How to Setup a VPN client including Policy Rules for PIA and other VPN providers 384.5 07.10.18

Discussion in 'VPN' started by yorgi, Mar 5, 2016.

  1. ImaStinker

    ImaStinker Occasional Visitor

    Joined:
    Sep 16, 2015
    Messages:
    23
    So if I use the "preferred encryption method", i.e. AES-128-CBC, what port should I use?
    Should it be different than the port used with the "default encryption method" Blowfish?

    Thanks...
     
  2. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    Yes you need to use port 1196 for aes-128-cbc
    Each encryption uses a different port, and the reason aes-128 is the preferred method is because of all the encryptions it's the fastest.
     
  3. ImaStinker

    ImaStinker Occasional Visitor

    Joined:
    Sep 16, 2015
    Messages:
    23
    Great thanks. So I'm just going to summarize this all in one post for future reference. :)

    • use port 1194 with BF-CBC encryption. (PIA Default)
    • use port 1195 with encryption type set to none and in custom configuration add auth none.
    • use port 1196 with AES-128-CBC encryption. (Preferred for speed)
    • use port 1197 with AES-256-CBC encryption and in custom configuration add auth sha256.
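
The port/cipher pairings summarized in this post can be checked mechanically before a config is loaded onto the router. The following is an added example, not part of the original post and not PIA's or Asuswrt-Merlin's own code; the function names, the hostnames and the three sample configs are constructed for illustration, and it assumes the config states `cipher` explicitly.

```python
# Added example (not from the thread): lint an OpenVPN client config against
# the port/cipher pairings summarized above. Sample configs are constructed.

# port -> (cipher, auth); auth None = the post names no auth setting
PIA_PORT_TABLE = {
    1194: ("BF-CBC", None),
    1195: ("NONE", "NONE"),
    1196: ("AES-128-CBC", None),
    1197: ("AES-256-CBC", "SHA256"),
}

def parse_ovpn(text):
    """Pull port, cipher and auth out of OpenVPN directive lines."""
    cfg = {"port": None, "cipher": None, "auth": None}
    for raw in text.splitlines():
        # '#' and ';' start comments in OpenVPN config files
        words = raw.split("#", 1)[0].split(";", 1)[0].split()
        if not words:
            continue
        key, args = words[0].lower(), words[1:]
        if key == "remote" and len(args) >= 2 and args[1].isdigit():
            cfg["port"] = int(args[1])          # remote <host> <port> [proto]
        elif key == "port" and args and args[0].isdigit() and cfg["port"] is None:
            cfg["port"] = int(args[0])
        elif key in ("cipher", "auth") and args:
            cfg[key] = args[0].upper()
    return cfg

def lint(text):
    """Return findings; an empty list means the config matches the table."""
    cfg = parse_ovpn(text)
    if cfg["port"] not in PIA_PORT_TABLE:
        return [f"port {cfg['port']} is not in the table"]
    want_cipher, want_auth = PIA_PORT_TABLE[cfg["port"]]
    findings = []
    if cfg["cipher"] != want_cipher:   # cipher must be stated explicitly
        findings.append(f"port {cfg['port']} expects cipher {want_cipher}, "
                        f"config has {cfg['cipher']}")
    if want_auth and cfg["auth"] != want_auth:
        findings.append(f"port {cfg['port']} expects auth {want_auth}, "
                        f"config has {cfg['auth']}")
    if "NONE" in (cfg["cipher"], cfg["auth"]):
        findings.append("tunnel payload is unencrypted and/or unauthenticated")
    return findings

GOOD = "remote vpn.example.invalid 1197 udp\ncipher AES-256-CBC\nauth sha256\n"
MISMATCH = "remote vpn.example.invalid 1196 udp\ncipher AES-256-CBC\nauth sha256\n"
PLAINTEXT = "remote vpn.example.invalid 1195 udp\ncipher none\nauth none\n"
```

`lint(MISMATCH)` reports the cipher that port 1196 expects, and `lint(PLAINTEXT)` still returns a finding even though the config matches the table, because the port 1195 profile carries traffic with no encryption or authentication.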
     
  4. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    you got it :)
     
  5. ImaStinker

    ImaStinker Occasional Visitor

    Joined:
    Sep 16, 2015
    Messages:
    23
    Perfecto! Much faster now. Thanks
     
  6. ImaStinker

    ImaStinker Occasional Visitor

    Joined:
    Sep 16, 2015
    Messages:
    23
    When I set compression to "Disabled" like suggested, I can no longer get internet access through the tunnel to PIA.
    upload_2016-4-26_17-58-44.png

    The tail end of my log shows "Invalid argument" which doesn't happen when Compression is set to Adaptive.
    Code:
    Apr 26 17:52:51 openvpn-routing: Adding route for 10.xx.xx.15 to 0.0.0.0 through VPN client 1
    Apr 26 17:52:51 openvpn-routing: Tunnel re-established, restoring WAN access to clients
    Apr 26 17:52:51 openvpn-routing: Completed routing policy configuration for client 1
    Apr 26 17:52:51 openvpn[10165]: Initialization Sequence Completed
    Apr 26 17:52:58 openvpn[10165]: write to TUN/TAP : Invalid argument (code=22)
    Apr 26 17:53:08 openvpn[10165]: write to TUN/TAP : Invalid argument (code=22)
    Apr 26 17:53:18 openvpn[10165]: write to TUN/TAP : Invalid argument (code=22)
    Do I need to do anything else to turn compression off? Perhaps select "None" instead of "Disabled"?
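
The log in this post shows a tunnel that reports "Initialization Sequence Completed" and then fails every write to the TUN/TAP device, so the "up" message alone is not proof that traffic flows. The following is an added example, not part of the original post: a small check that flags that pattern per openvpn process. The log lines are the ones quoted above; the function name and the threshold of three errors are assumptions.

```python
import re

# Log lines copied from the post above.
SAMPLE_LOG = """\
Apr 26 17:52:51 openvpn-routing: Completed routing policy configuration for client 1
Apr 26 17:52:51 openvpn[10165]: Initialization Sequence Completed
Apr 26 17:52:58 openvpn[10165]: write to TUN/TAP : Invalid argument (code=22)
Apr 26 17:53:08 openvpn[10165]: write to TUN/TAP : Invalid argument (code=22)
Apr 26 17:53:18 openvpn[10165]: write to TUN/TAP : Invalid argument (code=22)
"""

# syslog timestamp, openvpn PID, message text
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) openvpn\[(\d+)\]: (.*)$")

def tunnel_health(log_text, threshold=3):
    """Return {pid: state} for tunnels that came up but cannot write to TUN/TAP."""
    state = {}  # pid -> {"up_at": timestamp or None, "errors": [timestamps]}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # openvpn-routing and other daemons are ignored
        ts, pid, msg = m.groups()
        s = state.setdefault(pid, {"up_at": None, "errors": []})
        if "Initialization Sequence Completed" in msg:
            # A new session starts here: reset the error window.
            s["up_at"], s["errors"] = ts, []
        elif msg.startswith("write to TUN/TAP") and "code=22" in msg and s["up_at"]:
            s["errors"].append(ts)
    # Only report tunnels that claimed success and then kept failing.
    return {pid: s for pid, s in state.items()
            if s["up_at"] and len(s["errors"]) >= threshold}

if __name__ == "__main__":
    for pid, s in tunnel_health(SAMPLE_LOG).items():
        print(f"openvpn[{pid}] up at {s['up_at']}, {len(s['errors'])} TUN/TAP write errors")
```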
     
  7. ImaStinker

    ImaStinker Occasional Visitor

    Joined:
    Sep 16, 2015
    Messages:
    23
    I set my Compression setting to "None" and was able to actually get internet access via the tunnel. So I thought I'd run a speed test to compare between "Adaptive" and "None"
    With Adaptive Compression
    upload_2016-4-26_18-15-59.png

    Without Compression
    upload_2016-4-26_18-16-52.png

    I was expecting something a little different.
     
  8. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    I didn't say to disable compression in the article. If you look at the image it's set to none.
    I said that I don't use compression. I did fix the article to say "none" for compression as it is in the picture.
    Speed tests don't test everything. When you are browsing on the web you should notice a quicker experience when you set compression to none.
    You can do the same speed tests over and over and never get the same results.
     
  9. SteveBM

    SteveBM New Around Here

    Joined:
    Mar 11, 2016
    Messages:
    5
    Many thanks for the great guide

    I've set up PIA on 380.58 on AC87U.

    I'm using IP filtering to send my two Kodi boxes to VPN but all other devices to ISP

    Really daft question, how do I direct the VPN traffic via a particular country? I've downloaded the Ovpn and PIA apps for iPad expecting that these would allow routing of all traffic via a given country but they just allow me to direct the iPad down the VPN routing.
    Where do I find the overall control panel that enables master routing of all VPN traffic down a particular route?

    Or do I just change the server details I'm connecting to in the VPN client details on the router?

    Sorry for dumb question. I'm so pleased I've managed to get this far after so much reading and research. I just can't get the final mile! Any help appreciated
     
    Last edited: May 2, 2016
  10. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada

    You can change the country server from the VPN client on your router.
    Here is a list of all the servers for all countries that PIA supports.
    https://www.privateinternetaccess.com/pages/network/
    Basically, if you want to connect to the UK server just change the server name in "Server Address and Port" on the VPN client to uk-london.privateinternetaccess.com
    then turn the Service state button to off and then on and the new country will take effect.

    You do not need to put the client on your iPad if you are using the router for VPN.
    But if you want a different VPN server on your iPad other than the one that your router is currently on then you would need that app on your iPad and you can only use one country server at a time.
    The app is pretty straightforward. Choose the country, put your username and password and it's done.

    Personally what I would do is this.
    Reserve a few more static IP addresses for the policy rules that will go through the VPN and when you want to use VPN for your tablet just change the IP address to the one you reserved for VPN and when you're done go back to DHCP on your tablet.

    Also make sure you have proper DNS filtering for the devices that do not use the VPN via DNS filtering because if you don't, as in my article, all your ISP traffic will use the DNS of PIA.
    On the tablet, if you switch back and forth from VPN and ISP don't put a DNS filtering, manually change them every time.

    Example for iPad that will use VPN and ISP from the router. DNSfiltering will not be used in this case, instead you would manually change the following.

    IP DHCP
    DNS 8.8.8.8 for Google

    for VPN
    IP 192.168.1.50
    subnet 255.255.255.0
    gateway 192.168.1.1 this is your router's IP
    DNS 192.168.1.1 this is your router's IP

    Using the PIA software is not recommended because if you use DNSfiltering and point for example Google for DNS to your iPad, when you use the software to connect to PIA it will use the DNS of ISP being Google which is not good.
    You need the DNS of PIA when using the VPN and the DNS of ISP when on ISP so the only workaround is the example above.

    In order to test all your devices and to make sure all DNS works right use the following url

    https://ipleak.net/

    It's a pain in the ass with the way it all works but at least you know how it all works now :)
    I hope this makes some sense.
     
  11. SteveBM

    SteveBM New Around Here

    Joined:
    Mar 11, 2016
    Messages:
    5
    Thanks buddy I really do appreciate your advice

    I understand what you mean now with regards country switching

    I wasn't sure about DNS as your guide mentioned that it was fixed by latest Merlin firmware. I haven't tested it but will hopefully get a chance to play with this later today

    Many thanks once again. My learning curve with this has been so steep. I really appreciate you sharing your knowledge

    Cheers
     
  12. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    I didn't say that. I said the VPN client now resolves the proper DNS as it's now fixed with the new firmware, therefore you don't need to use DNSfiltering for VPN.
    But if you notice, for local ISP traffic I still recommend you use DNSfiltering because the DNS resolves to PIA.
    This is not a bug from the router, it's the way it is. When you connect to a VPN tunnel it automatically binds its DNS with the VPN provider as it's set to EXCLUSIVE.
    Therefore when one wants to redirect traffic from the VPN tunnel to local ISP the DNS is still the same as from the VPN. This is why we have to use DNSfiltering for ISP.
    Before the new firmware one would have to use DNSfiltering for VPN and ISP because the DNS was not resolving properly but it's been fixed with the Exclusive mode and from what Merlin said
    he will most likely be taking out the Strict method because it's outdated and even the author who created the Strict method doesn't recommend anyone use it.
     
  13. SteveBM

    SteveBM New Around Here

    Joined:
    Mar 11, 2016
    Messages:
    5
    Ah, my bad, thanks for clarifying. I'll give that a go now
     
  14. SteveBM

    SteveBM New Around Here

    Joined:
    Mar 11, 2016
    Messages:
    5
    Is there a way to send all DHCP devices to Router / Custom DNS as well as those devices with static IPs?
    The list of DNS rules only allows up to 64 clients so I wondered whether there's an overarching rule
     
  15. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    Unfortunately no. I have complained about it but Merlin explained that the ASUS routers are wired that way and cannot be done otherwise.
    It would be nice if the router can do VPN and ISP as separate connections and DNS but the way it stands when a VPN tunnel is added it goes on top of the existing ISP and pretty much makes everything more complicated.
    You have a couple of ways to do it. Most people use VPN to download so they dedicate a PC just for that and as far as the other devices, well, it's up to you.
    Personally I have my phones, iPad and Surface all on ISP and one dedicated PC for VPN.
    I have scripts also that I run to change between VPN and ISP address but that gets super complicated, but if you need to do that let me know and I can provide you with a how-to guide to set up batch files that you can switch from VPN to ISP. But that will only work for PC using the netsh command. I am not sure how to do that with MAC but there is a way to write scripts for netsh with MAC as well.
    As far as phones and iPads, that has to be done manually.
    It all boils down to which devices really need VPN and which don't. It's easier to just set up some for VPN and others for ISP and forget about them :)
    At one point its a compromise :)
     
  16. SteveBM

    SteveBM New Around Here

    Joined:
    Mar 11, 2016
    Messages:
    5
    Sure no problem. Thanks again
     
  17. GazD

    GazD New Around Here

    Joined:
    Apr 25, 2016
    Messages:
    4
    Great guide. Thanks for taking the time to write it! I have managed to get it working but choosing your recommended encryption settings for speed I am still unable to get anywhere near my BB speeds. I am using an overclocked RT-AC88u so there should be enough juice to handle PIA's VPN. I even tried it with no encryption but this didn't change the speed. Any ideas? Thanks in advance
     
  18. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    If you are getting 50-60 kbps you are in the pocket. Even if your BB is 200 kbps you won't get faster than what I wrote.
    Let me know what speeds you are getting so I can help out better
     
  19. GazD

    GazD New Around Here

    Joined:
    Apr 25, 2016
    Messages:
    4
    I am getting about 10-15Mbps, using their Windows client through my laptop I can pull pretty much my full line speed - 45-50Mbps.

    Thanks
     
  20. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    Hi, I don't understand what you are saying.
    What windows client?
    You can pull pretty much full line speed 45-50???

    Please do the following if you want any help :)

    Use this site http://www.speedtest.net/ and do a speedtest without VPN and one speedtest with VPN.
    Make sure you are connected to the router via a network cable and not wireless.

    Find out what your speed is from your local ISP example 70 mbps
    and then turn on the VPN and do the same.

    If your ISP is 50 mbps you should be doing the same for VPN.
    You will never get faster than 50 or 60mbps using VPN.
    Please let us know exactly what you are talking about when you are saying the speeds are slow.

    Overclocking the CPU won't get you faster speeds, it will only burn out your router. There have been people who have overclocked their CPU to get faster speeds for VPN but that never helped.

    Also you don't need a Microsoft VPN client to connect to PIA VPN when using the router. It's really slow and you are not using it correctly.

    When using a client use the PIA client on your laptop if you are not at your house or office where your router is. It is super fast in comparison to MS client or PPTP or L2TP.