PIA OPENVPN on OpenWrt / Lede

Right, because the same value must be mirrored in both the server and client config. What's happening is that if you leave comp-lzo out, the log will barf the error because it's expecting comp-lzo no (as that's what the server is configured with).


This is because the command parameter specified in the client config is only half the parameter with no directive (I missed that last night). Compress requires a directive of either lzo or lz4, and comp-lzo requires a directive of either yes or no.

What's occurring is the directive to utilize comp-lzo in the client config is being ignored due to it missing the proper directive, so the server is pushing comp-lzo no to the client. Specifying comp-lzo yes in the client config should result in similar behavior.

With option compress 'lzo' in /etc/config/openvpn I have no warnings related to "lzo" in the logs. Without compress 'lzo' I have these:
WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
but the connection is made and I can use the VPN. However, when it comes to speed, with the VPN enabled I reach a maximum of 8Mbps, and if it is disabled I reach 55Mbps, and that really hurts me.

My reasoning is because we're using......

However if you were to configure no 'comp_lzo' via the GUI, which places option comp_lzo 'no' in /etc/config/openvpn, you will receive this error:

WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'

Go figure, PIA's expectation is option comp_lzo 'no' ?

I believe 'comp_lzo' should not be a GUI configurable option, MAYBE replaced with 'compress' ?

I had similar speed issues when using PIA's default OpenVPN setup: UDP on port 1198.

I originally thought it might be my ISP, but since changing configs to: TCP on port 502, this fixed it for me!

I'm on a 50/20Mbps plan, here's my speedtest using PIA this morning

Changing port to 502 and TCP is cutting speed to 0.8mbps for download :frowning: http://www.speedtest.net/my-result/i/2918283521

This is my '/etc/config/openvpn' config... hope this helps? :fearful:

config openvpn 'PIA'
	option dev 'tun'
	option nobind '1'
	option compress 'lzo'
	option verb '2'
	option port '502'
	option persist_tun '1'
	option persist_key '1'
	option client '1'
	option auth_user_pass '/etc/openvpn/credentials.txt'
	list remote 'YOUR_PIA_SERVER.privateinternetaccess.com'
	option proto 'tcp'
	option resolv_retry 'infinite'
	option auth 'SHA1'
	option cipher 'AES-128-CBC'
	option mute_replay_warnings '1'
	option tls_client '1'
	option ca '/etc/openvpn/ca.rsa.2048.crt'
	option auth_nocache '1'
	option remote_cert_tls 'server'
	option remote_random '0'
	option crl_verify '/etc/openvpn/crl.rsa.2048.pem'
	option reneg_sec '0'
	option enabled '1'

TCP only has two uses with OpenVPN:

  • If receiving high packet loss with UDP
    AND
  • Troubleshooting

If you're not receiving high packet loss with UDP and are not troubleshooting an issue, TCP should not be utilized:

  • Without providing a lengthy explanation, all OpenVPN traffic is TCP, however TCP cannot efficiently encapsulate itself, combined with TCP being restricted by packet size.
    • UDP provides a wrapper around TCP packets and UDP is not restricted by packet size, which is why the tun-mtu should always be set in the 48000 range when using AES encryption (this should not be confused with the link-mtu, which should never exceed ~1500) .
      • Unfortunately, I've yet to come across a single third party VPN service that takes the time to tune their tunnels, as MTU values must be mirrored.

I don't have any idea as to why TCP increases the connection bandwidth when used, I'm talking speeds of ~42Mbps vs ~22Mbps with UDP.

As you mentioned I might have experienced high packet loss with UDP?

TCP should never increase bandwidth, and should always decrease it, due to the inefficient encapsulation of TCP within TCP.

  • Please change your client verbosity to 7, disconnect from the VPN, reconnect, then please post your client log (please remove your WAN IP)

No, this is something you would know. My hunch is the server is disregarding your TCP protocol and pushing UDP.

Thanks for taking the time to look at this @JW0914, appreciate it! :wink:

Tue Oct 30 22:31:01 2018 daemon.notice openvpn(PIA)[11285]: OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Tue Oct 30 22:31:01 2018 daemon.notice openvpn(PIA)[11285]: library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.10
Tue Oct 30 22:31:01 2018 daemon.notice openvpn(PIA)[11285]: LZO compression initializing
Tue Oct 30 22:31:01 2018 daemon.notice openvpn(PIA)[11285]: Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Tue Oct 30 22:31:01 2018 daemon.notice openvpn(PIA)[11285]: Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Tue Oct 30 22:31:01 2018 daemon.notice openvpn(PIA)[11285]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 56 bytes
Tue Oct 30 22:31:01 2018 daemon.notice openvpn(PIA)[11285]: calc_options_string_link_mtu: link-mtu 1624 -> 1560
Tue Oct 30 22:31:01 2018 daemon.notice openvpn(PIA)[11285]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 56 bytes
Tue Oct 30 22:31:01 2018 daemon.notice openvpn(PIA)[11285]: calc_options_string_link_mtu: link-mtu 1624 -> 1560
Tue Oct 30 22:31:01 2018 daemon.notice openvpn(PIA)[11285]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Oct 30 22:31:01 2018 daemon.notice openvpn(PIA)[11285]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Oct 30 22:31:01 2018 daemon.notice openvpn(PIA)[11285]: TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:502
Tue Oct 30 22:31:01 2018 daemon.notice openvpn(PIA)[11285]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Tue Oct 30 22:31:01 2018 daemon.notice openvpn(PIA)[11285]: Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:502 [nonblock]
Tue Oct 30 22:31:02 2018 daemon.notice openvpn(PIA)[11285]: TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:502
Tue Oct 30 22:31:02 2018 daemon.notice openvpn(PIA)[11285]: TCP_CLIENT link local: (not bound)
Tue Oct 30 22:31:02 2018 daemon.notice openvpn(PIA)[11285]: TCP_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:502
Tue Oct 30 22:31:02 2018 daemon.notice openvpn(PIA)[11285]: TCP_CLIENT WRITE [14] to [AF_INET]xxx.xxx.xxx.xxx:502: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Tue Oct 30 22:31:02 2018 daemon.notice openvpn(PIA)[11285]: TCP_CLIENT READ [26] from [AF_INET]xxx.xxx.xxx.xxx:502: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Tue Oct 30 22:31:02 2018 daemon.notice openvpn(PIA)[11285]: TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:502, sid=760d63ec 81f9802b
Tue Oct 30 22:31:02 2018 daemon.notice openvpn(PIA)[11285]: TCP_CLIENT WRITE [22] to [AF_INET]xxx.xxx.xxx.xxx:502: P_ACK_V1 kid=0 [ 0 ]
Tue Oct 30 22:31:02 2018 daemon.notice openvpn(PIA)[11285]: TCP_CLIENT WRITE [178] to [AF_INET]xxx.xxx.xxx.xxx:502: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=164
Tue Oct 30 22:31:02 2018 daemon.notice openvpn(PIA)[11285]: TCP_CLIENT READ [1196] from [AF_INET]xxx.xxx.xxx.xxx:502: P_CONTROL_V1 kid=0 [ 1 ] pid=1 DATA len=1170
Tue Oct 30 22:31:02 2018 daemon.notice openvpn(PIA)[11285]: TCP_CLIENT WRITE [22] to [AF_INET]xxx.xxx.xxx.xxx:502: P_ACK_V1 kid=0 [ 1 ]
Tue Oct 30 22:31:02 2018 daemon.notice openvpn(PIA)[11285]: TCP_CLIENT READ [1184] from [AF_INET]xxx.xxx.xxx.xxx:502: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=1170
Tue Oct 30 22:31:02 2018 daemon.notice openvpn(PIA)[11285]: VERIFY OK: depth=1, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
Tue Oct 30 22:31:02 2018 daemon.notice openvpn(PIA)[11285]: VERIFY KU OK
Tue Oct 30 22:31:02 2018 daemon.notice openvpn(PIA)[11285]: Validating certificate extended key usage
Tue Oct 30 22:31:02 2018 daemon.notice openvpn(PIA)[11285]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Oct 30 22:31:02 2018 daemon.notice openvpn(PIA)[11285]: VERIFY EKU OK
Tue Oct 30 22:31:02 2018 daemon.notice openvpn(PIA)[11285]: VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=cbec5b2c51b914d981476e7db519d774, name=cbec5b2c51b914d981476e7db519d774
Tue Oct 30 22:31:02 2018 daemon.notice openvpn(PIA)[11285]: TCP_CLIENT READ [22] from [AF_INET]xxx.xxx.xxx.xxx:502: P_CONTROL_V1 kid=0 [ ] pid=3 DATA len=8
Tue Oct 30 22:31:02 2018 daemon.notice openvpn(PIA)[11285]: TCP_CLIENT WRITE [22] to [AF_INET]xxx.xxx.xxx.xxx:502: P_ACK_V1 kid=0 [ 2 ]
Tue Oct 30 22:31:02 2018 daemon.notice openvpn(PIA)[11285]: TCP_CLIENT WRITE [344] to [AF_INET]xxx.xxx.xxx.xxx:502: P_CONTROL_V1 kid=0 [ 3 ] pid=2 DATA len=318
Tue Oct 30 22:31:02 2018 daemon.notice openvpn(PIA)[11285]: TCP_CLIENT READ [77] from [AF_INET]xxx.xxx.xxx.xxx:502: P_CONTROL_V1 kid=0 [ 2 ] pid=4 DATA len=51
Tue Oct 30 22:31:02 2018 daemon.notice openvpn(PIA)[11285]: TCP_CLIENT WRITE [469] to [AF_INET]xxx.xxx.xxx.xxx:502: P_CONTROL_V1 kid=0 [ 4 ] pid=3 DATA len=443
Tue Oct 30 22:31:02 2018 daemon.notice openvpn(PIA)[11285]: TCP_CLIENT READ [263] from [AF_INET]xxx.xxx.xxx.xxx:502: P_CONTROL_V1 kid=0 [ 3 ] pid=5 DATA len=237
Tue Oct 30 22:31:02 2018 daemon.warn openvpn(PIA)[11285]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1560', remote='link-mtu 1544'
Tue Oct 30 22:31:02 2018 daemon.warn openvpn(PIA)[11285]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
Tue Oct 30 22:31:02 2018 daemon.notice openvpn(PIA)[11285]: TCP_CLIENT WRITE [22] to [AF_INET]xxx.xxx.xxx.xxx:502: P_ACK_V1 kid=0 [ 5 ]
Tue Oct 30 22:31:02 2018 daemon.notice openvpn(PIA)[11285]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Oct 30 22:31:02 2018 daemon.notice openvpn(PIA)[11285]: [cbec5b2c51b914d981476e7db519d774] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:502
Tue Oct 30 22:31:03 2018 daemon.notice openvpn(PIA)[11285]: SENT CONTROL [cbec5b2c51b914d981476e7db519d774]: 'PUSH_REQUEST' (status=1)
Tue Oct 30 22:31:03 2018 daemon.notice openvpn(PIA)[11285]: TCP_CLIENT WRITE [56] to [AF_INET]xxx.xxx.xxx.xxx:502: P_CONTROL_V1 kid=0 [ ] pid=4 DATA len=42
Tue Oct 30 22:31:03 2018 daemon.notice openvpn(PIA)[11285]: TCP_CLIENT READ [22] from [AF_INET]xxx.xxx.xxx.xxx:502: P_ACK_V1 kid=0 [ 4 ]
Tue Oct 30 22:31:03 2018 daemon.notice openvpn(PIA)[11285]: TCP_CLIENT READ [274] from [AF_INET]xxx.xxx.xxx.xxx:502: P_CONTROL_V1 kid=0 [ ] pid=6 DATA len=260
Tue Oct 30 22:31:03 2018 daemon.notice openvpn(PIA)[11285]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.30.1.1,topology net30,ifconfig 10.30.1.6 10.30.1.5,auth-token 4FKptUzb8opaRmwX6EBRMi3U2Z+1HHiBSrl1nPReTg='
Tue Oct 30 22:31:03 2018 daemon.notice openvpn(PIA)[11285]: auth-token received, disabling auth-nocache for the authentication token
Tue Oct 30 22:31:03 2018 daemon.notice openvpn(PIA)[11285]: OPTIONS IMPORT: timers and/or timeouts modified
Tue Oct 30 22:31:03 2018 daemon.notice openvpn(PIA)[11285]: OPTIONS IMPORT: compression parms modified
Tue Oct 30 22:31:03 2018 daemon.notice openvpn(PIA)[11285]: OPTIONS IMPORT: --ifconfig/up options modified
Tue Oct 30 22:31:03 2018 daemon.notice openvpn(PIA)[11285]: OPTIONS IMPORT: route options modified
Tue Oct 30 22:31:03 2018 daemon.notice openvpn(PIA)[11285]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Oct 30 22:31:03 2018 daemon.notice openvpn(PIA)[11285]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 56 bytes
Tue Oct 30 22:31:03 2018 daemon.notice openvpn(PIA)[11285]: Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:406 ET:0 EL:3 ]
Tue Oct 30 22:31:03 2018 daemon.notice openvpn(PIA)[11285]: Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Oct 30 22:31:03 2018 daemon.notice openvpn(PIA)[11285]: Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct 30 22:31:03 2018 daemon.notice openvpn(PIA)[11285]: Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Oct 30 22:31:03 2018 daemon.notice openvpn(PIA)[11285]: Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct 30 22:31:03 2018 daemon.notice netifd: Interface 'PIA_VPN' is enabled
Tue Oct 30 22:31:03 2018 daemon.notice netifd: Network device 'tun0' link is up
Tue Oct 30 22:31:03 2018 daemon.notice netifd: Interface 'PIA_VPN' has link connectivity
Tue Oct 30 22:31:03 2018 daemon.notice netifd: Interface 'PIA_VPN' is setting up now
Tue Oct 30 22:31:03 2018 daemon.notice openvpn(PIA)[11285]: TUN/TAP device tun0 opened
Tue Oct 30 22:31:03 2018 daemon.notice netifd: Interface 'PIA_VPN' is now up
Tue Oct 30 22:31:03 2018 daemon.notice openvpn(PIA)[11285]: TUN/TAP TX queue length set to 100
Tue Oct 30 22:31:03 2018 daemon.notice openvpn(PIA)[11285]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Oct 30 22:31:03 2018 daemon.notice openvpn(PIA)[11285]: /sbin/ifconfig tun0 10.30.1.6 pointopoint 10.30.1.5 mtu 1500
Tue Oct 30 22:31:03 2018 daemon.notice openvpn(PIA)[11285]: /sbin/route add -net xxx.xxx.xxx.xxx netmask 255.255.255.255 gw 192.168.10.1
Tue Oct 30 22:31:03 2018 daemon.notice openvpn(PIA)[11285]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.30.1.5
Tue Oct 30 22:31:03 2018 daemon.notice openvpn(PIA)[11285]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.30.1.5
Tue Oct 30 22:31:03 2018 daemon.notice openvpn(PIA)[11285]: /sbin/route add -net 10.30.1.1 netmask 255.255.255.255 gw 10.30.1.5
Tue Oct 30 22:31:03 2018 daemon.notice openvpn(PIA)[11285]: Initialization Sequence Completed

The server is running TCP, so I'm not sure what explains your boost in speed, as that's not normal behavior due to the inefficiency of TCP encapsulating TCP.

Tue Oct 30 22:31:01 2018 daemon.notice openvpn(PIA)[11285]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'

  • Out of curiosity, did you try port 502 with UDP?

Just an FYI, the server is disregarding at least one of your settings:

Tue Oct 30 22:31:03 2018 daemon.notice openvpn(PIA)[11285]: auth-token received, disabling auth-nocache for the authentication token

Also, your config should be utilizing SHA256 or SHA512 (preferred if x64 CPU), as SHA1 is not secure.
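
Added example (not part of any post in this thread, and not PIA's or OpenWrt's tooling): a POSIX sh script that lists the option-consistency warnings from a client log next to the pushed options and the data-channel settings that were actually initialised. The function names are my own, and the sample input is lines taken from the logs posted above.

```shell
#!/bin/sh
# Added example, not from the thread: summarise OpenVPN option-consistency
# warnings and the settings the data channel actually ended up with.
# Each function reads a client log on stdin.

# Lines copied from the logs posted in this thread (syslog prefix dropped,
# PUSH_REPLY shortened).
sample_log() {
cat <<'EOF'
WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1560', remote='link-mtu 1544'
WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,ping 10,comp-lzo no,route 10.30.1.1,topology net30,ifconfig 10.30.1.6 10.30.1.5'
Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
EOF
}

# Print "option|local value|remote value" for every consistency warning.
occ_mismatches() {
    awk -F"'" '
        /is used inconsistently/   { print $2 "|" $4 "|" $6 }
        /missing in local config/  { print $2 "|(unset)|" $4 }
        /missing in remote config/ { print $2 "|" $4 "|(unset)" }
    '
}

# Print the options the server pushed, one per line.
pushed_options() {
    sed -n "s/.*'PUSH_REPLY,\(.*\)'.*/\1/p" | tr ',' '\n'
}

# Print the cipher and HMAC digest the outgoing data channel was initialised with.
data_channel() {
    awk -F"'" '
        /Outgoing Data Channel: Cipher/ { cipher = $2 }
        /Outgoing Data Channel: Using/  { hash = $2 }
        END { print "cipher=" cipher " auth=" hash }
    '
}

# Combine the three views: for each mismatch, show whether a pushed option
# settles it, then show what the data channel really uses.
audit() {
    log=$(cat)
    printf '%s\n' "$log" | occ_mismatches | while IFS='|' read -r opt lval rval; do
        pushed=$(printf '%s\n' "$log" | pushed_options | grep "^$opt " || true)
        echo "MISMATCH $opt: local=[$lval] remote=[$rval] pushed=[${pushed:-none}]"
    done
    echo "DATA-CHANNEL $(printf '%s\n' "$log" | data_channel)"
}

sample_log | audit
```

On the router, pipe the real log into `audit` instead of `sample_log`. Run it before adding disable_occ, since that option masks the warnings this script reads.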

No, I have used 1198, as PIA only provides a certain number of configurations when connecting with OpenVPN, see:
https://www.privateinternetaccess.com/helpdesk/kb/articles/which-encryption-auth-settings-should-i-use-for-ports-on-your-gateways-2

So should I just omit option auth_nocache '1' or set this to '0' from my config?

I chose SHA1 after reading https://www.privateinternetaccess.com/pages/vpn-encryption where it mentions that AES-128 (is the fastest encryption mode), and based on PIA's configs SHA1 (is the fastest authentication mode) is also required for its use.


I noticed in the first link I provided, which has been updated recently, it notes:

'You are also able to use gcm ciphers (such as aes-128-gcm) on all of these ports. Simply change the cipher, and also add the line 'ncp-disable' to your config file.'

I wonder if this will make any difference to the speed issue?

EDIT: Looks positive!
https://www.privateinternetaccess.com/helpdesk/kb/articles/what-s-the-difference-between-aes-cbc-and-aes-gcm

  • 'AES-GCM is written in parallel which means throughput is significantly higher than AES-CBC by lowering encryption overheads'

  • 'The additional security that this method provides also allows the VPN use only a 128 bit key, whereas AES-CBC typically requires a 256 bit key to be considered secure.'

Use option auth_nocache '1'

Here is my /etc/config/openvpn

config openvpn 'PIA_VPN'
        option dev 'tun'
        option nobind '1'
        option persist_tun '1'
        option persist_key '1'
        option client '1'
        option resolv_retry 'infinite'
        option auth 'SHA1'
        option cipher 'AES-128-CBC'
        option mute_replay_warnings '1'
        option tls_client '1'
        option auth_nocache '1'
        option remote_cert_tls 'server'
        option enabled '1'
        list remote '*myserver*.privateinternetaccess.com'
        option ca '/etc/openvpn/ca.rsa.2048.crt'
        option compress 'lzo'
        option crl_verify '/etc/openvpn/crl.rsa.2048.pem'
        option auth_user_pass '/etc/openvpn/mylogin.pem'
        option reneg_sec '0'
        option verb '3'
        option port '1198'
        option proto 'udp'

Yes, I did leave the option auth_nocache '1' in, as it generated an error otherwise.

Well that's really all you need to connect, as PIA default using OpenWrt.

All I suggest now, is to use the closest PIA server to your location. :wink:


EDIT I was going to mention this last night but forgot...:blush:

If you want to mask these warnings....

add option disable_occ '1' in your /etc/config/openvpn 'PIA_VPN' config!


Can someone help speed up this OpenVPN via PIA on my OpenWrt? I've got only 20/10 Mbits/sec, while on the Windows client I get 200/244. Some cheats maybe?

Hi
I'm trying to configure a PIA openvpn on OpenWrt with TCP protocol. I pretty much used the TCP config posted here, and looking at the log file it's connecting to the server (TCP connection established with [AF_INET]XXX:XXX:XXX:XXX:502) but always fails at the TLS key negotiation (failed to occur within 60 seconds).
Can somebody point me in the right direction? I can paste the log if needed.
I may add that I'm on a heavily secured network and PIA TCP is the only thing passing through on my computer client

Firstly post your

/etc/config/openvpn

contents, and references to any openvpn log entries in the system log.

What comes to mind is if you've got the PIA credentials.txt file, *.crt file, and *.pem file in their proper locations?

option auth_user_pass '/etc/openvpn/credentials.txt'
option ca '/etc/openvpn/ca.rsa.2048.crt'
option crl_verify '/etc/openvpn/crl.rsa.2048.pem'

Also the PIA 'credentials.txt' file must be read only.

Ok so here is my openvpn config:

config openvpn 'PIA_VPN'
	option dev 'tun'
	option nobind '1'
	option comp_lzo 'yes'
	option persist_tun '1'
	option persist_key '1'
	option client '1'
	list remote 'swiss.privateinternetaccess.com'
	option resolv_retry 'infinite'
	option auth 'SHA1'
	option cipher 'AES-128-CBC'
	option mute_replay_warnings '1'
	option tls_client '1'
	option auth_nocache '1'
	option remote_cert_tls 'server'
	option auth_user_pass '/etc/openvpn/credentials.txt'
	option crl_verify '/etc/openvpn/crl.rsa.2048.pem'
	option reneg_sec '0'
	option ca '/etc/openvpn/ca.rsa.2048.crt'
	option log '/tmp/openvpn.log'
	option port '502'
	option proto 'tcp-client'
	option verb '4'

And here is the openvpn log up to the point where it starts again:

Sun May 26 11:32:13 2019 us=299080 OpenVPN 2.4.7 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun May 26 11:32:13 2019 us=303746 library versions: OpenSSL 1.1.1b  26 Feb 2019, LZO 2.10
Sun May 26 11:32:13 2019 us=598553 LZO compression initializing
Sun May 26 11:32:13 2019 us=642623 Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Sun May 26 11:32:13 2019 us=729060 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Sun May 26 11:32:13 2019 us=734150 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sun May 26 11:32:13 2019 us=734605 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sun May 26 11:32:13 2019 us=738221 TCP/UDP: Preserving recently used remote address: [AF_INET]185.230.125.50:502
Sun May 26 11:32:13 2019 us=738917 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sun May 26 11:32:13 2019 us=739388 Attempting to establish TCP connection with [AF_INET]185.230.125.50:502 [nonblock]
Sun May 26 11:32:14 2019 us=740381 TCP connection established with [AF_INET]185.230.125.50:502
Sun May 26 11:32:14 2019 us=740837 TCP_CLIENT link local: (not bound)
Sun May 26 11:32:14 2019 us=741301 TCP_CLIENT link remote: [AF_INET]185.230.125.50:502
Sun May 26 11:33:14 2019 us=524073 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun May 26 11:33:14 2019 us=524503 TLS Error: TLS handshake failed
Sun May 26 11:33:14 2019 us=530464 Fatal TLS error (check_tls_errors_co), restarting
Sun May 26 11:33:14 2019 us=531320 TCP/UDP: Closing socket
Sun May 26 11:33:14 2019 us=532043 SIGUSR1[soft,tls-error] received, process restarting

I am also showing the TLS attempts with higher verb which shows that apparently I never hear back from the server:

Sun May 26 11:39:28 2019 us=14819 Attempting to establish TCP connection with [AF_INET]185.156.175.90:502 [nonblock]
Sun May 26 11:39:29 2019 us=30819 TCP connection established with [AF_INET]185.156.175.90:502
Sun May 26 11:39:29 2019 us=31283 TCP_CLIENT link local: (not bound)
Sun May 26 11:39:29 2019 us=31746 TCP_CLIENT link remote: [AF_INET]185.156.175.90:502
Sun May 26 11:39:29 2019 us=33063 TCP_CLIENT WRITE [14] to [AF_INET]185.156.175.90:502: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sun May 26 11:39:31 2019 us=334144 TCP_CLIENT WRITE [14] to [AF_INET]185.156.175.90:502: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sun May 26 11:39:35 2019 us=923840 TCP_CLIENT WRITE [14] to [AF_INET]185.156.175.90:502: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sun May 26 11:39:43 2019 us=613742 TCP_CLIENT WRITE [14] to [AF_INET]185.156.175.90:502: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sun May 26 11:40:00 2019 us=77619 TCP_CLIENT WRITE [14] to [AF_INET]185.156.175.90:502: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sun May 26 11:40:29 2019 us=745674 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun May 26 11:40:29 2019 us=746103 TLS Error: TLS handshake failed

I have double checked the 3 files you mention, they are indeed in /etc/openvpn
the ca.rsa.2048.crt and crl.rsa.2048.pem have a permission -777
the credentials.txt has permission -400
about this file, since my computer is running windows and the PIA procedure is more than unclear about "proper formatting" with the command

tr -d '\15\32' < /etc/openvpn/credentials.txt > /etc/openvpn/credentials.txt

I ignored that and just created the file through command line with

cat > /etc/openvpn/credentials.txt << EOF
p-login
p@ssW0rd
EOF

and set the permission, so it's a UNIX (LF) formatted file

Sorry for the long post, I tried to give you all relevant info
Thank you so much for looking into this

sed -i -e "s/\r//g" /etc/openvpn/*

I guess this command was to help fix the format? Anyway, I ran it; it didn't seem to change much, still the same results in the connection attempts / logs
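
Added example (not from any post above, nor PIA's procedure): a POSIX sh check for the two things the posts above raise about the credentials file, line endings and permissions, plus a CR-stripping helper that writes through a temporary file. The function names and finding labels are my own; the sample file reuses the placeholder credentials from the post.

```shell
#!/bin/sh
# Added example, not from the thread: check the file given to auth_user_pass.

# check_credentials FILE
# Prints "OK", or a space-separated list of findings, and returns non-zero
# when anything was found.
check_credentials() {
    f=$1
    findings=""
    [ -f "$f" ] || { echo "MISSING"; return 1; }

    # Carriage returns from a Windows editor end up inside the username/password.
    cr=$(tr -cd '\r' < "$f" | wc -c | tr -d ' ')
    [ "$cr" -eq 0 ] || findings="CRLF"

    # Username is expected on line 1 and password on line 2.
    n=$(head -n 2 "$f" | grep -c '[^[:space:]]' || true)
    [ "$n" -eq 2 ] || findings="${findings:+$findings }LINES"

    # Characters 5-10 of the ls mode string are the group and other bits.
    bits=$(ls -ld "$f" | cut -c5-10)
    [ "$bits" = "------" ] || findings="${findings:+$findings }PERMS"

    [ -z "$findings" ] && { echo "OK"; return 0; }
    echo "$findings"
    return 1
}

# strip_cr FILE
# Remove carriage returns via a temporary file. Redirecting tr's output onto
# its own input file would truncate the file before tr reads it.
strip_cr() {
    f=$1
    tmp="$f.tmp.$$"
    ( umask 077; tr -d '\r' < "$f" > "$tmp" ) && mv "$tmp" "$f"
}

# Constructed sample: placeholder credentials saved with CRLF endings, mode 644.
demo=$(mktemp -d)
printf 'p-login\r\np@ssW0rd\r\n' > "$demo/credentials.txt"
chmod 644 "$demo/credentials.txt"
check_credentials "$demo/credentials.txt" || true   # CRLF PERMS
strip_cr "$demo/credentials.txt"
chmod 400 "$demo/credentials.txt"
check_credentials "$demo/credentials.txt"           # OK
rm -rf "$demo"
```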