OpenVPN - privateinternetaccess help

I have been trying for a couple of months now to get this going on my RB2011-UAS-2HnD router. I even went to the point of using a DD-WRT router :frowning: so I could use the VPN capabilities, as I couldn't get it going with my MK.

Also, I have watched every tutorial going with no luck.

Could someone please lay out the proper setup to connect as an OVPN client with the Privateinternetaccess service?
Below is a cut and paste from the DD-WRT setup, if that helps. Also, they provide a ca.crt file which I have tried to upload, but the router complains about the certificate they provide.

I am trying to set this up on my MK so that certain devices access the VPN for internet and others use a straight connection to the ISP.
Any help would be appreciated, as I am going on holidays next week, allowing me time to work on getting this up and going. They also have an option but the link will not stay established.

“DD-WRT: VPN OpenVPN Setup
Access the Administration area and then go to Commands and finally Startup.
Enter the following:
echo username >> /tmp/password.txt
echo password >> /tmp/password.txt
/usr/bin/killall openvpn
/usr/sbin/openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --down-pre /tmp/openvpncl/route-down.sh --daemon
Access the VPN tab found under the Services section.
Enable the OpenVPN Client.
Set the Server IP/name to us-east.privateinternetaccess.com [*].
Set the Port to 1194.
Set the Tunnel Device to TUN.
Set the Tunnel Protocol to UDP.
Set the Encryption Cipher to Blowfish CBC (Default).
Set the Hash Algorithm to SHA1.
Set the nsCertType to unchecked.
Set the Advanced Options to Enabled.
Set Use LZO Compression to Enable.
Set NAT to Enable.
In the Additional Config enter the following:
auth-user-pass /tmp/password.txt
persist-key
persist-tun
tls-client
remote-cert-tls server
Copy and paste the contents of ca.crt found in our OPENVPN CONFIG FILES, into the CA cert field.”

Thanks in advance
Derek

I admire your patience. :wink:

Set the Tunnel Protocol to UDP.
Set Use LZO Compression to Enable.

Not supported in RouterOS. You can either use Metarouter, run OpenWRT inside and set up OpenVPN client there. Or switch to PPTP or L2TP/IPSec, that service of yours lists them as supported.

Well, no luck with PPTP and L2TP.
I will post the setup steps that I have been trying below. I am able to get “link established” then “terminating… - failed to authenticate ourselves to peer”

The setup I have tried is from hidemyass and strongvpn.
Both end up with the same results.

hide my ass.
PPTP Setup


When creating a PPTP VPN connection, make sure to enter the following data in the fields:

Name: Anything you want, but if creating multiple connections it makes sense to name them like “privateinternetaccess”
Connect To: One of our server IPs from the list at “PPTP servers” in the VPN control panel
Max MTU + Max MRU: Set to 1400
User: Your VPN account username
Password: Your PPTP password. Get it at the above mentioned page “PPTP servers”
Check “Dial On Demand” to ensure that the connection is being dialed when needed but disconnected.
Check “Add Default Route” to ensure correct traffic routing.
Allow: Leave all authentication methods checked, as it should be by default already.
Leave the “Enabled” checkbox unchecked, we still have to do some things.
Click on “OK”.

Now please go to “IP” tab and select “Firewall” and “NAT”.
In “Chain”, select “srcnat”, and check the “Enabled” checkbox.
In “Out. Interface”, select the name of the PPTP VPN connection you just created and check its checkbox.
In “Action”, select “Masquerade”.
Click “OK”.

Go to the “Mangle” tab, select “Add new”.
In “Chain”, select “prerouting”.
In “Src. Address”, enter the IP range you want to have routed through the VPN connection. To route all IPs in the Mikrotik router's subnet (assuming the router is 192.168.88.1), enter “192.168.88.2-192.168.88.254”. Check the checkbox next to this field.
In “Action”, select “mark routing”.
In “New Routing Mark”, here enter any name for the routing mark, e.g. “PPTP RM”
Click “OK”.

Go to “IP” and then to “Routes” and “Add New”.
Dst. Address: has to be “0.0.0.0/0”.
Gateway: Here enter the name of the VPN connection you created. (e.g. “privateinternetaccess”)
Routing Mark: select the routing mark you created before. (e.g. “PPTP RM”)
Click “OK”.

Go to “IP” and then to “DNS”.
Select “Static” and now “Settings”
Check “Enabled”
In the “Servers” fields, enter OpenDNS servers, “8.8.8.8” into one field, and “8.8.4.4” into another.
Check “Allow Remote Requests”.
Click “OK”.

Now it depends: if you’ve set your gateway router to set the IPs for its connected devices automatically via DHCP, you need to change the DHCP-client settings of the Mikrotik router - otherwise it will override the DNS settings you’ve just set.
If you have set all IPs in your network manually, you can skip this step →
Go to “IP” and “DHCP Client”.
Doubleclick your dhcp entry and then uncheck “Use Peer DNS”.
Now click “OK.”

That’s all, now we’re going to test the PPTP connection.
Go back to “PPP” and doubleclick your PPTP connection.
Check the “Enabled” checkbox and click on “Apply”.
Above at “Status:” you’ll see the connection status, which should be → Dialing, Authenticating, Connected
Below at “Uptime” you can check how long the connection is active and if it is stable.

Should you not get connected, you can check the “Log” for details."



The strong vpn setup is much the same.

There has to be a simple reason why I cannot connect.

Please help.

Derek

I don’t use PPTP often, but “failed to authenticate ourselves to peer” sounds like wrong username or password.

Btw, did you switch to hidemyass, or did you just find instructions there? Because if you switched, you might have some luck with OpenVPN. Unlike that first provider, they also have OpenVPN on TCP and without LZO:

client
auth-user-pass
ping 5
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
verb 3
route-metric 1
proto tcp
ping-exit 90
remote <address> 443

I hope I did not miss anything, but to me it looks like it should work with RouterOS.

No, I didn't switch to hide my ass.
Both Hidemyass and strongvpn have the same setup instructions, so that is what I followed.
My username and password are correct, I know that for sure.

Is there any way you can make the code below into something that can be inputted with winbox or webcfg?

I am thinking about trying hidemyass but have paid for a year with privateinternetaccess. When it does work with the other router I get speeds over 40mBs, so it rocks.

Derek

Few ideas:

As a test, try to connect using PPTP not from router, but from your computer. Not that I don’t believe you about correct login, I’m sure you double-checked it and everything. But “failed to authenticate ourselves to peer” is the exact message I get when I enter wrong username or password (I just tried it).

In RouterOS, enable PPTP logging under System/Logging, it might show some useful info.

If you mean that OpenVPN config I posted, it’s just a sample from hidemyass, it won’t work with privateinternetaccess. And it’s nothing special, basically it means to enter server address, port, username and password, select mode “ip” and that’s all.
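
The two points made in the replies above (RouterOS lacking UDP and LZO, and an OpenVPN client config reducing to server address, port and mode “ip”) can be checked mechanically. This is an added Python example, not part of any post or of either provider's instructions; the function names are hypothetical and the PIA sample is constructed from the DD-WRT settings quoted in the first post.

```python
# Added example: checks an OpenVPN client config against the two RouterOS
# limits named in this thread (no UDP transport, no LZO compression).

def parse_ovpn(text):
    """Return {directive: [args, ...]} for each non-comment config line."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        conf.setdefault(name, []).append(args)
    return conf

def routeros_blockers(conf):
    """List the reasons this config cannot be used on RouterOS as-is."""
    problems = []
    remote = conf.get("remote", [[]])[0]
    # `remote host port proto` overrides `proto`; with neither, OpenVPN uses UDP.
    proto = remote[2] if len(remote) > 2 else (conf.get("proto") or [["udp"]])[0][0]
    if not proto.startswith("tcp"):
        problems.append("transport is " + proto + ", thread says UDP is unsupported")
    if "comp-lzo" in conf or "compress" in conf:
        problems.append("compression is configured, thread says LZO is unsupported")
    return problems

def ovpn_client_fields(conf):
    """Values to enter in the RouterOS OVPN client dialog (address, port, mode)."""
    remote = conf["remote"][0]
    dev = (conf.get("dev") or [["tun"]])[0][0]
    return {
        "connect-to": remote[0],
        "port": int(remote[1]) if len(remote) > 1 else 1194,  # OpenVPN default port
        "mode": "ip" if dev.startswith("tun") else "ethernet",  # tun = ip, tap = ethernet
    }

# Constructed from the DD-WRT settings quoted in the first post.
PIA_SAMPLE = """remote us-east.privateinternetaccess.com 1194
dev tun
proto udp
comp-lzo
auth-user-pass /tmp/password.txt
remote-cert-tls server
"""
# The TCP sample posted in the reply above, placeholder address kept.
TCP_SAMPLE = "client\nauth-user-pass\ndev tun\nproto tcp\nremote <address> 443\n"

if __name__ == "__main__":
    for label, text in (("PIA", PIA_SAMPLE), ("TCP sample", TCP_SAMPLE)):
        conf = parse_ovpn(text)
        print(label, routeros_blockers(conf) or ovpn_client_fields(conf))
```

A config with no `proto` line is reported as UDP, since that is what OpenVPN falls back to.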

f111th
any luck with configuring l2tp (or maybe ovpn) for privateinternetaccess?

In case anyone is still looking for an answer to this, I changed one thing and it's working for me.

Now please go to “IP” tab and select “Firewall” and “NAT”.
In “Chain”, select “srcnat”, and check the “Enabled” checkbox.
In “Out. Interface”, select the name of the PPTP VPN connection you just created and check its checkbox.
In “Action”, select “Masquerade”.
Click “OK”.

In “Out. Interface” I selected ether1 instead of the PPTP VPN connection you just created and everything is running stable and sweet to the PIA server I choose.

I also set WISP AP in Quick Set before starting the above process but don’t know if that is related or not.

Please report back if it works for you.