Cant turn OpenVPN Client 1 ( or Client 2)ON

[MediaMan09]

What would be preventing me from turning Client 1 on?

I have imported an ovpn file, set my username and password, and saved the settings. When I slide the Service State from OFF to ON, its show ON for a split second, says is applying settings, then Complete! and takes me page to the OpenVPN age, but it remains off still OFF? What am I doing wrong? It used to work!

 

[MediaMan09]

I just checked the System log and fist line says

Aug 16 19:27:49 openvpn[2233]: Options error: You must define CA file (--ca) or CA path (--capath)
Aug 16 19:27:49 openvpn[2233]: Use --help for more information.
Aug 16 19:27:49 syslog: VPN_LOG_ERROR: 433: Starting OpenVPN failed...

I just started my 7 day money-back account with PIA. Yes rebooted everything.

It works fine with OpenVPN as a windows client.

 

[MediaMan09]

Getting closer. Found a ca.crt file.

I think I need to add the content under Content modification of Keys & Certificates.

Unsure if I enter it under Certificate Authority or Client Certificate or both.

PIA online chat could not help ; I will send in a ticket. Its a bit exhausting trying to figure this out. I am surprised they have no tutorials for this.

 

[Calisro]

Getting closer. Found a ca.crt file. How do I add that to the Client 1 page?

There is a link for all the certs on the advanxed page.

 

[MarioCaires]

They don't have a tutorial specifically for Asuswrt but you can follow the Tomato tutorial, isn't much different! Ignore step 1 obviously since is different on asuswrt and you're good to go from there.

https://www.privateinternetaccess.com/pages/client-support/tomato-vpn

 

[MediaMan09]

Thanks for the link. All the settings actually match except for:
1) Connection Retry. I ad -1 ; that tutorial has 30
2) Custom Config has a line items for auth-user-pass /tmp/password.txt, that likely need something else to work

System log is no longer complaining about CA but now reporting:
Aug 17 08:42:31 openvpn[1184]: Options error: Unrecognized option or missing parameter(s) in config.ovpn:18: tls-remote (2.3.7)
Aug 17 08:42:31 openvpn[1184]: Use --help for more information.
Aug 17 08:42:31 syslog: VPN_LOG_ERROR: 433: Starting OpenVPN failed...

 

[MediaMan09]

Still no joy and have not heard back for PIA yet. I need to sort this out (and a ROKU issue) in 6 days before I cancel. Hopeful they will reply as I do like the part of the service that does work

I reloaded the opvn file, and cleared out the log.. When I try to turn on Clinet 1 I now see this:

Aug 17 09:01:50 rc_service: httpd 456:notify_rc start_vpnclient1
Aug 17 09:01:50 kernel: tun: Universal TUN/TAP device driver, 1.6
Aug 17 09:01:50 kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Aug 17 09:01:51 openvpn[1343]: OpenVPN 2.3.7 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jul 16 2015
Aug 17 09:01:51 openvpn[1343]: library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.08
Aug 17 09:01:51 openvpn[1344]: ERROR: username from Auth authfile 'up' is empty
Aug 17 09:01:51 openvpn[1344]: Exiting due to fatal error

What is an 'up' file???

 

[MarioCaires]

Ignoring step 1, obviously you need to delete the line "auth-user-pass /tmp/password.txt" from your custom config too! In Tomato's firmware, that's how the credentials are introduced. In Asuswrt there is no need for that since the credentials are introduced directly in the webUI.
Personally, I wouldn't import an .ovpn with PIA, go manual following the Tomato tutorial...

Thanks for the link. All the settings actually match except for:
1) Connection Retry. I ad -1 ; that tutorial has 30
2) Custom Config has a line items for auth-user-pass /tmp/password.txt, that likely need something else to work

System log is no longer complaining about CA but now reporting:
Aug 17 08:42:31 openvpn[1184]: Options error: Unrecognized option or missing parameter(s) in config.ovpn:18: tls-remote (2.3.7)
Aug 17 08:42:31 openvpn[1184]: Use --help for more information.
Aug 17 08:42:31 syslog: VPN_LOG_ERROR: 433: Starting OpenVPN failed...

 

[MarioCaires]

Still no joy and have not heard back for PIA yet. I need to sort this out (and a ROKU issue) in 6 days before I cancel. Hopeful they will reply as I do like the part of the service that does work

I reloaded the opvn file, and cleared out the log.. When I try to turn on Clinet 1 I now see this:

Aug 17 09:01:50 rc_service: httpd 456:notify_rc start_vpnclient1
Aug 17 09:01:50 kernel: tun: Universal TUN/TAP device driver, 1.6
Aug 17 09:01:50 kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Aug 17 09:01:51 openvpn[1343]: OpenVPN 2.3.7 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jul 16 2015
Aug 17 09:01:51 openvpn[1343]: library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.08
Aug 17 09:01:51 openvpn[1344]: ERROR: username from Auth authfile 'up' is empty
Aug 17 09:01:51 openvpn[1344]: Exiting due to fatal error

What is an 'up' file???

You haven't introduced your credentials as stated!

 

[MediaMan09]

Partial success.

- I used Clinet 2 (just in case it made a difference)
- Again tried to follow the Tomato tutorial. For # 17. (Set Accept DNS configuration to Enabled), my only options are Disabled, Relaxed, Strict and Exclusive. I tried Relaxed.

With that, got the connection to work.

I know to expect the speed is quite low with OpenVPN on the router, but was hoping for at least 30 Mbps. Its now at 18Mbps. My nomral service, even with PIA clinet is 80 Mbps. And Roku works now, but its a moot point as I cannot leave things at 18 Mbps.

As I can now make the VPN connection , this issue is resolved, with thanks!

I'll create a different post re the ROKU issue.

 

[Calisro]

Partial success.

- I used Clinet 2 (just in case it made a difference)
- Again tried to follow the Tomato tutorial. For # 17. (Set Accept DNS configuration to Enabled), my only options are Disabled, Relaxed, Strict and Exclusive. I tried Relaxed.

With that, got the connection to work.

I know to expect the speed is quite low with OpenVPN on the router, but was hoping for at least 30 Mbps. Its now at 18Mbps. My nomral service, even with PIA clinet is 80 Mbps. And Roku works now, but its a moot point as I cannot leave things at 18 Mbps.

Speed aside, what should my other DNS related settings be for:

1) WAN.DNS Setting: Connect to DNS Server automatically ( YES or NO). Now set as YES
2) LAN/DCHP : Forward local somain queries to upstream DNS ( YES or NO). Now set as NO.

(Note-I have DNS primary/secondary already set for 209.222.18.222/209.222.18.218 and static routes for Google, in the hope of getting ROKU working out-of-region, when OpenVPN on router is off --- no luck on that front so far).

for DNS: 1) settings to YES will grab the PIA dns servers. 2) Keep at NO otherwise you'll try to resolve local names on a internet server and that won't work.

For Speed, I can get a full 50 Mbps (my isp max currently) using openvpn client on the router to pia. It isn't true that it will be slow on a router. It depends a lot on the pia target you connect to and their loads. sometimes I get 16 other times I get 50. I get way better UDP performance btw. Not sure what you are using.

calisro@rt-ac68u:/jffs/scripts# taskset  1 wget  --bind-address 10.100.1.1  -O /dev/null http://speedtest.wdc01.softlayer.com/downloads/test100.zip
--2015-08-17 12:14:59--  http://speedtest.wdc01.softlayer.com/downloads/test100.zip
Resolving speedtest.wdc01.softlayer.com... 2607:f0d0:3001:78::2, 208.43.102.250
Connecting to speedtest.wdc01.softlayer.com|2607:f0d0:3001:78::2|:80... failed: Invalid argument.
Connecting to speedtest.wdc01.softlayer.com|208.43.102.250|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 104874307 (100M) [application/zip]
Saving to: '/dev/null'

/dev/null                                        100%[==========================================================================================================>] 100.02M  6.12MB/s   in 41s

EDIT: Also, make sure you are using client 2 rather than client 1. client 2 will use CPU core 2 which is isolated from a lot of the other router activity. CPU 1 gets hit more and you will get less performance.

 

[MediaMan09]

... For Speed, I can get a full 50 Mbps (my isp max currently) using openvpn client on the router to pia. It isn't true that it will be slow on a router. It depends a lot on the pia target you connect to and their loads. sometimes I get 16 other times I get 50. I get way better UDP performance btw. Not sure what you are using.

That's encouraging that sometimes you can get up to your ISP max even on the an AC68U router....but are you referring only to a Sabai/VPN accelerator setup???

While I get a close to full 80 Mbps (my isp max) using PIA client on windows, I only get about 18 Mbps on the router - with UDP on Client 2 . Tried a few PIA servers.

How do I make use of the code you posted? Sorry - still on the learning curve....or is that only for Sabai?

 

[RMerlin]

EDIT: Also, make sure you are using client 2 rather than client 1. client 2 will use CPU core 2 which is isolated from a lot of the other router activity. CPU 1 gets hit more and you will get less performance.

That's incorrect. I'm already swapping CPUs, so client and server 1 are on the second core, and client/server 2 are on the first core.

 

[Calisro]

That's encouraging that sometimes you can get up to your ISP max even on the an AC68U router....but are you referring only to a Sabai/VPN accelerator setup???

While I get a close to full 80 Mbps (my isp max) using PIA client on windows, I only get about 18 Mbps on the router - with UDP on Client 2 . Tried a few PIA servers.

How do I make use of the code you posted? Sorry - still on the learning curve....or is that only for Sabai?

I don't use an accelerator. The post above was just an output from a command line speed test. That's all.

I average about 50 Mbps and I do not use any 'special' settings in my config... So if I can get 50, you should be able to as well. I just tested 50Mbps from US to Amsterdamn.

 

[Calisro]

That's incorrect. I'm already swapping CPUs, so client and server 1 are on the second core, and client/server 2 are on the first core.

Ah you are right! I didn't catch that in the last upgrade. So I need to swap my functionality back. Thanks Merlin.

So Mediaman, you should be using client 1 because that is now defaulting to core 2!.

 

[MediaMan09]

I don't use an accelerator. The post above was just an output from a command line speed test. That's all.

I average about 50 Mbps and I do not use any 'special' settings in my config... So if I can get 50, you should be able to as well. I just tested 50Mbps from US to Amsterdamn.

Thanks for all the help to get me going and out of the ditch, but I think I just ran out of gas. Your settings must be way different than mine (though I didn't think there were that many). I switched to Client 1, best I can ever get is 25Mbps on any server.

The PIA Client for windows on the other hand is solid and fast , so pretty sure I will just need to bite the bullet and install it on individual devices and a call it a day.

I only have one open PIA item left, the deal breaker ; hope they have a solution for it. See Item 4 here :
http://www.snbforums.com/threads/openvpn-speed-issue.26458/page-2#post-198413

 

[Calisro]

Thanks for all the help to get me going and out of the ditch, but I think I just ran out of gas. Your settings must be way different than mine (though I didn't think there were that many). I switched to Client 1, best I can ever get is 25Mbps on any server.

The PIA Client for windows on the other hand is solid and fast , so pretty sure I will just need to bite the bullet and install it on individual devices and a call it a day.

I only have one open PIA item left, the deal breaker ; hope they have a solution for it. See Item 4 here :
http://www.snbforums.com/threads/openvpn-speed-issue.26458/page-2#post-198413

I believe they whitelist your IP when your connected to them from it. I can do dns lookups against PIA servers outside of the VPN as long as I am connected in the recent past from that IP to those servers.

In your case the work around would be to KEEP the vpn on and if you wanted to use the DNS servers outside of hte VPN, then stop routing traffic from your ROKU through the VPN. THat should keep your IP whitelisted.

 

[MediaMan09]

?..In your case the work around would be to KEEP the vpn on and if you wanted to use the DNS servers outside of hte VPN, then stop routing traffic from your ROKU through the VPN. THat should keep your IP whitelisted.

But that's the rub..I cannot simply keep the VPN on.....not when its cutting my speed from 90Mbps to around 20Mbps. I want Netflix Us on Roku without having to run to the router. I need Roku to work without OPENVPN on the router...just like I used to have. I then just run PIA Client on my desktops.

 

[Calisro]

But that's the rub..I cannot simply keep the VPN on.....not when it cutting my speed from 90Mbps to around 20Mbps.

Yes you can. It can be ON and just not routing traffic to it. Mine is always on and I selectively route traffic to it.

 

[Calisro]

On vpn client page there is a line for "redirect internet traffic". You can select policy rules and go from there. So to turn 'off' the roku, jsut disable the policy. or simply ONLY allow traffic from the roku to be routed 24x7.