Suggestions & Concerns
I'm putting this in feedback because it seems to fit best here. First of all, great service, great price. I love the security it provides at a lower cost than your competition. I don't personally use it to torrent but from what I've seen, I could and that is great.
I primarily use your service as part of my Android devices, to secure traffic while at an open access point or an access point that I don't trust, even if it has WPA. I do this at work, coffee shops, McDonald's, hotels, etc. I would love the ability to configure rules; right now it is all or nothing. I use my LAN at home to do work between computers, my Roku at my TV, and some file sharing within my LAN. If I've got the VPN running, I can't do these things. So at home, I don't want the VPN running. I was using Avast! SecureLine, which had the really awesome feature of letting me define rules: if I connected to any insecure network it would automatically start the VPN, and when I went back to the cellular network or to a secured network it would stop the VPN. I could also set up rules to automatically start the VPN if I connect to, say, my neighbor's network. The easiest (for you) way to do something similar is to allow Tasker to control your app. There is an OpenVPN app that does this. Basically, I'd like to set up Tasker so that it can enable my VPN automatically and disable it again when I get home.
My second concern is you've got some issues with crashes. About half the time when I tap on the key icon in the notification pulldown and tap "Disconnect" on the pop-up with my network stats on it, your app force closes. It isn't huge because it still works, but it does make me tap the "I Trust this app" next time I want to turn on the VPN.
As a continued suggestion, I will soon have my laptop back from a friend and I'll be using your service on it as well. I would like a similar ability to automate the VPN connection and disconnection on my Windows machine as well. I think this feature would bring you more users because the one HUGE problem with security of this type is the user has to keep it up. This is a similar effect to backup. Everyone knows they should back up but no one does until someone makes it automated. No one would question the need to encrypt traffic, but no one does because there is little or no automation. If you would fix the automation issues I would be able to get you at least 4 more regular subscribers who aren't technically savvy enough to want to deal with VPN manually, but who would do it if it were automated.
Comments
Could you check the device's routing table when you're on your LAN and connected to the VPN?
PIA Manager, and probably also the smartphone app, should have a setting to connect automatically. Paired with the ability to access local resources regardless of VPN connection, it is the most basic and simplest form of automation.
I do understand that configurability is a huge factor for power users, but for those users it also has to be working right. I myself don't want to live with the restrictions PIA Manager would set for me, so I use my own set of scripts to manage the VPN connections. PIA could probably include the features I use within their software, but there are already very good alternatives out there, and while competition is usually a good thing, it would take a lot of resources to actually make a difference, and I'd rather have them spend those resources elsewhere, like publishing the information needed to change default encryption settings with plain OpenVPN.
PIA has a few people that occasionally get involved in discussions here, but they would not mislead you like that.
I could list the people who work for PIA here, but the way the forums work, they would get annoying messages telling them they were mentioned in a thread. So unless you really want that, I will abstain from listing them.
As for the topic, I cannot really offer any help. I own only one PC, and have no mobile devices whatsoever, nor any 'droid devices either. But I am interested. Technically adept people are most welcomed here. Welcome to the forums!
I know Android has limitations on the routing commands and such, and the VPN API is limited in ways too. For now, the service does what I need if a little cumbersome.
OpenVPN itself does not modify local routes at all. And why should it? Local routes do not affect internet routing in any way, because all sensible providers drop packets from RFC1918 networks.
I have no idea why mobile devices would or should not have access to a local network while having a VPN connection. If this is enforced by PIA's app, I'd view it as a bug, or at least a very misguided feature, and demand that it be changed.
If it's a limitation of the OS, it might be best to use the OS' integrated VPN options and/or file a bug report.
As far as automation goes, if mobile devices need something special, I really have no experience with it. Perhaps something better is available than I can imagine, and maybe it's as easy as a weekend of inserting API calls into the app's source code. I guess I'm not really fit to comment on this specific issue.
I'd still rather have them put their resources into stuff that benefits me instead of you. I think I could make an objective argument for information disclosure over feature programming, but let's just say I'm selfish. That will probably result in less arguing.
I feel that posting in a public forum automatically invites third parties to comment.
@VPN has been asking questions for years now. And with all due respect to you, he *DOES* know quite a bit about networking. Local does not mean the same thing to everyone. I remember arguing about localhost being a variable with any possible address. People argued it could only ever be 192.168.0.0 or 127.0.0.0 or some other nonsense that may as well be arbitrary.
In the end, everyone who thought it was a static address was proven wrong. And while local routing is a whole different subject, remember that we are all running different systems. @VPN runs Linux only as far as I know, and sometimes is a bit puzzled by the questions of users of other OSes. (As I am myself.)
Android is not the droid you were looking for...
No. Pardon the Star-Wars pun. Android is not really the same as Linux in many ways. I cannot specify the ways, but Google has never been truly forthcoming about the OS.
No worries. I've stopped being angry at people misunderstanding me on the internet a long time ago.
About a year ago, PIA introduced an update to their desktop software client (across all supported OSs) which allowed users to define the encryption, authentication and verification methods that the VPN connection uses, i.e. encryption cipher and strength (I believe choices are None, Blowfish, AES128 or AES256), authentication via RSA with different key sizes (don't know if any others are supported), and different HMACs (probably None, MD5, SHA*).
Since the software internally uses OpenVPN for the connection itself, it should have been possible to use these settings with OpenVPN configuration files also.
But it isn't, as you've noticed too, and users fail to understand why this is the case, because no information was offered even after asking explicitly.
We have had, during the last 12 months or so, at least 5 threads on the forums about when and/or if the needed configuration settings will be provided by PIA. Especially the option to disable encryption could help router users to gain more speed with their limiting devices, or advanced users like me who'd like to be able to use the best crypto settings available while still having full config access and scripting flexibility by using OpenVPN over the client software (not to mention that it's useless on headless machines).
So, to conclude, apparently Android does things differently and routing is more limited, which makes it an important point to have more options regarding automated connecting and disconnecting. We learned that PIA doesn't always keep up with users' needs and that @VPN watches Anime.
By the way, since you talked about the routing stuff so extensively, if you'd like I could show you the routing tables for my LAN router, which handles my ISP uplink and 3 concurrent VPN connections to different gateways, accessible via individual VLANs. I want to allow IP clients on my network to switch the used VPN tunnel (and country exit point) from a website, but haven't gotten around to it yet. But the routing works, so let me know if you'd like to see.
Yes, the AES stuff is undoubtedly the reason that it will not work. A while ago there were a few threads that discussed the issue, and we had hopes that it would be fixed soon after OpenVPN added the support for AES natively, but the threads died when a malicious user made an army of clone accounts and voted down every thread I or @VPN ever made a post in.
I lost 1200 posts in one night. @VPN fared about the same if my memory is correct. And there were many other victims and many good threads lost as well. Thread voting was disabled, and the trolling has stopped. But the threads where this was discussed are gone for good now.
But the last thing I recall was someone from PIA saying this was a thing they intended to fix. I could be remembering it wrong, but that is what I remember.
*Edit* Ninja'ed by @VPN due to my slow key-pecking...
I think the fact that the PIA client expects things to work one way that OpenVPN cannot accept or work around is the problem. The servers are trivial compared to tens or hundreds of thousands of users running a hundred different versions of the custom PIA application.
The client cannot force a user to update, and that may one day be required.
I don't think PIA has patched OpenVPN substantially. As far as I know, all the settings that PIA Manager offers for crypto are possible with OpenVPN itself, it's just that the servers don't accept them if we set them in the config files. You can see that other VPN companies offer the same settings, but natively for OpenVPN, not any client software.
Even if they did modify OpenVPN in a way that's needed for these settings to work, I feel that they should still publish this information, so that all customers can make use of it. As it is now, OpenVPN users (everyone with VPN on a router) can't access crypto settings that PIA uses to advertise their service with. They don't explain this restriction when signing up. Some countries in the world might see this as fraudulent advertising.