PIA OpenVPN Client Encryption Patch
Closing this thread for the time being to avoid misinformation as it's not currently relevant. These set-ups have since been modified and are no longer relevant. Please refer to the following Help Center article instead: https://helpdesk.privateinternetaccess.com/hc/en-us/articles/218984968-What-is-the-difference-between-the-OpenVPN-config-files-on-your-website- - Dave R
We will also post compiled binaries for all OSs at some point in the near future
pia_openvpn_patch.tar.bz2
==README==
- apply pia_openvpn.patch to OpenVPN 2.2.2* (included in this archive) [ http://swupdate.openvpn.org/community/releases/openvpn-2.2.2.tar.gz ]
  - tar xf openvpn-2.2.2.tar.gz && cd openvpn-2.2.2 && patch < ../pia_openvpn.patch
- compile patched OpenVPN normally
  - ./configure --enable-password-save && make && sudo make install
- IMPORTANT: add the configuration option '--pia-signal-settings'
- to use a different cipher add the configuration option '--cipher CIPHER'
  - supported ciphers are:
    - AES-128: '--cipher aes-128-cbc' << recommended
    - AES-256: '--cipher aes-256-cbc'
    - Blowfish: '--cipher bf-cbc'
    - No Encryption: '--cipher none'
- to use a different authentication digest add the configuration option '--auth DIGEST'
  - supported digests are:
    - SHA1: '--auth sha1' << recommended
    - SHA256: '--auth sha256'
    - No Authentication: '--auth none'
- to use a different handshake encryption change the configuration option '--ca CERT'
  - supported handshake encryptions are:
    - RSA-2048: '--ca ca_rsa2048.crt' << recommended
    - RSA-3072: '--ca ca_rsa3072.crt'
    - RSA-4096: '--ca ca_rsa4096.crt'
    - ECC-256k1: '--ca ca_ecdsa256k1.crt'
    - ECC-256r1: '--ca ca_ecdsa256r1.crt'
    - ECC-521: '--ca ca_ecdsa521.crt'
- for more information on vpn encryption choices see https://www.privateinternetaccess.com/pages/vpn-encryption

* our patch also includes a security patch which 2.2.2 requires ( https://github.com/OpenVPN/openvpn/commit/11d21349a4e7e38a025849479b36ace7c2eec2ee )

Comments
pia_openvpn_patch.tar.bz2
pia_openvpn_x86
pia_openvpn_x64
pia_openvpn_x86.osx
pia_openvpn_x64.osx
win32.zip
win64.zip
openvpn-2.2.2.tar.gz
Thanks PIA!
I'll be checking it out in a few days and let you know what I think.
Needless to say, apparently I was mistaken about PIA patching OpenVPN
Why not patch the latest version instead (2.3.6)?
I have taken the above 64bit binaries, and replaced the ones that ship with OpenVPN GUI.
I have copied a config file, and added/changed the following:
- cipher aes-256-cbc
- auth sha256
- ca ca_rsa4096.crt #got this file from the patch archive above
- pia-signal-settings
- link-mtu 1542
I can connect to the VPN fine (to remote aus.privateinternetaccess.com on port 1194), however I get the following warnings:
Does the above log mean that SHA256/AES256 are not being used?
Does it use the server settings instead?
Should I be connecting on a different port number or change my config in some way?
I'm also wondering if there are any changes to my MTU I should make? I'm on ADSL2, and my MTU is 1492. If setting it to something more appropriate in the OpenVPN connection config file will result in less fragmentation I'm happy to take suggestions!
Thank you kindly for any advice.
Edit: Formatting.
"link-mtu 1542"
Change it to 1450 or less. 1500 is the maximum size any packet can be, and is reduced in tunneled packets by the tunneling overhead.
"--pia-signal-settings"
And this needs to be in the shortcut you use to start. (The two dashes at the start tell me it is a command line suffix, rather than a config addition. Leave it in the config and try adding it to your shortcut and see if that helps.)
Now I am getting:
As stated in my earlier post, I am using the OpenVPN GUI to connect. This is convenient because I can right click on the system tray icon and choose what country I want to connect to. I tried adding --pia-signal-settings to the shortcut, however it refuses to start with this unrecognised option.
AFAIK there is no way to tell OpenVPN GUI to include an extra parameter when calling openvpn.exe
I think I'm going to have to:
I've got three avenues to try. Until I get the time to try them, I will just revert to using the standard .ovpn files I downloaded.
Thanks for your help!
I have also compared the OpenVPN logs generated between the PIA and OpenVPN Clients. They both have the same warnings.
It's my belief that putting pia-signal-settings in the .ovpn file is enough to connect with the chosen settings. Increasing the verbosity to 1, I can see that both methods result in the following being logged:
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
The warnings are just 'warnings' and I'm guessing just show the different default settings the client & server have. I imagine they agree upon a setting they both like during some handshake/negotiation process.
So in the end I don't really need to do anything besides drop in the patched 2.2.2 openvpn binaries, and add/change the following settings in the .ovpn file
- cipher aes-256-cbc
- auth sha256
- ca ca_rsa4096.crt
- pia-signal-settings
and it's good to go. OpenVPN GUI will connect fine.
Commenting out "crl-verify crl.pem" in the .ovpn file removes the certificate issuer warning - I'm thinking it's just a server setting for specifying certificates that are to be immediately revoked: https://openvpn.net/index.php/open-source/documentation/howto.html#revoke
Thanks again for these binaries - I'm going to use them moving forward.
See these extracts from my log (I removed the timestamps to save space):
Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
These are from unpatched binaries, without any special encryption settings in the config.
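The README's option list and the log extracts in this thread lend themselves to a small checker. The following is an added example written for this thread, not code from PIA or from the OpenVPN project. It parses an .ovpn file (the same option parser handles '--opt' on the command line and 'opt' in the file), flags a missing 'pia-signal-settings' and the '--cipher none' / '--auth none' choices from the README, then reads the 'Data Channel' and 'Control Channel' lines from an OpenVPN log in the format of the extracts posted above and reports where what is actually in use differs from what the config asked for. The sample config and sample log lines are constructed; the fallback defaults bf-cbc/sha1 are what the unpatched log above shows when no cipher/auth is configured.

```python
"""Check a PIA-patched OpenVPN 2.2.2 setup from both ends: the options in the
.ovpn file, and what the OpenVPN log says was actually put into use.
Added example for this thread, not code from PIA or the OpenVPN project; the
option names and cipher/digest spellings are those in the README above and
the log formats follow the extracts posted here.  Sample data is constructed."""
import re

# Values the README lists as supported by the patch.
CIPHERS = {"aes-128-cbc", "aes-256-cbc", "bf-cbc", "none"}
DIGESTS = {"sha1", "sha256", "none"}


def parse_ovpn(text):
    """Map option name -> argument list.  '--opt' on the command line and 'opt'
    in the file are the same option; '#' and ';' start comments."""
    opts = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            opts[name.lstrip("-")] = args
    return opts


def requested(opts):
    """Cipher and digest the config asks for; OpenVPN 2.2 falls back to
    BF-CBC / SHA1 when they are absent (see the unpatched log above)."""
    cipher = (opts.get("cipher") or ["bf-cbc"])[0].lower()
    auth = (opts.get("auth") or ["sha1"])[0].lower()
    return cipher, auth


def check_config(opts):
    """Things to fix before connecting, judged against the README's option list."""
    cipher, auth = requested(opts)
    out = []
    if "pia-signal-settings" not in opts:
        out.append("missing 'pia-signal-settings': the server is never told your cipher/auth choice")
    if cipher not in CIPHERS or auth not in DIGESTS:
        out.append(f"cipher '{cipher}' / auth '{auth}' are not both in the patch's supported lists")
    if cipher == "none":
        out.append("cipher none: the data channel goes out in the clear")
    if auth == "none":
        out.append("auth none: data packets carry no HMAC, so tampering goes undetected")
    if "crl-verify" in opts:
        out.append("crl-verify is set: the CRL must come from the CA in 'ca', or you get an issuer warning")
    return out


# Log lines in the shape of the extracts posted above.
CIPHER_RE = re.compile(r"Data Channel (Encrypt|Decrypt): Cipher '([^']+)' initialized with (\d+) bit key")
HMAC_RE = re.compile(r"Data Channel (Encrypt|Decrypt): Using (\d+) bit message hash '([^']+)' for HMAC")
CONTROL_RE = re.compile(r"Control Channel: (\S+), cipher \S+ (\S+), (\d+) bit (\w+)")


def negotiated(log):
    """In-use data-channel cipher/HMAC per direction and control-channel TLS parameters."""
    got = {}
    for line in log.splitlines():
        if m := CIPHER_RE.search(line):
            got[m[1].lower() + "_cipher"] = (m[2], int(m[3]))
        elif m := HMAC_RE.search(line):
            got[m[1].lower() + "_hmac"] = (m[3], int(m[2]))
        elif m := CONTROL_RE.search(line):
            got["control"] = (m[1], m[2], int(m[3]), m[4])
    return got


def compare(opts, got):
    """Did the settings you asked for end up in use?  Returns the mismatches."""
    want_cipher, want_auth = (s.upper() for s in requested(opts))
    issues = []
    for direction in ("encrypt", "decrypt"):
        for kind, want in (("cipher", want_cipher), ("hmac", want_auth)):
            used = got.get(f"{direction}_{kind}")
            if used and used[0].upper() != want:
                issues.append(f"{direction} {kind}: config asks for {want}, log shows {used[0]}")
    return issues


# Constructed .ovpn using the settings the poster above ended up with.
SAMPLE_OVPN = """\
remote aus.privateinternetaccess.com 1194
cipher aes-256-cbc
auth sha256
ca ca_rsa4096.crt  # from the patch archive
pia-signal-settings
"""

# Constructed log in the format of the unpatched extract above (timestamps removed).
SAMPLE_LOG = """\
Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
"""

if __name__ == "__main__":
    opts = parse_ovpn(SAMPLE_OVPN)
    print("\n".join(check_config(opts) + compare(opts, negotiated(SAMPLE_LOG))))
```

Run as-is, the sample pairs the aes-256-cbc/sha256 config with the unpatched BF-CBC/SHA1 log, so compare() reports a mismatch in both directions; that is exactly the situation the warnings in this thread are about, and the 'Data Channel' lines, not the warnings, are what tells you which settings are really in use. To check your own setup, read the .ovpn file into parse_ovpn() and the saved OpenVPN log into negotiated().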
OpenVPN does use the same logic to parse options from the command line and the configuration files, so it should indeed work if put into the configuration file.
The warnings about mismatched ciphers are indeed warnings, but please note that OpenVPN overrides the settings from the configuration with options it receives from the peer/server - if you and the server used different encryption settings, you couldn't read each others packets and no data will be transmitted (I've had this happen).
If the CRL is only provided with one of the CAs' signatures, the warning will only disappear if you select that CA. Maybe a way around this could be using capath additionally to ca. I'm not sure if OpenVPN supports both options at the same time, but perhaps you'd like to try
This makes your statement "but please note that OpenVPN overrides the settings from the configuration with options it receives from the peer/server" seem incorrect - at least with the patched binaries I am using.
Yesterday I switched to using the "ca.crt" file included in the PIA Manager, instead of "ca_rsa4096.crt" in the PIA openvpn patch. Combined with commenting out "crl-verify crl.pem" I no longer have warnings about certificates/issuers.
So everything is fine :-) At some point I might look at configuring the right MTU, however I won't get to that for a while.
Thanks for the discussion guys - it's always good to learn something new!
use verb 5 to see more info.
If you want to give users a choice regarding their crypto settings, you will either have to use different ports or a different set of IP addresses for each combination of crypto and MAC and CA. OpenVPN doesn't natively allow negotiating these at runtime (nor does TLS). PIA's patch adds this ability, meaning you can run different settings (per user) from the same IP address and port.
I would guess that most competitors only offer one setting, which might not fit all purposes.
However, if PIA were to come out with an industry leading configuration generator which the user could use to generate an ovpn config with the necessary certs and keys and settings for the config wanted, it could be done.
But so far PIA have only wanted to conform everybody to their way - their app, and now their hacked version of openvpn.
Can you give an example of a VPN provider that has choice via config file alone? I'd love to see how they accomplish it.
But regarding ports, does that really matter? I've tested the PIA app with different settings and it always uses the port that I've specified. It's not changing depending on the config. But, I suppose their hacked openvpn triggers something in the server that other clients can't and is therefore able to use the other encryption settings.
Any more updates? Look forward to this being integrated into the PIA client.
What updates are you looking for?
Which OpenVPN version is included in current the PIA Manager release?