What's new

Tutorial How to Setup a VPN client including Policy Rules for PIA and other VPN providers 384.5 07.10.18

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

In this guide I used the preferred encryption method which is AES-128-CBC and does the fastest speeds 50-60 mb/s

If you want to use other encryption's then AES, for PIA only!

  • use port 1194 with BF-CBC encryption.
  • use port 1195 with encryption type set to none and in custom configuration add auth none.
  • use port 1197 with AES-256-CBC encryption and in custom configuration add auth sha256.
So if I use the "preferred encryption method", i.e. AES-128-CBC, what port should I use?
Should it be different then the port used with the "default encryption method" Blowfish?

Thanks...
 
So if I use the "preferred encryption method", i.e. AES-128-CBC, what port should I use?
Should it be different then the port used with the "default encryption method" Blowfish?

Thanks...
Yes you need to use port 1196 for aes-128-cbc
Each encryption uses different ports and the reason aes-128 is the preferred method is because from all the encryption's its the fastest.
 
Great thanks. So I'm just going to summarize this all in one post for future reference. :)

  • use port 1194 with BF-CBC encryption. (PIA Default)
  • use port 1195 with encryption type set to none and in custom configuration add auth none.
  • use port 1196 with AES-128-CBC encryption. (Preferred for speed)
  • use port 1197 with AES-256-CBC encryption and in custom configuration add auth sha256.
 
Great thanks. So I'm just going to summarize this all in one post for future reference. :)

  • use port 1194 with BF-CBC encryption. (PIA Default)
  • use port 1195 with encryption type set to none and in custom configuration add auth none.
  • use port 1196 with AES-128-CBC encryption. (Preferred for speed)
  • use port 1197 with AES-256-CBC encryption and in custom configuration add auth sha256.
you got it :)
 
When I set compression to "Disabled" like suggested, I can no longer get internet access through the tunnel to PIA.
upload_2016-4-26_17-58-44.png


The tail end of my log shows "Invalid argument" which doesn't happen when Compressionis set to Adaptive.
Code:
Apr 26 17:52:51 openvpn-routing: Adding route for 10.xx.xx.15 to 0.0.0.0 through VPN client 1
Apr 26 17:52:51 openvpn-routing: Tunnel re-established, restoring WAN access to clients
Apr 26 17:52:51 openvpn-routing: Completed routing policy configuration for client 1
Apr 26 17:52:51 openvpn[10165]: Initialization Sequence Completed
Apr 26 17:52:58 openvpn[10165]: write to TUN/TAP : Invalid argument (code=22)
Apr 26 17:53:08 openvpn[10165]: write to TUN/TAP : Invalid argument (code=22)
Apr 26 17:53:18 openvpn[10165]: write to TUN/TAP : Invalid argument (code=22)

Do I need to do anything else to turn compression off? Perhaps select "None" instead of "Disabled"?
 
I set my Compression setting to "None" and was able to actually get internet access via the tunnel. So I thought I'd run a speed test to compare between "Adaptive" and "None"
With Adaptive Compression
upload_2016-4-26_18-15-59.png


Without Compression
upload_2016-4-26_18-16-52.png


I was expecting something a little different.
 
When I set compression to "Disabled" like suggested, I can no longer get internet access through the tunnel to PIA
I didn't say to disable compression in the article. If you look at the image its set to none.
I said that I don't use compression. I did fix the article to say "none" for compression as it is in the picture.
Speed tests don't test everything. When you are browsing on the web you should notice a quicker experience when you set compression to none.
You can do the same speed tests over and over and never get the same results.
 
Many thanks for the great guide

I've set up PIA on 380.58 on AC87U.

I'm using IP filtering to send my two Kodi boxes to VPN but all other devices to ISP

really daft question, how do I direct the VPN traffic via a particular country? I've downloaded the Ovpn and PIA apps for iPad expecting that these would allow routing of all traffic via a given country but they just allow me to direct the iPad down the VPN routing.
Where do I find the overall control panel that enables master routing of all VPN traffic down a particular route?

Or do I just change the server details I'm connecting to in the VPN client details on the router?

Sorry for dumb question. I'm so pleased I've managed to get this far after so much reading and research. I just can't get the final mile! Any help appreciated
 
Last edited:
Many thanks for the great guide

I've set up PIA on 380.58 on AC87U.

I'm using IP filtering to send my two Kodi boxes to VPN but all other devices to ISP

really daft question, how do I direct the VPN traffic via a particular country? I've downloaded the Ovpn and PIA apps for iPad expecting that these would allow routing of all traffic via a given country but they just allow me to direct the iPad down the VPN routing.
Where do I find the overall control panel that enables master routing of all VPN traffic down a particular route?

Or do I just change the server details I'm connecting to in the VPN client details on the router?

Sorry for dumb question. I'm so pleased I've managed to get this far after so much reading and research. I just can't get the final mile! Any help appreciated


You can change the country server from the VPN client on your router.
Here is a list of all the servers for all countries that PIA supports.
https://www.privateinternetaccess.com/pages/network/
basically if you want to connect to the UK server just change the server name in "Server Address and Port" on the VPN client to uk-london.privateinternetaccess.com
then turn the Service state button to off and then on and the new country will take effect.

You do not need to put the client on your iPad if you are using the router for VPN.
But if you want a different VPN server on your iPad other then the one that your router is currently on then you would need that app on your iPad and you can only use one country server at a time.
The app is pretty straight forward. choose the country, put your username and password and its done.

Personally what I would do is this.
reserve a few more static IP address's for the policy rules that will go through the VPN and when you want to use VPN for your tablet just change the IP address to the one you reserved for VPN and when your done go back to DHCP on your tablet.

Also make sure you have proper DNS filtering for the devices that do not use the VPN via DNS filtering because if you don't as in my article all your ISP traffic will use the DNS of PIA.
On the tablet if you switch back and forth from VPN and ISP don't put a DNS filtering, manually change them every time.

example for iPad that will use VPN and ISP from the router. DNSfiletering will not be used in this case instead you would manually change the following.

IP DHCP
DNS 8.8.8.8 for google

for VPN
IP 192.168.1.50
subnet 255.255.255.0
gateway 192.168.1.1 this is your routers IP
DNS 192.168.1.1 this is your routers IP

Using the PIA software is not recommended because if you use DNSfiltering and point for example google for DNS to your iPad when you use the software to connect to PIA it will use the DNS of ISP being google which is not good.
you need the DNS of PIA when using the VPN and the DNS of ISP when on ISP so the only work around is the example above.

In order to test all your devices and to make sure all DNS works right use the following url

https://ipleak.net/

Its a pain in the butt with the way it all works but at least you know how it all works now :)
I hope this makes some sense.
 
You can change the country server from the VPN client on your router.
Here is a list of all the servers for all countries that PIA supports.
https://www.privateinternetaccess.com/pages/network/
basically if you want to connect to the UK server just change the server name in "Server Address and Port" on the VPN client to uk-london.privateinternetaccess.com
then turn the Service state button to off and then on and the new country will take effect.

You do not need to put the client on your iPad if you are using the router for VPN.
But if you want a different VPN server on your iPad other then the one that your router is currently on then you would need that app on your iPad and you can only use one country server at a time.
The app is pretty straight forward. choose the country, put your username and password and its done.

Personally what I would do is this.
reserve a few more static IP address's for the policy rules that will go through the VPN and when you want to use VPN for your tablet just change the IP address to the one you reserved for VPN and when your done go back to DHCP on your tablet.

Also make sure you have proper DNS filtering for the devices that do not use the VPN via DNS filtering because if you don't as in my article all your ISP traffic will use the DNS of PIA.
On the tablet if you switch back and forth from VPN and ISP don't put a DNS filtering, manually change them every time.

example for iPad that will use VPN and ISP from the router. DNSfiletering will not be used in this case instead you would manually change the following.

IP DHCP
DNS 8.8.8.8 for google

for VPN
IP 192.168.1.50
subnet 255.255.255.0
gateway 192.168.1.1 this is your routers IP
DNS 192.168.1.1 this is your routers IP

Using the PIA software is not recommended because if you use DNSfiltering and point for example google for DNS to your iPad when you use the software to connect to PIA it will use the DNS of ISP being google which is not good.
you need the DNS of PIA when using the VPN and the DNS of ISP when on ISP so the only work around is the example above.

In order to test all your devices and to make sure all DNS works right use the following url

https://ipleak.net/

Its a pain in the butt with the way it all works but at least you know how it all works now :)
I hope this makes some sense.

Thank buddy I really do appreciate your advice

I understand what you mean now with regards country switching

I wasn't sure about DNS as your guide mentioned that it was fixed by latest Merlin firmware. I haven't tested it but will hopefully get a chance to play with this later today

Many thanks once again. My learning curve with this has been so steep. I really appreciate you sharing your knowledge

Cheers
 
I wasn't sure about DNS as your guide mentioned that it was fixed by latest Merlin firmware.
I didn't say that. I said the VPN client now resolves the Proper DNS as its now fixed with the new firmware therefore you don't need to use DNSfiltering for VPN.
But if you notice for Local ISP traffic I still recommend you use DNSfiltering because the DNS resolves to PIA.
This is not a bug from the router, its the way it is. When you connect to a VPN tunnel it automatically binds its DNS with the VPN provider as its set to EXCLUSIVE.
Therefore when one wants to re direct traffic from the VPN tunnel to local ISP the DNS is still the same as from the VPN. This is why we have to use DNSfiltering for ISP
before the new firmware one would have to use DNSfiltering for VPN and ISP because the DNS was not resolving properly but its been fixed with the Exclusive mode and from what Merlin said
he will be most likely be taking out the Strict method because its outdated and even the author who created the Strict method doesn't recommend anyone use it.
 
I didn't say that. I said the VPN client now resolves the Proper DNS as its now fixed with the new firmware therefore you don't need to use DNSfiltering for VPN.
But if you notice for Local ISP traffic I still recommend you use DNSfiltering because the DNS resolves to PIA.

Ah, my bad, thanks for clarifying. I'll give that a go now
 
Ah, my bad, thanks for clarifying. I'll give that a go now
Is there a way to send all DHCP devices to Router / Custom DNS and as well as those devices with static IPs?
The list of DNS rules only allows up to 64 clients so I wondered whether there's a overarching rule
 
Is there a way to send all DHCP devices to Router / Custom DNS and as well as those devices with static IPs?
The list of DNS rules only allows up to 64 clients so I wondered whether there's a overarching rule
Unfortunately no. I have complained about it but Merlin explained that the ASUS routers are wired that way and cannot be done otherwise.
It would be nice if the router can do VPN and ISP as separate connections and DNS but the way it stands when a VPN tunnel is added it goes on top of the existing ISP and pretty much makes everything more complicated.
You have a couple of ways to do it. Most people use VPN to download so they dedicate a PC just for that and as far as the other devices well its up to you.
Personally I have my phones, iPad and Surface all on ISP and one dedicated PC for VPN.
I have scripts also that I run to change between VPN and ISP address but that gets super complicated but if you need to do that let me know and I can provide you with how to guide to setup batch files that you can switch from VPN to ISP. but that will only work for PC using the netsh command. I am not sure how to do that with MAC but there is a way to write scripts for netsh with MAC as well.
As far as phones and iPads that has to be done manually.
It all boils down to which devices really need VPN and which Dont. its easier to just setup some for VPN and others for ISP and forget about them :)
At one point its a compromise :)
 
Great guide. Thanks for taking the time to write it! I have managed to get it working but choosing your recommended encryption settings for speed I am still unable to get anywhere near my BB speeds. I am using an overclocked RT-AC88u so there should be enough juice to handle PIA's VPN. I even tried it with no encryption but this didn't change the speed. Any ideas? Thanks in advance
 
Great guide. Thanks for taking the time to write it! I have managed to get it working but choosing your recommended encryption settings for speed I am still unable to get anywhere near my BB speeds. I am using an overclocked RT-AC88u so there should be enough juice to handle PIA's VPN. I even tried it with no encryption but this didn't change the speed. Any ideas? Thanks in advance

If you are getting 50-60 kbps you are in the pocket. Even if you BB is 200 kbps you wont get faster then what i wrote.
let me know what speeds you are getting so I can help out better
 
If you are getting 50-60 kbps you are in the pocket. Even if you BB is 200 kbps you wont get faster then what i wrote.
let me know what speeds you are getting so I can help out better

I am getting about 10-15Mbps, using their windows client through my laptop I can pull pretty much my full line speedd - 45-50Mbps.

Thanks
 
I am getting about 10-15Mbps, using their windows client through my laptop I can pull pretty much my full line speedd - 45-50Mbps.

Thanks
Hi, I don't understand what you are saying.
What windows client?
You can pull pretty much full line speed 45-50???

Please do the following if you want any help :)

use this site http://www.speedtest.net/ and do a speedtest without VPN and one speedtest with VPN
make sure you are connected to the router via a network cable and not wireless.

Find out what your speed is from your local ISP example 70 mbps
and then turn on the VPN and do the same.

if your ISP is 50 mbps you should be doing the same for VPN.
you will never get faster then 50 or 60mbps using VPN
please let us know exactly what you are talking about when you are saying the speeds are slow.

Overclocking the cpu wont get you faster speeds it will only burn out your router. There have been people who have overclocked their cpu to get faster speeds for VPN but that never helped.

Also you don't need a microsoft VPN client to connect to PIA VPN when using the router. its really slow and you are not using it correctly.

When using a client use the PIA client on your laptop if you are not at your house or office where your router is. It is super fast in comparison to MS client or PPTP or L2TP
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top