PIA AES-256-CBC with OpenVPN is out but not working on Asus routers

Rango

PIA AES-256-CBC with OpenVPN is out but not working on Asus routers. Any idea what I need to do to have this working? They have some kind of patch, but this Asus is a router, so I cannot install it unless it's an nvram command?

It fails with an error or authentication failure, and I checked my username and password. I did not apply any patch as it's a router, not a Windows client, unless it's some line in the custom config?

Cert was copied to CA field. Changed port to 1197, using midwest server.
Any ideas? Maybe there needs to be custom configuration settings added.
I tried a few configs but none work. Currently using. It might be the case that something in custom config needs to be enabled, or maybe a new ovpn file needs to be created or modified. Not sure.

Custom config line:
tls-client
remote-cert-tls server
reneg-sec 0

Few threads for info and patch?

https://www.privateinternetaccess.c...stock-openvpn-with-strong-encryption-settings

https://www.privateinternetaccess.com/forum/discussion/9093/pia-openvpn-client-encryption-patch/p1

Thank you very much for help
 
PIA AES-256-CBC with OpenVPN is out but not working on Asus routers. Any idea what I need to do to have this working? They have some kind of patch, but this Asus is a router, so I cannot install it unless it's an nvram command?

It fails with an error or authentication failure, and I checked my username and password. I did not apply any patch as it's a router, not a Windows client, unless it's some line in the custom config?

Cert was copied to CA field. Changed port to 1497, using midwest server.
Any ideas? Maybe there needs to be custom configuration settings added.
I tried a few configs but none work. Currently using. It might be the case that something in custom config needs to be enabled, or maybe a new ovpn file needs to be created or modified. Not sure.

Custom config line:
tls-client
remote-cert-tls server
reneg-sec 0

Few threads for info and patch?

https://www.privateinternetaccess.c...stock-openvpn-with-strong-encryption-settings

https://www.privateinternetaccess.com/forum/discussion/9093/pia-openvpn-client-encryption-patch/p1

Thank you very much for help
I don't know if it is a typo, but port s/b 1197.
 
I'm sorry, yes, I mistyped. It is correctly listed in the GUI as 1197 and not working for me. I imported the config and just changed the port and saved it. Then I changed CA to whatever they listed and saved again.
After it failed to authenticate I just played with custom config settings to maybe get it to connect, but it didn't work. Thanks for the reply.

They list this in custom config, but that doesn't work unless I'm editing and saving the ovpn config in an incorrect format. I even added auth256 to the custom config line but no luck. Added ca_rsa4096.crt cert to folder directory but that didn't help either.

The config options should look like:

remote xxx.privateinternetaccess.com 1197
proto udp
cipher aes-256-cbc
auth sha256
ca ca_rsa4096.crt
 
I got it to work first shot after reading your post.
I didn't know that they had it on 256 encryption.
Great news.

copy the certificate from the link below
and paste it in
authorization mode in certificate authority box

https://www.privateinternetaccess.c...stock-openvpn-with-strong-encryption-settings

Port 1197
encryption cipher type AES-256-CBC

Don't forget to add at the bottom of the commands and use jpg for reference

tls-client
remote-cert-tls server
reneg-sec 0
verb 1
auth sha256

and you don't need a patch
Reboot router to clear NVRAM if you had 128bit encryption
and it works like a charm
thanks :)
 

Attachments

  • Untitled-32.jpg
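Added example, not from any poster and not PIA's or Asuswrt-Merlin's code: a small Python check of an exported client config against the settings quoted in the two posts above (port 1197, `cipher aes-256-cbc`, `auth sha256`, `remote-cert-tls server`). The function names, the `KNOWN` directive list and both sample configs are constructed for illustration, and comparing option values case-insensitively is an assumption of this example.

```python
# Added example (illustrative names): lint an OpenVPN client config against the
# profile quoted in the thread. Assumption: option values compare case-insensitively.
EXPECTED = {"proto": "udp", "cipher": "aes-256-cbc", "auth": "sha256",
            "remote-cert-tls": "server"}
EXPECTED_PORT = "1197"
KNOWN = {"remote", "proto", "cipher", "auth", "ca", "tls-client", "remote-cert-tls",
         "reneg-sec", "verb", "persist-key", "persist-tun", "comp-lzo", "client",
         "dev", "nobind", "auth-user-pass"}

def parse(text):
    """Yield (directive, args), skipping comments and inline <ca>...</ca> blocks."""
    inline = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("<"):
            inline = not line.startswith("</")
            continue
        if inline or not line or line[0] in "#;":
            continue
        name, *args = line.split()
        yield name, args

def lint(text):
    """Return findings; an empty list means the config matches the profile."""
    findings, seen = [], {}
    for name, args in parse(text):
        if name not in KNOWN:
            findings.append(f"unknown directive '{name}'")
        seen.setdefault(name, []).append(args)
    for name, want in EXPECTED.items():
        values = {a[0].lower() for a in seen.get(name, []) if a}
        if not values:
            findings.append(f"{name}: missing, expected '{want}'")
        elif values != {want}:
            findings.append(f"{name}: got {sorted(values)}, expected '{want}'")
    ports = {a[1] for a in seen.get("remote", []) if len(a) > 1}
    if ports != {EXPECTED_PORT}:
        findings.append(f"remote: port {sorted(ports)}, expected '{EXPECTED_PORT}'")
    return findings

# Constructed samples: BROKEN carries two mistakes mentioned in the thread.
BROKEN = """remote xxx.privateinternetaccess.com 1497
proto udp
cipher AES-256-CBC
auth256
ca ca_rsa4096.crt
reneg-sec 0
"""
FIXED = BROKEN.replace("1497", "1197").replace("auth256", "auth SHA256") + "remote-cert-tls server\n"
```

`verb` only sets log verbosity and `reneg-sec 0` turns off the client's time-based key renegotiation; neither is part of the encryption profile, so `lint` accepts them without checking their values.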
Woo hoo....I didn't have Username/password auth only set to yes. I changed that and it took, but after the CA paste I also had to press Enter to completely skip to the next line, so not sure which fixed the issue.
I wasn't skipping to the next line with the CA auth, but I'm all good now. Tunnel connects. Thanks a lot bro.

I have compression set to none.

tls-client
remote-cert-tls server
reneg-sec 0
auth SHA256

What do verb1 and reneg-sec 0 do?
 
As a side note. I'll probably ask that in the overclock thread too but ....

When I overclock in nvram to 1200,800 or 1400,800 or 1400,1400 it does NOT in any way increase my Mbps speed on VPN where it should, maybe even marginally by a few Mbps.
Anyone know why? Again, if off topic I'll probably address it in the overclock thread, but since this is a VPN thread might as well ask too.

No overclocked vpn speeds on 87u router.

256aes 30Mbps
128aes 34Mbps

Overclocked 1400 value same speeds as non-overclocked. Odd. I checked if it took with get clock freq and it took but no change.
 
As a side note. I'll probably ask that in the overclock thread too but ....

When I overclock in nvram to 1200,800 or 1400,800 or 1400,1400 it does NOT in any way increase my Mbps speed on VPN where it should, maybe even marginally by a few Mbps.
Anyone know why? Again, if off topic I'll probably address it in the overclock thread, but since this is a VPN thread might as well ask too.

That means the overclock did not 'take', or possibly you are already at your ISP's or your VPN's limit.
 
Woo hoo....I didn't have Username/password auth only set to yes. I changed that and it took, but after the CA paste I also had to press Enter to completely skip to the next line, so not sure which fixed the issue.
I wasn't skipping to the next line with the CA auth, but I'm all good now. Tunnel connects. Thanks a lot bro.

I have compression set to none.

tls-client
remote-cert-tls server
reneg-sec 0
auth SHA256

What does verb1 do?
In the client control area I imported an OpenVPN file, and verb1 was one of the options that it added, along with tls-client, remote-cert-tls server, etc., in the custom configuration box.
I am not really sure what it does, but it never gave me a problem, and if OpenVPN software needs it to run the server scripts then I think it's important to have in there :)
 
I didn't reboot the router, I did nvram commit. When I reboot it goes back to default non-overclocked speeds. When I do nvram get clock freq it shows overclock speeds of 1400.
When I did the same on a different VPN ISP it also did not do anything. (Recently changed VPN provider.) When I go back to the overview, even in the GUI it shows 1400 MHz, so it took, yet speed in Mbps on VPN does not change. MHz changes but not Mbps.
 
In the client control area I imported an OpenVPN file, and verb1 was one of the options that it added, along with tls-client, remote-cert-tls server, etc., in the custom configuration box.
I am not really sure what it does, but it never gave me a problem, and if OpenVPN software needs it to run the server scripts then I think it's important to have in there :)

Sweet. Thank you sir
 
Ok, I looked into the config and pasted this into custom configuration. Not sure which is redundant. I'm assuming this has the same effect as doing those lines in nvram and doing commit, so I'm assuming doing it twice does not duplicate anything unless the GUI is different. Hopefully I'm not screwing anything up. I'm afraid to do it over again so I won't have the issue again.

persist-key
persist-tun
tls-client
remote-cert-tls server
auth SHA256
comp-lzo
verb 1
reneg-sec 0
 
Forget the comp-lzo.
There is no reason to compress because almost everything on the web is compressed, from websites to jpg etc.
I don't know where you got persist key and tunnel from.
Just use the ones I gave you and you will be good to go.
They are the most important from the research I have done.
 
Ok, got it. One quick observation. I can't use verb 1 ....if I use that it kicks me from midwest, neighboring town next to me, all the way to east coast New Jersey. Maybe local server ISP doesn't like verb 1.

Second issue I had is case-sensitive auth SHA256 in capital letters. It would go back to Comcast ISP if lower case. I know Linux is sensitive with casing, so I ended up with this then as final. Thank you for feedback.

tls-client
remote-cert-tls server
auth SHA256
reneg-sec 0
 
Interesting. what fir
Ok, got it. One quick observation. I can't use verb 1 ....if I use that it kicks me from midwest, neighboring town next to me, all the way to east coast New Jersey. Maybe local server ISP doesn't like verb 1.

Second issue I had is case-sensitive auth SHA256 in capital letters. It would go back to Comcast ISP if lower case. I know Linux is sensitive with casing, so I ended up with this then as final. Thank you for feedback.

tls-client
remote-cert-tls server
auth SHA256
reneg-sec 0
Interesting, what version of firmware are you using and what router do you have?
I have the u87 and latest firmware from Merlin and I use the Jersey server as well and I don't have any of those issues.
Very weird. As long as you got it to work. But I do advise a router reboot after doing those changes.
 
As a side note. I'll probably ask that in the overclock thread too but ....

When I overclock in nvram to 1200,800 or 1400,800 or 1400,1400 it does NOT in any way increase my Mbps speed on VPN where it should, maybe even marginally by a few Mbps.
Anyone know why? Again, if off topic I'll probably address it in the overclock thread, but since this is a VPN thread might as well ask too.

No overclocked vpn speeds on 87u router.

256aes 30Mbps
128aes 34Mbps

Overclocked 1400 value same speeds as non-overclocked. Odd. I checked if it took with get clock freq and it took but no change.
Where do you overclock with Merlin?
 
Interesting. what fir

Interesting, what version of firmware are you using and what router do you have?
I have the u87 and latest firmware from Merlin and I use the Jersey server as well and I don't have any of those issues.
Very weird. As long as you got it to work. But I do advise a router reboot after doing those changes.

I have 87u with latest Merlin as well. Verb 1 keeps it for me at NJ, but removing it I get my home state and neighboring city. I did reboot too after all changes. Same result. Not a problem but closer node better. Plus NJ is east node not midwest node. Yeah odd.

I overclocked in nvram through ssh by doing nvram set clk freq=1400,800. Then I checked by get clk freq and it took. Also in GUI showed it's 1400 but it has zero effect, not even marginal by few % as far as VPN Mbps speeds. I even did 1400,1400. No change. I did nvram commit but did not reboot as then defaults to default again. Also on different VPN ISP it also did not have any effect in change so I know it's not VPN ISP. Here is overclocking thread.

http://www.snbforums.com/threads/overclocking-rt-ac87u.22720/

I did however notice that VPN 2 and 4 are 20-30% faster than 1,3,5. I use 2,4. One 256 and one 128. That's due to Merlin VPN optimization. I wonder if the same could be done to 1, 3, 5.
 
I did however notice that VPN 2 and 4 are 20-30% faster than 1,3,5. I use 2,4. One 256 and one 128. That's due to Merlin VPN optimization. I wonder if the same could be done to 1, 3, 5.

This has to do with CPU scheduling. Clients 1, 3 and 5 use the second CPU core, while 2 and 4 use the first CPU core. If you have something that also loads a specific CPU core, using an instance tied to the other one will improve performance.
 
Thanks Merlin. I use a simple setup. Just VPN. No routing of any kind. My CPU util is very low usually.

Can this be flipped, getting 1,3,5 where 2,4 is currently at? It would give us an extra client that can be used for that 20-30% increase in Mbps. If I use the same VPN and same encryption on 2 and 3, 2 is 20% higher than 3. If not, no problem. 87u is working like a champ on this firmware. I had issues with 66u but I sold it. Sorry if I'm all over the place here.

BTW Merlin, I'm looking forward to the next release of the firmware. I'm liking it a lot.
 
This has to do with CPU scheduling. Clients 1, 3 and 5 use the second CPU core, while 2 and 4 use the first CPU core. If you have something that also loads a specific CPU core, using an instance tied to the other one will improve performance.
Is this why in the QoS section the VPN DOWNLOAD traffic shows up as UPLOAD?
Or is it another reason?
 