PIA Setup with Asus RT-AC68U and Merlin 380.57
Hi. I am new to PIA and have tried several sets of instructions from this forum and other sites for getting it working, but to no avail. I have an RT-AC68U with Merlin 380.57. When I turn on the service state, I lose all internet connection (the state stays active, but I can't access any URL). These are my settings:
Comments
And personally I would just disable the compression setting entirely. It cannot compress the encrypted data with any real gains since it appears as random garbage to the compressor.
If that does not help then we can work on it a bit, but I do not have the capacity to test it myself since I have an ancient router that really could not begin to handle the encryption, and even if it could, it would still be different from yours.
*Edit* I forgot to welcome you here. Welcome to the new and greatly improved forums.
Thanks OmniNegro for your response and I really appreciate your help.
I tried your suggestions; I have a few different AES cipher settings (CBC, CFB, and OFB for both 128 and 256) so I tried them all with disabled compression. With the various AES 128 and 1196 settings I had no internet connection, but with the AES 256 and 1197, I had internet, but no IP change that would indicate to me that traffic was going through the VPN. That didn’t make much sense to me, but I’m not going to claim to understand much about what most of these settings do.
I am open to any other suggestions you have. I may not get to make many changes tonight but I will try again tomorrow when there is no one else home to drive crazy with the irregular internet.
persist-key
persist-tun
tls-client
comp-lzo
verb 1
Those five lines worked years ago when I was using my router for the VPN. Here is the link to the thread where I explained this.
https://www.privateinternetaccess.com/forum/discussion/comment/15781/#Comment_15781
Good luck.
I tried the script with the following results:
Hi p8661094, that is actually the first article I found and the reason I bought AC68U when my last router died. I was hoping it would work but didn't. I'm curious, what version of Merlin are you currently using?
I was thinking of going back to earlier versions to try to get it to work, but all the articles that people explicitly list their version are more than a year old and there are some important security changes since then so I'm not sure I want to do that.
Could you show me your version and settings that you have currently working?
Hope I did this right; let me know if the screenshot shows up. Don't understand why the "reddit" link doesn't work for you; originally I followed their instructions to the letter and was able to get PIA working. Currently I'm running Merlin's version of the firmware, 380.57. Did a factory reset as per Merlin's advice and re-entered all my settings manually after the upgrade. Router controls seven (7) devices, Windows 10 and iOS. I use port "1194" with "US-East" server with default encryption. There are other ports you can use: 9201, 8080, 53. I don't see 1196 as a port to use. Also, these settings are for "udp", not "tcp".
Hi p8661094,
I wasn’t able to see your image. I had difficulties setting up my images when I started this conversation. The only thing that ended up working for me was uploading mine to google drive and using a shared link.
I started over from scratch since I never did a reset the first time and re-entered everything from scratch. That didn’t work for me. So I tried again with a reset and entered only the minimum I could in my router settings to eliminate any other settings that might be causing issues and went through the Reddit instructions again.
When that didn’t work, I tried your port suggestions. When that didn’t work, I tried the settings I had in my first post, and then the changes OmniNegro recommended, then settings from other posts on this forum, and I am completely out of ideas.
I am open to any other suggestions, and if you can relink your image again, I’ll keep trying. FYI, I have verified my account works using the desktop application, so I know it’s not that, and that is all I can safely say I know at this point. :-)
Hopefully the link worked this time. Also, what certificate are you using? I'm using the following:
-----BEGIN CERTIFICATE-----
[certificate body not preserved]
-----END CERTIFICATE-----
and paste it under certificate authority.
p8661094: I double-checked my cert and that is what I had.
I did finally get it working based on this article (http://www.snbforums.com/threads/privateinternetaccess.10412/). I noticed that one of the users had a user name of RMerlin and seemed to understand the custom configuration information and what was already included in the firmware. I had suspected some of what I had entered in the custom configuration section might be redundant with the GUI settings and this seemed to confirm that suspicion.
I will list below my exact settings (without an image as the image linking doesn’t work very well and requires that those images be perpetually maintained, which is unlikely to happen).
Under <Client Control>:
Select client instance: Client 1
Service state: Leave <Off> until you have entered all the other settings.
Under <Basic Settings>:
Start with WAN: <Yes>
Interface type: <TUN>
Protocol: <UDP>
Server address and port: Address: us-midwest.privateinternetaccess.com Port: 1194
Firewall: <Automatic>
Authorization Mode: <TLS>
Username/password authentication: <Yes>
Username: Your PIA Username
Password: Your PIA Password
Username auth. only: <No>
Extra HMAC authorization: <Disabled>
Create NAT on tunnel: <Yes>
Under <Advanced Settings>:
Poll interval: 0
Accept DNS configuration: <Strict>
Encryption cipher: <Default>
Compression: <Adaptive>
TLS renegotiation time: 0
Connection retry: 30
Verify server certificate: <No>
Redirect internet traffic: <No>
Under <Custom Configuration>:
tls-client
Click <Apply> at the bottom of page.
Click on <Content modifications of Keys and Certificates> link (next to Authorization Mode).
Static key: Leave blank
Certificate authority: Copy and paste certificate authority from ca.crt (or what p8661094 pasted in previous message)
Client Certificate: Leave blank
Client key: Leave blank
Certificate Revocation List: Leave blank
Extra Chain Certificates: Leave blank
Click <Save> at bottom of page
Click <Apply> at the bottom of page.
Under <Basic Settings> switch the <Service State> button to <On>
Click <Reboot> at top of page to reboot your router (mine did not take effect until I rebooted)
Some notes: My setup didn't work when I changed the server to another one besides the midwest; this shouldn't be the case, but is. I can't explain it.
I had to reboot my router to get the VPN to work. I don't think this is normal, but it's what worked for me.
If I entered anything besides "tls-client" (including leaving it blank) in the custom configuration section it did not work.
Thanks again to p8661094 and OmniNegro for their help!!!!
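An added example, not part of any poster's message and not PIA's or Merlin's own tooling: a small shell linter for an OpenVPN client config that reports the three points this thread keeps returning to (compression, server certificate checking, and whether the config itself redirects traffic). The function names and both sample configs are constructed for illustration; run `audit_ovpn` against whatever client config file your router actually generates.

```shell
#!/bin/sh
# Added example: lint an OpenVPN client config for the settings argued over
# in this thread. Prints one WARN line per finding.

# has FILE REGEX: true if an active (uncommented) line starts with REGEX.
has() { grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"; }

audit_ovpn() {
    f=$1
    has "$f" 'ca' || has "$f" '<ca>' ||
        echo "WARN: no ca directive, server certificate has no trust anchor"
    has "$f" 'remote-cert-tls[[:space:]]+server' || has "$f" 'verify-x509-name' ||
        echo "WARN: server certificate usage/name is not checked"
    has "$f" 'redirect-gateway' ||
        echo "WARN: no redirect-gateway, default route moves only if the server pushes it"
    # "comp-lzo no" keeps the framing but turns compression off, so it is not flagged.
    if has "$f" 'comp-lzo' && ! has "$f" 'comp-lzo[[:space:]]+no'; then
        echo "WARN: compression is enabled (comp-lzo)"
    fi
    return 0
}

# Constructed sample: the five custom lines quoted in the thread plus the
# minimum a client config needs. File names and layout are assumptions.
sample_thread() {
    cat <<'EOF'
dev tun
proto udp
remote us-midwest.privateinternetaccess.com 1194
ca ca.crt
auth-user-pass
persist-key
persist-tun
tls-client
comp-lzo
verb 1
EOF
}

# Constructed sample with the three findings addressed.
sample_strict() {
    sample_thread | sed 's/^comp-lzo$/comp-lzo no/'
    printf '%s\n' 'remote-cert-tls server' 'redirect-gateway def1'
}

tmp=$(mktemp)
sample_thread > "$tmp"; echo "== thread-style config"; audit_ovpn "$tmp"
sample_strict > "$tmp"; echo "== stricter config";     audit_ovpn "$tmp"
rm -f "$tmp"
```

A clean lint result only says the directives are present; whether traffic really leaves through the tunnel still has to be confirmed by comparing the public IP before and after connecting, as the original poster did.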
OmniNegro: Sure, feel free to copy it elsewhere.
On Merlin 380.57 be warned this seems to kill my 2.4 GHz radio. I can see it, connect but then no packets move. 5 GHz is working fine. I've gone back to the last build until this bug is resolved.
Also on all Merlin builds client 1 uses the second CPU core, but on the 380.57 build for some reason client 1 is on core 1, so set up PIA to use client 2. Do a speed test and watch the graphs in the network map to confirm OpenVPN is using the second core.
Hope this helps.
https://helpdesk.privateinternetaccess.com/hc/en-us/articles/227852327-Setting-up-an-Asus-Router-running-Merlin-Firmware
It's easy. It works.
Of course, make sure you copy settings correctly... I entered in a "1" instead of a "-1" and it did not work. After checking it three times, I found my mistake.