PIA OPENVPN on OpenWrt / Lede


#1

READ ENTIRE GUIDE BEFORE YOU BEGIN
This is a tutorial which will enable you to run PIA OPENVPN on OpenWrt / Lede. First, I would suggest that you run PIA VPN with the recommended encryption algorithm which they have available - which is AES-128-CBC. See here: https://www.privateinternetaccess.com/pages/vpn-encryption

So let's get started. OK - I decided to put this up on the Forum as I could not find a tutorial anywhere with specific step by step instructions for getting PIA OPENVPN working with OpenWrt / Lede. I use davidc502 firmware, which is described as Moderately Customized LEDE Development Builds, found here - https://davidc502sis.dynamic-dns.net/releases/ and here - https://davidc502sis.dynamic-dns.net/snapshots/ -- davidc502's forum is found here - Davidc502 - wrt1200ac wrt1900acx wrt3200acm wrt32x builds. Dave's builds are for Linksys WRT1900AC v1, Linksys WRT1900AC v2, Linksys WRT1900ACS, Linksys WRT3200ACM and Linksys WRT1200AC models ONLY !!! One of the many benefits of using Dave's custom firmware is that it comes with many pre-installed and configured software packages - including OpenVPN. For the full list of packages see Dave's configuration seed found here - https://davidc502sis.dynamic-dns.net/releases/config.seed - However, the tutorial here will work on any and every OpenWrt / Lede firmware based router. I also tested this with OpenWrt / Lede 18.06.0-rc1 found here ( download and do a fresh install of squashfs-factory.img on your device for best performance ) - https://downloads.openwrt.org/releases/18.06.0-rc1/

1 ) In the LuCI GUI go to System > Software, do update first ( ssh command opkg update )
    then search for openvpn and install openvpn-openssl and luci-app-openvpn. ( uci ssh command - opkg install openvpn-openssl luci-app-openvpn )
    These are necessary - LuCI is the GUI frontend for OpenWrt - it comes pre-installed with davidc502's firmware. Also installed on OpenWrt / Lede 18.06.0-rc1.

2 ) opkg install nano - if you need to install nano ( if not already there / comes pre-installed in davidc502's builds ). SSH into the router, then type ( copy and paste ) " nano /etc/config/openvpn " ( without parenthesis ) - erase all contents of the file ( hold Ctrl + k ) and replace ( copy and paste ) with the contents of the config file below:

config openvpn 'myvpnc'
        option enabled '1'
        option client '1'
        option port '1198'
        option dev 'tun'
        option proto 'udp'
        option resolv_retry 'infinite'
        option nobind '1'
        option persist_key '1'
        option persist_tun '1'
        option ca '/etc/openvpn/ca.rsa.2048.crt'
        option tls_client '1'
        option remote_cert_tls 'server'
        option auth_user_pass '/etc/openvpn/piavpn-login.pem'
        option auth_nocache '1'
        option compress 'lzo' # necessary for OpenVpn 2.4 and above
        option verb '3'
        option reneg_sec '0'
        option keepalive '10 120'
        option auth 'sha1'
        option cipher 'aes-128-cbc'
        option engine 'cryptodev'
        option script_security '2'
        list remote 'us-east.privateinternetaccess.com' # change to resolver of your choice if you wish
        option tun_mtu_extra '32'
        option float '0'   # you can enable with '1' and list additional remote servers
        option mute_replay_warnings '1'
        option disable_occ '1'
        option log '/tmp/openvpn.log'

Then hit Ctrl + o - you will be asked to write the file - hit Enter to save the file - then Ctrl + x to close the file and go back into the shell

3 ) opkg install wget ( if you need to install wget / comes pre-installed in davidc502's builds ). SSH into the router and use wget to issue the following commands in order to install the necessary credentials to /etc/openvpn/ for a successful PIA OPENVPN connection
A ) wget -P /etc/openvpn https://www.privateinternetaccess.com/openvpn/ca.rsa.2048.crt
B ) Then enter nano /etc/openvpn/piavpn-login.pem ( here, in the new file, you will enter your PIA OPENVPN username on the first line and your PIA OPENVPN password on the second line )
C ) Then hit ( Ctrl + o ) - you will be asked to write the file - hit Enter to save the file - then ( Ctrl + x ) to close the file and go back into the shell - piavpn-login.pem is now added under the /etc/openvpn/ folder as well.

4 ) Change permissions to the files you downloaded and created:
A ) chmod 0777 /etc/openvpn/ca.rsa.2048.crt
B ) chmod 0400 /etc/openvpn/piavpn-login.pem

5 ) Create a PIA OPENVPN Network Interface:
    By way of SSH shell enter:
uci set network.myvpnc=interface
uci set network.myvpnc.proto=none
uci set network.myvpnc.ifname=tun0
uci commit network
6 ) Create firewall rules for PIA OPENVPN:
    By way of SSH shell enter:
uci add firewall zone
uci set firewall.@zone[-1]=zone
uci set firewall.@zone[-1].name=myvpnc_fw
uci set firewall.@zone[-1].network=myvpnc
uci set firewall.@zone[-1].input=REJECT
uci set firewall.@zone[-1].output=ACCEPT
uci set firewall.@zone[-1].forward=REJECT
uci set firewall.@zone[-1].masq=1
uci set firewall.@zone[-1].mtu_fix=1
uci add firewall forwarding
uci set firewall.@forwarding[-1]=forwarding
uci set firewall.@forwarding[-1].src=lan
uci set firewall.@forwarding[-1].dest=myvpnc_fw
uci commit firewall
7 ) Reboot your router with the reboot; exit command

8 ) Optional Setup - YOU CAN NOT USE THE ONE ABOVE IN STEP 2 IF YOU USE THIS METHOD
    You can choose to use uci in SSH to create the /etc/config/openvpn file if you prefer - the commands are as follows:

uci set openvpn.myvpnc=openvpn
uci set openvpn.myvpnc.enabled=1
uci set openvpn.myvpnc.client=1
uci set openvpn.myvpnc.port='1198'
uci set openvpn.myvpnc.dev=tun
uci set openvpn.myvpnc.proto=udp
uci set openvpn.myvpnc.resolv_retry=infinite
uci set openvpn.myvpnc.nobind=1
uci set openvpn.myvpnc.persist_key=1
uci set openvpn.myvpnc.persist_tun=1
uci set openvpn.myvpnc.ca=/etc/openvpn/ca.rsa.2048.crt
uci set openvpn.myvpnc.tls_client=1
uci set openvpn.myvpnc.remote_cert_tls=server
uci set openvpn.myvpnc.auth_user_pass=/etc/openvpn/piavpn-login.pem
uci set openvpn.myvpnc.auth_nocache=1
uci set openvpn.myvpnc.compress=lzo
uci set openvpn.myvpnc.verb=3
uci set openvpn.myvpnc.reneg_sec=0
uci set openvpn.myvpnc.keepalive='10 120'
uci set openvpn.myvpnc.float=0
uci set openvpn.myvpnc.auth=sha1
uci set openvpn.myvpnc.cipher=aes-128-cbc
uci add_list openvpn.myvpnc.remote='us-east.privateinternetaccess.com'
uci commit openvpn
9 ) Bonus Feature - For adding DNS-Over-TLS support to OpenWrt (LEDE) with Unbound see here:
    https://torguard.net/forums/index.php?/topic/1374-adding-dns-over-tls-support-to-openwrt-lede-with-unbound/ or here:
    Adding DNS-Over-TLS support to OpenWrt (LEDE) with Unbound

Final Advice - I always set up DNS before configuring OPENVPN - I believe that this is the best way to proceed.


( From The DNS Privacy Project ) DNS-OVER-TLS on OpenWrt/LEDE FEATURING UNBOUND GETDNS and STUBBY
UPDATED GUIDE FOR Getdns 1.4.2-2 stubby 0.2.3-3 and unbound 1.8.1-2
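The checks below are an added example written for this thread, not part of directnupe's guide. They cover the two files created in steps 3 and 4: the script takes the CA path and the credentials path as arguments (defaulting to the guide's /etc/openvpn/ca.rsa.2048.crt and /etc/openvpn/piavpn-login.pem) and refuses a CA file that is group- or world-writable, because the guide's chmod 0777 lets any local process replace the certificate that OpenVPN uses to verify the PIA server; OpenVPN only reads that file, so 0644 is enough. It also refuses a credentials file that other users can read, that does not hold exactly two non-empty lines, or that contains CR line endings from a Windows editor (the situation a later post in this thread runs into). The permission field is taken from ls -l rather than stat so it behaves the same on BusyBox and GNU userland.

```shell
#!/bin/sh
# Pre-flight checks for the files from steps 3 and 4 of the guide.
# Added example, not part of the original post. Paths are arguments so the
# same functions can be run against a scratch directory before /etc/openvpn.

# mode_string FILE: the ten-character permission field from ls -l, e.g. -rw-r--r--
# (used instead of stat -c so it works on BusyBox and GNU alike)
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# check_ca FILE: OpenVPN only reads the CA certificate, so nothing but the
# owner should be able to write it. Returns 0 if acceptable, 1 otherwise.
check_ca() {
    ca=$1
    [ -f "$ca" ] || { echo "CA missing: $ca"; return 1; }
    m=$(mode_string "$ca")
    # character 6 is the group write bit, character 9 the world write bit
    case "$m" in
        ?????w????|????????w?) echo "CA is group- or world-writable ($m), use chmod 0644: $ca"; return 1 ;;
    esac
    grep -q 'BEGIN CERTIFICATE' "$ca" || { echo "not a PEM certificate: $ca"; return 1; }
    return 0
}

# check_creds FILE: the auth-user-pass file holds the PIA username and password
# in plaintext, so it must be readable by its owner only, contain exactly two
# non-empty lines, and have no CR characters (a CRLF file makes OpenVPN send
# the password with a trailing \r). Returns 0 if acceptable, 1 otherwise.
check_creds() {
    f=$1
    [ -f "$f" ] || { echo "credentials missing: $f"; return 1; }
    m=$(mode_string "$f")
    case "$m" in
        -r--------|-rw-------) ;;
        *) echo "credentials readable by others ($m), use chmod 0400: $f"; return 1 ;;
    esac
    if grep -q "$(printf '\r')" "$f"; then
        echo "credentials contain CR line endings: $f"; return 1
    fi
    n=$(grep -c . "$f")
    [ "$n" -eq 2 ] || { echo "expected 2 non-empty lines, found $n: $f"; return 1; }
    return 0
}

# preflight CA CREDS: run both checks and report every finding, not just the first
preflight() {
    rc=0
    check_ca "$1" || rc=1
    check_creds "$2" || rc=1
    return $rc
}

# When executed directly, check the two given paths, or the guide's defaults
# if /etc/openvpn exists and no paths were given.
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
elif [ "$#" -eq 0 ] && [ -d /etc/openvpn ]; then
    preflight /etc/openvpn/ca.rsa.2048.crt /etc/openvpn/piavpn-login.pem
fi
```

Run it after step 4 and again after any edit of the credentials file; a non-zero exit status means something needs fixing before openvpn is started.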
#2

This post desperately needs code blocks.


#3

What do you mean by code blocks? I do not know what you are referring to. Sorry


#4

@directnupe First and foremost, thank you for taking the substantial amount of time it must have taken you to do a tutorial write up, as well as for contributing your knowledge. With that being said, something like this really belongs in a wiki, not a thread.

  • As @lantis1008 mentioned, if a wiki is going to be written, it should be done properly with the correct formatting... may I suggest learning what the proper formatting is for a wiki (as well as how code is supposed to be output in the forum)?
    • If creating/adding to a wiki, please check out the two DokuWiki plugins Wrap (it's the most versatile plugin for formatting OpenWrt wikis), and Code1 & Code2.

There are multiple OpenVPN Client wikis which could have a PIA section added, however certain options in your configs are not efficient and should not be utilized:

  • Ciphers
    • TLS Ciphers should be utilized, especially EC TLS ciphers, which are more efficient and don't tax CPUs as heavily as SSL ciphers.
      • It could be PIA doesn't offer TLS Ciphers with their servers, and if not, users would gain more by looking for a 3rd party VPN that does offer TLS ciphers, especially EC TLS ciphers.

    • SSL cipher should be aes-128-cbc, as there's zero benefit for an encryption level higher than that since AES128 will remain uncrackable until at least 2030.
      • Even if one is the target of a nation state, setting a rekeying limit to 5min or 10min would be far more efficient.

  • Compression
    • As of OpenVPN 2.4, lz4 should be utilized if the client is using OpenVPN 2.4 (see 2.4 man page)
      • option push "comp-lzo adaptive" needs to match server's compression option, as comp-lzo is deprecated as of 2.4.

  • Unfortunately, as with many 3rd party VPN providers, they don't bother tuning their tunnel MTU values, as the tunnel MTU should be closer to 48000, especially if using an SSL cipher. This must be echoed in both client and server configs, so if PIA's server config doesn't have it, you can't utilize it, and throughput will suffer.

There's no reason to reboot the router...

cd /etc/init.d && ./network restart && ./firewall reload

May I also suggest checking out the OpenWrt Wikis section?


#5

In addition:

On machines without AES-NI, GCM is not faster than CBC, actually quite significantly slower.


#6

Thanks for the corrections and informing me of my missteps. I will do my best to amend the errors. I am not all the good at editing for the wiki but I will study.
Peace JW and God Bless,

directnupe


#7

I really appreciate you letting me know about this. I run AES-GCM on my Pfsense Hardware router which has AES-NI. So I erroneously assumed that it was the same across the board. Thanks for that.
Peace takimata and God Bless

directnupe


#8

If you are not sure about your wiki editing skills, start in the inbox.

https://openwrt.org/inbox/path/to/your/new_page

The wiki syntax is easy: https://openwrt.org/wiki/syntax

When you think you are finished with the page, ask here in the forum for a review.


#9

There's a full PIA tutorial here!
https://www.privateinternetaccess.com/helpdesk/guides/routers/lede/lede-firmware-openvpn-setup

The only caveat is an incorrect port 1197 listed, should be 1198.

I've been using this PIA setup for months now without a hitch.

In addition, I have also created a script used to re-establish the VPN connection in case the 'internet' goes down using a 'cron' entry that executes the script every 5 minutes.
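A watchdog of the kind described above, written for this thread as an added example (the poster's own script was not shared): it probes connectivity through the tunnel and restarts the OpenVPN service only after the probe has failed on consecutive runs, so one lost ping does not tear down a working tunnel. The interface name tun0 comes from the first post; the probe target 209.222.18.222 is the PIA resolver visible in the PUSH_REPLY quoted later in this thread; the threshold, the BusyBox ping options and the restart command are assumptions and can all be overridden through the environment.

```shell
#!/bin/sh
# vpn_watchdog: re-establish the PIA tunnel when traffic through it stops.
# Added example for this thread; not the poster's script. Run every 5 minutes
# from /etc/crontabs/root:   */5 * * * * /root/vpn_watchdog.sh
#
# Assumptions (override via environment): tunnel interface tun0 as in the
# first post, probe target 209.222.18.222 (the PIA resolver pushed by the
# server in a later post), BusyBox ping options -I/-c/-W.
PROBE_CMD=${PROBE_CMD:-"ping -I tun0 -c 1 -W 3 209.222.18.222"}
RESTART_CMD=${RESTART_CMD:-"/etc/init.d/openvpn restart"}
STATE_FILE=${STATE_FILE:-/tmp/vpn_watchdog.fails}   # consecutive failure count
THRESHOLD=${THRESHOLD:-2}                            # restart after this many

# read_fails: current consecutive failure count, 0 when there is no state file
read_fails() {
    if [ -f "$STATE_FILE" ]; then cat "$STATE_FILE"; else echo 0; fi
}

# vpn_watchdog: 0 = tunnel healthy, 2 = probe failed but below threshold,
# 1 = threshold reached and the restart command was run.
vpn_watchdog() {
    if $PROBE_CMD >/dev/null 2>&1; then
        rm -f "$STATE_FILE"          # one good probe resets the count
        return 0
    fi
    fails=$(( $(read_fails) + 1 ))
    if [ "$fails" -lt "$THRESHOLD" ]; then
        echo "$fails" > "$STATE_FILE"
        return 2
    fi
    # logger writes to the router's syslog (logread); ignored where it is absent
    logger -t vpn_watchdog "probe failed $fails times, restarting openvpn" 2>/dev/null
    $RESTART_CMD
    rm -f "$STATE_FILE"
    return 1
}

# Only act when invoked as the cron script; sourcing the file just defines the functions.
case "$0" in
    */vpn_watchdog.sh|vpn_watchdog.sh) vpn_watchdog ;;
esac
```

After saving it as /root/vpn_watchdog.sh and making it executable, add the crontab line shown in the header to /etc/crontabs/root and run /etc/init.d/cron restart. The state file lives in /tmp, so a reboot clears the count, and every restart is recorded in logread under the vpn_watchdog tag.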


#10

Hi, after doing all the instructions, when I try to start it by going to Services => OpenVPN => Start button, nothing happens. Any idea? I use a BT Home Hub 5A with Firmware Version OpenWrt 18.06.1 r7258-5eb055306f / LuCI openwrt-18.06 branch (git-18.228.31946-f64b152) and Kernel Version 4.9.120

daemon.err openvpn(myvpnc)[1810]: Options error: Unrecognized option or missing or extra parameter(s) in openvpn-myvpnc.conf:15: engine (2.4.5)
Sun Oct 28 16:39:25 2018 daemon.warn openvpn(myvpnc)[1810]: Use --help for more information.

#11
Options error: Unrecognized option or missing or extra parameter(s) in openvpn-myvpnc.conf:15: engine (2.4.5)
  • See line 15 in openvpn-myvpnc.conf

Also, OpenVPN is one of the services that is far easier and more efficient to manage via SSH than through LuCI.


#12

Thank you for the reply, I followed these instructions and now it is working.
The only problem is if I do

tr -d '\15\32' < /etc/openvpn/credentials.txt > /etc/openvpn/credentials.txt

it will delete the credentials from the file.
The port should be 1198 not 1197, and auth_user_pass /etc/openvpn/credentials/txt should be auth_user_pass /etc/openvpn/credentials.txt

Anyway, in their config files you can see comp-lzo no but in your example is Yes and here I am a little confused


#13

Not sure where you're referencing the yes from, however the client config must match the server config, so if the server config is not using compression, it cannot be applied in the client config.

Also, just a general FYI, PIA is using an extremely old and unsupported OpenVPN server version if they're still utilizing comp-lzo directives, as comp-lzo was deprecated in OpenVPN 2.4 (released around two years ago), with compress lzo or compress lz4 [preferred] superseding it.

  • This also means they're utilizing inefficient ciphers, since 2.4 gained support for the faster and more efficient EC TLS ciphers.

  • Unless I missed it in their wiki write-up, they're also not utilizing any means of HMAC authentication, leaving the connection open to a MITM attack.

#14

From here, I thought it is Yes


#15

Right, but the server dictates the compression utilized. With OpenVPN, 99% of config options must mirror each other between the server <--> client configs, with the server dictating most settings, of which then must be mirrored in the client config.

  • Since PIA is utilizing OpenVPN servers running <v2.4, even if the client is utilizing >v2.4, the client config must match the capabilities of the server.

#16

It seems PIA OpenVPN config files don't reflect OpenWrt's version of OpenVPN (currently 2.4.5-4, OpenWrt 18.06.1 r7258-5eb055306f )

If you're using:

  • openvpn-myvpnc.conf method of configuring OpenVPN, change the compression option to:
    compress

If you're using:

  • /etc/config/openvpn method, change the compression option to:
    option compress 'lzo'

I use PIA and both of these options work for me.


#17

Once you re-insert the username and password into the file, SSH into the router using PuTTY, and set the credentials.txt file as read-only...

chmod 0444 /etc/openvpn/credentials.txt

#18

There's no difference (that I'm aware of) in option/command structure when utilizing /etc/config/openvpn or a separate *.conf referenced via /etc/config/openvpn... both are treated as normal config files utilizing OpenWrt's distinctive underscores in place of dashes.

Have you verified PIA offers compression on their server(s)? Their wiki stipulated to specify no compression, and it's not possible for the client to compress traffic if the server isn't configured with compression enabled.

  • Almost all OpenVPN option parameters must be an exact mirror between the client and server configs, else the tunnel won't function properly, if at all. You should be able to verify if the server has compression enabled via the client log (do a search for lines with "remote" in them).
    • I'm not sure what the minimum verbosity level would be to show that, as all my clients are set to 7 by default.

#19

You're probably correct, I haven't personally tried utilizing OpenWrt's distinctive underscores in place of dashes.

If the compression parameters are left out of either the PIA /etc/config/openvpn or a separate *.conf file, the result is a warning...

WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'

Entering compression dismisses the message.

However, I've noticed that 'comp-lzo no' is mentioned in a subsequent log...

PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,....
OPTIONS IMPORT: compression parms modified

#20

You can't use the same file for input and output; you need to use a temp file and then rename it.
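A safe replacement for the tr command quoted in #12, added here as an example and not a command from any of the posters. The original empties the file because the shell opens credentials.txt for writing, truncating it, before tr starts reading it. Writing to a temporary file in the same directory and renaming it over the original keeps the original intact if tr fails; creating the temporary file under umask 077 means the plaintext credentials are never briefly world-readable; and the mode is set explicitly afterwards (0400 by default, as in the first post) because the rename replaces the file and the old mode does not carry over. The octal escapes are the same characters as in the original command: \015 is CR and \032 is the Ctrl-Z that some Windows editors append.

```shell
#!/bin/sh
# strip_cr FILE [MODE]: remove CR (\015) and Ctrl-Z (\032) from FILE without
# truncating it first. Added example, not a command from this thread.
#
# Why "tr -d ... < FILE > FILE" fails: the shell sets up both redirections
# before tr runs, and "> FILE" truncates FILE to zero length, so tr reads
# an already-empty input and the credentials are gone.
strip_cr() {
    f=$1
    mode=${2:-0400}          # final mode; 0400 as in the first post
    tmp="$f.tmp.$$"
    # umask 077 in a subshell: the temporary copy of the credentials is
    # owner-only from the moment it is created, not world-readable until a
    # later chmod. The subshell's status is tr's status.
    ( umask 077; tr -d '\015\032' < "$f" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    chmod "$mode" "$tmp" || { rm -f "$tmp"; return 1; }
    # Same directory, so mv is a rename(2): readers see the old file or the
    # new one, never an empty one, and the original survives any failure above.
    mv -f "$tmp" "$f"
}

# When executed directly: strip_cr /etc/openvpn/credentials.txt [MODE]
if [ "$#" -ge 1 ]; then
    strip_cr "$@"
fi
```

After running it, `cat -A /etc/openvpn/credentials.txt` (or `cat -v`) shows the lines ending in `$` with no `^M`, and `ls -l` shows the mode that was requested.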