
Properly configuring OpenVPN CLIENT on Asuswrt-Merlin


CarribbeanPrivate

Long details below, so BLUF:
I need help determining the best path to protect my system using OpenVPN and PrivateInternetAccess. I'd prefer not to purchase additional hardware. Options I've narrowed down so far, and the challenges I believe each faces:
1 - OpenVPN on Merlin & RT-n66 (been having configuration problems)
2 - pfSense on Dell E6400 (has single NIC - so looks like it'll require using VLANs)

Anyone see a better way, or highly recommend one of the above? If you can point me in the right direction, I'm a few steps above a script-kiddie, even though it's been 20 years since I was programming.

I've been going round and round with PIA tech support trying to get OpenVPN working - first tried using DD-WRT on Linksys WRT400N (later bricked trying to revert from an unstable build...that's what I get for working late into the night & getting careless!) So bought the N66 thinking it was new enough I could VLAN - no joy without DD-WRT/Tomato, and I'm really liking RMerlin's approach. So now I'm back to the router, which understandably will be slower, but my ISP's peak load runs at a snail's pace anyway (think 2x-Dialup speeds).

Scaling: I intend to add AdBlocking on the router & Squid caching on the Dell afterwards to help raise end-user speeds.

Hardware Setup (isolated area):
Local ISP uses commercial satellite to reach backbone
Static IP assigned by ISP
DSL Modem connected in bridge mode
Asus RT-N66 flashed to Merlin 376.48_3

Thanks, and Happy Thanksgiving!
 
Specifics on the OpenVPN errors

Broke this into two posts, otherwise TLDR!

Since Asuswrt was originally forked off Tomato, I tried adapting PIA's Tomato instructions:
https://www.privateinternetaccess.com/pages/client-support/#tomato_openvpn
which referred me here (newer builds):
https://www.privateinternetaccess.c...-setup-for-newer-branches-including-tomatousb

Once enabled, I consistently get a connection reset error in the logs (see EOF).

PIA tech had me load a new .ovpn config file, same results:
client
dev tun
proto tcp
remote 199.193.117.84 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0

1 - changed to us-east.privateInternetAccess.com port 443 (router will resolve; list indicates 254 available IPs)

QUESTION 1: If it's a matter of blocking, is that something the ISP can be doing? Isn't that one of the issues VPNs are designed to solve?
-- 443 is the HTTPS port, which shouldn't be able to be blocked (I can access HTTPS:// websites)
-- I can successfully ping both the Top-Level Domain & the IP(199.193.117.84)
QUESTION 2: could it be the inbound port that is being blocked?
-- Traceroute to the PIA IP only shows the first hop to my ISP. i.e. 1 - 192.168.1.1 (router) 2 - ISP IP 3 - * * * ...
QUESTION 3: If it's a matter of blocking, why does the desktop client work? The only additional configuration is one more step in the routing (goes through the router instead of originating from it)
QUESTION 4: Could it be a port trigger / port forwarding issue on the router?

/-----Config Changes to test if blocked (router log below is from BEFORE this test) -----/
Router Firewall is off
Port forwarding is not enabled
Port triggering is not enabled
2 - turned off VPN on router
3 - started desktop PIA client
4 - client connection set to us-east using TCP port 443
5 - client connects in ~20 seconds to 107.191.33.12 (slower to connect than UDP usually set to )
6 - dnsleaktest.com == VPN SUCCESS; indicates sIP in NY,USA
7 - client disconnected & exited to prevent conflict with further troubleshooting

****NOTE: There was one successful connection in the log while I left it sitting, which subsequently timed out (09:20:xx)***

/----------ROUTER LOG-----------------/

Nov 27 09:19:52 openvpn[1032]: Connection reset, restarting [-1]
Nov 27 09:19:52 openvpn[1032]: SIGUSR1[soft,connection-reset] received, process restarting
Nov 27 09:19:58 openvpn[1032]: Attempting to establish TCP connection with [AF_INET]108.61.19.3:443 [nonblock]
Nov 27 09:19:59 openvpn[1032]: TCP connection established with [AF_INET]108.61.19.3:443
Nov 27 09:19:59 openvpn[1032]: TCPv4_CLIENT link local: [undef]
Nov 27 09:19:59 openvpn[1032]: TCPv4_CLIENT link remote: [AF_INET]108.61.19.3:443
Nov 27 09:20:00 openvpn[1032]: Connection reset, restarting [-1]
Nov 27 09:20:00 openvpn[1032]: SIGUSR1[soft,connection-reset] received, process restarting
Nov 27 09:20:05 openvpn[1032]: Attempting to establish TCP connection with [AF_INET]108.61.13.44:443 [nonblock]
Nov 27 09:20:06 openvpn[1032]: TCP connection established with [AF_INET]108.61.13.44:443
Nov 27 09:20:06 openvpn[1032]: TCPv4_CLIENT link local: [undef]
Nov 27 09:20:06 openvpn[1032]: TCPv4_CLIENT link remote: [AF_INET]108.61.13.44:443
Nov 27 09:20:08 openvpn[1032]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 27 09:20:28 openvpn[1032]: [Private Internet Access] Peer Connection Initiated with [AF_INET]108.61.13.44:443
Nov 27 09:20:31 openvpn[1032]: TUN/TAP device tun12 opened
Nov 27 09:20:31 openvpn[1032]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Nov 27 09:20:31 openvpn[1032]: /usr/sbin/ip link set dev tun12 up mtu 1500
Nov 27 09:20:31 openvpn[1032]: /usr/sbin/ip addr add dev tun12 local 10.30.1.30 peer 10.30.1.29
Nov 27 09:20:31 openvpn[1032]: Initialization Sequence Completed
Nov 27 12:04:10 openvpn[1032]: read TCPv4_CLIENT: Connection timed out (code=145)
Nov 27 12:04:10 openvpn[1032]: Connection reset, restarting [0]
Nov 27 12:04:10 openvpn[1032]: SIGUSR1[soft,connection-reset] received, process restarting
Nov 27 12:04:15 openvpn[1032]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Nov 27 12:04:45 openvpn[1032]: RESOLVE: Cannot resolve host address: us-east.privateinternetAccess.com: Name or service not known
Nov 27 12:05:15 openvpn[1032]: RESOLVE: Cannot resolve host address: us-east.privateinternetAccess.com: Name or service not known
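
The router log in the post above mixes three different failure points: a reset straight after the TCP connect, a timeout hours after the tunnel came up, and DNS resolution failures. The triage script below is an added example, not part of the original post; the outcome labels and function names are its own, and the sample lines are excerpted from that log.

```python
import re
from collections import Counter

# Sample lines excerpted (abridged) from the router log in the post above.
SAMPLE_LOG = """\
Nov 27 09:19:58 openvpn[1032]: Attempting to establish TCP connection with [AF_INET]108.61.19.3:443 [nonblock]
Nov 27 09:19:59 openvpn[1032]: TCP connection established with [AF_INET]108.61.19.3:443
Nov 27 09:20:00 openvpn[1032]: Connection reset, restarting [-1]
Nov 27 09:20:05 openvpn[1032]: Attempting to establish TCP connection with [AF_INET]108.61.13.44:443 [nonblock]
Nov 27 09:20:06 openvpn[1032]: TCP connection established with [AF_INET]108.61.13.44:443
Nov 27 09:20:28 openvpn[1032]: [Private Internet Access] Peer Connection Initiated with [AF_INET]108.61.13.44:443
Nov 27 09:20:31 openvpn[1032]: Initialization Sequence Completed
Nov 27 12:04:10 openvpn[1032]: read TCPv4_CLIENT: Connection timed out (code=145)
Nov 27 12:04:10 openvpn[1032]: Connection reset, restarting [0]
Nov 27 12:04:45 openvpn[1032]: RESOLVE: Cannot resolve host address: us-east.privateinternetAccess.com: Name or service not known
"""

ATTEMPT = re.compile(r"Attempting to establish TCP connection with \[AF_INET\]([\d.]+:\d+)")
# Log markers that advance an attempt to the next stage, in order.
STAGES = (
    ("TCP connection established", "tcp"),
    ("Peer Connection Initiated", "tls"),
    ("Initialization Sequence Completed", "up"),
)

def triage(log_text):
    """Return (remote, outcome) per finished attempt, plus DNS failures."""
    events, cur = [], None
    for line in log_text.splitlines():
        m = ATTEMPT.search(line)
        if m:
            cur = {"remote": m.group(1), "stage": "connecting", "reason": "reset"}
        elif "RESOLVE: Cannot resolve host address" in line:
            events.append(("-", "dns_failure"))
        elif cur is None:
            continue  # restart lines with no attempt recorded before them
        elif "Connection timed out" in line:
            cur["reason"] = "timeout"
        elif "Connection reset, restarting" in line:
            events.append((cur["remote"], f'{cur["reason"]}_after_{cur["stage"]}'))
            cur = None
        else:
            for marker, stage in STAGES:
                if marker in line:
                    cur["stage"] = stage
    return events

def summary(log_text):
    """Count outcomes so repeated early resets stand out from one-off drops."""
    return Counter(outcome for _, outcome in triage(log_text))
```

A `reset_after_tcp` outcome means port 443 was reachable and the session ended before OpenVPN's TLS handshake finished, so a successful ping or HTTPS page load does not test the stage that is failing.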
 
I know it's been a long time, but have you been able to solve the problem?
I'm having the same issue.
Or does anyone else have a solution?
Thanks
 
Both vpnmgr and vpnmon-r2 can assist with managing your VPN connection. What exactly is the problem you're having?
 
I have set up my router with a TCP OpenVPN connection (NordVPN), but sometimes it does work and most of the time it does not.
I checked the logs and had this error:

openvpn-cli[689]: read TCPv4_CLIENT: Connection timed out (code=145)

But the same server IP is working just fine using the same internet connection with the Android app (also using OpenVPN TCP and the same DNS server as the router connection).
 
Are you also using the skynet firewall by any chance?
 
I don't even know what that is.
I'm using an ADSL connection, connected via a router flashed with a custom firmware.

I wanted to set up the connection on the router so that all the traffic gets through the VPN (NordVPN).

It connects sometimes, and if it does in fact connect, it doesn't disconnect until a drop in the connection or if the router reboots.

But most of the time, that is the error that I have.

And as I mentioned before, while the router is failing to connect, the app connects just fine.
 
Please take a look at this post. At the bottom, you'll find a custom configuration. Using this may provide more stability for your connection. The one that NordVPN provides is horrible. Please give this a shot and let me know how it works out?

Post in thread 'VPNMON-R2 v2.35 -Oct 21, 2022- Monitor your VPN connection's Health (New: AMTM, Round Robin, supporting WeVPN/Nord/SurfShark/PerfectPrivacy) (#2)' https://www.snbforums.com/threads/v...-surfshark-perfectprivacy-2.79762/post-776164
 
@ColinTaylor :D:p
Yes, still using Padavan FW on Xiaomi Router 3, with OpenVPN 2.4.7 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]

I do not think that it could be the issue, since I'm experiencing the same problem while using the latest OpenVPN version on Windows, but the error is a little different.

Log on Windows 11, latest OpenVPN:

MANAGEMENT: >STATE:1666797753,WAIT,,,,,,
2022-10-26 18:52:59 read TCP_CLIENT: Connection timed out (WSAETIMEDOUT) (code=10060)
2022-10-26 18:52:59 Connection reset, restarting [-1]
2022-10-26 18:52:59 SIGUSR1[soft,connection-reset] received, process restarting

@Viktor Jaep
Tried your configuration for the connection, same error.

penvpn-cli[2842]: read TCPv4_CLIENT: Connection timed out (code=145)
Oct 26 18:54:13 openvpn-cli[2842]: Connection reset, restarting [0]
Oct 26 18:54:13 openvpn-cli[2842]: TCP/UDP: Closing socket
Oct 26 18:54:13 openvpn-cli[2842]: SIGUSR1[soft,connection-reset] received, process restarting


BUT on Windows 11, if I first connect to another VPN provider, like ExpressVPN for example, using the provided app, then OpenVPN will connect and authenticate just fine.

I tried pinging the server IP, without any VPN, and it does reply.

So I don't know what the problem could be.
 
Yes, it does block VPN.

But my question still remains:
Why does the NordVPN Android app work just fine, with the same DNS, the same connection, and the same configuration (OpenVPN TCP)?

And I'm no expert, but if it's blocked, shouldn't I not be able to open HTTPS websites too?

Thanks again for your help
 
