OpenVPN with privateinternetaccess

Lucky75
Posts: 83
Joined: Tue Mar 31, 2009 5:04 pm

OpenVPN with privateinternetaccess

Post by Lucky75 »

Hi all,

I'm trying to set up openvpn to connect to my privateinternetaccess vpn, but I can't seem to figure out how to do it.

They have instructions (https://www.privateinternetaccess.com/p ... rt_openvpn) for how to get it to work with dd-wrt, but not gargoyle or even openwrt.

I'd appreciate if someone could help guide me through how to do this, as I'm really rather lost.

Thanks


I've tried manually doing it by creating a .ovpn file in /etc/openvpn with the following settings:

Code:

client
dev tun
proto udp
remote us-east.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ./ca.crt
tls-client
remote-cert-tls server
auth-user-pass ./password.txt
comp-lzo
verb 1
reneg-sec 0

and then running openvpn --config config.ovpn. This is the output I get:

Code:

Sun Oct  6 21:32:14 2013 OpenVPN 2.2.2 mips-openwrt-linux [SSL] [LZO2] [EPOLL] built on May 20 2013
Sun Oct  6 21:32:14 2013 WARNING: file './password.txt' is group or others accessible
Sun Oct  6 21:32:14 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Oct  6 21:32:14 2013 LZO compression initialized
Sun Oct  6 21:32:14 2013 RESOLVE: NOTE: us-east.privateinternetaccess.com resolves to 4 addresses
Sun Oct  6 21:32:14 2013 UDPv4 link local: [undef]
Sun Oct  6 21:32:14 2013 UDPv4 link remote: 209.222.5.231:1194
Sun Oct  6 21:32:14 2013 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Oct  6 21:32:15 2013 [server] Peer Connection Initiated with 209.222.5.231:1194
Sun Oct  6 21:32:17 2013 TUN/TAP device tun0 opened
Sun Oct  6 21:32:17 2013 /sbin/ifconfig tun0 10.167.1.6 pointopoint 10.167.1.5 mtu 1500
Sun Oct  6 21:32:17 2013 Initialization Sequence Completed

But I can't connect anywhere. I'd also like to have this run in the background and on startup, and specify for it to only route through the vpn for netflix, but I have no idea how to do that either :p

Lucky75
Posts: 83
Joined: Tue Mar 31, 2009 5:04 pm

Re: OpenVPN with privateinternetaccess

Post by Lucky75 »

Hi Guys,

Still stuck here. Does anyone have any suggestions? Thanks

craigrose
Posts: 7
Joined: Mon Aug 11, 2014 9:59 am

Re: OpenVPN with privateinternetaccess

Post by craigrose »

This may be too late for Lucky but I hope it helps someone.

TP-Link TL-WR1043ND ver 1.8 S/N: 11.......
Gargoyle (v1.5.5) is built on OpenWRT r29594 Backfire 10.03.1
Note that this is a buggy version and improvements in OpenVPN are claimed for the latest version of Gargoyle.
The procedure is pretty much along the lines of https://www.privateinternetaccess.com/p ... rt_openvpn with tweaks to work around issues with Gargoyle. Note that I know very little about what all the openvpn settings mean and someone may be able to improve on them.

Why 1.5.5? - well sometimes we just like to leave well enough alone :)

1. First replace /www/common.js with https://raw.github.com/ericpaulbishop/g ... /common.js (this does something to Gargoyle with "undefined" appearing in various places in the interface. But it still seems to work OK - maybe upgrade to 1.6 will fix that).
2. Login to Gargoyle web interface and select "OpenVPN disabled" then save. Wait a long time.
3. SSH to Gargoyle and delete the contents of /etc/openvpn
4. The following are those provided by PIA
# '>' creates the file fresh, so repeating this step does not stack up extra lines
echo username > /tmp/password
echo password >> /tmp/password
5. Download https://www.privateinternetaccess.com/o ... penvpn.zip
6. Back to Gargoyle web interface and:
7. OpenVPN Client
8. Configure Client Manually
9. OpenVPN Server Address: us-west.privateinternetaccess.com
10. OpenVPN Server Port: 1194
11. OpenVPN Protocol: UDP
12. OpenVPN Cipher: Blowfish CBC-128bit
13. Now manually finish up the OpenVPN Configuration so it looks like this:
client
dev tun
proto udp
remote us-west.privateinternetaccess.com 1194
resolv-retry infinite
cipher BF-CBC
keysize 128
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
comp-lzo
auth-user-pass /tmp/password
14. Place the contents of the ca.crt from the openvpn.zip download earlier in the CA Certificate field:
-----BEGIN CERTIFICATE-----
Stuff in here
-----END CERTIFICATE-----
15. Gargoyle will choke unless you put something in the Client certificate and Client key fields. Anything will do.
eg
Client certificate: fake
Client key: fake
16. Save and wait a long time.
17. If successful /etc/openvpn will look like this (I've "obfuscated" part of the file names because they look like they may give away some part of the encryption - the fact I don't actually know is a good enough reason for me to do so):
current_status
grouter_client_obfuscatedpart.key
grouter_client_obfuscatedpart.conf
grouter_client_obfuscatedpart_ca.crt
grouter_client_obfuscatedpart.crt

the contents of grouter_client_obfuscatedpart.conf
client
dev tun
proto udp
remote us-west.privateinternetaccess.com 1194
resolv-retry infinite
cipher BF-CBC
keysize 128
nobind
persist-key
persist-tun
ca /etc/openvpn/grouter_client_obfuscatedpart_ca.crt
tls-client
remote-cert-tls server
comp-lzo

And the following process will be running:
/usr/sbin/openvpn --syslog openvpn(custom_config) --writepid /var/run/openvpn-custom_config.pid --config /etc/openvpn/grouter_client_obfuscatedpart.conf

Gargoyle web interface will also report: Running, Connected, IP: 10.148.1.6
18. Note that in this version 1.5.5 QoS and Quotas will not work so may as well turn them off. They may be OK in later versions?
19. If it breaks repeat this entire process. Especially stopping the VPN and removing the contents of /etc/openvpn
20. If you want to complete your security and stop DNS leakage use DNS servers provided by PIA (209.222.18.222, 209.222.18.218 at time of writing)
21. Some advice on checking security: http://freedomhacker.net/check-and-see- ... is-secure/
Last edited by craigrose on Tue Aug 19, 2014 10:13 pm, edited 1 time in total.

craigrose
Posts: 7
Joined: Mon Aug 11, 2014 9:59 am

Re: OpenVPN with privateinternetaccess

Post by craigrose »

OK I just learnt that OpenVPN uses a tmpfs so the method I am using to get the username/password into /tmp or /var will not allow them to survive a reboot. You'll need to repeat the step where we create /tmp/password. Anyone know how I could make these persist?

n0pin
Posts: 129
Joined: Thu Jan 09, 2014 6:39 am

Re: OpenVPN with privateinternetaccess

Post by n0pin »

craigrose wrote: OK I just learnt that OpenVPN uses a tmpfs so the method I am using to get the username/password into /tmp or /var will not allow them to survive a reboot. You'll need to repeat the step where we create /tmp/password. Anyone know how I could make these persist?

You can echo username and password to a different location. Like:

Code:

# '>' creates the file fresh; '>>' then appends the second line
echo username > /usr/password
echo password >> /usr/password

Here we echo them to the /usr location, which persists after reboot. After that you will have to change the config file to reflect this change (last line):

Code:

client
dev tun
proto udp
remote us-west.privateinternetaccess.com 1194
resolv-retry infinite
cipher BF-CBC
keysize 128
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
comp-lzo
auth-user-pass /usr/password

Also:
First replace /www/common.js with H:\Computer\gargoyle router\common.js (this does something to Gargoyle with "undefined" appearing in various places in the interface. But it still seems to work OK - maybe upgrade to 1.6 will fix that).
What is this? Did you want to share some file with us? If so, you have to upload it to some file hosting website and then link it here, as we can't download files which are on your computer ;)
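
The log in the first post warns that the password file is group or others accessible and that passwords may be cached without auth-nocache, and the posts above move the file out of /tmp so it survives a reboot. The following shell script is an added example, not code from any poster or from Gargoyle, that checks a client config for those three points and rewrites the credentials file with owner-only permissions; the function names and finding strings are hypothetical, and the tmpfs check assumes the OpenWrt layout described in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: audit the credentials file that an
# OpenVPN client config names in auth-user-pass.

# Print the path given to auth-user-pass in config $1 (nothing if absent).
auth_file() {
    awk '$1 == "auth-user-pass" && NF >= 2 { print $2; exit }' "$1"
}

# Print one finding per line for config $1; print nothing when all checks pass.
audit_config() {
    cred=$(auth_file "$1")
    [ -n "$cred" ] || { echo "no-auth-file"; return 0; }
    # Assumption: OpenWrt layout, where /tmp is tmpfs and /var points at it
    case $cred in
        /tmp/*|/var/*) echo "tmpfs-path" ;;
    esac
    if [ -f "$cred" ]; then
        # In the ls -l mode string, characters 5-10 are the group/other bits
        [ "$(ls -l "$cred" | cut -c5-10)" = "------" ] ||
            echo "group-or-other-accessible"
        # OpenVPN reads the username from line 1 and the password from line 2
        [ "$(awk 'END { print NR }' "$cred")" -eq 2 ] || echo "not-two-lines"
    else
        echo "missing-file"
    fi
    grep -q '^auth-nocache' "$1" || echo "no-auth-nocache"
}

# Write username $2 and password $3 to file $1, readable by the owner only.
# '>' truncates, and chmod also tightens a file that already existed.
write_credentials() {
    ( umask 077; printf '%s\n%s\n' "$2" "$3" > "$1" )
    chmod 600 "$1"
}

# Constructed demo: placeholder credentials in a scratch directory.
demo() {
    d=./ovpn-audit-demo.$$; mkdir -p "$d"
    printf 'p0000000\nplaceholder\n' > "$d/password"; chmod 644 "$d/password"
    printf 'client\nauth-user-pass %s\n' "$d/password" > "$d/client.conf"
    echo "before: $(audit_config "$d/client.conf" | tr '\n' ' ')"
    write_credentials "$d/password" p0000000 placeholder
    echo 'auth-nocache' >> "$d/client.conf"
    echo "after: $(audit_config "$d/client.conf" | tr '\n' ' ')"
    rm -rf "$d"
}
demo
```

A relative path such as ./password.txt is resolved from the directory the script is run in, so run it from the directory OpenVPN is started in.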

craigrose
Posts: 7
Joined: Mon Aug 11, 2014 9:59 am

Re: OpenVPN with privateinternetaccess

Post by craigrose »

Thanks n0pin

Sorry about that - copy and pasted from my notes :)

The file common.js is one supplied by Eric discussed here:
http://www.gargoyle-router.com/phpbb/vi ... .js#p13388

I'll update in the OP.
