Configuring dd-wrt OpenVPN client w/ PureVPN: Some Advice

sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 298
Location: California

Posted: Mon Jan 22, 2018 6:09    Post subject: OpenSSL and PureVPN
Ok so here is the get down.
The Great Developers at ddwrt always have your security in mind.
This being said, DDWRT uses newer OpenSSL that PureVPN is just now deciding to implement.

HOWEVER, it is not necessary completely...

For all of you out there banging your heads into paste, here is what you ADD to your openvpn "Additional Config" section

Code:
tls-cipher "DEFAULT:@SECLEVEL=0"


Add that to the bottom line.

It will override the TLS-Cipher options in ddwrt.

This does work and I just tested it to verify.

Again, I hate this company. I only did this because I feel sorry for their victims

I will update my installation script to have this.

NOTE
INSTALL SCRIPT UPDATED

_________________
My Karma ran over your Dogma
SploitWorks Custom Flashed Routers
EdJanx
DD-WRT Novice


Joined: 09 Nov 2016
Posts: 14

Posted: Wed Apr 11, 2018 14:56    Post subject: PureVPN script gone....
Figures, just when I thought I found a solution to PureVPN's horrible router support, the magic script seems to have disappeared.

eval `wget -q -O - http://vpnsetups.sploitworks.com/purevpn-has-rotten-manuals.sh`

wget: server returned error: HTTP/1.1 404 Not Found


Also tried right-clicking and downloading, but got 'Failed - No File'

Anyone happen to save a copy?

Thanks,
Janx
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 298
Location: California

Posted: Wed Apr 11, 2018 16:18    Post subject: Its down?
Shouldn't be down. Let me check

-----

Update

Not down. You didn't copy and paste the code correctly.

Copy and Paste it exactly as it is on my guide on Page 1 of this thread. NOT anybody else's comments or comments to my original post. ONLY my post. Other people modify my posts and change stuff because they think they know what they are doing and clearly don't.

Not gonna explain why, you should be able to see it.
READ.

EdJanx
DD-WRT Novice


Joined: 09 Nov 2016
Posts: 14

Posted: Thu Apr 12, 2018 13:14    Post subject: Re: Its down?
sploit wrote:
Shouldn't be down. Let me check

-----

Update

Not down. You didn't copy and paste the code correctly.

Copy and Paste it exactly as it is on my guide on Page 1 of this thread. NOT anybody else's comments or comments to my original post. ONLY my post. Other people modify my posts and change stuff because they think they know what they are doing and clearly don't.


Thank you, copied from your post and it worked. Just some observations on non-related VPN settings that it also tweaks:

For Time settings, I had to remove the server name and choose US/Eastern to get things working.

The script re-enabled Telnet, which I had shut off for Security, and it also turned off my System Log and remote monitoring settings.

I changed my DNS back to 1.1.1.1, 1.0.0.1, and 208.67.222.222. I also had to re-tick Forced DNS Redirection. However, in Syslog, it appears that my ISP DNS is leaking:

Code:
Apr 12 08:42:30 FREE daemon.info dnsmasq[1446]: DNSSEC validation enabled
Apr 12 08:42:30 FREE daemon.info dnsmasq-dhcp[1446]: DHCP, IP range 192.168.1.100 -- 192.168.1.149, lease time 1d
Apr 12 08:42:30 FREE user.info : dnsmasq : dnsmasq daemon successfully started
Apr 12 08:42:30 FREE daemon.info dnsmasq[1446]: reading /tmp/resolv.dnsmasq
Apr 12 08:42:30 FREE daemon.info dnsmasq[1446]: using nameserver 1.1.1.1#53
Apr 12 08:42:30 FREE daemon.info dnsmasq[1446]: using nameserver 1.0.0.1#53
Apr 12 08:42:30 FREE daemon.info dnsmasq[1446]: using nameserver 208.67.222.222#53
Apr 12 08:42:30 FREE daemon.info dnsmasq[1446]: using nameserver 75.75.76.76#53
Apr 12 08:42:30 FREE daemon.info dnsmasq[1446]: using nameserver 75.75.75.75#53
Apr 12 08:42:30 FREE daemon.info dnsmasq[1446]: read /etc/hosts - 2 addresses
Apr 12 08:42:32 FREE daemon.notice openvpn[1238]: Initialization Sequence Completed
Apr 12 08:42:34 FREE daemon.info dnsmasq[1446]: reading /tmp/resolv.dnsmasq
Apr 12 08:42:34 FREE daemon.info dnsmasq[1446]: using nameserver 37.230.175.3#53
Apr 12 08:42:34 FREE daemon.info dnsmasq[1446]: using nameserver 10.1.35.11#53
Apr 12 08:42:34 FREE daemon.info dnsmasq[1446]: using nameserver 1.1.1.1#53
Apr 12 08:42:34 FREE daemon.info dnsmasq[1446]: using nameserver 1.0.0.1#53
Apr 12 08:42:34 FREE daemon.info dnsmasq[1446]: using nameserver 208.67.222.222#53
Apr 12 08:42:34 FREE daemon.info dnsmasq[1446]: using nameserver 75.75.76.76#53
Apr 12 08:42:34 FREE daemon.info dnsmasq[1446]: using nameserver 75.75.75.75#53
Apr 12 08:42:34 FREE daemon.info dnsmasq-dhcp[1446]: DHCPDISCOVER(br0) a4:77:33:94:4c:f2
Apr 12 08:42:34 FREE daemon.info dnsmasq-dhcp[1446]: DHCPOFFER(br0) 192.168.1.118 a4:88:33:94:4c:f2
Apr 12 08:42:34 FREE daemon.info dnsmasq-dhcp[1446]: DHCPREQUEST(br0) 192.168.1.118 a4:88:33:94:4c:f2
Apr 12 08:42:34 FREE daemon.info dnsmasq-dhcp[1446]: DHCPACK(br0) 192.168.1.118 a4:88:33:94:4c:f2 Chromecast

SNIP

The 37.230.175.3 is PureVPN and 10.1.35.11 is obviously internal, but the 75.75.76.75 and 75.75.76.76 addresses are Comcast.

Any thoughts on how to block these? Thanks!

Janx
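
Added example, not part of EdJanx's post: a POSIX sh check that reads dnsmasq syslog lines like the ones above and prints the upstream resolvers from the most recent resolv.dnsmasq load that are not on an allow list. The function names and the embedded sample lines are constructed for illustration.

```shell
# Constructed sample: dnsmasq lines in the format of the syslog excerpt above.
sample_dnsmasq_log() {
cat <<'EOF'
Apr 12 08:42:30 FREE daemon.info dnsmasq[1446]: reading /tmp/resolv.dnsmasq
Apr 12 08:42:30 FREE daemon.info dnsmasq[1446]: using nameserver 1.1.1.1#53
Apr 12 08:42:30 FREE daemon.info dnsmasq[1446]: using nameserver 75.75.75.75#53
Apr 12 08:42:32 FREE daemon.notice openvpn[1238]: Initialization Sequence Completed
Apr 12 08:42:34 FREE daemon.info dnsmasq[1446]: reading /tmp/resolv.dnsmasq
Apr 12 08:42:34 FREE daemon.info dnsmasq[1446]: using nameserver 37.230.175.3#53
Apr 12 08:42:34 FREE daemon.info dnsmasq[1446]: using nameserver 10.1.35.11#53
Apr 12 08:42:34 FREE daemon.info dnsmasq[1446]: using nameserver 1.1.1.1#53
Apr 12 08:42:34 FREE daemon.info dnsmasq[1446]: using nameserver 75.75.76.76#53
Apr 12 08:42:34 FREE daemon.info dnsmasq[1446]: using nameserver 75.75.75.75#53
EOF
}

# unexpected_resolvers "ip ip ..." < syslog
# Every "reading" line starts a fresh resolver set, so only the last set
# (what dnsmasq is forwarding to now) is compared against the allow list.
unexpected_resolvers() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /dnsmasq\[[0-9]+\]: reading / { cnt = 0 }
    /dnsmasq\[[0-9]+\]: using nameserver / {
      for (i = 1; i < NF; i++) if ($i == "nameserver") ip = $(i + 1)
      sub(/#.*/, "", ip)          # drop the "#53" port suffix
      seen[++cnt] = ip
    }
    END { for (i = 1; i <= cnt; i++) if (!(seen[i] in ok)) print seen[i] }
  '
}

# Allow list: the VPN-pushed resolvers plus the ones configured by hand.
sample_dnsmasq_log | unexpected_resolvers \
  "37.230.175.3 10.1.35.11 1.1.1.1 1.0.0.1 208.67.222.222"
```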
EdJanx
DD-WRT Novice


Joined: 09 Nov 2016
Posts: 14

Posted: Sat Apr 14, 2018 3:59    Post subject: Re: Thanks
sploit wrote:

But I got so frustrated with this particular vpn company I just wanted to help out others who don't have that much skill to not want to put a gun to their heads.


I've wasted countless weekends over the years feeling just as you described @sploit, so thank you very much for your help supporting those of us poor suckers who bought lifetime memberships to the absolute worst VPN provider for routers - PureVPN.

Janx
Premoz
DD-WRT Novice


Joined: 09 May 2018
Posts: 4

Posted: Wed May 09, 2018 9:34    Post subject:
Thanks for this sploit, it worked for me for quite some time but now I'm not sure what is going on. I actually emailed a support email address thinking I might reach you there but decided to try here also.

I have tried resetting the modem and reapplied your script but have to remove this line for it to work at all:

tls-cipher "DEFAULT:@SECLEVEL=0"

Everything still seems to connect for me but I just can't connect to any web addresses due to DNS.

Here is what my log says. If anyone else has any ideas I'd be really keen to hear from you :)

Client: CONNECTED SUCCESS


Local Address: 23.229.3.195 
Remote Address: 23.229.3.195 

Status
VPN Client Stats


TUN/TAP read bytes 280
TUN/TAP write bytes 167
TCP/UDP read bytes 6131
TCP/UDP write bytes 2421
Auth read bytes 167
pre-compress bytes 0
post-compress bytes 0
pre-decompress bytes 152
post-decompress bytes 167

LogClientlog: 
20180509 02:24:15 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16 
20180509 02:24:15 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 
20180509 02:24:15 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication 
20180509 02:24:15 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication 
20180509 02:24:15 I TCP/UDP: Preserving recently used remote address: [AF_INET]23.229.3.126:53 
20180509 02:24:15 Socket Buffers: R=[172032->344064] S=[172032->344064] 
20180509 02:24:15 I UDPv4 link local: (not bound) 
20180509 02:24:15 I UDPv4 link remote: [AF_INET]23.229.3.126:53 
20180509 02:24:15 TLS: Initial packet from [AF_INET]23.229.3.126:53 sid=3177ce36 17f0378f 
20180509 02:24:15 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this 
20180509 02:24:15 VERIFY OK: depth=1 C=HK ST=HK L=HongKong O=PureVPN OU=IT CN=PureVPN name=PureVPN emailAddress=mail@host.domain 
20180509 02:24:15 VERIFY KU OK 
20180509 02:24:15 Validating certificate extended key usage 
20180509 02:24:15 ++ Certificate has EKU (str) TLS Web Server Authentication expects TLS Web Server Authentication 
20180509 02:24:15 VERIFY EKU OK 
20180509 02:24:15 VERIFY OK: depth=0 C=HK ST=HK L=HongKong O=PureVPN OU=IT CN=PureVPN name=PureVPN emailAddress=mail@host.domain 
20180509 02:24:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20180509 02:24:32 D MANAGEMENT: CMD 'state' 
20180509 02:24:32 MANAGEMENT: Client disconnected 
20180509 02:24:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20180509 02:24:32 D MANAGEMENT: CMD 'state' 
20180509 02:24:32 MANAGEMENT: Client disconnected 
20180509 02:24:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20180509 02:24:32 D MANAGEMENT: CMD 'state' 
20180509 02:24:32 MANAGEMENT: Client disconnected 
20180509 02:24:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20180509 02:24:32 D MANAGEMENT: CMD 'status 2' 
20180509 02:24:32 MANAGEMENT: Client disconnected 
20180509 02:24:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20180509 02:24:32 D MANAGEMENT: CMD 'log 500' 
20180509 02:24:32 MANAGEMENT: Client disconnected 
20180509 02:24:33 Control Channel: TLSv1.2 cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384 2048 bit RSA 
20180509 02:24:33 I [PureVPN] Peer Connection Initiated with [AF_INET]23.229.3.126:53 
20180509 02:24:34 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20180509 02:24:34 SENT CONTROL [PureVPN]: 'PUSH_REQUEST' (status=1) 
20180509 02:24:34 D MANAGEMENT: CMD 'state' 
20180509 02:24:34 MANAGEMENT: Client disconnected 
20180509 02:24:34 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20180509 02:24:34 D MANAGEMENT: CMD 'state' 
20180509 02:24:34 MANAGEMENT: Client disconnected 
20180509 02:24:34 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20180509 02:24:34 D MANAGEMENT: CMD 'state' 
20180509 02:24:34 MANAGEMENT: Client disconnected 
20180509 02:24:34 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20180509 02:24:34 D MANAGEMENT: CMD 'status 2' 
20180509 02:24:34 MANAGEMENT: Client disconnected 
20180509 02:24:34 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 dhcp-option DNS 23.229.3.4 dhcp-option DNS 10.16.2.1 sndbuf 393216 rcvbuf 393216 route-gateway 23.229.3.193 topology subnet ping 10 ping-restart 120 ifconfig 23.229.3.195 255.255.255.192' 
20180509 02:24:34 OPTIONS IMPORT: timers and/or timeouts modified 
20180509 02:24:34 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified 
20180509 02:24:34 Socket Buffers: R=[344064->344064] S=[344064->344064] 
20180509 02:24:34 OPTIONS IMPORT: --ifconfig/up options modified 
20180509 02:24:34 OPTIONS IMPORT: route options modified 
20180509 02:24:34 OPTIONS IMPORT: route-related options modified 
20180509 02:24:34 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified 
20180509 02:24:34 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key 
20180509 02:24:34 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication 
20180509 02:24:34 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key 
20180509 02:24:34 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication 
20180509 02:24:34 I TUN/TAP device tun1 opened 
20180509 02:24:34 TUN/TAP TX queue length set to 100 
20180509 02:24:34 D do_ifconfig tt->did_ifconfig_ipv6_setup=0 
20180509 02:24:34 I /sbin/ifconfig tun1 23.229.3.195 netmask 255.255.255.192 mtu 1500 broadcast 23.229.3.255 
20180509 02:24:35 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20180509 02:24:35 D MANAGEMENT: CMD 'log 500' 
20180509 02:24:35 MANAGEMENT: Client disconnected 
20180509 02:24:36 /sbin/route add -net 23.229.3.126 netmask 255.255.255.255 gw 192.168.1.1 
20180509 02:24:36 W ERROR: Linux route add command failed: external program exited with error status: 255 
20180509 02:24:36 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 23.229.3.193 
20180509 02:24:36 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 23.229.3.193 
20180509 02:24:36 /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw 23.229.3.193 
20180509 02:24:36 I Initialization Sequence Completed 
20180509 02:24:36 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20180509 02:24:36 D MANAGEMENT: CMD 'state' 
20180509 02:24:36 MANAGEMENT: Client disconnected 
20180509 02:24:36 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20180509 02:24:36 D MANAGEMENT: CMD 'state' 
20180509 02:24:36 MANAGEMENT: Client disconnected 
20180509 02:24:36 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20180509 02:24:36 D MANAGEMENT: CMD 'state' 
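
Added example, not from any poster or from the install script: sploit's tls-cipher "DEFAULT:@SECLEVEL=0" line sets the OpenSSL security level to 0, which turns off the library's minimum key-size and algorithm checks, so the client log is where you see what was actually negotiated. This POSIX sh audit reads a config and a log in the format posted above; the function names, the 2048-bit default threshold and the embedded sample are constructed for illustration.

```shell
# Constructed input: the tls-cipher line from this thread and client-log lines
# in the format posted above.
sample_config() { printf '%s\n' 'tls-cipher "DEFAULT:@SECLEVEL=0"'; }
sample_ovpn_log() {
cat <<'EOF'
20180509 02:24:33 Control Channel: TLSv1.2 cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384 2048 bit RSA
20180509 02:24:34 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
20180509 02:24:34 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
EOF
}

# config_seclevel < config
# Prints the level requested by the last tls-cipher line, or "unset".
config_seclevel() {
  awk '
    $1 == "tls-cipher" {
      lvl = "unset"
      if (match($0, /@SECLEVEL=[0-9]+/))
        lvl = substr($0, RSTART + 10, RLENGTH - 10)   # skip "@SECLEVEL="
    }
    END { print (lvl == "" ? "unset" : lvl) }'
}

# negotiated < client log
# Prints what the last handshake in the log settled on.
negotiated() {
  awk '
    / Control Channel: TLSv/ {
      gsub(/,/, "")               # some builds separate the fields with commas
      for (i = 1; i < NF; i++) if ($i == "Channel:") tls = $(i + 1)
      suite = $(NF - 3); bits = $(NF - 2)
    }
    / Data Channel Encrypt: Cipher / { split($0, q, "\047"); data = q[2] }
    / Data Channel Encrypt: Using /  { split($0, q, "\047"); hmac = q[2] }
    END { printf "tls=%s suite=%s key=%s data=%s hmac=%s\n", tls, suite, bits, data, hmac }'
}

# audit <config-file> <log-file> [min-key-bits]: one finding per line.
audit() {
  lvl=$(config_seclevel < "$1"); neg=$(negotiated < "$2"); min=${3:-2048}
  [ "$lvl" = 0 ] && echo "WARN seclevel=0: OpenSSL strength floor disabled"
  bits=${neg#*key=}; bits=${bits%% *}
  [ -n "$bits" ] && [ "$bits" -lt "$min" ] && echo "WARN key=$bits below $min"
  echo "INFO $neg"
}
```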
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 298
Location: California

Posted: Wed May 09, 2018 19:56    Post subject: Server
Have you tried a different server?

I am not tech support for PureVPN :)

Premoz
DD-WRT Novice


Joined: 09 May 2018
Posts: 4

Posted: Wed May 09, 2018 23:18    Post subject: Re: Server
sploit wrote:
Have you tried a different server?

I am not tech support for PureVPN :)


Yeah man I tried a few different ones.

That's all good man, thanks for your reply. I'll keep trying different things. Can I buy you a coffee anyways? This has been a god send while it worked :D
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 298
Location: California

Posted: Thu May 10, 2018 0:04    Post subject: IF something changed on PureVPN's side it could cause a prob
IF something changed on PureVPN's side it could cause a problem also. That company does that frequently.

If you are getting a connected success but not getting data throughput it could be dns, but likely it is the encryption algorithm that is off.

I haven't installed them in a while so I should test them on a router really quick

Premoz
DD-WRT Novice


Joined: 09 May 2018
Posts: 4

Posted: Thu May 10, 2018 21:17    Post subject:
I'd be interested if you find anything :) Just about had enough and might give windscribe a go.
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 298
Location: California

Posted: Thu May 10, 2018 22:33    Post subject: PIA
Go with PIA unless you have a good reason not to
Premoz
DD-WRT Novice


Joined: 09 May 2018
Posts: 4

Posted: Thu May 10, 2018 22:59    Post subject:
Aight thanks for the advice bro.
rnio
DD-WRT User


Joined: 21 Apr 2012
Posts: 94

Posted: Sat Nov 17, 2018 0:24    Post subject: Re: Most VPN Manuals are outdated
Works as advertised.

PureVPN still uses the outdated certs as default. The script sets DD-WRT to ignore those errors among many other settings.

Support will try to give you a NEW cert, which works ... with a different set of servers. See: https://bbs.archlinux.org/viewtopic.php?id=233446

Quote:
The server is: nl2-ovpn-udp.pointtoserver.com for UDP and nl2-ovpn-tcp.pointtoserver.com for TCP but I live in Holland. You can simply replace "nl" with the right country-code.



==> sploit's script is sooo much better :)

THANKS FOR THE WORK !!

Robert
PeterTosh
DD-WRT Novice


Joined: 15 Aug 2017
Posts: 12

Posted: Sat Nov 17, 2018 6:09    Post subject:
With the replacement crt script from purevpn can you use a wrt firmware newer than September 2017.
I use sploit's code and it works.
I have tried changing the DNS to 1.1.1.1 & 1.0.0.1
They have a slower connection. And crash my router. So I have gone back to the original

_________________
£££££££££££££££

Linksys 1900acsv2 dd-wrt r32170
Asus rtn56u not in use
hard wired
Vusolo2
Android tv
Windows 10 pc
Try Once .. Try Again ... Keep Going
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 298
Location: California

Posted: Tue Apr 30, 2019 23:35    Post subject: Script Updated
Thank you @ Peter Tosh

He informed me that purevpn changed their certs and I updated the script with the newest data.

The install from the .com works perfect from start to finish and uses the New Version 2 SSL certs

Make sure and refer to the start page 1 of this thread for anyone who comes to this page by accident.
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=307250&postdays=0&postorder=asc&start=0

All times are GMT.