Manual setup for PIA (VPN Service Provider) with Gargoyle OpenVPN

ispyisail
Moderator
Posts: 5180
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: Manual setup for PIA (VPN Service Provider) with Gargoyle OpenVPN

Post by ispyisail »

Can you draw a network diagram?

twf85
Posts: 20
Joined: Tue Nov 14, 2017 3:59 pm

Re: Manual setup for OpenVPN

Post by twf85 »

Thank you for the settings/guide, encro.

I made a few small adjustments to your config:

client
dev tun
proto udp
remote VPN_SERVER_ADDRESS_HERE 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
keysize aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
tun-mtu 1500
tun-mtu-extra 32
comp-lzo no
sndbuf 393216
rcvbuf 393216
verb 1
reneg-sec 0
auth-user-pass '/etc/openvpn/AUTH_FILE_NAME_HERE'
crl-verify '/etc/openvpn/crl.rsa.2048.pem'

On a WRT1200ACv1, these settings boosted my speedtests from ~20Mbit to ~28Mbit (on a 150Mbit line).

Source for edits (posts by user "MrGenie"):
https://www.privateinternetaccess.com/f ... -speeds/p8

I couldn't get these two settings from MrGenie to work:

push "sndbuf 393216"
push "rcvbuf 393216"

Though Gargoyle showed a successful connection to the PIA VPN server, I could not access the internet from any connected devices.

He claims that "Speed is simply doubled using these settings", which includes the settings I couldn't get to work.. So, maybe there is room for improvement?

MrGenie wrote:
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"

These 5 settings in the server definitely have a huge impact on the router!
Speed is simply doubled by using these settings.

I'm unsure of the 5th setting he's referencing..

MrGenie wrote:
in the end, my recommended settings for encrypted connections:
t;s-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
cipher AES-256-CBC
auth SHA256
tun-mtu 1500
tun-mtu-extra 32 (for tap)
comp-lzo no

sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"

On the 2 windows clients you'll get roughly 120-150Mbps
on the WRT3200ACM you'll get roughly 80Mbps

If you are copy+pasting this block of settings, make sure to correct "t;s-cipher" -> "tls-cipher" and remove " (for tap)".

JasonB11
Posts: 15
Joined: Thu Sep 03, 2015 7:21 pm

Re: Manual setup for OpenVPN

Post by JasonB11 »

encro wrote:
Despite the TLS standard stating that a client key isn't required Gargoyle won't unfortunately let you bypass it. Private Internet Access (PIA) does not generally have a client key.

Download the PIA Certificate files (ca.rsa.2048.crt and crl.rsa.2048.pem) from https://www.privateinternetaccess.com/o ... penvpn.zip

Copy those 2 certificate files into /etc/openvpn on the Gargoyle Router using WinSCP.

While you are in the /etc/openvpn directory, create a file called pia.auth and edit the file:
The first line should have your L2TP Username
The second line should have your L2TP Password.
Save this file and change the permissions on the file to 0600 (rw-------) for security and ensure the group and owner are root.

Create an OpenVPN client from the Open VPN menu option in Connections in the Gargoyle UI.

OpenVPN Server Address: Select the address from https://www.privateinternetaccess.com/pages/network/
Port: 1198
UDP
Encryption Type: Other
aes-128-cbc

Enter the following into the 'OpenVPN Configuration:'
(Change the PIA Server name to your preferred/geographically closer option).

keysize aes-128-cbc
client
dev tun
proto udp
remote aus-melbourne.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/pia.auth
comp-lzo
verb 1
reneg-sec 0
auth-user-pass '/etc/openvpn/pia.auth'
crl-verify '/etc/openvpn/crl.rsa.2048.pem'

CA Certificate:

Client Certificate:

Client Key:

Click the 'Save Changes' button.

Gargoyle will then create 4 files in /etc/openvpn:
grouter_client_{randomidentifier}.conf
grouter_client_{randomidentifier}.crt
grouter_client_{randomidentifier}.key
grouter_client_{randomidentifier}_ca.crt

The grouter_client_{randomidentifier}.conf will be referenced as the configuration file in:
/etc/config/openvpn
/etc/config/openvpn_gargoyle

You should now see that OpenVPN is running and it will also appear on the Gargoyle login screen. If you go to the Private Internet Access website it will also show that you are protected at the top of the page.

I hope you find this useful, I've been trying to get this working for the last 2 days and it is finally working :D

Note that the Certificate and RSA Key data above comes from this post:
https://www.privateinternetaccess.com/f ... -on-ios/p1

This totally worked for me too! Thanks a lot!
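
Added example, not part of any post in this thread: a shell check for two points the posts above turn on, the credentials file that encro's guide says must be 0600 and root-owned, and the `push` lines that MrGenie lists as settings "in the server". Function names and the sample files are constructed, and it assumes a `stat` that supports `-c` (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example, not from the thread; function names and sample data are constructed.
# check_auth_file FILE [UID:GID]: print findings, return 1 if any (default 0:0 = root).
check_auth_file() {
    f=$1; want=${2:-0:0}; rc=0
    [ -f "$f" ] || { echo "auth file missing: $f"; return 1; }
    mode=$(stat -c %a "$f"); own=$(stat -c %u:%g "$f")
    [ "$mode" = 600 ] || { echo "auth file mode is $mode, expected 600"; rc=1; }
    [ "$own" = "$want" ] || { echo "auth file owner is $own, expected $want"; rc=1; }
    n=$(awk 'NF { n++ } END { print n + 0 }' "$f")
    [ "$n" -eq 2 ] || { echo "auth file has $n non-empty lines, expected 2"; rc=1; }
    return $rc
}

# check_client_conf CONF [UID:GID]: lint the client config, then the auth file it names.
check_client_conf() {
    conf=$1; crc=0
    out=$(awk '
        NF == 0 || $1 ~ /^[#;]/ { next }    # skip blank lines and comments
        $1 == "push" { print "line " NR ": push is a server-side directive" }
        $1 == "remote-cert-tls" && $2 == "server" { tls = 1 }
        $1 == "crl-verify" { crl = 1 }
        END {
            if (!tls) print "remote-cert-tls server is missing"
            if (!crl) print "crl-verify is missing"
        }' "$conf")
    [ -z "$out" ] || { echo "$out"; crc=1; }
    # Take the last auth-user-pass line and strip the quotes used in the thread.
    auth=$(awk '$1 == "auth-user-pass" { p = $2 } END { print p }' "$conf" | tr -d "\"'")
    [ -n "$auth" ] || { echo "auth-user-pass names no credentials file"; return 1; }
    check_auth_file "$auth" "$2" || crc=1
    return $crc
}

# make_sample DIR: constructed config with the two push lines and a 0644 auth file.
make_sample() {
    printf 'constructed-user\nconstructed-pass\n' > "$1/pia.auth"; chmod 644 "$1/pia.auth"
    cat > "$1/client.conf" <<EOF
client
remote-cert-tls server
push "sndbuf 393216"
push "rcvbuf 393216"
auth-user-pass '$1/pia.auth'
crl-verify '$1/crl.rsa.2048.pem'
EOF
}

d=$(mktemp -d) && make_sample "$d"
check_client_conf "$d/client.conf" "$(id -u):$(id -g)" || echo "fix the findings above"; rm -rf "$d"
```

On the router, call `check_client_conf` on the generated `grouter_client_{randomidentifier}.conf` without the second argument so the owner check defaults to root.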