Posted: Wed Jan 24, 2024 14:56 Post subject: Setting up dd-wrt with openVPN (privateinternetaccess.com)
Hello everyone, we are setting up our router to work with the VPN provided by Private Internet Access. Their guides include support for versions different from the one we own. We have tried repurposing the guides for our router with no success.
Could someone kindly give us some directions on how to properly set it up? Thank you
Router/Version: Asus RT-AC68U C1
Firmware: DD-WRT v3.0-r42617 std (03/05/20)
Kernel: Linux 4.4.215 #1052 SMP Wed Mar 4 12:16:22 +04 2020 armv7l
CPU Model: Broadcom BCM4708
CPU Cores: 2
CPU Features: EDSP
CPU Clock: 1000 MHz
Load Average: 0.07, 0.04, 0.00
Temperatures: CPU 68.0 °C / WL0 50.1 °C / WL1 53.0 °C
Joined: 18 Mar 2014 Posts: 12923 Location: Netherlands
Posted: Wed Jan 24, 2024 15:29 Post subject:
Welcome to the forum
Unfortunately you are running an outdated and no longer supported build.
Latest build as of today is 55009 (do not use it if you need port forwarding as it is broken but will be repaired in the upcoming build).
See the forum guidelines with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Upgrade first and *after* upgrade reset to defaults and put settings in manually, this is unfortunately necessary as you are coming from an ancient build.
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Wed Jan 24, 2024 22:36 Post subject:
Yep all the relevant settings are in the egc client guide (the link posted above),
despite the fact PIA does not support WG on router level (yep that's true and sux), there was
an attempt for it made by one forum member and although it was working, it was not reliable in long term use…
I never made it to work…all the few times I tried it….
If you struggle with the Open VPN settings call us, I can share my PIA set up….
PIA online support is very out of the matter totally, they will advise you tons of old settings and lower security ciphers or..to disable your inbound firewall, all in order to keep their servers less busy…and with less CPU load…
Overall PIA is not that bad and has reliable servers worldwide, plus their 3 years plan for 70Euro is unbeatable price...but the lack of WG(router level) puts them in another category...where Mullvad VPN despite its higher price takes the win... _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
PIA (Also CyberGhost, ExpressVPN & Zenmate) are owned by Former Malware Distributor KAPE Technologies, say no more! _________________ Netgear R7800 PPPoE Main Router
Network IPV4 - Isolated Vlan's with IoT Devices. Unifi AC-Pro x 3 AP's, Router Wi-Fi Disabled. OVPN Server With Paid Commercial Wireguard Client's. Gateway Mode, DNSMasq, Static Leases & DHCP, Pi-Hole DNS & Running Unbound.
No one can build you the bridge on which you, and only you, must cross the river of life!
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Thu Jan 25, 2024 10:06 Post subject:
foz111 wrote:
PIA (Also CyberGhost, ExpressVPN & Zenmate) are owned by Former Malware Distributor KAPE Technologies, say no more!
It sounds like, more like a PROS than a CONS
in fact most of the VPN's are owned by PIA very few left as a single...and then again you'd never know what is going on behind the closed doors at any VPN provider....
Back in the days Obama was smoking weed and doing drugs at the college, but one day became a president...
Agreed Alozaros, one never knows, I just don't like putting my trust in proven untrustworthy companies.
OP. I set up a PIA VPN a few months back, PIA wouldn't run without adding
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Thu Jan 25, 2024 12:46 Post subject:
"proven untrustworthy companies"... --- Microsoft, Google, Apple, Cloudflare, Netflix, Amazon, etc.. all those are trusty...so we "may" use their products...and all others are the proven untrust...
tls-client is not needed as it comes by default in DDWRT ... --client
same for remote-cert-tls server...
Tunnel MTU Setting is left at default as 1400 (works best)
and forced all Data Ciphers to ChaChaPoly (prefer it that way, it won't hurt if your servers support it) as well Hash Algorithm is set to 512
persist-tun & persist-key must be coming by default if I'm not wrong.., persist-local-ip, and persist-remote-ip options are a bit hardcore.. but if you use persist-tun & key, must force to reneg-sec 0
P.S.
persist-tun & persist-key ---> just checked at cat /tmp/openvpncl/openvpn.conf
and those 2 are not added by default...DDWRT...however in OpenVPN changelog it said persist-key is defaulted now but nothing about persist-tun, whatever that means..
so adding to OpenVPN config those 2 it won't hurt...I guess
Last edited by Alozaros on Sat Jan 27, 2024 12:27; edited 1 time in total
Google = biggest spyware on the planet!
Crossrider = Kape, were caught distributing malware + adware as you're aware, a simple name change doesn't cut it with me. Time will tell if they're to be trusted.
I was always a fan of PIA until they were purchased by Kape.
It's all about who you trust with your info.
Online motto, If you don't pay for the product, you're the product!
So you shouldn't be the product if you're paying, that's my gripe.
Hopefully this thread, although now off subject, may help someone that wasn't aware of their history, research before subscribing to them and make their own minds up.
Hm. Interesting to know PIA is now owned by someone with less than a totally clean record of ethics. Thanks for that.
The book 'Permanent Record' by Edward Snowden reveals that even Intelligence agencies (e.g. NSA, FBI) of US government cunningly LIED to obtain, illegally, private information of US citizens. And of course, intelligence agencies of other countries such as GCHQ (UK), IDF (Israel), GRU (Russia), etc. are not naive either.
To borrow an analogy. It's GIVEN that the use of highway in one's own car exposes oneself to accidents, serious injury or even fatality, regardless of how carefully one drives. The 100% safe bet is not using one's car on the highway at all. Fat chance. Of course.
The Internet is the Superhighway of Information.
For the OP. The 'latest' version that seems to work fine for PIA OpenVPN is DD-WRT v3.0-r54545 std (12/18/23).
Last edited by D.F.Cruizer on Sun Jan 28, 2024 0:35; edited 1 time in total
An article you may find an interesting read.
https://restoreprivacy.com/kape-technologies-crossrider-malware/
Just depends what you believe, as I said above time will tell!
Joined: 18 Mar 2014 Posts: 12923 Location: Netherlands
Posted: Fri Jan 26, 2024 13:14 Post subject:
D.F.Cruizer wrote:
Here are my settings for PIA OpenVPN settings. See pic.
Per DDWRT OpenVPN client setup guide:
Quote:
Most instructions from VPN providers are wrong/outdated so do not use those.
Especially do not add anything in the OpenVPN Additional Config, almost all settings can and should be done with the GUI!
Only add 'verb 5' if you want to have more log verbosity
Furthermore you have enabled TLS-auth key but the TLS key box is empty.
(The openvpn log will complain about this)
Per DDWRT OpenVPN client setup guide:
Most instructions from VPN providers are wrong/outdated so do not use those.
Especially do not add anything in the OpenVPN Additional Config, almost all settings can and should be done with the GUI!
Thanks. Now only has verb 5. I'd like the KISS principle.
Quote:
Furthermore you have enabled TLS-auth key but the TLS key box is empty.
(The openvpn log will complain about this)
So either add your TLS auth key in the box or disable the use
You're absolutely right, egc. I got it crossed wired when working on the Server side. It can be rather confusing at times, b/w the Server and Client part. I wish each part is easily distinguished such as with a slightly different background color.
Lastly, PIA OpenVPN only works on Firmware of r54545 std (12/18/23) on my R9000.
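Added example, not part of any post above: a POSIX shell check for the directives discussed in this thread (client, remote-cert-tls, persist-tun, persist-key, reneg-sec) and for a tls-auth key that is enabled but empty, meant to be run against the generated config at /tmp/openvpncl/openvpn.conf. The function names are hypothetical, the sample config is constructed, and it assumes the key is referenced by file path rather than embedded inline.

```shell
#!/bin/sh
# Added example (not from the thread): report which of the directives discussed
# above are active in a generated OpenVPN client config.

has_directive() {   # has_directive CONF NAME: true if NAME is an active directive
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

directive_arg() {   # directive_arg CONF NAME: print NAME's first argument, if any
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

audit_ovpn_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "error: cannot read $conf"; return 2; }
    for d in client remote-cert-tls persist-tun persist-key; do
        if has_directive "$conf" "$d"; then echo "$d: present"
        else echo "$d: missing"; fi
    done
    reneg=$(directive_arg "$conf" reneg-sec)
    echo "reneg-sec: ${reneg:-not set}"
    # A tls-auth/tls-crypt line naming an empty or absent key file is the
    # "enabled but key box empty" situation; the path is checked as written.
    for d in tls-auth tls-crypt; do
        key=$(directive_arg "$conf" "$d")
        [ -n "$key" ] || continue
        if [ -s "$key" ]; then echo "$d: key file ok"
        else echo "$d: key file empty or missing"; fi
    done
}

demo() {   # constructed sample config and empty key file, not real DD-WRT output
    dir=$(mktemp -d) || return 1
    : > "$dir/ta.key"
    cat > "$dir/openvpn.conf" <<EOF
client
remote-cert-tls server
# persist-tun
persist-key
reneg-sec 0
tls-auth $dir/ta.key 1
EOF
    audit_ovpn_conf "$dir/openvpn.conf"
    rm -rf "$dir"
}

# On the router: audit_ovpn_conf /tmp/openvpncl/openvpn.conf
demo
```

Commented-out lines such as `# persist-tun` are reported as missing, since only active directives are matched.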