What's new

Tutorial How to Setup a VPN client including Policy Rules for PIA and other VPN providers 384.5 07.10.18

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

My NAT settings are enabled presently.

Update: so far all has been good except for brief 2-5 minute outages, that happen maybe 2 times a day. I am assuming that this is when PIA is re-issuing a new IP for me. If there was a way to get them to leave the initial connection alone, I think it would be solid but this is not ideal if I were playing an online game or something.

Thanks,

It looks like my problem is solved. I think my compression setting was the trouble maker (it was set to "none"). New setting is LZO.

Connection is stable for almost 24 hours now.

Verzonden vanaf mijn iPhone met Tapatalk
 
Last edited:
I saw in kman's post that his NAT acceleration is disabled, mine is set to auto. This is maybe the cause of my problem.

Question for frooty and DickyDck, what are your NAT setting?


Verzonden vanaf mijn iPhone met Tapatalk

My NAT setting is set to none, I believe this is the default setting as I've never touched it.
It's been a few days now with 380_64_2 & I've not had a single disconnect. Happy again.
 
Thanks for the reply.

I had to remove {mtu-disc yes}, when I put it in the VPN wouldn't stay up and the log said {mtu-disc is not supported on this OS}, I also tried to set the cipher negotiation to disable and switch to the BF-CBC that the log reports the remote server as using but when I do I can't get internet pages to load. I'm going to leave the tnu-mtu and mssfix in place while I go to work today and see what the log file looks like tonight when I get home.

I have to reset the VPN connection on a regular basis, it'd be nice to get it stabilized so I don't have to worry about it. Why do these things always wait until the end of my semester to blow up, I got more than enough to do without having to divide my attention, if he didn't need the internet connection to submit work and take tests I'd put this off for a couple of weeks, my network runs without a hitch...

Again thanks for the help.
Try changing the TLS Renegotiation Time to 0 (zero) to see if that helps with the disconnect issue. From the OpenVPN manual https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

--reneg-sec n
Renegotiate data channel key after n seconds (default=3600).

When using dual-factor authentication, note that this default value may cause the end user to be challenged to reauthorize once per hour.

Also, keep in mind that this option can be used on both the client and server, and whichever uses the lower value will be the one to trigger the renegotiation. A common mistake is to set --reneg-sec to a higher value on either the client or server, while the other side of the connection is still using the default value of 3600 seconds, meaning that the renegotiation will still occur once per 3600 seconds. The solution is to increase --reneg-sec on both the client and server, or set it to 0 on one side of the connection (to disable), and to your chosen value on the other side.
 
Make sure you change it through the webui, not through the custom section, as the two entries will conflict.

reneg.png
 
Make sure you change it through the webui, not through the custom section, as the two entries will conflict.

View attachment 9040

That's the way I did it. I tried the other suggestions in relation to my post and came to work yesterday, I got home and the VPN wouldn't allow web pages to load. So I set this this morning and came to work again, I'll see if it had any affect later when I get home.

You have any suggestions RMerlin?
 
You have any suggestions..?
Did you disable cipher negotiation per my earlier post and set the encryption decipher to match the port and certificate per PIA instructions? Also set Connection Retry to -1. You have it set to 10 right now.

Also, look at the log file and validate it is using the encryption you specified in the web gui. If you see AES-256-GSM being used when you start the tunnel, add the line ncp-disable in Custom Configuration section.

If you are still having issues, please post an updated screen picture and the log contents then the vpn connection starts up.
 
Did you disable cipher negotiation per my earlier post and set the encryption decipher to match the port and certificate per PIA instructions?

I did it to the letter according to PIA and I keep getting the log entry {WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'} EVEN the PIA website says to use AES-128-CBC on port 1198, which is what doesn't make sense to me as to why I'm getting that log entry. Though while flopping around the internet I have found that I'm not the only one getting this log entry and it's been going on a while.

When I disable cipher negotiation and change it to BF-CBC web pages won't load, change the CA and the port to match and still doesn't work.

Also set Connection Retry to -1. You have it set to 10 right now.

I've never had it set to 10, default is -1 and I always left it alone, I didn't know what changing it would do until I did some reading today at the link you provided, thanks for that by the way. It was -1 until I read your post this morning and then I changed it to 0. I could load web pages when I got home this evening it ran about 14 hours without connectivity issues, I'm on it now and didn't have to restart the VPN.

Also, look at the log file and validate it is using the encryption you specified in the web gui. If you see AES-256-GSM being used when you start the tunnel, add the line ncp-disable in Custom Configuration section.

The log says that the local cipher is AES-128-CBC remote cipher is BF-CBC, if I try and change the cipher in the web GUI I can't load web pages, I changed the CA and the port but it still wouldn't let web pages load. Is there any risk to disabling the cipher negotiation with that command, I'm more worried about the user downloading music and my ISP coming down on me than anything, that's why I'm trying to setup a VPN on my router.

If you are still having issues, please post an updated screen picture and the log contents then the vpn connection starts up.

Here's the screen shots of how its' set now, and the log file I can't get to load the site keeps telling me I've been blocked, I think I did something the site didn't like, what I don't know. So off to find an admin I guess...
 

Attachments

  • Screenshot (1254)_LI.jpg
    Screenshot (1254)_LI.jpg
    49.2 KB · Views: 439
  • Screenshot (1255).png
    Screenshot (1255).png
    165.4 KB · Views: 571
I did it to the letter according to PIA and I keep getting the log entry {WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'} EVEN the PIA website says to use AES-128-CBC on port 1198, which is what doesn't make sense to me as to why I'm getting that log entry. Though while flopping around the internet I have found that I'm not the only one getting this log entry and it's been going on a while.

When I disable cipher negotiation and change it to BF-CBC web pages won't load, change the CA and the port to match and still doesn't work.



I've never had it set to 10, default is -1 and I always left it alone, I didn't know what changing it would do until I did some reading today at the link you provided, thanks for that by the way. It was -1 until I read your post this morning and then I changed it to 0. I could load web pages when I got home this evening it ran about 14 hours without connectivity issues, I'm on it now and didn't have to restart the VPN.



The log says that the local cipher is AES-128-CBC remote cipher is BF-CBC, if I try and change the cipher in the web GUI I can't load web pages, I changed the CA and the port but it still wouldn't let web pages load. Is there any risk to disabling the cipher negotiation with that command, I'm more worried about the user downloading music and my ISP coming down on me than anything, that's why I'm trying to setup a VPN on my router.



Here's the screen shots of how its' set now, and the log file I can't get to load the site keeps telling me I've been blocked, I think I did something the site didn't like, what I don't know. So off to find an admin I guess...

1. Please try the following:
Auth Digest = SHA1
Connection Retry = -1 (Sorry, I thought it was set to 10 in my previous post from your screen shot, I see it is set to 30. I had to enlarge the image to see the detail :))
Cipher Negotiation = Disable
Cipher = AES-128-CBC
Redirect Internet Traffic = All (this will route all clients through the VPN BTW, let's start here). The current setting of No will not allow any clients to use the tunnel.
Then, select the Apply button. Your screen shot does not match some of the settings you are posting in the text.
2. You can try to post the log contents at pastebin.com and post the link. .

3. Even though my setup guide is TorGuard centric, I've had several PIA customers send me Private Messages of thanks as it helped them get PIA OpenVPN 2.4 client working on their router. So hang in there, we should be able to figure this out. I am hopeful :)

4. For the {WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'} message, try putting the config settubg disable-occ in Additional Config section as well per yorgi's guide here https://www.snbforums.com/threads/h...ia-and-other-vpn-providers-10-15-fixed.30851/.. And of course, select the Apply button.

--disable-occ
Don't output a warning message if option inconsistencies are detected between peers. An example of an option inconsistency would be where one peer uses --dev tun while the other peer uses --dev tap.

Use of this option is discouraged, but is provided as a temporary fix in situations where a recent version of OpenVPN must connect to an old version.


I'll stay tuned for an update...
 
1. Please try the following:
Auth Digest = SHA1
Connection Retry = -1 (Sorry, I thought it was set to 10 in my previous post from your screen shot, I see it is set to 30. I had to enlarge the image to see the detail :))
Cipher Negotiation = Disable
Cipher = AES-128-CBC
Redirect Internet Traffic = All (this will route all clients through the VPN BTW, let's start here). The current setting of No will not allow any clients to use the tunnel.
Then, select the Apply button.​

All set. On your suggestion for the Connection Retry I was thinking TLS Renegotiation (because of the -1 at the end of the suggestion) and I had to sleep to see the details:eek::oops:
Your screen shot does not match some of the settings you are posting in the text.

Because I was posting when I was tired, I confused myself and read stuff wrong, to much going on between semester end at school and my daily work, sorry for the confusion.
2. You can try to post the log contents at pastebin.com and post the link. .

I only had 2 warnings in the log but we've reconfigured things since then and this setup didn't list any warnings in the log file.

3. Even though my setup guide is TorGuard centric, I've had several PIA customers send me Private Messages of thanks as it helped them get PIA OpenVPN 2.4 client working on their router. So hang in there, we should be able to figure this out. I am hopeful :)

I'm hopeful too. To be honest I saw that post of yours and started to read it but moved on looking for posts that dealt specifically with PIA, and had screen shots that looked like what I was working with. I was looking for a quick solution and ended up making things worse, confusing myself, and reading to react when I should have been trying to read to understand. I knew from the beginning this was a configuration issue on my part. They don't teach advanced routing in the CIT program I am in so my understanding of things is a tad lacking. That and as I've said I've got way to much going on and I'm scatter brained, I should be working on my homework, but here I am making sure someone else can do theirs...

4. For the {WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'} message, try putting the config settubg disable-occ in Additional Config section as well per yorgi's guide here https://www.snbforums.com/threads/h...ia-and-other-vpn-providers-10-15-fixed.30851/.. And of course, select the Apply button.

I'll stay tuned for an update...

OK so, I've set the VPN in the router as directed in this post, click on the Apply and no warnings in the log file, and web pages are loading.

We'll see how it goes throughout the day here. I'm going to move back to my network and do school work, I'll continue to check this router throughout the day and weekend. either way it goes I'll let you know how it goes.

Thanks for your help and putting up with my confusing things:p
 
...OK so, I've set the VPN in the router as directed in this post, click on the Apply and no warnings in the log file, and web pages are loading.

We'll see how it goes throughout the day here. I'm going to move back to my network and do school work, I'll continue to check this router throughout the day and weekend. either way it goes I'll let you know how it goes.

Thanks for your help and putting up with my confusing things:p

You're welcome.. Sometimes a second pair of eyes helps. Good luck with school work and Happy Easter Egg!
 
I'm not 50 yeto_O Close, but I just started back to school, took me a long time to make the decision, I was always to busy working to go to school. Now I have a desk job and a lot of free time.
Hehe I hear you. I misread and I thought that intended for me because I said I was really busy lately. :)
Learning is a great thing :)
 
@Xentrk
Everything seems to be working well over the last couple of days. I've disconnected and connected to the network several times over the weekend, was on it once for longer than I had intended because I forgot I was on a wireless connection. Web pages are loading fine and I've not had any connectivity issues reported at all by the primary user of this network.

The only log file entries are DHCP request, a upnp reset when a network printer wakes from sleep mode and this entry {kernel: nf_ct_ras: decoding error: out of range} last night, which I looked up and according to posts by Merlin from 2012 it can be ignored.

Again thanks for the help.
 
I can confirm that my problem is solved by changing the Compression setting from "None" to "LZO"
My PIA-VPN is running stable on 380.66/alpha 3 for almost a week now.
 
Hey Yorgi, great guide and exactly what I was looking for trying to setup PIA with my TM-AC1900 (AC68U).

I have the stock firmware and would rather not attempt to flash the TM.
I only want to route my Syno NAS (used only for p2p downloads) through PIA and all other devices can go through ISP.
I am perfectly fine with PIA's kill-switch even though it's not perfect.
Aside from PIA's auto config and certs, do I really need to do all the other steps in your guide and would I need
the Merlin build for that?
Guess I'm just not sure if all those added steps are optimization/speed/reliability tweaks specific to Merlin builds...
 
@Xentrk
Everything seems to be working well over the last couple of days. I've disconnected and connected to the network several times over the weekend, was on it once for longer than I had intended because I forgot I was on a wireless connection. Web pages are loading fine and I've not had any connectivity issues reported at all by the primary user of this network.

The only log file entries are DHCP request, a upnp reset when a network printer wakes from sleep mode and this entry {kernel: nf_ct_ras: decoding error: out of range} last night, which I looked up and according to posts by Merlin from 2012 it can be ignored.

Again thanks for the help.
You're very welcome. I'm glad I could help. :)
 
Hey Yorgi, great guide and exactly what I was looking for trying to setup PIA with my TM-AC1900 (AC68U).

I have the stock firmware and would rather not attempt to flash the TM.
I only want to route my Syno NAS (used only for p2p downloads) through PIA and all other devices can go through ISP.
I am perfectly fine with PIA's kill-switch even though it's not perfect.
Aside from PIA's auto config and certs, do I really need to do all the other steps in your guide and would I need
the Merlin build for that?
Guess I'm just not sure if all those added steps are optimization/speed/reliability tweaks specific to Merlin builds...
Merlin Builds are rock solid. I have been using Merlin with PIA VPN for 2 years now.
I would recommend you work your router with PIA as software is always flaky and I never trusted the PIA software because when I use to use it It would often hiccup and if you use the Kill feature its not the best. However with Merlin the kill feature works great :)
Hope that helps
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top