OpenVPN Private Internet Access client setup for NextGen

bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 2036

Posted: Wed Nov 18, 2020 14:34    Post subject: Re: Best practice - encryption and data ciphers...
a15995 wrote:
Hello!
FYI: PIA has closed down the nl.privacy.network (92.119.179.123 - not responding) - use nl-amsterdam.privacy.network (143.244.43.71) instead (seems a bit slower though)...
Thanks,

Same with some US servers.
I have two routers that were using 2 different servers and both lost connections (yesterday I think; name does not resolve).
Switching to IP addresses did not help.
Had to search the NextGen files for working servers Twisted Evil

Glad @egc was way ahead of this with the NextGen setup guide. Thank you!

_________________
Forum Guide Lines (with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips!)
How to get help the right way

Before asking for help - Read the forum guidelines AND Upgrade DD-WRT!
Adblock by eibgrad (1.1M blocked) + Blocklist Collection

o2bad455
DD-WRT User


Joined: 08 Oct 2015
Posts: 252

Posted: Thu Mar 04, 2021 19:08    Post subject:
To take IPv6 out of the mix while correcting some of PIA's seemingly confused settings for GCM over NextGen, adding the following to the DD-WRT Additional Config seems to help:

resolv-retry infinite
nobind
persist-key
persist-tun
auth sha256
ncp-disable
tls-client
remote-cert-tls server
pull-filter ignore "auth-token"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
auth-nocache
fast-io
sndbuf 300000
rcvbuf 300000
compress
verb 0
reneg-sec 3600
disable-occ
<crl-verify>
-----BEGIN X509 CRL-----
{copy/paste X509 cert here}
-----END X509 CRL-----
</crl-verify>

Note that "ncp-disable" is needed for OpenVPN GCM (but not CBC) to work over PIA NextGen, but that it's also a deprecated command slated for removal in OpenVPN 2.6. Thus, PIA will either have to make changes or GCM may no longer be workable over PIA NextGen in the future. I'm with @egc on some of the recent PIA issues combined with their delay in supporting WireGuard router configs. My guess is that they're intentionally dumbing down their offerings to focus on a particular market niche. YMMV

_________________
My DD-WRT Routers:
Linksys WRT3200ACM - Marvell
Linksys WRT1900ACS - Marvell
Netgear R9000 - Atheros
Netgear R7000 - Broadcom
PC x86-64 VM - Atheros
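
The `pull-filter ignore` lines in the post above drop matching options that the server pushes, using prefix comparison with the first matching filter winning and unmatched options accepted by default. The following is an added example, not part of the original post or of OpenVPN itself: a simplified Python model of that matching. The pushed-options string is constructed for illustration and the function names are hypothetical.

```python
import shlex

# pull-filter lines as posted above, with two neighbouring directives for context.
ADDITIONAL_CONFIG = """\
auth sha256
pull-filter ignore "auth-token"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
auth-nocache
"""

# Constructed PUSH_REPLY for illustration; not captured from a PIA server.
SAMPLE_PUSH_REPLY = (
    "PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.0.0.243,"
    "route-ipv6 2000::/3,ifconfig-ipv6 fd00::2/64 fd00::1,"
    "auth-token EXAMPLE-TOKEN,ifconfig 10.8.0.6 255.255.255.0,cipher AES-128-GCM"
)


def parse_pull_filters(config_text):
    """Return [(action, prefix)] in file order; order matters, first match wins."""
    filters = []
    for line in config_text.splitlines():
        tokens = shlex.split(line, comments=True)
        if len(tokens) == 3 and tokens[0] == "pull-filter":
            if tokens[1] not in ("accept", "ignore", "reject"):
                raise ValueError("unknown pull-filter action: " + tokens[1])
            filters.append((tokens[1], tokens[2]))
    return filters


def apply_pull_filters(push_reply, filters):
    """Split pushed options and return (accepted, ignored) lists."""
    options = push_reply.split(",")
    if options and options[0] == "PUSH_REPLY":
        options = options[1:]
    accepted, ignored = [], []
    for opt in options:
        # Prefix comparison; options matching no filter are accepted.
        action = next((a for a, p in filters if opt.startswith(p)), "accept")
        if action == "reject":
            raise RuntimeError("rejected pushed option: " + opt)
        (accepted if action == "accept" else ignored).append(opt)
    return accepted, ignored


if __name__ == "__main__":
    kept, dropped = apply_pull_filters(SAMPLE_PUSH_REPLY, parse_pull_filters(ADDITIONAL_CONFIG))
    print("accepted:", kept)
    print("ignored: ", dropped)
```

Because matching is by prefix, `"ifconfig-ipv6"` leaves the IPv4 `ifconfig` option alone, while a shorter filter such as `"ifconfig"` would drop both.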
chong67
DD-WRT Novice


Joined: 26 Feb 2021
Posts: 22

Posted: Thu Apr 29, 2021 2:34    Post subject: Could not get it to work
I could not get it to work.

I have the latest build : DD-WRT v3.0-r46446 std (04/24/21)

Anyone else successful?

Thanks.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6440
Location: UK, London, just across the river..

Posted: Thu Apr 29, 2021 6:02    Post subject:
Yep, it works for me...if it's not working for you, it means you didn't follow the settings...
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
portsup
DD-WRT User


Joined: 20 Oct 2018
Posts: 210

Posted: Sat Oct 16, 2021 21:17    Post subject:
I have scripts for connecting PIA wireguard, transmission and portforwarding
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=330429&start=15

wireguard works much better than openvpn
pongman
DD-WRT Novice


Joined: 02 Dec 2021
Posts: 5

Posted: Thu Dec 02, 2021 21:46    Post subject:
Sometime in the last few weeks my openvpn on DD-WRT stopped and will not start. After a lot of reading and searching I have found this thread. I was connected to a PIA server via IP address and using AES 128 + SHA1. Perhaps that server was dropped from service. Unfortunately trying other servers has not alleviated the problem. The settings I have used have worked just fine for about 2 years, even through firmware upgrades. Now, even though I have not changed anything, something is broken. So I assume this has to do with the changes in openvpn 2.5 as discussed in the guide and around places. Somewhere I picked up that 2.5 won't let you use IPs with PIA, so made a change there too.

The DDWRT OpenVPN Client setup guide just links back to this thread. So, where do we find the PIA specific settings? I'm assuming that my openvpn doesn't start because I have a setting incorrect.

Things I have done:
1. I found a guide on PIA's website and followed it to a T, but I cannot get the openvpn to start. Each time I make changes, I apply, then restart my router via the webgui. Figure this is out of date.
2. Changed the PIA server from IP to known namesakes
3. Upgraded DDWRT to r47692
4. Tried using a setup that uses AES 128 + SHA1 (found on YouTube), as well as AES256 + SHA256
Each setup has different values to be entered under "additional config" and "Ca Cert".
5. I read this guide
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398
One thing for sure, I won't be using an IP, just namesake now.


My current hardware setup:
Router Model: Netgear 7800
Firmware Version: DD-WRT v3.0-r47692 std (11/28/21)

Upgraded from: DD-WRT v3.0-r44715 std (08/12/21)
Reset: Yes



Under status>openvpn, all fields are blank, so nothing is even connecting.

My idea for fix:
Clearly something has changed with OpenVPN 2.5; I think without question there is an issue with my config. Perhaps I need to reduce what is in additional config. I know changing from IP to a name will help too but is not the complete answer.

Thank you for your assistance


Last edited by pongman on Fri Dec 03, 2021 1:46; edited 4 times in total
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14223
Location: Texas, USA

Posted: Thu Dec 02, 2021 22:01    Post subject:
Did you bother reading the OP and the attached guide that was updated in March of this year?

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1216021

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

Posted: Thu Dec 02, 2021 22:05    Post subject:
You probably added things in the Additional config.

Almost everything can/should be setup via the GUI, golden rule:
Do not put anything in the Additional Config Smile

OpenVPN guides are a sticky in this forum:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398

There is an OpenVPN Client setup guide with specific instructions for a lot of providers including PIA.

I cannot guarantee it is all up to date but usually a hell of a lot better than what the providers tell you.

If you cannot get it to work, post a screenshot of your OpenVPN settings page and everything you have (wrongly) put in the Additional Config Smile

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6440
Location: UK, London, just across the river..

Posted: Thu Dec 02, 2021 23:02    Post subject:
here are the settings you need




also use the large 4k Cert in CA Cert section make sure you paste it correctly..the one that starts with
-----BEGIN CERTIFICATE-----
MIIHqzCCBZOgAwIBAgIJAJ0u+vODZJntMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD


in additional config, I do have some stuff too, but it's not needed anyway, but I'll share it..

verb 5
pull-filter ignore "dhcp-option DNS"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
reneg-sec 0
keepalive 10 120
server-poll-timeout 10
remote nl-amsterdam.privacy.network 1197
remote uk-southampton.privacy.network 1197
remote ro.privacy.network 1197


bear in mind...unless you need it for a specific purpose/reason....you can turn off SFE option from Basic Setup page...

pongman
DD-WRT Novice


Joined: 02 Dec 2021
Posts: 5

Posted: Fri Dec 03, 2021 1:41    Post subject:
Alozaros wrote:
here are the settings you need




also use the large 4k Cert in CA Cert section make sure you paste it correctly..the one that starts with
-----BEGIN CERTIFICATE-----
MIIHqzCCBZOgAwIBAgIJAJ0u+vODZJntMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD


in additional config, I do have some stuff too, but it's not needed anyway, but I'll share it..

verb 5
pull-filter ignore "dhcp-option DNS"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
reneg-sec 0
keepalive 10 120
server-poll-timeout 10
remote nl-amsterdam.privacy.network 1197
remote uk-southampton.privacy.network 1197
remote ro.privacy.network 1197


bear in mind...unless you need it for a specific purpose/reason....you can turn off SFE option from Basic Setup page...


Those are interesting things. I will search the ones I don't know and find out what they do. Thank you for offering a screenshot.
There is so much wrong / outdated /incomplete information out there it gets difficult to mine through it all. Having recently upgraded my firmware, 1st/2nd/3rd data ciphers weren't even an option until that upgrade. Cheers


Last edited by pongman on Fri Dec 03, 2021 1:50; edited 1 time in total
pongman
DD-WRT Novice


Joined: 02 Dec 2021
Posts: 5

Posted: Fri Dec 03, 2021 1:45    Post subject:
egc wrote:
You probably added things in the Additional config.

Almost everything can/should be setup via the GUI, golden rule:
Do not put anything in the Additional Config Smile

OpenVPN guides are a sticky in this forum:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398

There is an OpenVPN Client setup guide with specific instructions for a lot of providers including PIA.

I cannot guarantee it is all up to date but usually a hell of a lot better than what the providers tell you.

If you cannot get it to work, post a screenshot of your OpenVPN settings page and everything you have (wrongly) put in the Additional Config Smile


Thank you for your assistance. It felt strange to delete everything in my 'additional config' as it has worked for years. However, once I did that (plus using a name server and not IP) - the openvpn service started after I rebooted the router. Thanks
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6440
Location: UK, London, just across the river..

Posted: Fri Dec 03, 2021 11:34    Post subject:
It's odd that PIA suggests using an IP instead of a name server...but provides a list of names too...
On one side it's good and more precise, and it doesn't need DNS to resolve the IP...but using a name gives you a chance to get one of the IPs, as there are a few in the stack behind the name...

And their DDWRT guide must be updated; I tried to contact them and provided new details...but still no update on it..
For the last 2-3 years their customer support has gone down dramatically...on a few occasions they were not elaborative at all...
