OpenVPN Private Internet Access client setup for NextGen

DD-WRT Forum Index -> Advanced Networking
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Thu Sep 03, 2020 10:44    Post subject: OpenVPN Private Internet Access client setup for NextGen
Some notes about how to set up an OpenVPN client on Private Internet Access.
As they were not supporting WireGuard on the router (perhaps they do now), although they had been promising this for a long time, I quit using PIA, so this guide is no longer maintained.

Their current setup guide: https://helpdesk.privateinternetaccess.com/guides/routers/dd-wrt-v44715-openvpn-setup
is not up to date :(


Note: The downloadable guide is only visible if you are logged in


For OpenVPN 2.5 see: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=326913

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087


Last edited by egc on Sat Feb 17, 2024 16:09; edited 10 times in total
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

PostPosted: Thu Sep 03, 2020 19:58
Just add somewhere that NTP time is vital: either use the default DD-WRT time zones, or time zones + IP if an external NTP server is preferred.
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Fri Sep 04, 2020 7:32
Good call, guide is updated, thanks!
lincsat
DD-WRT Novice


Joined: 14 Dec 2018
Posts: 5

PostPosted: Tue Sep 08, 2020 16:14
Thanks for this, finally got a working PIA connection. I did have to use the server IP rather than the domain.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Tue Sep 08, 2020 17:16
After changing anything you have to reboot or press Apply on the Setup page so that everything starts in the right order; then you can use the URL.

Otherwise DNS is not working across the tunnel.

a15995
DD-WRT User


Joined: 18 Oct 2016
Posts: 96
Location: Copenhagen, Denmark

PostPosted: Thu Sep 10, 2020 10:13
Excellent work!

Concerning the killswitch, can you/anyone explain the difference between these two:

Code:
iptables -I FORWARD -s 192.168.1.64/26 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.1.64/26 -o $(nvram get wan_iface) -j DROP


Thanks,

_________________
/Søren
Netgear Nighthawk X4S (R7800 ver. 1) | Atheros/Qualcomm(ARMv7) | IPQ8065 dual-core 1.7 GHz | AC2600 | 512 MB RAM | 128 MB FLASH | 128 KB NVRAM
Firmware: DD-WRT v3.0-r55109 std (02/09/24)
Install guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Thu Sep 10, 2020 10:55
a15995 wrote:
Excellent work!

Concerning the killswitch, can you/anyone explain the difference between these two:

Code:
iptables -I FORWARD -s 192.168.1.64/26 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.1.64/26 -o $(nvram get wan_iface) -j DROP


Thanks,


I prefer the first one for three reasons (although both should work):

get_wanface works in about 99% of the cases, nvram get wan_iface works in about 98%.

State NEW will leave a possible port forward open, but still stops clients from making an outbound connection.

REJECT will let the client know it does not work, instead of DROP which keeps the client waiting until it eventually times out. As these are your own clients REJECT is better; you would use DROP to stop connections from outside.

Just my take.

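The two kill-switch rules compared above, put into a small DD-WRT firewall script as an added example (not code from egc's guide or from PIA): it tries get_wanface first and falls back to nvram get wan_iface, refuses to insert a rule with an empty interface, uses REJECT with --state NEW as egc prefers, and is idempotent so it can be saved as the Firewall script and re-run on every restart. The client range 192.168.1.64/26 is the constructed value from the question.

```shell
#!/bin/sh
# Kill switch for a PBR client range on DD-WRT (added example, not from
# egc's guide). Assumes DD-WRT's get_wanface helper and nvram, as in the
# thread, and that iptables is available on the router.

# Clients that must never leave via the WAN directly (constructed value).
KS_NET="${KS_NET:-192.168.1.64/26}"
# REJECT answers your own clients immediately; DROP would leave them
# waiting for a timeout (DROP is for traffic from outside, not here).
KS_TARGET="${KS_TARGET:-REJECT}"

# Find the WAN interface: get_wanface first, nvram wan_iface as fallback.
# Returns 1 if neither yields a name, so the caller never inserts "-o ''".
ks_wanface() {
    wan=""
    if command -v get_wanface >/dev/null 2>&1; then
        wan=$(get_wanface 2>/dev/null)
    fi
    if [ -z "$wan" ] && command -v nvram >/dev/null 2>&1; then
        wan=$(nvram get wan_iface 2>/dev/null)
    fi
    [ -n "$wan" ] || return 1
    printf '%s\n' "$wan"
}

# Rule without the verb, so the same spec serves -C (check), -I and -D.
# --state NEW blocks new outbound connections only, so an existing port
# forward into the range keeps answering (egc's second point).
ks_rule_spec() {
    printf 'FORWARD -s %s -o %s -m state --state NEW -j %s\n' "$1" "$2" "$3"
}

# Insert the rule only if it is not already there (safe to re-run).
ks_apply() {
    wan=$(ks_wanface) || { echo "no WAN interface found, not applying" >&2; return 1; }
    spec=$(ks_rule_spec "$KS_NET" "$wan" "$KS_TARGET")
    # shellcheck disable=SC2086  # spec is deliberately word-split
    if iptables -C $spec 2>/dev/null; then
        echo "kill switch already present for $KS_NET on $wan"
    else
        iptables -I $spec && echo "kill switch applied for $KS_NET on $wan"
    fi
}

# Remove every copy of the rule (handles duplicates from earlier runs).
ks_remove() {
    wan=$(ks_wanface) || return 1
    spec=$(ks_rule_spec "$KS_NET" "$wan" "$KS_TARGET")
    # shellcheck disable=SC2086
    while iptables -C $spec 2>/dev/null; do iptables -D $spec; done
}

case "${1:-}" in
    apply)  ks_apply ;;
    remove) ks_remove ;;
esac
```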
a15995
DD-WRT User


Joined: 18 Oct 2016
Posts: 96
Location: Copenhagen, Denmark

PostPosted: Thu Sep 10, 2020 12:33
egc wrote:
a15995 wrote:
Excellent work!

Concerning the killswitch, can you/anyone explain the difference between these two:

Code:
iptables -I FORWARD -s 192.168.1.64/26 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.1.64/26 -o $(nvram get wan_iface) -j DROP


Thanks,


I prefer the first one for three reasons (although both should work)

get_wanface works in about 99% of the cases, nvram get wan_iface works in about 98%.

State NEW will leave a possible port forward open, but still stops clients from making an outbound connection.

REJECT will let the client know it does not work, instead of DROP which keeps the client waiting until it eventually times out. As these are your own clients REJECT is better; you would use DROP to stop connections from outside.

Just my take


Thanks, and I totally agree. Will change to REJECT.

Two quick questions since I am now up and running again on my PIA connection :)

Do you know if they have moved their speedtest somewhere else, as this does not work with next gen?
Code:
http://[VPN IP]:8888/speedtest


I'm a little confused about this in your PBR-guide (which is locked, so sorry if off-topic):

Code:
You can also set a kill switch per interface suppose you have created a VAP wl0.1 and want to prevent WAN access:
iptables -I FORWARD -i wl0.1 -o $(get_wanface) -m state --state NEW -j REJECT
-m state --state NEW is used here so as to allow access from other internal addresses, if you do not want this you can omit this.
Kill switch for PBR on a WAP:
iptables -I FORWARD -i br0 -s 192.168.1.150 -o br0 -j REJECT


I presume I would replace wl0.1 with ath0.1 on R7800?

What is the difference between kill switch per interface and PBR on a WAP?

Thanks,

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Thu Sep 10, 2020 13:40
No, I do not know about the speedtest.

PIA is in a transitional state.

wl0.1 is for Broadcom indeed; for Atheros you should use ath0.1.

A WAP is a Wireless Access Point, so totally different: it has no WAN:
https://wiki.dd-wrt.com/wiki/index.php/Wireless_Access_Point

For a normal gateway router you block the WAN, but as there is no WAN on a WAP you need a different kill switch.

csloth
DD-WRT Novice


Joined: 13 Sep 2020
Posts: 1

PostPosted: Sun Sep 13, 2020 18:17
Thank you very much for this guide. Looks like it has fixed my connection/DNS problems after PIA changed their servers. PIA should be ashamed.
a15995
DD-WRT User


Joined: 18 Oct 2016
Posts: 96
Location: Copenhagen, Denmark

PostPosted: Mon Sep 14, 2020 8:12
Thanks for your help egc!

I hope my feedback in this thread will help others. I have read your guides on VPN, PBR and the problems in relation to this. I'm on a R7800 and use PIA VPN and I'm trying to achieve the following with nextgen which worked with the legacy setup (server *.privateinternetaccess.com):

  1. Default (wired/wireless): All new devices are NOT on VPN and on DNS servers specified in the setup tab
  2. Specific devices (kids): Not on VPN but on special DNS servers specified in Dnsmasq
  3. Specific VPN devices (PBR): On VPN and on PIA DNS servers (through tunnel)
  4. Guest network (0.1 and 1.1): All devices on VPN (PBR specified IP range - 192.168.2.200-254 and 192.168.3.200-254) and on PIA DNS servers (through tunnel)


This is what I have done:

  1. Default (wired/wireless): Specified DNS servers in the setup tab and ticked Ignore WAN DNS, Use DNSMasq for DNS and DHCP-Authoritative (and Forced DNS Redirection). Services tab setup as seen below.
  2. Specific devices (kids): DNS servers specified in conf-file=/jffs/dns/dnsmasq.familyshield.conf (using tags as seen below)
  3. Specific VPN devices (PBR): Right now only one specified as seen below using tags
  4. Guest network (0.1 and 1.1): DNS server 10.0.0.241 specified in the Wireless tab under Optional DNS Target


I have set up VPN as per your guide with the following in Additional Config:

Code:
#block pulling PIA DNS servers
pull-filter ignore "dhcp-option DNS" # If not used ALL DNS requests are sent through the VPN tunnel

#make sure DNS servers are always routed via the tunnel in case of PBR
route 10.0.0.241 255.255.255.255 vpn_gateway #DNS+Streaming+MACE
route 10.0.0.242 255.255.255.255 vpn_gateway #DNS
route 10.0.0.243 255.255.255.255 vpn_gateway #DNS+Streaming
route 10.0.0.244 255.255.255.255 vpn_gateway #DNS+MACE


This works fine except that DNSMasq servers seem to be ignored (DNS servers used are the ones in the Setup tab, not the ones specified under Additional DNSMasq Options).

So, my questions are:

  • Why are the DNS servers specified in Additional DNSMasq Options ignored?
  • As far as I can see, it is not necessary to push PIA DNS servers - you just need to add the route to the config - or am I wrong?
  • Is the "block-outside-dns" still relevant (ensures that once connected to the VPN, you are using only the DNS servers provided by the VPN service)?
  • What are your experiences with the "auth-nocache" option? I have read not to use "auth-nocache" as it prevents reconnection due to a bug. Maybe this is related to the "pull-filter ignore 'auth-token'" as per the nextgen config suggested by PIA...
  • I guess we don't need to send these options anymore: persist-key, persist-tun, tls-client, remote-cert-tls server, as they're sent/set by the DD-WRT GUI?


I have tried to boil down my questions as much as possible and hope others will benefit from this.

Thanks,

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

PostPosted: Mon Sep 14, 2020 10:17
a15995 wrote:


So, my questions are:

  • Why are the DNS servers specified in Additional DNSMasq Options ignored?
  • As far as I can see, it is not necessary to push PIA DNS servers - you just need to add the route to the config - or am I wrong?
  • Is the "block-outside-dns" still relevant (ensures that once connected to the VPN, you are using only the DNS servers provided by the VPN service)?
  • What are your experiences with the "auth-nocache" option? I have read not to use "auth-nocache" as it prevents reconnection due to a bug. Maybe this is related to the "pull-filter ignore 'auth-token'" as per the nextgen config suggested by PIA...
  • I guess we don't need to send these options anymore: persist-key, persist-tun, tls-client, remote-cert-tls server, as they're sent/set by the DD-WRT GUI?

I have tried to boil down my questions as much as possible and hope others will benefit from this.

Thanks,


Why are the DNS servers specified in Additional DNSMasq Options ignored? - Do you have the "no-resolv" command before those in the Additional DNSMasq Options, or did you put any DNS servers in those x3 boxes in Basic Setup?? You may've created a DNS mess if so, as if you have anything in those x3 boxes, it will go with priority instead of anything in DNSmasq if there is no 'no-resolv'...

Is the "block-outside-dns" still relevant (ensures that once connected to the VPN, you are using only the DNS servers provided by the VPN service)? - Yep, it's supposed to... and that's why you have options: either use those x3 boxes or use DNSmasq with no-resolv, which has to be the same I guess, unless there is a bug...

What are your experiences with the "auth-nocache" option? I have read not to use "auth-nocache" as it prevents reconnection due to a bug. Maybe this is related to the "pull-filter ignore 'auth-token'" as per the nextgen config suggested by PIA... - Nope, you don't want that as it will not reconnect as it should; you don't want to 'nocache' your credentials as they are already in the GUI. At least I'm not using it and VPN works as it should... I've never tried to use it, along with those I have too... but it may work, I just never needed it...

keepalive 10 120
server-poll-timeout 10
remote xxx.privateinternetaccess.com

I guess we don't need to send these options anymore: persist-key, persist-tun, tls-client, remote-cert-tls server, as they're sent/set by the DD-WRT GUI? - On the newer builds those are added by default; you can check with cat /tmp/openvpncl/openvpn.conf

Those are my 2 cents... if your DNS is not working as it should, there must be something wrong... by the way I'm using stubby (stub resolver) and all goes inside the VPN channel... but not using PBR yet... I prefer to have two different APs (routers) for that...

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Mon Sep 14, 2020 10:50
Edit: @Alozaros was just ahead of me and basically telling the same :)

OK, lots of questions, all good ones :)

The PIA next gen is pushing DNS servers which are only reachable via the VPN, so when using PBR you have to take special measures.
You have to use pull-filter ignore "dhcp-option DNS" so that the pushed DNS servers are not added on top of resolv.dnsmasq; otherwise you will have a DNS problem if you are using Strict order.

You can use those PIA DNS servers for clients just like you are doing with the DNSMasq tag, or by setting Forced DNS Redirection on unbridged interfaces.

But of course make sure those are routed via the VPN.

That you all did, kudos!

Now on to your questions.
DNSMasq is using servers from resolv.dnsmasq; you can specify an additional server like:
server=9.9.9.9
But that does not stop DNSMasq from reading resolv.dnsmasq.
For that you have to add:
no-resolv


Your second question I already explained.
In your case use pull-filter .....
Otherwise the pushed DNS servers are used for everybody, and that is not what you want.

block-outside-dns is only for Windows clients, not for DD-WRT, so do not use it.

The problem with auth-nocache is that user credentials are not stored in cache and will not be available on reconnection, so do not use this option with DD-WRT.
There is one exception: a VPN provider can send an auth-token which will be used for reconnection.
Next gen PIA is doing this, so if you allow this auth-token (so do not use pull-filter ignore "auth-token") you should be able to use auth-nocache as the token is used for reconnection (this is theory, I have not tested if it really works).

But PIA itself recommends to use pull-filter ignore "auth-token", and of course in that case you cannot use auth-nocache.

This is confusing (well, at least for me).

Using auth-nocache is so that your credentials cannot be read from cache, but that can only be done if someone has access to your router, and if someone has access to your router you have bigger problems, so I personally do not use auth-nocache (and in that case you can ignore the auth-token, but not ignoring it, so actually using it on reconnection, seems to work fine).

Your last question: those are all redundant and have been for a long time.
remote-cert-tls server is a GUI option: Verify server Cert., and it is enabled/ticked in my setup guide :)
Most VPN providers work best without anything added in the Additional Config.
Less = More

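A check for the point egc makes above about making sure the pushed DNS servers are routed via the VPN (the route lines in a15995's Additional Config), written as an added example and not code from the guide or from PIA: it parses "ip route show" output and reports any PIA DNS server that would not leave via the tunnel interface, which is exactly the case that leaks DNS to the WAN under PBR. It assumes the DD-WRT OpenVPN client interface is tun1 and uses a constructed route table in which one of the four routes is missing.

```shell
#!/bin/sh
# Sanity check for the PBR DNS setup discussed above (added example, not
# from egc's guide). Verifies that each DNS server the tunnel should carry
# has a host route out the tunnel interface, i.e. that the
# "route <ip> 255.255.255.255 vpn_gateway" lines actually took effect.

# PIA next-gen DNS servers as listed in the thread.
PIA_DNS="10.0.0.241 10.0.0.242 10.0.0.243 10.0.0.244"
# DD-WRT's OpenVPN client interface is normally tun1 (assumption).
VPN_DEV="${VPN_DEV:-tun1}"

# Print the outgoing device of the exact host route to $1, reading
# "ip route show" output from stdin. Prints nothing when there is no
# host route: such a packet follows the default route, i.e. the WAN.
route_dev() {
    awk -v ip="$1" '
        ($1 == ip || $1 == (ip "/32")) {
            for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
        }'
}

# Check every server in $2 (space separated) against the route text $1.
# Returns 0 if all leave via $VPN_DEV, 1 otherwise, naming the offenders.
check_dns_routes() {
    routes=$1; servers=$2; bad=0
    for ip in $servers; do
        dev=$(printf '%s\n' "$routes" | route_dev "$ip")
        if [ "$dev" != "$VPN_DEV" ]; then
            echo "LEAK: $ip would leave via ${dev:-the default route}, not $VPN_DEV" >&2
            bad=1
        fi
    done
    return $bad
}

# Constructed sample of "ip route show" on a router where the route for
# 10.0.0.244 is missing. On a real router run:
#   check_dns_routes "$(ip route show)" "$PIA_DNS"
SAMPLE_ROUTES='default via 203.0.113.1 dev eth0
10.0.0.241 via 10.24.112.1 dev tun1
10.0.0.242 via 10.24.112.1 dev tun1
10.0.0.243 via 10.24.112.1 dev tun1
10.24.112.0/24 dev tun1 scope link
192.168.1.0/24 dev br0 scope link'

if [ "${1:-}" = "--demo" ]; then
    check_dns_routes "$SAMPLE_ROUTES" "$PIA_DNS" \
        && echo "all DNS servers routed via $VPN_DEV"
fi
```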
joyTECH
DD-WRT Novice


Joined: 14 Sep 2020
Posts: 2

PostPosted: Mon Sep 14, 2020 16:25
egc wrote:
I am working on a Setup guide for PIA to connect to their nextgen servers.

Their current setup: https://www.privateinternetaccess.com/helpdesk/guides/routers/dd-wrt-v40559-openvpn-setup
is wrong :(

This is a first draft please send me your comments


My comment is Thank You!.

Those 209.222.18.222/218 servers have been messed up for weeks on the "Old-Gen" network, and PIA's response to overwhelming complaints on their reddit forum is just "move to the Nextgen network" in their desktop/mobile applications, pretty much ignoring everyone who uses routers/firewalls etc.

Your guide was the difference between failure and success (the necessary outside, public DNS was the tweak). The resolv.dnsmasq looks good when the tunnel is up.

a15995 wrote:


Code:
route 10.0.0.241 255.255.255.255 vpn_gateway #DNS+Streaming+MACE
route 10.0.0.242 255.255.255.255 vpn_gateway #DNS
route 10.0.0.243 255.255.255.255 vpn_gateway #DNS+Streaming
route 10.0.0.244 255.255.255.255 vpn_gateway #DNS+MACE


I see that PIA pushes the 10.0.0.243/242 servers in the logs, but where did you find the 10.0.0.241/244 servers? Are you sure the latter two are for MACE?

Thanks in advance.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Mon Sep 14, 2020 16:30
Those 4 DNS servers are also what I learned from PIA.
.242 and .243 are the ones being pushed at this moment.

Added the link to the guide, thanks for asking:
https://www.privateinternetaccess.com/helpdesk/kb/articles/next-generation-dns-custom-configuration

All times are GMT