Tutorial How to Setup a VPN client including Policy Rules for PIA and other VPN providers 384.5 07.10.18

For the old settings or for the settings in this thread?

Just follow the settings I posted in the URL, and make sure to save all changes as you are going through it. When importing that .OVPN file, delete the 2 lines I posted, as you will manually enter the certification key.
 
SYN, I'm hoping you can help me. I have been at this all night and can't get it. I have tried the steps here https://helpdesk.privateinternetacc...ing-up-an-Asus-Router-running-Merlin-Firmware and they aren't working for me. I also tried changing a few things around after reading through this and still get "Error - SSL/TLS issue!" when trying to start the service.

Under VPN Status it says "OpenVPN Client 1 - Error connecting - Authentication failed." However, I have confirmed the password I'm using and I'm able to log in to the PIA desktop app and mobile app with the same login with no issues.

Here is a screenshot (attached) of my settings right now, with the error message showing.

I'm working with an ASUS RT-AC3200, with Asuswrt Merlin firmware 380.65.

UPDATE: I got it working, messing around with it some more. Here is what I was doing wrong, in case it helps someone else. When I was pasting the Certificate Authority in I was removing "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" and only pasting what was in between. Once I pasted everything, it worked :)
 

Hmmm strange,

My pia vpn works well on 380.64_2. When I upgrade the firmware to 380.65, and leave the openvpn settings the same (only disable Cipher Negotiation), the problem appears within a day.

My vpn knowledge is not great but it's my understanding that since 380.65 upgraded openvpn to version 2.4 and new ciphers were added that you need to have Cipher Negotiation set to Enable (with fallback) so the client will fallback to the older ciphers that PIA uses as it is still on a pre 2.4 version of openvpn.

My client was setup per the PIA settings linked to above when my router was on 380.64_2 and after a flash to 380.65 and no changes to the vpn configuration the client seems to be working ok although I don't use it that often.
 
SYN, I'm hoping you can help me. I have been at this all night and can't get it. I have tried the steps here https://helpdesk.privateinternetacc...ing-up-an-Asus-Router-running-Merlin-Firmware and they aren't working for me. I also tried changing a few things around after reading through this and still get "Error - SSL/TLS issue!" when trying to start the service, can you help please? Here is a screenshot (attached) of my settings right now, with the error message showing.


You got a few issues on there my friend; instead of me going over them one by one, I included a screenshot of my settings.

When you 'choose file' for your .ovpn, find your us-east OVPN settings; you will need to delete two lines in there before you choose the file and upload.

2 lines to delete are:

crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt


Once those lines are deleted and you save the file, you can go ahead and upload the ovpn file. After you upload it, don't click save until you get your screen looking like the ones below...

ohig6e.jpg


14v1snt.png



Under Authorization Mode click on "Content modification of Keys & Certificates"

www.privateinternetaccess.com/openvpn/ca.rsa.2048.crt -> download link (will need to open with text editor to copy certificate authority lines)

Certificate Authority (make sure to click 'apply' when you paste this)

certificate.jpg

^ should look like that...


After you've got it all done, hit save and then switch "SERVICE STATE" to ON.


Good luck.
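
The two fixes described in the posts above (deleting the `crl-verify` and `ca` file references before uploading the .ovpn, and pasting the CA with its BEGIN/END lines intact) can be checked on a desktop before touching the router. This is an added example, not part of any post in the thread; the sample profile, hostname and certificate body are constructed, and the function names are hypothetical.

```python
import base64
import binascii

# Directives that point at files shipped beside the .ovpn; the router never
# receives those files, so the posts above delete these lines before upload.
EXTERNAL_FILE_DIRECTIVES = ("ca", "crl-verify")
BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def strip_external_refs(ovpn_text):
    """Return (cleaned_text, removed_lines) without `ca <file>` / `crl-verify <file>`."""
    kept, removed = [], []
    for line in ovpn_text.splitlines():
        tokens = line.split()
        # An inline "<ca>" tag has tokens[0] == "<ca>", so it is left alone.
        if len(tokens) >= 2 and tokens[0] in EXTERNAL_FILE_DIRECTIVES:
            removed.append(line.strip())
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


def check_ca_paste(pasted):
    """List structural problems in text meant for the Certificate Authority box.

    Shape check only (armor lines, base64, DER SEQUENCE tag); it does not
    verify that the certificate really is the provider's.
    """
    problems = []
    if BEGIN not in pasted:
        problems.append("missing BEGIN CERTIFICATE line")
    if END not in pasted:
        problems.append("missing END CERTIFICATE line")
    body = "".join(pasted.replace(BEGIN, "").replace(END, "").split())
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        problems.append("body is not valid base64")
    else:
        if not der.startswith(b"\x30"):
            problems.append("decoded body does not start with a DER SEQUENCE")
    return problems


# Constructed sample profile; only the two file-reference lines come from the thread.
SAMPLE_OVPN = """client
dev tun
proto udp
remote vpn.example.net 1194
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
auth-user-pass
"""

# Constructed stand-in for a certificate body: 0x30 tag plus filler, not a real cert.
SAMPLE_BODY = base64.b64encode(b"\x30\x82\x00\x40" + bytes(64)).decode()
FULL_PASTE = f"{BEGIN}\n{SAMPLE_BODY}\n{END}\n"

if __name__ == "__main__":
    cleaned, removed = strip_external_refs(SAMPLE_OVPN)
    print("removed before upload:", removed)
    print("full paste problems  :", check_ca_paste(FULL_PASTE))
    print("body-only problems   :", check_ca_paste(SAMPLE_BODY))
```

Removing `crl-verify` also turns off the revocation-list check on the server certificate, which is the trade-off of this import method.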
 
Thank you SYN. It is working now. I have another question... do you notice a huge drop in speed when using the VPN this way? I have very little drop in speed when I use the VPN directly on my desktop. Without the VPN, I get around 200 MBPS download wireless. In the same spot on the VPN, connected to the wireless, I only get up to 30 MBPS download. Is that huge drop normal for running the VPN off the router? I have tried different servers off of PIA and get the same speed drop.
 
I did some testing a while back that may help you with some reference numbers on throughput. These are my speeds using the OpenVPN Client on two different ASUS routers. Both routers running Asuswrt-Merlin 380.64 firmware. Using the VPN client to connect through PIA VPN servers.

AC3100 (1.4 Ghz dual core)
CTF enabled
DL: 61 Mbps with core 1 at 25%, core 2 at 75%
UL: 84 Mbps with core 1 at 35%, core 2 at 100%

AC68U (1.0 Ghz dual core)
CTF enabled
DL: 44 Mbps with core 1 at 30%, core 2 at 80%
UL: 58 Mbps with core 1 at 40%, core 2 at 100%

For reference, when using the same PIA VPN server with a windows client I'm able to attain 250 Mbps down and 350 Mbps up on the same DSLReports HTML5 speed test.

The speed tests were conducted over a wired connection from the computer to the router.

Data encryption: AES-128
Data authentication: SHA1
Handshake: RSA-2048
 
Thank you SYN. It is working now. I have another question... do you notice a huge drop in speed when using the VPN this way? I have very little drop in speed when I use the VPN directly on my desktop. Without the VPN, I get around 200 MBPS download wireless. In the same spot on the VPN, connected to the wireless, I only get up to 30 MBPS download. Is that huge drop normal for running the VPN off the router? I have tried different servers off of PIA and get the same speed drop.

Different factors when it comes to speed. I am also getting about 30-40 (my internet is 150mb down) - if you disable your encryption I believe your VPN picks up speed.

https://www.snbforums.com/threads/a...380-64-vpn-connection-slow.36552/#post-298822

^ this post explains it better...
 
Guys, I will update the guide. I have not had time to update my firmware. I am still on older firmware.
Once it's done the guide will be updated as well :)

That would be great yorgi - I'm still having issues with disconnects every time I switch off/on/reboot all my gear.
 
Hi all,

Any news on this problem? I've since had to revert back to the older firmware because of this problem & it's working normally again.....
 
I did some testing a while back that may help you with some reference numbers on throughput. These are my speeds using the OpenVPN Client on two different ASUS routers. Both routers running Asuswrt-Merlin 380.64 firmware. Using the VPN client to connect through PIA VPN servers.

AC3100 (1.4 Ghz dual core)
CTF enabled
DL: 61 Mbps with core 1 at 25%, core 2 at 75%
UL: 84 Mbps with core 1 at 35%, core 2 at 100%

AC68U (1.0 Ghz dual core)
CTF enabled
DL: 44 Mbps with core 1 at 30%, core 2 at 80%
UL: 58 Mbps with core 1 at 40%, core 2 at 100%

For reference, when using the same PIA VPN server with a windows client I'm able to attain 250 Mbps down and 350 Mbps up on the same DSLReports HTML5 speed test.

The speed tests were conducted over a wired connection from the computer to the router.

Data encryption: AES-128
Data authentication: SHA1
Handshake: RSA-2048

Hi, I have an AC5300. I have looked carefully in this thread and all over the net, and to be frank I do not know how you manage to get your CPUs to run so high; mine rarely goes over 50%. This situation is frustrating for me because I have a 120mb/s connection but with the VPN settings discussed I can reach only 45-50mb/s. What is it that I need to do to really use the core to a higher percentage... and if I can get the CPUs to run faster would it get me better VPN connection speeds... Thank you all for this thread, it is extremely useful.

Regards
 
Hi all,

Any news on this problem? I've since had to revert back to the older firmware because of this problem & it's working normally again.....

Still suffering with this - please, if anyone else is using PIA can you please upload your settings?

Thanks.
 
Can anyone tell me, before I install this firmware, if you can increase the max limits from 100 on the web GUI? I'm looking to route all Netflix, iPlayer and Amazon through my ISP and the rest of the traffic over VPN.
 
Still suffering with this - please, if anyone else is using PIA can you please upload your settings?

Thanks.
Do you want settings for ALL TRAFFIC or POLICY RULES? I use TorGuard. I have screen shots of both examples that may help you. Let me know which ones you want. I found quirks with policy routing and had to change settings when compared to OpenVPN 2.3 to get it to work.
 
Any way of adding all these addresses to route via the ISP instead of OpenVPN?
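
For the question above about sending many subnets out the ISP gateway with `route <network> <netmask> net_gateway` lines (and the earlier one about the limit of 100 in the web GUI): long hand-collected lists often carry duplicates and subnets already covered by a larger block, so collapsing them first shrinks what has to be entered and surfaces mistyped masks. This is an added example, not from the thread; the sample routes are constructed from documentation and private ranges, and the function names are hypothetical.

```python
import ipaddress


def parse_routes(text):
    """Split config text into (networks, rejected_lines).

    Every accepted line bypasses the tunnel, so anything that is not exactly
    `route <network> <netmask> net_gateway` with a clean network address is
    rejected for manual review instead of being silently widened.
    """
    networks, rejected = [], []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if len(parts) != 4 or parts[0] != "route" or parts[3] != "net_gateway":
            rejected.append(raw.strip())
            continue
        try:
            # strict=True refuses addresses with host bits set for the given mask.
            networks.append(ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=True))
        except ValueError:
            rejected.append(raw.strip())
    return networks, rejected


def minimal_routes(text):
    """Return (collapsed_route_lines, rejected_lines) for a block of route directives."""
    networks, rejected = parse_routes(text)
    # collapse_addresses drops duplicates and covered subnets, and merges neighbours.
    collapsed = list(ipaddress.collapse_addresses(networks))
    lines = [f"route {n.network_address} {n.netmask} net_gateway" for n in collapsed]
    return lines, rejected


# Constructed sample: a duplicate, two /24s inside a /18, two adjacent /25s,
# and one line whose address has host bits set for its mask.
SAMPLE_ROUTES = """
route 198.51.100.0 255.255.255.0 net_gateway
route 198.51.100.0 255.255.255.0 net_gateway
route 10.20.0.0 255.255.192.0 net_gateway
route 10.20.10.0 255.255.255.0 net_gateway
route 10.20.11.0 255.255.255.0 net_gateway
route 192.0.2.0 255.255.255.128 net_gateway
route 192.0.2.128 255.255.255.128 net_gateway
route 203.0.113.5 255.255.255.0 net_gateway
"""

if __name__ == "__main__":
    lines, rejected = minimal_routes(SAMPLE_ROUTES)
    print("\n".join(lines))
    for bad in rejected:
        print("needs review:", bad)
```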
 
What is your speed with PureVPN?
I am based in London and it is terrible, 10 mbit with RT-AC3100.

I don't know if I should try another provider.
I am disappointed with this router.

This is from the router:
http://imagizer.imageshack.com/img922/5703/oydHBg.png
http://imagizer.imageshack.com/img923/8170/1W4r0l.png
http://imagizer.imageshack.com/img923/1665/wdnXLt.png

And this is the .ovpn file which I upload to the OpenVPN client settings...
Code:
client

dev tun
remote il1-ovpn.purevpn.net  53
proto udp
nobind
persist-key
persist-tun
cipher AES-256-CBC
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
[certificate body not present on this page]
-----END CERTIFICATE-----
</ca>

#
# 2048 bit OpenVPN static key
#
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
[static key omitted]
-----END OpenVPN Static key V1-----

</tls-auth>
key-direction 1

verb 1
mute 20
route-method exe
route-delay 2
auth-user-pass
auth-retry interact
explicit-exit-notify 2
ifconfig-nowarn
 
Both would be nice, Thanks!
I am almost done with the OpenVPN 2.4 client setup guide and hope to have it posted by this weekend. It is TorGuard centric but may apply to other vpn providers. It is undergoing a peer review by two other forum members.

UPDATE March 23, 2017:
After upgrading to OpenVPN 2.4 with the 380.65 and 380.65_2 release, I started having issues with Policy rules that I did not have before.
  1. In prior OpenVPN releases, I always used the setting of “None” for Compression. This setting no longer works for me in OpenVPN 2.4. As a result, I use the default LZO Adaptive, which is the recommended setting of TorGuard.
  2. I had Accept DNS Configuration set to “Exclusive” in prior releases and still do for All Traffic. I have the VPN provider's DNS servers specified on the WAN configuration tab. I use AB-Solution 3.6.5 on all my routers. I discovered that ad blocking only worked for devices connected to the WAN and not for devices connected to the VPN tunnel when Accept DNS Configuration was set to “Exclusive”. Changing Accept DNS Configuration to “Strict” solved this problem. Ad blocking now works for the WAN and VPN tunnel. I found this very strange.
  3. As mentioned above, I use AB-Solution 3.6.5 on all of my routers. A few days after upgrading to 380.65, I attempted to update AB-Solution on the router with Policy Rules. I was unable to connect to the AB-Solution server to perform the update and unable to ping the server. I could on my other router though. This is a symptom of a routing issue. The other item that no longer worked was the email function built into AB-Solution. My AB-Solution email settings are the same on the router with Redirect Internet traffic set to ALL, and on the router with Redirect Internet traffic set to Policy Rules. Having the dhcp-option DNS setting in the Custom Configuration section resolved these two issues. Set the IP address to the DNS server IP addresses of your VPN provider. I shared this with a PIA customer and he sent me a very thankful PM. He had struggled in getting his set up to work and this fixed the problem for him. He also shared it with PIA support and they said many others are contacting them with this issue as well.
----end of update----
These examples are for AES-128-CBC. First one is ALL Traffic and Second one is Policy Rules. Note the Differences in Accept DNS Configuration between the two, and the dhcp-option DNS in Additional Config for Policy Rules. I just ask that you let me know if this worked out for you or if you still have issues so I can test on my end and make any necessary changes to the guide I am working on.

All Traffic
upload_2017-3-21_22-39-33.png


Policy Rules

upload_2017-3-21_22-43-52.png
 

Attachments

  • upload_2017-3-21_22-40-25.png
    upload_2017-3-21_22-40-25.png
    89.4 KB · Views: 670
Last edited:
I followed this thread and was able to get a good configuration of PIA OpenVPN with Merlin 380.65_2, however had noticed a number of things.

First, in speaking with PIA support, I inquired about the persist custom configurations and they provided the following detail:

The persist options (persist-key persist-tun) when used will try to avoid accessing certain resources on restart that may no longer be accessible because of the privilege downgrade. Such as when or if the VPN restarts, the client will keep the TUN/TAP interface open. When it renegotiates with the server, it will check that server is giving it the same virtual IP address as it gave before. If so, everything is good. If not (i.e. the client detects that the new IP address given is different than the old), it will close and reopen the TUN/TAP interface.

Further, I found that similar to Xentrk, AB-Solution only worked initially when Accept DNS Configuration is set to Strict rather than Exclusive. However, when selecting Strict, I found that DNS was leaking from the ISP (https://ipleak.net/ & https://dnsleaktest.com). This appears to be due to the fact that I am using Policy Rules with the full /24 through VPN along with specific IP exceptions going through WAN. I believe that if I didn't have a requirement for Policy Rules, that the DNS leak might not occur.

As I consider AB-Solution a must and require Policy Rules, I opted to try getting DNSCrypt in place instead and followed the install at: https://www.snbforums.com/threads/release-dnscrypt-installer-for-asuswrt.36071/ with good success. After installing DNSCrypt, DNS leak tests showed DNS from only OpenDNS (what I selected at install) rather than the local ISP. After clearing DNS cache and restarting the router, all clients reported OpenDNS, which I wasn't sure if was expected or if it should show as using PIA DNS for clients through the VPN. I decided to test and switched Accept DNS Configuration back to Exclusive, gave the router a reboot, cleared client cache and found that DNS still shows as OpenDNS, but that AB-Solution also remained functioning (verified by following the log).

I am quite content to stick with Accept DNS Configuration set to Exclusive, having a verified functioning PIA VPN (4096/256-bit AES encryption), working AB-Solution, and possibly OpenDNS showing as it is at least not leaking ISP DNS or using a transparent DNS proxy back to the ISP from what I can tell.

My question is whether it is expected that OpenDNS is used even when Accept DNS Configuration is set to Exclusive or if I should be seeing the PIA VPN DNS instead? If it should show as PIA VPN, any thoughts what might be configured incorrectly?

Two other points, I believe that in Merlin 380.65_2, Cipher Negotiation must be set to Enable (with fallback) and the Negotiation ciphers and Legacy/fallback cipher both need to be set to the desired cipher (AES-256-CBC in my case) or the cipher validation fails and the VPN will not pass traffic. This appears as TUN/TAP write bytes not increasing past 0 on the VPN Status page. Lastly, in my case, I did not see a performance increase when using 2048/128-bit AES encryption using an AC68 router; both 128 and 256 measured at around 25Mbps down and about 50Mbps down with no VPN on the same wireless from the remote location I'm at.
 