Tutorial How to Setup a VPN client including Policy Rules for PIA and other VPN providers 384.5 07.10.18

Hi, I have a question. I have relocated to China... (the Great Firewall). I bought an Asus RT-AC68U (stock firmware), which I use as my PPPoE dialer to the internet. I also have a Linux machine in Hong Kong on which I installed an OpenVPN server.
The problem is that when I add the OpenVPN client on my Asus, it all goes well, it connects and everything, BUT all the computers in my home get no internet (the idea of course is to have VPN internet to bypass the Great Chinese Firewall).
My question is: what can cause such a problem? I am trying to look for solutions online, but all I come up with is configuration for VPN providers (since I have my own VPN server I don't really need those).
If anyone can help me, it will greatly improve my life here in China.
As for configuration, here is the important server configuration part:
port 56283
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 210.220.163.82"
keepalive 10 60
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
ping-timer-rem
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem

and this is my client.ovpn (omitting personal information of course)
client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote XXX.XXX.XXX.XXX 56283
resolv-retry infinite
nobind
ping-timer-rem
keepalive 10 60
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
setenv opt block-outside-dns
key-direction 1
verb 3
<ca>
..... etc...

Please can someone explain to me what I am doing wrong?
Best regards,
Chinatown
What software are you running on the VPN server on Linux?
Maybe you missed some kind of configuration on the server's end, like redirecting all internet traffic via the server.
I don't think your problem is with your client as much as your server.
All you need to do is load the server's ovpn file on your router, and if it connects then you are in business.
I would also suggest getting rid of the default firmware and going with Merlin, as you have a lot more options that you can tweak in order to establish an OpenVPN connection to a server.
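
A cross-check of the two configs posted above, as an added example that is not part of the thread: it parses both files and flags directives that should agree on both ends (`proto`, `dev`, `cipher`, `comp-lzo`, the tls-auth key direction) and whether a default-route redirect is present. The function names are hypothetical, the sample inputs are excerpts of the posted configs, and the server's IP forwarding and NAT, which live outside the OpenVPN config, are not checked.

```python
import shlex
# Added example, hypothetical helper names. Samples: excerpts of the configs posted above.
SERVER = """proto udp
dev tun
tls-auth ta.key 0
push "redirect-gateway def1 bypass-dhcp"
cipher AES-256-CBC
comp-lzo
"""
CLIENT = """client
dev tun
proto udp
cipher AES-256-CBC
comp-lzo
key-direction 1
"""

def parse(text):
    """Map each directive to its argument lists, skipping inline <ca>-style blocks."""
    conf, inline = {}, None
    for line in map(str.strip, text.splitlines()):
        if inline:
            inline = None if line == f"</{inline}>" else inline
        elif line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
        elif line and line[0] not in "#;":
            name, *args = shlex.split(line)
            conf.setdefault(name, []).append(args)
    return conf

def tls_direction(conf):
    """Direction from key-direction, else the second tls-auth argument, else None."""
    args = conf.get("key-direction", [[]])[0] or conf.get("tls-auth", [[None]])[0][1:]
    return args[0] if args else None

def check_pair(server_text, client_text):
    s, c = parse(server_text), parse(client_text)
    findings = []
    for key in ("proto", "dev", "cipher", "comp-lzo"):  # should agree on both ends
        if s.get(key) != c.get(key):
            findings.append(f"mismatch: {key}")
    if (tls_direction(s), tls_direction(c)) not in {("0", "1"), ("1", "0"), (None, None)}:
        findings.append("mismatch: tls-auth key direction")
    pushed = [args[0] for args in s.get("push", []) if args]
    if not any(p.startswith("redirect-gateway") for p in pushed) and "redirect-gateway" not in c:
        findings.append("no redirect-gateway: default route stays outside the tunnel")
    if "comp-lzo" in s or "comp-lzo" in c:
        findings.append("note: comp-lzo is deprecated as of OpenVPN 2.4")
    return findings
```

For the posted pair, `check_pair(SERVER, CLIENT)` returns only the `comp-lzo` deprecation note, which is consistent with the tunnel connecting.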
 
The main issues that were reported were resolved by reverting the GPL 4180 merge that caused them. What's left is some people will need to adjust their OpenVPN configuration if they are using configuration settings that are now considered obsolete or work differently with OpenVPN 2.4.0. Otherwise, 380.65 does resolve a number of issues related to OpenVPN, @john9527 having identified and resolved a number of timing issues relative to starting/stopping OpenVPN.

The RT-AC87U might (again, sigh) be a particular case. I had one report of wifi-related issues with the RT-AC87U webui, but I haven't had the time yet to investigate.
LOL this is why I didn't bother updating because of weird issues with my 87U
I will however update and will report if I have any issues.
I have to update the article as well so maybe this weekend I will go fishing :)
 
No first hand experience but doesn't the great firewall of China block VPN connections?

"On May 2011, the Great Firewall of China did a probe which blocked VPNs temporarily. Unfortunately on Dec 2012, the Great Firewall of China ISPs and government worked really hard to block all existing VPN protocols. They have updated GFW so it can now learn, detect and block VPN protocols in real-time and automatically. All standard protocols like OpenVPN, PPTP, L2TP/IPSec, IPSec, SSTP are blocked. They use DPI (deep packet inspection) to detect IP addresses running VPN protocols. Then it takes them a few hours or in best case 1 day to block these IPs.

This practically means standard VPN protocols will not work in China anymore. Not now or ever. Censorship in China will become much worse. They are making new laws which will make VPNs illegal and request from Internet users to use their real name when signing up on web sites.

All VPN providers are affected by this block, not just Astrill in China. Even big companies like Apple are affected and their employees have problems to connect to their corporate VPN from China."

Supposedly there are protocols that can't be detected, but I don't have first hand experience to tell you that they work.
 
Thanks for the reply, I solved the problem by rebooting the router... (apparently only after reboot we actually did what it's supposed to, which is kinda weird :/)
I have no idea why it can't work as is after putting in the ovpn file, but that's a problem for another day.
 
It is very easy for China to block entire subnets from VPN providers. If Netflix did it so can China :)
 
If they really wanted to do it, it would have been done a long time ago. The Chinese gov, unlike what everybody thinks, doesn't really want to block the VPN. They do want to "control" it so it won't spread too much,
but at the end of the day we (the non-Chinese) must have a way to communicate with the outside world to bring more business to China, and that's why they will never totally block it.
 
@yorgi, RT-AC87 here running 380.65 for several days connecting just fine with PIA. I made no changes to my configs that have been in use for months. Of course, this means I am not taking advantage of any of the newer options in OpenVPN 2.4.
Hello HardCat,

What does your config file look like?
 
My config is exactly the same as @yorgi has shown us in the first post in this thread. I am also on PIA.
 
Okay, thanks.

I'll try it one more time (my connection drops once or twice a day).
I use the same config as @yorgi described, the only difference is I don't fill in the .crt and .PEM.
In my config I point to the .crt and .PEM files on my usb-stick.

Till now this worked flawlessly for me.
 
as long as you point the certificates to the right place it doesn't matter where they are :)
 
Hmmm strange,

My pia vpn works well on 380.64_2. When I upgrade the firmware to 380.65, and leave the openvpn settings the same (only disable Cipher Negotiation), the problem appears within a day. My vpn status in the router says "connected" but I can't serve the Internet. When I restart the vpn client, everything is fine for a few hours. When I revert back to 380.64_2, everything is fine for "always".


Sent from my iPhone using Tapatalk
 
what model router do you have?
I would suggest that if things work better with the previous version keep it on there until there is an update.
I haven't updated since .56 because of backward compatibility and future of Merlin contribution.
I am still not sure about the future so keep what works for now and we will see what happens :)
 
My model is a RT-AC3200

Maybe it's better to stick on 380.64_2


Sent from my iPhone using Tapatalk
 
I agree. These newer routers have made Merlin's life miserable because they are using completely different methods in their firmware.
So there are too many routers out there to release a firmware that is good for all routers. Now it's more like bouncing around from one router to another and custom-fixing it so it works right for each model.
So if it ain't broke, don't fix it :)
 
I also have this issue with 380.65 - every time I restart/reboot my computers I have to restart my VPN clients on my N66U. I noticed the VPN screens on the new firmware are slightly different from the ones posted in the OP, namely the addition of Cipher Negotiation & Negotiation Ciphers - but I get the problem whether Cipher Negotiation is enabled or disabled.

Any ideas?

Edit: N66U router.
 
https://helpdesk.privateinternetacc...ing-up-an-Asus-Router-running-Merlin-Firmware

follow these steps and you should be good to go on 380.65 -- I am also on PIA and had issues prior to reading the article.
 
@yorgi

the custom config line you posted in OP
aes-256-jpg.6800

Is that what one should still go by? I only have persist-key & persist-tun and it works fine, also if I chose to disable Legacy (encryption) since I read somewhere it helps with VPN speeds (I only use it to stream media) do I have to change anything in custom config line at that point?


Thank you.
 
Those are the settings I used to use, but when I upgraded to the latest firmware the problems started - so I tried the settings in this thread but it didn't fix the problem.

did you import ovpn file for the server you want to connect to?
you would also want to delete 2 lines in that .ovpn file

crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt

as you will add certification manually.
 
For the old settings or for the settings in this thread?
 
