Posted: Wed Nov 18, 2020 14:34 Post subject: Re: Best practice - encryption and data ciphers...
a15995 wrote:
Hello!
FYI: PIA has closed down the nl.privacy.network (92.119.179.123 - not responding) - use nl-amsterdam.privacy.network (143.244.43.71) instead (seems a bit slower though)...
Thanks,
Same with some US servers.
I have two routers that were using 2 different servers and both lost connections (yesterday I think; the name does not resolve).
Switching to IP addresses did not help.
Had to search the NextGen files for working servers.
To take IPv6 out of the mix while correcting some of PIA's seemingly confused settings for GCM over NextGen, adding the following to the DD-WRT Additional Config seems to help:
Note that "ncp-disable" is needed for OpenVPN GCM (but not CBC) to work over PIA NextGen, but that it's also a deprecated command slated for removal in OpenVPN 2.6. Thus, PIA will either have to make changes or GCM may no longer be workable over PIA NextGen in the future. I'm with @egc on some of the recent PIA issues combined with their delay in supporting WireGuard router configs. My guess is that they're intentionally dumbing down their offerings to focus on a particular market niche. YMMV _________________ My DD-WRT Routers:
Linksys WRT3200ACM - Marvell
Linksys WRT1900ACS - Marvell
Netgear R9000 - Atheros
Netgear R7000 - Broadcom
PC x86-64 VM - Atheros
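The points raised in this thread (ncp-disable still being needed for GCM but deprecated and due for removal in OpenVPN 2.6, the 2.5 data-ciphers change, and IP-literal remotes breaking when the provider moves servers) can be checked mechanically before a firmware or OpenVPN upgrade. The shell function below is an added example, not code from this thread, from DD-WRT or from PIA; it assumes the Additional Config text has been saved to a plain file with one directive per line, and the sample config in the comments is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): lint an OpenVPN client config fragment,
# e.g. the text of DD-WRT's "Additional Config" box, for directives whose
# meaning changed in OpenVPN 2.5 or that are scheduled for removal in 2.6.
# Assumption: the fragment is stored in a plain file, one directive per line.
#
# Constructed sample that would trigger all three findings:
#   remote 192.0.2.10 1198
#   cipher AES-128-CBC
#   ncp-disable

# Print one finding per line; return 1 if anything needs attention, else 0.
lint_ovpn_config() {
    cfg="$1"
    rc=0

    # ncp-disable: some providers still need it for GCM (as noted above), but
    # it is deprecated and slated for removal in OpenVPN 2.6, so the config
    # will stop loading after an upgrade.
    if grep -Eq '^[[:space:]]*ncp-disable' "$cfg"; then
        echo "WARN ncp-disable is deprecated and removed in OpenVPN 2.6; config will break on upgrade"
        rc=1
    fi

    # A bare "cipher" with no data-ciphers list: since 2.5 the data channel
    # cipher is negotiated from data-ciphers and a lone "cipher" line only
    # sets the fallback, so it may not select what the author expects.
    if grep -Eq '^[[:space:]]*cipher[[:space:]]' "$cfg" && \
       ! grep -Eq '^[[:space:]]*data-ciphers[[:space:]]' "$cfg"; then
        echo "WARN cipher set without data-ciphers; OpenVPN 2.5 negotiates from the data-ciphers list"
        rc=1
    fi

    # remote given as an IPv4 literal: a provider that retires or moves
    # servers behind a hostname will silently strand this config.
    if grep -Eq '^[[:space:]]*remote[[:space:]]+[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' "$cfg"; then
        echo "WARN remote uses a literal IP; prefer the provider hostname so DNS can follow server changes"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK no known 2.5/2.6 compatibility issues found"
    return "$rc"
}
```

Run it as `lint_ovpn_config /tmp/additional.conf` after pasting the box contents into that file; a non-zero exit means at least one line deserves a second look before the next upgrade.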
Joined: 16 Nov 2015 Posts: 6440 Location: UK, London, just across the river..
Posted: Thu Apr 29, 2021 6:02 Post subject:
Yep, it works for me... if it's not working for you, it means you didn't follow the settings... _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Sometime in the last few weeks my openvpn on DD-WRT stopped and will not start. After a lot of reading and searching I have found this thread. I was connected to a PIA server via IP address and using AES 128 + SHA1. Perhaps that server was dropped from service. Unfortunately trying other servers has not alleviated the problem. The settings I have used have worked just fine for about 2 years, even through firmware upgrades. Now, even though I have not changed anything, something is broken. So I assume this has to do with the changes in openvpn 2.5 as discussed in the guide and around places. Somewhere I picked up that 2.5 won't let you use IPs with PIA, so made a change there too.
The DD-WRT OpenVPN Client setup guide just links back to this thread. So, where do we find the PIA-specific settings? I'm assuming that my OpenVPN doesn't start because I have a setting incorrect.
Things I have done:
1. I found a guide on PIA's website and followed it to a T, but I cannot get the OpenVPN to start. Each time I make changes, I apply, then restart my router via the web GUI. I figure this is out of date.
2. Changed the PIA server from IP to known namesakes
3. Upgraded DDWRT to r47692
4. Tried using a setup that uses AES 128 + SHA1 (found on YouTube), as well as AES256 + SHA256.
Each setup has different values to be entered under "additional config" and "Ca Cert".
5. I read this guide
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398
One thing for sure, I won't be using an IP, just namesake now.
My current hardware setup:
Router Model: Netgear 7800
Firmware Version: DD-WRT v3.0-r47692 std (11/28/21)
Under status>openvpn, all fields are blank, so nothing is even connecting.
My idea for fix:
Clearly something has changed with OpenVPN 2.5; I think without question there is an issue with my config. Perhaps I need to reduce what is in Additional Config. I know changing from IP to a name will help too but is not the complete answer.
Thank you for your assistance
Last edited by pongman on Fri Dec 03, 2021 1:46; edited 4 times in total
Joined: 16 Nov 2015 Posts: 6440 Location: UK, London, just across the river..
Posted: Thu Dec 02, 2021 23:02 Post subject:
Here are the settings you need.
Also use the large 4k cert in the CA Cert section; make sure you paste it correctly... the one that starts with
-----BEGIN CERTIFICATE-----
MIIHqzCCBZOgAwIBAgIJAJ0u+vODZJntMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD
In Additional Config, I do have some stuff too, but it's not needed anyway; I'll share it...
Bear in mind... unless you need it for a specific purpose/reason... you can turn off the SFE option from the Basic Setup page...
Also use the large 4k cert in the CA Cert section; make sure you paste it correctly... the one that starts with
-----BEGIN CERTIFICATE-----
MIIHqzCCBZOgAwIBAgIJAJ0u+vODZJntMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD
In Additional Config, I do have some stuff too, but it's not needed anyway; I'll share it...
Bear in mind... unless you need it for a specific purpose/reason... you can turn off the SFE option from the Basic Setup page...
Those are interesting things. I will search the ones I don't know and find out what they do. Thank you for offering a screenshot.
There is so much wrong/outdated/incomplete information out there that it gets difficult to mine through it all. Having recently upgraded my firmware, 1st/2nd/3rd data ciphers weren't even an option until that upgrade. Cheers
Last edited by pongman on Fri Dec 03, 2021 1:50; edited 1 time in total
There is an OpenVPN Client setup guide with specific instructions for a lot of providers including PIA.
I cannot guarantee it is all up to date but usually a hell of a lot better than what the providers tell you.
If you cannot get it to work, post a screenshot of your OpenVPN settings page and everything you have (wrongly) put in the Additional Config
Thank you for your assistance. It felt strange to delete everything in my 'additional config' as it has worked for years. However, once I did that (plus using a name server and not IP) - the openvpn service started after I rebooted the router. Thanks
Joined: 16 Nov 2015 Posts: 6440 Location: UK, London, just across the river..
Posted: Fri Dec 03, 2021 11:34 Post subject:
It's odd why PIA suggests using an IP instead of a name server... but provides a list of names too...
From one side it's good and more precise, as well as not needing DNS to resolve the IP... but using a name gives you a chance to get one of the IPs, as there are a few in the stack behind the name...
And their DD-WRT guide must be updated; I tried to contact them and provided new details... but still no update on it...
Since 2-3 years ago their customer support went down dramatically... on a few occasions they were not elaborative at all...