Nighthawk [DD-WRT (Kong)] OpenVPN Client (PIA)

DougRoberson

I've installed 24030M and disabled the Keep Alive functions. I'll keep track of the disconnects.

DougRoberson

I've got some information to share.

First, Kong asked if I was running the current build - I was running build 23900, which was multiple versions behind. I updated to the then-current build of 24030 and I'm now on 24045M (which is the current version as of the past few days).

He was then kind enough to review a couple of logs and found the problem - daemon.notice openvpn[1607]: [Private Internet Access] Inactivity timeout (--ping-restart), restarting.

He pointed me to this article for configuration help:

http://www.sparklabs.com/support/error_inactivity_timeout_ping_restart/

I contacted PIA support for assistance with ping settings and was told that they've made recent changes to their PPTP/L2TP/SOCKS5 setup, which requires some users to generate new username/password combinations.

That didn't apply to my question, so I asked for clarification. Tech asked for screen caps of my router settings, then sent back a link with instructions for a different configuration. Here is the link:

https://www.privateinternetaccess.com/forum/index.php?p=/discussion/345/...

I backed up my router configuration. Next, I modified the script linked to on the page above with my username, password, and server of choice. Then I rebooted the router.

Everything is up and running now, no DNS leaks, speed test returns results close to my full capacity (non-VPN).

I'll follow up in a couple of days to let everyone know if I have a significant number of disconnects or service issues.

DougRoberson

Took less than an hour for the first disconnect. Not resolved.

kamaaina

Hi Doug, thanks for sharing. My R7000 has been running 5 days and 2h now with Tomato and PIA w/o a problem. So, the OpenVPN client seems to be fine on the Tomato version again, same as for the old E3000.

@ Peter, you were among the first to flash to Tomato, you should be running almost 10 days by now with PIA. Any update on your side?

My 2nd AC56U that I had bricked came back from Asus RMA, so I will put the latest Kong build on it and try to connect it to iVPN again. Let's see if I keep getting disconnected there as well.

How can I help to pinpoint the cause? cat /var/log/messages > /tmp/syslog.txt
Sorry about the newbie question, but how do I get this into a shareable format so I can attach it here or otherwise share it? Can I save this on a USB drive or have it mailed somewhere automatically? Thx.

DougRoberson

Thanks, Kamaaina!

I just bricked one of my R7000s. I flashed to Tomato and was overclocking it using PuTTY and forgot to change the RAM speed. I have no idea what I was thinking. I'm making a serial cable today, but I've got no idea if I'll be able to recover it. Bleh.

kamaaina

Sorry to hear that, what speed did you try? When you just enter the CPU speed, isn't that safer as it leaves the mem clock untouched? I thought that was the more conservative approach.
I used:
nvram set clkfreq=1400,800
nvram commit && reboot
Supposedly this sets the CPU to 1400 and memory to 800. CPU indicates this speed, mem I cannot verify.

Take a look at these posts. Maybe it can help.
http://www.myopenrouter.com/article/52395/How-to-Debrick-or-Recover-NETG...
http://forum1.netgear.com/showthread.php?t=88562

DougRoberson

Sorry, I should have posted. I've already de-bricked it. I'm back on the latest DD-WRT on that one, but I haven't taken it home to plug back into the network yet.

kamaaina

I see. Well, you recovered, that's what counts.

DougRoberson

I think so, too :-)

BTW, PIA tech support decided a password reset was just the fix for me (out of the blue). Hooray.

DougRoberson

Just a follow up for everyone - within 15 minutes of getting the router set back up, I had my first VPN disconnect. Obviously, this is not due to authentication.

Tomorrow, I'll give Tomato another try. This time, I'll hopefully avoid bricking the router along the way.

Kong

kamaaina said: My connection keeps freezing. 3rd restart in about 24h. DD-WRT console can be reached but no external traffic gets through... Here is some log stuff I found, maybe that helps find the error:

Clientlog:
20140419 22:31:18 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20140419 22:31:18 W WARNING: normally if you use --mssfix and/or --fragment you should also set --tun-mtu 1500 (currently it is 1400)
20140419 22:31:18 Socket Buffers: R=[180224->131072] S=[180224->131072]
20140419 22:31:18 I UDPv4 link local: [undef]
20140419 22:31:18 I UDPv4 link remote: [AF_INET]50.23.115.73:1194
20140419 22:32:18 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20140419 22:32:18 N TLS Error: TLS handshake failed
20140419 22:32:18 I SIGUSR1[soft tls-error] received process restarting
20140419 22:32:18 Restart pause 2 second(s)
20140419 22:32:20 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20140419 22:32:20 W WARNING: normally if you use --mssfix and/or --fragment you should also set --tun-mtu 1500 (currently it is 1400)
20140419 22:32:20 Socket Buffers: R=[180224->131072] S=[180224->131072]
20140419 22:32:20 I UDPv4 link local: [undef]
20140419 22:32:20 I UDPv4 link remote: [AF_INET]50.23.115.94:1194
20140419 22:33:20 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20140419 22:33:20 N TLS Error: TLS handshake failed
20140419 22:33:20 I SIGUSR1[soft tls-error] received process restarting
20140419 22:33:20 Restart pause 2 second(s)
20140419 22:33:22 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20140419 22:33:22 W WARNING: normally if you use --mssfix and/or --fragment you should also set --tun-mtu 1500 (currently it is 1400)
20140419 22:33:22 Socket Buffers: R=[180224->131072] S=[180224->131072]
20140419 22:33:22 I UDPv4 link local: [undef]
20140419 22:33:22 I UDPv4 link remote: [AF_INET]50.23.115.120:1194
20140419 22:34:22 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20140419 22:34:22 N TLS Error: TLS handshake failed
20140419 22:34:22 I SIGUSR1[soft tls-error] received process restarting
20140419 22:34:22 Restart pause 2 second(s)
20140419 22:34:24 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20140419 22:34:24 W WARNING: normally if you use --mssfix and/or --fragment you should also set --tun-mtu 1500 (currently it is 1400)
20140419 22:34:24 Socket Buffers: R=[180224->131072] S=[180224->131072]
20140419 22:34:24 I UDPv4 link local: [undef]
20140419 22:34:24 I UDPv4 link remote: [AF_INET]50.23.113.213:1194
20140419 22:35:24 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20140419 22:35:24 N TLS Error: TLS handshake failed
20140419 22:35:24 I SIGUSR1[soft tls-error] received process restarting
20140419 22:35:24 Restart pause 2 second(s)
20140419 22:35:26 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20140419 22:35:26 W WARNING: normally if you use --mssfix and/or --fragment you should also set --tun-mtu 1500 (currently it is 1400)
20140419 22:35:26 Socket Buffers: R=[180224->131072] S=[180224->131072]
20140419 22:35:26 I UDPv4 link local: [undef]
20140419 22:35:26 I UDPv4 link remote: [AF_INET]198.23.103.126:1194
20140419 22:36:27 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20140419 22:36:27 N TLS Error: TLS handshake failed
20140419 22:36:27 I SIGUSR1[soft tls-error] received process restarting
20140419 22:36:27 Restart pause 2 second(s)
20140419 22:36:29 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20140419 22:36:29 W WARNING: normally if you use --mssfix and/or --fragment you should also set --tun-mtu 1500 (currently it is 1400)
20140419 22:36:29 Socket Buffers: R=[180224->131072] S=[180224->131072]
20140419 22:36:29 I UDPv4 link local: [undef]
20140419 22:36:29 I UDPv4 link remote: [AF_INET]50.23.113.213:1194
20140419 22:37:29 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20140419 22:37:29 N TLS Error: TLS handshake failed
20140419 22:37:29 I SIGUSR1[soft tls-error] received process restarting
20140419 22:37:29 Restart pause 2 second(s)
20140419 22:37:31 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20140419 22:37:31 W WARNING: normally if you use --mssfix and/or --fragment you should also set --tun-mtu 1500 (currently it is 1400)
20140419 22:37:31 Socket Buffers: R=[180224->131072] S=[180224->131072]
20140419 22:37:31 I UDPv4 link local: [undef]
20140419 22:37:31 I UDPv4 link remote: [AF_INET]50.23.115.104:1194
20140419 22:38:31 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20140419 22:38:31 N TLS Error: TLS handshake failed
20140419 22:38:31 I SIGUSR1[soft tls-error] received process restarting
20140419 22:38:31 Restart pause 2 second(s)
20140419 22:38:33 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20140419 22:38:33 W WARNING: normally if you use --mssfix and/or --fragment you should also set --tun-mtu 1500 (currently it is 1400)
20140419 22:38:33 Socket Buffers: R=[180224->131072] S=[180224->131072]
20140419 22:38:33 I UDPv4 link local: [undef]
20140419 22:38:33 I UDPv4 link remote: [AF_INET]50.23.113.229:1194
20140419 22:39:33 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20140419 22:39:33 N TLS Error: TLS handshake failed
20140419 22:39:33 I SIGUSR1[soft tls-error] received process restarting
20140419 22:39:33 Restart pause 2 second(s)
20140419 22:39:35 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20140419 22:39:35 W WARNING: normally if you use --mssfix and/or --fragment you should also set --tun-mtu 1500 (currently it is 1400)
20140419 22:39:35 Socket Buffers: R=[180224->131072] S=[180224->131072]
20140419 22:39:35 I UDPv4 link local: [undef]
20140419 22:39:35 I UDPv4 link remote: [AF_INET]50.23.115.124:1194
20140419 22:39:47 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20140419 22:39:47 D MANAGEMENT: CMD 'state'
20140419 22:39:47 MANAGEMENT: Client disconnected
20140419 22:39:47 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20140419 22:39:47 D MANAGEMENT: CMD 'state'
20140419 22:39:47 MANAGEMENT: Client disconnected
20140419 22:39:47 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20140419 22:39:47 D MANAGEMENT: CMD 'state'
20140419 22:39:47 MANAGEMENT: Client disconnected
20140419 22:39:47 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20140419 22:39:47 D MANAGEMENT: CMD 'log 500'
20140419 22:39:47 MANAGEMENT: Client disconnected
20140419 22:40:31 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20140419 22:40:31 D MANAGEMENT: CMD 'state'
20140419 22:40:31 MANAGEMENT: Client disconnected
20140419 22:40:31 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20140419 22:40:31 D MANAGEMENT: CMD 'state'
20140419 22:40:31 MANAGEMENT: Client disconnected
20140419 22:40:31 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20140419 22:40:31 D MANAGEMENT: CMD 'state'
20140419 22:40:31 MANAGEMENT: Client disconnected
20140419 22:40:31 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20140419 22:40:31 D MANAGEMENT: CMD 'log 500'
19700101 00:00:00

You have config errors, a different problem than the others, e.g. Doug; you also overclocked the unit to a value that is likely to cause errors, especially crypto functions won't work well.
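
A log triage script, added here as an example and not something posted in the thread or shipped with Kong's builds: it separates Doug's --ping-restart inactivity timeouts from the TLS key negotiation failures in kamaaina's quoted client log, and attributes each failed handshake to the server that attempt was talking to. The log lines it runs over are constructed (RFC 5737 documentation addresses); on a router you would point it at /var/log/messages instead.

```shell
#!/bin/sh
# Added example, not code from the thread: triage an OpenVPN client log for
# the two signatures discussed above (ping-restart timeouts vs. failed TLS
# handshakes). The sample below is constructed; addresses are RFC 5737 ones.
SAMPLE_LOG='daemon.notice openvpn[1607]: [Private Internet Access] Inactivity timeout (--ping-restart), restarting
20140419 22:31:18 W WARNING: normally if you use --mssfix and/or --fragment you should also set --tun-mtu 1500 (currently it is 1400)
20140419 22:31:18 I UDPv4 link remote: [AF_INET]192.0.2.10:1194
20140419 22:32:18 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20140419 22:32:18 N TLS Error: TLS handshake failed
20140419 22:32:18 I SIGUSR1[soft tls-error] received process restarting
20140419 22:32:20 I UDPv4 link remote: [AF_INET]192.0.2.11:1194
20140419 22:33:20 N TLS Error: TLS handshake failed
20140419 22:33:22 I UDPv4 link remote: [AF_INET]192.0.2.10:1194
20140419 22:34:22 N TLS Error: TLS handshake failed
20140419 22:34:24 I UDPv4 link remote: [AF_INET]192.0.2.12:1194
20140419 22:34:30 I Initialization Sequence Completed'

# Write the constructed sample to a file; on the router you would read
# /var/log/messages (or the /tmp/syslog.txt copy from the thread) instead.
write_sample() {
    printf '%s\n' "$SAMPLE_LOG" > "$1"
}

# Tunnel restarts caused by the inactivity timeout (Doug's symptom).
count_ping_restarts() {
    grep -c 'Inactivity timeout (--ping-restart)' "$1" || true
}

# Handshakes that never completed (kamaaina's symptom).
count_tls_failures() {
    grep -c 'TLS handshake failed' "$1" || true
}

# True if OpenVPN warned that --tun-mtu was lowered while --mssfix/--fragment is set.
has_mtu_warning() {
    grep -q 'should also set --tun-mtu 1500' "$1"
}

# Attribute every failed handshake to the server being contacted: OpenVPN logs
# "link remote: [AF_INET]ip:port" before each attempt, so remember the last one.
tls_failures_by_remote() {
    awk '/link remote:/ { ip = $NF; sub(/^\[AF_INET\]/, "", ip); sub(/:[0-9]+$/, "", ip) }
         /TLS handshake failed/ { fails[ip]++ }
         END { for (h in fails) print h, fails[h] }' "$1" | sort
}

# Kong's point: a handshake that never completes is a config or network
# problem; a tunnel that restarts on ping timeout is a different one.
classify_log() {
    if [ "$(count_tls_failures "$1")" -gt 0 ]; then
        echo tls-handshake-failure
    elif [ "$(count_ping_restarts "$1")" -gt 0 ]; then
        echo ping-restart
    else
        echo ok
    fi
}

f=$(mktemp)
write_sample "$f"
echo "ping-restart events: $(count_ping_restarts "$f")"
echo "TLS failures: $(count_tls_failures "$f")"
tls_failures_by_remote "$f"
echo "verdict: $(classify_log "$f")"
rm -f "$f"
```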

DougRoberson

Kong, just for clarification for Kamaaina and the rest of us, what is the top frequency you recommend for overclocking?

Also, Private Internet Access has bumped my report up to Tier II. I'll share any significant news.

Edit: I notified PIA of the possibility that I've also overclocked my unit too far (1400,800) and asked if they'd like for me to reset it to stock for now.

Kong

DougRoberson said: Kong, just for clarification for Kamaaina and the rest of us, what is the top frequency you recommend for overclocking? Also, Private Internet Access has bumped my report up to Tier II. I'll share any significant news.

Maximum stable freq is 1200, 1400 boots but fails in my cpu and mem tests.

I have seen people report that they can do 1400 on the 800 MHz Asus units; this is complete bullshit. Booting and running it for a while in idle is no test, you need to run tools like memcheck etc. on the router, just as you would do on your regular PC.

kamaaina

In my experience on a PC, if you can overclock 10-15% that's already pretty good. The Asus 68U booted and ran/idled at 1200 but the connection hung up sometimes; at 1000 it felt more stable. That's already a 25% gain though. I did not do any tests, just perception, and looked at the temp. On the R7000, it's running at 1400 on my unit so far, which is quite amazing, but again, no tests, just regular traffic. I don't put much load on the machine. A 20% increase would be more the value to expect that would make sense. I had to restart due to some config changes yesterday but before that did 5+ days of PIA w/ Tomato, that is at 1400. CPU seems to stay around 12% load, as I did some file syncing over night, but that's about it. No real power test.

kamaaina

Kong said:

kamaaina said: My connection keeps freezing. 3rd restart in about 24h. DD-WRT console can be reached but no external traffic gets through... Here is some l

You have config errors, a different problem than the others, e.g. Doug; you also overclocked the unit to a value that is likely to cause errors, especially crypto functions won't work well.

Thanks Kong. I had tried 3 different ways to configure this that I had found on the web and all had similar issues, but as you pointed out, some might not have been correct. I will see if I can get the second Asus AC56U I have configured this weekend and give it another shot.

DougRoberson

Kong, you officially kick ass. I've set my clock speed back to stock for now and will see if I continue to have problems.

If I do not see a lot of drops, I'll experiment with 1200 and see if the performance to hassle ratio is worth it.

Sky1111

Kong said:

DougRoberson said: Kong, just for clarification for Kamaaina and the rest of us, what is the top frequency you recommend for overclocking? Also, Private Internet Access has bumped my report up to Tier II. I'll share any significant news.

Maximum stable freq is 1200, 1400 boots but fails in my cpu and mem tests. I have seen people report that they can do 1400 on the 800 MHz Asus units; this is complete bullshit. Booting and running it for a while in idle is no test, you need to run tools like memcheck etc. on the router, just as you would do on your regular PC.

Hi Kong,

Can you please kindly share the instructions to run those tests? Thanks :)

DougRoberson

Update:

24 hours with no disconnects. I averaged 3-5 per 24 hours when overclocked.

kamaaina

I had mine stable w/ Tomato for 5+ days but then redid config settings and started fresh. I switched VPN provider to iVPN and after 2+ days now had a disconnect. I wasn't around and my wife just restarted the box, but I assume the VPN got hung. I was still running at 1400 MHz. I toned it down to 1200 now. I assume given iVPN uses stronger encryption (higher calc need) the higher clock speed could have interfered. I recall from the PC that the overclocked CPU at the limit could handle office apps but would stall with calc-intense apps like Prime or flight simulator.

I haven't had time yet to set up the AC56U with DD-WRT and PIA in parallel but will tackle that on Wed.

DougRoberson

I'm at 60 hours with no disconnects. This weekend, I may bump it up to 1200, but I may not. I like a stable platform.

roadcarver

Hi Doug, I'm getting disconnects every 48 hours or so with my router, I'm not overclocking.

Are you using the hacked script linked in the original post?

DougRoberson

No, I'm using the script from the link below - the suggestion to do this came from Matthew K. at PIA tech support:

Edit - the link didn't come out right. Take 3!

https://www.privateinternetaccess.com/forum/index.php?p=/discussion/345/...

DougRoberson

I give up on the link, but the address is right as of the third posting.

roadcarver

Thanks. I remember seeing this as well. I'll give it a shot one more time with the latest FW from Kong.

roadcarver

Now I remember, when I used this, it didn't work. I think what I did wrong was enable OpenVPN client in addition to the server. I was hoping to enable and disable VPN by using the services/VPN radio button. I guess for the sake of stability, it may trump convenience :)

I'll report the status in a few days.

roadcarver

Additionally, this is what I have configured. It would disconnect between 24-36 hours, and I simply turn off and back on OpenVPN client under services.

Server IP name: us-florida.privateinternetaccess.com
Port 1194
Tunnel device: TUN
Tunnel protocol: UDP
Encryption Cipher: Blowfish CBC
Hash algorithm: SHA1
Advanced Options: Enabled
TLS Cipher: None
LZO compression: Disabled
NAT: Enable
Tunnel MTU setting: 1500
Tunnel UDP MSS-Fix: Disabled

Additional config:

comp-lzo yes
auth-user-pass /tmp/password.txt
persist-key
persist-tun
tls-client
remote-cert-tls server

CA Cert:

Under administration, for commands:

Startup:

echo enter_your_username >> /tmp/password.txt
echo enter_your_password >> /tmp/password.txt
/usr/bin/killall openvpn
/usr/sbin/openvpn --config /tmp/openvpncl/openvpn.conf --comp-lzo yes --route-up /tmp/openvpncl/route-up.sh --down-pre /tmp/openvpncl/route-down.sh --daemon

Firewall:
iptables -N VPN
iptables -F VPN
iptables -I INPUT -i tun0 -j VPN
iptables -I FORWARD -i tun0 -j VPN
iptables -A VPN -i tun0 -o br0 -j ACCEPT
iptables -I POSTROUTING -t nat -o tun0 -j RETURN

DougRoberson

Please don't be insulted by me asking this - I am just pointing this out due to many, many years in the IT field, seeing all kinds of crazy things.... you did change the parts that say "enter_your_username" and "enter_your_password," right?

I'm sure you did, but I've come across plenty of people who've just ignored things like that.

roadcarver

LOL - ya. I only put that "enter_your_username" as I was copying and pasting my config from my router setup.

My setup works but it suffers the drop connection after 24-36 hours. It will drop once during that time frame.

I did some minor tweaks this evening in the additional config section. Let's see if it drops connection in 24-36 hrs.

kamaaina

OK, I am back in the game as well. Different hardware (RT-AC56U), but same ARM firmware 24045. Router left on stock speed, nothing else configured. PIA configured. I am trying their "official" approach:
https://www.privateinternetaccess.com/pages/client-support/#ddwrt_openvpn 

I basically now have 2 VPN routers running in parallel behind a third router that acts as a GW router (with the SIP adapters connected as well)
1) AC56U with Merlin as gateway to ISP with others behind. Plain connection, no QoS or anything.
2) R7000 w/ Tomato and OpenVPN client (iVPN configured)
3) AC56U with Kong build 24045 and OpenVPN client (PIA configured) 
All routers use OpenDNS. 

DougRoberson

Nice! Let us know if you see any significant performance differences!

I'm running dual R7000s, with the VPN router running downstream from the main router. In the next week or so, I'm supposed to switch over to Comcast business class.

We're getting 5 static IPs, so I'll connect each router to a specific port on the new gateway. It is time for my network to grow up a little, but I'm going to miss having my own hardware (DOCSIS 3 Motorola Surfboard).
