How to Set Up a VPN client including Policy Rules for PIA and other VPN providers 384.5 07.10.18

yorgi

Very Senior Member
I am not saying that either is wrong, but if PIA and OpenVPN and TomatoUSB all resolve it like that, then why not have it like that with the Merlin way as well :)
There is a difference: when you are on the local ISP with selective routing by IP you will see that the DNS of PIA shows up instead of the local ISP, thus having to use DNSFiltering.
According to Merlin this will change with the new release of firmware.
I don't know yet because I have not tried it :)
 

Rango

Senior Member
lol....that's odd, 'cause mine without any DNS filtering shows as it should, with both DNS entries showing the same PIA DNS server.
I've visited this website before and it always showed like that.

And with DNS filtering I got an OpenDNS leak ....lol

One thing that should also not leak is my private IP, but I don't care about that. In yours it does not. I do have a plugin for WebRTC to be disabled in Chrome but apparently it does not work too well, and I don't like Firefox due to tab management so I have to have Chrome.

 

yorgi

Very Senior Member
When I put on DNS filtering I put the PIA filters, not Google :p
Weird that you get it to work like that, but I don't have it set up the same way.
I have it with policy rules for VPN so maybe it doesn't work the same way.
I never tried all traffic to VPN to see what it gives.
So the way you have it, all traffic goes to the VPN and you don't care about local ISP?
What happens if the tunnel drops, does it kill connections so that your IP doesn't leak?
Because only in policy rules do you have the "drop connections if tunnel goes down" option.
I will do some more tests and see, because it's weird I don't get the same thing at all.

Merlin, where are you to answer this question :p

Aha, so when you put all traffic it works like you say;
when I put policy rules it doesn't work the same way.
Strange.
 

yorgi

Very Senior Member
lol....that's odd, 'cause mine without any DNS filtering shows as it should, with both DNS entries showing the same PIA DNS server.
I've visited this website before and it always showed like that.

And with DNS filtering I got an OpenDNS leak ....lol

One thing that should also not leak is my private IP, but I don't care about that. In yours it does not. I do have a plugin for WebRTC to be disabled in Chrome but apparently it does not work too well, and I don't like Firefox due to tab management so I have to have Chrome.

btw you have a problem with your browser.
It's not supposed to give you the IP of your network.
Go here
https://ipleak.net/#dnsleak
and read up on Chrome and Firefox. There are problems with those browsers leaking your IP,
so you can easily fix it with that URL.
 

yorgi

Very Senior Member
One last thing. When you create a network of 192.xx.xx.xx
it's safer to do it 192.168.8.xx; don't use 1 like everyone else. If you have a hacker outside your place who is probing wireless, chances are he will not bother with you because almost everyone has .1.x or .0.x so they never think of going to higher numbers, or they are not pros hehe. The pros will get on any network :p
This is why when I sleep my wireless is off :)
Less radiation too lol from those bionic antennas lol
 

Rango

Senior Member
So the way you have it, all traffic goes to the VPN and you don't care about local ISP?

Yes indeed. When you go back to ISP traffic you're defeating the purpose of VPN use in the first place, so yes I'm gone with the wind essentially lol

What happens if the tunnel drops, does it kill connections so that your IP doesn't leak?

Yeah, so my internet is down then, but then I know my VPN is down and I can then react. Give me notice how many times they were down in a month but
MAYBE relaxed DNS settings would then default to Comcast IP DNS ??? I think that's how that works??? I didn't try this. I always use exclusive but that only uses PIA DNS. I think with relaxed or strict it uses PIA then if the tunnel goes down uses Comcast??? I'm not sure. Do you know?

Because only in policy rules do you have the "drop connections if tunnel goes down" option.

Yes....so maybe I should set it up to default to Comcast then, but I didn't look into how to do that. I'm not too savvy with policy setups. How did you set this up? If too much work for you to show then don't bother. I'm curious however.

One last thing. When you create a network of 192.xx.xx.xx it's safer to do it 192.168.8.xx; don't use 1 like everyone else

Good point. Didn't even think about it. May change to a different subnet then. I'll see.

This is why when I sleep my wireless is off :) less radiation too lol from those bionic antennas lol

Hahahah.....and I thought I was paranoid hahahah....JK bud.......I ordered my pfSense low power 8W NUC, no fans, so the firewall will be strong once I get it. I will then implement Snort and other firewall goodies. Didn't even look into packages yet.

It's 1.6-2.0GHz with AES instructions so it will annihilate OpenVPN speeds past my ISP speed, no worries. Total cost $230 with good parts. Great deal. It took some time to research the hardware I wanted. Most were out of my price range at $340 plus.

BTW my power house PC uses 7-18W of power idle, but I have a good PSU, so I suspect with the Dell one it would be slightly higher since I doubt they use the best PSU units. That's acceptable but found a better solution anyway without the FANS!

 

yorgi

Very Senior Member
So the way you have it, all traffic goes to the VPN and you don't care about local ISP?

Yes indeed. When you go back to ISP traffic you're defeating the purpose of VPN use in the first place, so yes I'm gone with the wind essentially lol

What happens if the tunnel drops, does it kill connections so that your IP doesn't leak?

Yeah, so my internet is down then, but then I know my VPN is down and I can then react. Give me notice how many times they were down in a month but
MAYBE relaxed DNS settings would then default to Comcast IP DNS ??? I think that's how that works??? I didn't try this. I always use exclusive but that only uses PIA DNS. I think with relaxed or strict it uses PIA then if the tunnel goes down uses Comcast??? I'm not sure. Do you know?

Because only in policy rules do you have the "drop connections if tunnel goes down" option.

Yes....so maybe I should set it up to default to Comcast then, but I didn't look into how to do that. I'm not too savvy with policy setups. How did you set this up? If too much work for you to show then don't bother. I'm curious however.

One last thing. When you create a network of 192.xx.xx.xx it's safer to do it 192.168.8.xx; don't use 1 like everyone else

Good point. Didn't even think about it. May change to a different subnet then. I'll see.

This is why when I sleep my wireless is off :) less radiation too lol from those bionic antennas lol

Hahahah.....and I thought I was paranoid hahahah....JK bud.......I ordered my pfSense low power 8W NUC, no fans, so the firewall will be strong once I get it. I will then implement Squid and other firewall goodies. Didn't even look into packages yet.

It's 1.6-2.0GHz with AES instructions so it will annihilate OpenVPN speeds past my ISP speed, no worries. Total cost $230 with good parts. Great deal. It took some time to research the hardware I wanted. Most were out of my price range at $340 plus.
NO, the way I have it is POLICY RULES, so I have specific IP addresses that will go to the VPN and all other traffic goes to the local ISP.
For example I have my server and TV box that are always on the VPN
but the rest is local ISP.
So when I use DNSFiltering I use Google for local ISP and PIA for VPN.
It all works out great. If my VPN tunnel goes down there is no DNS leak, but the rest of my devices are still online with the local ISP. So it works just right, except that everything uses the same DNS; that is why I am changing the DNS with filtering, but I know this is fixed in the new release according to Merlin, who mentioned that in the alpha page.

You mentioned how often the VPN goes down.
Well from my experience I have seen the VPN go down way too many times in the past, especially if you push the hell out of the VPN; the program would go nuts and crash hehe, and that is why I went the router way.
The router never crashed on me.
I don't trust any provider and the only way I can sleep at night is knowing that if the VPN drops I will be secure,
otherwise why have a VPN :p

I see everyone on 192.168.1.1, why not 192.168.24.8 for the router?
A dumb hacker would never think about it :p only the smart ones...and why would any smart hacker want to hack us, right? hehe
I don't think changing the subnet mask can make a difference but why not hehe

And to answer the paranoid question, well I think everyone who is on a VPN has a bit of paranoia in them LOL
 

yorgi

Very Senior Member
So the way you have it, all traffic goes to the VPN and you don't care about local ISP?

Yes indeed. When you go back to ISP traffic you're defeating the purpose of VPN use in the first place, so yes I'm gone with the wind essentially lol

What happens if the tunnel drops, does it kill connections so that your IP doesn't leak?

Yeah, so my internet is down then, but then I know my VPN is down and I can then react. Give me notice how many times they were down in a month but
MAYBE relaxed DNS settings would then default to Comcast IP DNS ??? I think that's how that works??? I didn't try this. I always use exclusive but that only uses PIA DNS. I think with relaxed or strict it uses PIA then if the tunnel goes down uses Comcast??? I'm not sure. Do you know?

Because only in policy rules do you have the "drop connections if tunnel goes down" option.

Yes....so maybe I should set it up to default to Comcast then, but I didn't look into how to do that. I'm not too savvy with policy setups. How did you set this up? If too much work for you to show then don't bother. I'm curious however.

One last thing. When you create a network of 192.xx.xx.xx it's safer to do it 192.168.8.xx; don't use 1 like everyone else

Good point. Didn't even think about it. May change to a different subnet then. I'll see.

This is why when I sleep my wireless is off :) less radiation too lol from those bionic antennas lol

Hahahah.....and I thought I was paranoid hahahah....JK bud.......I ordered my pfSense low power 8W NUC, no fans, so the firewall will be strong once I get it. I will then implement Snort and other firewall goodies. Didn't even look into packages yet.

It's 1.6-2.0GHz with AES instructions so it will annihilate OpenVPN speeds past my ISP speed, no worries. Total cost $230 with good parts. Great deal. It took some time to research the hardware I wanted. Most were out of my price range at $340 plus.

BTW my power house PC uses 7-18W of power idle, but I have a good PSU, so I suspect with the Dell one it would be slightly higher since I doubt they use the best PSU units. That's acceptable but found a better solution anyway without the FANS!

I honestly can't wait to see what you will finally end up with :)
Man, you have gone all kinds of directions hehe but I love it :)
 

Rango

Senior Member
I have confidence it will work out with the NUC. At worst case I'll sell it on eBay or use it for something else. It's cheap enough and quad core. Has HDMI, can be used for multimedia or whatever, practice PC for ESX, but like I'm saying, worst case I'll sell it on eBay but I don't anticipate that. P3 was running on pf and the only issue I had was fan noise and electricity use, heat etc. This is non-existent with that NUC.

BTW that extension helped but it's still not really saying I'm not leaking like on yours. The only one that worked is the proxy setting. The rest of them were still showing my VPN IP or private IP depending on setting, but this is the proxy one and it seems to be gone, so partial fix? Do you use Firefox?

 

yorgi

Very Senior Member
Ok so I updated to 380.58

VPN CPU order has been changed :) 2 4 on core 1 and 1 3 5 on core 2 :)
VPN DNS works properly when in exclusive and policy rules :)
No more need for DNSFiltering :)
Also no need to have verb 3 in custom configuration, as it now has a Global Log verbosity feature in the advanced VPN client :)

Thumbs up for the changes :)

When in local ISP with policy rules and the VPN client is running in the background, it shows the DNS of the VPN :(
I still need to enable DNSFiltering to fix that, only for local ISP.
When I disable the VPN client the DNS resolves to the local ISP. This was the same in the previous firmware version.

Am I missing something?
I was under the impression that with the new firmware the DNS for local ISP should show instead of the VPN DNS.
 

yorgi

Very Senior Member
I have confidence it will work out with the NUC. At worst case I'll sell it on eBay or use it for something else. It's cheap enough and quad core. Has HDMI, can be used for multimedia or whatever, practice PC for ESX, but like I'm saying, worst case I'll sell it on eBay but I don't anticipate that. P3 was running on pf and the only issue I had was fan noise and electricity use, heat etc. This is non-existent with that NUC.

BTW that extension helped but it's still not really saying I'm not leaking like on yours. The only one that worked is the proxy setting. The rest of them were still showing my VPN IP or private IP depending on setting, but this is the proxy one and it seems to be gone, so partial fix? Do you use Firefox?

I use Firefox and they show you a fix for that.
There is also a fix for Chrome but I don't use that.
 

yorgi

Very Senior Member
Yorgi, just as info, only the following are needed based on my testing. I think the rest of those you listed are already built in when the router is negotiating, so you're just repeating that again in custom settings. I'm not sure if that will interfere or not but it's redundant. Merlin or John would know better. I think the rest of those instructions are for open source DD-WRT firmware types. I could be wrong but

Required
tls-client
remote-cert-tls server
reneg-sec 0

Optional in 380 and lower firmware. Listing verb in custom config will also work better with some VPN nodes. May connect you to the closest node.
This is all dependent on the VPN node server closest to you, so one has to experiment a little in their region.

verb 3 through 10....I found 3 being best. 5 will report too many unnecessary errors like packets being dropped due to something like a UDP error. Not really useful for the average Joe.
Something to think about :)
ns-cert-type server
This is an important security precaution to protect against a man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one of --ns-cert-type, --tls-remote, or --tls-verify
 

Rango

Senior Member
You would think if it was so important PIA would list that in their config, odd but cool thanks.
 

yorgi

Very Senior Member
You would think if it was so important PIA would list that in their config, odd but cool thanks.
They do on their forums, but all they really care about is their PIA software, which they totally support.
The rest is just trial and error :) They don't support routers or OpenVPN for that matter. Anytime you have a question about one of those topics they give you the bullshit speech hehe.
That's what I do, I go to OpenVPN and see the switches and try them out. :)
 

mirage22

Regular Contributor
If you want to use Blowfish instead of AES encryption
use port 1194 with BF-CBC encryption. This will slow your speed from maximum 50 Mbps to 35 Mbps.
Use port 1195 with encryption type set to none and in custom configuration add auth none.
This method is the fastest and full speed but without encryption, great for geometric zones.
Use port 1197 with AES-256-CBC encryption and add auth sha256 at the bottom of custom configurations. Slower than all other encryptions, 25-30 Mbps max.
Interesting article. Where did you configure the port on the router?
 

mirage22

Regular Contributor
In fact, this is what I have in my settings. With Merlin's new .380 firmware, what options are not required anymore?

Also an FYI - I think my VPN provider is using BF-CBC.

Code:
tls-client
remote-cert-tls server
ns-cert-type server
auth-nocache
tls-version-min 1.2
reneg-sec 0
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
fast-io
ping-restart 0
route-delay 2
route-method exe
script-security 3 system
mute-replay-warnings
verb 3
 

yorgi

Very Senior Member
In fact, this is what I have in my settings. With Merlin's new .380 firmware, what options are not required anymore?

Also an FYI - I think my VPN provider is using BF-CBC.

Code:
tls-client
remote-cert-tls server
ns-cert-type server
auth-nocache
tls-version-min 1.2
reneg-sec 0
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
fast-io
ping-restart 0
route-delay 2
route-method exe
script-security 3 system
mute-replay-warnings
verb 3
I don't know what most of them do, but these are the settings I now use.


You can always go here and check out all the switches you have and what they do

https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html
 

RMerlin

Asuswrt-Merlin dev
"reneg-sec" is the same thing as what is configured under "TLS Renegotiation Time" on the webui. You should remove that line, and change that setting from -1 to 0 instead.
 

yorgi

Very Senior Member
"reneg-sec" is the same thing as what is configured under "TLS Renegotiation Time" on the webui. You should remove that line, and change that setting from -1 to 0 instead.
Great, thanks.
I will update the guide as well :)
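A small checker, added here as an example and not code from the thread or from Asuswrt-Merlin, that reads a custom-configuration block like the one posted above and flags what this thread settled on: reneg-sec (and, on 380.58+, verb) duplicate webui fields, the client must verify the peer's server certificate, and cipher/auth none leave the tunnel unprotected. The webui field names and the deprecated status of ns-cert-type are assumptions stated in the comments.

```python
# Added example, not code from the thread or from Asuswrt-Merlin: a linter for
# an Asuswrt-Merlin OpenVPN client "Custom Configuration" block that encodes the
# thread's advice: reneg-sec and verb duplicate webui fields, the peer's server
# certificate must be verified, and cipher/auth none strip tunnel protection.

# Directives the Merlin webui already manages (assumed labels match the webui).
WEBUI_MANAGED = {
    "reneg-sec": "TLS Renegotiation Time",
    "verb": "Log verbosity (380.58 and later)",
}
# Either directive makes the client require a server certificate from the peer.
SERVER_CERT_CHECKS = {"remote-cert-tls", "ns-cert-type"}


def parse_custom_config(text):
    """Return (directive, [args]) tuples; lines starting with # or ; are comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def lint_custom_config(text):
    """Return human-readable findings for one custom-config block."""
    findings = []
    entries = parse_custom_config(text)
    names = {name for name, _ in entries}
    for name, args in entries:
        if name in WEBUI_MANAGED:
            findings.append(f"{name}: duplicates the webui field "
                            f"'{WEBUI_MANAGED[name]}'; remove it from custom config")
        if name in SERVER_CERT_CHECKS and args != ["server"]:
            findings.append(f"{name}: expected '{name} server'")
        if name in ("cipher", "auth") and args == ["none"]:
            what = "encryption" if name == "cipher" else "HMAC integrity check"
            findings.append(f"{name} none: tunnel has no {what}")
    if not names & SERVER_CERT_CHECKS:
        findings.append("no remote-cert-tls/ns-cert-type server: client cannot tell "
                        "a server certificate from another client's (MITM risk)")
    elif "remote-cert-tls" not in names:
        findings.append("ns-cert-type is deprecated; use remote-cert-tls server")
    return findings


# Constructed sample: the first lines of the block mirage22 posted above.
SAMPLE = "tls-client\nremote-cert-tls server\nns-cert-type server\nreneg-sec 0\nverb 3\n"

if __name__ == "__main__":
    for finding in lint_custom_config(SAMPLE):
        print("-", finding)
```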
 
