Asus Router RT-AC68U - stock firmware - Please help setup PIA VPN within my router

john91783

Occasional Visitor
Hello Everyone,

I am new to this forum but have been referred here by a helpful friend from Slickdeals.
My router is an Asus RT-AC68U with the latest stock firmware.

I have tried to set up my PIA account for VPN access from my router but am now stuck.
I have also gone to tech support at PIA with no success.

Please help me figure this out.
Regards,
John
 
It's real simple with the stock firmware.
download this file from PIA
click on this link and download openvpn.zip "OpenVPN Configuration Files (Default)"
extract the contents and you will need 2 files from that zip file.
one would be the ca.crt and the other would be whatever country you want the VPN to come from
example CA Toronto.ovpn

when you go on the VPN client tab it asks you for a .ovpn file and a .crt file
just upload those 2 files to your router and your username and password and you are set to go.
 
Yorgi thank you for the help.
After following your directions I was able to add a VPN connection with a confirmation of connection within the router....

However when this connection is enabled - None of my devices connected to my router can access the internet.

What am I doing wrong?

This is what I did
1) Downloaded the link
2) In My Asus Router VPN client setup I clicked add profile.
3) Selected OpenVPN
4) Description - PIA VPN - NYC
inputted my PIA user id & password
Imported Ovpn file - PIA US New York City.ovpn
Also Uploaded CA file - ca.crt

5) when I clicked activate I get a confirmation of successful VPN connection.... but none of my devices can access the internet.
 
I would suggest you flash the router with Merlin Firmware
and follow this example to get on the VPN

http://www.snbforums.com/threads/important-things-to-know-when-using-vpn-with-merlin-firmware.30351/

http://www.snbforums.com/threads/setting-up-vpn-on-router-couple-of-questions.29412/

It's a better way to go because you set it up that if the VPN tunnel goes down the traffic will be stopped. This way you won't get your IP leaked.
Yorgi

I reset my router and am still having the same issues... the internet connection drops whenever I enable the VPN...
Should I try another VPN point or flash merlin?
I'll wait for your advice.
 
Yorgi I don't want to make any errors so I'll wait until I hear back from you.

here is a setup guide for VPN with Merlin and PIA
http://www.thinhammer.com/index.php...-vpn-client-using-private-internet-access-pia

You need to change a couple of options from that illustration as follows;

accept dns configurations input "Strict"
encryption cipher "BF-CBC"
Username / Password Auth. Only "YES"
and for custom configurations at the bottom use the following;

tls-client
remote-cert-tls server
reneg-sec 0
verb 3


also you have to put the .crt from PIA in
Authorization Mode
Content modification of Keys & Certificates. and paste it in the second box
Certificate Authority


This is where I am no longer seeing how to input the .crt let alone content modification...
Please help
 
Ok Yorgi I was able to copy and paste the contents of the .crt file...
But I am not able to get a connection to the VPN. It just is stuck on connecting

This is the error log:

Feb 14 18:16:45 openvpn[6638]: Attempting to establish TCP connection with [AF_INET]209.95.50.138:1194 [nonblock]
Feb 14 18:16:46 openvpn[6638]: TCP: connect to [AF_INET]209.95.50.138:1194 failed, will try again in 5 seconds: Connection refused
Feb 14 18:16:52 openvpn[6638]: TCP: connect to [AF_INET]209.95.50.162:1194 failed, will try again in 5 seconds: Connection refused
Feb 14 18:16:58 openvpn[6638]: TCP: connect to [AF_INET]209.95.50.138:1194 failed, will try again in 5 seconds: Connection refused
Feb 14 18:17:04 openvpn[6638]: TCP: connect to [AF_INET]209.95.50.140:1194 failed, will try again in 5 seconds: Connection refused
Feb 14 18:17:10 openvpn[6638]: TCP: connect to [AF_INET]209.95.50.30:1194 failed, will try again in 5 seconds: Connection refused
Feb 14 18:17:16 openvpn[6638]: TCP: connect to [AF_INET]209.95.50.59:1194 failed, will try again in 5 seconds: Connection refused
 
I changed the port to 443 and it's now connecting!

But damn my internet speed is really slow

before I had a speed of 90mbps
now getting 1.84 on the east coast server...

What is wrong?
 
in the VPN client look where it says
Authorization Mode
you will see TLS and next to it you will see Content modification of Keys & Certificates.
click on that
then copy and paste this exactly as is to certificate authority which is the second box then save.
You should be getting great speeds and don't change to port 443 stay on 1194

 
I deleted the post where I said I changed it to port 1196 because the VPN doesn't connect when on that port setting.
It connects when on port 443 but I'm getting speed of 15mbps
What are your thoughts? What are the preferred ports and Why?
Is 1196 a port that should connect?
 
if it doesn't connect it means that you did something wrong.
look follow these images here
use port 1196 it's AES-128-CBC encryption which will make things faster
you need to copy that certificate properly
Attachments: vpn 1.jpg, vpn2.jpg
 
Ok Yorgi thanks again for your help, I am very appreciative.
I noticed you changed some of the settings on your recently attached pics from your last tutorial
these may be minor changes but can you please explain why you have these settings now

ex1 is now UDP
Accept DNS Configuration now you have it as Exclusive
Compression - NONE

The only modification I did myself was assign the vpn to a specific IP on my lan for the VPN
(from one of your earlier tutorials)

My result I am getting a connection to the VPN with the proxy 1196

but my speed is not very fast
average 15 mbps

If you can give me more advice I will get back to you tomorrow thanks again for this education haha
 
those changes won't make or break your bandwidth.
The other Article used Blowfish port 1194; I am using port 1196 and AES-128 encryption, it's faster.
Look here for details
http://www.snbforums.com/threads/wh...pn-service-provider-for-maximum-speeds.30425/

that other article picture was not mine I just used that as an example. Now you are seeing my parameters :)
You don't need compression because JPG and everything else on the Web is compressed today.
Accept DNS is exclusive instead of strict. this is to do with DNS better setting than strict.
ex1 is now UDP I have no idea what you are referring to.
If you are going to give IP address and you want to do selective routing
then you go to the bottom of the VPN client where it says Redirect Internet traffic and enable policy rules
say yes to Block routed clients if tunnel goes down
and for ip put something in the static range like 192.168.1.50 and destination ip 0.0.0.0 and Iface VPN
now you will VPN only on 192.168.1.50 and if the tunnel disconnects the firewall will kick in and won't let any traffic leak until the VPN has re-established connection.

To answer your question about speed.
What I would recommend you do is, connect to your Local ISP and do a speed test which is close to your area.
see if you get your full bandwidth
http://www.speedtest.net/
here is a list of PIA servers
https://www.privateinternetaccess.com/pages/network/
then connect to PIA with the software they provide and do a speed test and see what your findings are.
Depending on which server you use the speeds may vary. Example if you are in the UK and you use a California server don't expect the speeds to go through the roof.
Try and see which server works the best for you and then use that server to connect on your router. For example if you take the Canadian servers Toronto rocks but north york is not as fast.

You are almost there don't worry be happy :)
You shouldn't have to change port.
The router will behave the same way that software does with the bandwidth. I guarantee you that your router can do at least 50mbps on VPN
I doubt you can get much faster than that because PIA to some extent caps their Servers.


Make sure that interface is TUN and Protocol is UDP
clone that image except for the policy rules I explained above.

Take a look here for DNS
http://www.snbforums.com/threads/important-things-to-know-when-using-vpn-with-merlin-firmware.30351/
I would suggest you DNSfilter for VPN and Local ISP because by default if you use Local ISP the DNS will point to the VPN's DNS

Follow this to the letter and everything will work :)
have fun!
Attachments: DNSfiltering.jpg
 
Feb 15 09:03:36 openvpn[20440]: Authenticate/Decrypt packet error: cipher final failed
Feb 15 09:03:46 openvpn[20440]: Authenticate/Decrypt packet error: cipher final failed
Feb 15 09:03:50 openvpn[20440]: event_wait : Interrupted system call (code=4)
Feb 15 09:03:50 openvpn[20440]: OpenVPN STATISTICS
Feb 15 09:03:50 openvpn[20440]: Updated,Mon Feb 15 09:03:50 2016
Feb 15 09:03:50 openvpn[20440]: TUN/TAP read bytes,0
Feb 15 09:03:50 openvpn[20440]: TUN/TAP write bytes,0
Feb 15 09:03:50 openvpn[20440]: TCP/UDP read bytes,4511
Feb 15 09:03:50 openvpn[20440]: TCP/UDP write bytes,1666
Feb 15 09:03:50 openvpn[20440]: Auth read bytes,0
Feb 15 09:03:50 openvpn[20440]: pre-compress bytes,0
Feb 15 09:03:50 openvpn[20440]: post-compress bytes,0
Feb 15 09:03:50 openvpn[20440]: pre-decompress bytes,0
Feb 15 09:03:50 openvpn[20440]: post-decompress bytes,0
Feb 15 09:03:50 openvpn[20440]: END
Feb 15 09:03:56 openvpn[20440]: Authenticate/Decrypt packet error: cipher final failed
Feb 15 09:04:06 openvpn[20440]: Authenticate/Decrypt packet error: cipher final failed
Feb 15 09:04:14 rc_service: httpd 451:notify_rc stop_vpnclient3
Feb 15 09:04:14 openvpn[20440]: event_wait : Interrupted system call (code=4)
Feb 15 09:04:14 openvpn[20440]: vpnrouting.sh tun13 1500 1558 10.156.1.6 10.156.1.5 init
Feb 15 09:04:14 openvpn-routing: Configuring policy rules for client 3
Feb 15 09:04:15 openvpn-routing: Removing rule 1501 from routing policy
Feb 15 09:04:15 openvpn-routing: Tunnel down - VPN client access blocked
Feb 15 09:04:15 openvpn-routing: Added 192.168.1.193 to 0.0.0.0 through VPN to routing policy
Feb 15 09:04:15 openvpn-routing: Completed routing policy configuration
Feb 15 09:04:15 openvpn[20440]: /usr/sbin/ip route del 10.156.1.1/32
Feb 15 09:04:15 openvpn[20440]: ERROR: Linux route delete command failed: external program exited with error status: 2
Feb 15 09:04:15 openvpn[20440]: /usr/sbin/ip route del 216.144.236.10/32
Feb 15 09:04:15 openvpn[20440]: /usr/sbin/ip route del 0.0.0.0/1
Feb 15 09:04:15 openvpn[20440]: ERROR: Linux route delete command failed: external program exited with error status: 2
Feb 15 09:04:15 openvpn[20440]: /usr/sbin/ip route del 128.0.0.0/1
Feb 15 09:04:15 openvpn[20440]: ERROR: Linux route delete command failed: external program exited with error status: 2
Feb 15 09:04:15 openvpn[20440]: Closing TUN/TAP interface
Feb 15 09:04:15 openvpn[20440]: /usr/sbin/ip addr del dev tun13 local 10.156.1.6 peer 10.156.1.5
Feb 15 09:04:15 openvpn[20440]: updown.sh tun13 1500 1558 10.156.1.6 10.156.1.5 init
Feb 15 09:04:15 rc_service: service 21821:notify_rc updateresolv
Feb 15 09:04:15 rc_service: waitting "stop_vpnclient3" via httpd ...
Feb 15 09:04:17 dnsmasq[21847]: warning: interface ppp1* does not currently exist
Feb 15 09:04:18 rc_service: service 21849:notify_rc restart_dnsmasq
Feb 15 09:04:19 dnsmasq[21855]: warning: interface ppp1* does not currently exist
Feb 15 09:04:33 smbd[21857]: [2016/02/15 09:04:33.259948, 0] smbd/sesssetup.c:1355(reply_sesssetup_and_X)
Feb 15 09:04:33 smbd[21857]: reply_sesssetup_and_X: Rejecting attempt at SPNEGO session setup when it was not negotiated.
Feb 15 09:04:33 smbd[21858]: [2016/02/15 09:04:33.330459, 0] smbd/sesssetup.c:1355(reply_sesssetup_and_X)
Feb 15 09:04:33 smbd[21858]: reply_sesssetup_and_X: Rejecting attempt at SPNEGO session setup when it was not negotiated.
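
An added example, not written by any poster in this thread: a small Python triage of the OpenVPN client log signatures seen in the logs above (TCP connection refused, `cipher final failed`, zero TUN/TAP counters, and the tunnel-down block). The port-to-cipher table is the pairing stated in the thread, the function and rule names are hypothetical, and the sample log is constructed.

```python
import re
from collections import Counter

# Port/cipher pairing as stated by the posters in this thread (not verified here).
PORT_CIPHER = {1194: "BF-CBC", 1196: "AES-128-CBC"}

RULES = [
    ("tcp_refused", re.compile(
        r"TCP: connect to \[AF_INET\]([\d.]+):(\d+) failed.*Connection refused")),
    ("cipher_error", re.compile(
        r"Authenticate/Decrypt packet error: cipher final failed")),
    ("zero_tunnel_bytes", re.compile(r"TUN/TAP (?:read|write) bytes,0\s*$")),
    ("clients_blocked", re.compile(r"Tunnel down - VPN client access blocked")),
]

# Constructed sample modeled on the thread's logs; 192.0.2.10 is a documentation address.
SAMPLE_LOG = """\
Feb 14 18:16:46 openvpn[6638]: TCP: connect to [AF_INET]192.0.2.10:1194 failed, will try again in 5 seconds: Connection refused
Feb 15 09:03:36 openvpn[20440]: Authenticate/Decrypt packet error: cipher final failed
Feb 15 09:03:46 openvpn[20440]: Authenticate/Decrypt packet error: cipher final failed
Feb 15 09:03:50 openvpn[20440]: TUN/TAP read bytes,0
Feb 15 09:03:50 openvpn[20440]: TUN/TAP write bytes,0
Feb 15 09:04:15 openvpn-routing: Tunnel down - VPN client access blocked
"""

def triage(log_text, port, cipher):
    """Return (signature counts, findings) for a client set to port/cipher."""
    hits, refused = Counter(), set()
    for line in log_text.splitlines():
        for name, rx in RULES:
            m = rx.search(line)
            if m:
                hits[name] += 1
                if name == "tcp_refused":
                    refused.add((m.group(1), int(m.group(2))))
    findings = []
    if refused:
        ports = sorted({p for _, p in refused})
        findings.append(f"TCP refused by {len(refused)} server(s) on port(s) "
                        f"{ports}: check Protocol (the thread ends up on UDP)")
    if hits["cipher_error"]:
        want = PORT_CIPHER.get(port)
        if want and want != cipher:
            findings.append(f"cipher error x{hits['cipher_error']}: thread pairs "
                            f"port {port} with {want}, client uses {cipher}")
        else:
            findings.append(f"cipher error x{hits['cipher_error']}: client and "
                            "server disagree on cipher; re-check the profile")
        if hits["zero_tunnel_bytes"]:
            findings.append("TUN/TAP counters are 0: nothing was decrypted "
                            "onto the tunnel interface")
    if hits["clients_blocked"]:
        findings.append("routed clients blocked while tunnel is down: the "
                        "policy rule is doing its job, not a fault")
    return hits, findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, port=1196, cipher="BF-CBC")[1]:
        print("-", finding)
```

Pass the port and cipher currently set in the VPN client page along with the pasted system log text.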
 
I posted my error logs. Oh man nothing is working now. But at least i did the DNS custom settings...
 
I have never put my modem into bridge mode, so I know the modem must have a router enabled. Is this making any problems? If not I'm not going to change the modem's setup.
 
Test the router first alone directly on modem!!!!! Why bridge mode?
Do it first Wireless router mode (Default)
Once you got things working right then attempt to do whatever else you want.
Right now you are running before you can even walk and are expecting instant results
Go back and start again. You will never see the light at the end of the tunnel the way you're going
 
I didn't change anything on the modem.
I was just asking if that was something you recommend (put the modem into bridge mode)
- I am unsure if the firewall from the modem could interfere with my router when I attempt to enable a VPN connection.
 
