SOLUTION: ASUSWRT Merlin OpenVPN Client Settings

I finally got the correct settings on my ASUSWRT Merlin Router to fix errors such as:

Authenticate/Decrypt packet error: cipher final failed
SIGUSR1[soft,decryption-error] received, process restarting
Authenticate/Decrypt packet error: packet HMAC authentication failed

First I uploaded the ovpn file, then changed the settings to this:

Basic Settings
Start with WAN: Yes
Interface Type: TUN
Protocol: UDP
Server Address and Port: (actual IP address, not the domain) Port: 1198
Firewall: Auto
Authorization Mode: TLS (Click "Content modification of Keys & Certificates" to add the CA)
Username/Password Authentication: Yes
Username: your user
Password: your pass
Username / Password Auth. Only: No
TLS control channel security (tls-auth / tls-crypt): Disabled
Auth digest: SHA 1
Create NAT on tunnel: Yes

Advanced Settings
Global Log verbosity: 1
Poll Interval: 0
Accept DNS Configuration: Disabled
Cipher Negotiation: Enable with fallback
Negotiable ciphers: AES-128-CBC:AES-256-CBC
Legacy/fallback cipher: AES-128-CBC
Compression: LZO Adaptive
TLS Renegotiation Time: -1
Connection Retry: -1
Verify Server Certificate: No
Redirect Internet traffic: Policy Rules (for my XBONE)
Block routed clients if tunnel goes down: Yes

Custom Config
tls-client
remote-cert-tls server
reneg-sec 0
disable-occ
cipher aes-128-cbc
auth sha1
nobind
persist-key
persist-tun

I hope this helps someone!
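
A way to check which client settings to compare against the server when these errors show up, as an added example that is not part of the original post: the script matches the two error messages quoted above to the OpenVPN directives that have to agree on both ends and reports their current values. The sample config and log are constructed from the lines in the post; settings made through the router GUI fields are not included, and the pairing of each error with its directives is the usual cause, not the only possible one.

```python
import re

# Constructed sample input: the Custom Config block and the log errors quoted in the post.
CONFIG = """\
tls-client
remote-cert-tls server
reneg-sec 0
disable-occ
cipher aes-128-cbc
auth sha1
nobind
persist-key
persist-tun
"""
LOG = """\
Authenticate/Decrypt packet error: cipher final failed
SIGUSR1[soft,decryption-error] received, process restarting
Authenticate/Decrypt packet error: packet HMAC authentication failed
"""

# Log pattern -> client directives that must match the server for that error to clear.
RULES = [
    (re.compile(r"cipher final failed"), ("cipher", "data-ciphers", "ncp-ciphers")),
    (re.compile(r"packet HMAC authentication failed"), ("auth", "tls-auth", "tls-crypt")),
]

def parse_config(text):
    """Return {directive: argument string}, skipping blank lines and # or ; comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split(None, 1)
        opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def triage(log_text, opts):
    """For each matching log line, list the related directives and their current values."""
    findings = []
    for line in log_text.splitlines():
        for pattern, directives in RULES:
            if pattern.search(line):
                values = {d: opts.get(d, "<not set>") for d in directives}
                findings.append((pattern.pattern, values))
    return findings

if __name__ == "__main__":
    for error, values in triage(LOG, parse_config(CONFIG)):
        print(error, "->", values)
```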

Comments

  • Beauty!  After going back and looking at the system log while trying to apply this configuration to my router, and correcting my numerous incorrect spelling incidences, this worked!  I had previously attempted to use the configuration that was posted online by PIA, and it got me connected and would stay green (according to the VPN status of the router) but no access to internet.  Logs showed "Authenticate/Decrypt packet error: cipher final failed" among other problems.  I have to work with an ARRIS router using IP passthrough to the ASUS router due to my internet provider.  I had figured that maybe it was some issue with the way that was set up, but it is now working with this configuration.  Thanks!
  • Posts: 1
    This worked great for me. Although I was able to get it working using us-east.privateinternetaccess.com for the server address.
  • Posts: 2
    Many thanks. I had been fiddling with various older/not-quite-correct configurations for a couple of hours before I came across this!
  • edited May 6 Posts: 1
    Drwolf (or anyone else on here), your config worked for me - was having the same issue. Question though - when you go to the PIA homepage, do you see that you are "protected?" I can now get to the internet, etc, but this is the only thing I see that doesn't jibe.  I downloaded the desktop client and when I activate it that way and go to the PIA homepage it says I'm "protected." Thoughts?

    ****Edit****

    The tests on the site show that I'm still exposed - DNS leak, check my IP, email IPleak fail.  Are you seeing this too?  Service is still connected though.
  • Posts: 1
    This guide worked wonderfully for me! thanks.
    I also cross referenced with this https://helpdesk.privateinternetaccess.com/hc/en-us/articles/227852327-Setting-up-an-Asus-Router-running-Merlin-Firmware
  • Posts: 1
    Frizank said:
    Drwolf (or anyone else on here), your config worked for me - was having the same issue. Question though - when you go to the PIA homepage, do you see that you are "protected?" I can now get to the internet, etc, but this is the only thing I see that doesn't jibe.  I downloaded the desktop client and when I activate it that way and go to the PIA homepage it says I'm "protected." Thoughts?

    ****Edit****

    The tests on the site show that I'm still exposed - DNS leak, check my IP, email IPleak fail.  Are you seeing this too?  Service is still connected though.
    I'm running into the same issue.  Any updates or resolution?
  • Hi, 

    Can anyone tell me where to find the cert files needed for this?

    Authorization Mode: TLS (Click "Content modification of Keys & Certificates" to add the CA)
  • Posts: 357
    Try here - https://www.privateinternetaccess.com/openvpn/openvpn.zip

    When you unzip the file it will contain the .crt and .pem files. The .crt is your certificate file.

  • Posts: 7
    Any idea how to change the cipher to "none"? 
  • Posts: 282
    >>> Any idea how to change the cipher to "none"? 

    Why would you want to do that?
  • millserd said:
    This guide worked wonderfully for me! thanks.
    I also cross referenced with this https://helpdesk.privateinternetaccess.com/hc/en-us/articles/227852327-Setting-up-an-Asus-Router-running-Merlin-Firmware


    This link is not working for me.


    I have an AC-5300 and have followed the instructions listed above.  The router says I am connected to the vpn, however my ip does not change and the PIA website says I am not protected as well.  Any ideas?
