
How to Setup a VPN client including Policy Rules for PIA and other VPN providers 380.68 / 09.12

Discussion in 'VPN' started by yorgi, Mar 5, 2016.

  1. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    825
    Location:
    Canada
    Updated firmware 380.68: bug fixes and updates for OpenVPN, along with a new look for the GUI; in the VPN section you can now set a label for each VPN client.

    *** I suggest that every time you update to a new firmware you do a Default on the OpenVPN client, then reboot the router and enter the data again. Otherwise you may run into issues where the connection drops or other weird things happen.

    In recent updates everything is the same, with the exception of 2 new options in the advanced settings area: Cipher Negotiation and Negotiable ciphers, which should look like the image below.

    I disabled Cipher Negotiation for PIA because it doesn't work.
    Only the legacy cipher works, so it's not needed at the moment.

    [image: Advanced Settings.jpg]

    Encryption Cipher has been renamed to Legacy/fallback cipher.
    It is confirmed that PIA has not updated their servers for the new cipher.
    I will update the article as soon as they make the changes to use the new cipher.

    ***** An OpenVPN 2.4 bug causes reconnection failures for PIA subscribers.
    Add this command to custom configurations as a temporary fix. If you are having similar problems and are not with PIA, you can try this fix.
    pull-filter ignore "auth-token"

    PART I

    Here is a how-to guide using PIA as the example VPN provider, which will help you get your VPN client up and running with Merlin firmware.
    I have updated this article to use PIA's new 1197 and 1198 ports with new certificates.
    If you do not use PIA, read the section where I explain how to connect using other VPN providers.
    Please read both sections of this article carefully.

    In the images below I have set it to use Policy Rules (Strict). If you do not want to use Policy Rules and want all your traffic to go to the VPN, then simply use "All" in the Redirect Internet traffic option. When you select "All", if the VPN goes down you are protected, as it has an automatic feature with the firewall which stops traffic until the VPN is re-established. The Redirect Internet traffic option is covered in the second part of the guide.

    AES-128-CBC port 1198
    [image: 1198.jpg]
    AES-256-CBC port 1197
    [image: 256.jpg]

    Custom configurations to use with PIA.

    AES-128 and AES-256
    [image: custom config.jpg]

    In "custom configurations" I have added the following:
    auth-nocache: this command stops the password from being cached; otherwise you may have a security issue.
    mute-replay-warnings: this command stops the same warning from appearing over and over in the
    system log.

    *** Please take note that this directive was not indicated in the previous article. You need to put
    disable-occ in custom configurations for 1198 and 1197.

    It is important to add this line, otherwise the following 2 warnings will occur:

    WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
    WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'

    By putting disable-occ in custom configurations for ports 1197 and 1198, these warnings will disappear.

    pull-filter ignore "auth-token": this will fix the problem where the reconnection is not established after one day. This fix is only for PIA, but if you experience similar issues try using this command.

    pull-filter ignore "ifconfig-ipv6"
    pull-filter ignore "route-ipv6"
    Adding these 2 lines in custom configurations ensures that the VPN doesn't use IPv6 traffic.

    ***Certificates for PIA and other providers are discussed in the next section of this article.

    The VPN's speed will be determined by the encryption method you choose.
    Dual-core CPUs are the best choice because they deliver the fastest speeds in VPN client mode. Encryption makes the router work harder, therefore
    models such as the ASUS 68U or higher are the best choices.
    Models such as the ASUS 66U or lower are not a great choice; they will give you slower speeds because they have a single-core CPU that is not as powerful as the higher-end models.
    If a VPN client or server is important to you, then think of upgrading to a better router.

    UDP ports for PIA:

    port 1194: This port uses Blowfish-CBC encryption with Auth digest set to SHA1.
    No longer supported by PIA, but you are free to try it :)
    Speed: 30-35 mb/s

    port 1195: For no encryption, use with the encryption type set to none and Auth digest set to none, and in custom configuration add auth none. This method is the fastest, at full speed, but without encryption. Not very safe.
    Speed: full bandwidth of your ISP

    port 1197: For stronger encryption, use with AES-256-CBC encryption and Auth digest SHA256. Speeds 20-30 mb/s

    port 1198: Use the preferred encryption method, which is AES-128-CBC encryption with Auth digest set to SHA1.
    This encryption method delivers the fastest speeds compared to the other methods.
    Speeds 50-60 mb/s

    **certificates are discussed in Part II of the guide

    TCP Ports:

    PIA also offers the TCP protocol on ports 501 (AES-256-CBC) and 502 (AES-128-CBC).
    Configure the same as the UDP protocol, with the exception of changing UDP to TCP and using the new port numbers. The TCP protocol has different certificates, which are found in PART II of this article.

    Configuring a VPN client which is not from PIA:

    ***Please refer to your VPN provider for encryption and ports

    If you don't use PIA as your VPN provider, the images above may not help you connect.
    The easiest way to get your VPN client to work quickly and painlessly is to do the following.
    Every provider will supply a .ovpn file. Simply click on the browse button in "Import .ovpn file", go to the location where you stored the .ovpn file, select it and then click upload. The router will read all the information from the .ovpn file and will then configure the VPN client. Some VPN providers include the certificates in the .ovpn file, while some will have a separate .crt file. If the certificates are not included in the .ovpn, make sure you copy and paste them into the "Content modification of Keys & Certificates" area. If the .ovpn file has the certificates included, you will see them copied into "Content modification of Keys & Certificates"; if not, you will have to do this manually.
    Almost all providers will enter different data in the custom configurations area, so do not be alarmed if the data is not the same as or similar to PIA's. The .ovpn file contains all the important information needed to auto-configure the VPN client.

    The same example above will work with stock ASUS firmware:
    import the client.ovpn into another ASUS router. It will automatically configure everything you need to connect to the VPN server, including certificates.
    Simply go to the VPN client on your ASUS router and look for "Import .ovpn file"; use the browse button to find the client1.ovpn file, then click on upload.
    That's it. You should be ready to connect. Turn the service state button to ON.
    You can enable the start with WAN option if you want the client to automatically connect to the VPN server when the router gets rebooted.
    My opinion on using stock ASUS firmware: once you have established a connection to the VPN server, if for some reason there is a glitch and the server drops the connection, you will leak DNS and your local ISP IP will show. There is no drop-connection feature if the tunnel goes down. I strongly suggest using Merlin firmware if you want to use it as a VPN client.

    Auth digest: refer to your VPN provider, or leave it default if you are not sure.
    For PIA use SHA1 for AES-128-CBC and SHA256 if you are using AES-256-CBC.

    Accept DNS Configuration should be set to Exclusive.

    Cipher Negotiation: refer to your VPN provider, or leave it default if you are not sure.
    For PIA I have disabled it because it doesn't work.

    Legacy/fallback cipher: For PIA use AES-128-CBC or AES-256-CBC, depending on the encryption you use with PIA.

    Redirect Internet traffic:

    Use "POLICY RULES STRICT" in "Redirect Internet traffic" for selective routing.
    Enabling the Policy Rules feature gives you the freedom to route specific devices to the VPN and other devices to the local ISP. You can even have a device use the VPN but have specific addresses use the local ISP, or vice versa.

    Please note:
    When you are in a VPN tunnel the DNS is determined by the VPN; therefore, if you redirect specific IP addresses to WAN (the local ISP), the DNS will show that of the VPN and not that of the local ISP. This is also known as a DNS leak.
    However, you can route your FTP or SMTP, which do not use DNS; therefore you can set up all traffic to go to the VPN except for FTP and SMTP, so you can get your email or access your FTP without having it routed via the VPN.

    When you enable Policy Rules you have an extra option, "block traffic if VPN goes down".
    This is one of the best features when using Merlin firmware, because when it's enabled, if for some reason the VPN server drops the connection the router will suspend all traffic until the VPN client reconnects to the server. This way you won't leak your local IP address to the public.
    I strongly recommend that you enable "block internet traffic if VPN goes down".

    Please refer to the second part of this article for examples using Policy Rules.

    If you do not want to use Policy Rules but want all your traffic to go via the VPN client, then use the "ALL" option in the Redirect Internet traffic area; this will exclusively use the DNS of the VPN. You are still safe if the connection drops, as the firewall is programmed to automatically drop the connection if the VPN client drops its connection.

    Set compression to "LZO Adaptive". I used to disable compression, but I found that it is needed for best results.

    Here is a good chart you can bookmark for ports, certificates and encryption methods from PIA. They recommend using ports 1198, 1197, 502 and 501 with AES encryption. You are free to explore other methods found in the link below. I will show you examples using these methods in part 2 of this guide.

    https://helpdesk.privateinternetacc...ings-should-I-use-for-ports-on-your-gateways-

    Part II follows:
     
    Last edited: Sep 12, 2017
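The two "used inconsistently" warnings quoted in the post come from OpenVPN's option-consistency check (OCC). As an added example, not part of the original post or of the Merlin firmware, the Python script below scans router system-log lines for those warnings and reports which options the peer disagrees on. The log sample is constructed from the warnings shown above; the "RT-AC68U openvpn[1234]:" syslog prefix and the 10.0.0.1 peer address are assumptions.

```python
import re

# Constructed sample of router system-log output, modelled on the two warnings
# quoted in the guide. The syslog prefix and the peer address are assumptions.
SAMPLE_LOG = """\
Sep 12 10:01:02 RT-AC68U openvpn[1234]: TLS: Initial packet from [AF_INET]10.0.0.1:1198
Sep 12 10:01:03 RT-AC68U openvpn[1234]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
Sep 12 10:01:03 RT-AC68U openvpn[1234]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
Sep 12 10:01:04 RT-AC68U openvpn[1234]: Initialization Sequence Completed
"""

# OpenVPN reports every option-consistency (OCC) disagreement in this form.
OCC_WARNING = re.compile(
    r"WARNING: '(?P<option>[\w-]+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'"
)


def parse_occ_warnings(log_text):
    """Return one dict per OCC warning: option name plus the local and remote values."""
    found = []
    for line in log_text.splitlines():
        match = OCC_WARNING.search(line)
        if match:
            found.append(match.groupdict())
    return found


def occ_report(log_text):
    """Summarise the mismatches found in a log excerpt."""
    warnings = parse_occ_warnings(log_text)
    options = sorted({w["option"] for w in warnings})
    # A 'cipher' mismatch is worth a second look: disable-occ only silences the
    # comparison, it does not change which cipher the tunnel actually negotiates.
    return {
        "count": len(warnings),
        "options": options,
        "cipher_mismatch": "cipher" in options,
        "details": warnings,
    }


if __name__ == "__main__":
    for entry in occ_report(SAMPLE_LOG)["details"]:
        print(f"{entry['option']}: local={entry['local']!r} remote={entry['remote']!r}")
```

Run it against a copy of the router's System Log page (or the output of `logread` over SSH); an empty report after adding disable-occ confirms the warnings are gone, while a cipher mismatch seen before that tells you the server announces a different cipher than the one set in the client.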
  2. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    825
    Location:
    Canada
    PART II

    Certificates for PIA:

    Download these zip files from PIA in order to get the certificates you need to make the appropriate client work.
    AES-128-CBC https://www.privateinternetaccess.com/openvpn/openvpn.zip
    AES-256-CBC https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip

    Extract the content of the zip file.
    For AES-128-CBC
    Look for ca.rsa.2048.crt and crl.rsa.2048.pem for 128-bit encryption,
    which are found in openvpn.zip.

    For AES-256-CBC encryption you are looking for the following certificates, which are found in openvpn-strong.zip:
    crl-verify crl.rsa.4096.pem and ca ca.rsa.4096.crt.

    Go to the VPN tab in the VPN client and look for Certificate Authority, now click on
    Content modification of Keys & Certificates in Authorization Mode.
    Open ca.rsa.2048.crt with a text editor and copy and paste the entire content into the "Certificate authority" section.
    Next open crl.rsa.2048.pem with a text editor and copy its entire content into
    "Certificate Revocation List (Optional)".

    Do the same procedure as above for AES-256-CBC, with the exception that you are copying and pasting data from these certificates: crl-verify crl.rsa.4096.pem and ca ca.rsa.4096.crt.

    Use the image below for reference

    [image: cr.jpg]

    Certificates for the PIA TCP protocol on ports 501 (AES-256-CBC) and 502 (AES-128-CBC):
    Do the same as in the other examples with the certificates found in these links.
    https://www.privateinternetaccess.com/openvpn/openvpn-strong-tcp.zip
    https://www.privateinternetaccess.com/openvpn/openvpn-tcp.zip

    Port 1194 (Blowfish) uses the certificate below, as does port 1195 without encryption.

    Copy and paste this certificate into Certificate Authority:

    -----BEGIN CERTIFICATE-----
    MIID2jCCA0OgAwIBAgIJAOtqMkR2JSXrMA0GCSqGSIb3DQEBBQUAMIGlMQswCQYD
    VQQGEwJVUzELMAkGA1UECBMCT0gxETAPBgNVBAcTCENvbHVtYnVzMSAwHgYDVQQK
    ExdQcml2YXRlIEludGVybmV0IEFjY2VzczEjMCEGA1UEAxMaUHJpdmF0ZSBJbnRl
    cm5ldCBBY2Nlc3MgQ0ExLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRlaW50
    ZXJuZXRhY2Nlc3MuY29tMB4XDTEwMDgyMTE4MjU1NFoXDTIwMDgxODE4MjU1NFow
    gaUxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJPSDERMA8GA1UEBxMIQ29sdW1idXMx
    IDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSMwIQYDVQQDExpQcml2
    YXRlIEludGVybmV0IEFjY2VzcyBDQTEvMC0GCSqGSIb3DQEJARYgc2VjdXJlQHBy
    aXZhdGVpbnRlcm5ldGFjY2Vzcy5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
    AoGBAOlVlkHcxfN5HAswpryG7AN9CvcvVzcXvSEo91qAl/IE8H0knKZkIAhe/z3m
    hz0t91dBHh5yfqwrXlGiyilplVB9tfZohvcikGF3G6FFC9j40GKP0/d22JfR2vJt
    4/5JKRBlQc9wllswHZGmPVidQbU0YgoZl00bAySvkX/u1005AgMBAAGjggEOMIIB
    CjAdBgNVHQ4EFgQUl8qwY2t+GN0pa/wfq+YODsxgVQkwgdoGA1UdIwSB0jCBz4AU
    l8qwY2t+GN0pa/wfq+YODsxgVQmhgaukgagwgaUxCzAJBgNVBAYTAlVTMQswCQYD
    VQQIEwJPSDERMA8GA1UEBxMIQ29sdW1idXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50
    ZXJuZXQgQWNjZXNzMSMwIQYDVQQDExpQcml2YXRlIEludGVybmV0IEFjY2VzcyBD
    QTEvMC0GCSqGSIb3DQEJARYgc2VjdXJlQHByaXZhdGVpbnRlcm5ldGFjY2Vzcy5j
    b22CCQDrajJEdiUl6zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAByH
    atXgZzjFO6qctQWwV31P4qLelZzYndoZ7olY8ANPxl7jlP3YmbE1RzSnWtID9Gge
    fsKHi1jAS9tNP2E+DCZiWcM/5Y7/XKS/6KvrPQT90nM5klK9LfNvS+kFabMmMBe2
    llQlzAzFiIfabACTQn84QLeLOActKhK8hFJy2Gy6
    -----END CERTIFICATE-----

    POLICY RULES EXAMPLES:

    There are many ways you can use "selective routing", or Policy Rules as it's called.
    Here are 5 examples. 0.0.0.0 means any IP address. Local ISP is your Internet Service Provider.

    A: You can use the CIDR range 192.168.1.80/28, which is the addresses between 192.168.1.80-192.168.1.95.
    In this example IP addresses 192.168.1.80-192.168.1.95 will go to the VPN and all other traffic will go to WAN (local ISP).
    Note: The traffic that goes to WAN (local ISP) resolves to the DNS of the local ISP, therefore there is no more need to use DNS filtering as in the past in order to resolve the proper DNS.

    ie: source IP 192.168.1.80/28 Destination 0.0.0.0 Iface VPN

    B: Selecting an IP address for each client to go through the VPN only, and all other traffic goes to the local ISP.
    In the example below 2 IP addresses go to the VPN and every other address goes to the local ISP.
    Note: The traffic that goes to the local ISP resolves to the DNS of the local ISP, therefore there is no more need to use DNS filtering as in the past in order to resolve the proper DNS.

    ie: source IP 192.168.1.50 Destination IP 0.0.0.0 Iface VPN
    source IP 192.168.1.51 Destination IP 0.0.0.0 Iface VPN

    C: You can use a CIDR range and make rules so that the IP range's traffic goes to the VPN and specific IP addresses go to the local ISP.
    In the example below 192.168.1.0/24 is the range for 192.168.1.1-192.168.1.254, which means all traffic will go to the VPN, and for IP 192.168.1.50 all traffic will go to the VPN except for Facebook, which will route via the local ISP.
    Note: Don't forget that because you are routing traffic from the VPN tunnel to WAN, the DNS will be that of the VPN, so Facebook will see your VPN address as DNS. This is called a DNS leak; if security is important to you, then I suggest you do not route traffic through WAN when on the VPN tunnel.

    ie: source IP 192.168.1.0/24 destination IP 0.0.0.0 Iface VPN
    source IP 192.168.1.50 destination IP 173.252.64.0/18 Iface WAN

    D: Normally when using a VPN the SMTP port is blocked by the VPN provider for security.
    In this example 24.123.456.78 will be the IP address of the SMTP server,
    so basically all device traffic from the IP range 192.168.1.1-192.168.1.254 will go to the VPN, but all IP addresses will use the local ISP for email, and a specific computer, 192.168.1.160, will use the local ISP for FTP at the fictitious address 64.125.65.23.

    ie: Source IP 192.168.1.0/24 Destination IP 0.0.0.0 Iface VPN
    Source IP 0.0.0.0 Destination IP 24.123.456.78 Iface WAN
    Source IP 192.168.1.160 Destination IP 64.125.65.23 Iface WAN

    E: All traffic goes to the VPN. This is a great alternative to "redirecting all traffic" because you have the option to "Block routed clients if tunnel goes down".
    The example below says that all traffic goes to the VPN:

    Source IP 192.168.1.0/24 Destination IP 0.0.0.0 Iface VPN

    In this forum we have made tests with many different routers and models, and the results are as follows:
    No router to date has given better than 60 mb/s, so don't go nuts if you have 200 mb/s with your ISP and you can't get more than 60 mb/s; this is normal. The router's CPU just can't handle more!
    The RT-N66U and RT-AC66U will never give you more than 10 mb/s on a VPN because their CPUs are not fast enough.
    Dual-core CPUs give you better performance.
    If your router has a dual-core CPU, take note that VPN clients 2 and 4 use core 1 and clients 1, 3 and 5 use core 2. Take advantage of this, because you can split the load for routing on core 1 and VPN on core 2.
    Also take note that USB media drives use core 2, so use the best configuration for your needs.

    Computer router solution:

    If you need better speeds than mentioned above, you can create a router using a mini computer running pfSense. A computer will easily handle the decryption and can give you the maximum bandwidth of your VPN provider. It is extremely difficult to configure, but it is an alternative.

    Router Solution for High Speed VPN Client:

    Hardware isn't the only issue. Not all VPN providers have sufficient backbone connections to support high upload and download speeds. One has to try several providers before they can get consistent download speeds of over 70 Mbps.

    Sabai Technology offers custom routers which they claim can reach the speeds of your ISP.
    http://www.sabaitechnology.com/

    ***Important for ASUS routers and VPN providers

    IPv6 is the future for IP addresses. The problem right now is that IPv4 addresses are running out and many companies are moving forward to IPv6. This is a problem for VPN users.
    When you are connected to the VPN server, their tunnel only supports IPv4 traffic. That means all traffic heading for IPv4 goes through the VPN tunnel, but IPv6 traffic will automatically go to the local ISP, which means a DNS leak. This is because PIA and other companies, including ASUS WRT, do not support IPv6 yet.
    This means that one will have to disable IPv6 for any device that will be on a VPN.
    The easiest way is to disable IPv6 directly on the router, but to ensure complete safety it is recommended that one disables IPv6 in the OS of all devices that are on a VPN.
    For Windows and Mac, disable IPv6 on the TCP/IP adapter. For other device OSes, please research how to disable IPv6.

    OpenVPN supports IPv6 but ASUS has not added the code on their firmware yet, and neither has PIA or many other VPN service providers.

    This is a serious issue where privacy is important, so take the necessary precautions to avoid any problems in the future.

    Here is a site where you can test your device to see if you are connecting to IPv6 addresses:

    https://ip6.nl/

    PC.
    Reference:

    Here is a site that will help you create CIDR ranges:
    http://networkcalculator.ca/ip-calculator.php

    Here is a whois lookup that shows you the CIDR range of IP addresses:
    http://www.whois.com/whois/

    Here is a site to test whether you are leaking DNS:
    https://ipleak.net/

    Always test with ipleak.net to make sure your VPN is showing the right IP address and that your DNS is that of the VPN server and not your ISP's or others. ipchicken.com is only good for showing your IP address; it doesn't show what DNS you are using.
    As a general rule, when you are connected to the VPN server and use ipleak.net,
    the IP address and DNS should be the same as the VPN server.

    I will update this guide whenever there are new firmware or changes with PIA
     
    Last edited: Aug 7, 2017
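The Policy Rules described in Part I and illustrated by examples A to E above, as an added Python model; this is example code, not code from the post or from the Merlin firmware. It assumes that 0.0.0.0 means any address, that the most specific matching rule wins (which is what examples A to E imply; the firmware's actual rule precedence is not stated in the post), that unmatched traffic goes to WAN, and that the "Block routed clients if tunnel goes down" option only affects flows a rule sends to the VPN. The 203.0.113.x destinations are constructed test addresses.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_net(text):
    """'0.0.0.0' in the GUI means any address; otherwise accept a single IP or a CIDR range."""
    if text == "0.0.0.0":
        return ANY
    return ipaddress.ip_network(text, strict=False)


def cidr_bounds(cidr):
    """First and last address covered by a CIDR range, e.g. 192.168.1.80/28 -> .80 to .95."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1])


def route_for(rules, src_ip, dst_ip, tunnel_up=True, block_if_down=True):
    """Decide where one flow goes.

    rules: list of (source, destination, iface) as typed into the Policy Rules table.
    Assumption (modelling choice): the most specific matching rule wins, measured by the
    combined prefix length of its source and destination; with no match, traffic uses WAN.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for src_text, dst_text, iface in rules:
        s, d = parse_net(src_text), parse_net(dst_text)
        if src in s and dst in d:
            specificity = s.prefixlen + d.prefixlen
            if best is None or specificity > best[0]:
                best = (specificity, iface)
    iface = best[1] if best else "WAN"
    if iface == "VPN" and not tunnel_up:
        if block_if_down:
            return "BLOCKED"   # the option holds routed clients until the tunnel is back
        return "WAN"           # without it the flow falls back to the ISP link: the leak the post warns about
    return iface


# Example A from the post: only the 16 addresses 192.168.1.80-95 use the VPN.
EXAMPLE_A = [("192.168.1.80/28", "0.0.0.0", "VPN")]

# Example C from the post: the whole /24 via VPN, except 192.168.1.50's traffic to
# Facebook's 173.252.64.0/18, which goes via WAN (and, as the post notes, still uses VPN DNS).
EXAMPLE_C = [
    ("192.168.1.0/24", "0.0.0.0", "VPN"),
    ("192.168.1.50", "173.252.64.0/18", "WAN"),
]

if __name__ == "__main__":
    print(cidr_bounds("192.168.1.80/28"))
    print(route_for(EXAMPLE_C, "192.168.1.50", "173.252.70.1"))
    print(route_for(EXAMPLE_C, "192.168.1.51", "173.252.70.1"))
    print(route_for(EXAMPLE_A, "192.168.1.96", "203.0.113.9"))
    print(route_for(EXAMPLE_A, "192.168.1.90", "203.0.113.9", tunnel_up=False))
```

Feeding your own rule table into route_for lets you check, before committing the GUI form, which flows would bypass the tunnel; any flow that returns "WAN" while the source is a VPN-routed client is one to look at with ipleak.net afterwards, because the DNS-leak caveat in example C applies to it.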
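A certificate pasted into the router only works while it is within its validity period, so a check worth doing before pasting is to read its notBefore and notAfter dates. The Python script below is an added example, not part of the post: it decodes the PEM block for ports 1194/1195 quoted above using only the standard library, walks the DER structure to the validity field, and reports whether the certificate is valid on a given date. The certificate text is copied from Part II; nothing else is assumed.

```python
import base64
import re
from datetime import datetime, timezone

# The CA certificate for PIA ports 1194/1195 exactly as pasted in Part II above.
PIA_LEGACY_CA_PEM = """-----BEGIN CERTIFICATE-----
MIID2jCCA0OgAwIBAgIJAOtqMkR2JSXrMA0GCSqGSIb3DQEBBQUAMIGlMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCT0gxETAPBgNVBAcTCENvbHVtYnVzMSAwHgYDVQQK
ExdQcml2YXRlIEludGVybmV0IEFjY2VzczEjMCEGA1UEAxMaUHJpdmF0ZSBJbnRl
cm5ldCBBY2Nlc3MgQ0ExLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRlaW50
ZXJuZXRhY2Nlc3MuY29tMB4XDTEwMDgyMTE4MjU1NFoXDTIwMDgxODE4MjU1NFow
gaUxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJPSDERMA8GA1UEBxMIQ29sdW1idXMx
IDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSMwIQYDVQQDExpQcml2
YXRlIEludGVybmV0IEFjY2VzcyBDQTEvMC0GCSqGSIb3DQEJARYgc2VjdXJlQHBy
aXZhdGVpbnRlcm5ldGFjY2Vzcy5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
AoGBAOlVlkHcxfN5HAswpryG7AN9CvcvVzcXvSEo91qAl/IE8H0knKZkIAhe/z3m
hz0t91dBHh5yfqwrXlGiyilplVB9tfZohvcikGF3G6FFC9j40GKP0/d22JfR2vJt
4/5JKRBlQc9wllswHZGmPVidQbU0YgoZl00bAySvkX/u1005AgMBAAGjggEOMIIB
CjAdBgNVHQ4EFgQUl8qwY2t+GN0pa/wfq+YODsxgVQkwgdoGA1UdIwSB0jCBz4AU
l8qwY2t+GN0pa/wfq+YODsxgVQmhgaukgagwgaUxCzAJBgNVBAYTAlVTMQswCQYD
VQQIEwJPSDERMA8GA1UEBxMIQ29sdW1idXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50
ZXJuZXQgQWNjZXNzMSMwIQYDVQQDExpQcml2YXRlIEludGVybmV0IEFjY2VzcyBD
QTEvMC0GCSqGSIb3DQEJARYgc2VjdXJlQHByaXZhdGVpbnRlcm5ldGFjY2Vzcy5j
b22CCQDrajJEdiUl6zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAByH
atXgZzjFO6qctQWwV31P4qLelZzYndoZ7olY8ANPxl7jlP3YmbE1RzSnWtID9Gge
fsKHi1jAS9tNP2E+DCZiWcM/5Y7/XKS/6KvrPQT90nM5klK9LfNvS+kFabMmMBe2
llQlzAzFiIfabACTQn84QLeLOActKhK8hFJy2Gy6
-----END CERTIFICATE-----"""


def pem_to_der(pem):
    """Strip the PEM armour lines and base64-decode the body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def read_tlv(buf, pos):
    """Decode one DER tag-length header at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: the next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def certificate_validity(der):
    """Return (notBefore, notAfter) as the raw ASN.1 time strings from the certificate."""
    _, pos, _ = read_tlv(der, 0)            # Certificate ::= SEQUENCE
    _, pos, _ = read_tlv(der, pos)          # tbsCertificate ::= SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):                      # skip serialNumber, signature, issuer
        _, _, pos = read_tlv(der, pos)
    tag, pos, end = read_tlv(der, pos)      # validity ::= SEQUENCE { notBefore, notAfter }
    if tag != 0x30:
        raise ValueError("validity SEQUENCE not found")
    times = []
    while pos < end:
        t, start, stop = read_tlv(der, pos)
        if t not in (0x17, 0x18):           # UTCTime / GeneralizedTime
            raise ValueError("unexpected tag inside validity")
        times.append(der[start:stop].decode("ascii"))
        pos = stop
    return tuple(times)


def parse_asn1_time(text):
    """UTCTime 'YYMMDDhhmmssZ' (RFC 5280: 50-99 -> 19xx, 00-49 -> 20xx) or GeneralizedTime."""
    if len(text) == 13:
        yy = int(text[:2])
        text = ("19" if yy >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_is_valid_on(pem, iso_date):
    """True if the certificate is within its validity period on the given YYYY-MM-DD (UTC)."""
    when = datetime.strptime(iso_date, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    not_before, not_after = (parse_asn1_time(t) for t in certificate_validity(pem_to_der(pem)))
    return not_before <= when <= not_after


if __name__ == "__main__":
    print(certificate_validity(pem_to_der(PIA_LEGACY_CA_PEM)))
```

The same function works on the ca.rsa.2048.crt and ca.rsa.4096.crt files from the PIA zip archives; paste a file's contents in place of the constant. An expired CA makes the client reject the server certificate at the TLS handshake, which shows up in the router log as a connection that never completes rather than as a clear "expired" message.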
  3. scaramonga

    scaramonga Regular Contributor

    Joined:
    Jan 15, 2015
    Messages:
    52
    Thank you for the detailed explanation and time for making this super guide!
     
  4. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    825
    Location:
    Canada
    I really hope it works out for you because you bought a great router :)
     
  5. scaramonga

    scaramonga Regular Contributor

    Joined:
    Jan 15, 2015
    Messages:
    52
    One question buddy...

    If I am using no encryption, what certificate does one use, if any?

    And would these custom settings suffice?

    pia-signal-settings
    tls-client
    remote-cert-tls server
    reneg-sec 0
    auth none
    auth-nocache
    verb 3
    mssfix 0
     
  6. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    825
    Location:
    Canada
    You always need to have that BF and/or AES certificate, and there is a different certificate if you use AES-256, plus more custom configuration add-ons.

    The only difference is the port and putting auth none in the custom configurations.

    So you would need to put port 1195 and none for encryption, and the following
    in custom configuration:

    tls-client
    remote-cert-tls server
    ns-cert-type server
    auth-nocache
    auth none


    I am not sure why you put pia-signal-settings and mssfix 0,
    but all of the above would be needed for no encryption.
     
    Last edited: Mar 24, 2016
  7. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    825
    Location:
    Canada
    OpenVPN 2.X

    No idea why you would want to play with the packet size or put it to 0.
    -mssfix max
    Announce to TCP sessions running over the tunnel that they should limit their send packet sizes such that after OpenVPN has encapsulated them, the resulting UDP packet size that OpenVPN sends to its peer will not exceed max bytes.

    Also pia-signal-settings:
    I would take that out because you have already set up the encryption types with the Merlin VPN client.
    No need to double up on that.

    Here is some more literature on different types of encryption and other commands one can put in custom configurations to achieve what a PIA client would be able to do.

    https://www.privateinternetaccess.com/forum/discussion/9093/pia-openvpn-client-encryption-patch
     
    Last edited: Mar 7, 2016
  8. scaramonga

    scaramonga Regular Contributor

    Joined:
    Jan 15, 2015
    Messages:
    52
    Ah I see, thanks very much.

    pia-signal-settings is there because John's Fork said it was required with PIA, so I just added it in there. I'll remove the mssfix also, lol.

    It's one big learning curve, this VPN stuff, so thank you for all your help.
     
  9. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    825
    Location:
    Canada
    Perhaps pia-signal-settings is required by PIA if you don't have all the features of Merlin, like maybe some other client which is not as sophisticated as Merlin, but when you put that option you would have to add the encryption type as well to make it work right, as you can see from that PIA article.

    It would probably be used like this:

    pia-signal-settings
    cipher aes-128-cbc

    That would probably work, but it's not needed because we have those settings in Merlin :)
     
  10. Rango

    Rango Regular Contributor

    Joined:
    Nov 24, 2015
    Messages:
    198
    Location:
    IL, USA
    Yorgi, just as info, only the following are needed based on my testing. I think the rest of those you listed are already built in when the router is negotiating, so you're just repeating that again in custom settings. I'm not sure if that will interfere or not, but it's redundant. Merlin or John would know better. I think the rest of those instructions are for open-source DD-WRT firmware types. I could be wrong, but

    Required
    tls-client
    remote-cert-tls server
    reneg-sec 0

    Optional in 380 and lower firmware. Listing verb in custom config will also work better with some VPN nodes. May connect you to the closest node.
    This is all dependent on the VPN node server closest to you, so one has to experiment a little in their region.

    verb 3 through 10... I found 3 being best. 5 will report too many unnecessary errors, like packets being dropped due to something like a UDP error. Not really useful for the average Joe.
     
  11. Rango

    Rango Regular Contributor

    Joined:
    Nov 24, 2015
    Messages:
    198
    Location:
    IL, USA
    Cool bro. But one will get the VPN DNS through PIA once set to Exclusive, so just curious why you would use that? You don't want to point to Google DNS or OpenDNS, as then you're leaking out of your VPN protection and essentially advertising your internet activities. Unless this could be used as a backup when the VPN provider's DNS goes down.

    I also redirect all traffic, not based on policy, but maybe that's how you use DNS filtering?

    Great guide bro
     
  12. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    825
    Location:
    Canada
    Hey brother :)
    The only reason that I use DNS filtering is because I use selective IP addresses for the VPN, and when you do that the VPN DNS shows up when you are using the local ISP; he is fixing that issue in the new release.
    Also, even if you use Exclusive and you check on ipleak.net, you will see that you get a DNS address for PIA instead of an IP address. Normally when you use the OpenVPN program and check ipleak.net you will see the IP address and the DNS address are the same. When you use Merlin's VPN and do the ipleak.net test you will see an IP address and another address for DNS.
    There's nothing wrong with that, but why not have it resolve the way PIA, OpenVPN and Tomato USB work?
    That is the only reason that I use DNS filtering, because it's really not working the way it should.
    I hope that makes sense. Try it out and you will see.
     
  13. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    825
    Location:
    Canada
    I would almost agree with you, but:

    persist-key not sure
    persist-tun not sure
    tls-client for sure
    remote-cert-tls server for sure
    ns-cert-type server for sure
    auth-nocache this stops some error about caching a password, and now it's gone.
    auth none auth none is for no encryption, as we know
    reneg-sec 0 I picked this one up from the OpenVPN site.
    verb 3 and I agree with verb 3 being the best :)

    Some of the "for sure" is because I was on the OpenVPN site reading all the switches, and I found that they should be used according to them.

    Anyone who has something to add, I would be glad to listen :)
     
  14. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    825
    Location:
    Canada
    I am not going to put the new firmware on my router because it's still in alpha stage, so I will wait.
    Maybe the DNS filtering is not needed now, but for my firmware I had to do this.
    When the new firmware comes out I will most likely fix this section, as there will be new additions,
    but for now I will stick to my guns unless Merlin says I am doing something wrong :)
     
  15. Rango

    Rango Regular Contributor

    Joined:
    Nov 24, 2015
    Messages:
    198
    Location:
    IL, USA
    Even in the oldest firmware you will ALWAYS get DNS from PIA if you set it to Exclusive or Strict, and that's available in the oldest firmware. Actually, that's how it should be set up anyway. You never want to browse through ANY other DNS but the VPN provider's, and they are always injected once you connect. That's not dependent on the firmware version; when you connect to PIA you get the re-routes you see in the log, and part of the re-routes are re-routes for DNS as well. Again, nothing to do with new vs old firmware. The oldest Merlin firmware will act the same, meaning it will re-route to the PIA VPN DNS servers. In fact the firmware does not do that, the PIA server does. Your router just accepts the re-routes from the VPN provider. That's what a router does: it routes, and part of the routes is DNS.

    You don't want to point to OpenDNS or Google DNS if you're on a VPN, unless you have specific policy rules set up that are pointing to some custom arrangement.
    I redirect all traffic through the VPN, but I guess that depends on what you're doing.

    Once in a while I'll check whether my DNS is leaking, but I have never seen it do so.

    https://dnsleaktest.com/
     
  16. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    825
    Location:
    Canada
    I know. But when you do a DNS leak test, do you see your IP address and then the PIA DNS address?
    Or do you see the PIA IP address for the DNS as well?
    I don't think you understood. I am on Exclusive as well, and I never said that the DNS is not PIA,
    but if you use the PIA software, Tomato USB or the OpenVPN software, when you do a DNS leak test you will see 172.xxx.xxx.xx for both IP and DNS with those other programs, whereas when you do it with Merlin
    you will get 172.xxx.xxx.xx and DNS 209.222.18.218.

    That is not the way the other programs resolve it. Also, when you use the local ISP the DNS will show as 209.222.18.218 and not Google or whatever. So that's why I use DNS filtering: when I am on the ISP I get Google, and when I am on PIA I get PIA,
    but the right way. I am not saying that Merlin's is not right, but when I tested all the others I didn't get the same results as with PIA, OpenVPN or Tomato USB.

    Try it and you will see :)
     
  17. Rango

    Rango Regular Contributor

    Joined:
    Nov 24, 2015
    Messages:
    198
    Location:
    IL, USA
    Hmmm... yeah, I'm not sure what you're saying. If you set DNS filtering on and set it for OpenDNS, you will leak out of PIA to OpenDNS, and you don't want to do that, unless I'm not understanding what you're doing. I get PIA DNS if DNS filtering is off.


    [image: upload_2016-3-21_12-12-22.png]
     
  18. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    825
    Location:
    Canada
    [image: 1.jpg]




    Ok, look at the 2 of them.
    The first one is with DNS filtering and the second one is without DNS filtering.
    They are both right, but it shouldn't be showing the actual DNS of PIA; it should be showing the IP as in the first image.
    Try it with this site and you will see:
    https://ipleak.net/
    The first image is the way openvpn.exe, PIA and the Tomato USB router show it,
    and the second image is Merlin's.
    You tell me if there is no difference?
     
  19. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    825
    Location:
    Canada
  20. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    825
    Location:
    Canada
    Look at the same one you showed: all your DNS addresses.
    Mine is not the same.
    [image: 3.jpg]
     
