Trying to using PIA with a ASUS RT-AC86U cant get it to work.

dfrer

New Around Here
Hi i've set up my VPN with the proper config file but everytime i start the vpn anything connected to the router drops out immediately.

Thanks for any help.
 

L&LD

Part of the Furniture
Much more information needed.
 

dfrer

New Around Here
Much more information needed.
Trying to use OpenVPN with private internet access on a Asus AC 86 U with the merlin firmware installed

I used the config file generated on PIA's website and whenever I start the VPN my computer cannot connect to any websites.

Jul 6 20:56:07 ntpd: Initial clock set
Jul 6 20:56:08 rc_service: ntpd_synced 1949:notify_rc restart_diskmon
Jul 6 20:56:08 disk_monitor: Finish
Jul 6 20:56:08 disk_monitor: be idle
Jul 6 20:56:08 miniupnpd[1973]: HTTP listening on port 34772
Jul 6 20:56:08 miniupnpd[1973]: Listening for NAT-PMP/PCP traffic on port 5351
Jul 6 20:56:08 rc_service: udhcpc 1887:notify_rc stop_samba
Jul 6 20:56:08 rc_service: udhcpc 1887:notify_rc start_samba
Jul 6 20:56:08 rc_service: waitting "stop_samba" via udhcpc ...
Jul 6 20:56:08 wsdd2[1728]: Terminated received.
Jul 6 20:56:08 Samba_Server: smb daemon is stopped
Jul 6 20:56:09 dhcp_client: bound 10.0.0.55/255.255.255.0 via 10.0.0.1 for 172800 seconds.
Jul 6 20:56:09 Samba_Server: daemon is started
Jul 6 20:56:10 WAN_Connection: WAN was restored.
Jul 6 20:56:11 roamast: ROAMING Start...
Jul 6 20:56:46 crond[1655]: time disparity of 1668891 minutes detected
Jul 6 20:58:27 rc_service: httpd 1658:notify_rc start_vpnclient1
Jul 6 20:58:27 ovpn-client1[2541]: DEPRECATED OPTION: --cipher set to 'aes-128-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'aes-128-cbc' to --data-ciphers or change --cipher 'aes-128-cbc' to --data-ciphers-fallback 'aes-128-cbc' to silence this warning.
Jul 6 20:58:27 ovpn-client1[2541]: OpenVPN 2.5.2 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 6 2021
Jul 6 20:58:27 ovpn-client1[2541]: library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.08
Jul 6 20:58:27 ovpn-client1[2542]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 6 20:58:27 ovpn-client1[2542]: CRL: loaded 1 CRLs from file crl.pem
Jul 6 20:58:27 ovpn-client1[2542]: TCP/UDP: Preserving recently used remote address: [AF_INET]172.98.89.202:1198
Jul 6 20:58:27 ovpn-client1[2542]: UDP link local: (not bound)
Jul 6 20:58:27 ovpn-client1[2542]: UDP link remote: [AF_INET]172.98.89.202:1198
Jul 6 20:58:27 ovpn-client1[2542]: [vancouver409] Peer Connection Initiated with [AF_INET]172.98.89.202:1198
Jul 6 20:58:27 ovpn-client1[2542]: TUN/TAP device tun11 opened
Jul 6 20:58:27 ovpn-client1[2542]: /usr/sbin/ip link set dev tun11 up mtu 1500
Jul 6 20:58:27 ovpn-client1[2542]: /usr/sbin/ip link set dev tun11 up
Jul 6 20:58:27 ovpn-client1[2542]: /usr/sbin/ip addr add dev tun11 10.8.112.177/24
Jul 6 20:58:27 ovpn-client1[2542]: ovpn-up 1 client tun11 1500 1553 10.8.112.177 255.255.255.0 init
Jul 6 20:58:30 ovpn-client1[2542]: WARNING: OpenVPN was configured to add an IPv6 route. However, no IPv6 has been configured for tun11, therefore the route installation may fail or may not work as expected.
Jul 6 20:58:30 ovpn-client1[2542]: add_route_ipv6(2000::/3 -> :: metric -1) dev tun11
Jul 6 20:58:30 ovpn-client1[2542]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jul 6 20:58:30 ovpn-client1[2542]: Initialization Sequence Completed

heres a log frm the router

Thanks again.
 

L&LD

Part of the Furniture
Which RMerlin firmware are you using?

When did you install it?

Have you ever performed a full reset to factory defaults after flashing the firmware you want to use?

Followed by a minimal and manual configuration of the router? And without importing a saved backup config file.
 

dfrer

New Around Here
Which RMerlin firmware are you using?

When did you install it?

Have you ever performed a full reset to factory defaults after flashing the firmware you want to use?

Followed by a minimal and manual configuration of the router? And without importing a saved backup config file.
Merlin version - RT-AC86U_386.2_6

Installed earlier tonight.

Just tried full reset now - No luck.

I am quite new to networking so im not 100% sure what I would change within the config.
 

L&LD

Part of the Furniture

dfrer

New Around Here
This is what a full (nuclear) reset looks like.

Fully Reset Router and Network

As long as you use the WPS method appropriate for your router, the router should be reset. But it has helped others get their routers back to a good/known state (or, indicated possible hardware issues).

That isn't the recommended method anymore. Not even by Asus

Here are the best practices to get the router configured to a default level.

Best Practice Update/Setup Router/AiMesh Node(s) 2021
Okay thanks a lot man ill try all of those out

Thank you very much for the help.
 

RMerlin

Asuswrt-Merlin dev
No need for a factory default reset...

Jul 6 20:58:30 ovpn-client1[2542]: add_route_ipv6(2000::/3 -> :: metric -1) dev tun11
Asuswrt's OpenVPN implementation does not support IPv6. Add these to your Custom settings:

Code:
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "router-ipv6"

Also make sure you set DNS Mode to "Exclusive", as some tunnels will block DNS traffic that doesn't use their own DNS servers.
 

dfrer

New Around Here
No need for a factory default reset...


Asuswrt's OpenVPN implementation does not support IPv6. Add these to your Custom settings:

Code:
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "router-ipv6"

Also make sure you set DNS Mode to "Exclusive", as some tunnels will block DNS traffic that doesn't use their own DNS servers.
Hey Merlin thanks so much for responding.
I added your code to the the Custom Configuration, but still no luck. I also set DNS in the 'Accept DNS Configuration' to exclusive not 100% sure if thats the one you meant.
Also I am using the preconfigured config sent by PIA should I just clear it and do it myself?
Thanks a lot again for responding.
 

dfrer

New Around Here
Hey Merlin thanks so much for responding.
I added your code to the the Custom Configuration, but still no luck. I also set DNS in the 'Accept DNS Configuration' to exclusive not 100% sure if thats the one you meant.
Also I am using the preconfigured config sent by PIA should I just clear it and do it myself?
Thanks a lot again for responding.
Another odd thing I just noticed is that while I cant use google or YouTube or any normal browsing sites like reddit - for some reason my phone can specifically use snapchat and nothing else?
 

L&LD

Part of the Furniture
Did you reboot the router (and possibly the client devices too)?
 

RMerlin

Asuswrt-Merlin dev
Also I am using the preconfigured config sent by PIA should I just clear it and do it myself?
Uploading their config file should be fine (and also entering your username/password, and selecting Exclusive DNS and Policy routing).
 

Kingp1n

Very Senior Member
Also, ensure you have the certificates loaded under "Crypto Settings". Sometimes these did not get transferred from the opvn, at least for me.

Clik on the edit button and ensure you see them under "Certificate Authority" and "Certificate Revocation List". If they're missing copy and paste from the file you downloaded.
 

dfrer

New Around Here
Uploading their config file should be fine (and also entering your username/password, and selecting Exclusive DNS and Policy routing).
Sorry for the late response.
Exclusive DNS is on, is the policy routing under Advanced settings? I could only find Policy Rules.
 

dfrer

New Around Here
Also, ensure you have the certificates loaded under "Crypto Settings". Sometimes these did not get transferred from the opvn, at least for me.

Clik on the edit button and ensure you see them under "Certificate Authority" and "Certificate Revocation List". If they're missing copy and paste from the file you downloaded.
Checked it out seems like they are there.
 

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top