I was wondering whether yourself or anyone could tell me if this can be used with versions of OpenVPN later than 2.2.2? I have tried it on version 2.3.4 (using the GUI) and it seemed to work ok aside from the MTU & Cipher inconsistency I mentioned above. But I'm not a dev or very knowledgeable about VPN setups and so I can't be sure if it's still secure or not.
Can anyone confirm?
No reason to use a version later than 2.2.2. It does not increase your security or privacy in any way. PIA uses a different setup for 2.2.2 so it will not be vulnerable to many things that vanilla 2.2.2 is.
I consider myself much more technically inclined than the average person but, like anyone, I have my strengths and weaknesses and I had some trouble getting this patched OpenVPN to work with advanced encryption.
You don't have to be a cryptographer or a tech genius to realize the advantage of stronger encryption, though, so I thought I'd put up a short layman's guide on how to implement the patched OpenVPN.
Some assumptions:
1. You're using OpenVPN GUI and are comfortable with its typical use - connecting, disconnecting, choosing servers, etc.
2. You're using Windows. I'm using Windows 7 64-bit so the guide is based on that.
3. You know whether your Windows OS is 64-bit or 32-bit.
4. You understand file directories and can find/navigate to the correct folders and files.
Here we go:
Step 1 - Download the patched files and certificates found in the first post or in OmniNegro's post immediately following.
Download the pia_openvpn_patch.tar.bz2 archive - it contains the .crt files you will need.
a. If on 64-bit Windows, download the win64 archive.
b. If on 32-bit Windows, download the win32 archive.
Step 2 - Unpack the archives to a folder of your choice, preferably somewhere you can find them easily so you can delete them when you're done. I use WinRar archiver but WinZip should work too.
Step 3 - Navigate to where you have OpenVPN installed and open the "bin" folder. Default path is C:\Program Files\OpenVPN\bin for 64-bit Windows. If it's not there check Program Files (x86).
You're going to copy and replace all files from "win64.zip" (win32.zip if on 32-bit Windows) to your OpenVPN\bin folder. Exit OpenVPN GUI and make sure openvpn.exe is stopped via task manager. If you want, before you copy the new files, you can add the ".bak" file extension to the end of each existing file as seen below. This renders the existing files inoperable and effectively turns them into backup copies of themselves. This is just in case you have problems or want to revert so you don't have to completely reinstall OpenVPN. You can restore them simply by removing the ".bak" extension. Ignore the New Folder I have in the picture.
Step 4 - Navigate to your OpenVPN\Config folder. You're going to copy files ending in ".crt" from pia_openvpn_patch.tar.bz2 into this folder. You only need to copy the one you want to use but you can copy them all if you're not sure yet. OpenVPN will only call the one you name in the .ovpn config file (shown in step 5***).
Step 5 - Make necessary changes to your .ovpn config files. You only need to change one file to start so that you can make sure it's working, then you can worry about updating the others.
In the picture below, the left is the CA North York.ovpn config file as it came from PIA in the default config files download available here: https://www.privateinternetaccess.com/openvpn/openvpn.zip
(I put each parameter on its own line for convenience)
On the right is the same config file with changes made to use stronger encryption. Your new config file should look exactly like the one on the right. Save the config file after making changes.
I am not an expert on OpenVPN configuration - this is the config file layout that is working for me. Others feel free to make suggestions.
***As mentioned in step 4, OpenVPN will look for the .crt file specified in the config file. In this case, it is "ca_rsa4096.crt" so that is the only .crt you need to copy in step 4 for this setup.
NOTE: The config file shown on the right specifies the following encryption standards:
AES 256
SHA 256
RSA 4096
You can change the encryption used by changing these parameters (see first post by Support); that's the point of this patch. I am by no means an authority on encryption so please do research and ask questions if you want to use a different configuration than above. See more here: https://www.privateinternetaccess.com/pages/vpn-encryption#data_encryption
Step 6 - Use OpenVPN GUI to connect using the modified config file. Watch the dialog. It should look like the picture below. If the dialog goes by too fast, a text version can be found in OpenVPN\log. It will have the same name as the config file used to connect. You are checking here to make sure it is using your specified encryption settings. Looking at the information in the black box we can see that it is!
NOTE: Apparently, the warnings can be ignored although some of us are still looking into the 'link-mtu'/'tun-mtu' error.
* I used the CA North York config file as my example in the guide and when doing screen captures but here you see CA Toronto is used. I did my testing by connecting to CA Toronto so that's why it's shown. No voodoo going on.
That's it!
Hi all! I need a guide on how to accomplish this patch like the one found on windows that I quoted above, but for the Mac Environment and even Linux if possible, such as Ubuntu. I hope I am not asking for too much. Is there a way to get this patch to work with the programs on the Mac known as Viscosity and Tunnelblick (Obviously)? Thanks!
Thank you for the guide. Really thank you heaps for this guide! I will be implementing this over the weekend and report back with any issues.
Since I am late to the party, can someone link me to detailed info or threads on here why we can ignore the warnings?
Also I see no mention of being able to pick a port. Would it be possible to use port 443 with OpenVPN for example? I think now all OpenVPN users using PIA have to use port 1194, right?
I don't believe there are any other 'useful' threads about the warnings. The pertinent info that is available is here in the thread. Without really knowing what's going on behind the scenes I'm only speculating but I think the warnings are the result of negotiations between client and server and how OpenVPN interprets and logs certain events.
With a standard OpenVPN GUI configuration and PIA supplied config files the cipher used is 128 bit Blowfish in CBC mode. That is what the PIA server expects to see. With different encryption settings specified, the warning is triggered but because of the patch the server is able to negotiate with the client the same way it would if using the PIA app.
This patch is really a workaround to address differences between PIA systems and the OpenVPN standard. It all stems from the fact that PIA had implemented AES256 encryption in their client before it was available in OpenVPN. PIA did it one way, OpenVPN did it another.
I believe the Link-MTU/Tun-MTU warning is the result of a similar situation. For the benefit of anyone who doesn't know MTU stands for 'maximum transmission unit' and is the maximum size of an individual packet. I think under some circumstances the value for MTU may also be negotiated between client and server and if there is a difference the result is fragmented traffic. I don't think this necessarily causes problems or performance issues unless you have a firewall that filters fragmented packets.
As for selecting a port, I'm not entirely sure. Looking at my network connections in Comodo firewall it appears the outgoing port is arbitrary but the destination port does have to be 1194.
I'm not a Mac user so I can't give you specific steps that I have tested/verified. I hate seeing people's questions go unanswered though.
At a minimum I can make a few suggestions. Download the OSX binaries from the first page. If the Tunnelblick app is available in both 32 and 64 bit, verify which version you have and download the matching binaries. You will need the certs in the pia_openvpn_patch.tar.bz2 download just like in the Windows guide.
I downloaded the OSX binary just to see if I could do anything with it but no dice and it's just a single file on my end. I don't know if it can be extracted in the Mac environment or if maybe it acts as an installer.
For the sake of giving myself a frame of reference I'm picturing Mac's file structure as being similar to Windows in that you have some directory where things are installed to. I've literally never even looked at a Mac before. The basic concept of applying the patch is locating the binaries that installed as part of the standard app (Tunnelblick) and replacing them (it?) with the patched one(s) you downloaded here. You should also search for 'ca.crt' and replace it with 'ca_rsa4096.crt' which is bundled in the pia_openvpn_patch.tar.bz2 archive. Your config files should be exactly the same as in the Windows guide. I'm making that assumption because per PIA's guide for setting up Tunnelblick they say to use their provided config files - they only have one default set. Here is their guide for your reference: https://www.privateinternetaccess.com/pages/client-support/osx10.10-openvpn-tunnelblick
I'm thinking PIA should be paying users that put up these guides. Lord knows they need the help with their software. Conversely, here's torguard's software guide, no matter the OS: https://torguard.net/downloads.php Click to install and you're done. Btw, once installed the clients update themselves. Also handy.
Shame there's no patch for the android openvpn client as I'd like to have higher encryption using it, I use that app instead of the official pia android client as I get much better speeds with it.
Just for fun I did try this guide by selecting the new ca 4096 certificate and setting up the openvpn app to use aes-256-cbc and sha256 but it fails to connect due to an error with the certificate file.
It's now 2016 and we are still using OpenVPN Client 2.2.2, which was released 5 years ago, with the latest version being 2.3.10. So much for security.
So many bugs and vulnerabilities have been patched in the many versions released since then. Someone's excuse is that the latest versions contain bugs; well, with that line of thought let's never patch anything ever again.
There have been plenty of updates since 2.2.2 and it needs to be everybody's concern that PIA refuses to support any of the more recent versions. PIA support stated that the reason they don't use an updated version is because Windows XP users will have issues. WTF... Microsoft does not even support Windows XP anymore, so why should everyone risk their network security because someone still uses an i386 computer?
Here is the Change Log of OpenVPN Client to show all the issues and vulnerabilities fixed since 2.2.2. Should I be concerned or not about using Client 2.2.2?
Concerning the RSA-2048 threat, there seems to be a fresh decryptor at http://sureshotsoftware.com/guides/locky/, maybe fake, but the source has lots of links throughout the internet.
Thanks in advance PIA :-)
Yes, they seem to be working now. There was some error for a day or two.
Jan 02 15:38:10: Viscosity Mac 1.5.11 (1314)
Jan 02 15:38:10: Viscosity OpenVPN Engine Started
Jan 02 15:38:10: Running on Mac OS X 10.11.2
Jan 02 15:38:10: ---------
Jan 02 15:38:10: Checking reachability status of connection...
Jan 02 15:38:10: Connection is reachable. Starting connection attempt.
Jan 02 15:38:11: OpenVPN 2.3.8 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Sep 23 2015
Jan 02 15:38:11: library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
Jan 02 15:38:31: UDPv4 link local: [undef]
Jan 02 15:38:31: UDPv4 link remote: [AF_INET]192.40.88.15:1194
Jan 02 15:38:32: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan 02 15:38:37: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1542'
Jan 02 15:38:37: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Jan 02 15:38:37: WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Jan 02 15:38:37: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Jan 02 15:38:37: [Private Internet Access] Peer Connection Initiated with [AF_INET]192.40.88.15:1194
Jan 02 15:38:39: TUN/TAP device /dev/tun0 opened
Jan 02 15:38:39: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jan 02 15:38:39: /sbin/ifconfig tun0 delete
Jan 02 15:38:39: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Jan 02 15:38:39: /sbin/ifconfig tun0 <MY ISP IP> mtu 1500 netmask 255.255.255.255 up
Jan 02 15:38:39: Initialization Sequence Completed
Jan 02 15:38:49: Authenticate/Decrypt packet error: packet HMAC authentication failed
Jan 02 15:38:59: Authenticate/Decrypt packet error: packet HMAC authentication failed
When I change to ca_rsa4096.crt in the config file and point to that .crt file in Viscosity, it's copied to the config folder.
After that the ca_rsa4096.crt is renamed to ca.crt and the config file edited, from "ca ca_rsa4096.crt" to "ca ca.crt".
I try to connect and the log says:
Jan 02 15:56:15: Viscosity Mac 1.5.11 (1314)
Jan 02 15:56:15: Viscosity OpenVPN Engine Started
Jan 02 15:56:15: Running on Mac OS X 10.11.2
Jan 02 15:56:15: ---------
Jan 02 15:56:15: Checking reachability status of connection...
Jan 02 15:56:15: Connection is reachable. Starting connection attempt.
Jan 02 15:56:16: OpenVPN 2.3.8 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Sep 23 2015
Jan 02 15:56:16: library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
Jan 02 15:56:29: UDPv4 link local: [undef]
Jan 02 15:56:29: UDPv4 link remote: [AF_INET]192.40.88.12:1194
Jan 02 15:56:29: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan 02 15:56:29: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, [email protected]
Jan 02 15:56:29: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Jan 02 15:56:29: TLS Error: TLS object -> incoming plaintext read error
Jan 02 15:56:29: TLS Error: TLS handshake failed
Jan 02 15:56:29: SIGUSR1[soft,tls-error] received, process restarting
Jan 02 15:56:32: SIGTERM[hard,init_instance] received, process exiting
Someone who can see what's wrong?