OpenVPN on DDWRT/ASUSWRT protocol blocked by Saudi/UAE/China
Hi
Well, I've been struggling with this issue for months. All the servers for PIA are blocked and get an "Authentication error" message from the router (DDWRT/ASUSWRT) when the original IP is from Saudi/UAE/China (China sometimes works, btw). I tried all the possible ways in the configuration with no luck. And L2TP and PPTP used to work (even though they're not secure), but now, none. Or completely unusable and unstable.
The only way that I can connect is with the PIA app (desktop or mobile); other than that, it's not possible.
Now, after some research, I found out that this is due to some kind of DPI that blocks VPNs in addition to the IP block, which renders the service almost unusable.
The only way to work around it is if PIA implemented a feature like TrafficObfuscation, or VPN over SSH (stealth VPN), or the like.
Honestly, my subscription will end within 2 weeks, and unless there is a practical solution to this, I'll look for another service that provides this feature.
PS. I've been a customer with PIA for more than 3 years. It's good except for this issue.
Comments
ping us-california.privateinternetaccess.com
Do you get an IP address with replies, or do you get a Host Not Found (or words to that effect)?
If you get host not found, then try
ping 198.8.80.214
and tell us if you get replies or no replies.
Attached the ping picture.
https://helpdesk.privateinternetaccess.com/hc/en-us/articles/218984968-What-is-the-difference-between-the-OpenVPN-config-files-on-your-website-
Sorry for the delay, but I tried it all.
All tested with the default configuration, each with its own CA in the file.
- OPENVPN CONFIGURATION FILES (DEFAULT)
Keeps showing (connecting...) and nothing happens.
- OPENVPN CONFIGURATION FILES (IP)
Shows (connected), but the webpage keeps loading forever or until timeout.
- OPENVPN CONFIGURATION FILES (STRONG)
Keeps showing (connecting...) and nothing happens. Picture below:
- OPENVPN CONFIGURATION FILES (TCP)
Keeps showing (connecting...) and nothing happens.
- OPENVPN CONFIGURATION FILES (STRONG-TCP)
Keeps showing (connecting...) and nothing happens. Picture below:
- OPENVPN CONFIGURATION FILES (LEGACY-IP)
It says connected, but when you load a site or ping, it times out. Pic below:
- OPENVPN CONFIGURATION FILES (LEGACY-TCP-IP)
OK, now this is the only one that worked for me, which is progress. Connected and working, though it is a little bit slow.
Pic:
So to conclude it:
Also, that means I can't connect with AES (128 or higher).
So my question remains, how to connect with AES and stronger encryption?
https://sweet32.info/
If you haven't seen this video yet, give it a look-see. It might trigger something that you see on your router that is set correctly.
In the meantime, we will notify @Support and hopefully they can dig much deeper than I can. If you haven't done so, please open a Support Request.
https://helpdesk.privateinternetaccess.com/hc/en-us/requests/new?ticket_form_id=296428
Sorry I can't be of any more help.
Unfortunately, support was useless when I contacted them before; they kept telling me to change servers and have no idea what they do.
PS. What video?
I'm sorry. Don't know how I did that. The video is here. Must be getting old. I am sure you have seen it. It's one of those videos where no one talks.
OK, so here is an update, and hopefully it is fixed.
I combined configs from the two config files to achieve it, which is basically the (Strong TCP) config + (IP default), so you can change the nameserver to IP.
Here is a pic of the final config for 1 profile. It shows it is connected; I tested it, and it works but is a little slow.
Don't forget to use the CA for the strong profile.
I'll test it for a day and report back. If it succeeds, then the main issue is the nameserver to IP, which means:
1- PIA should make a new configuration file with all IP and strong encryption
2- Still, it would be great if the VPN over SSH or TrafficObfuscation feature were enabled to attract more customers.
Side note: One of the options is "TLS control channel security tls auth/tls-crypt". It is disabled; shall I enable it, or what is it?
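Added example (not part of any post in this thread, and not PIA or firmware code): one way to do the merge described in the post above, keeping the strong TCP profile's protocol, port, cipher, auth and CA while swapping only the remote host name for the IP literal from the IP profile. The two profiles, the host name, the address, the ports and the CA file names are constructed placeholders.

```python
import ipaddress

# Constructed sample profiles: host, address, ports and CA names are placeholders.
STRONG_TCP = """\
client
dev tun
proto tcp
remote vpn.example.net 443
remote-cert-tls server
cipher aes-256-cbc
auth sha256
ca ca-strong.crt
"""
IP_DEFAULT = """\
client
dev tun
proto udp
remote 192.0.2.10 1194
cipher aes-128-cbc
auth sha1
ca ca-default.crt
"""

def remotes(profile):
    """Return (host, port) for each 'remote' directive (not remote-cert-tls)."""
    found = []
    for line in profile.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "remote":
            found.append((parts[1], parts[2] if len(parts) > 2 else None))
    return found

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def pin_remote(base, ip_profile):
    """Copy base unchanged except that each remote host becomes the IP literal
    from ip_profile; port, proto, cipher, auth and CA stay as in base."""
    ips = [h for h, _ in remotes(ip_profile) if is_ip(h)]
    if not ips:
        raise ValueError("IP profile has no remote with an IP literal")
    out = []
    for line in base.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "remote":
            parts[1] = ips[0]
            line = " ".join(parts)
        out.append(line)
    return "\n".join(out) + "\n"

MERGED = pin_remote(STRONG_TCP, IP_DEFAULT)  # profile with no DNS lookup at connect time
```

Because the port and CA come from the base profile, the merged file still matches the strong profile's settings; only name resolution is taken out of the connection path.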
As for the name server, that is why I was asking you to ping both the URL and the IP address. I wanted to see if the URL was getting resolved by the DNS. It looks like it does. So I am a little perplexed why it is not working in your router. The advantage of the OpenVPN config files is the ability to change the host to an IP address.
The pro for having a host name is the fact that there's a range of IP addresses associated with the host name. I have pinged the host name several times and received several different IP addresses. It depends on which server one hits.
The pro for using an IP address as the host is consistency. There was a time when I was having issues with some sites being blocked by IP address. I found a few IP addresses that were not blocked, so I hard coded them into the config file.
I would encourage you to keep experimenting and find the combination that works best for you. I flop back and forth between using the PIA Manager on my Local Machine, and using OpenVPN on my Local Machine. My router has DD-WRT on it but the router is old and slow so I cannot use OpenVPN embedded in the router.
Good luck!
It is a very long shot, so if it is completely beside the point please discard it.
You mentioned that you get "Authentication errors" from the router.
I have seen similar messages recently after updating my router firmware to the latest ASUS 382 branch.
Prior to the update the router operated on a 380 branch firmware without any problems, using the credentials and configuration files that fail on the 382 branch.
The second thing that triggered me is in the screenshots you provided.
The icons on the LH side of the screen seem similar to the icons I saw in the 382 branch of the ASUS firmware, they are slightly different from the earlier icons as in the 380 branch.
This makes me think that you are perhaps running a firmware version that is derived from / related to / modified / ...... ASUS 382 branch. If that is the case I would suggest that you try an earlier build, something from the ASUS 380 branch.
I posted my finding in another post, which can be found here.
Hope this helps,
With that in mind, I wonder if perhaps the login/password are getting corrupted or are not being passed along correctly. So I wonder if AHOHA were to clear the cache of his router and reconfigure the settings then reenter the login credentials. Wonder if that might help.
But the thing is, I was (and still am) able to ping both the IP and the nameserver without any problem, but once it is in the router's OpenVPN, the nameserver won't connect.
It needs deeper inspection, I guess. I looked at the log, nothing useful, it just says (connection drop). If I have some time, maybe Wireshark will help.
Thank you for the info.
The router uses AsusWRT-merlin 380.68_4, not 382.
But this issue (the authentication error) I have had since 378.55_0, and if you look again at the screenshot, you'll actually see profile1 still showing the error message (error connecting, authentication failed), and I'll get this error only if I change the IP address to a nameserver (like nl.privateinternetaccess.com).
But why not, I'll try the original Asus one and see if it changes anything.
I did clear the cache actually before, but as mentioned above, once I change the IP to a nameserver, I get that error.
And I'm sure it is related to some ISP blocking or some kind of DPI, because even with the PIA app on smartphones (Android), the first time I installed the app and entered my credentials, it gave me an error msg with (authentication error), but I found a workaround to this issue: by making an L2TP VPN profile in the device settings and connecting by L2TP, then I'll go to the PIA app and connect, which will work. And I have to do this only the first time I install the app; later times it connects automatically.
Btw, thanks @Omnibus_IV and @hp_pia
AFAIK Merlin has his own VPN routines, different from Asus stock code.
So perhaps you will see different results using stock firmware.....
Good luck!
https://www.privateinternetaccess.com/forum/discussion/comment/52015#Comment_52015