OpenVPN Private Internet Access client setup for NextGen

Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking
Goto page Previous  1, 2, 3  Next
Author Message
joyTECH
DD-WRT Novice


Joined: 14 Sep 2020
Posts: 2

PostPosted: Mon Sep 14, 2020 17:05    Post subject: Reply with quote
egc wrote:
Those 4 DNS servers are also what I learned from PIA.
.242 and .243 are the ones being pushed at this moment.

Added the link to the guide, thanks for asking:
https://www.privateinternetaccess.com/helpdesk/kb/articles/next-generation-dns-custom-configuration


Their support staff NEVER mentioned this on PIA's reddit, and I didn't see it posted on their forum on their site either.

Thank you again!
Sponsor
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10065
Location: Netherlands

PostPosted: Mon Sep 14, 2020 17:14    Post subject: Reply with quote
Their support sucks big time.

Their current setup guide is not only outdated it is wrong.

I contacted them and explained to them what is wrong and that I was willing to provide a working one (for free mind you) (which you fortunately found Smile ) but they were not interested.

I will not renew my subscription, I also have Keepsolid which I use for WireGuard and VPN and Azire which I use for Wireguard, both are OK (but I have a developers account with them so I could be prejudiced Smile ).

_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
blkt
DD-WRT Guru


Joined: 20 Jan 2019
Posts: 4123

PostPosted: Mon Sep 14, 2020 18:25    Post subject: Reply with quote
I want my VPN to be run by an Israeli company that keeps changing names after creating malware.

https://duckduckgo.com/?q=PIA+kape+crossrider+cyberghost+zenmate
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 5180
Location: UK, London, just across the river..

PostPosted: Mon Sep 14, 2020 20:36    Post subject: Reply with quote
well...so far still useful to use stub resolvers or DNSCrypt..probb Unbound and SmartDNS(DoT) too...
as they go inside the VPN channel stealthy Razz Twisted Evil Twisted Evil Twisted Evil
otherwise if PIA fksup badly, ive 1 more year to go... Sad hope not, so far they are solid, but their guide is a total mess... god bless egc for his useful guides...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 49599 WAP
TP-Link WR1043NDv2 -DD-WRT 49599 Gateway,DNS,AP Isolation,Ad-Block,Firewall,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 -DD-WRT 49599 Gateway,DNS,Ad-Block,Firewall,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 -Gargoyle OS 1.13.0b AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear R7800 --DD-WRT 49626 Gateway,DNS,AD-Block,AP&Net Isolation,VLAN's,Firewall,DoT,Vanilla
Netgear R9000 --DD-WRT 49599 Gateway,DNS,AD-Block,AP Isolation,Firewall,Forced DNS,DoT,2,4Ghz only,Vanilla
Broadcom
Netgear R7000 ---DD-WRT 49626 Gateway,DNS,AD-Block,Firewall,Forced DNS,VLAN's,DoT,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913
a15995
DD-WRT User


Joined: 18 Oct 2016
Posts: 73
Location: Copenhagen, Denmark

PostPosted: Tue Sep 15, 2020 18:03    Post subject: Reply with quote
egc wrote:
Edit: @Alozoros was just ahead of me and basically telling the same Smile

Now on to your questions
DNSmasq is using servers from resolv.dnsmasq you can specify additional server like:
server=9.9.9.9
But that does not stop DNSMAsq to read resolv.dnsmasq.
For that you have to add:
no-resolv


Thanks egc and Alozoros!

I finally figured it out and I'm embarrassed to say that it was an error 40.

I don't know why I keep forgetting that DNS servers are stored in cache and this cache wasn't flushed. That meant that I kept getting wrong DNS servers because I changed the DD-WRT settings all the time.

In the end I used an old computer (new to the network) to verify all the settings.

Basically there was nothing wrong with the settings I posted.

The main point for achieving what I wanted (PBR) was to make sure no servers were pushed from PIA:

Code:
pull-filter ignore "dhcp-option DNS" # If not used ALL DNS servers default to the ones pushed by PIA (global DNS requests through PIA DNS)


But thanks for struggling with me - I guess I still have a lot to learn about DNSMasq and the workings of DD-WRT.

_________________
/Søren
Netgear Nighthawk X4S (R7800 ver. 1) | Atheros/Qualcomm | IPQ8065 dual-core 1.7 GHz | AC2600 | 512 MB RAM | 128 MB FLASH | 128 KB NVRAM
Firmware: DD-WRT v3.0-r49139 std (06/10/22)
Install guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614

portsup
DD-WRT User


Joined: 20 Oct 2018
Posts: 158

PostPosted: Tue Sep 29, 2020 7:56    Post subject: Reply with quote
I have updated my previous post about PIA, portforwarding and transmission so it works with next gen.

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1218149
a15995
DD-WRT User


Joined: 18 Oct 2016
Posts: 73
Location: Copenhagen, Denmark

PostPosted: Tue Oct 27, 2020 12:12    Post subject: Speedtest... Reply with quote
I have come about a new Android client and tried speedtesting it.

When using PBR on the router (VPN on the router) and not connecting the VPN-client on the Android client I get around 30 Mbps downstream.

When not using PBR on the router (direct) and connecting the VPN-client on the Android client I get around 70 Mbps downstream.

So, half of the bandwith by using the VPN client on the router. My total downstream bandwith is 300 Mbps. Upstream bandwith is at 90% of total, regardless.

I have tried different servers and DNS on the router but the speed remains half.

I prefer PIA-servers in the Netherlands but apparently there are at least two NS: nl-amsterdam.privacy.network and the one used in the guide - nl.privacy.network.

Any obvious reasons why I get so different results?

_________________
/Søren
Netgear Nighthawk X4S (R7800 ver. 1) | Atheros/Qualcomm | IPQ8065 dual-core 1.7 GHz | AC2600 | 512 MB RAM | 128 MB FLASH | 128 KB NVRAM
Firmware: DD-WRT v3.0-r49139 std (06/10/22)
Install guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10065
Location: Netherlands

PostPosted: Tue Oct 27, 2020 12:59    Post subject: Reply with quote
VPN speed is CPU intensive so dependant on router used (and how the router is taxed)

I mostly use WireGuard which is about 3 times faster

About PIA servers ask PIA

I canceled my subscription no WireGuard on the router (yet, they have been promising it) and bad support

_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
a15995
DD-WRT User


Joined: 18 Oct 2016
Posts: 73
Location: Copenhagen, Denmark

PostPosted: Tue Oct 27, 2020 13:08    Post subject: Reply with quote
egc wrote:
VPN speed is CPU intensive so dependant on router used (and how the router is taxed)

I mostly use WireGuard which is about 3 times faster

About PIA servers ask PIA

I canceled my subscription no WireGuard on the router (yet, they have been promising it) and bad support


OK, but on my old router (DIR-825) I used to register around 70 Mbps (old servers). This router should be able to do better than 30 Mbps. Probably something to do with the new servers...

_________________
/Søren
Netgear Nighthawk X4S (R7800 ver. 1) | Atheros/Qualcomm | IPQ8065 dual-core 1.7 GHz | AC2600 | 512 MB RAM | 128 MB FLASH | 128 KB NVRAM
Firmware: DD-WRT v3.0-r49139 std (06/10/22)
Install guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10065
Location: Netherlands

PostPosted: Tue Oct 27, 2020 13:12    Post subject: Reply with quote
a15995 wrote:
egc wrote:
VPN speed is CPU intensive so dependant on router used (and how the router is taxed)

I mostly use WireGuard which is about 3 times faster

About PIA servers ask PIA

I canceled my subscription no WireGuard on the router (yet, they have been promising it) and bad support


OK, but on my old router (DIR-825) I used to register around 70 Mbps (old servers). This router should be able to do better than 30 Mbps. Probably something to do with the new servers...


As far as I know the DIR 825 has a single core Atheros CPU at around 600 MHz, 70 Mb/s running VPN seems higher than expected Shocked

_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
a15995
DD-WRT User


Joined: 18 Oct 2016
Posts: 73
Location: Copenhagen, Denmark

PostPosted: Wed Oct 28, 2020 12:38    Post subject: Reply with quote
egc wrote:
a15995 wrote:
egc wrote:
VPN speed is CPU intensive so dependant on router used (and how the router is taxed)

I mostly use WireGuard which is about 3 times faster

About PIA servers ask PIA

I canceled my subscription no WireGuard on the router (yet, they have been promising it) and bad support


OK, but on my old router (DIR-825) I used to register around 70 Mbps (old servers). This router should be able to do better than 30 Mbps. Probably something to do with the new servers...


As far as I know the DIR 825 has a single core Atheros CPU at around 600 MHz, 70 Mb/s running VPN seems higher than expected Shocked


I've had some help from PIA and managed to achieve 74 Mbps (peaking at 80 Mbps) downstream and 56 Mbps upstream with DD-WRT. This is with a capacity of max 110 Mbps (wireless 5 Ghz). So around 70% down and close to 90% up. This is roughly the same result the client gets when connected through the Android app.

This is what I've changed/added:

Code:
Compression: Adaptive
MTU: 1438

Additional Config:
sndbuf 393216
rcvbuf 393216


I also changed the name of the server to an IP to prevent DNS lookup errors. This didn't do much for the speed though.

I could probably tune it even more but right now I'm pretty pleased with gaining more than 100% from the outset...

_________________
/Søren
Netgear Nighthawk X4S (R7800 ver. 1) | Atheros/Qualcomm | IPQ8065 dual-core 1.7 GHz | AC2600 | 512 MB RAM | 128 MB FLASH | 128 KB NVRAM
Firmware: DD-WRT v3.0-r49139 std (06/10/22)
Install guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614

a15995
DD-WRT User


Joined: 18 Oct 2016
Posts: 73
Location: Copenhagen, Denmark

PostPosted: Wed Nov 04, 2020 9:28    Post subject: Old router as Wireguard client/proxy... Reply with quote
Hello egc and others!

Just a quick question - would it make sense to use my old DIR-825 as a Wireguard proxy to a cloud PiHole? I mean, I could decentralize the processing power to a 680 Mhz single core CPU on that old thing...

I realize that I would encounter some bridging challenges but is it worth the while?

I'm thinking R7800/DNS-request ---LAN---> DIR-825/proxy/WG-client ---VPN---> Cloud PiHole ---> DNS-response/PiHole

I would set the DIR-825 up as non-DHCP and connect it to a LAN-port. DD-WRT would be set up as minimum as possible (build?).

The main challenge in this setup would be how to connect to the internet - can DNS requests be sent back through my R7800 to the internet or should both devices be connected directly to the internet (I have a modem with multiple ports but my provider would probably only allow one connection at a time)?

So, is this achievable/feasible?

Thanks,

_________________
/Søren
Netgear Nighthawk X4S (R7800 ver. 1) | Atheros/Qualcomm | IPQ8065 dual-core 1.7 GHz | AC2600 | 512 MB RAM | 128 MB FLASH | 128 KB NVRAM
Firmware: DD-WRT v3.0-r49139 std (06/10/22)
Install guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10065
Location: Netherlands

PostPosted: Wed Nov 04, 2020 9:36    Post subject: Re: Old router as Wireguard client/proxy... Reply with quote
a15995 wrote:
Hello egc and others!

Just a quick question - would it make sense to use my old DIR-825 as a Wireguard proxy to a cloud PiHole? I mean, I could decentralize the processing power to a 680 Mhz single core CPU on that old thing...

I realize that I would encounter some bridging challenges but is it worth the while?

I'm thinking R7800/DNS-request ---LAN---> DIR-825/proxy/WG-client ---VPN---> Cloud PiHole ---> DNS-response/PiHole

I would set the DIR-825 up as non-DHCP and connect it to a LAN-port. DD-WRT would be set up as minimum as possible (build?).

The main challenge in this setup would be how to connect to the internet - can DNS requests be sent back through my R7800 to the internet or should both devices be connected directly to the internet (I have a modem with multiple ports but my provider would probably only allow one connection at a time)?

So, is this achievable/feasible?

Thanks,


Theoretically yes I think so, you set the DIR as DNS server for the R7800 and then on the DIR make a connection with WG to the PiHole and set this as the DNS server for the DIR

_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
a15995
DD-WRT User


Joined: 18 Oct 2016
Posts: 73
Location: Copenhagen, Denmark

PostPosted: Wed Nov 18, 2020 9:07    Post subject: Best practice - encryption and data ciphers... Reply with quote
Hello!

Does anyone know what to put in these (see attached) - new in OpenVPN 2.5.0 (DD-WRT r-44809 std)?

What is best practice and what do they mean? I have set mine as can be seen.

FYI: PIA has closed down the nl.privacy.network (92.119.179.123 - not responding) - use nl-amsterdam.privacy.network (143.244.43.71) instead (seems a bit slower though)...

Thanks,

_________________
/Søren
Netgear Nighthawk X4S (R7800 ver. 1) | Atheros/Qualcomm | IPQ8065 dual-core 1.7 GHz | AC2600 | 512 MB RAM | 128 MB FLASH | 128 KB NVRAM
Firmware: DD-WRT v3.0-r49139 std (06/10/22)
Install guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10065
Location: Netherlands

PostPosted: Wed Nov 18, 2020 11:47    Post subject: Reply with quote
For some general OVPN 2.5 information see: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=326913

You are using their new network so that should support AES-128-GCM.

So set this as Encryption cipher and as the first Data cipher
Second datacipher AES-256-GCM
Third datacipher their old cipher: AES-128-CBC

If you use verb 6 you will see what TLS and Encryption is used

_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Goto page Previous  1, 2, 3  Next Display posts from previous:    Page 2 of 3
Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum