DD-WRT v24-sp2 VPN - GUI settings don't match setup guide
Hello,
I'm running a WRT310N with v24-sp2 VPN version of DD-WRT, and as I started using the handy DD-WRT OpenVPN guide in client support, got to Step 9 and got stuck because there was no "Encryption Cipher" option. There was also no "Hash Algorithm" option, nor a NAT or Additional Config. I assume the instructions were written for a build of DD-WRT that has different features than mine, but I was hoping someone might have an older guide for getting my version to work. Failing that, what router can I purchase that will absolutely work as directed based on the instructions from the Client Support section? I am not looking to purchase one from FlashRouters because they cost roughly double what Amazon is charging for the same models.
EDIT: Including a screenshot of what my OpenVPN options are.

Comments
https://www.privateinternetaccess.com/openvpn/openvpn.zip
Open the ca.crt file in a text editor like notepad. Copy and paste the entire thing into the CA Cert field you see in your screenshot of your router.
10. Set the Hash Algorithm to SHA1.
12. Set the Advanced Options to Enabled.
14. Set NAT to Enable.
15. In the Additional Config enter the following
I'm hoping that someone else has used v24-sp2 and can comment on how to proceed with a setup that is obviously outside of the guide provided in the client support area.
As for the NAT, I see no option for that in your screenshot, but if you add the certificate, I bet it will start right up without any problem. Disregard the steps that seem different until something actually fails to work. Playing with it can often show you what was wrong much easier than finding instructions that perfectly match your exact model router and firmware.
Do not hesitate to keep asking if something does not work. We can find a solution. And if not, the Asus AC68 series routers are the best for the price. You can flash Merlin firmware on them to make them even better and easier to use. Here is an old thread with loads of details on them, and other routers.
https://www.privateinternetaccess.com/forum/discussion/2845/openvpn-router-speeds
It is a big thread, but it has step by step guides for how to do many things.
So I'm halfway to a solution; turns out that sure enough, the v24-sp2 GUI doesn't expose some of the advanced options even though they're supported. I SSH'ed into the device and the OpenVPN config had the following:
dev tun
proto udp
remote us-east.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
comp-lzo
So what would be extremely useful is if someone who has successfully followed the GUI setup in Client Support and is up and running could cat /tmp/openvpncl/openvpn.conf and then I can test with that. Assuming it works, I can just cat the differences between the one mine generates and what I need in the Administration>Startup command field so that my changes persist across device reboots.
dev tun
proto udp
remote us-east.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /tmp/openvpncl/ca.crt
comp-lzo
auth-user-pass /tmp/password.txt
persist-key
persist-tun
tls-client
remote-cert-tls server
Using this guide on adding scripts in DD-WRT, I have configured a script that will write this to the OpenVPN config in /tmp on wanup.
For those of you who want a really braindead-simple solution and don't want to deal with big scripts in your startup, this holds a copy of a stable PIA config in NVRAM and will persist across reboots. Note that this will kill any customization you currently have in your startup, but if you just have the PIA stuff, this will properly replace it.
Add your username/password where indicated in the script below, and then paste and save the following as a "Custom Script" (in Administration>Commands)
for i in `nvram show|grep openvpn|cut -d '=' -f1`; do nvram unset $i; done
nvram set rc_startup='mkdir /tmp/ovpn
cd /tmp/ovpn
nvram get ovpn_up>up
nvram get ovpn_dn>dn
chmod +x up dn
nvram get ovpn_cfg>piavpn.conf
mkdir -p /tmp/etc/config
echo -e "#!/bin/sh\nkillall openvpn\nping -c4 localhost\nopenvpn --daemon --config /tmp/ovpn/piavpn.conf">/tmp/etc/config/ovpn.wanup
chmod +x /tmp/etc/config/ovpn.wanup
echo -e "PIA_USERNAME_GOES_HERE\nPIA_PASSWORD_GOES_HERE"> /tmp/ovpn/pass
openvpn --daemon --config piavpn.conf'
nvram set ovpn_cfg='client
dev tun
proto udp
remote us-east.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
comp-lzo
auth-user-pass /tmp/ovpn/pass
persist-key
persist-tun
tls-client
remote-cert-tls server
route-up "/tmp/ovpn/up"
down "/tmp/ovpn/dn"
<ca>
-----BEGIN CERTIFICATE-----
CA_CERTIFICATE_BODY_GOES_HERE
-----END CERTIFICATE-----
</ca>
'
nvram set ovpn_up='iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
'
nvram set ovpn_dn='iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE
'
nvram commit
Once saved, then paste the following and click "Run Commands"
What this is doing is creating a custom script that sets a couple of values in NVRAM (Non-volatile, meaning it persists across router reboots). The first value is "rc_startup" which is the system startup commands that you can see in the Administration>Commands dialog. The next is "ovpn_cfg" and represents the config file OpenVPN should use. The last two are ovpn_up and ovpn_down, and are commands that OpenVPN uses when it starts and stops - in our case, just making a change to iptables to ensure that traffic properly flows through your OpenVPN connection when it starts, and works as a normal router when you turn off OpenVPN. You will need to have about 2,000 bytes free in NVRAM to store this, but all of my devices had enough space and are 4+ years old.
Reboot your router and OpenVPN should be connected to PrivateInternetAccess in about 2 minutes.
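
The comparison discussed earlier in the thread (finding which directives a working config has that the GUI-generated /tmp/openvpncl/openvpn.conf lacks, so only those need to be added at startup), as an added example that is not part of any post. The helper names `ovpn_missing` and `ovpn_demo` are hypothetical, and the sample input is constructed, abridged from the two configs posted above.

```shell
#!/bin/sh
# Added example, not from the thread. ovpn_missing and ovpn_demo are
# hypothetical helper names.
#
# ovpn_missing REFERENCE GENERATED
# Prints each directive in REFERENCE that GENERATED does not contain.
ovpn_missing() {
    awk '
        FNR == 1           { inblock = 0 }
        { sub(/\r$/, "") }                        # tolerate CRLF files
        /^[ \t]*<\//       { inblock = 0; next }  # </ca>, </cert>, ...
        /^[ \t]*</         { inblock = 1; next }  # <ca>, <cert>, ...
        inblock            { next }               # skip inline PEM data
        /^[ \t]*([#;]|$)/  { next }               # comments, blank lines
        { $1 = $1 }                               # squeeze whitespace
        pass == 1          { have[$0] = 1; next } # GENERATED: remember
        !have[$0]++        { print }              # REFERENCE: report once
    ' pass=1 "$2" pass=2 "$1"
}

# Constructed sample input, abridged from the two configs in the thread.
ovpn_demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'dev tun' 'proto udp' 'nobind' 'persist-key' 'persist-tun' \
        'ca /tmp/openvpncl/ca.crt' 'cert /tmp/openvpncl/client.crt' \
        'key /tmp/openvpncl/client.key' 'comp-lzo' > "$d/generated.conf"
    printf '%s\n' 'dev tun' 'proto udp' 'nobind' 'persist-key' 'persist-tun' \
        'ca /tmp/openvpncl/ca.crt' 'comp-lzo' \
        'auth-user-pass   /tmp/password.txt' 'persist-key' '# verify peer' \
        'tls-client' 'remote-cert-tls server' > "$d/reference.conf"
    ovpn_missing "$d/reference.conf" "$d/generated.conf"
    rm -rf "$d"
}

ovpn_demo
```

Of the lines it reports, `remote-cert-tls server` is the one that makes the client reject a peer certificate not marked for server use, so it should not be dropped when trimming the list.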