Synology: No PIA VPN connection possible since latest update

MikyCoudMikyCoud
in Other Devices VPN Setup
Hi,
Just want to report that the latest upadte forom PIA is a mess when it comes to SYnology setup.
Everything was working 100% with the old configuration files (prior to two days ago and the Russian incident). Those configuration files used the 1194 port.
Now, the new files have better encryption and use the new 1198 port (which is mandatory).
When one tries to setup a new VPN connection with PIA new config files, one has to specify the new port, and connection seems to happen (at least Synology control panel>Network>Network Interface says "Connected" to the new VPN connection.. However, a quick ckeck shows that there's no received traffic on that connection, and even worse, using an IpMagnet Tracking Link in DOwnload station shows my real IP!!!
Something weird is really going on....
What can I do?
Thanx for any input...

Comments

  • thelemonkidthelemonkid
    Same issue here!
  • MikyCoudMikyCoud
    edited July 2016
    Ok, after a few exchanges with the PIA support team and the usual "We do not support Synology bla bla", I started to compare my windows client config files and my Synology config files and after that firmly believed the problem was related to ports and different enccryyption.
    They went from blowfish to AES128 and SHA1 and something didn't seem to comply in the synology client, causing unexpected and erratic results.

    Thus, we nedded to force the synology client to use two things:

    -The right port (easy enough done in synology vpn interface: UDP 1198 which for some reasons didn't seem to work for me) or TCP 502 (which worked wonders on mine).

    -The right encryption, which was done following Sbar's recommendation here:

    FOr more clarity, I'll copy and paste his finding here. It requires a little SSH knowledge, more very doable.
    Then, I manually edited the VPN configuraiton files (client_*) in  
    /usr/syno/etc/synovpnclient/openvpn 
    and added these two lines (right after the remote line)
    cipher aes-128-cbc
    auth sha1

    After I did those two things, I got my VPN up and working again....
    Hope that helps
  • thelemonkidthelemonkid
    I think this is the very simple and elegant solution without ssh:


  • MikyCoudMikyCoud
    edited July 2016
    Grrrrr!!!!
    WTH!!!
    The SSH method worked for a few days, but doesn't anymore since yesterday!!!
    I tried your method "thelemonkid", by removing the 2048 line, but when I try configuring a connection this way (via importing a opvn file), I get a "Failed to establish network connection".
    COuld you post your exact settings (including advanced ones) when configuring this way in your DSM Network interface? Also, do you remove the: "ca ca.rsa.2048.crt" line, or just the "crl-verify crl.rsa.2048.pem" one?
    FInally, what certifcate do you use? The normal Ca one, or the 2048 one?

    Thanx for helping!

    PS: I'm so angry at you PIA for F&"é''((ING thi sup repeatedly!!!!! If I could, I'd take my money back and head over to HMA! I swear, giving us a "We do not support synology" is absurd and totally unprofessional. Setting up a synology is the same as setting up a normal vpn client. You are able to help but don't want to. Just say it and stop taking us for fools!

  • thelemonkidthelemonkid
    edited July 2016
    Hi MikyCoud,

    I posted the most simple solution here:


    It is working with no issues at all. The above mentioned solution with deleting some line was not my original idea. But the link in this post will lead you to a set up without deleting anything. It is also not my own solution... I just CAREFULLY read the Synology users manual... And I promise it is EXTREMELY easy!
  • MikyCoudMikyCoud
    Oh right, apologies, I thought the "deleting some lines" idea was yours.
    Funny thing is I did try and and get it to work in the end, but, as with my solution to go through SSH to modify the config files, it did not "stick" for long.
    WIth my solution, the connection worked and stuck for a few days, then didn't. Then did... Then didn't.. Well, you get the idea: unreliable.
    WIth the "remove th elines" solution, I also got a connection, which lasted a few hours, then got cut down, then back up, etc. Unrelable also.
    I just tried your solution, which is so simple it makes me ashamed I didn't do it in the first place, and I also managed to connect to a server. It seems to be stable, but how long for? Future will tell....
    Thanx a bunch all the same!

  • thelemonkidthelemonkid
    mine is running for days now.. and seems stable.

    Check sometimes: https://goo.gl/xxc7Xk to see if it's leaking.

    It's indeed funny how we all focus on impossible difficult solutions, while the easy ones are overlooked... hehehehe
  • mtrmtr
    edited July 2016
    Tested on DSM 6.0.x and all works well as expected.
    image

    These are the steps:

    (1) From the Control Panel select Network -> Network Interface Tab
    (2) Select Create Button -> Create VPN Profile
    image
    (3) Select Open VPN (via importing a .ovpn file) -> NEXT
    image
    (4) Ensure you select “Advanced Options” to see the necessary fields.
    image
    (5) Get the openvpn.zip file provided on the PIA client support & download files ready and enter the following information:

    Field

    Value

    Profile name:

    Anything you like

    User name:

    Your PIA username e.g. p1234567

    Password:

    Your PIA password

    Import .ovpn file:

    Specify the .opvn file containing the VPN server you want to connect to. For example: US California.opvn

    CA certificate:

    ca.rsa.2048.crt file

    Client certificate:

    <Leave this field blank>

    Client key:

    <Leave this field blank>

    Certificate Revocation:

    crl.rsa.2048.pem

    TLS-auth key:

    <Leave this field blank>

    You will need to scoll down to see the TLS_auth key field.
    image

    (6) Select NEXT and then select the VPN Connection and select CONNECT.
    image
    image

    My basic VPN gateway settings are as follows:

    image

    Of course I have also set my network DNS to point to a server that is not managed by my ISP just in case.

    Also I can't blame PIA's policy not to "support" NAS devices. There are so many different vendors and operating systems it would be extremely difficult and costly. Most NAS devices are not as friendly as Synology!

    Good luck.

  • optimus789optimus789
    mtr said:
    Tested on DSM 6.0.x and all works well as expected.
    image

    These are the steps:

    (1) From the Control Panel select Network -> Network Interface Tab
    (2) Select Create Button -> Create VPN Profile
    image
    (3) Select Open VPN (via importing a .ovpn file) -> NEXT
    image
    (4) Ensure you select “Advanced Options” to see the necessary fields.
    image
    (5) Get the openvpn.zip file provided on the PIA client support & download files ready and enter the following information:

    Field

    Value

    Profile name:

    Anything you like

    User name:

    Your PIA username e.g. p1234567

    Password:

    Your PIA password

    Import .ovpn file:

    Specify the .opvn file containing the VPN server you want to connect to. For example: US California.opvn

    CA certificate:

    ca.rsa.2048.crt file

    Client certificate:

    <Leave this field blank>

    Client key:

    <Leave this field blank>

    Certificate Revocation:

    crl.rsa.2048.pem

    TLS-auth key:

    <Leave this field blank>

    You will need to scoll down to see the TLS_auth key field.
    image

    (6) Select NEXT and then select the VPN Connection and select CONNECT.
    image
    image

    My basic VPN gateway settings are as follows:

    image

    Of course I have also set my network DNS to point to a server that is not managed by my ISP just in case.

    Also I can't blame PIA's policy not to "support" NAS devices. There are so many different vendors and operating systems it would be extremely difficult and costly. Most NAS devices are not as friendly as Synology!

    Good luck.

    This doesn't work for me.  I've open all ports: 1194, 1197, 1198.  I've tried capitalizing "CBC", "SHA".  I feel like I've tried everything everyone has suggested.  Anybody help on this????
  • shabazzshabazz

    This doesn't work for me.  I've open all ports: 1194, 1197, 1198.  I've tried capitalizing "CBC", "SHA".  I feel like I've tried everything everyone has suggested.  Anybody help on this????
    Up

    I have the same issue.

    I tested all these suggestions but it doesn't work
  • SusjaSusja
    shabazz said:

    This doesn't work for me.  I've open all ports: 1194, 1197, 1198.  I've tried capitalizing "CBC", "SHA".  I feel like I've tried everything everyone has suggested.  Anybody help on this????
    Up

    I have the same issue.

    I tested all these suggestions but it doesn't work
    It does not work for me either. 
    I am clueless why it failed for me while others succeeded 
  • stevep94stevep94
    I can get this to say "Connected" but when I test it with ipleak.net it still shows my real location!?!? (when I click on the "Geolocation Detection" button on the torrent address detection bit!)

    Anyone got any further with this??

    (also, I know this is probably a stupid question but I assume I should be using my PIA username and password rather than the PPTP/L2TP/SOCKS username and password I can generate??)

    Thanks for any hep getting this to work!
  • SjonnieSjonnie
    The guide from mtr seems to work for me. In Manually configure DNS I use 8.8.8.8 as Preferred DNS server and enabled enable multiple gateways in the advanced settings 

    Running stable for 20 minutes or so.

    HTH

    Greetz,

    Sjonnie
  • OpenVPNOpenVPN
    MikyCoud said:
    Hi,
    Just want to report that the latest upadte forom PIA is a mess when it comes to SYnology setup.
    Everything was working 100% with the old configuration files (prior to two days ago and the Russian incident). Those configuration files used the 1194 port.
    Now, the new files have better encryption and use the new 1198 port (which is mandatory).
    When one tries to setup a new VPN connection with PIA new config files, one has to specify the new port, and connection seems to happen (at least Synology control panel>Network>Network Interface says "Connected" to the new VPN connection.. However, a quick ckeck shows that there's no received traffic on that connection, and even worse, using an IpMagnet Tracking Link in DOwnload station shows my real IP!!!
    Something weird is really going on....
    What can I do?
    Thanx for any input...
    https://helpdesk.privateinternetaccess.com/hc/en-us/articles/219458567-How-can-I-improve-connection-speed-for-a-router-based-VPN-

    https://helpdesk.privateinternetaccess.com/hc/en-us/articles/226851548-I-have-trouble-connecting-or-the-connection-drops-frequently-changing-ports

    https://helpdesk.privateinternetaccess.com/hc/en-us/articles/225274288-Which-encryption-auth-settings-should-I-use-for-ports-on-your-gateways-

    https://helpdesk.privateinternetaccess.com/hc/en-us/articles/219059608-Why-is-the-VPN-connection-not-working-or-slow-with-the-PIA-App-

    ~ Private Internet Access VPN Customer
Sign In or Register to comment.