Tutorial How to Setup a VPN client including Policy Rules for PIA and other VPN providers 384.5 07.10.18

If someone can take the time to review the attached - it's part of my how-to guide series - I'm familiar enough with OpenVPN, but generally I don't consider myself an expert...

This is a fairly vanilla setup with Server/Client in a routed config (not bridged) and self-signed certs - 1194/UDP is used for this one. The section is long enough as it is, so not going down the path of bridging in the basic setup.

I would appreciate any feedback on this one from some that might be better versed in OpenVPN.
 

Attachments

  • SNB Basics - Setup OpenVPN.txt
    24.4 KB · Views: 656
So, could you perhaps cover routing traffic through the VPN based on the port, and not the IP address? I know that the GUI doesn't support this, but I have installed Entware and iptables and have SSH access. However, nothing I've found that resembles a guide has worked, and I do not understand iptables, as I am not familiar with it. I posted in the Asuswrt-Merlin forum asking for the same, but perhaps this is a more appropriate place.
 
Not sure if this helps, but this guy is talking about ports and VPN similar to what you want to do.
http://www.linksysinfo.org/index.php?threads/route-only-specific-ports-through-vpn-openvpn.37240/
You don't need Entware. You need to create a script, call it openvpn-event and place it in the scripts folder in the JFFS folder,
and make sure you Format JFFS partition at next boot and Enable JFFS custom scripts and configs in the administrator/system menu of the router. Use Notepad++ to write scripts and
read the read-me files here: https://github.com/RMerl/asuswrt-merlin/wiki
You have a long way ahead of you, but it is possible, and here are some starting steps.
This guide may help as well:
https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing-(manual-method)
This article is about mapping ports, so you can take a few ideas from it:
http://www.snbforums.com/threads/openvpn-port-forwarding-question.32859/
http://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/
Basically a lot of cut and paste and trial and error.

You need to use putty.exe and learn Linux commands in order to test and find out what ports or terms are used by the Asus router. With a little Google searching and these articles you can probably get it up and running. Be careful with some terms: br0 is WAN for Asus, but vlan1 is used by other firmware. tun11 is Asus; tun0 is other firmware.

Good luck :)
 
I know a decent amount of Linux commands. I did need Entware because iptables wasn't installed or enabled by default, and I'm more comfortable with package managers than manual installations. I installed it through PuTTY, and I do have the scripting and JFFS enabled, and I actually have read every one of those; those were the ones spitting tons of syntax errors. Eventually, I settled on creating an IP alias on all of the desktops and configured it so that the program whose ports I wanted to forward used the alias for outgoing traffic, then forwarded the IP alias through the VPN. Doesn't work for smartphones, but it's more of a PC thing anyway.
 
Hi there

I have this Asus RT-AC66U with the latest Merlin firmware, even tried the beta one today.
Been trying to set up OpenVPN on it. But the speed sucks. My link is 150/150 fiber. And I get full speed on speedtest without VPN.
And only 10-14 Mbit with VPN. Is it not possible to get good speeds on this "old" box or what?
But I had to double check, so I installed OpenVPN on my Debian box. There I got very good speeds. So it has to be the Asus box.
I have been reading all over and tried every combo I have found in here. But maybe there is something I haven't picked up, since the speeds are so bad.
Anyone have a suggestion what to do, buy a bigger Asus model? :)

Eis
 
Yes, 'buy a bigger Asus model'. :)

I also have fibre (100d/25u, Mbps) with my RT-AC68U and am using VPN to a client with a 2.5d/0.25u Mbps DSL ISP, and even though both of us are on native IPv6 (much more responsive internet, imo), the RT-AC66U is limiting what is possible in 'real time'. :) Yes, the big issue is the very slow ISP speeds. But the first gen AC class router is not helping matters either. ;)

I find that the RT-AC68U, while a significant improvement over my previous RT-N66U (effectively the same processor as the RT-AC66U), is still not powerful enough to really maximize my fibre connection (and would certainly need more than its 800MHz dual processors to maximize yours).

The 'next step' is the dual core 1.4GHz routers with 128MB flash and 512MB ram. The prices though, skyrocket pretty quickly in that realm today. :(
 
Hi, this is perfectly normal because it's a single-core CPU. You need to get a better router; a 68U will do the job because it's dual-core, but depending on your Wi-Fi needs you may want a better model.
 
Sometimes it might be preferable to set up a dedicated box behind the router/AP and run things there - I get very good performance with a small Intel J1800 box... if doing a lot of VPN as part of a workflow, it's something to consider.
 
Hi all. I have an AC3200 router with Merlin firmware. I followed the guide and it seems like everything went OK. I could see the service active. Unfortunately, when I tried to check my IP I could see my real IP and all. I was wondering if someone could help me diagnose the problem. Please let me know what I need to post in order to provide some more info.
 
Are you getting a green light when you enable the VPN client?
Did you enable all traffic in "Redirect Internet traffic" or Policy rules?
Are you using 2 clients at the same time to the same VPN server?
Is it possible to get a screenshot of your client? Your problem can be many things.
 
Sorry for the late reply. I tried to play with the settings but no luck. I had more luck with Asus firmware. I got vpn working by just selecting vpn file and cert file. No luck with Merlin firmware.
Certificate Authority copied from your post.

vpn.PNG
Wan.PNG
 
I see your problem. You are using port 1198.
You need to choose port 1196 for AES-128-CBC with this certificate, which you would copy and paste into Content modification of Keys & Certificates, in Certificate Authority:

-----BEGIN CERTIFICATE-----
MIID2jCCA0OgAwIBAgIJAOtqMkR2JSXrMA0GCSqGSIb3DQEBBQUAMIGlMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCT0gxETAPBgNVBAcTCENvbHVtYnVzMSAwHgYDVQQK
ExdQcml2YXRlIEludGVybmV0IEFjY2VzczEjMCEGA1UEAxMaUHJpdmF0ZSBJbnRl
cm5ldCBBY2Nlc3MgQ0ExLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRlaW50
ZXJuZXRhY2Nlc3MuY29tMB4XDTEwMDgyMTE4MjU1NFoXDTIwMDgxODE4MjU1NFow
gaUxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJPSDERMA8GA1UEBxMIQ29sdW1idXMx
IDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSMwIQYDVQQDExpQcml2
YXRlIEludGVybmV0IEFjY2VzcyBDQTEvMC0GCSqGSIb3DQEJARYgc2VjdXJlQHBy
aXZhdGVpbnRlcm5ldGFjY2Vzcy5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
AoGBAOlVlkHcxfN5HAswpryG7AN9CvcvVzcXvSEo91qAl/IE8H0knKZkIAhe/z3m
hz0t91dBHh5yfqwrXlGiyilplVB9tfZohvcikGF3G6FFC9j40GKP0/d22JfR2vJt
4/5JKRBlQc9wllswHZGmPVidQbU0YgoZl00bAySvkX/u1005AgMBAAGjggEOMIIB
CjAdBgNVHQ4EFgQUl8qwY2t+GN0pa/wfq+YODsxgVQkwgdoGA1UdIwSB0jCBz4AU
l8qwY2t+GN0pa/wfq+YODsxgVQmhgaukgagwgaUxCzAJBgNVBAYTAlVTMQswCQYD
VQQIEwJPSDERMA8GA1UEBxMIQ29sdW1idXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50
ZXJuZXQgQWNjZXNzMSMwIQYDVQQDExpQcml2YXRlIEludGVybmV0IEFjY2VzcyBD
QTEvMC0GCSqGSIb3DQEJARYgc2VjdXJlQHByaXZhdGVpbnRlcm5ldGFjY2Vzcy5j
b22CCQDrajJEdiUl6zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAByH
atXgZzjFO6qctQWwV31P4qLelZzYndoZ7olY8ANPxl7jlP3YmbE1RzSnWtID9Gge
fsKHi1jAS9tNP2E+DCZiWcM/5Y7/XKS/6KvrPQT90nM5klK9LfNvS+kFabMmMBe2
llQlzAzFiIfabACTQn84QLeLOActKhK8hFJy2Gy6
-----END CERTIFICATE-----

If you want to use port 1198 with the new RSA certificates, take a look at the how-to guide, because it has been updated.
 
Thank you for the quick reply. I tried that port before but it failed.

fail.PNG


openvpn

client
dev tun
proto udp
remote aus.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
 
**I have corrected the new certificates in the article. Please refer to the first pages of the thread for the new port and certificates.**

If you want to use port 1198 with the RSA certificates, I have updated this thread on how to do it.
Look at page 1, second part. You need to store those RSA certificates on your router and give the path to them,
otherwise it will never work. You cannot copy and paste those certificates into Certificate Authority.

this is what I posted in the Article

IMPORTANT!!!!

Private Internet Access has added a new port, 1198, with RSA certificates.
This port uses AES-128-CBC with SHA1.
It's a bit tricky to set it up, but here are simple steps on how to do it.

Look at the pia.jpg I have attached to set up the configurations.

You need to enable SSH in Administration/System and Format JFFS partition at next boot.
Then you need to connect over SSH with the file protocol SCP using WinSCP. Download this zip file from
https://www.privateinternetaccess.com/openvpn/openvpn.zip
Now extract the openvpn.zip file content and copy crl.rsa.2048.pem and ca.rsa.2048.crt to /jffs/configs.
Once you have done that, add these lines to custom configuration on the VPN client:
crl-verify //jffs/configs/crl.rsa.2048.pem
ca //jffs/configs/ca.rsa.2048.crt

There is no need to copy any certificates in Content modification of Keys & Certificates
because the router will read the certificates from the jffs path.

Start the client and you are ready to go
 

Attachments

  • pia.jpg
    pia.jpg
    51.3 KB · Views: 671
If you are going to use 1196,
remove these from custom configurations:
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
That will work with port 1196.
 
Is there any way you could help me remotely. I'm quite new to it and struggling with basic stuff.
 
Trying it now. I tried to copy the cert to JFFS but it failed to create the folder; I got this error when using WinSCP:

Command 'mkdir "config"'
failed with return code 1 and error message
mkdir: can't create directory 'config': Read-only file system.
Make sure you use file protocol SCP mode when you connect to the router. Also use a username and password that is admin level.
Did you format the JFFS partition and Enable JFFS custom scripts and configs, then reboot the router?
When you reboot the router and use WinSCP with the SCP protocol, it will ask you for the username and password of the router.
Once you are connected, look for the JFFS directory in the root of the file system, then open that folder and you will see a folder called configs. Drop the 2 files in there:
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
Then put these lines in the custom configuration of your VPN client:
crl-verify //jffs/configs/crl.rsa.2048.pem
ca //jffs/configs/ca.rsa.2048.crt
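The two problems worked through in this thread, a client config whose `ca` and `crl-verify` lines name files the router cannot find, and a /jffs that turns out to be read-only when the files are copied, can both be caught before the client is started. The POSIX sh script below is an added example; it is not part of any post here nor of the Asuswrt-Merlin firmware. The /jffs/configs layout follows the instructions above, while the certificate contents, the two config texts and the mounts table used in `check_demo` are constructed for the demo and are not real PIA data.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for an OpenVPN client
# config of the kind posted above. Needs only POSIX sh, awk and grep, so it
# also runs in the router's busybox shell. All paths and file contents in
# check_demo are constructed; nothing is read from a live router.

# 0 if config $1 has directive $2, optionally requiring its first argument to be $3.
ovpn_has_directive() {
    if [ -n "$3" ]; then
        awk -v d="$2" -v v="$3" '$1==d && $2==v {f=1} END {exit f?0:1}' "$1"
    else
        awk -v d="$2" '$1==d {f=1} END {exit f?0:1}' "$1"
    fi
}

# Path argument of directive $2 in config $1 (empty if the directive is absent).
ovpn_directive_path() {
    awk -v d="$2" '$1==d {print $2; exit}' "$1"
}

# 0 if the file named by 'ca' or 'crl-verify' ($2) in config $1 is an absolute
# path to a readable PEM file. A bare file name, as in the failing config
# above, is rejected: the router does not resolve it to /jffs/configs.
ovpn_check_pem_ref() {
    _p=$(ovpn_directive_path "$1" "$2")
    if [ -z "$_p" ]; then
        echo "MISSING: no '$2' directive"; return 1
    fi
    case $_p in
        /*) ;;
        *)  echo "BAD: '$2 $_p' is a relative path; use /jffs/configs/$_p"; return 1 ;;
    esac
    if [ ! -r "$_p" ]; then
        echo "MISSING: '$2' file $_p is not readable"; return 1
    fi
    if ! grep -q '^-----BEGIN' "$_p"; then
        echo "BAD: $_p does not look like a PEM file"; return 1
    fi
    echo "OK: $2 -> $_p"
}

# Both PEM references must resolve, and the client must pin the server role in
# the peer certificate: without 'remote-cert-tls server' any certificate the
# CA ever issued, including another client's, would be accepted as the server.
ovpn_check_client_config() {
    _rc=0
    ovpn_check_pem_ref "$1" ca || _rc=1
    ovpn_check_pem_ref "$1" crl-verify || _rc=1
    if ! ovpn_has_directive "$1" remote-cert-tls server; then
        echo "BAD: 'remote-cert-tls server' missing"; _rc=1
    fi
    return $_rc
}

# 0 if mount point $2 (default /jffs) is listed in mounts table $1 (default
# /proc/mounts) with the rw option. The WinSCP "Read-only file system" error
# quoted above is what you get when this is false.
jffs_mounted_rw() {
    awk -v mp="${2:-/jffs}" '
        $2==mp { n=split($4,o,","); for (i=1;i<=n;i++) if (o[i]=="rw") f=1 }
        END {exit f?0:1}' "${1:-/proc/mounts}"
}

# Self-contained demo on constructed files. Returns 0 when the relative-path
# config is rejected, the corrected config passes, and the constructed mounts
# table shows /jffs read-only.
check_demo() {
    _d=$(mktemp -d) || return 1
    mkdir -p "$_d/jffs/configs"
    # Constructed PEM stand-ins; not real PIA certificates.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB(constructed)' \
        '-----END CERTIFICATE-----' > "$_d/jffs/configs/ca.rsa.2048.crt"
    printf '%s\n' '-----BEGIN X509 CRL-----' 'MIIB(constructed)' \
        '-----END X509 CRL-----' > "$_d/jffs/configs/crl.rsa.2048.pem"
    # As posted: bare file names, which the router cannot find.
    printf 'client\ndev tun\nremote-cert-tls server\ncrl-verify crl.rsa.2048.pem\nca ca.rsa.2048.crt\n' \
        > "$_d/bad.ovpn"
    # As corrected in the thread: absolute /jffs/configs paths.
    printf 'client\ndev tun\nremote-cert-tls server\ncrl-verify %s/jffs/configs/crl.rsa.2048.pem\nca %s/jffs/configs/ca.rsa.2048.crt\n' \
        "$_d" "$_d" > "$_d/good.ovpn"
    # Constructed mounts table: /jffs present but mounted read-only.
    printf '/dev/mtdblock4 /jffs jffs2 ro,relatime 0 0\n' > "$_d/mounts"
    _fail=0
    ovpn_check_client_config "$_d/bad.ovpn" >/dev/null && _fail=1
    ovpn_check_client_config "$_d/good.ovpn" >/dev/null || _fail=1
    jffs_mounted_rw "$_d/mounts" /jffs && _fail=1
    rm -rf "$_d"
    return $_fail
}
```

On the router itself, `ovpn_check_client_config /jffs/configs/client.ovpn` (with the custom-configuration lines saved to a file) and `jffs_mounted_rw` with no arguments are the two calls to run before pressing Start; a non-zero exit with the printed reason is what to post when asking for help.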
 
