Joined: 18 Mar 2014 Posts: 12834 Location: Netherlands
Posted: Thu Sep 03, 2020 10:44 Post subject: OpenVPN Private Internet Access client setup for NextGen
Some notes about how to set up an OpenVPN client on Private Internet Access.
As they are not (perhaps they do now) supporting WireGuard on the router, although they have been promising this for a long time, I quit using PIA, so this guide is no longer maintained.
Joined: 16 Nov 2015 Posts: 6407 Location: UK, London, just across the river..
Posted: Thu Sep 03, 2020 19:58 Post subject:
just add somewhere... that NTP time is vital... either use the default DDWRT time zones or time zones + IP if external NTP is preferred...
_________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Joined: 18 Mar 2014 Posts: 12834 Location: Netherlands
Posted: Thu Sep 10, 2020 10:55 Post subject:
a15995 wrote:
Excellent work!
Concerning the killswitch, can you/anyone explain the difference between these two:
Code:
iptables -I FORWARD -s 192.168.1.64/26 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.1.64/26 -o $(nvram get wan_iface) -j DROP
Thanks,
I prefer the first one for three reasons (although both should work):
get_wanface works in about 99% of the cases, nvram get wan_iface works in about 98%.
State NEW will leave a possible port forward open, but still stops clients from making an outbound connection.
REJECT will let the client know it does not work, instead of DROP, which keeps the client waiting until it eventually times out; as these are your own clients REJECT is better, you would use DROP to stop connections from outside.
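As an added example (not code from the thread or from DD-WRT), here is a firewall-script snippet that applies the REJECT / --state NEW kill switch discussed above in the three forms that come up in this thread: a PBR subnet, a VAP (wl0.1 on Broadcom, ath0.1 on Atheros such as the R7800) and a single PBR client on a WAP. get_wanface and nvram are DD-WRT's own tools; the fallback interface name vlan2, the dry-run helper and the sample addresses are assumptions so the script can be exercised off-router.

```shell
#!/bin/sh
# Added example, not from the thread: kill-switch rules for DD-WRT's firewall script.
# Assumptions: fallback WAN name vlan2 and the dry-run helper exist only for off-router use.

IPT="${IPT:-iptables}"   # set IPT=dry_run_iptables to print rules instead of applying them

dry_run_iptables() {     # prints the command that would have been run
  printf '%s\n' "iptables $*"
}

# WAN interface: get_wanface first (the more reliable of the two), then nvram.
wan_iface() {
  if command -v get_wanface >/dev/null 2>&1; then
    get_wanface
  elif command -v nvram >/dev/null 2>&1; then
    nvram get wan_iface
  else
    echo "${WAN_IFACE_FALLBACK:-vlan2}"   # assumption for off-router use
  fi
}

# Insert into FORWARD only if the identical rule is not already there (-C), so a
# firewall script that runs again on every WAN up does not stack duplicate rules.
add_forward() {
  if [ "$IPT" = "iptables" ]; then
    iptables -C FORWARD "$@" 2>/dev/null || iptables -I FORWARD "$@"
  else
    "$IPT" -I FORWARD "$@"
  fi
}

# (a) PBR subnet: new outbound connections from the range may not leave via the WAN.
#     --state NEW leaves replies to an existing port forward alone; REJECT fails the
#     client's connection at once instead of letting it hang until it times out.
killswitch_subnet() {      # $1 = CIDR, $2 = WAN interface
  add_forward -s "$1" -o "$2" -m state --state NEW -j REJECT
}

# (b) Per-interface: everything behind the VAP is cut off from the WAN; other internal
#     interfaces stay reachable because only WAN-bound NEW connections match.
killswitch_iface() {       # $1 = VAP (wl0.1 / ath0.1), $2 = WAN interface
  add_forward -i "$1" -o "$2" -m state --state NEW -j REJECT
}

# (c) WAP: the access point has no WAN interface of its own, so the rule from the
#     PBR guide matches the client's address on br0 instead.
killswitch_wap_client() {  # $1 = client IP
  add_forward -i br0 -s "$1" -o br0 -j REJECT
}

apply_all() {              # what the firewall script would call on a gateway
  wan=$(wan_iface)
  killswitch_subnet 192.168.1.64/26 "$wan"   # constructed sample range
  killswitch_iface ath0.1 "$wan"
}

# Run with the argument "apply" on the router; without it, only print the rules.
if [ "${1:-}" = "apply" ]; then
  apply_all
else
  ( IPT=dry_run_iptables; apply_all )
fi
```

Pasting the functions into Administration > Commands > Firewall and calling them from there keeps the rules in place across reboots; the -C check matters because DD-WRT re-runs that script, and each unchecked -I would otherwise add one more copy of the rule.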
Joined: 18 Oct 2016 Posts: 96 Location: Copenhagen, Denmark
Posted: Thu Sep 10, 2020 12:33 Post subject:
egc wrote:
a15995 wrote:
Excellent work!
Concerning the killswitch, can you/anyone explain the difference between these two:
Code:
iptables -I FORWARD -s 192.168.1.64/26 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.1.64/26 -o $(nvram get wan_iface) -j DROP
Thanks,
I prefer the first one for three reasons (although both should work):
get_wanface works in about 99% of the cases, nvram get wan_iface works in about 98%.
State NEW will leave a possible port forward open, but still stops clients from making an outbound connection.
REJECT will let the client know it does not work, instead of DROP, which keeps the client waiting until it eventually times out; as these are your own clients REJECT is better, you would use DROP to stop connections from outside.
Just my take
Thanks, and I totally agree. Will change to REJECT.
Two quick questions since I am now up and running again on my PIA connection :
Do you know if they have moved their speedtest somewhere else, as this does not work with next gen?
Code:
http://[VPN IP]:8888/speedtest
I'm a little confused about this in your PBR guide (which is locked, so sorry if off-topic):
Code:
You can also set a kill switch per interface suppose you have created a VAP wl0.1 and want to prevent WAN access:
iptables -I FORWARD -i wl0.1 -o $(get_wanface) -m state --state NEW -j REJECT
-m state --state NEW is used here so as to allow access from other internal addresses, if you do not want this you can omit this.
Kill switch for PBR on a WAP:
iptables -I FORWARD -i br0 -s 192.168.1.150 -o br0 -j REJECT
I presume I would replace wl0.1 with ath0.1 on R7800?
What is the difference between kill switch per interface and PBR on a WAP?
Joined: 18 Oct 2016 Posts: 96 Location: Copenhagen, Denmark
Posted: Mon Sep 14, 2020 8:12 Post subject:
Thanks for your help egc!
I hope my feedback in this thread will help others. I have read your guides on VPN, PBR and the problems in relation to this. I'm on an R7800 and use PIA VPN, and I'm trying to achieve the following with nextgen, which worked with the legacy setup (server *.privateinternetaccess.com):
Default (wired/wireless): All new devices are NOT on VPN and on DNS servers specified in the setup tab
Specific devices (kids): Not on VPN but on special DNS servers specified in Dnsmasq
Specific VPN devices (PBR): On VPN and on PIA DNS servers (through tunnel)
Guest network (0.1 and 1.1): All devices on VPN (PBR specified IP range - 192.168.2.200-254 and 192.168.3.200-254) and on PIA DNS servers (through tunnel)
This is what I have done:
Default (wired/wireless): Specified DNS servers in the setup tab and ticked Ignore WAN DNS, Use DNSMasq for DNS and DHCP-Authoritative (and Forced DNS Redirection). Services tab setup as seen below.
Specific devices (kids): DNS servers specified in conf-file=/jffs/dns/dnsmasq.familyshield.conf (using tags as seen below)
Specific VPN devices (PBR): Right now only one specified as seen below using tags
Guest network (0.1 and 1.1): DNS server 10.0.0.241 specified in the Wireless tab under Optional DNS Target
I have set up VPN as per your guide with the following in Additional config:
Code:
#block pulling PIA DNS servers
pull-filter ignore "dhcp-option DNS" # If not used ALL DNS requests are sent through the VPN tunnel
#make sure DNS servers are always routed via the tunnel in case of PBR
route 10.0.0.241 255.255.255.255 vpn_gateway #DNS+Streaming+MACE
route 10.0.0.242 255.255.255.255 vpn_gateway #DNS
route 10.0.0.243 255.255.255.255 vpn_gateway #DNS+Streaming
route 10.0.0.244 255.255.255.255 vpn_gateway #DNS+MACE
This works fine except that DNSMasq servers seem to be ignored (DNS servers used are the ones in the Setup tab, not the ones specified under Additional DNSMasq Options).
So, my questions are:
Why are the DNS servers specified in Additional DNSMasq Options ignored?
As far as I can see, it is not necessary to push PIA DNS servers - you just need to add the route to the config - or am I wrong?
Is the "block-outside-dns" still relevant (ensures that once connected to the VPN, you are using only the DNS servers provided by the VPN service)?
What are your experiences with the "auth-nocache" option? I have read not to use "auth-nocache" as it prevents reconnection due to a bug. Maybe this is related to the "pull-filter ignore 'auth-token'" as per the nextgen config suggested by PIA...
I guess we don't need to send these options anymore: persist-key, persist-tun, tls-client, remote-cert-tls server, as they're sent/set by the DD-WRT GUI?
I have tried to boil down my questions as much as possible and hope others will benefit from this.
Joined: 16 Nov 2015 Posts: 6407 Location: UK, London, just across the river..
Posted: Mon Sep 14, 2020 10:17 Post subject:
a15995 wrote:
So, my questions are:
Why are the DNS servers specified in Additional DNSMasq Options ignored?
As far as I can see, it is not necessary to push PIA DNS servers - you just need to add the route to the config - or am I wrong?
Is the "block-outside-dns" still relevant (ensures that once connected to the VPN, you are using only the DNS servers provided by the VPN service)?
What are your experiences with the "auth-nocache" option? I have read not to use "auth-nocache" as it prevents reconnection due to a bug. Maybe this is related to the "pull-filter ignore 'auth-token'" as per the nextgen config suggested by PIA...
I guess we don't need to send these options anymore: persist-key, persist-tun, tls-client, remote-cert-tls server, as they're sent/set by the DD-WRT GUI?
I have tried to boil down my questions as much as possible and hope others will benefit from this.
Thanks,
Why are the DNS servers specified in Additional DNSMasq Options ignored? - do you have the "no-resolv" command before those in the advanced DNSmasq rules... or did you put any DNS servers in those x3 boxes in basic setup?? you may've created a DNS mess if so... as if you have anything in those x3 boxes, it will go with priority... instead of anything in DNSmasq if there is no 'no-resolv'...
Is the "block-outside-dns" still relevant (ensures that once connected to the VPN, you are using only the DNS servers provided by the VPN service)? yep, it's supposed to... and that's why you have the options, either to use those x3 boxes or use DNSmasq with no-resolv, which has to be the same I guess, unless there is a bug...
What are your experiences with the "auth-nocache" option? I have read not to use "auth-nocache" as it prevents reconnection due to a bug. Maybe this is related to the "pull-filter ignore 'auth-token'" as per the nextgen config suggested by PIA... - nope, you don't want that as it will not reconnect as it should, you don't want to 'nocache' your credentials as they are already in the GUI, as well, at least I'm not using it and VPN works as it should... I've never tried to use it, along with those I have too... but it may work, I just never needed it...
I guess we don't need to send these options anymore: persist-key, persist-tun, tls-client, remote-cert-tls server, as they're sent/set by the DD-WRT GUI? - on the newer builds those are added by default, you can check cat /tmp/openvpncl/openvpn.conf
those are my 2 cents... if your DNS is not working as it should, there must be something wrong... by the way I'm using stubby (stub resolver) and all goes inside the VPN channel... but not using PBR yet.... I prefer to have two different APs (routers) for that...
Joined: 18 Mar 2014 Posts: 12834 Location: Netherlands
Posted: Mon Sep 14, 2020 10:50 Post subject:
Edit: @Alozoros was just ahead of me and basically saying the same.
OK, a lot of questions, all good ones.
The PIA next gen is pushing DNS servers which are only reachable via the VPN so when using PBR you have to take special measures.
You have to use pull-filter ignore "dhcp-option DNS" so that the pushed DNS servers are not added on top of resolv.dnsmasq, otherwise you will have a DNS problem if you are using Strict order.
You can use those PIA DNS servers for clients just like you are doing with the DNSMasq tag, or by setting Forced DNS redirection on unbridged interfaces.
But of course make sure those are routed via the VPN.
That you all did, kudos !
Now on to your questions
DNSmasq is using servers from resolv.dnsmasq you can specify additional server like:
server=9.9.9.9
But that does not stop DNSMasq from reading resolv.dnsmasq.
For that you have to add:
no-resolv
Your second question I already explained.
In your case use pull-filter .....
Otherwise the pushed DNS servers are used for everybody and that is not what you want
block-outside-dns is only for Windows clients, not for DDWRT, so do not use it.
The problem with auth-nocache is that user credentials are not stored in cache and will not be available on reconnection so do not use this option with DDWRT.
There is one exception a VPN provider can send an auth-token which will be used for reconnection.
Next gen PIA is doing this, so if you allow this auth-token (so do not use pull-filter ignore "auth-token") you should be able to use auth-nocache as the token is used for reconnection (this is theory, I have not tested if it really works).
But PIA itself recommends to use pull-filter ignore "auth-token" and of course in that case you cannot use auth-nocache
This is confusing (well at least for me)
Using auth-nocache is so that your credentials cannot be read from cache, but that can only be done if someone has access to your router, and if someone has access to your router you have bigger problems, so I personally do not use auth-nocache (and in that case you can ignore the auth-token, but not ignoring it, so actually using it on reconnection, seems to work fine).
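The DNS handling for PBR described in this reply (pull-filter so the pushed resolvers stay out of resolv.dnsmasq, and host routes so the PIA resolvers are always reached through the tunnel) is easy to get subtly wrong, so here is an added example (not from the thread or from DD-WRT) of the checks one would run on the router once the tunnel is up. /tmp/openvpncl/openvpn.conf is the path mentioned above; /tmp/resolv.dnsmasq as the resolver file, tun1 as the tunnel name and the sample routing table are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: post-connect sanity checks for the PBR + PIA DNS setup.
# Assumptions: resolver file /tmp/resolv.dnsmasq, tunnel interface tun1, sample data below.

PIA_DNS="10.0.0.241 10.0.0.242 10.0.0.243 10.0.0.244"   # the resolvers routed via vpn_gateway above

# 1) The generated OpenVPN config must carry the pull-filter; otherwise the pushed
#    resolvers land in resolv.dnsmasq and, with Strict order, every client is forced onto them.
#    $1 = path to openvpn.conf. Returns 0 if the line is present.
conf_has_dns_pullfilter() {
  grep -Eq '^pull-filter[[:space:]]+ignore[[:space:]]+"dhcp-option DNS"' "$1"
}

# 2) None of the PIA resolvers may have leaked into resolv.dnsmasq. $1 = path. Returns 0 if clean.
resolv_is_clean() {
  for ip in $PIA_DNS; do
    grep -Fqx "nameserver $ip" "$1" && return 1
  done
  return 0
}

# 3) Each PIA resolver needs a host route through the tunnel (the "route ... vpn_gateway"
#    lines); without it the query follows the default route out of the WAN instead.
#    $1 = output of "ip route", $2 = tunnel interface. Prints what is missing, returns 1 if any.
dns_routes_via_tunnel() {
  routes="$1"; tun="${2:-tun1}"; missing=""
  for ip in $PIA_DNS; do
    esc=$(printf '%s' "$ip" | sed 's/\./\\./g')
    printf '%s\n' "$routes" | grep -Eq "^${esc} (via [0-9.]+ )?dev ${tun}( |\$)" \
      || missing="$missing $ip"
  done
  [ -z "$missing" ] && return 0
  echo "missing tunnel routes:$missing"
  return 1
}

# Constructed sample routing table (not captured from a real router) for an off-router run.
SAMPLE_ROUTES='default via 192.0.2.1 dev vlan2
10.0.0.241 via 10.13.0.1 dev tun1
10.0.0.242 via 10.13.0.1 dev tun1
10.0.0.243 dev tun1 scope link
10.0.0.244 via 10.13.0.1 dev tun1'

run_on_router() {   # what you would actually run on the DD-WRT box after the tunnel is up
  conf_has_dns_pullfilter /tmp/openvpncl/openvpn.conf && echo "pull-filter present"
  resolv_is_clean /tmp/resolv.dnsmasq && echo "resolv.dnsmasq clean"
  dns_routes_via_tunnel "$(ip route)" tun1 && echo "all PIA resolvers routed via tun1"
}

if [ "${1:-}" = "router" ]; then
  run_on_router
else
  dns_routes_via_tunnel "$SAMPLE_ROUTES" tun1 && echo "sample routes: OK"
fi
```

Run it with the argument router on the box; a missing pull-filter or a 10.0.0.24x entry in resolv.dnsmasq is the symptom behind "every client suddenly uses PIA DNS", and a missing tunnel route is what breaks DNS for the PBR clients only.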
This is a first draft please send me your comments
My comment is Thank You!.
Those 209.222.18.222/218 servers have been messed up for weeks on the "Old-Gen" network, and PIA's response to overwhelming complaints on their reddit forum is just "move to the Nextgen network" in their desktop/mobile applications, pretty much ignoring everyone who uses routers/firewalls etc.
Your guide was the difference between failure and success (the necessary outside, public DNS was the tweak). The resolv.dnsmasq looks good when the tunnel is up.
I see that PIA pushes the 10.0.0.243/242 servers in the logs, but where did you find the 10.0.0.241/244 servers? Are you sure the latter two are for MACE?