READ ENTIRE GUIDE BEFORE YOU BEGIN
This is a tutorial which will enable you to run PIA OPENVPN on OpenWrt / Lede. First, I would suggest that you run PIA VPN with the recommended encryption algorithm they have available, which is AES-128-CBC. See here: https://www.privateinternetaccess.com/pages/vpn-encryption
1 ) In the LuCI GUI go to System > Software and do an update first (SSH command: opkg update),
then search for openvpn and install openvpn-openssl and luci-app-openvpn (SSH command: opkg install openvpn-openssl luci-app-openvpn).
These are necessary. LuCI is the GUI frontend for OpenWrt; it comes pre-installed with davidc502's firmware. Also installed on OpenWrt / Lede 18.06.0-rc1.
2 ) opkg install nano, if you need to install nano (if not already there; it comes pre-installed in davidc502's builds). SSH into the router, then type (copy and paste) nano /etc/config/openvpn, erase all contents of the file (hold Ctrl + K) and replace them (copy and paste) with the contents of the config file below:
config openvpn 'myvpnc'
option enabled '1'
option client '1'
option port '1198'
option dev 'tun'
option proto 'udp'
option resolv_retry 'infinite'
option nobind '1'
option persist_key '1'
option persist_tun '1'
option ca '/etc/openvpn/ca.rsa.2048.crt'
option tls_client '1'
option remote_cert_tls 'server'
option auth_user_pass '/etc/openvpn/piavpn-login.pem'
option auth_nocache '1'
# compress is necessary for OpenVPN 2.4 and above
option compress 'lzo'
option verb '3'
option reneg_sec '0'
option keepalive '10 120'
option auth 'sha1'
option cipher 'aes-128-cbc'
option engine 'cryptodev'
option script_security '2'
# change the remote to the resolver of your choice if you wish
list remote 'us-east.privateinternetaccess.com'
option tun_mtu_extra '32'
# float: you can enable it with '1' and list additional remote servers
option float '0'
option mute_replay_warnings '1'
option disable_occ '1'
option log '/tmp/openvpn.log'
Then hit Ctrl + O; you will be asked to write the file. Hit Enter to save the file, then Ctrl + X to close the file and go back into the shell.
3 ) opkg install wget, if you need to install wget (it comes pre-installed in davidc502's builds). SSH into the router and use wget to issue the following commands, in order to install the necessary credentials to /etc/openvpn/ for a successful PIA OPENVPN connection:
A ) wget -P /etc/openvpn https://www.privateinternetaccess.com/openvpn/ca.rsa.2048.crt
B ) Then enter nano /etc/openvpn/piavpn-login.pem (here, in the new file, you will enter your PIA OPENVPN username on the first line and your PIA OPENVPN password on the second line).
C ) Then hit Ctrl + O; you will be asked to write the file. Hit Enter to save the file, then Ctrl + X to close the file and go back into the shell. piavpn-login.pem is now added under the /etc/openvpn/ folder as well.
4 ) Change the permissions of the files you downloaded and created:
A ) chmod 0777 /etc/openvpn/ca.rsa.2048.crt
B ) chmod 0400 /etc/openvpn/piavpn-login.pem
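One check worth adding after step 4 (example code added here, not part of the tutorial): the CA certificate is public data and only has to be readable, so 0644 is sufficient, whereas 0777 leaves it writable by every local user and process, and whoever can replace the CA controls which server this client will trust. The credentials file should stay at 0400. The function below audits both modes; the `demo_scenarios` helper and the file names are illustrative assumptions, and it builds throw-away files in a temporary directory rather than touching /etc/openvpn.

```python
import os
import stat
import tempfile

# Hypothetical helper, not part of the tutorial: report file modes that undermine
# the two files created in steps 3 and 4.
def audit_openvpn_files(ca_path, creds_path):
    """Return a list of findings; an empty list means the modes are acceptable.

    The CA certificate only needs to be readable (0644). If others can write it,
    a substituted CA would be accepted by this client without complaint.
    The username/password file must not be readable by other users (0400).
    """
    findings = []
    ca_mode = stat.S_IMODE(os.stat(ca_path).st_mode)
    if ca_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{ca_path}: mode {ca_mode:04o} is group/world writable; use 0644")
    creds_mode = stat.S_IMODE(os.stat(creds_path).st_mode)
    if creds_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{creds_path}: mode {creds_mode:04o} is accessible to others; use 0400")
    return findings


def demo_scenarios():
    """Construct two /etc/openvpn look-alikes in a temp dir and audit both.

    'tutorial' uses the modes from step 4 (0777 / 0400); 'hardened' uses 0644 / 0400.
    """
    results = {}
    with tempfile.TemporaryDirectory() as d:
        ca = os.path.join(d, "ca.rsa.2048.crt")          # constructed placeholder file
        creds = os.path.join(d, "piavpn-login.pem")      # constructed placeholder file
        for path in (ca, creds):
            with open(path, "w") as fh:
                fh.write("constructed placeholder, not real data\n")
        os.chmod(ca, 0o777)
        os.chmod(creds, 0o400)
        results["tutorial"] = audit_openvpn_files(ca, creds)
        os.chmod(ca, 0o644)
        results["hardened"] = audit_openvpn_files(ca, creds)
    return results


if __name__ == "__main__":
    for label, findings in demo_scenarios().items():
        print(label, "->", findings or ["no findings"])
```

Run on the router itself you would call `audit_openvpn_files("/etc/openvpn/ca.rsa.2048.crt", "/etc/openvpn/piavpn-login.pem")` from a machine that has the files copied over, since OpenWrt images do not ship Python.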
Create a PIA OPENVPN Network Interface:
By way of SSH shell enter:
uci set network.myvpnc=interface
uci set network.myvpnc.proto=none
uci set network.myvpnc.ifname=tun0
uci commit network
Create firewall rules for PIA OPENVPN:
By way of SSH shell enter:
uci add firewall zone
uci set firewall.@zone[-1]=zone
uci set firewall.@zone[-1].name=myvpnc_fw
uci set firewall.@zone[-1].network=myvpnc
uci set firewall.@zone[-1].input=REJECT
uci set firewall.@zone[-1].output=ACCEPT
uci set firewall.@zone[-1].forward=REJECT
uci set firewall.@zone[-1].masq=1
uci set firewall.@zone[-1].mtu_fix=1
uci add firewall forwarding
uci set firewall.@forwarding[-1]=forwarding
uci set firewall.@forwarding[-1].src=lan
uci set firewall.@forwarding[-1].dest=myvpnc_fw
uci commit firewall
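To see what the zone and forwarding commands above actually produce, here is an added example (not from the thread and not OpenWrt code) that parses a UCI firewall file and audits the VPN zone. The embedded text is a constructed copy of what /etc/config/firewall looks like after these commands are applied to a stock 18.06 configuration, which still carries the default lan to wan forwarding; `parse_uci` and `audit_vpn_firewall` are illustrative names. The finding it surfaces is the caveat a practitioner should know: with lan forwarding to both wan and myvpnc_fw, LAN traffic takes the plain WAN route whenever tun0 is down, so if the tunnel is meant to be the only egress the lan to wan forwarding has to go.

```python
import shlex

# Constructed sample: /etc/config/firewall after the post's uci commands are run on a
# default OpenWrt 18.06 firewall (lan and wan zones, lan->wan forwarding kept).
SAMPLE_FIREWALL = """
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'myvpnc_fw'
	option network 'myvpnc'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'myvpnc_fw'
"""


def parse_uci(text):
    """Minimal parser for the UCI file format (config / option / list lines).

    Returns a list of sections; each is a dict with type, optional name,
    'options' (single values) and 'lists' (repeated values)."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)          # handles the single-quoted values
        keyword, args = words[0], words[1:]
        if keyword == "config":
            sections.append({"type": args[0], "name": args[1] if len(args) > 1 else None,
                             "options": {}, "lists": {}})
        elif keyword == "option" and sections:
            sections[-1]["options"][args[0]] = args[1] if len(args) > 1 else ""
        elif keyword == "list" and sections:
            sections[-1]["lists"].setdefault(args[0], []).append(args[1] if len(args) > 1 else "")
        # 'package' lines and anything unknown are ignored
    return sections


def zone_networks(zone):
    # firewall accepts zone membership as a list or as a space-separated option
    return list(zone["lists"].get("network", [])) + zone["options"].get("network", "").split()


def audit_vpn_firewall(text, vpn_iface="myvpnc"):
    """Return human-readable findings about the zone that carries the VPN interface."""
    sections = parse_uci(text)
    zones = [s for s in sections if s["type"] == "zone"]
    forwardings = [s for s in sections if s["type"] == "forwarding"]
    vpn_zone = next((z for z in zones if vpn_iface in zone_networks(z)), None)
    if vpn_zone is None:
        return [f"no firewall zone contains interface {vpn_iface}"]
    opts = vpn_zone["options"]
    name = opts.get("name", "<anonymous>")
    findings = []
    if opts.get("masq") != "1":
        findings.append(f"zone {name}: masq is off, LAN clients are not NATed into the tunnel")
    if opts.get("mtu_fix") != "1":
        findings.append(f"zone {name}: mtu_fix is off, expect MSS problems over the tunnel")
    for direction in ("input", "forward"):
        if opts.get(direction, "").upper() not in ("REJECT", "DROP"):
            findings.append(f"zone {name}: {direction} is {opts.get(direction, 'unset')}, "
                            "unsolicited traffic from the tunnel side is allowed")
    lan_dests = {f["options"].get("dest") for f in forwardings if f["options"].get("src") == "lan"}
    if name not in lan_dests:
        findings.append(f"no forwarding from lan to {name}, LAN traffic cannot use the tunnel")
    bypass = sorted(d for d in lan_dests - {name} if d)
    if bypass:
        findings.append(f"lan also forwards to {', '.join(bypass)}: traffic leaves unencrypted "
                        "whenever the tunnel interface is down")
    return findings


if __name__ == "__main__":
    for line in audit_vpn_firewall(SAMPLE_FIREWALL) or ["no findings"]:
        print(line)
```

Feed it the real file (`audit_vpn_firewall(open("/etc/config/firewall").read())` on a machine with a copy) to check a router; on the constructed sample the only finding is the lan to wan bypass.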
Reboot your router with the reboot; exit command.
Optional Setup - YOU CANNOT USE THE ONE ABOVE IN STEP 2 IF YOU USE THIS METHOD
You can choose to use uci in SSH to create the /etc/config/openvpn file if you prefer; the commands are as follows:
uci set openvpn.myvpnc=openvpn
uci set openvpn.myvpnc.enabled=1
uci set openvpn.myvpnc.client=1
uci set openvpn.myvpnc.port='1198'
uci set openvpn.myvpnc.dev=tun
uci set openvpn.myvpnc.proto=udp
uci set openvpn.myvpnc.resolv_retry=infinite
uci set openvpn.myvpnc.nobind=1
uci set openvpn.myvpnc.persist_key=1
uci set openvpn.myvpnc.persist_tun=1
uci set openvpn.myvpnc.ca=/etc/openvpn/ca.rsa.2048.crt
uci set openvpn.myvpnc.tls_client=1
uci set openvpn.myvpnc.remote_cert_tls=server
uci set openvpn.myvpnc.auth_user_pass=/etc/openvpn/piavpn-login.pem
uci set openvpn.myvpnc.auth_nocache=1
uci set openvpn.myvpnc.compress=lzo
uci set openvpn.myvpnc.verb=3
uci set openvpn.myvpnc.reneg_sec=0
uci set openvpn.myvpnc.keepalive='10 120'
uci set openvpn.myvpnc.float=0
uci set openvpn.myvpnc.auth=sha1
uci set openvpn.myvpnc.cipher=aes-128-cbc
uci add_list openvpn.myvpnc.remote='us-east.privateinternetaccess.com'
uci commit openvpn
@directnupe First and foremost, thank you for taking the substantial amount of time it must have taken you to do a tutorial write up, as well as for contributing your knowledge. With that being said, something like this really belongs in a wiki, not a thread.
If creating/adding to a wiki, please check out the two DokuWiki plugins Wrap (it's the most versatile plugin for formatting OpenWrt wikis), and Code1 & Code2.
There are multiple OpenVPN Client wikis which could have a PIA section added, however certain options in your configs are not efficient and should not be utilized:
TLS Ciphers should be utilized, especially EC TLS ciphers, which are more efficient and don't tax CPUs as heavily as SSL ciphers.
It could be PIA doesn't offer TLS Ciphers with their servers, and if not, users would gain more by looking for a 3rd party VPN that does offer TLS ciphers, especially EC TLS ciphers.
SSL cipher should be aes-128-cbc, as there's zero benefit for an encryption level higher than that since AES128 will remain uncrackable until at least 2030.
Even if one is the target of a nation state, setting a rekeying limit to 5min or 10min would be far more efficient.
As of OpenVPN 2.4, lz4 should be utilized if the client is using OpenVPN 2.4 (see 2.4 man page)
option push "comp-lzo adaptive" needs to match the server's compression option, as comp-lzo is deprecated as of 2.4.
Unfortunately, as with many 3rd party VPN providers, they don't bother tuning their tunnel MTU values, as the tunnel MTU should be closer to 48000, especially if using an SSL cipher. This must be echoed in both client and server configs, so if PIA's server config doesn't have it, you can't utilize it, and throughput will suffer.
There's no reason to reboot the router...
cd /etc/init.d && ./network restart && ./firewall reload
I really appreciate you letting me know about this. I run AES-GCM on my Pfsense Hardware router which has AES-NI. So I erroneously assumed that it was the same across the board. Thanks for that.
Peace takimata and God Bless
Hi, after doing all the instructions, when I try to start it by going to Services => OpenVPN => Start button, nothing happens. Any idea? I use a BT Home Hub 5A with Firmware Version OpenWrt 18.06.1 r7258-5eb055306f / LuCI openwrt-18.06 branch (git-18.228.31946-f64b152) and Kernel Version 4.9.120
daemon.err openvpn(myvpnc): Options error: Unrecognized option or missing or extra parameter(s) in openvpn-myvpnc.conf:15: engine (2.4.5)
Sun Oct 28 16:39:25 2018 daemon.warn openvpn(myvpnc): Use --help for more information.
Not sure where you're referencing the yes from, however the client config must match the server config, so if the server config is not using compression, it cannot be applied in the client config.
Also, just a general FYI, PIA is using an extremely old and unsupported OpenVPN server version if they're still utilizing comp-lzo directives, as comp-lzo was deprecated in OpenVPN 2.4 (released around two years ago), with compress lzo or compress lz4 [preferred] superseding it.
This also means they're utilizing inefficient ciphers, since 2.4 gained support for the faster and more efficient EC TLS ciphers.
Unless I missed it in their wiki write-up, they're also not utilizing any means of HMAC authentication, leaving the connection open to a MITM attack.
Right, but the server dictates the compression utilized. With OpenVPN, 99% of config options must mirror each other between the server <--> client configs, with the server dictating most settings, of which then must be mirrored in the client config.
Since PIA is utilizing OpenVPN servers running <v2.4, even if the client is utilizing >v2.4, the client config must match the capabilities of the server.
There's no difference (that I'm aware of) in option/command structure when utilizing /etc/config/openvpn or a separate *.conf referenced via /etc/config/openvpn... both are treated as normal config files utilizing OpenWrt's distinctive underscores in place of dashes.
Have you verified PIA offers compression on their server(s)? Their wiki stipulated to specify no compression, and it's not possible for the client to compress traffic if the server isn't configured with compression enabled.
Almost all OpenVPN option parameters must be an exact mirror between the client and server configs, else the tunnel won't function properly, if at all. You should be able to verify if the server has compression enabled via the client log (do a search for lines with "remote" in them).
I'm not sure what the minimum verbosity level would be to show that, as all my clients are set to 7 by default.
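The verification described above (searching the client log for what the remote side announced) can be scripted. The added example below is not code from the thread; it parses an OpenVPN client log in the form OpenWrt's syslog writes it (the `daemon.warn openvpn(myvpnc):` prefix seen in the quoted lines) and extracts two things: the options consistency check warnings, in which OpenVPN names each option the two sides disagree on together with the local and remote values, and the `Options error: Unrecognized option` lines such as the `engine` error quoted earlier in the thread. Two points to keep in mind: the tutorial's `option disable_occ '1'` switches the consistency check off, so those WARNING lines only appear while it is left enabled, and the sample log is constructed for this example (the regex constants and function names are assumptions, not OpenVPN API).

```python
import re

# Constructed sample of /tmp/openvpn.log as OpenWrt's syslog would collect it.
# The first two lines mirror the error quoted in the thread; the rest are made up
# to show the options consistency check (OCC) warnings OpenVPN emits.
SAMPLE_LOG = """\
Sun Oct 28 16:39:25 2018 daemon.err openvpn(myvpnc): Options error: Unrecognized option or missing or extra parameter(s) in openvpn-myvpnc.conf:15: engine (2.4.5)
Sun Oct 28 16:39:25 2018 daemon.warn openvpn(myvpnc): Use --help for more information.
Sun Oct 28 16:41:02 2018 daemon.notice openvpn(myvpnc): TCP/UDP: Preserving recently used remote address: [AF_INET]203.0.113.10:1198
Sun Oct 28 16:41:03 2018 daemon.warn openvpn(myvpnc): WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
Sun Oct 28 16:41:03 2018 daemon.warn openvpn(myvpnc): WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Sun Oct 28 16:41:03 2018 daemon.warn openvpn(myvpnc): WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher AES-128-CBC'
Sun Oct 28 16:41:04 2018 daemon.notice openvpn(myvpnc): Initialization Sequence Completed
"""

# Message shapes come from OpenVPN's option consistency check and option parser.
OCC_INCONSISTENT = re.compile(
    r"WARNING: '(?P<opt>[^']+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
OCC_ONE_SIDED = re.compile(
    r"WARNING: '(?P<opt>[^']+)' is present in (?P<side>local|remote) config "
    r"but missing in (?:local|remote) config, (?:local|remote)='(?P<val>[^']*)'")
BAD_OPTION = re.compile(
    r"Options error: Unrecognized option or missing or extra parameter\(s\) "
    r"in (?P<file>\S+):(?P<line>\d+): (?P<opt>\S+)")


def occ_mismatches(log_text):
    """One dict per OCC warning: option name plus each side's value (None = absent on that side)."""
    found = []
    for line in log_text.splitlines():
        m = OCC_INCONSISTENT.search(line)
        if m:
            found.append({"option": m["opt"], "local": m["local"], "remote": m["remote"]})
            continue
        m = OCC_ONE_SIDED.search(line)
        if m:
            entry = {"option": m["opt"], "local": None, "remote": None}
            entry[m["side"]] = m["val"]
            found.append(entry)
    return found


def unrecognized_options(log_text):
    """(config file, line number, option) for every option the OpenVPN binary rejected."""
    return [(m["file"], int(m["line"]), m["opt"]) for m in BAD_OPTION.finditer(log_text)]


def server_expects(log_text):
    """Map each disputed option to what the server announced (None = server does not set it)."""
    return {m["option"]: m["remote"] for m in occ_mismatches(log_text)}


if __name__ == "__main__":
    for path, lineno, opt in unrecognized_options(SAMPLE_LOG):
        print(f"rejected option '{opt}' at {path}:{lineno}")
    for opt, remote in server_expects(SAMPLE_LOG).items():
        print(f"{opt}: server side = {remote!r}")
```

On the constructed log this reports the rejected `engine` option at line 15 of the generated config, and that the server side sent `comp-lzo`, `link-mtu 1542` and `cipher AES-128-CBC`, which is exactly the list of client settings that need to be brought in line with the server.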