
How to Setup a VPN client including Policy Rules for PIA and other VPN providers 384.5 07.10.18

Discussion in 'VPN' started by yorgi, Mar 5, 2016.

  1. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    Airprotection/DNSfiltering
     
  2. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,279
    Location:
    San Diego, CA
    If someone can take the time to review the attached - it's part of my how-to guide series - I'm familiar enough with OpenVPN, but generally I don't consider myself an expert...

    This is a fairly vanilla setup with Server/Client in a routed config (not bridged) and self-signed certs - 1194/UDP is used for this one. The section is long enough as it is, so I'm not going down the path of bridging in the basic setup.

    I would appreciate any feedback on this one from some who might be better versed in OpenVPN.
     
  3. tooandrew

    tooandrew Occasional Visitor

    Joined:
    Jun 13, 2015
    Messages:
    20
    So, could you perhaps cover routing traffic through the VPN based on the port, and not the IP address? I know that the GUI doesn't support this, but I have installed Entware and iptables and have SSH access. However, nothing I've found that resembles a guide has worked, and I do not understand iptables, as I am not familiar with it. I posted in the Asuswrt-Merlin forum asking for the same, but perhaps this is a more appropriate place.
     
  4. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    Not sure if this helps, but this guy is talking about ports and VPN similar to what you want to do.
    http://www.linksysinfo.org/index.php?threads/route-only-specific-ports-through-vpn-openvpn.37240/
    You don't need Entware. You need to create a script, call it openvpn-event and place it in the scripts folder in the JFFS folder,
    and make sure you Format JFFS partition at next boot and Enable JFFS custom scripts and configs in the Administration/System menu of the router. Use Notepad++ to write scripts and
    read the read-me files here: https://github.com/RMerl/asuswrt-merlin/wiki
    You have a long way ahead of you, but it is possible, and here are some starting steps.
    This guide may help as well.
    https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing-(manual-method)
    This article is mapping ports, so you can take a few ideas from it:
    http://www.snbforums.com/threads/openvpn-port-forwarding-question.32859/
    http://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/
    Basically a lot of cut and paste and trial and error.

    You need to use putty.exe and learn Linux commands in order to test and find out what ports or terms are used by the ASUS router. With a little Google searching and these articles you can probably get it up and running. Be careful with some terms: br0 is WAN for ASUS but vlan1 is used by other firmware; tun11 is ASUS, tun0 is other firmware.

    Good luck :)
     
    Last edited: Jun 17, 2016
  5. tooandrew

    tooandrew Occasional Visitor

    Joined:
    Jun 13, 2015
    Messages:
    20
    I know a decent amount of Linux commands. I did need Entware because iptables wasn't installed or enabled by default, and I'm more comfortable with package managers than manual installations. I installed it through PuTTY, and I do have the scripting and JFFS enabled, and I actually have read every one of those; those were the ones spitting tons of syntax errors. Eventually, I settled on creating an IP alias on all of the desktops and configured it so that the program whose ports I wanted to forward used the alias for outgoing traffic, then forwarded the IP alias through the VPN. Doesn't work for smartphones, but it's more of a PC thing anyways.
     
  6. eisendud

    eisendud New Around Here

    Joined:
    Jun 21, 2016
    Messages:
    1
    Hi there

    I have this Asus RT-AC66U with the latest Merlin firmware, even tried the beta one today..
    Been trying to set up this OpenVPN on it. But the speed sucks. My link is 150/150 fiber. And I get full speed on speedtest without VPN.
    And only 10-14 Mbit with VPN. Is it not possible to get good speeds on this "old" box or what?
    But I had to double check, so I installed OpenVPN on my Debian box. There I got very good speeds. So it has to be the Asus box.
    I have been reading all over and tried every combo I have found in here. But maybe there is something I haven't picked up since the speeds are so bad.
    Anyone have a suggestion what to do, buy a bigger Asus model :)

    Eis
     
  7. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,521
    Location:
    Canada
    That's the normal speed for the low-power 600 MHz CPU in the RT-AC66U.
     
  8. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    9,851
    Yes, 'buy a bigger Asus model'. :)

    I also have fibre (100d/25u, Mbps) with my RT-AC68U and am using VPN to a client with a 2.5d/0.25u Mbps DSL ISP, and even though both of us are on native IPv6 (much more responsive internet, imo), the RT-AC66U is limiting what is possible in 'real time'. :) Yes, the big issue is the very slow ISP speeds. But the first gen AC class router is not helping matters either. ;)

    I find that the RT-AC68U, while a significant improvement over my previous RT-N66U (effectively the same processor as the RT-AC66U), is still not powerful enough to really maximize my fibre connection (and would certainly need more than its 800 MHz dual processors to maximize yours).

    The 'next step' is the dual core 1.4GHz routers with 128MB flash and 512MB ram. The prices though, skyrocket pretty quickly in that realm today. :(
     
  9. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    Hi, this is perfectly normal because it's a single-core CPU. You need to get a better router; a 68U will do the job because it's dual core, but depending on your Wi-Fi needs you may want a better model.
     
  10. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,279
    Location:
    San Diego, CA
    Sometimes it might be preferable to set up a dedicated box behind the router/AP and run things there - I get very good performance with a small Intel J1800 box... if doing a lot of VPN as part of a workflow, it's something to consider.
     
  11. lolek74

    lolek74 New Around Here

    Joined:
    Jul 12, 2016
    Messages:
    5
    Hi all. I have an AC3200 router with Merlin firmware. I followed the guide and it seems like everything went OK. I could see the service active. Unfortunately, when I tried to check my IP I could see my real IP and all. I was wondering if someone could help me diagnose the problem. Please let me know what I need to post in order to provide some more info.
     
  12. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    Are you getting a green light when you enable the VPN client?
    Did you enable all traffic in "Redirect Internet traffic" or Policy rules?
    Are you using 2 clients at the same time to the same VPN server?
    Is it possible to get a screenshot of your client? Your problem can be many things.
     
  13. lolek74

    lolek74 New Around Here

    Joined:
    Jul 12, 2016
    Messages:
    5
    Sorry for the late reply. I tried to play with the settings but no luck. I had more luck with the Asus firmware. I got VPN working by just selecting the VPN file and cert file. No luck with Merlin firmware.
    Certificate Authority copied from your post.

    vpn.PNG Wan.PNG
     
    Last edited: Jul 14, 2016
  14. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    I see your problem. You are using port 1198.
    You need to choose port 1196 for AES-128-CBC with this certificate, which you would copy and paste into Content modification of Keys & Certificates, in Certificate Authority:

    -----BEGIN CERTIFICATE-----
    MIID2jCCA0OgAwIBAgIJAOtqMkR2JSXrMA0GCSqGSIb3DQEBBQUAMIGlMQswCQYD
    VQQGEwJVUzELMAkGA1UECBMCT0gxETAPBgNVBAcTCENvbHVtYnVzMSAwHgYDVQQK
    ExdQcml2YXRlIEludGVybmV0IEFjY2VzczEjMCEGA1UEAxMaUHJpdmF0ZSBJbnRl
    cm5ldCBBY2Nlc3MgQ0ExLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRlaW50
    ZXJuZXRhY2Nlc3MuY29tMB4XDTEwMDgyMTE4MjU1NFoXDTIwMDgxODE4MjU1NFow
    gaUxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJPSDERMA8GA1UEBxMIQ29sdW1idXMx
    IDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSMwIQYDVQQDExpQcml2
    YXRlIEludGVybmV0IEFjY2VzcyBDQTEvMC0GCSqGSIb3DQEJARYgc2VjdXJlQHBy
    aXZhdGVpbnRlcm5ldGFjY2Vzcy5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
    AoGBAOlVlkHcxfN5HAswpryG7AN9CvcvVzcXvSEo91qAl/IE8H0knKZkIAhe/z3m
    hz0t91dBHh5yfqwrXlGiyilplVB9tfZohvcikGF3G6FFC9j40GKP0/d22JfR2vJt
    4/5JKRBlQc9wllswHZGmPVidQbU0YgoZl00bAySvkX/u1005AgMBAAGjggEOMIIB
    CjAdBgNVHQ4EFgQUl8qwY2t+GN0pa/wfq+YODsxgVQkwgdoGA1UdIwSB0jCBz4AU
    l8qwY2t+GN0pa/wfq+YODsxgVQmhgaukgagwgaUxCzAJBgNVBAYTAlVTMQswCQYD
    VQQIEwJPSDERMA8GA1UEBxMIQ29sdW1idXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50
    ZXJuZXQgQWNjZXNzMSMwIQYDVQQDExpQcml2YXRlIEludGVybmV0IEFjY2VzcyBD
    QTEvMC0GCSqGSIb3DQEJARYgc2VjdXJlQHByaXZhdGVpbnRlcm5ldGFjY2Vzcy5j
    b22CCQDrajJEdiUl6zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAByH
    atXgZzjFO6qctQWwV31P4qLelZzYndoZ7olY8ANPxl7jlP3YmbE1RzSnWtID9Gge
    fsKHi1jAS9tNP2E+DCZiWcM/5Y7/XKS/6KvrPQT90nM5klK9LfNvS+kFabMmMBe2
    llQlzAzFiIfabACTQn84QLeLOActKhK8hFJy2Gy6
    -----END CERTIFICATE-----

    If you want to use port 1198 with the new RSA certificates take a look at the how to guide because it got updated.
     
  15. lolek74

    lolek74 New Around Here

    Joined:
    Jul 12, 2016
    Messages:
    5
    Thank you for the quick reply. I tried that port before but it failed.

    fail.PNG

    openvpn:

    client
    dev tun
    proto udp
    remote aus.privateinternetaccess.com 1198
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    cipher aes-128-cbc
    auth sha1
    tls-client
    remote-cert-tls server
    auth-user-pass
    comp-lzo
    verb 1
    reneg-sec 0
    crl-verify crl.rsa.2048.pem
    ca ca.rsa.2048.crt
     
  16. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    I have corrected the new certificates in the article. Please refer to the first pages of the thread for the new port and certificates.

    If you want to use port 1198 with the RSA certificates, I have updated this thread on how to do it.
    Look at page 1, second part. You need to store those RSA certificates on your router and give a path to them,
    otherwise it will never work. You cannot copy and paste those certificates into the Certificate Authority.

    This is what I posted in the article:

    IMPORTANT!!!!

    Private Internet Access has added a new port 1198 with RSA certificates.
    This port uses AES-128-CBC with SHA1.
    It's a bit tricky to set up, but here are simple steps on how to do it.

    Look at the pia.jpg I have attached to set up the configuration.

    You need to enable SSH in Administration/System and Format JFFS partition at next boot.
    Then you need to connect over SSH with the file protocol SCP using WinSCP. Download this zip file from
    https://www.privateinternetaccess.com/openvpn/openvpn.zip
    Now extract the openvpn.zip file content and copy crl.rsa.2048.pem and ca.rsa.2048.crt to /jffs/configs.
    Once you have done that, add these lines to the custom configuration of the VPN client:
    crl-verify //jffs/configs/crl.rsa.2048.pem
    ca //jffs/configs/ca.rsa.2048.crt

    There is no need to copy any certificates into Content modification of Keys & Certificates,
    because the router will read the certificates from the jffs path.

    Start the client and you are ready to go.
     
    Attached Files:

    • pia.jpg (51.3 KB)
    Last edited: Jul 14, 2016
  17. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    If you are going to use 1196,
    remove this from the custom configuration:
    crl-verify crl.rsa.2048.pem
    ca ca.rsa.2048.crt
    That will work with port 1196.
     
  18. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    But you also need to add the other certificate I posted in #114.
     
  19. lolek74

    lolek74 New Around Here

    Joined:
    Jul 12, 2016
    Messages:
    5
    Is there any way you could help me remotely? I'm quite new to it and struggling with basic stuff.
     
    Last edited: Jul 14, 2016
  20. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    Make sure you use the file protocol SCP mode when you connect to the router. Also use a username and password that is admin level.
    Did you format the JFFS partition and Enable JFFS custom scripts and configs, then reboot the router?
    When you reboot the router and use WinSCP with the SCP protocol, it will ask you for the username and password of the router.
    Once you are connected, look for the JFFS directory in the root of the file system, then open that folder and you will see a folder called configs. Drop the 2 files in there:
    crl.rsa.2048.pem
    ca.rsa.2048.crt
    Then put these lines in the custom configuration of your VPN client:
    crl-verify //jffs/configs/crl.rsa.2048.pem
    ca //jffs/configs/ca.rsa.2048.crt
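The failure in post #15 and the fix in posts #16 and #20 come down to one thing: `ca` and `crl-verify` in the custom configuration must point at files that actually exist on the router, by absolute path, rather than at bare filenames or at text pasted into the GUI. The script below is an added example written for this thread (it is not part of Asuswrt-Merlin, PIA's openvpn.zip, or any post here) that you can run over a saved copy of the custom configuration before starting the client. It flags relative paths, missing files, and files that are not PEM-encoded, and, following the thread's rule that port 1198 needs the RSA-2048 CA on disk, warns when `remote ... 1198` appears without a `ca` directive. The `/jffs/configs` location and the port 1198 rule are assumptions taken from this thread; the directive names are standard OpenVPN.

```shell
#!/bin/sh
# check_ovpn_client.sh - sanity-check an OpenVPN client "custom configuration"
# before starting the client on an Asuswrt-Merlin router.
# Assumptions (from this thread, not from the firmware): certificate files are
# stored under /jffs/configs and referenced by absolute path; PIA's port 1198
# requires the RSA-2048 CA file on disk rather than a CA pasted into the GUI.

# looks_like_pem FILE: return 0 when FILE has PEM BEGIN/END markers for a
# certificate or CRL (PIA ships the CRL as "-----BEGIN X509 CRL-----").
looks_like_pem() {
    grep -Eq '^-----BEGIN (X509 )?(CERTIFICATE|CRL)-----' "$1" 2>/dev/null &&
    grep -Eq '^-----END (X509 )?(CERTIFICATE|CRL)-----' "$1" 2>/dev/null
}

# check_ovpn_config CONFIG_FILE
# Prints one line per problem found and returns 0 only when none were found.
check_ovpn_config() {
    cfg="$1"
    problems=0
    port=""
    saw_ca=0
    # Read the file line by line in the current shell (no pipe), so the
    # counters updated inside the loop survive after it.
    while IFS=' ' read -r key val rest; do
        case "$key" in
            ''|'#'*|';'*) continue ;;                     # blank lines, comments
            remote)
                # "remote HOST PORT [PROTO]": the port is the first word of rest
                [ -n "$rest" ] && port=${rest%% *} ;;
            port) port=$val ;;
            ca|crl-verify|cert|key|tls-auth|tls-crypt)
                [ "$key" = ca ] && saw_ca=1
                case "$val" in
                    /*)
                        # Absolute path (a leading "//" is fine on Linux):
                        # the file must exist and be PEM-encoded.
                        if [ ! -r "$val" ]; then
                            echo "$key: file not found on router: $val"
                            problems=$((problems + 1))
                        elif ! looks_like_pem "$val"; then
                            echo "$key: $val does not look like a PEM file"
                            problems=$((problems + 1))
                        fi ;;
                    *)
                        # Bare filename: OpenVPN resolves it relative to its
                        # working directory, which is not /jffs/configs.
                        echo "$key: relative path '$val' will not resolve; use /jffs/configs/$val"
                        problems=$((problems + 1)) ;;
                esac ;;
        esac
    done < "$cfg"

    # Thread-specific rule: port 1198 needs the RSA-2048 CA referenced on disk.
    if [ "$port" = 1198 ] && [ "$saw_ca" -eq 0 ]; then
        echo "remote port 1198 is used but no 'ca' directive points at ca.rsa.2048.crt"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Usage: sh check_ovpn_client.sh /path/to/custom.conf
if [ "$#" -gt 0 ]; then
    check_ovpn_config "$1"
    exit $?
fi
```

On the router the file to check is the custom configuration as saved by the GUI; copying its contents into a file under /jffs and running the script over SSH shows exactly which directive is still pointing at a name OpenVPN cannot open. The check deliberately stops at "is it a readable PEM file": whether the certificate is the right one for the chosen port is something only the server handshake (or `openssl x509 -noout -subject -in FILE`, if openssl is installed) can tell you.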