OpenWrt Forum Archive

Topic: How to configure PIA on OpenWRT

The content of this topic has been archived on 31 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi guys, I just signed up for PIA and it's amazing. All this time I was thinking VPNs are really not for me because of latency and torrent stuff. WRONG. I am on an OPTIMUM 50/25 network and, using auto settings, I went from 11ms latency to 12 and speeds are the same according to speedtest.net. So I am happy from that perspective.

Now a quick question. Instead of putting software on all devices (my computer, my phone, my tablet) separately, I am thinking of configuring my router to use the PIA service at the router level, so all my connections are already on the VPN without even installing any software. I looked up some guides and I do see guides for OpenVPN, and I also see a guide on the PIA website on how to configure DD-WRT. Can you point me in the right direction in terms of what works best for PIA + OpenWRT? Maybe there is some package available that will pre-configure the router to use PIA and all I have to do is put in my username and password.

Thank you!

Here is what I have found:

https://www.privateinternetaccess.com/p … rt-openvpn

https://www.privateinternetaccess.com/f … n-with-pia

With that internet connection speed, you will need a beefy router for that, preferably an x86 machine. AFAIK, there are few (you can say it, there are none) consumer-grade SOHO routers (even an overclocked 1.4GHz R7000) capable of getting >50mbit throughput for OpenVPN.

In my case I had OpenVPN and a server-grade 8-core Atom ITX board from Supermicro. In pure software mode, with all cores, I can manage to get a NAT speed of 120mbit/sec; with AES-NI I can get as high as 800-900mbit/sec. Luckily OpenWRT now supports AES-NI, so you can just buy an x86 motherboard that supports such a function.

(Last edited by remlei on 22 May 2016, 22:56)

I want to try it on my AC1900v2; it's a 1.6GHz dual core.

I managed to find this amazing tutorial
https://www.robertkehoe.com/2015/08/set … ment-10023

I did everything, however the service wouldn't start. In the logs I see this:

    Sun May 22 18:11:01 2016 daemon.err openvpn(pia_client)[2335]: Options error: specify only one of --tls-server, --tls-client, or --secret
    Sun May 22 18:11:01 2016 daemon.warn openvpn(pia_client)[2335]: Use --help for more information.

It looks like one of the options is not correct. Anyone can look at the guide; it's totally possible that something changed with the openvpn version they used. I am using:

Package: openvpn-openssl
Version: 2.3.10-1

Delete everything in /etc/openvpn and the /etc/config/openvpn file, make sure you have /etc/openvpn/pia-crl.pem and /etc/openvpn/pia-ca.crt, create /etc/openvpn/pia-login.pem with your login on the first line and password on the second line, and then do the following from the console:

    chmod 0400 /etc/openvpn/pia-login.pem
    uci set openvpn.myvpnc=openvpn
    uci set openvpn.myvpnc.enabled=1
    uci set openvpn.myvpnc.client=1
    uci set openvpn.myvpnc.dev=tun
    uci set openvpn.myvpnc.proto=tcp
    uci set openvpn.myvpnc.resolv_retry=infinite
    uci set openvpn.myvpnc.nobind=1
    uci set openvpn.myvpnc.persist_key=1
    uci set openvpn.myvpnc.persist_tun=1
    uci set openvpn.myvpnc.ca=/etc/openvpn/pia-ca.crt
    uci set openvpn.myvpnc.tls_client=1
    uci set openvpn.myvpnc.remote_cert_tls=server
    uci set openvpn.myvpnc.auth_user_pass=/etc/openvpn/pia-login.pem
    uci set openvpn.myvpnc.auth_nocache=1
    uci set openvpn.myvpnc.comp_lzo=yes
    uci set openvpn.myvpnc.verb=1
    uci set openvpn.myvpnc.reneg_sec=0
    uci set openvpn.myvpnc.crl_verify=/etc/openvpn/pia-crl.pem
    uci set openvpn.myvpnc.keepalive='10 120'
    uci set openvpn.myvpnc.float=1
    uci add_list openvpn.myvpnc.remote='us-seattle.privateinternetaccess.com 443'
    uci commit openvpn

    uci set network.myvpnc=interface
    uci set network.myvpnc.proto=none
    uci set network.myvpnc.ifname=tun0
    uci commit network
    
    uci add firewall zone
    uci set firewall.@zone[-1]=zone
    uci set firewall.@zone[-1].name=myvpnc_fw
    uci set firewall.@zone[-1].network=myvpnc
    uci set firewall.@zone[-1].input=REJECT
    uci set firewall.@zone[-1].output=ACCEPT
    uci set firewall.@zone[-1].forward=REJECT
    uci set firewall.@zone[-1].masq=1
    uci set firewall.@zone[-1].mtu_fix=1
    uci add firewall forwarding
    uci set firewall.@forwarding[-1]=forwarding
    uci set firewall.@forwarding[-1].src=lan
    uci set firewall.@forwarding[-1].dest=myvpnc_fw
    uci commit firewall

This is the TCP config for their Seattle server, you may want to change the server and/or protocol/port.

Restart network, firewall and openvpn or just reboot the router.

(Last edited by stangri on 23 May 2016, 10:24)
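Added example, not part of the posts in this thread: the firewall commands above add a lan to myvpnc_fw forwarding but leave existing forwardings untouched, so this POSIX sh check reads `uci show firewall` output and reports whether lan can still forward to a zone other than the VPN zone. It assumes the stock lan to wan forwarding is still present; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit lan forwardings in `uci show firewall` output (read on stdin).
# Handles anonymous forwarding sections, i.e. the ones `uci add` creates.

# Print the destination zone of every forwarding whose source zone is $1.
forward_dests() {
    awk -v want="$1" -v q="'" '
        /^firewall\.@forwarding\[[0-9]+\]\.(src|dest)=/ {
            gsub(q, "")                        # strip quotes if uci printed them
            eq = index($0, "=")
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            sect = key; sub(/\.[a-z]+$/, "", sect)
            opt = key;  sub(/^.*\./, "", opt)
            if (!(sect in seen)) { seen[sect] = 1; order[++n] = sect }
            if (opt == "src") src[sect] = val; else dest[sect] = val
        }
        END { for (i = 1; i <= n; i++) if (src[order[i]] == want) print dest[order[i]] }
    '
}

# Exit 0: lan forwards only to VPN zone $1. Exit 1: lan can also reach other
# zones, so traffic may leave outside the tunnel while it is down. Exit 2: no
# lan forwarding to $1 at all.
check_vpn_only() {
    vpn_zone="$1"; extra=""; has_vpn=no
    for d in $(forward_dests lan); do
        if [ "$d" = "$vpn_zone" ]; then has_vpn=yes; else extra="$extra $d"; fi
    done
    [ "$has_vpn" = yes ] || { echo "no lan -> $vpn_zone forwarding"; return 2; }
    [ -z "$extra" ] || { echo "lan also forwards to:$extra"; return 1; }
    echo "lan forwards only to $vpn_zone"
}

# Constructed sample: stock lan->wan forwarding plus the one the script adds.
SAMPLE_STOCK="firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='myvpnc_fw'"

# Constructed sample: the lan->wan forwarding has been removed.
SAMPLE_VPN_ONLY="firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='myvpnc_fw'"

printf '%s\n' "$SAMPLE_STOCK" | check_vpn_only myvpnc_fw || true
printf '%s\n' "$SAMPLE_VPN_ONLY" | check_vpn_only myvpnc_fw
```

On the router the same check runs against the live configuration with `uci show firewall | check_vpn_only myvpnc_fw`.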

stangri wrote:

Delete everything in /etc/openvpn and the /etc/config/openvpn file, make sure you have /etc/openvpn/pia-crl.pem and /etc/openvpn/pia-ca.crt, create /etc/openvpn/pia-login.pem with your login on the first line and password on the second line, and then do the following from the console:

    chmod 0400 /etc/openvpn/pia-login.pem
    uci set openvpn.myvpnc=openvpn
    uci set openvpn.myvpnc.enabled=1
    uci set openvpn.myvpnc.client=1
    uci set openvpn.myvpnc.dev=tun
    uci set openvpn.myvpnc.proto=tcp
    uci set openvpn.myvpnc.resolv_retry=infinite
    uci set openvpn.myvpnc.nobind=1
    uci set openvpn.myvpnc.persist_key=1
    uci set openvpn.myvpnc.persist_tun=1
    uci set openvpn.myvpnc.ca=/etc/openvpn/pia-ca.crt
    uci set openvpn.myvpnc.tls_client=1
    uci set openvpn.myvpnc.remote_cert_tls=server
    uci set openvpn.myvpnc.auth_user_pass=/etc/openvpn/pia-login.pem
    uci set openvpn.myvpnc.auth_nocache=1
    uci set openvpn.myvpnc.comp_lzo=yes
    uci set openvpn.myvpnc.verb=1
    uci set openvpn.myvpnc.reneg_sec=0
    uci set openvpn.myvpnc.crl_verify=/etc/openvpn/pia-crl.pem
    uci set openvpn.myvpnc.keepalive='10 120'
    uci set openvpn.myvpnc.float=1
    uci add_list openvpn.myvpnc.remote='us-seattle.privateinternetaccess.com 443'
    uci commit openvpn

    uci set network.myvpnc=interface
    uci set network.myvpnc.proto=none
    uci set network.myvpnc.ifname=tun0
    uci commit network
    
    uci add firewall zone
    uci set firewall.@zone[-1]=zone
    uci set firewall.@zone[-1].name=myvpnc_fw
    uci set firewall.@zone[-1].network=myvpnc
    uci set firewall.@zone[-1].input=REJECT
    uci set firewall.@zone[-1].output=ACCEPT
    uci set firewall.@zone[-1].forward=REJECT
    uci set firewall.@zone[-1].masq=1
    uci set firewall.@zone[-1].mtu_fix=1
    uci add firewall forwarding
    uci set firewall.@forwarding[-1]=forwarding
    uci set firewall.@forwarding[-1].src=lan
    uci set firewall.@forwarding[-1].dest=myvpnc_fw
    uci commit firewall

This is the TCP config for their Seattle server, you may want to change the server and/or protocol/port.

Restart network, firewall and openvpn or just reboot the router.


Thanks man, I'll try that, because not only do I not need to worry about individual devices on my network by doing that, their Windows software is also not too stable. I am getting random disconnects; I even had to disable the VPN killswitch because of random DCs.

Once again thank you.

Quick question. Maybe it's too specific, but I'd think one of the most liked VPN services + one of the best software for routers is a win-win. So the question is this: maybe there is a WRT1900AC OpenWRT build available with the PIA service pre-installed? Like, all the settings are there and all you have to do is put in your username and password?

You can build it yourself with the image builder. Just include your /etc/openvpn/pia-* files along with the script above (saved as /etc/uci-defaults/99-piasetup). While you're at it, you can also set up your wireless to the channels/passwords of your liking.

I had to make a few changes to get this to work for me, I based this on the Us West.ovpn file included in the openvpn-strong.zip file from PIA.

    uci set openvpn.myvpnc.proto=udp
    uci set openvpn.myvpnc.auth=sha256
    uci set openvpn.myvpnc.cipher=aes-256-cbc
    uci add_list openvpn.myvpnc.remote='us-west.privateinternetaccess.com 1197'
    uci commit openvpn

Working great now!

powertoaster wrote:

I had to make a few changes to get this to work for me, I based this on the Us West.ovpn file included in the openvpn-strong.zip file from PIA.

    uci set openvpn.myvpnc.proto=udp
    uci set openvpn.myvpnc.auth=sha256
    uci set openvpn.myvpnc.cipher=aes-256-cbc
    uci add_list openvpn.myvpnc.remote='us-west.privateinternetaccess.com 1197'
    uci commit openvpn

Working great now!


This is great news. Care to explain in detail? I actually forgot the whole installation detail. But if I follow the official directions + what you listed, it should be enough, unless we need to know something else?

Thank you!

powertoaster wrote:

I had to make a few changes to get this to work for me, I based this on the Us West.ovpn file included in the openvpn-strong.zip file from PIA.

    uci set openvpn.myvpnc.proto=udp
    uci set openvpn.myvpnc.auth=sha256
    uci set openvpn.myvpnc.cipher=aes-256-cbc
    uci add_list openvpn.myvpnc.remote='us-west.privateinternetaccess.com 1197'
    uci commit openvpn

Working great now!

When I originally posted, PIA didn't use strong (4096) certificates.

Look here :-)

xakep wrote:
powertoaster wrote:

I had to make a few changes to get this to work for me, I based this on the Us West.ovpn file included in the openvpn-strong.zip file from PIA.

    uci set openvpn.myvpnc.proto=udp
    uci set openvpn.myvpnc.auth=sha256
    uci set openvpn.myvpnc.cipher=aes-256-cbc
    uci add_list openvpn.myvpnc.remote='us-west.privateinternetaccess.com 1197'
    uci commit openvpn

Working great now!


This is great news. Care to explain in detail? I actually forgot the whole installation detail. But if I follow the official directions + what you listed, it should be enough, unless we need to know something else?

Thank you!


P.S.: The 1197 port didn't work for me, but the 1198 did.

(Last edited by b.bo on 8 Oct 2016, 21:33)

The discussion might have continued from here.