PIA OVPN broke need help with new setup (NextGen)

Hey everyone.

I always used PIA to unthrottle my remote network activity from my Veros and Pis, but they recently decided to drop all legacy connections. Some devices still work, but most are offline.

I need some help setting up a new VPN (or even WG setup) on all of my devices but one Vero4k in particular.
The structure is still intact; it auto-connects on start-up (set up through SSH, but I can’t for dear life remember how I did it).
It’s most likely just a DNS change and a couple of port changes (a little more if WG is supported with a killswitch), but I don’t know how to do it. I’ve been struggling with it for a few days now; OpenVPN fails to connect, so the iptables killswitch kills all but LAN traffic.

Any help would be greatly appreciated since reddit is filled with PIA dropping most support for Routers.

Hi,

What’s the output of sudo iptables -S

I would stick to OpenVPN, as it will be the easiest to get working with your current config. Do you know what port you are trying to connect to on the PIA server?

Thanks Tom.

$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o eth0 -p icmp -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1198 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -j DROP

Port was default (even though I wouldn’t mind switching it to an HTTP port if possible).

I was looking at these files already but not sure if it would work or how I would change my current file (located under /etc/openvpn/file.ovpn)
https://www.privateinternetaccess.com/openvpn/openvpn-strong-nextgen.zip

Currently my login is located in the same dir but with different permissions as a login.conf file.

current file used

client
dev tun
proto udp
remote nl.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/login.conf
comp-lzo
verb 1
reneg-sec 0
crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt
disable-occ
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Hi,

Not possible atm, pia are not offering support for http or https; I’m hoping they will return soon.

I’d have a go with these instructions:

https://www.underscorenews.net/2019/07/26/openvpn-setup-for-private-internet-access-for-osmc/

When it comes to downloading the private internet access VPN zip and unzip, you will need to do this instead:

sudo wget https://www.privateinternetaccess.com/openvpn/openvpn-strong-nextgen.zip
sudo unzip openvpn-strong-nextgen.zip

As for iptables, this should do it:

sudo iptables -D OUTPUT -o eth0 -p udp -m udp --dport 1198 -j ACCEPT
sudo iptables -D OUTPUT -o eth0 -j DROP
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 1197 -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -j DROP

If that works, you can make it survive a reboot by issuing:

sudo netfilter-persistent save

Thanks Tom.

Will the “strong” version work on Vero and Pi3 as well? The rest seems do-able, I’ll update if anything goes wrong of course.

Hi,

It should work, but the download speeds may not be great. You may be better off with:

https://www.privateinternetaccess.com/openvpn/openvpn-nextgen.zip

Then you don’t need to do anything with iptables, as these use 1198.

Thanks Tom.

But they’re all on sha1 still, that shouldn’t even be an option anymore, that has been broken for 2 years or so now.

All I need it to do is refresh my tvdb, download images from that and sorts. Nothing huge.

iptables aren’t working.
Can’t edit them.

le:/etc/openvpn$ sudo iptables -D OUTPUT -o eth0 -p udp -m udp --dport 1198 -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).

after your commands I get

sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o eth0 -p icmp -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1197 -j ACCEPT

@Tom_Doyle

Or anyone else, I know nothing about IPtables.

Hi,

I suggest you try removing iptables from the equation for now. If you issue:

sudo iptables -F

Does your openvpn connection work?

Thanks Tom.

Thanks Tom.

Ok think I got it fixed.

I’m getting an IP from curl https://ipinfo.io/ip
that I don’t think is mine.

this is my current iptables

sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o eth0 -p icmp -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1197 -j ACCEPT

Hi,

Ignore my last response then.

Does it still work if you issue:

sudo iptables -A OUTPUT -o eth0 -j DROP

Thanks Tom.

no idea, the box is on a different floor :stuck_out_tongue: (of course I started with the one I’m not sitting next to lol).

I can try and edit my pi3 and veron normal (right next to me) right now, see what that does.

Hi,

What I mean is: if you issue that command, does it remain connected to the OVPN connection?

Thanks Tom.

Stays connected

sudo iptables -A OUTPUT -o eth0 -j DROP
osmc@osmc:~$ curl https://ipinfo.io/ip
185.123.xxx.xxx

Hi,

Please issue:

sudo netfilter-persistent save

Reboot and confirm it connects. If it does, you can replicate the settings to your other devices; if not, please provide the output of:

iptables -S

Thanks Tom.

I did, but I’ll do it again.

sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o eth0 -p icmp -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1197 -j ACCEPT
-A OUTPUT -o eth0 -j DROP
-A OUTPUT -o eth0 -j DROP

sudo netfilter-persistent save

shutdown -r now

sudo iptables -S

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o eth0 -p icmp -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1197 -j ACCEPT
-A OUTPUT -o eth0 -j DROP

sudo iptables -A OUTPUT -o eth0 -j DROP

curl https://ipinfo.io/ip
193.239.xxx.xxx.

All in order. curl still works.

doing iptables now

sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o eth0 -p icmp -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1197 -j ACCEPT
-A OUTPUT -o eth0 -j DROP
-A OUTPUT -o eth0 -j DROP
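As an added example (not code from this thread, OSMC or PIA), here is a small POSIX shell check that reads a saved `iptables -S` dump and verifies the OUTPUT-chain killswitch pattern Tom describes earlier (delete the old port rule, allow the new UDP port, keep a catch-all `DROP` on eth0 last) and flags the doubled `DROP` that shows up in the dumps above. The sample rulesets are constructed here from the dumps posted in the thread; the function name `check_killswitch`, the return convention (number of findings) and the temp-file layout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: validate an `iptables -S` dump against
# the OUTPUT-chain killswitch used above. Function name, return convention and
# sample files are constructed for this example.
#
# Usage: check_killswitch <rules-file> <vpn-udp-port>
# Returns the number of findings (0 = ruleset looks right); details on stderr.
check_killswitch() {
    rules="$1"
    port="$2"
    findings=0

    # 1. Traffic into the tunnel must be allowed, or nothing leaves once DROP is in.
    if ! grep -q -- '^-A OUTPUT -o tun0 -j ACCEPT$' "$rules"; then
        echo "missing: -A OUTPUT -o tun0 -j ACCEPT" >&2
        findings=$((findings + 1))
    fi

    # 2. The OpenVPN handshake port must be allowed on eth0; this is the rule
    #    that changes when the server port moves (1198 -> 1197 in the thread).
    if ! grep -q -- "^-A OUTPUT -o eth0 -p udp -m udp --dport $port -j ACCEPT$" "$rules"; then
        echo "missing: UDP $port to the VPN server is not allowed on eth0" >&2
        findings=$((findings + 1))
    fi

    # 3. Exactly one catch-all DROP on eth0 (the '|| true' keeps a zero count
    #    from aborting the script under 'set -e') ...
    drops=$(grep -c -- '^-A OUTPUT -o eth0 -j DROP$' "$rules" || true)
    if [ "$drops" -eq 0 ]; then
        echo "missing: no '-A OUTPUT -o eth0 -j DROP', so there is no killswitch" >&2
        findings=$((findings + 1))
    elif [ "$drops" -gt 1 ]; then
        echo "duplicate: $drops DROP rules on eth0; 'iptables -D OUTPUT -o eth0 -j DROP' once per extra copy" >&2
        findings=$((findings + 1))
    fi

    # 4. ... and it must be the last eth0 rule: iptables matches top to bottom,
    #    so an ACCEPT appended after the DROP never fires.
    last_eth0=$(grep -- '^-A OUTPUT .*-o eth0' "$rules" | tail -n 1)
    if [ "$drops" -gt 0 ] && [ "$last_eth0" != "-A OUTPUT -o eth0 -j DROP" ]; then
        echo "order: rule after the DROP can never match: $last_eth0" >&2
        findings=$((findings + 1))
    fi
    return "$findings"
}

# --- constructed sample dumps, modelled on the ones posted in the thread ---
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT

# Post-reboot ruleset: port 1197 allowed, a single DROP, and it comes last.
cat > "$SAMPLES/good" <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o eth0 -p icmp -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1197 -j ACCEPT
-A OUTPUT -o eth0 -j DROP
EOF

# The same ruleset with DROP appended twice, as in the later dumps.
{ cat "$SAMPLES/good"; tail -n 1 "$SAMPLES/good"; } > "$SAMPLES/dup"

# No DROP at all: the state after 'iptables -D OUTPUT -o eth0 -j DROP'.
grep -v -- '-j DROP$' "$SAMPLES/good" > "$SAMPLES/nodrop"

# Constructed mis-ordering: the new port rule appended after the DROP.
{ grep -v -- '--dport 1197' "$SAMPLES/good"
  printf '%s\n' '-A OUTPUT -o eth0 -p udp -m udp --dport 1197 -j ACCEPT'; } > "$SAMPLES/misordered"

for name in good dup nodrop misordered; do
    if check_killswitch "$SAMPLES/$name" 1197; then
        echo "$name: killswitch OK"
    else
        echo "$name: $? finding(s)"
    fi
done
```

Run it against a dump taken with `sudo iptables -S > rules.txt` by calling `check_killswitch rules.txt 1197`; a non-zero return means at least one of the four conditions failed, and the message on stderr says which. The checks are string matches on the exact `iptables -S` output format, so a rule written with different option ordering will be reported as missing.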