
Tutorial How to Setup a VPN client including Policy Rules for PIA and other VPN providers 384.5 07.10.18


I think I answered myself after reading further on here:
My question is whether it is expected that OpenDNS is used even when Accept DNS Configuration is set to Exclusive or if I should be seeing the PIA VPN DNS instead? If it should show as PIA VPN, any thoughts what might be configured incorrectly?

What I gather is that OpenDNS in my case is functioning as expected, as specified through DNSCrypt, and is sending requests through the OpenVPN tunnel due to the policy route for the /24 going over the PIA VPN. From a DNS leak test, it will show OpenDNS rather than PIA as that is what is defined for name resolution.

What would be handy is determining how to confirm that all DNS queries, including clients that are set to WAN to bypass PIA VPN (e.g. Roku & Amazon FireTV), are still using DNSCrypt as opposed to the local ISP DNS or leaking otherwise.
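
One way to answer the question in the post above, as an added example that is not part of the thread: capture port-53 traffic on the LAN bridge and list every client that sends plaintext DNS to a resolver other than the router. The router address 192.168.1.1, the `br0` interface, the availability of `tcpdump` on the router and the sample capture lines are assumptions or constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -n -i br0 port 53` output (not real traffic).
# Assumptions: the router resolver (dnsmasq -> DNSCrypt) listens on 192.168.1.1,
# and br0 is the LAN bridge.
SAMPLE='12:00:01.100000 IP 192.168.1.50.40111 > 192.168.1.1.53: 4660+ A? example.com. (29)
12:00:01.100900 IP 192.168.1.1.53 > 192.168.1.50.40111: 4660 1/0/0 A 93.184.216.34 (45)
12:00:02.200000 IP 192.168.1.77.51820 > 8.8.8.8.53: 8211+ A? example.net. (29)
12:00:03.300000 IP 192.168.1.77.51821 > 8.8.8.8.53: 8212+ AAAA? example.net. (29)
12:00:04.400000 IP 192.168.1.60.33000 > 192.168.1.1.53: 1001+ A? example.org. (29)'

# dns_bypass ROUTER_IP
# Reads tcpdump lines on stdin and prints "client resolver count" for each
# client that sent port-53 queries to any address other than ROUTER_IP.
dns_bypass() {
    awk -v router="$1" '
    $2 == "IP" && $4 == ">" {
        dst = $5; sub(/:$/, "", dst)            # "8.8.8.8.53:" -> "8.8.8.8.53"
        n = split(dst, d, ".")
        if (n != 5 || d[5] != "53") next        # keep only packets sent to port 53
        dip = d[1] "." d[2] "." d[3] "." d[4]
        if (dip == router) next                 # query went to the router: expected
        split($3, s, ".")
        sip = s[1] "." s[2] "." s[3] "." s[4]
        seen[sip " " dip]++
    }
    END { for (k in seen) print k, seen[k] }' | sort
}

# On the router this would be fed from a live capture (assumed command):
#   tcpdump -n -l -i br0 port 53 | dns_bypass 192.168.1.1
printf '%s\n' "$SAMPLE" | dns_bypass 192.168.1.1
```

An empty result means every observed query went to the router's resolver; it does not show what the router itself sends upstream.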
 
I followed this thread and was able to get a good configuration of PIA OpenVPN with Merlin 380.65_2; however, I had noticed a number of things.

First, in speaking with PIA support, I inquired about the persist custom configurations and they provided the following detail:

The persist options (persist-key persist-tun), when used, will try to avoid accessing certain resources on restart that may no longer be accessible because of the privilege downgrade. Such as when or if the VPN restarts, the client will keep the TUN/TAP interface open. When it renegotiates with the server, it will check that the server is giving it the same virtual IP address as it gave before. If so, everything is good. If not (i.e. the client detects that the new IP address given is different than the old), it will close and reopen the TUN/TAP interface.

This is interesting, I wonder if this is related to my problem of having to restart my vpn clients in order to get connections after every reboot/start of connected devices - maybe the "persist-key persist-tun" commands no longer work with the latest versions? I'll remove them & see if the clients stay connected after reboots & report back.

@Xentrk: Thanks for uploading your settings, but I still have the same problem. Also, AB updates work fine for me using the "exclusive" option so I'm not sure why some users are having problems.
 

This is interesting, I wonder if this is related to my problem of having to restart my vpn clients in order to get connections after every reboot/start of connected devices - maybe the "persist-key persist-tun" commands no longer work with the latest versions? I'll remove them & see if the clients stay connected after reboots & report back.

@Xentrk: Thanks for uploading your settings, but I still have the same problem. Also, AB updates work fine for me using the "exclusive" option so I'm not sure why some users are having problems.
I had to remove both
Code:
persist-key
persist-tun
from Additional Config section with OpenVPN 2.4 release to get things to work. In fact, pull and nobind had to be removed from this section as well.
 
I had to remove both
Code:
persist-key
persist-tun
from Additional Config section with OpenVPN 2.4 release to get things to work. In fact, pull and nobind had to be removed from this section as well.

So very odd, as having those two options in additional config doesn't make a difference in my case. AB-Solution is working with Exclusive as mentioned following implementation of OpenDNS. There appear to be too many variables to isolate at this point, however it is working perfectly with 3 days and 5 hours of consistent uptime (based on pixelserv statistics).

I have to say that the community here, information, and development efforts are nothing short of amazing. I can only hope that Merlin's new endeavor is taking over a company that gives him greater input ability in whatever he does. I've been reliant on his and John's firmware for the better part of a decade now and don't want to look at a future without.
 
I had to remove both
Code:
persist-key
persist-tun
from Additional Config section with OpenVPN 2.4 release to get things to work.
Both of those options along with nobind are added automatically by the firmware... having or not having them in the custom config section makes no difference. If you want to remove them, you need to use a postconf script.
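
A sketch of the postconf approach mentioned in the reply above, as an added example that is not from the thread or the firmware project. The script name `/jffs/scripts/openvpnclient1.postconf`, the config path arriving as `$1`, and the helper `strip_directives` are assumptions made for illustration.

```shell
#!/bin/sh
# Postconf-style script, assumed to be saved as
# /jffs/scripts/openvpnclient1.postconf (file name is an assumption).
# The firmware is assumed to pass the generated config path as $1.

# strip_directives FILE DIRECTIVE...
# Delete every line whose first word is one of the named directives.
strip_directives() {
    conf="$1"; shift
    tmp="$conf.tmp.$$"
    awk -v drop="$*" '
        BEGIN { n = split(drop, a, " "); for (i = 1; i <= n; i++) del[a[i]] = 1 }
        !($1 in del)    # keep lines that do not start with a dropped directive
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps the file mode and owner
    rm -f "$tmp"
}

# Only act when called with an existing config file.
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    strip_directives "$1" persist-key persist-tun
fi
```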
 
Agreed, great article. The new stuff on _4 I haven't played with yet, but I'll tweak here and there later. In the meantime, does anyone else get ridiculously slow speed when using PIA on the router? The workstation client allows me almost 80% of unrestricted download, but having VPN on the router kills it to 20% of the normal unfiltered download speed. I could turn down the encryption I'm sure which might help... what is the lowest level of auth and encryption I can use?
 
Agreed, great article. The new stuff on _4 I haven't played with yet, but I'll tweak here and there later. In the meantime, does anyone else get ridiculously slow speed when using PIA on the router? The workstation client allows me almost 80% of unrestricted download, but having VPN on the router kills it to 20% of the normal unfiltered download speed. I could turn down the encryption I'm sure which might help... what is the lowest level of auth and encryption I can use?

There is a limit on how fast a router's limited processor can handle a VPN. I have a 180/25 ISP connection. Running the VPN on a PC with an i7 2.8 GHz processor I can get 170/22 running the VPN app.

Running it on an AC1900P router with a 1.4 GHz processor 55/22 is the best I can get even after adjusting encryption, MTU, etc.

If you search previous threads the consensus seemed to be that you would need a 2.4 GHz processor to get 100 down.


Sent from my iPhone using Tapatalk
 
Hi all, thanks to this guide I was able to run on PIA on 1198 after the latest upgrade 380.65_4 (ac68u), however I am facing an issue where after ~1 hour the vpn connection stays connected but there is no internet connectivity. I have to stop/start the VPN again to regain connectivity. Any idea, what may be causing this? If any specific logs are required, let me know and I can attach to the post.

In my options all I have are the options that are imported as part of the ovpn file:
tls-client
remote-cert-tls server
reneg-sec 0
disable-occ

thanks.
 
Hi all, thanks to this guide I was able to run on PIA on 1198 after the latest upgrade 380.65_4 (ac68u), however I am facing an issue where after ~1 hour the vpn connection stays connected but there is no internet connectivity. I have to stop/start the VPN again to regain connectivity. Any idea, what may be causing this? If any specific logs are required, let me know and I can attach to the post.

In my options all I have are the options that are imported as part of the ovpn file:
tls-client
remote-cert-tls server
reneg-sec 0
disable-occ

thanks.

Same thing with mine. My options are a little different but the symptom is the same. An hour or two online and the VPN stops allowing internet access. Spent part of the last few days trying different things suggested in this thread and others. Something is shutting down internet access for the tunnel for some reason it seems to me. I have policy rules in place to allow me to use Netflix on my smart tv and this past time it stayed active when the internet access on my laptop died. The VPN Client isn't showing any issues on the router and the log doesn't indicate any errors. Really odd.
 
I did use your "dhcp-option DNS" finding to get it working at all. But haven't beaten the periodic connectivity issue yet.
 
There is a limit on how fast a router's limited processor can handle a VPN. I have a 180/25 ISP connection. Running the VPN on a PC with an i7 2.8 GHz processor I can get 170/22 running the VPN app.

Running it on an AC1900P router with a 1.4 GHz processor 55/22 is the best I can get even after adjusting encryption, MTU, etc.

If you search previous threads the consensus seemed to be that you would need a 2.4 GHz processor to get 100 down.


Sent from my iPhone using Tapatalk

Makes sense, I didn't really think about the fact that the router is doing the encryption/decryption of the traffic. So it seems it would be simpler to put a decent PC (with 2 NICs) between my router and modem, run PIA on incoming traffic NIC from modem, bridge to second NIC which goes to router and in theory the traffic going to all the devices in my home (wired or WiFi) should be protected via PIA IP hiding and whatever level of encryption I set up through the PIA interface. I have spare Dell workstations with decent processors. You said 2.4, however a lot of flavors of 2.4 exist. Would more cores or better tech/type of cores be better? Like a 2.4 i3 8 core vs a 2.4 i5 6 core or 2.4 i7 4 core?
 
Makes sense, I didn't really think about the fact that the router is doing the encryption/decryption of the traffic. So it seems it would be simpler to put a decent PC (with 2 NICs) between my router and modem, run PIA on incoming traffic NIC from modem, bridge to second NIC which goes to router and in theory the traffic going to all the devices in my home (wired or WiFi) should be protected via PIA IP hiding and whatever level of encryption I set up through the PIA interface. I have spare Dell workstations with decent processors. You said 2.4, however a lot of flavors of 2.4 exist. Would more cores or better tech/type of cores be better? Like a 2.4 i3 8 core vs a 2.4 i5 6 core or 2.4 i7 4 core?

Search for the recent thread where this was discussed. Some posters believed that clock speed was the key so even an I3 would get the job done.
 
Same thing with mine. My options are a little different but the symptom is the same. An hour or two online and the VPN stops allowing internet access. Spent part of the last few days trying different things suggested in this thread and others. Something is shutting down internet access for the tunnel for some reason it seems to me. I have policy rules in place to allow me to use Netflix on my smart tv and this past time it stayed active when the internet access on my laptop died. The VPN Client isn't showing any issues on the router and the log doesn't indicate any errors. Really odd.

This is the exact same problem I've been battling with for weeks, I'm constantly having to restart my VPN clients on my router to get connected again. I've tried every setting mentioned here as well as the ones on the PIA website. I've noticed that an issue has been reported on Merlin's GitHub page about it a while ago, but so far there doesn't seem to be any reaction to it - maybe if other sufferers of this problem would report it also, Merlin might have a look into the issue?
 
Rolled back to 380.64_2 this morning. I'll keep monitoring to see if a solution is discovered, but for now having a stable connection is more important than running the latest OpenVPN version (and consequently latest Merlin).
 
Search for the recent thread where this was discussed. Some posters believed that clock speed was the key so even an I3 would get the job done.

Seems the general consensus is a high clock speed is the best way to go unless you code it in a way to use multiple cores/threads but for what I'm doing which is simple 1in/1out a simpler machine would work best. For anyone else that might be considering this don't go cheap on the NICs, I'm reading NICs using Marvell don't play nice in this configuration. Thanks again for the help!
 
Rolled back to 380.64_2 this morning. I'll keep monitoring to see if a solution is discovered, but for now having a stable connection is more important than running the latest OpenVPN version (and consequently latest Merlin).

Please post back if reverting back to 380.64_2 fixes the disconnect issues.

Thanks.
 
So far it seems to have stopped it. Haven't disconnected since I posted this morning.

So, after reading your response I thought I'd revert back to 380.64_2 myself last night before going to bed to see if it would stay connected until this morning - SUCCESS!! All my devices are still connected and so far I've not had to restart any of my vpn clients once. Keeping my fingers crossed that this will be the case for the future - I'll report back in 24-48 hours with an update.

HURRAAAAA!
 
So, after reading your response I thought I'd revert back to 380.64_2 myself last night before going to bed to see if it would stay connected until this morning - SUCCESS!! All my devices are still connected and so far I've not had to restart any of my vpn clients once. Keeping my fingers crossed that this will be the case for the future - I'll report back in 24-48 hours with an update.

HURRAAAAA!

I already mentioned this in post #268 [emoji4]


Sent from my iPhone using Tapatalk
 