Manual setup for PIA (VPN Service Provider) with Gargoyle OpenVPN
Re: Manual setup for PIA (VPN Service Provider) with Gargoyle OpenVPN
can you draw a network diagram?
Re: Manual setup for OpenVPN
Thank you for the settings/guide, encro.
I made a few small adjustments to your config:
Code:
client
dev tun
proto udp
remote VPN_SERVER_ADDRESS_HERE 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
# keysize takes a key length in bits, not a cipher name
keysize 128
auth sha1
tls-client
remote-cert-tls server
tun-mtu 1500
tun-mtu-extra 32
comp-lzo no
sndbuf 393216
rcvbuf 393216
verb 1
reneg-sec 0
auth-user-pass '/etc/openvpn/AUTH_FILE_NAME_HERE'
crl-verify '/etc/openvpn/crl.rsa.2048.pem'
On a WRT1200ACv1, these settings boosted my speedtests from ~20Mbit to ~28Mbit (on a 150Mbit line).
Source for edits (posts by user "MrGenie"):
https://www.privateinternetaccess.com/f ... -speeds/p8
I couldn't get these two settings from MrGenie to work:
Code:
push "sndbuf 393216"
push "rcvbuf 393216"
Though Gargoyle showed a successful connection to the PIA VPN server, I could not access the internet from any connected devices.
He claims that "Speed is simply doubled using these settings", which includes the settings I couldn't get to work. So, maybe there is room for improvement?
I'm unsure of the 5th setting he's referencing...
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"
These 5 settings in the server definitely have a huge impact on the router!
Speed is simply doubled by using these settings.
If you are copy+pasting this block of settings, make sure to correct "t;s-cipher" -> "tls-cipher" and remove " (for tap)".
In the end, my recommended settings for encrypted connections:
t;s-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
cipher AES-256-CBC
auth SHA256
tun-mtu 1500
tun-mtu-extra 32 (for tap)
comp-lzo no
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"
On the 2 Windows clients you'll get roughly 120-150Mbps
on the WRT3200ACM you'll get roughly 80Mbps
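A lint pass for the client-config problems that come up in this thread (the `t;s-cipher` typo, the trailing `(for tap)`, `push` lines in a client file, a repeated `auth-user-pass`), as an added example that is not code from the posts or from Gargoyle. The function names and the sample file are constructed here; inline `<ca>` blocks are not handled.

```shell
#!/bin/sh
# Added example: lint an OpenVPN *client* config for the mistakes seen in this thread.
# Prints "LINE: finding" per problem; prints nothing for a clean file.
lint_client_conf() {
    awk '
    NF == 0 || $1 ~ /^[#;]/ { next }            # skip blank lines and comments
    {
        d = $1
        if (d !~ /^[a-z][a-z0-9-]*$/) {          # e.g. the "t;s-cipher" typo
            printf "%d: malformed directive name \"%s\"\n", NR, d; next
        }
        if (d == "push") {                       # push belongs in a server config
            printf "%d: push is a server-side directive, not a client one\n", NR; next
        }
        if (d ~ /^(tun-mtu|tun-mtu-extra|sndbuf|rcvbuf|keysize)$/ &&
            (NF != 2 || $2 !~ /^[0-9]+$/))       # e.g. a trailing "(for tap)"
            printf "%d: %s expects exactly one numeric argument\n", NR, d
        if (d != "remote" && ++seen[d] > 1)      # remote may legitimately repeat
            printf "%d: duplicate %s directive\n", NR, d
    }
    END {
        if (!("remote-cert-tls" in seen))
            print "0: remote-cert-tls missing; server certificate usage is not checked"
    }' "$1"
}

# Constructed sample: lines assembled from the blocks quoted in the thread.
sample_conf() {
    cat <<'EOF'
client
remote VPN_SERVER_ADDRESS_HERE 1198
t;s-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
cipher AES-256-CBC
tun-mtu-extra 32 (for tap)
sndbuf 393216
push "sndbuf 393216"
auth-user-pass /etc/openvpn/pia.auth
auth-user-pass '/etc/openvpn/pia.auth'
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
lint_client_conf "$tmp"
rm -f "$tmp"
```

Run it on a workstation against the text you are about to paste into the 'OpenVPN Configuration' box; a line number of 0 marks a whole-file finding.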
Re: Manual setup for OpenVPN
encro wrote:
Despite the TLS standard stating that a client key isn't required, Gargoyle unfortunately won't let you bypass it. Private Internet Access (PIA) does not generally have a client key.
Download the PIA Certificate files (ca.rsa.2048.crt and crl.rsa.2048.pem) from https://www.privateinternetaccess.com/o ... penvpn.zip
Copy those 2 certificate files into /etc/openvpn on the Gargoyle Router using WinSCP.
While you are in the /etc/openvpn directory, create a file called pia.auth and edit the file:
The first line should have your L2TP Username
The second line should have your L2TP Password.
Save this file and change the permissions on the file to 0600 (rw-------) for security and ensure the group and owner are root.
Create an OpenVPN client from the OpenVPN menu option in Connections in the Gargoyle UI.
OpenVPN Server Address: Select the address from https://www.privateinternetaccess.com/pages/network/
Port: 1198
UDP
Encryption Type: Other
aes-128-cbc
Enter the following into the 'OpenVPN Configuration:'
(Change the PIA Server name to your preferred/geographically closer option).
Code:
client
dev tun
proto udp
remote aus-melbourne.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
# keysize takes a key length in bits, not a cipher name
keysize 128
auth sha1
tls-client
remote-cert-tls server
comp-lzo
verb 1
reneg-sec 0
auth-user-pass '/etc/openvpn/pia.auth'
crl-verify '/etc/openvpn/crl.rsa.2048.pem'
CA Certificate: [PEM certificate block]
Client Certificate: [PEM certificate block]
Client Key: [PEM RSA private key block]
Click the 'Save Changes' button.
Gargoyle will then create 4 files in /etc/openvpn:
grouter_client_{randomidentifier}.conf
grouter_client_{randomidentifier}.crt
grouter_client_{randomidentifier}.key
grouter_client_{randomidentifier}_ca.crt
The grouter_client_{randomidentifier}.conf will be referenced as the configuration file in:
/etc/config/openvpn
/etc/config/openvpn_gargoyle
You should now see that OpenVPN is running and it will also appear on the Gargoyle login screen. If you go to the Private Internet Access website it will also show that you are protected at the top of the page.
I hope you find this useful. I've been trying to get this working for the last 2 days and it is finally working.
Note that the Certificate and RSA Key data above comes from this post:
https://www.privateinternetaccess.com/f ... -on-ios/p1
This totally worked for me too! Thanks a lot!
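One way to check the file-permission step from the guide (0600, owned by root) on the router, as an added example that is not part of the original posts. `check_secret` and `audit_openvpn_dir` are hypothetical helper names, paths are assumed to contain no spaces, and the demo uses a constructed temporary directory in place of /etc/openvpn.

```shell
#!/bin/sh
# check_secret FILE [UID]: succeed only if FILE is a regular file with mode 0600
# owned by UID (default 0, i.e. root). Prints one line per problem found.
check_secret() {
    f=$1; want_uid=${2:-0}; rc=0
    [ -f "$f" ] || { echo "$f: missing or not a regular file"; return 1; }
    meta=$(ls -ln "$f" | awk '{ print substr($1, 1, 10), $3 }')
    mode=${meta% *}; uid=${meta#* }
    [ "$mode" = "-rw-------" ] || { echo "$f: mode is $mode, want -rw------- (0600)"; rc=1; }
    [ "$uid" = "$want_uid" ] || { echo "$f: owner uid is $uid, want $want_uid"; rc=1; }
    return $rc
}

# audit_openvpn_dir DIR [UID]: check every auth-user-pass file named in DIR/*.conf
# and every DIR/*.key (Gargoyle writes grouter_client_*.key there).
audit_openvpn_dir() {
    dir=$1; owner=${2:-0}; bad=0
    auth_files=$(awk -v q="'" '$1 == "auth-user-pass" && NF > 1 {
        gsub("[\"" q "]", "", $2); print $2 }' "$dir"/*.conf 2>/dev/null | sort -u)
    for s in $auth_files "$dir"/*.key; do
        case $s in *'*'*) continue ;; esac      # glob matched nothing
        check_secret "$s" "$owner" || bad=1
    done
    return $bad
}

# Demo on a constructed directory; on the router run: audit_openvpn_dir /etc/openvpn
demo=$(mktemp -d)
printf 'user\npass\n' > "$demo/pia.auth"; chmod 644 "$demo/pia.auth"
printf "auth-user-pass '%s'\n" "$demo/pia.auth" > "$demo/grouter_client_demo.conf"
audit_openvpn_dir "$demo" "$(id -u)" || echo "fix with: chmod 600 FILE; chown root:root FILE"
rm -rf "$demo"
```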