Nighthawk [DD-WRT (Kong)] OpenVPN Client (PIA)

kamaaina

Switching to the new Tomato update 119 which will reset the clock, but Tomato has been stable with iVPN for 5 days and 15h as well, similar to what I had done with PIA before. The OpenVPN client there seems fine. I had to dismantle my second VPN setup with the Kong build so no further input on that side from me right now.

kallsop

Running 24045M on R7000 here, stock CPU speed, getting daily PIA disconnects too.

Also having problems excluding a LAN attached VOIP adapter, OBi202, from the VPN by adding to OpenVPN Client ... Additional Config:

route 192.168.0.112 255.255.255.255 net_gateway

where 192.168.0.112 is the OBi202 static IP. The route gets added, but VOIP is dead. Also tried using that IP for a PC and that PC lost internet access.

Maybe try the new Tomato build to see if it fixes both issues? My old E3000 ran a Tomato build and was rock solid until the hardware died.

kamaaina

Kallsop, I think the VoIP exclusion topic deserves its own thread. I was about to ask on SNB for help and will probably do so soon. I did not manage to exclude the SIP adapters (OBI) either yet. My work-around is to have an extra gateway router (AC56U) running unfiltered internet and the R7000 behind it with the VPN. The N66 is a second AP. The Obi sits right behind the GW as well. I tried putting the OBI in a DMZ setting but that did not work for all SIP providers. I would love to reduce the extra box. I tried putting the OBI 202 as the Gateway router instead but it (switch) cannot handle the internet speed. It maxed out at 15 Mbps down or so. Try putting your OBI in the DMZ at 192.168.0.112, maybe that works for you. Try it with and without the rule in the OBI maybe.

My understanding of the DMZ is that it should treat the IP configured in the DMZ as fully exposed to the Internet, but that might only be partially true. I think some firewall rules still apply and it might need a port forward configured or something to make it work. For another weekend.

kallsop

Thanks for the reply. I am trying the R7000 Tomato shibby build v119 now, but haven't had time to configure it for PIA VPN or VPN IP exclusion.

Update: for me, Tomato seems to be not ready for prime time. Horrible ping times, wireless drops, WAN drops. Not worth trying out OpenVPN Client, too many other issues. Now to be sure how to get from Tomato --> Netgear firmware --> newest Kong and give that a try.

kamaaina

For those running a VPN on the box and are trying to exclude a SIP/VoIP device, I started a separate thread: http://www.myopenrouter.com/forum/thread/56534/SIP-phones-OBI-etc.-and-O...

For the KONG DD-WRT and PIA users, how are things going now? Everything stable with PIA and the latest Kong build? Have you guys gone beyond a week uptime etc. Thanks. Are you using 128 AES or 256 etc. Supposedly PIA now supports everything but I haven't been able yet to test other than the default 128.
https://www.privateinternetaccess.com/pages/vpn-encryption It might only support higher encryption when using their apps at this time.

Sky1111

I recently had a very strange problem with my router - suddenly it refused to work with my cable modem. Long story short, I ended up cloning one of my PCs' MAC addresses to the router in order to get back online :(

I am currently running 24170 and I am having frequent disconnects from PIA. Kong already posted 24200 - will try it soon.

P.S. I reduced my overclock to 1200/800 MHz

P.P.S. I really would like to exclude a couple of devices from VPN, but the complexity of doing it scares me :(

Sky1111

Folks, I updated FW to 24200m new drivers and while wireless seems fine, I still see disconnects on VPN (PIA). Torrent activity seems to accelerate disconnections.

If anyone here does NOT have disconnects, OR his/her disconnects from VPN are rare, can you please share your working settings?

Thanks in advance!

DougRoberson

Sky1111 said: Folks, I updated FW to 24200m new drivers and while wireless seems fine, I still see disconnects on VPN (PIA). Torrent activity seems to accelerate disconnections. If anyone here does NOT have disconnects, OR his/her disconnects from VPN are rare, can you please share your working settings? thanks in advance!

I changed my expectations.

Go to the Administration tab.

Select the Keep Alive tab.

Enable "WDS/Connection Watchdog"

Set Interval to 180

Enter 8.8.8.8 for IP address.

Click Apply.

Every 3 minutes, your router will ping Google's DNS server. If it reaches it, the clock resets. If it can't reach it, your router reboots. Because of this, the longest your VPN-protected connection should be down is less than 4 minutes. 

My router is rebooting itself once or twice a day.

Now, you're likely still concerned that your IP address will show up for a minute or two after your router reboots. That is very easy to overcome.

PIA includes a SOCKS5 proxy with your account. Go to your Support Control panel on PIA's website and generate a user name & password for the proxy.

In your Torrent client, enter the proxy address (proxy-nl.privateinternetaccess.com) and port (1080), enable authentication, then put in your user name and password.

uTorrent and qBittorrent both have this feature.

The IP address reported to the swarm will change a couple of times an hour with the proxy, so you'll be all set. You can verify it using a magnet link from this site:  http://dev.cbcdn.com/ipmagnet 

The one bit of odd behavior I've noticed while using the proxy is that I'll have to occasionally restart either client (uTorrent or qBittorrent) to get new torrents to start downloading. I've scheduled a job for twice a day that ends task and then restarts it.

Pay close attention to the data reported by the ipmagnet page. You can try different configurations of your network settings and torrent clients to strip away all identifying information about you.

For example, whenever my torrent machine reboots, I run a BAT file with this command:

netsh interface teredo set state disabled

Also, I've disabled IPv6 networking in Windows. In both torrent clients, I've used options for removing identifying information. 

When I check my connection using the link I gave you above, all I see reported is the IP from the proxy, nothing else.

The bottom line is that I like DD-WRT enough that I looked for alternative answers to my problems, which are likely the same as you're dealing with. I hope this information helps you.

Kong

By the way I updated openvpn today and plan to release a new build soon. The 2.3.3 had a few regressions, maybe the reason why you guys have problems.
Thus watch out for a new release and let me know if that fixes the issue.

DougRoberson

Nice! Thanks, Kong!

Sky1111

Many thanks Doug - followed your instructions, let's see if I get that disconnect again.

Always looking forward for your new Firmware Kong :)

Sky1111

... And thanks Kong - running new 24320 firmware already :)

DougRoberson

Sky - you are very welcome! Two points -

One, qBittorrent's Anonymous Mode doesn't display a "user agent" value, which is just a description of your client, but it still is less information than uTorrent displays.

Two, prior to installing Kong's latest version (which I just installed a couple of hours ago), I still had disconnects, but my connection was never down for more than 4 minutes, so I never actually noticed it. We'll see how long the router goes without a reboot on this build :)

Sky1111

DougRoberson said: Sky - you are very welcome! Two points - One, qBittorrent's Anonymous Mode doesn't display a "user agent" value, which is just a description of your client, but it still is less information than uTorrent displays. Two, prior to installing Kong's latest version (which I just installed a couple of hours ago), I still had disconnects, but my connection was never down for more than 4 minutes, so I never actually noticed it. We'll see how long the router goes without a reboot on this build :)

I am using an older version of uTorrent - 2.0.4 (cannot stand their new versions). I did try qBittorrent a while ago, kind of did not click with me and I went back to uTorrent...

Observation: once I started using the PIA proxy on ut, my download speeds became half :( - is it expected?

As of this morning, I still had the internet connection up - but I haven't checked the logs.

P.S. Doug - really love the idea of the router rebooting itself when it senses loss of connectivity - million thanks!

DougRoberson

Yes, I am afraid so. You will significantly reduce your speed going through the proxy.

For me, that is not as big an issue as privacy. The proxy not only covers your ass when the router reboots, it actually randomizes the IP address - it switches every fifteen minutes or so.

Nothing in this world is perfect, but I'm very satisfied with the setup I've got. I feel the trade-off of speed for privacy is well worth it.

I really don't mess with this part of my setup any more. It is very stable and does exactly what I want.

I spend a lot more time with my upstream router (also an R7000 running Kong's DD-WRT) for my non-VPN side. I've got to figure out how to set it up with multiple Static IP addresses from my ISP :)

Sky1111

After flashing, I discovered yesterday that there is another build posted - seems like direct replacement 34354

There is no indication of the changes in the ChangeLog - as a matter of fact, seems like 34340 was renamed to 34345. - do you mind sharing what is the delta?

Kong

Nand support was missing in the new build, thus some people couldn't use the internal flash to store files or configs. And since I already committed the privoxy transparent exclude rule, it is also included, but this is a hidden feature, only a handful of folks would be affected by this anyways :-)
This was more a fix for myself:-)

Sky1111

Kong said: Nand support was missing in the new build, thus some people couldn't use the internal flash to store files or configs. And since I already committed the privoxy transparent exclude rule, it is also included, but this is a hidden feature, only a handful of folks would be affected by this anyways :-) This was more a fix for myself :-)

Thank you Kong!

One more question - I see some people are using some commands for the Firewall - is it necessary for regular use (i.e. just one router)?

Kong

Sky1111 said:

Kong said: Nand support was missing in the new build, thus some people couldn't use the internal flash to store files or configs. And since I already committed the privoxy transparent exclude rule, it is also included, but this is a hidden feature, only a handful of folks would be affected by this anyways :-) This was more a fix for myself :-)

Thank you Kong! One more question - I see some people are using some commands for the Firewall - is it necessary for regular use (i.e. just one router)?

If you want to do things which can't be done with the gui, then yes, but this is only for advanced setups, e.g. when setting up vlans with extra subnets etc.

DougRoberson

Kong - the router has been up for 25.5 hours without restarting itself due to a dropped connection. It would have been up longer, but I had to change the server to a US-based one so my wife could listen to Pandora.

DougRoberson

Update: after 31.75 hours, I had to reboot because the VPN had dropped - however, this was a different symptom, as Internet connectivity was not lost.

kamaaina

I am happy that lies behind me. There are a few other items missing with Tomato (no QoS, no bandwidth monitoring etc.), but the OpenVPN client connection is stable. I reached past 7-10 days three times now and then had to reboot myself due to config changes or updates. It's been only 3 releases with Tomato for the R7000 so it is "beta" at its best. But VPN seems to work fine, both with iVPN and PIA. Became more confident again and have it running at 1400 MHz the last 10 days now.

Kong

DougRoberson said: Update: after 31.75 hours, I had to reboot because the VPN had dropped - however, this was a different symptom, as Internet connectivity was not lost.

If you can send me your conf which is generated under:

/tmp/openvpn/openvpn.conf

If you use WinSCP you can just log on via ssh and then copy it to your windows machine.

I'm going to check it. I'm going to setup a testbed for openvpn in the next few days. So I can test and also improve the current implementation.

DougRoberson

Okay, here is a link to the file:

https://www.dropbox.com/s/xrgmu49ket2op37/openvpn.conf

BUT - there is nothing in it. I double checked that the path is correct.

I should point out that I don't use the openvpn client in DD-WRT. Per instructions from PIA, I use a script in Administration|Commands|Startup. I have copied that script to this file:

https://www.dropbox.com/s/868yez7ccnzvanl/startup.txt

Please let me know when you've had a chance to get the files. I'll delete them once I've had confirmation from you.

Kong

OK, got them.

Can you check if it works better by changing:

tun-mtu 1500

to:

tun-mtu 1400

This is our new default. If it still drops connections, then add the following line right under the tun-mtu:

keepalive 10 120
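Added example, not code from the thread, DD-WRT or OpenVPN: a Python helper that applies the two changes suggested above to an OpenVPN client config, lowering tun-mtu to 1400 and adding "keepalive 10 120" directly under it when no keepalive line is present. The sample config text is constructed from the settings posted in this thread; it is not anyone's actual /tmp/openvpn/openvpn.conf.

```python
import re

# Constructed stand-in for /tmp/openvpn/openvpn.conf, built from the settings
# posted in this thread (not a real file from anyone's router).
SAMPLE_CONF = """\
client
dev tun
proto udp
remote us-east.privateinternetaccess.com 1194
tun-mtu 1500
auth-user-pass /tmp/password.txt
remote-cert-tls server
"""


def parse_directives(conf):
    """Yield (name, args) for every non-blank, non-comment line."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            yield name, args


def tunnel_settings(conf):
    """Summarise the two directives under discussion: tun-mtu and keepalive."""
    mtu, keepalive = None, None
    for name, args in parse_directives(conf):
        if name == "tun-mtu" and args:
            mtu = int(args[0])
        elif name == "keepalive" and len(args) == 2:
            keepalive = (int(args[0]), int(args[1]))
    return {"tun_mtu": mtu, "keepalive": keepalive}


def apply_tuning(conf, mtu=1400, keepalive=(10, 120)):
    """Set tun-mtu to `mtu` and, if the config has no keepalive yet, add
    'keepalive <ping> <timeout>' directly under it (both lines are appended
    when tun-mtu is absent). Re-running on tuned output changes nothing."""
    if tunnel_settings(conf)["keepalive"] is not None:
        keepalive = None  # keep the author's own keepalive value
    out, mtu_seen = [], False
    for line in conf.splitlines():
        if re.match(r"^\s*tun-mtu\b", line):
            out.append(f"tun-mtu {mtu}")
            if keepalive and not mtu_seen:
                out.append(f"keepalive {keepalive[0]} {keepalive[1]}")
            mtu_seen = True
        else:
            out.append(line)
    if not mtu_seen:
        out.append(f"tun-mtu {mtu}")
        if keepalive:
            out.append(f"keepalive {keepalive[0]} {keepalive[1]}")
    return "\n".join(out) + "\n"
```

Run tunnel_settings() on the real file pulled from the router to see what it currently sets, then apply_tuning() to produce the version to paste back into Additional Config.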

DougRoberson

Great!

Let me know if you need anything else

kallsop

Also running 24345M build with OpenVPN Client. VPN provider is PIA (PrivateInternetAccess). I used the VPN setup suggested by PIA:

1. Access the Administration area and then go to Commands and finally Startup.
2. Enter the following:
echo username >> /tmp/password.txt
echo password >> /tmp/password.txt
/usr/bin/killall openvpn
/usr/sbin/openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --down-pre /tmp/openvpncl/route-down.sh --daemon
3. Access the VPN tab found under the Services section.
4. Enable the OpenVPN Client.
5. Set the Server IP/name to us-east.privateinternetaccess.com [*].
6. Set the Port to 1194.
7. Set the Tunnel Device to TUN.
8. Set the Tunnel Protocol to UDP.
9. Set the Encryption Cipher to Blowfish CBC (Default).
10. Set the Hash Algorithm to SHA1.
11. Set the nsCertType to unchecked.
12. Set the Advanced Options to Enabled.
13. Set Use LZO Compression to Enable.
14. Set NAT to Enable.
15. In the Additional Config enter the following:
auth-user-pass /tmp/password.txt
persist-key
persist-tun
tls-client
remote-cert-tls server
16. Copy and paste the contents of ca.crt found in our OpenVPN Config Files, into the CA cert field.

I also added Policy Based Routing to create an IP range that goes through VPN, other IPs excluded from VPN:
192.168.0.128/26
192.168.0.192/27

IPs 192.168.0.128 through 192.168.0.223 go through VPN. PCs in the VPN IP range will run for a while, then lose internet. The OpenVPN status screen gives no indication that VPN has died. PCs outside the VPN range do not lose internet.

See anything wrong with the VPN config?
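Added example, not code from the thread, DD-WRT or OpenVPN: a small Python model of the two exclusion mechanisms posted in this thread, the Policy Based Routing CIDR list above (which selects LAN clients by source address) and the "route 192.168.0.112 255.255.255.255 net_gateway" line from the earlier post (which OpenVPN installs as a destination route on the router). The CIDRs and the route line are the values posted; the host addresses it checks are constructed.

```python
import ipaddress
import re

# Inputs taken from the thread: the Policy Based Routing list (.128/26 plus
# .192/27) and the 'route ... net_gateway' exclusion line for the OBi202.
PBR_RANGES = ["192.168.0.128/26", "192.168.0.192/27"]
EXTRA_CONFIG = "route 192.168.0.112 255.255.255.255 net_gateway\n"

_ROUTE_RE = re.compile(r"^\s*route\s+(\S+)\s+(\S+)\s+net_gateway\b")


def pbr_networks(cidrs):
    """Parse the PBR list; strict=True rejects entries with host bits set
    (e.g. 192.168.0.130/26), a typo that would silently shift the range."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def pbr_span(cidrs):
    """(first, last) host covered by the PBR list as strings, or None when
    the ranges leave a gap; confirms the intended .128-.223 block."""
    nets = sorted(pbr_networks(cidrs))
    for prev, nxt in zip(nets, nets[1:]):
        if nxt.network_address != prev.broadcast_address + 1:
            return None
    return str(nets[0].network_address), str(nets[-1].broadcast_address)


def source_uses_vpn(src_ip, cidrs):
    """PBR matches on *source* address: True means the LAN host's traffic
    is steered into the tunnel, False means it uses the plain WAN."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in pbr_networks(cidrs))


def net_gateway_routes(extra_config):
    """Collect 'route <ip> <mask> net_gateway' lines. OpenVPN installs these
    as *destination* routes via the pre-VPN gateway on the router itself;
    they do not choose which LAN clients bypass the tunnel."""
    routes = []
    for line in extra_config.splitlines():
        m = _ROUTE_RE.match(line)
        if m:
            routes.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return routes


def destination_bypasses_vpn(dst_ip, extra_config):
    """True when packets *to* dst_ip are routed around the tunnel."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in net_gateway_routes(extra_config))


if __name__ == "__main__":
    print("PBR covers", pbr_span(PBR_RANGES))
    for host in ("192.168.0.112", "192.168.0.130", "192.168.0.223", "192.168.0.224"):
        print(host, "source via VPN:", source_uses_vpn(host, PBR_RANGES),
              "| dest bypasses VPN:", destination_bypasses_vpn(host, EXTRA_CONFIG))
```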

kamaaina

Just configured a 2nd AC56U with PIA as well, latest 24345 build. Let's see if we can collect some data to give Kong some clues on what might cause these freezes. Now, for a plain freshly flashed box, what do I need to enable to collect the right/useful info? It says syslogd disabled but I can't seem to find a check box to turn it on. Wow, seems like I only needed 15 min for it to hang. Just turned VPN off and on again and it's working again. I did not have to restart the router.

Where does the keepalive 10 120 go?

Tunnel MTU setting (Default: 1400)
Tunnel UDP Fragment (Default: Disable)
Tunnel UDP MSS-Fix (Enable / Disable)
Additional Config ??

Kong

kamaaina said: Just configured a 2nd AC56U with PIA as well, latest 24345 build. Let's see if we can collect some data to give Kong some clues on what might cause these freezes. Now, for a plain freshly flashed box, what do I need to enable to collect the right/useful info? It says syslogd disabled but I can't seem to find a check box to turn it on. Wow, seems like I only needed 15 min for it to hang. Just turned VPN off and on again and it's working again. I did not have to restart the router. Where does the keepalive 10 120 go? Tunnel MTU setting (Default: 1400) Tunnel UDP Fragment (Default: Disable) Tunnel UDP MSS-Fix (Enable / Disable) Additional Config ??

Well it looks like I can also reproduce it on my test setup. So now I can start digging.

kamaaina

Kong said:

kamaaina said: Just configured a 2nd AC56U with PIA as well, latest 24345 build. Let's see if we can collect some data to give Kong some clues on what might cause these freezes. Now, for a plain freshly flashed box, what do I need to enable to collect the right/useful info? It says syslogd disabled but I can't seem to find a check box to turn it on. Wow, seems like I only needed 15 min for it to hang. Just turned VPN off and on again and it's working again. I did not have to restart the router. Where does the keepalive 10 120 go? Tunnel MTU setting (Default: 1400) Tunnel UDP Fragment (Default: Disable) Tunnel UDP MSS-Fix (Enable / Disable) Additional Config ??

Well it looks like I can also reproduce it on my test setup. So now I can start digging.

Great. If you want me to change some settings or try anything modified/tweaked/patched, please let me know. This is a second box running in parallel so it does not get anybody screaming when it hangs and can easily be restarted.
