Tutorial How to Setup a VPN client including Policy Rules for PIA and other VPN providers 384.5 07.10.18

Even with DNS set to exclusive mode, the router is still making my PC use the DNS server set in AIProtection. I am using a DNSCrypt Non-logging server, so I guess it is just as good as using the PIA DNS server right?

Using your guide I was able to set up UDP 128bit, UDP 256bit, and they all worked. Thanks very much.

A few things I think your guide is missing
-TCP No Encryption- how would you do it and what cert would you use?
-A screenshot for UDP no encryption
-Any of the TCP configs.

I have made you a screenshot for UDP no encryption for your guide.
Question: is auth-none necessary in custom config?
Also, I am not getting the full ISP speed when using no encryption. It is actually much much slower. Any idea why?
[attached screenshot: v3m9kd3.jpg]
 
Now that I got UDP working I wanted to test to see if TCP worked but it gets stuck at connecting. Here is my config and log. I am getting TLS handshake errors. First I am trying TCP 128 and if we can make that work then I will do TCP 256.
http://pastie.org/10928929
[attached screenshots: 5To9jq4.jpg, 6fiRRIH.jpg]
 
For no encryption all you need to do is put the settings as you did and use the certificate that I pasted.
When we made tests with no encryption everyone got pretty much full bandwidth. Just be sure you are using a server that is close to you; not all servers are fast from PIA. Take a look at how many servers they are running for each country, then you will be able to see the better servers to use.
I will fix the explanation so it makes more sense with no encryption.
As far as UDP ports, it's the exact same thing as the TCP with the exception that you change the port, therefore
it's not important to make more images in my guide, as it is explained that you follow everything the same with the exception of the new certificates and port. These images are for reference.
 
UDP are not as fast as TCP but some people have better results with UDP.
 
Depends on the link quality - there are situations where UDP can be much faster, being that it depends on upper layers - TCP is pretty much true, and helps on lossy connections...
 
Any idea why it gives TLS handshake error?

Also I would have thought UDP is faster because it is connectionless
Not sure why you are getting the error. Did you put the certificates from the UDP in the proper area in Content modification of Keys & Certificates?
Were you able to connect with TCP?
 
Thanks yorgi for this excellent guide.

I've only one "safety issue" running a dnsleak test. I asked it already elsewhere on the forum but it's not clear to me.

When I use "Exclusive" in my dns configuration and I run a test, I got a Pia IP address and a dns address which is the same address.

When I use "Strict" in my dns configuration and run a test, I got the same Pia IP address as above and a different dns address. This dns address is NOT my ISP address but Pia's dns IP address.

Is this a safety leak?

I prefer Strict because then everything runs through my adblocker (ab-solution)

Kr.,
Patrick
 
I wouldn't recommend using Strict because, as Merlin said, it is outdated and not secure. Even the author who created it says do not use it.
Merlin also said at one point he was thinking of taking out Strict altogether.
I would keep it to Exclusive; it's the only one that works right, where your DNS and IP are the same of PIA, and when you use ISP it's the proper DNS.
If you prefer to use Strict do it at your own risk :)
 
Thanks for your clear answer.
Exclusive it's gonna be.

Kr.,
Patrick
 
Sorry if this has already been answered somewhere in this thread. I cannot get the policy rules to work. My setup is RT-AC88U running 380.61 firmware. DHCP is turned off as I run Windows Server 2012 R2 in my network. That handles the DNS and DHCP. Will the policy rules still work when the router has DHCP "off"? Using PIA exactly as OP, 128bit encryption.

Even when I try to force everything through the VPN it still goes through WAN. VPN is on and connected. I'm thinking it may be because the router is not handling DHCP. I am checking routing on a computer with a static IP which is outside of the DHCP range.
 
Before you can even set any rules you need to make sure that your VPN is working.
A little checklist:
What encryption are you using? Did you set it as Exclusive in Accept DNS Configuration?
Did you paste the 2 certificates in the appropriate places? Do you get a green light enabled?
Put Redirect Internet traffic to ALL.
DHCP is only for assigning IP addresses; it has nothing to do with VPN.
Set your DHCP range to 192.168.1.100-192.168.1.254.
This way you will have 192.168.1.0-192.168.1.99 for static IP addresses.
I really can't help you unless I know more. Use the guide and follow it step by step. Make sure you first connect to the VPN and then worry about the rest. When you successfully connect then I can help you out with rules.
 
Thanks for the reply yorgi, PIA VPN seems to be working. Status page says connected. I am using AES-128-CBC port 1198 encryption. I followed the example in the original post exactly apart from user/pass and which PIA server. This is how I have my network set up. 192.168.1.100-192.168.1.199 for DHCP but using the DHCP server in Windows Server 2012 R2. Anything below is static IPs. My Windows server uses 192.168.1.99 as a static IP. I have a policy as below:
Source IP 192.168.1.0/24 Destination IP 0.0.0.0 Iface WAN
Source IP 0.0.0.0 Destination IP xxx.xxx.xxx.xxx Iface VPN

This is to route a particular website via VPN; everything else goes out on WAN, but I can't get it to work. No traffic seems to go over VPN. VPN status page shows nothing going over VPN.

Thanks
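An added example, not code from this thread or from the router firmware: a small checker for policy rules written in the layout used in the post above. It assumes that a bare 0.0.0.0 means "any host" and uses a constructed TEST-NET address in place of the redacted xxx.xxx.xxx.xxx destination; it reports packets that two rules would send to different interfaces, because which rule then wins depends on the firmware's rule ordering, which this thread does not settle.

```python
import ipaddress
from typing import List, NamedTuple, Tuple


class Rule(NamedTuple):
    src: str    # source IP or CIDR, 0.0.0.0 = any
    dst: str    # destination IP or CIDR, 0.0.0.0 = any
    iface: str  # "WAN" or "VPN"


def to_network(value: str) -> ipaddress.IPv4Network:
    # Assumption: a bare 0.0.0.0 is the wildcard "any host", as in the thread's rules.
    if value == "0.0.0.0":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(value, strict=False)


def parse_rule(line: str) -> Rule:
    # Accepts the post's layout: "Source IP <a> Destination IP <b> Iface <WAN|VPN>"
    tokens = line.split()
    return Rule(tokens[2], tokens[5], tokens[7])


def matching_rules(rules: List[Rule], src_ip: str, dst_ip: str) -> List[Rule]:
    # Every rule whose source and destination both cover this packet, in listed order
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return [r for r in rules if s in to_network(r.src) and d in to_network(r.dst)]


def find_conflicts(rules: List[Rule]) -> List[Tuple[Rule, Rule]]:
    # Pairs of rules that can both match one packet yet send it to different interfaces
    found = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if (a.iface != b.iface
                    and to_network(a.src).overlaps(to_network(b.src))
                    and to_network(a.dst).overlaps(to_network(b.dst))):
                found.append((a, b))
    return found


# Constructed sample: the two rules from the post, with 203.0.113.10 (TEST-NET-3)
# standing in for the redacted xxx.xxx.xxx.xxx destination.
SAMPLE_RULES = [parse_rule(line) for line in [
    "Source IP 192.168.1.0/24 Destination IP 0.0.0.0 Iface WAN",
    "Source IP 0.0.0.0 Destination IP 203.0.113.10 Iface VPN",
]]

if __name__ == "__main__":
    for a, b in find_conflicts(SAMPLE_RULES):
        print(f"overlap: {a} vs {b}")
    print(matching_rules(SAMPLE_RULES, "192.168.1.50", "203.0.113.10"))
```

A LAN host talking to the VPN-routed destination is covered by both rules, so the outcome rests entirely on the firmware's precedence; a rule set with no conflicts routes the same way regardless of ordering.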
 
Are you sure you pasted the 2 certificates that you downloaded in the proper places?
Can you disable the server just for the test, make DHCP active on the router, and test the VPN with a wired connection to the router on a static IP address?
Do you have more than one VPN client enabled at the same time?
If you are still having problems, can you make an image of the VPN status page and your settings for the client?
Also close the VPN service and clear the system log, then connect the VPN, then copy and paste the log and post it here.
I have a feeling it's certificates or a router conflict.
If it's a router conflict, try shutting down the router and powering it off while the power button is enabled so it can flush the capacitors.
Then reboot the router.
All your tests should be done with one computer with a static IP and the router. Take everything else out of the equation before you continue with the other DHCP server etc.
 
There are 2 certificates that you have to download from the link I supplied. If you use the 1 certificate that I pasted it won't work, because that is for Blowfish and no encryption. Please make sure the certificates are there and in the right places.
If they are in the wrong area then you have to do a default for the client configuration.
I would almost suggest you do that next. Something could have gone wrong and it's having a conflict.
Try another client like 2 and see if you get the same issue.
Only use one client at a time. Make sure if you have more than one client active to deactivate and try only with one.
 
I tried the "re-direct all" and it worked. All my traffic via VPN. Then back to "policy rules" and guess what, it's still working. Weird.
But thanks for the help.
 
I have to chuckle a bit...

L2TP/IPSec - create/enter the shared secret passphrase, create a user account and create/enter another passphrase there, along with a dest end-point - done... takes at most two minutes.

Less work, better performance... and that tunnel is totally secure.

I did a writeup/how-to on OpenVPN for the client/server sides - amazing amount of work to be done - no wonder enterprises just don't use it.

The only advantage I see with OpenVPN is the ability to hole punch using TCP/80 or TCP/443, as most places won't block those ports - the downside to OpenVPN relates to its portability, e.g. it works on many platforms, but it's a strength over-applied, which makes it a weakness...

L2TP/IPSec - I get near wire speed on it - OpenVPN on the same platform - maybe half...

Always wonder though - why folks put so much effort into VPN inside the router if not doing it for dial-in/remote access into one's own LAN, which isn't that common... and b2b site-to-site, again, not that common in the SNB community...

So my guess is most folks are working around Geo-Unlocking content via a VPN provider that has end-points out of country. And even there - better ways than OpenVPN...
 
takes at most two minutes.

For such a basic setup, OpenVPN is just as fast. Enable OpenVPN, let the firmware automatically generate the certificates. Add user/passwords to the webui, export .ovpn config file, and you're done.

It's when you go into special scenarios that it takes longer - and such special scenarios are quite often not even possible at all with L2TP.

As for IPSEC... I can't compile the kernel with the IPSEC modules because it generates too many changes into the kernel, leading to version symbol changes. Only way is to go with usermode IPSEC, which will not give you anywhere near the same performance level.

no wonder enterprises just don't use it.

A lot of enterprises use it without even knowing it. It is typically marketed as "SSL VPN" by SSL appliance manufacturers. It's really just a rebranded OpenVPN. Had a former customer of mine using a firewall/router with that (I forgot the manufacturer).
 
Go do some research again - Juniper has SSLVPN, so does Cisco with AnyConnect - and it's not OpenVPN... OpenStack with Neutron also supports SSLVPN, just not OpenVPN's view of VPN...

I was chatting the other day with some other OpenStack folks, and someone mentioned whether there was going to be an OpenVPN driver for Neutron - after the collective chuckle, someone suggested firing up a Nova instance to handle it - OpenStack isn't going there due to layer violations (App Layer (L7) doing L3, erm, no) - OpenVPN will have to meet their design without standing up a VM to handle the application layer.

L2TP/IPSec is the gold-standard in enterprise and cloud these days if not using MPLS...
 
I'll agree it works...

Cert management gets to be a pain when managing multiple dial-in clients and one revokes a cert - how to get the clients new certs? Not so easy of a problem, is it?
 