PIA VPN as VPN Client on Merlin

Preskitt.man

Regular Contributor
For several years, I have been using the PIA VPN as a client on my PCs, tablets and phones. What I have discovered over the years is that there are various idiosyncrasies in using PIA and I would just turn off PIA when doing those things. One of the bigger things was trying to access Netflix. Simply put, I could not stream Netflix when PIA was enabled.

So, here I am, sequestered in my home with tons of time to kill, so I installed the OpenVPN client on Merlin following PIA's instructions for CRT and special configs. After activating the VPN client, it shows I am connected, and if I look for my public IP address from my PC, it is showing the Silicon Valley server IP of PIA (as specified) and various other lookups show me to be in Silicon Valley.

But 3 curious things now.
1) If I bring up Netflix on my PC, it streams just fine (and now, I don't have any bypass rules in play for either my PC or for Netflix)
2) After turning the service state of the client off on Merlin, the client on my PC will not connect.
3) When I turn the service state of the client back on, I am then able to also connect the client on the PC, though there is no real reason to do so.

Any ideas?
 
When you turn the OpenVPN client off can you then do normal browsing on your PC - is it just the PIA client that won't connect?

I don't use the OpenVPN client often but have seen a few times that the PC then can't access the internet when I turn off the VPN until rebooted - I think I've had to reboot the router to get it working again too.
 
One of the bigger things was trying to access Netflix. Simply put, I could not stream Netflix when PIA was enabled.

I just received an email from PIA indicating it will now work with Netflix. I don't have Netflix. So I can't validate.

 
Well, did some more testing, and came up with these observations:
1) When I turn off VPN service at the router, nothing on my PC would work
BUT - I had enabled the Kill Switch on the router "Block routed clients if tunnel goes down", which apparently means, kill the client, even if you manually stopped the service
2) Netflix has never been good with PIA on my PC (or other devices), but the way Netflix (and others) detects and blocks VPNs is they have a compiled list of IPs belonging to VPNs and block those IPs. PIA uses a different IP address for OpenVPN connections than for their proprietary client. Apparently for some reason this is not on the blacklist for Netflix (at least the one in PIA's Silicon Valley server).

So, this leaves me with 2 questions:
1) Should I leave the Kill switch on?
2) Is there any advantage (disadvantage) to using PIA's proprietary client or an OpenVPN client?
 
Ok - didn't see Ein's posting about PIA now working with Netflix. Good News. Still doesn't work with Hulu and Prime :( Also doesn't work with Netflix in UK (was using PIA's London Server).
 
Hmm, yes just done a quick test and looks like the block routed clients if tunnel goes down does trigger if you manually turn the client off. I'm not sure how to "unblock" them other than rebooting the router - there may be a command you can type via SSH but I'll have to have a look.

1) Well it's up to you - if you leave the kill switch on it will block anything if the VPN goes down - kind of handy if not using your ISP is paramount - but will require a reboot to "unblock"
2) Using the OpenVPN client (I assume you mean on the router) means anything connected to the router can be configured to use the tunnel without any software on each client. The proprietary client usually lets you change country/endpoint easily too.
 
I guess at this point, I don't know that the VPN server goes down all that much - and since I'm not a political dissident in Iran, the consequences of not going through the VPN will not result in a visit by the police, so I think I might leave the kill switch off. Last thing I need is my wife suddenly wondering why she can't get on the internet. :))
 
2) Is there any advantage (disadvantage) to using PIA's proprietary client or an OpenVPN client?

No right or wrong answer here. If you want ALL of your devices to funnel through the vpn then running the client on the router is the way to go. Note that depending on which router you have this may limit your throughput to less than what your ISP provides. If you only need the vpn on one or two computers then it may be better to run the PIA client on those devices. Any modern computer will have enough processing power to not limit the throughput that the vpn provider is capable of.

The PIA client is also more user friendly when it comes to choosing configuration options.
 
Hmm, yes just done a quick test and looks like the block routed clients if tunnel goes down does trigger if you manually turn the client off.

I'm not sure how to "unblock" them other than rebooting the router - there may be a command you can type via SSH but I'll have to have a look.
If the KILL-Switch is ENABLED for a VPN Client, and there is a reason the VPN Client cannot be started, then rather than REBOOT, you should use the GUI to DISABLE it.

However, if you must use the command line, you can use the following to identify in which table the KILL-Switch is ACTIVE
Code:
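# Show the policy routing (RPDB) rules
echo -e "\n\tRPDB Rules"; ip rule; echo
# For each of the five OpenVPN client slots, show its settings and the key routes in its table (111-115)
for I in 1 2 3 4 5; do
  if [ -n "$(nvram get vpn_client${I}_addr)" ]; then
    echo -e "\tClient ovpnc$I port $(nvram get vpn_client${I}_port) $(nvram get vpn_client${I}_proto)"
  else
    echo -e "\tClient ovpnc$I NOT configured"
  fi
  ip route show table 11$I | grep -E "^0\.|^128\.|^default|^prohibit|tun1"
done
# Show the default route(s) in the main table (254)
echo -e "\n\tTable main"; ip route show table 254 | grep -E "^0\.|^128\.|^default"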
 
RPDB Rules

0: from all lookup local
9990: from all fwmark 0x8000/0x8000 lookup main
9992: from all fwmark 0x3000/0x3000 lookup London
10802: from 172.16.5.1 lookup London
10803: from 172.16.5.33/28 to 0.255.255.255 lookup London
32766: from all lookup main
32767: from all lookup default

 Client ovpnc1 port 553 udp
 Client ovpnc2 port 1194 udp
prohibit default
 Client ovpnc3 port 25000 udp
 Client ovpnc4 port 1194 udp
 Client ovpnc5 port 1194 udp
 
 Table main
default via wan.xxx.xxx.xxx dev vlan2

e.g. VPN Client 2 is showing the ACTIVE KILL-Switch ('prohibit default'), so to manually DISABLE it issue
Code:
ip route del default table ovpnc2
so the next valid 'default' route used will usually be table main
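
Added example, not part of the original post or of the firmware's own scripts: a dry-run helper that checks each client table for the 'prohibit default' route described above and prints the matching delete command instead of running it. The function names and the SAMPLE switch are hypothetical, and the sample routes are constructed so the script also runs off the router.

```shell
#!/bin/sh
# Report which OpenVPN client tables hold an active kill switch
# ("prohibit default") and print the command that would clear each one.
# SAMPLE=1 (default here) uses constructed routes; set SAMPLE=0 on the router.
SAMPLE=${SAMPLE:-1}

# show_table N: print the routes in client N's routing table.
show_table() {
    if [ "$SAMPLE" = 1 ]; then
        # Constructed sample data mirroring the post: client 2 is blocked.
        case "$1" in
            1) printf '%s\n' "0.0.0.0/1 via 10.8.0.1 dev tun11" \
                             "default via 192.0.2.1 dev vlan2" ;;
            2) printf '%s\n' "prohibit default" ;;
            *) : ;;   # other clients: empty table
        esac
    else
        ip route show table "ovpnc$1" 2>/dev/null
    fi
}

# killswitch_clients: echo the client numbers whose table contains
# a "prohibit default" route, separated by spaces.
killswitch_clients() {
    found=""
    for n in 1 2 3 4 5; do
        if show_table "$n" | grep -q '^prohibit default'; then
            found="${found:+$found }$n"
        fi
    done
    echo "$found"
}

# unblock_commands: dry run, prints one delete command per blocked client.
unblock_commands() {
    for n in $(killswitch_clients); do
        echo "ip route del default table ovpnc$n"
    done
}

unblock_commands
```

Review the printed commands before running any of them, since removing the route lets traffic from the blocked clients fall through to the next valid 'default' route.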
 
Did some simple performance testing from my PC (Dell 8930) using Speedtest app. PIA / OpenVPN connection to PIA server in San Jose, CA
Note: I live in Peoria, AZ and have a fiber connection to Zona Wyrred (local isp). Pay for 100/30 connection. Zona usually over delivers.
1) No VPN: Ping 2 ms / Down 115.42 Mbs / Up 37.25 Mbs
2) PIA client on PC: Ping 42 ms / Down 113.13 Mbs / Up 37.77 Mbs
3) OpenVPN client on router: Ping 23 ms / Down 85.62 Mbs / Up 37.41 Mbs
 
OpenVPN client on router: Ping 23 ms / Down 85.62 Mbs / Up 37.41 Mbs

I use PIA on my AC86; while speed varies, normally I can get 95% of line speed, but what most VPN providers can/will provide tops out between 200 - 250 Mbps. Networks are busy now so speeds are down.
 
