Asus RT-AC86U no connection with PIA VPN

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.

Daanol

New Around Here
Hi all,

I read a lot of posts regarding VPN and what router to buy the last couple of weeks.
I had a Netgear R7000 with ExpressVPN but the download speed is terrible, so i stumbled onto this forum searching for a better setup.

Reading a lot i found that the Asus RT-AC86U should work fine and isnt that expansive. so i bought it.
After installation i found that ExpressVPN was still disappointing so a subscribed to PIA, here comes my problem.

I followed the manual supplied by PIA but its based on older firmware, i run 386.1_2. i uploaded the .opvn file accordingly and entered my authentication setting.
When i save the settings all seem fine but when i try to connect to the VPN my router is unresponsive for almost a minute.
Then, when it is reacting again, i see that the VPN is connected but my public IP is unknown and i have no connection to the web.

Does anybody know what my problem might be?

Regards,
Daan
 

Centrifuge

Senior Member
Are you trying to connect from your lan or from wan side? Look at your system log when you are trying this to see if there is are any error messages, add some more details. If this is AsusMerlin FW I would post in that sub forum.
 

Daanol

New Around Here
I'm just trying to access the internet from the lan.

underneath the log from when i try to connect. to be clear, i dont understand any of this. only the ipv6 error wich i didnt setup.
my isp supplies ipv4

i use the merlin fw 386.1_2
 

Daanol

New Around Here
Mar 28 12:29:41 acsd: selected channel spec: 0x1002 (2)
Mar 28 12:29:41 acsd: Adjusted channel spec: 0x1002 (2)
Mar 28 12:29:41 acsd: selected channel spec: 0x1002 (2)
Mar 28 12:29:41 acsd: acs_set_chspec: 0x1002 (2) for reason APCS_CSTIMER
Mar 28 12:31:38 rc_service: httpd 3417:notify_rc start_vpnclient1
Mar 28 12:31:38 ovpn-client1[16730]: DEPRECATED OPTION: --cipher set to 'aes-128-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'aes-128-cbc' to --data-ciphers or change --cipher 'aes-128-cbc' to --data-ciphers-fallback 'aes-128-cbc' to silence this warning.
Mar 28 12:31:38 ovpn-client1[16730]: OpenVPN 2.5.0 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb 12 2021
Mar 28 12:31:38 ovpn-client1[16730]: library versions: OpenSSL 1.1.1i 8 Dec 2020, LZO 2.08
Mar 28 12:31:38 ovpn-client1[16731]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 28 12:31:38 ovpn-client1[16731]: CRL: loaded 1 CRLs from file crl.pem
Mar 28 12:31:38 ovpn-client1[16731]: TCP/UDP: Preserving recently used remote address: [AF_INET]143.244.49.171:1198
Mar 28 12:31:38 ovpn-client1[16731]: UDP link local: (not bound)
Mar 28 12:31:38 ovpn-client1[16731]: UDP link remote: [AF_INET]143.244.49.171:1198
Mar 28 12:32:36 dnsmasq-dhcp[3477]: DHCPREQUEST(br0) 10.0.0.184 10:0c:6b:4b:20:6e
Mar 28 12:32:36 dnsmasq-dhcp[3477]: DHCPACK(br0) 10.0.0.184 10:0c:6b:4b:20:6e MS60
Mar 28 12:32:38 ovpn-client1[16731]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 28 12:32:38 ovpn-client1[16731]: TLS Error: TLS handshake failed
Mar 28 12:32:38 ovpn-client1[16731]: SIGUSR1[soft,tls-error] received, process restarting
Mar 28 12:32:43 ovpn-client1[16731]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 28 12:32:43 ovpn-client1[16731]: TCP/UDP: Preserving recently used remote address: [AF_INET]143.244.49.131:1198
 

Daanol

New Around Here
Mar 28 12:32:43 ovpn-client1[16731]: UDP link local: (not bound)
Mar 28 12:32:43 ovpn-client1[16731]: UDP link remote: [AF_INET]143.244.49.131:1198
Mar 28 12:32:43 ovpn-client1[16731]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mar 28 12:32:44 ovpn-client1[16731]: [losangeles409] Peer Connection Initiated with [AF_INET]143.244.49.131:1198
Mar 28 12:32:45 ovpn-client1[16731]: TUN/TAP device tun11 opened
Mar 28 12:32:45 ovpn-client1[16731]: /usr/sbin/ip link set dev tun11 up mtu 1500
Mar 28 12:32:45 ovpn-client1[16731]: /usr/sbin/ip link set dev tun11 up
Mar 28 12:32:45 ovpn-client1[16731]: /usr/sbin/ip addr add dev tun11 10.2.112.180/24
Mar 28 12:32:45 ovpn-client1[16731]: ovpn-up 1 client tun11 1500 1553 10.2.112.180 255.255.255.0 init
 

Daanol

New Around Here
apperantly I cannot post the text underneath, i'm sorry for the many messages.

1616937590103.png
 

bertradio

Occasional Visitor
I am running PIA OpenVPN on an AC68U with no problems. Some things to check...

Make sure you are using the latest PIA OpenVPN files dated 11/19/20. As per PIA instructions, make sure you add these lines to the file you are going to use:

dhcp-option DNS 10.0.0.241
dhcp-option DNS 10.0.0.243

PIA has recently changed their OpenVPN config, so set "Username / Password Auth. Only" to No.

Keep in mind that it is normal to have drastically reduced speeds running OPenVPN from a router. PIA recommends against it. Without it my download speed is around 230mbps even through PIA. Through OpenVPN on the router it's 20mbps. Depending on your needs, this may be OK.

I suggest setting up rules for VPN only for those devices where you think you need it. I do it for mobiles but on my desktop I run the PIA client which is 10x faster. What I did was to set up a policy for one device, check the IP and DNS servers on that device to make sure it was going through PIA and then set up the others.
 
Last edited:

CaptainSTX

Part of the Furniture
PIA used to be the go to VPN on this forum as users would often report download speeds when running in on an AC86 of 200 Mbps or better myself included. With the recent upgrade in Merlin's firmware to use OpenVPN 2.51 the best I can get is 110 - 120 Mbps when using PIA.

PIA is still easy to use:

Go to configuration generator www.privateinternetaccess.com/pages/ovpn-config-generator

Select OPEN VPN 2.4 or newer
Select Linux

Then select region/ country/ city you want

Then select recommended settings

Once you have downloaded the OVPN file to your computer then select and upload it to your router

Add your user name and password and click apply

Then turn the VPN on.

Once you get the VPN running you can change some of the settings in the router's firmware such as policy routing, blocking if tunnel goes down etc.

Based on my experience adding anything to the custom configuration doesn't improve throughput. If you want to experiment go ahead but run some speedtests first so you can test your changes.
 

pusb87

Regular Contributor
PIA used to be the go to VPN on this forum as users would often report download speeds when running in on an AC86 of 200 Mbps or better myself included. With the recent upgrade in Merlin's firmware to use OpenVPN 2.51 the best I can get is 110 - 120 Mbps when using PIA.
Interesting ??
I also use PIA and currently running 384.19 and thinking about going to 386.2.
My ISP is 200 down and 20 up and until recently I got pretty much the same using PIA and openvpn config files etc . I believe 384.19 has Open VPN 2.4.9. My router is also Asus AC86U

Recently my download speed has dropped , albeit somewhat intermitently, to more like an average of 160. I had put it down to the PIA servers ??

So my question is do you think the drop in speed on 386.2 is definetly due to the change to openvpn 2.5.1 or maybe it is the PIA servers ??
 

bertradio

Occasional Visitor
I get 220 down and 11 up on my desktop with and without the PIA app.

But if I enable OpenVPN and PIA on my AC68U and disconnect the PIA app on my desktop I only get 20-30 down. Same on my Pixel connected to the network.

Could it be that the AC68U just doesn't have the CPU horsepower to handle the PIA encryption?
 
Last edited:

pusb87

Regular Contributor
Could it be that the AC68U just doesn't have the CPU horsepower to handle the PIA encryption?
Yes, The AC68U is no where near as powerful as the AC86U
Reckon you should be getting nearer 30 to 40 download though as i had a 68U prior and from memory thats about what i got.
 

bertradio

Occasional Visitor
Sometimes I get up to 30 down but mostly 20-30.

My system is at my home with 17 devices over half of which are IoT and on my guest network.

I have set up policy (strict) on the VPN client page and only have my 2 mobiles and one desktop using the VPN. Frankly I don't feel any difference in speed and responsiveness with VPN on the router vs without. But I don't do any gaming or huge downloads.

So at the moment, I see no reason to upgrade --- and I don't have any WiFi 5 or 6 devices.

I really like the feature of Merlin that permits me to just run some of my clients on the VPN and have the rest on the WAN.
 

CaptainSTX

Part of the Furniture
Interesting ??
I also use PIA and currently running 384.19 and thinking about going to 386.2.
My ISP is 200 down and 20 up and until recently I got pretty much the same using PIA and openvpn config files etc . I believe 384.19 has Open VPN 2.4.9. My router is also Asus AC86U

Recently my download speed has dropped , albeit somewhat intermitently, to more like an average of 160. I had put it down to the PIA servers ??

So my question is do you think the drop in speed on 386.2 is definetly due to the change to openvpn 2.5.1 or maybe it is the PIA servers ??
I don't know. I mentioned previously on this forum that when going to 386.1 my VPN PIA client download speeds dropped significantly. I also mentioned that when going to 386.2 beta that my speeds improved but not to what they were previously. Never sparked any conversation. I also asked PIA what the problem might be and never got any response.

Currently I am using StrongVPN and I am getting 140 - 160 Mbps on my AC86. I am also running StrongVPN WireGuard on a VPN appliance and I usually get 440 Mbps downloads so I know that Strong has have the ability and resources to deliver higher speeds.
 

Daanol

New Around Here
PIA used to be the go to VPN on this forum as users would often report download speeds when running in on an AC86 of 200 Mbps or better myself included. With the recent upgrade in Merlin's firmware to use OpenVPN 2.51 the best I can get is 110 - 120 Mbps when using PIA.

PIA is still easy to use:

Go to configuration generator www.privateinternetaccess.com/pages/ovpn-config-generator

Select OPEN VPN 2.4 or newer
Select Linux

Then select region/ country/ city you want

Then select recommended settings

Once you have downloaded the OVPN file to your computer then select and upload it to your router

Add your user name and password and click apply

Then turn the VPN on.

Once you get the VPN running you can change some of the settings in the router's firmware such as policy routing, blocking if tunnel goes down etc.

Based on my experience adding anything to the custom configuration doesn't improve throughput. If you want to experiment go ahead but run some speedtests first so you can test your changes.
1617018804458.png


These are my settings. It tells me its connected, but i am unable to load any website.

*edit picture
 
Last edited:

Daanol

New Around Here
I found out something (what i find) strange. When i am connected to the vpn, my sonos keeps playing radio and the youtube video i was watching still plays and keeps buffering. But when i try to visit any website, i get this message DNS_PROBE_FINISHED_BAD_CONFIG.
I also have a pingbox open pinging to 8.8.8.8 and that goes (almost) uninterrupted.

I did downgrade to 384.16
 

Daanol

New Around Here
I dont know why but IPVanish works instantly. when i connect to my closest server (amsterdam) i get 250 down and 20 up.
Thanks for your help.
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top