[Solved] Help setting up PIA VPN with LEDE on Linksys EA4500

You're missing a closing quote in that command. Should be:

uci set openvpn.provider.config='/etc/openvpn/ipvanish-US-Los-Angeles-lax-a01.ovpn'

Also, from your previous post -- you don't have any openvpn packages installed, and no firewall zone/forwardings configured.

It's missing in the wiki guide.

According to the PIA instructions, he has...from the opkg list-installed output posted above...

openssh-sftp-server - 7.4p1-1
luci-app-openvpn - git-18.039.58469-1c94003-1

I was talking about the actual openvpn package, like openvpn-mbedtls or openvpn-openssl.

The hangup is when he tries to run this command in the PIA instructions...

pscp Documents/PIA_Setup/* root@192.168.1.1:/etc/openvpn

The /etc/openvpn directory doesn't exist, which blows up the rest of the PIA install.

Setting up a quick test, I got it to work by using WinSCP and creating the openvpn directory in /etc using the WinSCP defaults.

@stangri mentioned above that no OpenVPN packages like openvpn-mbedtls or openvpn-openssl were installed.

If either were installed, /etc/openvpn would have been created for you.

Installing openvpn-openssl is in the first section Preparation in the LEDE OpenVPN Client wiki article, so that step was missing in the PIA instructions...

SECTION 3: ROUTER UPDATES

These commands will install the necessary packages to perform the configuration and allow OpenVPN to run on the device. Highlight the following:
opkg update; opkg install openssh-sftp-server luci-app-openvpn

Well, I think PIA’s guide is pretty messed up. There are now three known problems with it. 1. The lack of openvpn being installed. 2. After installing openvpn as you said and going all the way through the guide to the end, it turns out, as seen in the LuCI system log, that the formatting credentials.txt step didn’t work either. I solved this by simply not doing the formatting and it works fine. 3. The guide tells you to enter ca.rsa.2048.crt into LuCI toward the end. Upon attempting to start the connection, however, the system log shows that that file has nothing readable. I was able to solve this by going back to the CLI and looking in ls /etc/openvpn/. Sure enough, for some reason it's written this way: ca.rsa.2048.cer. Once I edited that in LuCI and made .crt into .cer, it works. Hopefully this helps somebody else down the line. And to you guys who helped me out, thanks a lot. SOLVED!

Let PIA know about it.

I changed the title of the thread to more accurately reflect which VPN service setup guide was causing issues.

Might help someone else who runs into the same thing until PIA corrects it.

Well, if you guys can't get PIA set up despite @jwoods' help and can't find the old forum topic...

Below is the list of commands to get PIA set up on a router with a virgin LEDE/OpenWrt install (replace the username on one line and password on the second line with your actual PIA username and password):

opkg update; opkg install openvpn-mbedtls luci-app-openvpn
cat << 'EOF' > /etc/openvpn/pia-login.pem
username
password
EOF
cat << 'EOF' > /etc/openvpn/pia-crl-2048.pem
-----BEGIN X509 CRL-----
[PIA CRL body not preserved on this page]
-----END X509 CRL-----
EOF
cat << 'EOF' > /etc/openvpn/pia-ca-2048.crt
-----BEGIN CERTIFICATE-----
[PIA CA certificate body not preserved on this page]
-----END CERTIFICATE-----
EOF
chmod 0400 /etc/openvpn/pia-login.pem
uci del openvpn.custom_config
uci del openvpn.sample_server
uci del openvpn.sample_client
uci set openvpn.pia='openvpn'
uci set openvpn.pia.enabled='1'
uci set openvpn.pia.client='1'
uci set openvpn.pia.dev_type='tun'
uci set openvpn.pia.dev='ovpnc0'
uci set openvpn.pia.resolv_retry='infinite'
uci set openvpn.pia.nobind='1'
uci set openvpn.pia.persist_key='1'
uci set openvpn.pia.persist_tun='1'
uci set openvpn.pia.tls_client='1'
uci set openvpn.pia.remote_cert_tls='server'
uci set openvpn.pia.ca='/etc/openvpn/pia-ca-2048.crt'
uci set openvpn.pia.crl_verify='/etc/openvpn/pia-crl-2048.pem'
uci set openvpn.pia.auth_user_pass='/etc/openvpn/pia-login.pem'
uci set openvpn.pia.auth_nocache='1'
uci set openvpn.pia.auth_retry='interact'
uci set openvpn.pia.pull_filter='ignore "auth-token"'
uci set openvpn.pia.comp_lzo='yes'
uci set openvpn.pia.verb='1'
uci set openvpn.pia.reneg_sec='0'
uci set openvpn.pia.keepalive='10 60'
uci set openvpn.pia.float='1'
uci set openvpn.pia.auth='SHA1'
uci set openvpn.pia.cipher='AES-128-CBC'
uci set openvpn.pia.disable_occ='1'
uci set openvpn.pia.proto='udp'
uci add_list openvpn.pia.remote='us-seattle.privateinternetaccess.com 1198'
uci set openvpn.pia.mute_replay_warnings='1'
uci commit openvpn
uci set network.pia='interface'
uci set network.pia.proto='none'
uci set network.pia.ifname='ovpnc0'
uci commit network
uci add firewall zone
uci set firewall.@zone[-1].name='pia'
uci set firewall.@zone[-1].network='pia'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='pia'
uci commit firewall

Then just reboot the router.
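
The file problems reported in this thread (a ca path ending in .crt when the file on disk ends in .cer, a certificate with nothing readable in it, the credentials file) can be caught before the tunnel is started. The following is an added example, not part of any post here or of PIA's guide: a shell preflight that reads the ca, crl_verify and auth_user_pass options used in the uci list above and checks each referenced file. The function names, the finding labels and the fixture built in a temp directory are assumptions made for the illustration.

```shell
# Added example. $1 = UCI openvpn config (/etc/config/openvpn on the router).
check_ovpn_files() {
    rc=0
    for opt in ca crl_verify auth_user_pass; do
        path=$(awk -v o="$opt" -v q="'" \
            '$1 == "option" && $2 == o { split($0, p, q); print p[2]; exit }' "$1")
        [ -n "$path" ] || continue
        if [ ! -s "$path" ]; then
            echo "MISSING $opt $path"; rc=1
            # A sibling with another extension (.cer vs .crt) is a likely cause.
            for alt in "${path%.*}".*; do
                if [ -e "$alt" ]; then echo "CANDIDATE $alt"; fi
            done
            continue
        fi
        case $opt in
        ca)         want='-----BEGIN CERTIFICATE-----' ;;
        crl_verify) want='-----BEGIN X509 CRL-----' ;;
        *)          want='' ;;
        esac
        if [ -n "$want" ] && ! grep -q -e "$want" "$path"; then
            echo "NOT_PEM $opt $path"; rc=1
        fi
        if [ "$opt" = auth_user_pass ]; then
            # Username on line 1, password on line 2, owner-only permissions.
            if [ -z "$(sed -n 1p "$path")" ] || [ -z "$(sed -n 2p "$path")" ]; then
                echo "FORMAT $path"; rc=1
            fi
            if [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
                echo "PERMS $path"; rc=1
            fi
        fi
    done
    return $rc
}

# Constructed fixture: the config names ca.rsa.2048.crt, the disk has ca.rsa.2048.cer,
# and the credentials file is left world-readable.
make_sample() {
    mkdir -p "$1"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' > "$1/ca.rsa.2048.cer"
    printf '%s\n' '-----BEGIN X509 CRL-----' > "$1/pia-crl-2048.pem"
    printf 'user\npass\n' > "$1/pia-login.pem"; chmod 0644 "$1/pia-login.pem"
    cat > "$1/openvpn" <<EOF
config openvpn 'pia'
    option ca '$1/ca.rsa.2048.crt'
    option crl_verify '$1/pia-crl-2048.pem'
    option auth_user_pass '$1/pia-login.pem'
EOF
}

d=$(mktemp -d); make_sample "$d"
check_ovpn_files "$d/openvpn" || echo "preflight failed"
rm -rf "$d"
```

On the router the call is check_ovpn_files /etc/config/openvpn; it prints nothing and returns 0 when every referenced file is present, looks like PEM where expected, and the credentials file is owner-only.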

From reading @Greg's post above yours, it seems the issue is already solved.

BTW, were you able to correct the missing single quote mentioned above, in the OpenVPN Client wiki guide?

@stangri I tried your guide just to see. It allowed me to start the connection through LuCI, but when I checked on the PIA website it said I wasn't protected.

Update:

The VPN connection is working, but when I enable wireless it still says started in openvpn services, but on PIA's website it shows I'm not connected. It's not just when I'm connected to the wifi either. All I have to do is enable and configure wifi and it stops working, even if I'm still connected to the router with a wire. If I disable wireless after, it still won't connect. Here is the log from LuCI status/system log:

Fri Feb 16 19:46:26 2018 daemon.notice netifd: Interface 'PIA_VPN' is now down
Fri Feb 16 19:46:26 2018 daemon.notice netifd: Interface 'PIA_VPN' is disabled
Fri Feb 16 19:46:26 2018 daemon.notice netifd: Interface 'PIA_VPN' has link connectivity loss
Fri Feb 16 19:46:26 2018 kern.info kernel: [  727.461869] device wlan0 left promiscuous mode
Fri Feb 16 19:46:26 2018 kern.info kernel: [  727.466454] br-lan: port 2(wlan0) entered disabled state
Fri Feb 16 19:46:26 2018 kern.info kernel: [  727.545139] IPv6: ADDRCONF(NETDEV_UP): tun0: link is not ready
Fri Feb 16 19:46:26 2018 daemon.info odhcpd[1995]: Raising SIGUSR1 due to address change on eth1
Fri Feb 16 19:46:26 2018 kern.info kernel: [  727.669723] IPv6: ADDRCONF(NETDEV_UP): tun0: link is not ready
Fri Feb 16 19:46:26 2018 daemon.notice hostapd: wlan0: interface state ENABLED->DISABLED
Fri Feb 16 19:46:26 2018 daemon.notice hostapd: wlan0: AP-DISABLED 
Fri Feb 16 19:46:26 2018 daemon.notice hostapd: wlan0: CTRL-EVENT-TERMINATING 
Fri Feb 16 19:46:26 2018 daemon.notice hostapd: nl80211: deinit ifname=wlan0 disabled_11b_rates=0
Fri Feb 16 19:46:26 2018 daemon.notice hostapd: nl80211: Failed to remove interface wlan0 from bridge br-lan: Invalid argument
Fri Feb 16 19:46:27 2018 daemon.notice netifd: radio0 (5375): command failed: Not supported (-95)
Fri Feb 16 19:46:27 2018 daemon.info odhcpd[1995]: Using a RA lifetime of 1800 seconds on br-lan
Fri Feb 16 19:46:27 2018 daemon.err hostapd: Configuration file: /var/run/hostapd-phy0.conf
Fri Feb 16 19:46:27 2018 kern.info kernel: [  728.830840] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
Fri Feb 16 19:46:27 2018 kern.info kernel: [  728.863126] device wlan0 entered promiscuous mode
Fri Feb 16 19:46:27 2018 kern.info kernel: [  728.867972] br-lan: port 2(wlan0) entered forwarding state
Fri Feb 16 19:46:27 2018 kern.info kernel: [  728.873508] br-lan: port 2(wlan0) entered forwarding state
Fri Feb 16 19:46:27 2018 daemon.notice hostapd: wlan0: interface state UNINITIALIZED->COUNTRY_UPDATE
Fri Feb 16 19:46:27 2018 daemon.err hostapd: Using interface wlan0 with hwaddr 20:aa:4b:6e:fd:1f and ssid "LEDE 2.4"
Fri Feb 16 19:46:28 2018 daemon.notice hostapd: wlan0: interface state COUNTRY_UPDATE->ENABLED
Fri Feb 16 19:46:28 2018 daemon.notice hostapd: wlan0: AP-ENABLED 
Fri Feb 16 19:46:28 2018 kern.info kernel: [  729.483798] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
Fri Feb 16 19:46:28 2018 daemon.notice netifd: Network device 'wlan0' link is up
Fri Feb 16 19:46:28 2018 kern.info kernel: [  729.895184] IPv6: ADDRCONF(NETDEV_UP): tun0: link is not ready
Fri Feb 16 19:46:29 2018 daemon.info odhcpd[1995]: Using a RA lifetime of 1800 seconds on br-lan
Fri Feb 16 19:46:29 2018 kern.info kernel: [  730.865066] br-lan: port 2(wlan0) entered forwarding state
Fri Feb 16 19:46:30 2018 daemon.info odhcpd[1995]: Raising SIGUSR1 due to address change on br-lan
Fri Feb 16 19:46:31 2018 daemon.info odhcpd[1995]: Using a RA lifetime of 1800 seconds on br-lan

and if I reboot the router and try and start the connection again this is the log:

Fri Feb 16 14:52:25 2018 daemon.err openvpn(SHA1)[1933]: event_wait : Interrupted system call (code=4)
Fri Feb 16 14:52:25 2018 daemon.notice openvpn(SHA1)[1933]: /sbin/route del -net 10.24.10.1 netmask 255.255.255.255
Fri Feb 16 14:52:25 2018 daemon.warn openvpn(SHA1)[1933]: ERROR: Linux route delete command failed: external program exited with error status: 1
Fri Feb 16 14:52:25 2018 daemon.notice openvpn(SHA1)[1933]: /sbin/route del -net 172.98.67.72 netmask 255.255.255.255
Fri Feb 16 14:52:26 2018 daemon.notice openvpn(SHA1)[1933]: /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
Fri Feb 16 14:52:26 2018 daemon.warn openvpn(SHA1)[1933]: ERROR: Linux route delete command failed: external program exited with error status: 1
Fri Feb 16 14:52:26 2018 daemon.notice openvpn(SHA1)[1933]: /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
Fri Feb 16 14:52:26 2018 daemon.warn openvpn(SHA1)[1933]: ERROR: Linux route delete command failed: external program exited with error status: 1
Fri Feb 16 14:52:26 2018 daemon.notice openvpn(SHA1)[1933]: Closing TUN/TAP interface
Fri Feb 16 14:52:26 2018 daemon.notice openvpn(SHA1)[1933]: /sbin/ifconfig tun0 0.0.0.0
Fri Feb 16 14:52:26 2018 daemon.notice netifd: Network device 'tun0' link is up
Fri Feb 16 14:52:26 2018 daemon.notice netifd: Network device 'tun0' link is down
Fri Feb 16 14:52:26 2018 daemon.notice openvpn(SHA1)[1933]: SIGTERM[hard,] received, process exiting
Fri Feb 16 14:52:31 2018 daemon.notice openvpn(SHA1)[3171]: OpenVPN 2.4.4 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Feb 16 14:52:31 2018 daemon.notice openvpn(SHA1)[3171]: library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.10
Fri Feb 16 14:52:31 2018 daemon.warn openvpn(SHA1)[3171]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
Fri Feb 16 14:52:31 2018 daemon.notice openvpn(SHA1)[3171]: TCP/UDP: Preserving recently used remote address: [AF_INET]172.98.67.79:1198
Fri Feb 16 14:52:31 2018 daemon.notice openvpn(SHA1)[3171]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Fri Feb 16 14:52:31 2018 daemon.notice openvpn(SHA1)[3171]: UDP link local: (not bound)
Fri Feb 16 14:52:31 2018 daemon.notice openvpn(SHA1)[3171]: UDP link remote: [AF_INET]172.98.67.79:1198
Fri Feb 16 14:52:31 2018 daemon.notice openvpn(SHA1)[3171]: TLS: Initial packet from [AF_INET]172.98.67.79:1198, sid=e6e07607 77bf224e
Fri Feb 16 14:52:31 2018 daemon.notice openvpn(SHA1)[3171]: VERIFY OK: depth=1, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
Fri Feb 16 14:52:31 2018 daemon.notice openvpn(SHA1)[3171]: VERIFY KU OK
Fri Feb 16 14:52:31 2018 daemon.notice openvpn(SHA1)[3171]: Validating certificate extended key usage
Fri Feb 16 14:52:31 2018 daemon.notice openvpn(SHA1)[3171]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Feb 16 14:52:31 2018 daemon.notice openvpn(SHA1)[3171]: VERIFY EKU OK
Fri Feb 16 14:52:31 2018 daemon.notice openvpn(SHA1)[3171]: VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=1c215dfe18d735ac7d8ef2a242b48391, name=1c215dfe18d735ac7d8ef2a242b48391
Fri Feb 16 14:52:31 2018 daemon.warn openvpn(SHA1)[3171]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
Fri Feb 16 14:52:31 2018 daemon.warn openvpn(SHA1)[3171]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
Fri Feb 16 14:52:31 2018 daemon.notice openvpn(SHA1)[3171]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Feb 16 14:52:31 2018 daemon.notice openvpn(SHA1)[3171]: [1c215dfe18d735ac7d8ef2a242b48391] Peer Connection Initiated with [AF_INET]172.98.67.79:1198
Fri Feb 16 14:52:32 2018 daemon.notice openvpn(SHA1)[3171]: SENT CONTROL [1c215dfe18d735ac7d8ef2a242b48391]: 'PUSH_REQUEST' (status=1)

Any ideas? Thanks

The error message is telling you the routes are wrong.

SSH into the router and run route

Post the results.

Here they are

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
xxx.xx.xx.xx    192.168.0.1     255.255.255.255 UGH   0      0        0 eth1
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
192.168.0.1     *               255.255.255.255 UH    0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan

I don't know if this is what you need. Let me know if not. Thanks for your help

Did you try @stangri's config above?

I don't see a route for the tun interface.

And in section 5 of the PIA guide it says to create a custom interface through LuCI on the network interface page and set it to tun0.

It doesn't appear that was completed.

SSH in to the router and run the following...

cat /etc/config/network

cat /etc/config/firewall

What you asked for is below, but something just occurred to me. This was supposed to be a second router solely for the use of a VPN. That means right now it's wired into the ISP Router/Modem (gateway I think that's called). It works fine with wired, so I thought it would work fine wireless, but obviously if turning on wireless can have this kind of effect on the VPN, maybe I'm wrong about that. Thanks again

root@LEDE:~# cat /etc/config/network

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr 'xxx.x.x.x'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'xxxx:xxxx:xxxx::/48'

config interface 'lan'
    option type 'bridge'
    option ifname 'eth0'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config interface 'wan'
    option ifname 'eth1'
    option proto 'dhcp'
    option peerdns '0'
    option dns '209.222.18.222 209.222.18.218'

config interface 'wan6'
    option ifname 'eth1'
    option proto 'dhcpv6'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0 1 2 3 5'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '4 6'

config interface 'PIA_VPN'
    option proto 'none'
    option ifname 'tun0'
    option type 'bridge'

root@LEDE:~# cat /etc/config/firewall

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'PIA_VPN wan wan6'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config forwarding
    option dest 'wan'
    option src 'lan'

I would expect to see an interface for vpn rather than PIA_VPN in the network config. It probably works if it's consistent across all configs, but the reference normally used is vpn.

I don't see a vpn zone in the firewall config.

See this post...

Does the ISP gateway have wireless turned on as well? If so, that could cause an issue.
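
The zone point raised above can be checked mechanically. This is an added example (not from any poster, and not an OpenWrt tool): a shell function that reads a UCI firewall config and reports whether the tunnel network has its own zone and which zones lan is allowed to forward to. Both sample configs are constructed, the first from the zone and forwarding sections posted above, the second from the pia zone in the uci list; the finding labels are made up for this example.

```shell
# Added example. Reads a UCI firewall config on stdin; $1 is the logical network
# name of the tunnel (PIA_VPN in the posted config, pia in the uci list).
audit_fw() {
    awk -v vpn="$1" -v q="'" '
    function val(s,  p) { split(s, p, q); return p[2] }
    # Store the finished section; options may appear in any order inside it.
    function flush() {
        if (sect == "zone") nets[o["name"]] = o["network"]
        if (sect == "forwarding" && o["src"] == "lan") dest[++nf] = o["dest"]
        split("", o)
    }
    $1 == "config" { flush(); sect = $2; next }
    $1 == "option" || $1 == "list" {
        o[$2] = (o[$2] == "" ? "" : o[$2] " ") val($0)
    }
    END {
        flush()
        for (z in nets) {
            n = split(nets[z], w, " ")
            for (i = 1; i <= n; i++) if (w[i] == vpn) { vz = z; shared = (n > 1) }
        }
        if (vz == "") { print "NO_ZONE " vpn; bad = 1 }
        else if (shared) { print "SHARED_ZONE " vz ": " nets[vz]; bad = 1 }
        # Any lan forwarding into a zone holding non-VPN networks is reported.
        for (i = 1; i <= nf; i++) if (dest[i] != vz || shared) {
            print "CLEARTEXT_PATH lan->" dest[i] ": " nets[dest[i]]; bad = 1
        }
        if (!bad) print "OK lan forwards only to " vz
    }'
}

# Constructed sample 1: zone layout of the firewall config posted above.
sample_posted() { cat <<'EOF'
config zone
    option name 'wan'
    option masq '1'
    option network 'PIA_VPN wan wan6'
config forwarding
    option dest 'wan'
    option src 'lan'
EOF
}

# Constructed sample 2: dedicated pia zone, lan forwarded to it only.
sample_split() { cat <<'EOF'
config zone
    option name 'wan'
    option network 'wan wan6'
config zone
    option name 'pia'
    option network 'pia'
config forwarding
    option src 'lan'
    option dest 'pia'
EOF
}

sample_posted | audit_fw PIA_VPN
sample_split | audit_fw pia
```

On the router the call is audit_fw PIA_VPN < /etc/config/firewall. A lan forwarding to a zone that holds non-VPN networks is reported even when a dedicated zone exists, since that is the path traffic takes while the tunnel is down.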

In network create interface, I named it PIA_VPN as per the guide. In Firewall - Zone Settings - Zone "wan", the only change I made was to check the box PIA_VPN, also as per the guide. Under openvpn instances I named it PIA_VPN and then completed the steps in the guide on how to set up that instance. Once completed the VPN works, until I enable wireless. Even if I'm still connected with a wire, once wireless is enabled and set up, the PIA website shows not protected. Disabling wireless after enabling and setting it up doesn't solve the problem either. The only thing I know to do is firstboot, reboot and start from scratch. Maybe you could tell me how to configure wireless through LuCI once enabled so it will work with the VPN, in case I'm doing something wrong and don't know it. Also, yes, wireless is enabled on the ISP Gateway. Thanks again.