PIA and OpenVPN V2.5

MendozaDOD

Cadet
Joined
Nov 1, 2020
Messages
5
Just thought I'd give everyone a heads up: I've been trying to set up a jail that uses the new OpenVPN V2.5 to connect to PIA's (Private Internet Access) VPN servers.

With OpenVPN 2.5 they changed the default ciphers that it can use, and the standard config files used in V2.4 and earlier that use (AES-128-CBC+SHA1) no longer work. What I've found so far is that only the Fourth Generation Strong configuration files work, which use AES-256-CBC+SHA256. Not all of PIA's servers support these connections :(

The Fourth Gen config files can't be found on PIA's standard OpenVPN Config Files area. I was only able to find them here: https://www.privateinternetaccess.com/helpdesk/kb/articles/where-can-i-find-your-ovpn-files

And... Yes this all does work with 12.1-RELEASE-p10 jails :)

Hope this helps

Mannekino

Patron
Joined
Nov 14, 2012
Messages
332
Hi, I've encountered this issue also and posted in the general thread about various jail plugins. I've managed to get the OpenVPN connection working with PIA and the nextgen servers and configuration, but now the port forwarding no longer works, so I reverted back to the normal servers and added the cipher to the OpenVPN configuration file.

From my other post: https://www.truenas.com/community/t...ansmission-organizr.55502/page-47#post-612848

My custom port forwarding script is up and running without any issues; it's based on the official scripts. Are they not working for you, or are you using something else?

I used an old one, but it worked prior to the update from OpenVPN and the switch to the nextgen servers.

I've tried downloading those scripts you linked. They wouldn't run at first in the jail because #!/bin/bash didn't work, so I changed it to #!/bin/sh and now I get the following error when running the get_region_and_token.sh script.

Code:
# ./get_region_and_token.sh
./get_region_and_token.sh: 23: Syntax error: "(" unexpected


Also, when I run the run_setup.sh script I can't get past the first entry; after I enter my username the script terminates with an error that says I didn't enter my password.

Code:
# ./run_setup.sh

PIA username (pNNNNNNN): test

PIA password: read: Illegal option -s

Password is required, aborting.


There must be something wrong with my Jail or maybe I don't have the required packages. I did install everything they said in the README.md file.

Don't know how to proceed. Could you share your script and OpenVPN configuration?

MendozaDOD

Cadet
Joined
Nov 1, 2020
Messages
5
My setup isn't nearly as complicated. Mine is a Transmission jail with OpenVPN installed on it to VPN to PIA. I used this procedure for the most part: https://www.reddit.com/r/freenas/comments/41fhz3/configuration_guide_for_openvpn_and_ipfw_so_that/


I've always had to change dev tun to dev tun32 to connect to PIA. And now, of course, I just create my own openvpn.conf and paste in the contents of the Gen4 Strong connection file.

I did read the OpenVPN 2.5 setup documents and did try to specify --data-cipher with "AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC" because the OpenVPN log entries showed it was initially trying to use BF-CBC (which is one of the ciphers removed from the default setup in 2.5) -> I couldn't get this to work. All the docs show it being used on the command line before specifying the config file, but since we're running OpenVPN as a service I know it will need to be done differently, and I couldn't get it to work. I'm a noob when it comes to Linux and FreeBSD; maybe someone with more experience can figure it out...

Mannekino

Patron
Joined
Nov 14, 2012
Messages
332
Are you having issues with IPv6 with the nextgen servers? It seems my OpenVPN wants to configure an IPv6 connection and it doesn't work properly, and then I get a bunch of errors in the log that OpenVPN can't connect to IPv6 addresses.

colmconn

Contributor
Joined
Jul 28, 2015
Messages
174
Adding the following to my nextgen ovpn config file eliminated the IPv6 errors for me.
Code:
pull-filter ignore "ifconfig-ipv6 "
pull-filter ignore "route-ipv6 "

Mannekino

Patron
Joined
Nov 14, 2012
Messages
332
Adding the following to my nextgen ovpn config file eliminated the IPv6 errors for me.
Code:
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"

Doesn't seem to work for OpenVPN, is ovpn something else?

Is there a particular place I need to put those?

Edit: it seems the location of these variables is important. I first added them after the dev tun line, but that caused the connection to fail. I then put them right before the <crl-verify> part like this. On another site I saw a space after the route-ipv6; no idea if that is actually needed, but I kept it in :rolleyes:

Code:
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6 "
<crl-verify>


It seems to be working :smile: so far, the errors are gone. But now I'm waiting to see if the port forwarding keeps working.

MendozaDOD

Cadet
Joined
Nov 1, 2020
Messages
5
Maybe the placement within the ovpn file was causing my attempts at using data-cipher AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC to not work. I was placing it before cipher aes-128-cbc. I bet it needs to be specified before dev tun. When I have a bit of time I'll dive into this and report back.

MendozaDOD

Cadet
Joined
Nov 1, 2020
Messages
5
I had a chance to do some testing using data-cipher AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC on Standard Fourth Gen and Third Gen Strong config files. All of these older strong and standard connection files connect to the same servers, and the only difference is which cipher is being specified for the connection to use. According to the logs, when connecting to these servers OpenVPN 2.5 opens the tunnel with the PIA server, but when switching from BF-CBC to AES-256-CBC or AES-128-CBC it closes the tunnel (the log says it needs to be reopened to use the different cipher) and the connection fails. I even tried using auth sha256 as well, but same result.

This tells me OpenVPN 2.5 has separated what they believe is "secure" and "unsecure" connections based off their initial negotiated cipher and don't allow switching a tunnel from one to the other. Because PIA's older strong and standard servers require BF-CBC to start the process and then switch ciphers to the one specified using data-cipher or cipher I don't see any way of connecting to these servers. I was going to include some lines from the logs but my NAS motherboard died last night and I'm scrambling trying to find a replacement.

So in short: for OpenVPN 2.5, only use the Fourth Gen Strong config files for PIA. They can be found here - https://www.privateinternetaccess.com/helpdesk/kb/articles/where-can-i-find-your-ovpn-files (PIA just removed the older ones from this article and only lists Fourth Gen now)

According to OpenVPN's support info we're in for some more hiccups when V2.6 gets released, as they are deprecating some options :frown:
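The two recurring problems in this thread are the 2.5 cipher change (MendozaDOD's `data-cipher` attempts above) and where the IPv6 `pull-filter` lines go (colmconn's and Mannekino's posts). The script below is an added example written for this thread, not code from PIA, OpenVPN or any poster. It rewrites an existing PIA .ovpn for OpenVPN 2.5: the deprecated `cipher X` line becomes `data-ciphers AES-256-GCM:AES-128-GCM:X` plus `data-ciphers-fallback X` (these plural option names are OpenVPN 2.5's; `--data-cipher` without the s does not exist), and the two IPv6 `pull-filter` lines are inserted just before the first inline `<...>` block so they can never land inside `<crl-verify>` or `<ca>`. The sample config and the `vpn.example.com` remote are constructed for the demo; a real PIA file is assumed to have the same shape.

```shell
#!/bin/sh
# Added example for this thread (not PIA's or OpenVPN's own code).
# Reads a PIA-style .ovpn on stdin and prints a copy adjusted for OpenVPN 2.5.
# Assumptions: the input uses 'cipher X' (2.4 style) and inline <...> cert
# blocks; 'data-ciphers' / 'data-ciphers-fallback' are the 2.5 option names.

# True when an 'openvpn --version' banner reports 2.5 or newer, so the caller
# can decide whether the rewrite is needed at all (2.4.x still honours 'cipher').
is_openvpn_25_or_newer() {
    major=$(printf '%s\n' "$1" | sed -n 's/^OpenVPN \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1/p')
    minor=$(printf '%s\n' "$1" | sed -n 's/^OpenVPN \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\2/p')
    [ -n "$major" ] || return 2          # not an OpenVPN version banner at all
    if [ "$major" -gt 2 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -ge 5 ]; then return 0; fi
    return 1
}

# Rewrite a config read from stdin; result on stdout.
#  * 'cipher X'  -> 'data-ciphers AES-256-GCM:AES-128-GCM:X' (NCP servers can
#                   still pick GCM) + 'data-ciphers-fallback X' (no-NCP servers)
#  * the IPv6 pull-filters are (re)inserted before the first inline <...> block;
#    any existing copies are dropped first, so running this twice is harmless.
rewrite_pia_config() {
    awk '
        function ipv6_filters() {
            print "pull-filter ignore \"ifconfig-ipv6 \""
            print "pull-filter ignore \"route-ipv6 \""
        }
        /^[ \t]*pull-filter[ \t]+ignore[ \t]+"(ifconfig|route)-ipv6/ { next }
        /^[ \t]*</ && !done { ipv6_filters(); done = 1 }
        /^[ \t]*cipher[ \t]/ {
            c = toupper($2)
            print "data-ciphers AES-256-GCM:AES-128-GCM:" c
            print "data-ciphers-fallback " c
            next
        }
        { print }
        END { if (!done) ipv6_filters() }
    '
}

# Constructed sample in the shape of a PIA "standard" 2.4-era config.
# The remote and the cert/CRL bodies are placeholders, not real PIA data.
sample_config() {
    cat <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass
<crl-verify>
-----BEGIN X509 CRL-----
PLACEHOLDER-NOT-A-REAL-CRL
-----END X509 CRL-----
</crl-verify>
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CA
-----END CERTIFICATE-----
</ca>
verb 3
EOF
}

# Demo on the constructed sample: no network and no openvpn binary needed.
sample_config | rewrite_pia_config
```

In a jail you would run `rewrite_pia_config < old.ovpn > new.conf` and point the OpenVPN service at the result; the `is_openvpn_25_or_newer` check takes the first line of `openvpn --version` so the same script can be left alone on a 2.4.x jail. The fallback cipher is whatever the old file named, so an older PIA server that never negotiates still gets the cipher it expects.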

sp00nlude

Dabbler
Joined
Sep 10, 2016
Messages
21
Hi guys, I'm using PIA with OpenVPN in my Transmission jail. Recently I noticed the tun01 adapter is missing and transmission can't connect to any tracker. I am able to ping google.com from within the jail though. Does this server change from PIA require me to update something or do I have a different problem?

Edit: this was the problem for me. I downloaded and replaced the files for the nextgen servers and rebooted; everything is working fine again.

MendozaDOD

Cadet
Joined
Nov 1, 2020
Messages
5
This would only be your issue if your OpenVPN version is 2.5 -> type openvpn --version in the jail's shell. If you're running an earlier version then there are many reasons you could be having this issue -> check the OpenVPN logs in /var/log/messages and they should point you in the right direction.

sp00nlude

Dabbler
Joined
Sep 10, 2016
Messages
21
This would only be your issue if your OpenVPN version is 2.5 -> type openvpn --version in the jail's shell. If you're running an earlier version then there are many reasons you could be having this issue -> check the OpenVPN logs in /var/log/messages and they should point you in the right direction.

Hmm...I have 2.4.9 installed but after updating to the nextgen config files everything is working again.