.0
gateway 192.168.1.2
DNS 192.168.1.2

This is the scenario as in your pdfs

 

[yorgi]

Yup did that step already! Any other ideas?

check above for options you can do

 

[sunnylink]

Hi Sunnylink

First of all do not put DD WRT on your 87U because its old firmware and its beta and it doesn't support half the features the it should.

Because the PACE cannot do bridge mode I would use it as your router for Local ISP and use the 87U as the VPN router because its a way better router and it can handle the encryption.

Take your PACE 5168N and connect to the internet with it.
Make sure DHCP is enabled with this router.
Make sure the IP address is 192.168.1.1
once you have internet connection you are ready for the 87U
get into the 87U and change its address to 192.168.1.2
disable DHCP on this router.
Now connect the LAN out from the PACE router to the LAN in of the 87U
now get into the 87U and configure the VPN client as shown in my guide.
Once you get the VPN client going make sure to set all traffic goes to VPN

now when you connect to router A wifi you will have local ISP
if you connect to Router B wi fi you will have VPN

You can also set it up with Static IP addresses,
for computers that you want to use Local ISP
set them up like so
IP 192.168.1.50
subnet 255.255.255.0
gateway 192.168.1.1
dns 192.168.1.1

if you want to use the VPN
IP 192.168.1.50
subnet 255.255.255.0
gateway 192.168.1.2
DNS 192.168.1.2

This is the scenario as in your pdfs

Yorgi,

Thanks so much for your quick response. Before writing you, I had my two routers connected as you said: "Because the PACE cannot do bridge mode I would use it as your router for Local ISP and use the 87U as the VPN router because its a way better router and it can handle the encryption". So your reply confirms that my problem wasn't my connections, it was the configuration of my VPN in ASUS RT-AC87R. Remember, I told you that the 2 router work well with my Roku Box.

I followed the instructions on the first page of your thread, and I got my VPN working like a charm! (thanks for your patience & great job). I did the followings:

Local ISP router connected to the wall - PACE 5168N (port: DSL, not the RJ-45)
VPN router - ASUS RT-AC87R (port: RJ-45, not DSL). For this reason, I had connected ASUS behind PACE.

I did not set any VPN Server.

I opened the interface of ASUS RT-AC87R, and in the VPN Client, I made all the corrections as you have given on the first page of this thread.

I used port 1198 and AES-128-CBC

From the file openvpn.zip, I extracted ca.rsa.2048.crt and crl.rsa.2048.pem.

Copy and Paste the content of ca.rsa.2048.crt to "Certificate Authority"

Copy and Paste the content of crl.rsa.2048.pem to "Certificate Revocation List"

For Custom Configurations, I only added the followings:
tls-client
remote-cert-tls server
ns-cert-type server
auth-nocache
mute-replay-warnings

That's all; it's working like a charm. CPU temperature always 63 degree Celsius & below. See the attached the attached image.

===================================

Notes:

My WAN DNS in ASUS RT-AC87R is the gateway of my non-VPN hardware (PACE 5168N) connected to the wall.

I have the DHCP enabled on both routers.

If I configure the ASUS RT-AC87R to Static IP, the dynamic IP of the internet connection from my ISP in PACE changes from time to time and that will make the VPN router ASUS RT-AC87R to get disconnected if on Static IP and no longer matches with that of the changing PACE. Do you think that the solution is to buy a Static IP from my Internet Service Provider?

Have a look at the file that I have attached, named "IP Address Allocation - 5168N Broadband Modem". When you said that I can also do my set up with Static IP addresses, for computers (or devices) that I want to use Local ISP, do you mean that the setup can be done as given in that file?

Warm regards.

 

[yorgi]

Yorgi,



My WAN DNS in ASUS RT-AC87R is the gateway of my non-VPN hardware (PACE 5168N) connected to the wall.

I have the DHCP enabled on both routers.

If I configure the ASUS RT-AC87R to Static IP, the dynamic IP of the internet connection from my ISP in PACE changes from time to time and that will make the VPN router ASUS RT-AC87R to get disconnected if on Static IP and no longer matches with that of the changing PACE. Do you think that the solution is to buy a Static IP from my Internet Service Provider?

Have a look at the file that I have attached, named "IP Address Allocation - 5168N Broadband Modem". When you said that I can also do my set up with Static IP addresses, for computers (or devices) that I want to use Local ISP, do you mean that the setup can be done as given in that file?

Warm regards.

You cannot have DHCP enabled on both routers.
Only one router can do DHCP. disable it on on the 87U please.
This is why you are getting disconnections.
then everything will work right.
As I can see you are connected to the VPN without any issues and your Router A is supplying the internet to the 87U

When I said static IP addresses i meant on your devices.
Like a windows PC you can configure it so that it can have a static IP instead of using wi fi

so if you want to connect to local ISP go to the wifi of your PACER, if you want VPN go to the WiFi of your 87U
its normal that the gateway of 87U is that of the first router.
Just make sure that you use ipleak.net and see if when you are connected to the VPN client you have a different IP then your local ISP

let me know if that worked. then I can explain things a bit better about static IP
but for now I want you to be able to connect to local ISP with router A and VPN on router B
is this working for you like this?

 

[yorgi]

Its normal for the router A DSL to loose connection and that will drop the VPN
you don't need a Static IP when the DSL resumes you will get a new IP on your router A but the Router B VPN will reconnect and will be working again. Please leave the IP address Static on the 87U and disable DHCP

 

[yorgi]

You can also do this which I would recommend. Disable DHCP from the PACER
and enable DHCP on the 87U and then do the IP pool start at 192.168.1.100 and pool end 192.168.1.254
this way you keep the range from 100-254 for DHCP
and 1-99 for Static IP this is probably the optimum way.
let me know

 

[sunnylink]

You can also do this which I would recommend. Disable DHCP from the PACER
and enable DHCP on the 87U and then do the IP pool start at 192.168.1.100 and pool end 192.168.1.254
this way you keep the range from 100-254 for DHCP
and 1-99 for Static IP this is probably the optimum way.
let me know

I will let you know as soon as possible. With this we are talking about, right now the PACE (ISP router) controls the ASUS (VPN router). If we do it the other way round by disabling the DHCP on PACE and enabling the DHCP on ASUS (VPN router), will the ASUS control the PACE?

 

[yorgi]

I will let you know as soon as possible. With this we are talking about, right now the PACE (ISP router) controls the ASUS (VPN router). If we do it the other way round by disabling the DHCP on PACE and enabling the DHCP on ASUS (VPN router), will the ASUS control the PACE?

DHCP is nothing to do with controlling anything.
Think of it this way. A device needs an IP address in order to connect to a service weather being Local ISP or VPN.
where the address comes from doesn't really matter. This is why you cannot have both routers giving DHCP addresses they will run into major conflicts and you will have devices that will connect and disconnect or even never be able to connect.
So just use the better router which is the 87u, enable DHCP along with the POOL start and finish as I mentioned earlier on that router and disable it on the PACE.
this way when a device needs an IP it will get it from the ASUS router and once its connected depending on which wi fi or gateway you connect to that will dictate what service will be given either local ISP or VPN.

 

[yorgi]

and one other thing. No router controls any other router. The PACE is still the first router which it gets its address from the ISP which has a DHCP server on their end and connects to your WAN and your PACE gets an IP from ISP.
Then the internet is carried over to the ASUS when need be, this is because you gave each router a static IP so they don't need a DHCP server to get their address. if you use local ISP it will come from the PACE if you use VPN it will come from the Router. But DHCP can only come from one router this is why we need it to be on the ASUS which will only give addresses to the devices.
The Asus will give addresses to PACE router for its clients and also for the VPN clients.
it may sound complicated but just do it that way.

 

[sunnylink]

and one other thing. No router controls any other router. The PACE is still the first router which it gets its address from the ISP which has a DHCP server on their end and connects to your WAN and your PACE gets an IP from ISP.
Then the internet is carried over to the ASUS when need be, this is because you gave each router a static IP so they don't need a DHCP server to get their address. if you use local ISP it will come from the PACE if you use VPN it will come from the Router. But DHCP can only come from one router this is why we need it to be on the ASUS which will only give addresses to the devices.
The Asus will give addresses to PACE router for its clients and also for the VPN clients.
it may sound complicated but just do it that way.

Thanks so much for your detailed explanation. Well understood, but do you know that I still have my ASUS configured with an automatic IP in the WAN instead of static IP? I think I will prepare to send you all the pages of the configurations of both routers so that you see all what is going on. First, I will do all that you have told me.

I'm glad I'm learning so much from you!

 

[yorgi]

Thanks so much for your detailed explanation. Well understood, but do you know that I still have my ASUS configured with an automatic IP in the WAN instead of static IP? I think I will prepare to send you all the pages of the configurations of both routers so that you see all what is going on. First, I will do all that you have told me.

I'm glad I'm learning so much from you!

Thats fine,
I am not talking DHCP in the WAN I am talking DHCP on the LAN side of things.
both router do DHCP for the devices. So you need to disable DHCP server on one of routers,
Go to ASUS router in LAN tab on the left and then DHCP server
under basic config you will see Enable the DHCP Server..Disable that and you are good.
WAN on the PACE is configured to your modem so don't touch that.
WAN for the asus won't make a difference how you set it up because you are not using a WAN port with the ASUS so stop talking about WAN and ASUS and Static IP in that area. it wont make any difference. When you setup a Static IP for the ASUS router to network with the other Router you do it in LAN tab then LAN IP and then Configure the LAN setting of RT-AC87U.
Thats where you would put a static IP for the ASUS router which was 192.168.1.2
So basically you are connected PACE LAN to ASUS LAN ANd not need to configure WAN IP for ASUS just LAN IP set to static and disable DHCP server on the ASUS.
I hope this makes more sense

 

[sunnylink]

Thats fine,
I am not talking DHCP in the WAN I am talking DHCP on the LAN side of things.
both router do DHCP for the devices. So you need to disable DHCP server on one of routers,
Go to ASUS router in LAN tab on the left and then DHCP server
under basic config you will see Enable the DHCP Server..Disable that and you are good.
WAN on the PACE is configured to your modem so don't touch that.
WAN for the asus won't make a difference how you set it up because you are not using a WAN port with the ASUS so stop talking about WAN and ASUS and Static IP in that area. it wont make any difference. When you setup a Static IP for the ASUS router to network with the other Router you do it in LAN tab then LAN IP and then Configure the LAN setting of RT-AC87U.
Thats where you would put a static IP for the ASUS router which was 192.168.1.2
So basically you are connected PACE LAN to ASUS LAN ANd not need to configure WAN IP for ASUS just LAN IP set to static and disable DHCP server on the ASUS.
I hope this makes more sense

Thanks so much. Well understood. The followings are the results of my experiments. If you would not mind, please number your answers so that I know which question you are answering.

1. Having DHCP enabled on both routers, PACE (ISP router) & ASUS (VPN router), my Roku media works on both, but sometimes I experience disconnections

2. If DHCP is enabled on ASUS but disabled on PACE, internet access on both routers are lost. I have to reset PACE to regain the internet access.

3. If DHCP is enabled on PACE and disabled on ASUS, my Roku box works well. I have not noticed disconnection so far.

4. When I was using only the DNS (without VPN) on my Roku, I could view some channels that I can no longer view when connected to the VPN and vice versa. Why does the use of VPN overrides the DNS even though I still have the DNS on my routers as they were?

5. Testing with the ipleak.net, my local IP Address shown was 192.168.1.87, but my real local ISP IP at the time of test was 206.45.xx.xx.

Regards.

 

[yorgi]

Thanks so much. Well understood. The followings are the results of my experiments. If you would not mind, please number your answers so that I know which question you are answering.

1. Having DHCP enabled on both routers, PACE (ISP router) & ASUS (VPN router), my Roku media works on both, but sometimes I experience disconnections

2. If DHCP is enabled on ASUS but disabled on PACE, internet access on both routers are lost. I have to reset PACE to regain the internet access.

3. If DHCP is enabled on PACE and disabled on ASUS, my Roku box works well. I have not noticed disconnection so far.

4. When I was using only the DNS (without VPN) on my Roku, I could view some channels that I can no longer view when connected to the VPN and vice versa. Why does the use of VPN overrides the DNS even though I still have the DNS on my routers as they were?

5. Testing with the ipleak.net, my local IP Address shown was 192.168.1.87, but my real local ISP IP at the time of test was 206.45.xx.xx.

Regards.

When you say DHCP on both routers are you meaning DHCP server or DHCP for WAN?
you are seriously missing the point.

If things are working why are you playing around with the WAN settings?
just disable DHCP server on ASUS like I mentioned and that's it.

There are companies like Netflix who are banning VPN because of geological reasons. Its probably the case with your TV stations.

When you test with ipleak.net take a look at your DNS, when you are on the VPN the IP and DNS are the same'
when you are on Local ISP the IP is that of ISP and DNS is whatever you set it up to be. google, openvpn etc.
you can set that here Connect to DNS Server automatically say no and you have 2 dns entries. you can change to google and opnedns or whatever you like.

 

[sunnylink]

and one other thing. No router controls any other router. The PACE is still the first router which it gets its address from the ISP which has a DHCP server on their end and connects to your WAN and your PACE gets an IP from ISP.
Then the internet is carried over to the ASUS when need be, this is because you gave each router a static IP so they don't need a DHCP server to get their address. if you use local ISP it will come from the PACE if you use VPN it will come from the Router. But DHCP can only come from one router this is why we need it to be on the ASUS which will only give addresses to the devices.
The Asus will give addresses to PACE router for its clients and also for the VPN clients.
it may sound complicated but just do it that way.

Hi Yorgi,

I'm still reading about the concept of VPN which is very interesting. Later I will ask you concrete questions to get out the loop.

Regards.

 

[p1r473]

Yes, I downloaded the strong 4096 certs. I clicked the service state to turn it on. The green light turns on on service state, and also the status page shows I'm connected

I've tried rebooting the router.

Here is my system log:
http://pastie.org/10927470

Thanks for your help!

 

[yorgi]

Yes, I downloaded the strong 4096 certs. I clicked the service state to turn it on. The green light turns on on service state, and also the status page shows I'm connected

I've tried rebooting the router.

Here is my system log:
http://pastie.org/10927470

Thanks for your help!

If you where in the same client your best bet is to restore defaults to the client because the certificates wont erase and you maybe stuck with 128 certificate for authority and the 256 for CRL so I would suggest you click on the default button on that client and start it again fresh.

 

[p1r473]

I have fixed it! In your first post, under AES-256-CBC port 1197, in the picture you are using CFB instead of CBC.
Can you update the picture to show CBC instead of CFB so other people won't get confused?
I am using CBC now instead of CFB as your picture shows and it works.

Also, question about policy rules: I want to route all traffic through the VPN, but also use the Merlin option "block traffic if VPN goes down".
Can I just provide 0.0.0.0 for both source and destination to route all traffic?
Thanks

Here was the pic you provided:
AES-256-CBC port 1197
View attachment 6798

 

[yorgi]

Good call. Thanks for that I will update the article.
Those pictures are just for a reference I did mention AES-256-CBC at least 10 times
I appreciate the input and I am happy that you got it working.

For all traffic to go to VPN this is the rule, I am pretty sure I have that as one of the examples on the policy rules section
but If not i will add it

source IP 192.168.1.0/24 destination IP 0.0.0.0 lface VPN

that will put everything on the vpn and you can use if tunnel goes down block all traffic.