SOLUTION: ASUSWRT Merlin OpenVPN Client Settings

drwolfdrwolf
in Other Devices VPN Setup
I finally got the correct settings on my ASUSWRT Merlin Router to fix errors such as:

Authenticate/Decrypt packet error: cipher final failed
SIGUSR1[soft,decryption-error] received, process restarting
Authenticate/Decrypt packet error: packet HMAC authentication failed

First I uploaded the ovpn file, then changes the settings to this: 

Basic Settings
Start with WAN: Yes
Interface Type: TUN
Protocol: UDP
Server Address and Port: (actual IP address, not the domain) Port: 1198
Firewall: Auto
Authorization Mode: TLS (Click "Content modification of Keys & Certificates" to add the CA)
Username/Password Authentication: Yes
Username: your user
Password: your pass
Username / Password Auth. Only: No
TLS control channel security (tls-auth / tls-crypt): Disabled
Auth digest: SHA 1
Create NAT on tunnel: Yes

Advanced Settings
Global Log verbosity: 1
Poll Interval: 0
Accept DNS Configuration: Disabled
Cipher Negotiation: Enable with fallback
Negotiable ciphers: AES-128-CBC:AES-256-CBC
Legacy/fallback cipher: AES-128-CBC
Compression: LZO Adaptive
TLS Renegotiation Time: -1
Connection Retry: -1
Verify Server Certificate: No
Redirect Internet traffic: Policy Rules (for my XBONE)
Block routed clients if tunnel goes down: Yes

Custom Config
tls-client
remote-cert-tls server
reneg-sec 0
disable-occ
cipher aes-128-cbc
auth sha1
nobind
persist-key
persist-tun

I hope this helps someone!

Comments

  • railgeekrailgeek
    Beauty!  After going back and looking at the system log while trying to apply this configuration to my router, and correcting my numerous incorrect spelling incidences, this worked!  I had previously attempted to use the configuration that was posted online by PIA, and it got me connected and would stay green (according to the VPN status of the router) but no access to internet.  Logs showed "Authenticate/Decrypt packet error: cipher final failed" among other problems.  I have to work with an ARRIS router using IP passthrough to the ASUS router due to my internet provider.  I had figured that maybe it was some issue with the way that was set up, but it is now working with this configuration.  Thanks!
  • fonetikfonetik
    This worked great for me. Although I was able to get it working using us-east.privateinternetaccess.com for the server address.
  • 1053810538
    Many thanks. I had been fiddling with various older/not-quite-correct configurations for a couple of hours before I came across this!
  • FrizankFrizank
    edited May 2017
    Drwolf (or anyone else on here), your config worked for me - was having the same issue. Question though - when you go the PIA homepage, do you see that you are "protected?" I can now get to the internet, etc, but this is the only thing I see that doesn't jive.  I downloaded the desktop client and when I activate it that way and go to the PIA homepage it says I'm "protected." Thoughts?

    ****Edit****

    The tests on the site show that I'm still exposed - DNS leak, check my IP, email IPleak fail.  Are you seeing this too?  Service is still connected though.
  • millserdmillserd
    This guide worked wonderfully for me! thanks.
    I also cross referenced with this https://helpdesk.privateinternetaccess.com/hc/en-us/articles/227852327-Setting-up-an-Asus-Router-running-Merlin-Firmware
  • BAyalaBAyala
    Frizank said:
    Drwolf (or anyone else on here), your config worked for me - was having the same issue. Question though - when you go the PIA homepage, do you see that you are "protected?" I can now get to the internet, etc, but this is the only thing I see that doesn't jive.  I downloaded the desktop client and when I activate it that way and go to the PIA homepage it says I'm "protected." Thoughts?

    ****Edit****

    The tests on the site show that I'm still exposed - DNS leak, check my IP, email IPleak fail.  Are you seeing this too?  Service is still connected though.
    I'm running into the same issue.  Any updates or resolution?
  • p8630716p8630716
    Hi, 

    Can anyone tell me where to find the cert files needed for this?

    Authorization Mode: TLS (Click "Content modification of Keys & Certificates" to add the CA)
  • Omnibus_IVOmnibus_IV
    Try here - https://www.privateinternetaccess.com/openvpn/openvpn.zip

    When you unzip the file it will contain the .crt and .pem files. The .crt is your certificate file.

  • User0User0
    Any idea how to change the cipher to "none"? 
  • PiaVipperPiaVipper
    >>> Any idea how to change the cipher to "none"? 

    Why woudl you want to do that?
  • birmjambirmjam
    millserd said:
    This guide worked wonderfully for me! thanks.
    I also cross referenced with this https://helpdesk.privateinternetaccess.com/hc/en-us/articles/227852327-Setting-up-an-Asus-Router-running-Merlin-Firmware


    This link is not working for me.


    I have an AC-5300 and have followed the instructions listed above.  The router says I am connected to the vpn, however my ip does not change and the PIA website says I am not protected as well.  Any ideas?

  • [Deleted User][Deleted User]
    edited May 2018
    @birmjam (and anyone else following this guide) -

    Make sure that if you enable Policy Rules, you really intend to use policy-based routing. If you're setting up the VPN for general-purpose use and you intend to cover your whole network, enabling policy rules will cause your IP to be unmasked, since the client requires that rules be added to route client traffic through the tunnel. 

    In general, you should leave this setting on "None" to be sure your IP is masked.
  • p2777564p2777564
     im sure thats not entirely the best way to do it
    you can set up a rule that sets all traffic through the vpn and then add other rules for devices that you dont wish to go through the vpn (using asus merlin firmware)



Sign In or Register to comment.