How to Setup a VPN client including Policy Rules for PIA and other VPN providers 384.5 07.10.18

Xentrk

Part of the Furniture
Hello again all,

I noticed on the PIA website merlin router setup guide that they recommend using the persist-key & persist-tun commands in the custom configuration field:

https://www.privateinternetaccess.com/helpdesk/guides/routers/merlin/merlin-firmware-openvpn-setup

...but it's not used in this guide - so was wondering if it's needed & what those two commands actually do?

Thanks.
Best to point you to the guide so you can see the context of how the settings work with the up down scripts:

https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
 

pusb87

Regular Contributor
Hello again all,

I noticed on the PIA website merlin router setup guide that they recommend using the persist-key & persist-tun commands in the custom configuration field:

https://www.privateinternetaccess.com/helpdesk/guides/routers/merlin/merlin-firmware-openvpn-setup

...but it's not used in this guide - so was wondering if it's needed & what those two commands actually do?

Thanks.
AFAIK if those commands are included in the PIA ovpn config file (which they are in their latest ovpn files), and you import that file, then they are not needed in custom config.

I certainly don't have them in my custom config file and my PIA connection is just fine at full speed on AC86U router.

PS I use their 128 GCM files via their configurator >> https://www.privateinternetaccess.com/pages/ovpn-config-generator
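
A way to check the point made in the post above, as an added example that is not part of the original post and is not PIA or Merlin tooling: it parses an imported .ovpn file and labels each custom-config directive as already present, present with different arguments, or absent. The sample file contents, the host `vpn.example.net` and the function names are constructed for illustration.

```python
import shlex

# Constructed sample of an imported provider .ovpn file (not PIA's real file).
SAMPLE_OVPN = """\
client
remote vpn.example.net 1198   # placeholder host
resolv-retry 30
; nobind
persist-key
persist-tun
<ca>
persist-key inside an inline block is not a directive
</ca>
"""
# Constructed custom-config field using directives mentioned in this thread.
SAMPLE_CUSTOM = "persist-key\npersist-tun\nresolv-retry infinite\nfast-io\n"

def parse_directives(text):
    """Map directive -> list of argument lists; skip comments and inline blocks."""
    directives, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if block:                      # inside a <ca>, <cert>, ... body
            if line == f"</{block}>":
                block = None
            continue
        if not line or line[0] in "#;":   # both comment styles OpenVPN accepts
            continue
        if line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            continue
        tokens = shlex.split(line, comments=True)  # drops trailing "# ..." text
        if tokens:
            directives.setdefault(tokens[0], []).append(tokens[1:])
    return directives

def classify_custom(ovpn_text, custom_text):
    """Label each custom directive: redundant, differs, or missing."""
    imported = parse_directives(ovpn_text)
    report = {}
    for name, arg_lists in parse_directives(custom_text).items():
        if name not in imported:
            report[name] = "missing"       # only the custom field sets it
        elif all(args in imported[name] for args in arg_lists):
            report[name] = "redundant"     # imported file already has it
        else:
            report[name] = "differs"       # same directive, other arguments
    return report
```

A `differs` result means the same directive appears in both places with other arguments, so check which value the running client actually uses.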
 

frooty

Regular Contributor
Thanks for all the responses guys. I've tried my connections both with & without those two commands & I've not noticed any difference tbh, which was why I asked about them. I did check the openvpn wiki but it's all a bit above my paygrade....lol So I'm still none the wiser. It's always been stable using the aes-256-cbc/sha256 combo & it's still running fine with the extra commands so I'll just leave it be in case I break something.
Thanks again.
 

TonyK132

Senior Member
Is there anything you have to do to implement a Kill Switch in the PIA configuration?
 

doczenith1

Very Senior Member
Is there anything you have to do to implement a Kill Switch in the PIA configuration?
Select "Yes"
upload_2019-5-16_18-29-16.png


Just realized that you need to use policy rules to get this option.
 

Wafflestyx

New Around Here
Currently PIA is having a DNS issue with Amazon and some other sites.
Is there a command for the custom configuration field that would let me change the DNS to w/e I want (Cloudflare, Google)?

Some googling I came across ( push "dhcp-option DNS 8.8.8.8" ) for a config file but putting that in the field didn't seem to help.

Edit: Looks like you just put
dhcp-option DNS 1.1.1.1
dhcp-option DNS 1.0.0.1
 

Diamond67

Senior Member
PS I use their 128 GCM files via their configurator >> https://www.privateinternetaccess.com/pages/ovpn-config-generator
Did you choose "OpenVPN 2.4 or newer" and Linux?

I have never configured OpenVPN on my router before (I have used PIA client apps with Android, Ubuntu and Windows 10) and now when I tried to get some info when it comes to tweaking with router OpenVPN settings it seems that during this year several links regarding PIA and Asuswrt-Merlin OpenVPN setup settings have disappeared from PIA website and (maybe because of the similarities) they have focused on Asuswrt OpenVPN, and there is even this rather recently updated link with instructions available:

https://www.privateinternetaccess.c...ware-openvpn-setup-2#step-1-advanced-settings

I contacted PIA tech support and they recommended using manual config (= instructions from that site) instead of using Config Generator.

Do you think that those settings from that website are quite OK? There may be some settings missing or a bit different compared with Merlin 384.13.
 

CaptainSTX

Part of the Furniture
I use PIA and while I previously tweaked the settings in the custom configuration I found it never seemed to make an improvement in performance and more recently it seemed to result in instability and the clients would fail.

Instead I would just go to PIA's configurator and download a file for the server you want to use along with the security settings you want. I currently use AES-128-CBC on Port 1198 and for the second client AES-256-CBC on Port 1197. Add your user name and password and then start the clients up. NOTE: If you plan to use multiple VPN clients from any vendor only a single VPN (client or server) can be running on a particular port. PIA offers at least eleven configuration options but some of the options are not compatible with Merlin's firmware. I have used configurations using Ports 443, 1198 and 1197 and maybe ports 502 and 501. Start with the basic AES-128-CBC on Port 1198.

I have run PIA on an N66, AC1900P and an AC86.

Don't run multiple clients until you are comfortable with just a single client.

PS. I haven't had any problems with Amazon. I am using the DNS policy = relaxed.
 

pusb87

Regular Contributor
Did you choose "OpenVPN 2.4 or newer" and Linux?
Yes, but it doesn't matter as the Linux and Windows config files are the same as far as I can see.
These are my settings on 384.12

For me this works fine with one exception: even though I have
Block routed clients if tunnel goes down set to Yes
if the VPN client goes down then it reconnects using my ISP's IP :( ---- this happens very rarely
 

doczenith1

Very Senior Member
Auth digest can be set to none when using GCM ciphers.
 

frooty

Regular Contributor
Just a heads up to all you PIA users out there (me included): PIA have been bought by the notorious malware/adware/data selling company Kape Technologies & as of yesterday can no longer be trusted with your info/privacy. Read more about it:

https://news.ycombinator.com/item?id=21584958
https://www.reddit.com/r/PrivateInt...erger_with_kape_technologies_addressing_your/

I have cancelled my subscription & advise everyone else to do the same if you value your privacy.

Edit: Wonder if this guide works for Mullvad?.....

Edit2: A few more links:

 

Wired

New Around Here
Greetings all! Longtime reader just don't post often because I typically find my answer(s) on here. Have a question though and would appreciate the feedback.

Have the 86U, latest firmware. Also running Skynet. 300 connection from my ISP going through PIA. When I first configured the router, I was able to get 200+ when connecting to their Texas servers. Can't figure out what's changed, now I only see 50-125 from that server. I've used many combinations of referenced settings from this thread and some of the stickied threads. I've tried setting encryption at AES-128-CBC/GSM which doesn't seem to make a difference. Compression adaptive/none etc. I'll attach some screenshots when I get home this evening, but would appreciate any assistance.

Thanks
 

doczenith1

Very Senior Member
Your PIA settings are the same as mine. My custom config is:
resolv-retry infinite
tls-client
remote-cert-tls server
disable-occ
persist-key
persist-tun
fast-io (last I heard this was in beta but may help a little with speeds)

These are some recent speedtest results using the Chicago PIA server.

upload_2020-3-9_21-3-7.png
 

Wired

New Around Here
Your PIA settings are the same as mine. My custom config is:
resolv-retry infinite
tls-client
remote-cert-tls server
disable-occ
persist-key
persist-tun
fast-io (last I heard this was in beta but may help a little with speeds)

These are some recent speedtest results using the Chicago PIA server.

View attachment 21842
Ok. Thanks. I’ll add the fast-io, see if there’s any noticeable difference. Closest server to me is Texas but have seen a little difference if I connect thru Denver. Nothing like you posted though.

I’ve been using Speedtest (single connection) to get my results. Are you using spdmerlin from the router?
 

doczenith1

Very Senior Member
I’ve been using Speedtest (single connection) to get my results. Are you using spdmerlin from the router?
Yes. I get similar results with web based tests also. I would try the multi connection as I seem to remember getting better results.
 

Wired

New Around Here
Then something’s not right with my setup somewhere. Thanks for your replies. I’ll continue looking at my config.
 
