How to set up PIA on a router running Shibby Tomato
I'm running Shibby Tomato Firmware Version 3.1-132 on a Netgear R7000, so your mileage may vary, but the interface should look very similar if you're running Shibby's version of Tomato on your router. Here's a list of supported routers.
Credit goes to both PIA user rcbarnes and the PIA support staff. I followed his guide found here and tweaked it with the PIA support staff. All changes from his guide are highlighted in yellow.
- Log in to your router (usually by entering 192.168.1.1 in your browser)
- Default username/password are both "admin" if you are logging in for the first time
- Click VPN from the menu on the left, then OpenVPN Client submenu
- Choose the Client 1 tab and then Basic tab below
- Check Start with WAN if you want to auto-connect whenever your router is online/starts up
- Set Interface Type to TUN
- Set Protocol to UDP
- Set the Server Address/Port to us-east.privateinternetaccess.com (or whichever server you prefer) and port to 1198
- rcbarnes's guide notes that, in rare cases, entering us-east.privateinternetaccess.com (or whichever server you prefer) might not work, and suggests replacing the hostname with the server's IP address, found by opening Terminal on Linux/OS X or Command Prompt on Windows and typing "ping " followed by the server hostname. DON'T DO THIS: the servers may eventually change addresses, a hard-coded IP will then stop pointing at a PIA server, the tunnel will fail to come up, and your traffic will go out unprotected over the WAN with your true IP exposed.
- Set the Firewall to Automatic
- Set Authorization Mode to TLS
- Check Username/Password Authentication
- Enter your username and password in the boxes that appear below the checkbox (use your actual PIA username, which starts with "p", not the proxy username that starts with "x")
- Ensure that the Username Authen. Only box is unchecked
- Set Extra HMAC authorization to disabled
- Check Create NAT on tunnel
- Click on the Advanced tab
- Set Poll Interval to 0
- Uncheck Redirect Internet Traffic
- Uncheck Ignore Redirect Gateway (route-nopull)
- Set Accept DNS configuration to Strict
- Set Encryption cipher to AES-128-CBC
- Set Compression to Adaptive
- Set TLS Renegotiation Time to 0
- Leave Connection retry as 30
- Uncheck Verify server certificate (tls-remote). This only drops the common-name match that tls-remote adds; OpenVPN still verifies the server's certificate against the CA you paste in the Keys tab below, so that step is not optional.
- In the Custom Configuration textbox, input the following:
- persist-key
- persist-tun
- tls-client
- comp-lzo
- verb 1
- auth SHA1
- Click on the Keys tab
- Paste the contents of ca.crt found in OpenVPN Config Files, into the Certificate Authority text area
- Paste all of the characters found in that file, including "-----BEGIN CERTIFICATE-----" at the beginning and the "-----END CERTIFICATE-----" at the end
- Press the Save button before the Start Now button
Using this setup and a guide found in the Plex forums, I was able to have PIA running while still having remote access to my Plex server.
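The comments below show the failure mode the GUI hides: the client status says "running" while an IP check still shows the ISP address. The script below is an added example for confirming from the router's own shell (Tools > System Commands, or SSH) that the tunnel really carries Internet traffic; it is not part of the original guide or of Tomato. It assumes Tomato attaches OpenVPN Client 1 to the interface tun11 (Client 2 would be tun12; set TUN_IF to override), and that the PIA server pushes "redirect-gateway def1", which is why the guide can leave "Redirect Internet Traffic" unchecked. The sample `ip route` and `ip addr` outputs embedded for the self-test are constructed, not captured from a real router.

```shell
#!/bin/sh
# Added example (not from the guide or Tomato): check that the PIA tunnel
# actually carries Internet traffic, not just that the OpenVPN client is "up".
# Assumption: Tomato's OpenVPN Client 1 uses interface tun11.

TUN_IF="${TUN_IF:-tun11}"

# tun_has_address ADDR_TEXT
# ADDR_TEXT is the output of `ip addr show tun11`. Succeeds when the interface
# holds an IPv4 address, i.e. the TLS handshake completed and the server pushed
# an address. A client whose "Stop now" flips back to "Start now" shows up here
# as no address at all.
tun_has_address() {
    if printf '%s\n' "$1" | grep -q '^[[:space:]]*inet '; then return 0; fi
    return 1
}

# routes_via_tun ROUTE_TEXT IFACE
# ROUTE_TEXT is the output of `ip route`. Succeeds when Internet-bound traffic
# leaves through IFACE: either a plain default route, or the 0.0.0.0/1 and
# 128.0.0.0/1 pair that OpenVPN installs for a pushed "redirect-gateway def1".
# A tunnel that has an address but fails this check is exactly the leak the
# comments describe: the WAN default route still wins.
routes_via_tun() {
    # Append a space to every line so "dev tun11 " cannot also match "dev tun110".
    _rt="$(printf '%s\n' "$1" | sed 's/$/ /')"
    if printf '%s\n' "$_rt" | grep -q "^default .* dev $2 "; then return 0; fi
    if printf '%s\n' "$_rt" | grep -q "^0\.0\.0\.0/1 .* dev $2 " &&
       printf '%s\n' "$_rt" | grep -q "^128\.0\.0\.0/1 .* dev $2 "; then
        return 0
    fi
    return 1
}

# Constructed sample outputs (not captured from a real router) for self_test.
# 192.0.2.x and 198.51.100.x are documentation address ranges.
SAMPLE_TUNNELLED='default via 192.0.2.1 dev vlan2
0.0.0.0/1 via 10.20.10.5 dev tun11
128.0.0.0/1 via 10.20.10.5 dev tun11
198.51.100.7 via 192.0.2.1 dev vlan2
10.20.10.1 via 10.20.10.5 dev tun11
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1'
SAMPLE_LEAKING='default via 192.0.2.1 dev vlan2
10.20.10.1 via 10.20.10.5 dev tun11
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1'
SAMPLE_ADDR='13: tun11: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.20.10.6 peer 10.20.10.5/32 scope global tun11'

# self_test: exercises both checks on the constructed samples.
self_test() {
    tun_has_address "$SAMPLE_ADDR" || return 1
    routes_via_tun "$SAMPLE_TUNNELLED" tun11 || return 1
    if routes_via_tun "$SAMPLE_LEAKING" tun11; then return 1; fi   # WAN still default
    if routes_via_tun "$SAMPLE_TUNNELLED" tun12; then return 1; fi # wrong client
    return 0
}

# check_router: run the live checks on this router. Exit 1 = not connected,
# exit 2 = connected but Internet traffic bypasses the tunnel.
check_router() {
    _addr="$(ip addr show "$TUN_IF" 2>/dev/null)"
    _routes="$(ip route 2>/dev/null)"
    if ! tun_has_address "$_addr"; then
        echo "$TUN_IF has no address: the OpenVPN client is not connected."
        return 1
    fi
    if routes_via_tun "$_routes" "$TUN_IF"; then
        echo "OK: Internet traffic is routed through $TUN_IF."
        return 0
    fi
    echo "LEAK: $TUN_IF is up but the default route still points at the WAN."
    return 2
}

case "${1:-}" in
    --check)     check_router ;;
    --self-test) self_test && echo "self-test passed" ;;
esac
```

Run it as `sh vpn_check.sh --check` on the router; `--self-test` runs the constructed samples. If the live check reports a leak or no address, the next place to look is the OpenVPN log under Status > Logs; the guide's `verb 1` keeps that log terse, so raise it to `verb 3` in the Custom Configuration while troubleshooting.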
Comments
Installed Tomato Shibby 1.28 (build 1.38) on my Asus RT-N12D1 and got the OpenVPN client working with these instructions all right, but when I disconnect my computer's own PIA manager, an IP check shows my computer using my ISP's dynamic IPs, i.e. no tunneling in use, despite the status showing the client is up and running.
How to configure Tomato to direct all Internet traffic via OpenVPN? Also, how to configure Internet traffic to halt if the OpenVPN client is not in use, to be secure at all times? Tried to Google, but no clear instructions on this topic were found, especially not for PIA.
-------------------------------------------------------------------------------------------------------------
I'm very glad that this guide is useful to others!
-------------------------------------------------------------------------------------------------------------
I'm interested in trying this and will dig a bit deeper into it later this week. Please update us if you find out any more information about the errors you were getting and if you find a solution to remove them.
"Without really knowing what's going on behind the scenes I'm only speculating but I think the warnings are the result of negotiations between client and server and how OpenVPN interprets and logs certain events.
With a standard OpenVPN GUI configuration and PIA-supplied config files the cipher used is 128-bit Blowfish in CBC mode. That is what the PIA server expects to see. With different encryption settings specified, the warning is triggered, but because of the patch the server is able to negotiate with the client the same way it would if using the PIA app.
This patch is really a workaround to address differences between PIA systems and the OpenVPN standard. It all stems from the fact that PIA had implemented AES256 encryption in their client before it was available in OpenVPN. PIA did it one way, OpenVPN did it another.
I believe the Link-MTU/Tun-MTU warning is the result of a similar situation. For the benefit of anyone who doesn't know MTU stands for 'maximum transmission unit' and is the maximum size of an individual packet. I think under some circumstances the value for MTU may also be negotiated between client and server and if there is a difference the result is fragmented traffic. I don't think this necessarily causes problems or performance issues unless you have a firewall that filters fragmented packets."
I'm having the same issues on the Asus RT-N12D1, using Tomato Firmware 1.28.0000 MIPSR2-128 K26 Max. I've tried multiple different Tomato firmwares and haven't been successful with any of them. I've also scoured the web for alternate setup guides, but no luck. If I follow the instructions from user1123, when I click "Start now" in the OpenVPN settings, it will change to "Stop now", but if I click off the OpenVPN settings and come back, it will say "Start now" again, and at no point will a whatsmyip check show anything other than my ISP's. If I remove "auth SHA1" from the custom config, it will remain running, but I'm still not tunneled. I've also noticed there are at least two different versions of the ca.crt, and I've tried them both.
mrmann, were you ever successful with this router? I'm a total noob when it comes to this stuff and don't really understand what I'm doing, but I can follow instructions, and got PIA working fine on an ASUS RT-AC66U running Merlin. So I thought this should be easy, but I'm pulling my hair out with this router! I still haven't found any confirmation online that anyone has actually gotten PIA to run on the RT-N12D1 using Tomato Shibby, DD-WRT, or Merlin, so maybe it's just not possible??
Sadly I have also tried AES-128 as well as the default settings, with the same issues: no tunnel is being set up.
Logs: