
How to Setup a VPN client including Policy Rules for PIA and other VPN providers 384.5 07.10.18

Discussion in 'VPN' started by yorgi, Mar 5, 2016.

  1. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    I am not saying that either is wrong, but if PIA, OpenVPN and TomatoUSB all resolve it like that, then why not have it like that with the Merlin way as well :)
    There is a difference, and when you are on the local ISP with selective routing by IP you will see that the DNS of PIA shows up instead of the local ISP, thus having to use DNS filtering.
    According to Merlin this will change with the new release of the firmware.
    I don't know yet because I have not tried it :)
     
  2. Rango

    Rango Senior Member

    Joined:
    Nov 24, 2015
    Messages:
    204
    Location:
    IL, USA
    lol....that's odd because mine, without any DNS filtering, shows as it should, with both DNS entries showing the same PIA DNS server.
    I've visited this website before and it always showed like that.

    And with DNS filtering I got an OpenDNS leak ....lol

    One thing that should also not leak is my private IP, but I don't care about that. In yours it does not. I do have a plugin to disable WebRTC in Chrome, but apparently it does not work too well, and I don't like Firefox due to tab management, so I have to have Chrome.
     
  3. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    When I put the DNS filtering on, I put the PIA filters, not Google :p
    Weird that you get it to work like that, but I don't have it set up the same way.
    I have it with policy rules for the VPN, so maybe it doesn't work the same way.
    I never tried sending all traffic to the VPN to see what it gives.
    So the way you have it, all traffic goes to the VPN and you don't care about the local ISP?
    What happens if the tunnel drops? Does it kill connections so that your IP doesn't leak?
    Because only in policy rules do you have the drop connections if tunnel goes down.
    I will do some more tests and see, because it's weird I don't get the same thing at all.

    Merlin, where are you to answer this question :p

    Ahha, so when you put all traffic it works like yours;
    when I put policy rules it doesn't work the same way.
    Strange.
     
    Last edited: Mar 21, 2016
  4. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    BTW, you have a problem with your browser.
    It's not supposed to give you the IP of your network.
    Go here:
    https://ipleak.net/#dnsleak
    and read up on Chrome and Firefox. There are problems with those browsers leaking your IP,
    so you can easily fix it with that URL.
     
  5. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    One last thing. When you create a network of 192.xx.xx.xx,
    it's safer to do it 192.168.8.xx. Don't use 1 like everyone else. If you have a hacker outside your place who is probing wireless, chances are he will not bother with you because almost everyone has .1.x or .0.x, so they never think of going to higher numbers, or they are not pros hehe. The pros will get on any network :p
    This is why when I sleep my wireless is off :)
    Less radiation too lol from those bionic antennas lol
     
  6. Rango

    Rango Senior Member

    Joined:
    Nov 24, 2015
    Messages:
    204
    Location:
    IL, USA
    So the way you have it all traffic goes to the VPN and you don't care about local ISP?

    Yes indeed. When you go back to ISP traffic you're defeating the purpose of VPN use in the first place, so yes, I'm gone with the wind essentially lol

    what happens if the tunnel drops does it kill connections so that your IP doesn't leak?

    Yeah, so my internet is down then, but then I know my VPN is down and I can react. Give me notice how many times they were down in a month but
    MAYBE relaxed DNS settings would then default to the Comcast IP DNS ??? I think that's how that works??? I didn't try this. I always use exclusive, but that only uses PIA DNS. I think with relaxed or strict it uses PIA, then if the tunnel goes down uses Comcast??? I'm not sure. Do you know?

    because only in policy rules you have the drop connections if tunnel goes down.

    Yes....so maybe I should set it up to default to Comcast then, but I didn't look into how to do that. I'm not too savvy with policy setups. How did you set this up? If it's too much work for you to show, then don't bother. I'm curious however.

    One last thing. When you create a network of 192.xx.xx.xx its safer to do it 192.168.8.xx don't use 1 like everyone else

    Good point. Didn't even think about it. May change to a different subnet then. I'll see.

    this is why when I sleep my wireless is off :) less radiation too lol from those bionic antennas lol

    Hahahah.....and I thought I was paranoid hahahah....JK bud.......I ordered my pfSense low power 8W NUC, no fans, so the firewall will be strong once I get it. I will then implement Snort and other firewall goodies. Didn't even look into packages yet.

    It's 1.6-2.0GHz with AES instructions, so it will annihilate OpenVPN speeds past my ISP speed, no worries. Total cost $230 with good parts. Great deal. It took some time to research the hardware I wanted. Most were out of my price range of $340 plus.

    BTW my powerhouse PC uses 7-18W of power idle, but I have a good PSU, so I suspect with the Dell one it would be slightly higher since I doubt they use the best PSU units. That's acceptable, but found a better solution anyway without the FANS!
     
    Last edited: Mar 21, 2016
  7. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    NO, the way I have it is POLICY RULES, so I have specific IP addresses that will go to the VPN and all other traffic goes to the local ISP.
    For example, I have my server and TV box that are always on the VPN,
    but the rest is local ISP.
    So when I use DNS filtering I use Google for the local ISP and PIA for the VPN.
    It all works out great. If my VPN tunnel goes down there is no DNS leak, but the rest of my devices are still online with the local ISP. So it works just right, except that everything uses the same DNS; that is why I am changing the DNS with filtering, but I know this is fixed in the new release according to Merlin, who mentioned that in the alpha page.

    You mentioned how often the VPN goes down.
    Well, from my experience I have seen the VPN go down way too many times in the past, especially if you push the hell out of the VPN; the program would go nuts and crash hehe, and that is why I went the router way.
    The router never crashed on me.
    I don't trust any provider, and the only way I can sleep at night is knowing that if the VPN drops I will be secure,
    otherwise why have a VPN :p

    I see everyone on 192.168.1.1; why not 192.168.24.8 for the router?
    A dumb hacker would never think about it :p only the smart ones...and why would any smart hacker want to hack us, right? hehe
    I don't think changing the subnet mask can make a difference, but why not hehe

    And to answer the paranoid question, well, I think everyone who is on a VPN has a bit of paranoia in them LOL
     
    Last edited: Mar 21, 2016
  8. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    I honestly can't wait to see what you will finally end up with :)
    Man, you have gone all kinds of directions hehe, but I love it :)
     
  9. Rango

    Rango Senior Member

    Joined:
    Nov 24, 2015
    Messages:
    204
    Location:
    IL, USA
    I have confidence it will work out with the NUC. At worst case I'll sell it on eBay or use it for something else. It's cheap enough and quad core. Has HDMI, can be used for multimedia or whatever, a practice PC for ESX, but like I'm saying, worst case I'll sell it on eBay, but I don't anticipate that. The P3 was running on pf and the only issues I had were fan noise and electricity use, heat etc. This is non-existent with that NUC.

    BTW that extension helped, but it's still not really saying I'm not leaking like on yours. The only one that worked is the proxy setting. The rest of them were still showing my VPN IP or private IP depending on the setting, but this is the proxy one and it seems to be gone, so partial fix? Do you use Firefox?
     
    Last edited: Mar 21, 2016
  10. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    Ok so I updated to 380.58

    VPN CPU order has been changed :) 2 4 on core 1 and 1 3 5 on core 2 :)
    VPN DNS works properly when in exclusive and policy rules :)
    No more need for DNS filtering :)
    Also no need to have Verb 3 in the custom configuration, as it now has a Global Log verbosity feature in the advanced VPN client :)

    Thumbs up for the changes :)

    When on the local ISP with policy rules and the VPN client running in the background, it shows the DNS of the VPN :(
    I still need to enable DNS filtering to fix that, only for the local ISP.
    When I disable the VPN client, the DNS resolves to the local ISP. This was the same in the previous firmware version.

    Am I missing something?
    I was under the impression that with the new firmware the DNS for the local ISP should show instead of the VPN DNS.
     
    Last edited: Mar 22, 2016
  11. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    I use Firefox and they show you a fix for that.
    There is also a fix for Chrome, but I don't use that.
     
  12. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    Something to think about :)
    ns-cert-type server
    This is an important security precaution to protect against a man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one of --ns-cert-type, --tls-remote, or --tls-verify.
     
  13. Rango

    Rango Senior Member

    Joined:
    Nov 24, 2015
    Messages:
    204
    Location:
    IL, USA
    You would think if it was so important PIA would list that in their config, odd but cool thanks.
     
  14. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    They do on their forums, but all they really care about is their PIA software, which they totally support.
    The rest is just trial and error :) They don't support routers or OpenVPN, for that matter. Any time you have a question about one of those topics they give you the bullshit speech hehe.
    That's what I do: I go to openvpn and see the switches and try them out. :)
     
  15. mirage22

    mirage22 Regular Contributor

    Joined:
    Apr 30, 2015
    Messages:
    73
    Interesting article. Where did you configure the port on the router?
     
  16. mirage22

    mirage22 Regular Contributor

    Joined:
    Apr 30, 2015
    Messages:
    73
    In fact, this is what I have in my settings. With Merlin's new .380 firmware, which options are not required anymore?

    Also an FYI - I think my VPN provider is using BF-CBC.

    Code:
    tls-client
    remote-cert-tls server
    ns-cert-type server
    auth-nocache
    tls-version-min 1.2
    reneg-sec 0
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    fast-io
    ping-restart 0
    route-delay 2
    route-method exe
    script-security 3 system
    mute-replay-warnings
    verb 3
     
  17. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    On the VPN client - Server Address and Port - port
    you have address section and next to it the port
     
  18. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    I don't know what most of them do, but these are the settings I now use.

    You can always go here and check out all the switches you have and what they do

    https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html
     
  19. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,556
    Location:
    Canada
    "reneg-sec" is the same thing as what is configured under "TLS Renegotiation Time" on the webui. You should remove that line, and change that setting from -1 to 0 instead.
     
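    The points raised across these replies (the man page's server-certificate check, the `reneg-sec` line duplicating the web UI field, the "Verb 3" line made redundant by the Global Log verbosity setting, and the BF-CBC cipher) can be checked mechanically against a custom-config block. The linter below is an added example, not code from the firmware or from anyone in this thread; the sample config is constructed from the block posted above plus an assumed `cipher BF-CBC` line.

```python
"""Lint an OpenVPN client custom-config fragment for the issues discussed in this thread.
Added example for illustration; not the router firmware's own validation."""
from typing import Dict, List

# Any one of these makes the client verify the server's certificate, which is the
# defence the quoted man page text names against a client impersonating the server.
SERVER_VERIFY = ("remote-cert-tls", "ns-cert-type", "tls-remote", "tls-verify")

# Constructed sample: a subset of the posted block plus an assumed cipher line.
SAMPLE_CONFIG = """\
tls-client
remote-cert-tls server
ns-cert-type server
auth-nocache
tls-version-min 1.2
reneg-sec 0          # duplicates the webui "TLS Renegotiation Time" field
cipher BF-CBC        # assumed: provider still negotiating Blowfish
verb 3
"""


def parse(text: str) -> Dict[str, List[str]]:
    """Map each directive to its argument list; blank lines and # comments are skipped."""
    out: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            out[key] = args
    return out


def lint(text: str) -> List[str]:
    """Return human-readable findings for a client config fragment."""
    cfg = parse(text)
    findings: List[str] = []
    if not any(d in cfg for d in SERVER_VERIFY):
        findings.append("no server-certificate check: add 'remote-cert-tls server'")
    if "ns-cert-type" in cfg:
        # ns-cert-type was deprecated in OpenVPN 2.4 and removed in 2.5; remote-cert-tls replaces it.
        findings.append("ns-cert-type is deprecated; rely on 'remote-cert-tls server' instead")
    if "reneg-sec" in cfg:
        findings.append("reneg-sec duplicates the webui 'TLS Renegotiation Time' setting; set it there")
    if " ".join(cfg.get("cipher", [])).upper() == "BF-CBC":
        # Blowfish has a 64-bit block; long sessions leak plaintext structure (SWEET32 class).
        findings.append("BF-CBC is a 64-bit block cipher; prefer AES-128-CBC or stronger if the server allows")
    if "verb" in cfg:
        findings.append("verb is now set via the Global Log verbosity field on the VPN client page")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("-", finding)
```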
  20. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    Great thanks.
    I will update the guide as well :)