Tutorial How to Setup a VPN client including Policy Rules for PIA and other VPN providers 384.5 07.10.18

[frooty]

I already mentioned this in post #268 [emoji4]


Verzonden vanaf mijn iPhone met Tapatalk

Oh wow, so you did - not sure how I missed that.....

So it's official then do you think? Any firmware above 380.64_2 doesn't work correctly with PIA?

 

[Patje]

Oh wow, so you did - not sure how I missed that.....

So it's official then do you think? Any firmware above 380.64_2 doesn't work correctly with PIA?

I really don't know.
I haven't the knowledge to investigate this problem myself so for now I stick to 380.64_2 [emoji18]

Hopefully there's some smart guy around who figures out how to setup the router for PIA with openvpn 2.4.x


Verzonden vanaf mijn iPhone met Tapatalk

 

[DickyDck]

I am experimenting with the Alpha 380.66 right now, I will try plugging PIA into it later and see. I don't think I'll keep it since it kills my internet speed but for the sake of troubleshooting I'm game to give it a go!

 

[Patje]

I am experimenting with the Alpha 380.66 right now, I will try plugging PIA into it later and see. I don't think I'll keep it since it kills my internet speed but for the sake of troubleshooting I'm game to give it a go!

Thanks,

That would be very nice.


Verzonden vanaf mijn iPhone met Tapatalk

 

[penguin22]

Oh wow, so you did - not sure how I missed that.....

So it's official then do you think? Any firmware above 380.64_2 doesn't work correctly with PIA?

I've been using 380.65_2 with PIA with AB-Solution and DNSCrypt without issue. I have gone a week stable with 2048-bit encryption. My distance and media-bridge means that the speed loss is a non-factor and I value stability above all in this case.

 

[DickyDck]

Thanks,

That would be very nice.


Verzonden vanaf mijn iPhone met Tapatalk

OK, I'm home now and I can plug in my PIA for experimental fun time! Can you give me your paramters, without your PIA credentials of course and I'll mirror what you have and lets see how it goes!

 

[frooty]

OK, I'm home now and I can plug in my PIA for experimental fun time! Can you give me your paramters, without your PIA credentials of course and I'll mirror what you have and lets see how it goes!

here's what I'm using on a N66U with PIA:

tls-client
remote-cert-tls server
ns-cert-type server
disable-occ
auth-nocache
persist-key
persist-tun

 

[DickyDck]

here's what I'm using on a N66U with PIA:

tls-client
remote-cert-tls server
ns-cert-type server
disable-occ
auth-nocache
persist-key
persist-tun

OK! settings are plugged in and VPN running. How long were you able to keep a connection for? I started at 6pm eastern standard time

 

[frooty]

OK! settings are plugged in and VPN running. How long were you able to keep a connection for? I started at 6pm eastern standard time

It varied quite a bit tbh, sometimes it would stay connected for a few days & other times it would disconnect multiple times a day. I usually had to restart my clients when booting up in the morning though.

Edit: Since I went back to 380.64_2 I've not had a single disconnect using the exact same settings.

 

[DickyDck]

So far, 12 hours no disconnects. I will add that I updated to alpha 3 to possibly address a WiFi dropping out issue I was having and that seems to be ok too. total up time over 2 days and no errors in logs, total up time for PIA 12 hours and nothing in logs, so far it's good except for the PIA dragging my speed down really bad but I am out of the house today so it won't affect me

 

[Patje]

So far, 12 hours no disconnects. I will add that I updated to alpha 3 to possibly address a WiFi dropping out issue I was having and that seems to be ok too. total up time over 2 days and no errors in logs, total up time for PIA 12 hours and nothing in logs, so far it's good except for the PIA dragging my speed down really bad but I am out of the house today so it won't affect me

Hi DickyDck,

I think frooty's symptoms are similar as my symptoms. The vpn is connected and the vpn status page shows that everything is fine. There's nothing in the logs but for some reason it's not possible to serve the Web anymore.





Verzonden vanaf mijn iPhone met Tapatalk

 

[DickyDck]

Hi DickyDck,

I think frooty's symptoms are similar as my symptoms. The vpn is connected and the vpn status page shows that everything is fine. There's nothing in the logs but for some reason it's not possible to serve the Web anymore.

Verzonden vanaf mijn iPhone met Tapatalk

Gotcha, so far I'm still connected and able to browse out, torrent, etc. I'll keep updating throughout the day to you guys. If it does drop out at all, I'll post up any logs I have and we can compare to see if there are any similarities.

 

[kman]

Didn't get chance to reply earlier. I was able to stay connected on _4 by importing the ovpn file and removing the 2 certificate lines at the end. My configuration is the following (with NAT Acceleration off):

tls-client
persist-key
persist-tun
remote-cert-tls server
verb 1
fast-io
sndbuf 524288
rcvbuf 524288
comp-lzo yes
comp-noadapt​

 

[FatherLandDescendant]

Didn't get chance to reply earlier. I was able to stay connected on _4 by importing the ovpn file and removing the 2 certificate lines at the end. My configuration is the following (with NAT Acceleration off):

tls-client
persist-key
persist-tun
remote-cert-tls server
verb 1
fast-io
sndbuf 524288
rcvbuf 524288
comp-lzo yes
comp-noadapt​

I'll be the first to admit I'm a Noob here. I am in school on a Network Admin track ATM so I'd like to understand what's going on better and I have some questions, lots actually and when my semester is up (3wks) I'll probably be around asking a wider variety of questions in other areas of the forum. But I realize these are custom configs that get input at the bottom of the page, but what do they do what are they for? Is there an article(s) I can read that will help me understand?

I'm getting some log messages since this past weekend, I was more worried about WIFI stability issues to this point, but since those issues are seemingly resolved I'd like to address the log issues that I'm having that deal with my VPN. I've seen a few posts where people import a VPN file, I've not done any of that I know where just not what. And I've seen talk about custom config settings (again I know where just not what) but all of the screen grabs I've seen have been the older _2 firmware and not exactly what I currently have and a couple of things are different like compression now has LZO Adaptive not just Adaptive, and fallback cipher now has Legacy preceding it, does this affect how I need to configure my OpenVPN? I've followed the tutorial on ASUS web site, looked at screen grabs here of peoples setups, read about the custom configs people are using/deleting/replacing/delete or don't doesn't matter.....

So I guess another question, along with the ones above, is what do I have to configure to address the log entries for my AC66u running 380.65_4?

Apr 11 16:27:38 openvpn[555]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
Apr 11 16:27:38 openvpn[555]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'

The PIA website says I'm good DNS LeakTest says I'm good as does IP/DNS Detect, but I still have multiple entries of the above in my log file. My router has been up and internet accessible for just over 2 days now so what ever this entry is doesn't affect connectivity, but does it compromise security, privacy?

I've included screen grabs of my current setup as it is now.

Thanks for any and all the help you guys/gals give.

 

[Patje]

I saw in kman's post that his NAT acceleration is disabled, mine is set to auto. This is maybe the cause of my problem.

Question for frooty and DickyDck, what are your NAT setting?


Verzonden vanaf mijn iPhone met Tapatalk

 

[kman]

I saw in kman's post that his NAT acceleration is disabled, mine is set to auto. This is maybe the cause of my problem.

Question for frooty and DickyDck, what are your NAT setting?


Verzonden vanaf mijn iPhone met Tapatalk

Disabling NAT Acceleration is only useful for achieving higher throughput. It should not impact the tunnel connectivity. For that just ensure you have the correct options selected.

 

[Xentrk]

I'll be the first to admit I'm a Noob here. I am in school on a Network Admin track ATM so I'd like to understand what's going on better and I have some questions, lots actually and when my semester is up (3wks) I'll probably be around asking a wider variety of questions in other areas of the forum. But I realize these are custom configs that get input at the bottom of the page, but what do they do what are they for? Is there an article(s) I can read that will help me understand?

I'm getting some log messages since this past weekend, I was more worried about WIFI stability issues to this point, but since those issues are seemingly resolved I'd like to address the log issues that I'm having that deal with my VPN. I've seen a few posts where people import a VPN file, I've not done any of that I know where just not what. And I've seen talk about custom config settings (again I know where just not what) but all of the screen grabs I've seen have been the older _2 firmware and not exactly what I currently have and a couple of things are different like compression now has LZO Adaptive not just Adaptive, and fallback cipher now has Legacy preceding it, does this affect how I need to configure my OpenVPN? I've followed the tutorial on ASUS web site, looked at screen grabs here of peoples setups, read about the custom configs people are using/deleting/replacing/delete or don't doesn't matter.....

So I guess another question, along with the ones above, is what do I have to configure to address the log entries for my AC66u running 380.65_4?



The PIA website says I'm good DNS LeakTest says I'm good as does IP/DNS Detect, but I still have multiple entries of the above in my log file. My router has been up and internet accessible for just over 2 days now so what ever this entry is doesn't affect connectivity, but does it compromise security, privacy?

I've included screen grabs of my current setup as it is now.

Thanks for any and all the help you guys/gals give.

You can try something like this to fix the MTU warning messages:

tun-mtu 1500
mssfix 1450
mtu-disc yes

PIA has not updated to OpenVPN 2.4 release. Try changing cipher negotiation to Disable. Then, set encryption decipher to what you want to use e.g. AES-128-CBC. Or, whatever PIA tells you to use for the server and port that is tied to the encryption cipher. I also have Auth Digest set to SHA1. But I use another provider..but my guide has helped some PIA customers:

https://www.snbforums.com/threads/t...for-asus-merlin-380-65-380-65_2-part-i.38281/

 

[Patje]

Disabling NAT Acceleration is only useful for achieving higher throughput. It should not impact the tunnel connectivity. For that just ensure you have the correct options selected.

Thanks kman,

I looked into your guide and saw probably the wrong setting:
Note 1: In prior OpenVPN releases, I always used the setting of “None” for Compression.

My setting was also always set to "None". I changed this setting approx. 15 hours ago and my vpn is still running.
I'll give a status update in a few days.

ps.
Do you mean Disabling or Enabling the NAT acceleration for a higher troughput?

 

[FatherLandDescendant]

You can try something like this to fix the MTU warning messages:

tun-mtu 1500
mssfix 1450
mtu-disc yes

PIA has not updated to OpenVPN 2.4 release. Try changing cipher negotiation to Disable. Then, set encryption decipher to what you want to use e.g. AES-128-CBC. Or, whatever PIA tells you to use for the server and port that is tied to the encryption cipher. I also have Auth Digest set to SHA1. But I use another provider..but my guide has helped some PIA customers:

https://www.snbforums.com/threads/t...for-asus-merlin-380-65-380-65_2-part-i.38281/

Thanks for the reply.

I had to remove {mtu-disc yes}, when I put it in the VPN wouldn't stay up and the log said {mtu-disc is not supported on this OS}, I also tried to set the cipher negotiation to disable and switch to the BF-CBC that the log reports the remote server as using but when I do I can't get internet pages to load. I'm going to leave the tnu-mtu and mssfix in place while I go to work today and see what the log file looks like tonight when I get home.

I have to reset the VPN connection on a regular basis, it'd be nice to get it stabilized so I don't have to worry about it. Why do these things always wait until the end of my semester to blow up, I got more than enough to do without having to divide my attention, if he didn't need the internet connection to submit work and take tests I'd put this off for a couple of weeks, my network runs without a hitch...

Again thanks for the help.

 

[DickyDck]

I saw in kman's post that his NAT acceleration is disabled, mine is set to auto. This is maybe the cause of my problem.

Question for frooty and DickyDck, what are your NAT setting?


Verzonden vanaf mijn iPhone met Tapatalk

My NAT settings are enabled presently.

Update: so far all has been good except for brief 2-5 minute outages, that happen maybe 2 times a day. I am assuming that this is when PIA is re-issuing a new IP for me. If there was a way to get them to leave the initial connection alone, I think it would be solid but this is not ideal if I were playing an online game or something.