Double Tunnel using Merlin and PC

I've discovered an interesting scenario:  say my location is Seattle. If I open a VPN tunnel to the PIA Seattle server with my Asus AC-66U Merlin router, and then open a second VPN tunnel on a Windows 7 PC running the PIA app to the same Seattle server, my PC appears to do all the encryption while the router just passes the data through to the PIA server. Note that I am using the same login for both devices, and the PC is statically routed through the router's VPN tunnel.  Also, I am using policy routing in the Asus router with the kill switch enabled.

My assumption is that it's not a double tunnel at all, and that since both devices are logged into the same server, the router somehow knows it doesn't need to encrypt the traffic, and therefore the connection is completed via a single tunnel to the server, passing through the Asus without double encryption. Sound about right? If I'm correct, this is a useful setup for folks like me with underpowered routers that would like a second kill switch at the router for peace of mind.

Comments

  • Posts: 7
    User0 said:
    I've discovered an interesting scenario:  say my location is Seattle. If I open a VPN tunnel to the PIA Seattle server with my Asus AC-66U Merlin router, and then open a second VPN tunnel on a Windows 7 PC running the PIA app to the same Seattle server, my PC appears to do all the encryption while the router just passes the data through to the PIA server. Note that I am using the same login for both devices, and the PC is statically routed through the router's VPN tunnel.  Also, I am using policy routing in the Asus router with the kill switch enabled.

    My assumption is that it's not a double tunnel at all, and that since both devices are logged into the same server, the router somehow knows it doesn't need to encrypt the traffic, and therefore the connection is completed via a single tunnel to the server, passing through the Asus without double encryption. Sound about right? If I'm correct, this is a useful setup for folks like me with underpowered routers that would like a second kill switch at the router for peace of mind.
    At least it was exhibiting this behavior last week when both were connected to the same server. I just changed the PC back to Seattle from SF and it's not doing it anymore. What gives?

    Well... does anyone know how to set Merlin to not use encryption? I'd still like to use the kill switch feature on the router. My logic is this:  if both devices are connected to the same server (Seattle), then they'll both experience any outage that may occur, and the Merlin router will kill the connection to any devices until it can be restored. 
  • Posts: 282
    Two tunnels won't work or will give problems. In any case it achieves nothing extra in terms of security.
  • Posts: 7
    PiaVipper said:
    Two tunnels won't work or will give problems. In any case it achieves nothing extra in terms of security.
    That's a bold statement. It does, in fact, work. I'm posting this message through a two chain cascading VPN connection.  Speedtest shows it bumping up against my ISP's cap, so I'm not aware of any problems associated with doing so.

    Additionally, there are numerous articles on the internet stating that it does increase security.

    Someone, anyone, please help me in my quest to turn off the encryption in Merlin.
  • User0 said:
    PiaVipper said:
    Two tunnels won't work or will give problems. In any case it achieves nothing extra in terms of security.
    That's a bold statement. It does, in fact, work. I'm posting this message through a two chain cascading VPN connection.  Speedtest shows it bumping up against my ISP's cap, so I'm not aware of any problems associated with doing so.

    Additionally, there are numerous articles on the internet stating that it does increase security.

    Someone, anyone, please help me in my quest to turn off the encryption in Merlin.
    posts 1 and 2 in this forum thread explain how to do it >> https://www.snbforums.com/threads/how-to-setup-a-vpn-client-including-policy-rules-for-pia-and-other-vpn-providers-380-68-09-12.30851/
  • edited September 27 Posts: 7
    Thanks p27.  I tried this:

    Port 1195: For no encryption use with encryption type set to none and Auth digest set to none and in custom configuration add auth none. This method is the fastest and full speed but without encryption. Not very safe.

    And got this in my System Log:

    Sep 26 21:21:24 openvpn[19358]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Sep 26 21:21:24 openvpn[19358]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Sep 26 21:21:24 openvpn[19358]: TCP/UDP: Preserving recently used remote address: [AF_INET]104.200.154.39:1195
    Sep 26 21:21:24 openvpn[19358]: Socket Buffers: R=[118784->118784] S=[118784->118784]
    Sep 26 21:21:24 openvpn[19358]: UDP link local: (not bound)
    Sep 26 21:21:24 openvpn[19358]: UDP link remote: [AF_INET]104.200.154.39:1195
    Sep 26 21:21:24 openvpn[19358]: TLS: Initial packet from [AF_INET]104.200.154.39:1195, sid=4eb89d9c 9eb2bbb2
    Sep 26 21:21:24 openvpn[19358]: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
    Sep 26 21:21:24 openvpn[19358]: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    Sep 26 21:21:24 openvpn[19358]: TLS_ERROR: BIO read tls_read_plaintext error
    Sep 26 21:21:24 openvpn[19358]: TLS Error: TLS object -> incoming plaintext read error
    Sep 26 21:21:24 openvpn[19358]: TLS Error: TLS handshake failed
    Sep 26 21:21:24 openvpn[19358]: SIGUSR1[soft,tls-error] received, process restarting
    Sep 26 21:21:24 openvpn[19358]: Restart pause, 5 second(s)

    I see the server certificate verification isn't working... do I need to change it from TLS?
    Post edited by User0 on
  • User0 said:
    Thanks p27.  I tried this:

    Port 1195: For no encryption use with encryption type set to none and Auth digest set to none and in custom configuration add auth none. This method is the fastest and full speed but without encryption. Not very safe.

    And got this in my System Log:

    Sep 26 21:21:24 openvpn[19358]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Sep 26 21:21:24 openvpn[19358]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Sep 26 21:21:24 openvpn[19358]: TCP/UDP: Preserving recently used remote address: [AF_INET]104.200.154.39:1195
    Sep 26 21:21:24 openvpn[19358]: Socket Buffers: R=[118784->118784] S=[118784->118784]
    Sep 26 21:21:24 openvpn[19358]: UDP link local: (not bound)
    Sep 26 21:21:24 openvpn[19358]: UDP link remote: [AF_INET]104.200.154.39:1195
    Sep 26 21:21:24 openvpn[19358]: TLS: Initial packet from [AF_INET]104.200.154.39:1195, sid=4eb89d9c 9eb2bbb2
    Sep 26 21:21:24 openvpn[19358]: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
    Sep 26 21:21:24 openvpn[19358]: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    Sep 26 21:21:24 openvpn[19358]: TLS_ERROR: BIO read tls_read_plaintext error
    Sep 26 21:21:24 openvpn[19358]: TLS Error: TLS object -> incoming plaintext read error
    Sep 26 21:21:24 openvpn[19358]: TLS Error: TLS handshake failed
    Sep 26 21:21:24 openvpn[19358]: SIGUSR1[soft,tls-error] received, process restarting
    Sep 26 21:21:24 openvpn[19358]: Restart pause, 5 second(s)

    I see the server certificate verification isn't working... do I need to change it from TLS?
    Did you paste in the  certificate authority he provides in post 2 ?
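    The System Log above and p27's answer point at the same cause: the router's OpenVPN client had no trusted CA, so it rejected the server chain as self-signed, and it also had no server-certificate check enabled (the WARNING line). The following is an added example, not code from the thread, the snbforums guide, or PIA: a small Python checker that lints an OpenVPN client config written in the style of the "no encryption" setup and ties its findings to the log lines User0 posted. The config text, the hostname vpn.example.net and the placeholder CA body are assumptions; the log lines are copied from the post above.

```python
"""Lint an OpenVPN client config and triage the TLS errors from its log.

Added example for the thread above. The config strings are constructed to
mirror the "cipher none / auth none" router setup the guide describes; the
hostname and the CA body are placeholders, not real PIA values.
"""
import re

# Constructed: the weak form, as a first attempt at the guide's instructions
# might look (no CA pasted in, no server certificate check).
WEAK_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.net 1195
cipher none
auth none
tls-client
"""

# Constructed: the same config with the fix p27 points to (the provider's CA
# pasted into a <ca> block) plus a check that the peer holds a server cert.
FIXED_CONFIG = WEAK_CONFIG + """\
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-PROVIDER-CA-CERTIFICATE
-----END CERTIFICATE-----
</ca>
"""

# Copied from the System Log posted in the thread (an excerpt).
SAMPLE_LOG = [
    "Sep 26 21:21:24 openvpn[19358]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.",
    "Sep 26 21:21:24 openvpn[19358]: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com",
    "Sep 26 21:21:24 openvpn[19358]: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed",
    "Sep 26 21:21:24 openvpn[19358]: TLS Error: TLS handshake failed",
]


def parse_config(text):
    """Return {directive: [args]}; inline <tag>...</tag> blocks become {tag: [body]}."""
    directives, block, body = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:                      # inside an inline <tag> block
            if line == f"</{block}>":
                directives[block] = ["\n".join(body)]
                block, body = None, []
            else:
                body.append(line)
            continue
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"<(\w+)>", line)
        if m:
            block = m.group(1)
            continue
        name, *args = line.split()
        directives[name] = args                    # last occurrence wins
    return directives


def audit_config(text):
    """Findings, in a fixed order, for the settings this thread is about."""
    d = parse_config(text)
    findings = []
    if d.get("cipher") == ["none"]:
        findings.append("data-channel-unencrypted")
    if d.get("auth") == ["none"]:
        findings.append("data-channel-unauthenticated")
    if "ca" not in d:                              # chain cannot be trusted -> VERIFY ERROR
        findings.append("no-ca")
    if not any(k in d for k in ("remote-cert-tls", "verify-x509-name", "ns-cert-type")):
        findings.append("no-server-cert-check")    # -> "No server certificate verification method"
    return findings


LOG_PATTERNS = {
    "no-server-cert-check": re.compile(r"No server certificate verification method"),
    "untrusted-chain": re.compile(r"VERIFY ERROR: depth=(\d+), error=([^:]+):"),
    "handshake-failed": re.compile(r"TLS Error: TLS handshake failed"),
}


def triage_log(lines):
    """Map log lines to the same codes audit_config uses (value = detail or True)."""
    hits = {}
    for line in lines:
        for code, pat in LOG_PATTERNS.items():
            m = pat.search(line)
            if m:
                hits[code] = m.group(m.lastindex).strip() if m.lastindex else True
    return hits


def diagnose(config_text, log_lines):
    """Tie config findings to log evidence, the way p27's one-line answer does."""
    findings, hits = set(audit_config(config_text)), triage_log(log_lines)
    advice = []
    if "no-ca" in findings and "untrusted-chain" in hits:
        advice.append("paste the provider's CA into a <ca> block (or point 'ca' at it); "
                      f"the server chain is rejected as '{hits['untrusted-chain']}'")
    if "no-server-cert-check" in findings and "no-server-cert-check" in hits:
        advice.append("add 'remote-cert-tls server' so the client refuses a peer that "
                      "presents a client certificate instead of a server one")
    if "data-channel-unencrypted" in findings:
        advice.append("this hop carries plaintext; that is only acceptable when an inner "
                      "tunnel (the PC or DDSM client here) already encrypts the traffic")
    return advice


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_config(cfg))
        for line in diagnose(cfg, SAMPLE_LOG):
            print("  -", line)
```

The TLS control channel and the data channel are separate: `cipher none` and `auth none` only strip protection from the data channel, while the CA and `remote-cert-tls server` govern whether the router can tell it is talking to the real server at all. That is why the unencrypted setup still needs the CA pasted in, and why the fixed config above keeps the two data-channel findings but loses the two that produced the handshake failure.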
  • Posts: 7
    That worked. Thanks, p27!

    I ditched the Win7 virtual machine because it refused to use AES-NI.  It really taxed the CPU.  I am now running Docker DSM (DDSM) on my Synology NAS using Synology's Download Station for bittorrent.  DDSM is running through an OpenVPN connection to PIA using 128-CBC encryption (~1% CPU usage @ 5 MB/s with AES-NI enabled).  My Merlin Asus router is connected to PIA, but without encryption, and uses <5% CPU.  The kill switch is activated in policy-based routing on Merlin to shut off the connection to DDSM on the off chance the connection drops.

    The end result is a fully isolated bittorrent client on a double redundant OpenVPN connection that uses minimal resources. I've just finished setting up scripts and installing FileBot for full HTPC automation to my Plex server.  All that's left now is to crack a cold one, sit back, relax, and enjoy the show!  Thanks for the help!