Tutorial How to Setup a VPN client including Policy Rules for PIA and other VPN providers 384.5 07.10.18

[RMerlin]

I am not sure if this is happening to others but every 24 hours or so I get a authentication error can't establish connection with OpenVPN client.
I never had this issue in the past, its only with recent updated firmware .67

I read this on github
https://github.com/RMerl/asuswrt-merlin/issues/1214

If we use this script https://github.com/RMerl/asuswrt-merlin/commit/6dcc3cfd20bd47f6613b4ab25c115fbcaa6d7d3f where do we load it in Jffs scripts?

Thanks

It's a problem introduced with OpenVPN 2.4 and related to the use of an auth-token. It's not specific to Asuswrt, people with DD-WRT also reported similar issues. There's no known solution at this time, and the root cause isn't known either.

 

[Mark Taylor]

It's a problem introduced with OpenVPN 2.4 and related to the use of an auth-token. It's not specific to Asuswrt, people with DD-WRT also reported similar issues. There's no known solution at this time, and the root cause isn't known either.

I just upgraded from 380.64_2 on my RT-AC88u to the current 380.68_beta1 and use PIA with OpenVPN. I had put off upgrading due to the disconnects and failure to reconnect everyday when I tried 380.67. It would appear to be specific to the new OpenVPN 2.4 and PIA as it was rock solid on the older OpenVPN 2.3 with firmware 380.64.x and below. I was mainly upgrading due to the newer security updates.

I might contact PIA and see if they can troubleshoot the issue from their end. Good news is I use policy rules and the option for "Block routed clients if tunnel goes down" works and the VPN Status screen does now show disconnected auth_fail at least which it did not in 380.67.

Not sure if it is possible but would be great to have a push notification to email or SMS when the VPN is down or other router issue so I know to reconnect it. I use TeamViewer and this one VPN client PC disappears from my list and I can only then access it on the LAN via RDP. So I cannot then connect to it remotely although I do know I can setup RDP if needed but generally prefer it disabled expect for LAN access. Not knowing it is down is the key issue for me and in the past possibly causing DNS leaks by not blocking internet access when the VPN was down.

 

[RMerlin]

I tried a couple of things without much luck (PIA's tech support suggested using auth-nocache, which seemed to work around the issue, but it was because of a separate bug in OpenVPN which has since been fixed).

One thing I haven't tested yet is disabling the auth-token support. Give it a try, by adding this to the Custom config section:

pull-filter ignore "auth-token"

 

[Mark Taylor]

I tried a couple of things without much luck (PIA's tech support suggested using auth-nocache, which seemed to work around the issue, but it was because of a separate bug in OpenVPN which has since been fixed).

One thing I haven't tested yet is disabling the auth-token support. Give it a try, by adding this to the Custom config section:

pull-filter ignore "auth-token"

Thanks I have put that in but will need to wait until tomorrow morning to see if it reconnects okay. Will update if it resolves it. I have sent an email to PIA as well and will let you know if they offer anything further on this issue.

 

[RMerlin]

So far the connection has survived the night here with this change.

 

[Mark Taylor]

So far the connection has survived the night here with this change.

All is working with this setting added for me also on 380.68_beta1 so that looks like that setting may have solved the issue. I sleep the only PC using the VPN and nearly everyday the VPN disconnects in the AM and reconnected but with 380.67 or 68 it would not reconnect. Today it has stayed connected with no disconnect at all. Will monitor it over the next few days and report back.

This is my Custom Configuration section now:

tls-client
remote-cert-tls server
auth-nocache
mute-replay-warnings
disable-occ
pull-filter ignore "auth-token"

 

[RMerlin]

So it seems something is broken with auth-token then. Unsure if the problem is specific to PIA's servers, or more generalized with OpenVPN 2.4.x.

If you have an open ticket with them, could you relay them this solution? You can tell them the suggestion came from me (if your support tech is Daniel, we exchanged a few emails in the past regarding this issue, so he might be able to follow-up on it).

 

[Mark Taylor]

So it seems something is broken with auth-token then. Unsure if the problem is specific to PIA's servers, or more generalized with OpenVPN 2.4.x.

If you have an open ticket with them, could you relay them this solution? You can tell them the suggestion came from me (if your support tech is Daniel, we exchanged a few emails in the past regarding this issue, so he might be able to follow-up on it).

Yes I added to the open ticket which was being escalated to the technical team to have a look at and advised on this fix and also I sent them my logs when it would connect and when it wouldn't connect so they might offer some further feedback. Will let you know when I hear back from them and also will monitor it over the next few days to make sure it is working okay and update this thread.

 

[RMerlin]

One thing I noticed is the failed re-connections always occurred after ping inactivity, not just after a TLS expired key.

 

[yorgi]

I tried a couple of things without much luck (PIA's tech support suggested using auth-nocache, which seemed to work around the issue, but it was because of a separate bug in OpenVPN which has since been fixed).

One thing I haven't tested yet is disabling the auth-token support. Give it a try, by adding this to the Custom config section:

pull-filter ignore "auth-token"

great i put the command on my custom settings...lets see if it survives 24 hours.
this issue has been annoying but livable
Thanks Merlin.

 

[yorgi]

So it seems something is broken with auth-token then. Unsure if the problem is specific to PIA's servers, or more generalized with OpenVPN 2.4.x.

If you have an open ticket with them, could you relay them this solution? You can tell them the suggestion came from me (if your support tech is Daniel, we exchanged a few emails in the past regarding this issue, so he might be able to follow-up on it).

PIA should update to 2.4... as it stands now you cannot even use the new protocols for cypher...using the legacy can cause problems in the future. Its been a while now with 2.4 and they have not done much. I wonder if they have to reconfigure entire servers in order to apply this new protocol. I would think its a big job.

 

[RMerlin]

PIA should update to 2.4... as it stands now you cannot even use the new protocols for cypher...using the legacy can cause problems in the future. Its been a while now with 2.4 and they have not done much. I wonder if they have to reconfigure entire servers in order to apply this new protocol. I would think its a big job.

It's possible they might have updated to 2.4 (probably even likely due to security updates). Doesn't require them enabling any of the new 2.4 features however.

 

[yorgi]

It's possible they might have updated to 2.4 (probably even likely due to security updates). Doesn't require them enabling any of the new 2.4 features however.

It could be, but at the same time I doubt it. We will see what Mak Taylor reports back from PIA.
I would be happy if it reconnected properly. I added the command, I will let you know if a couple of days if it works right

 

[Mark Taylor]

One thing I noticed is the failed re-connections always occurred after ping inactivity, not just after a TLS expired key.

I only have 1 PC via the VPN that is in Sleep mode and when I switch it on it seems to generate the inactivity timeout as below. However in the past the VPN when I did not have this setting in pull-filter ignore "auth-token" would not reconnect where with this setting it reconnects okay without error. I had a look at the router log before I woke the sleeping PC and the OpenVPN connection was listed from yesterday and when it was on it then generated the inactivity and restart as below and connected fine. Technically I have no idea what the "auth-token" does and if this has an negative impact but ti does seem to be reconnecting fine now.

Aug 20 09:26:03 openvpn[31100]: [63348e64b146c44823ea43684f8a32df] Inactivity timeout (--ping-restart), restarting
Aug 20 09:26:03 openvpn[31100]: SIGUSR1[soft,ping-restart] received, process restarting
Aug 20 09:26:03 openvpn[31100]: Restart pause, 5 second(s)
Aug 20 09:26:08 openvpn[31100]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

 

[Mark Taylor]

I only have 1 PC via the VPN that is in Sleep mode and when I switch it on it seems to generate the inactivity timeout as below. However in the past the VPN when I did not have this setting in pull-filter ignore "auth-token" would not reconnect where with this setting it reconnects okay without error. I had a look at the router log before I woke the sleeping PC and the OpenVPN connection was listed from yesterday and when it was on it then generated the inactivity and restart as below and connected fine. Technically I have no idea what the "auth-token" does and if this has an negative impact but ti does seem to be reconnecting fine now.

Aug 20 09:26:03 openvpn[31100]: [63348e64b146c44823ea43684f8a32df] Inactivity timeout (--ping-restart), restarting
Aug 20 09:26:03 openvpn[31100]: SIGUSR1[soft,ping-restart] received, process restarting
Aug 20 09:26:03 openvpn[31100]: Restart pause, 5 second(s)
Aug 20 09:26:08 openvpn[31100]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

Just a quick update that using this setting under the PIA OpenVPN Custom Configuration section
pull filter ignore "auth-token"
has not stopped daily disconnects via Ping Inactivity but does allow the VPN to reconnect consistently without errors.

I did get this reply from PIA but it was not very helpful as you can see. The policy based rules are working fine with Merlin 380.68_0

Joseph C. (Private Internet Access)

Aug 20, 06:49 MDT

Hi Mark,

Here is a firewall rule that when configured can detect policy based routing rules and prevent non-VPN traffic where desired if the VPN connection drops: https://pastebin.com/332rk3we

I hope pull-filter works for you, please let us know if it does.

If you need assistance with anything else, please don't hesitate to ask.

Regards,

Joseph C.
Senior Technical Engineer
Private Internet Access™

Private Internet Access: We've Got Your Back
Blog Posts: Security Best Practices | The FBI Just Became The Enemy | Investigatory Powers Act

 

[Smokin_Joe]

Okay...Sorry haven't read the whole guide...
I installed Asuswrt-Merlin 380.68 on a RT-AC88u and following your guide and the info from ipvanish I created a working openvpn router that I tested a few subnets from the modem...

Worked wonderfully

Thank you yorgi
{Lovely Kitty on your avatar, btw....I have a stray that makes me feel important...really special and I am ..so not worthy, ...but I love it...lol}
Question....When I restarted the RT-AC88U why did it turn on Client 1 {in VPN}?
Asked another way
I have 2 Clients configured for the VPN...{Client 1 Zurich Client 2 Seattle} and 1 is turned off...Why did the Client 1 turn itself back on, with a power failure/reset ??

 

[Rickyrsx]

I don't know if my problem was discussed before or not but here goes. I have an Asus RT-AC3100 and I can use their stock firmware (Version 3.0.0.4.382.15852) and connect to the VPN (using VPN.ac) on their Toronto server. However, voip.ms doesn't like going through VPN as it drops (I've been playing around with the ports there too but that's another story). So I like using Merlin's firmware and I updated to 360.68 and I can connect fine and I like the policy rules so that I can direct the voip phone to connect through WAN instead of VPN. So the dilemma I have is that when I'm using the stock Asus firmware, I can connect to Netflix with no problems, but when I when I use Merlin firmware, I can't. Somewhere, there's a setting or something in the Merlin firmware that Netflix picks up on that isn't turned on with the stock firmware. I'm not that savvy with this stuff so I don't even know which settings to play around with. I've opened up a ticket with VPN.ac as well. Nothing too concrete of a solution offered yet from them. Here are screenshots of my settings with Merlin.

 

[yorgi]

Okay...Sorry haven't read the whole guide...
I installed Asuswrt-Merlin 380.68 on a RT-AC88u and following your guide and the info from ipvanish I created a working openvpn router that I tested a few subnets from the modem...

Worked wonderfully

Thank you yorgi
{Lovely Kitty on your avatar, btw....I have a stray that makes me feel important...really special and I am ..so not worthy, ...but I love it...lol}
Question....When I restarted the RT-AC88U why did it turn on Client 1 {in VPN}?
Asked another way
I have 2 Clients configured for the VPN...{Client 1 Zurich Client 2 Seattle} and 1 is turned off...Why did the Client 1 turn itself back on, with a power failure/reset ??

Thats one of my Cats on the Avatar. Biggest pest in the world but coolest cat I ever had He can do tricks like a dog and we take walks together in the alley.
I would suggest using client 1 and if you another client put it on 2 this way you are using 1 of each cores from the dual core.
basically 1, 3, 5 using bottom part of the core and 2, and 4 use top part of the core. So I usually leave top core for router and bottom core for VPN

 

[yorgi]

I don't know if my problem was discussed before or not but here goes. I have an Asus RT-AC3100 and I can use their stock firmware (Version 3.0.0.4.382.15852) and connect to the VPN (using VPN.ac) on their Toronto server. However, voip.ms doesn't like going through VPN as it drops (I've been playing around with the ports there too but that's another story). So I like using Merlin's firmware and I updated to 360.68 and I can connect fine and I like the policy rules so that I can direct the voip phone to connect through WAN instead of VPN. So the dilemma I have is that when I'm using the stock Asus firmware, I can connect to Netflix with no problems, but when I when I use Merlin firmware, I can't. Somewhere, there's a setting or something in the Merlin firmware that Netflix picks up on that isn't turned on with the stock firmware. I'm not that savvy with this stuff so I don't even know which settings to play around with. I've opened up a ticket with VPN.ac as well. Nothing too concrete of a solution offered yet from them. Here are screenshots of my settings with Merlin.

Welcome to the wonderful world of ASUS and VPN
the problem is that all VPN traffic shows up as upload. You can check that if you enable the bandwidth meter. So the QOS usually will give priority to uploads and if you are using VOIP you will have problems. Ideally when you use VOIP calls stop transfers on your VPN or if you are using Utorrent then limit the download, Example if you have a 12 mb/s up and down, limit Utorrent at 1MB/s and you will have 500kb/s free. The QOS will be able to handle the job a lot better that way., If your upload speeds are poor then I would stop transfers on VPN and make the call. Normally the QOS works great if you don't use VPN at the same time but as that bug is around since the beginning well, that's why I said welcome to the world of ASUS and VPN
This VPN bug is known for a long time but they are not doing anything about it.

 

[yorgi]

Thats one of my Cats on the Avatar. Biggest pest in the world but coolest cat I ever had He can do tricks like a dog and we take walks together in the alley.
I would suggest using client 1 and if you another client put it on 2 this way you are using 1 of each cores from the dual core.
basically 1, 3, 5 using bottom part of the core and 2, and 4 use top part of the core. So I usually leave top core for router and bottom core for VPN

I don't know if my problem was discussed before or not but here goes. I have an Asus RT-AC3100 and I can use their stock firmware (Version 3.0.0.4.382.15852) and connect to the VPN (using VPN.ac) on their Toronto server. However, voip.ms doesn't like going through VPN as it drops (I've been playing around with the ports there too but that's another story). So I like using Merlin's firmware and I updated to 360.68 and I can connect fine and I like the policy rules so that I can direct the voip phone to connect through WAN instead of VPN. So the dilemma I have is that when I'm using the stock Asus firmware, I can connect to Netflix with no problems, but when I when I use Merlin firmware, I can't. Somewhere, there's a setting or something in the Merlin firmware that Netflix picks up on that isn't turned on with the stock firmware. I'm not that savvy with this stuff so I don't even know which settings to play around with. I've opened up a ticket with VPN.ac as well. Nothing too concrete of a solution offered yet from them. Here are screenshots of my settings with Merlin.

You should use policy rules and make the device that has netflix go to WAN.
If you have all traffic to VPN then that's why your netflix is not working.
Merlin is a way better alternative firmware but you need to do a little more configuring then ASUS firmware.
ASUS firmware doesn't offer any DNS leak protection therefore useless for VPN