GUIDE: Setting up Transmission with OpenVPN and PIA

Eric Ruud

Cadet
Joined
Jan 31, 2015
Messages
4
Joined
Mar 6, 2014
Messages
686
I don't get it... usually all the VPN service's ports are open. What am I missing here?
 

mjk79

Explorer
Joined
Nov 4, 2014
Messages
67
Anyone know how to set the encryption level in OpenVPN? (using PIA) I'd like to set it to max encryption but I'm not seeing a way.
 
Joined
Mar 6, 2014
Messages
686

mjk79

Explorer
Joined
Nov 4, 2014
Messages
67
nm, think I found it, thanks for the info!
 
Joined
Mar 6, 2014
Messages
686
Glad you changed your comment. Do some research (read: Google), this (config file) is really just very basic OpenVPN stuff. Read and learn. It will help you in the long run.
 

mjk79

Explorer
Joined
Nov 4, 2014
Messages
67
Glad you changed your comment. PLEASE do some research (read: Google) yourself first, this (config file) is really just very basic OpenVPN stuff.

I did, but this is still like reading French to me. I honestly spent an hour searching before I posted.

I still can't figure out how to set Data Authentication to SHA256 or Handshake to RSA-4096. It looks like RSA needs to be set before keys are generated and I have no idea how to do that, but I can't find any references anywhere to setting Authentication to SHA256.
 
Joined
Mar 6, 2014
Messages
686
As far as I know you get the key files (RSA-4096) from PIA. You might want to ask there.

And right from the OpenVPN wiki:
Use of --tls-cipher:
The following are TLSv1.2 DHE + RSA choices, requiring a compatible peer running at least OpenVPN 2.3.3:
  • TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
  • TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
  • TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
  • TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
In the example config file from the link I sent you:
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
 

mjk79

Explorer
Joined
Nov 4, 2014
Messages
67
As far as I know you get the key files (RSA-4096) from PIA. You might want to ask there.

And right from the OpenVPN wiki:

In the example config file from the link I sent you:


Just an FYI, none of those ciphers work with the version of TLS that comes with OpenVPN. These are all SHA1. (on FreeNAS)

These are the ones that are available.


[root@customplugin_1 /]# openvpn --show-tls
Available TLS Ciphers,
listed in order of preference:

TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-DSS-WITH-AES-256-CBC-SHA
TLS-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA
TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
TLS-RSA-WITH-3DES-EDE-CBC-SHA
DES-CBC3-MD5 (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
TLS-DHE-DSS-WITH-AES-128-CBC-SHA
TLS-RSA-WITH-AES-128-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA
TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
RC2-CBC-MD5 (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-RSA-WITH-RC4-128-SHA
TLS-RSA-WITH-RC4-128-MD5
TLS-RSA-WITH-RC4-128-MD5
TLS-DHE-RSA-WITH-DES-CBC-SHA
TLS-DHE-DSS-WITH-DES-CBC-SHA
TLS-RSA-WITH-DES-CBC-SHA
DES-CBC-MD5 (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DH-RSA-EXPORT-WITH-DES40-CBC-SHA
TLS-DH-DSS-EXPORT-WITH-DES40-CBC-SHA
TLS-RSA-EXPORT-WITH-DES40-CBC-SHA
TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5
TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5
TLS-RSA-EXPORT-WITH-RC4-40-MD5
TLS-RSA-EXPORT-WITH-RC4-40-MD5

I was able to get AES-128-CBC working but it also required changing the server port number to 1196. I can't find any reference to an AES-256 port number, I've contacted PIA about it.
 
Joined
Mar 6, 2014
Messages
686
You have done your homework [emoji6]

Now you do have my attention... Maybe you have to install some extra package? Not sure, though. OpenVPN seems to be able to support it from what I read in their wiki.

Please let us know if you find out (I'm sure now you will). [emoji106]
 

mjk79

Explorer
Joined
Nov 4, 2014
Messages
67
Ok so this morning I get this BS response from PIA.

Hello,

Welcome to Private Internet Access support!

The AES-256-CBC encryption is only available on our PIA client software. It will use whichever port is set in the client settings.


Please let us know if you have any further concerns.

Regards,

Brendon T, Level I Tech Support
Private Internet Access™

So I did some more searching with some trial and error of nearby port numbers but I wasn't able to nail down the AES-256-CBC port. But, 128 does work and I guess that'll have to be good enough.

For anyone who needs it in the future, this is what my openvpn.conf file looks like.

client
dev tun
proto udp
remote us-seattle.privateinternetaccess.com 1196
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass pass.txt
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.pem
cipher AES-128-CBC
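
The thread's open question is which directives control data-channel encryption and authentication (`cipher`, `auth`) and which control the TLS handshake (`tls-cipher`). The script below is an added example, not part of any post in this thread: it audits a client config for those three directives and filters `openvpn --show-tls` output for weak suites. The function names `audit_ovpn_conf` and `weak_tls_suites` are hypothetical, the sample input is constructed, and the stated defaults are those of OpenVPN 2.3.

```shell
#!/bin/sh
# Added example, not code from the thread; all sample input is constructed.

# Report the data-channel (cipher, auth) and control-channel (tls-cipher)
# settings of an OpenVPN client config given as a file argument or on stdin.
audit_ovpn_conf() {
    awk '
        /^[ \t]*[#;]/      { next }           # commented-out directives
        $1 == "cipher"     { cipher = $2 }
        $1 == "auth"       { auth = $2 }      # exact match, not auth-user-pass
        $1 == "tls-cipher" { tls = $2 }
        END {
            if (cipher == "")
                print "WARN cipher unset (OpenVPN 2.3 default: BF-CBC)"
            else if (cipher ~ /^(BF|DES|RC2|CAST5)/)
                print "WARN cipher " cipher " has a 64-bit block"
            else
                print "OK cipher " cipher
            if (auth == "")
                print "NOTE auth unset (OpenVPN 2.3 default: SHA1)"
            else
                print "OK auth " auth
            if (tls == "")
                print "NOTE tls-cipher unset (library default list applies)"
            else if (tls ~ /EXPORT|RC4|RC2|DES|MD5|NULL/)
                print "WARN tls-cipher lists a weak suite: " tls
            else
                print "OK tls-cipher " tls
        }' "$@"
}

# Reduce `openvpn --show-tls` output (stdin) to the suites that should never
# appear in tls-cipher: export-grade, RC4, RC2, DES/3DES and MD5-based ones.
weak_tls_suites() {
    awk '$1 ~ /^[A-Z0-9]+-/ && $1 ~ /EXPORT|RC4|RC2|DES|MD5/ { print $1 }'
}

# Demo on constructed input.
printf '%s\n' 'client' 'auth-user-pass pass.txt' ';cipher x' \
    'cipher AES-128-CBC' | audit_ovpn_conf
printf '%s\n' 'Available TLS Ciphers,' 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA' \
    'TLS-RSA-WITH-RC4-128-MD5' \
    'DES-CBC3-MD5 (No IANA name known to OpenVPN, use OpenSSL name.)' |
    weak_tls_suites
```

In OpenVPN 2.3 the `cipher` and `auth` values must match what the server uses, so a stronger setting only connects if the provider runs an endpoint configured for it.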
 

cdgonzalez

Dabbler
Joined
Dec 19, 2014
Messages
21
I really enjoy the PIA service but I'm not a fan of their OpenVPN support vs. the reliance on their proprietary client.
 
Joined
Mar 6, 2014
Messages
686
Ok so this morning I get this BS response from PIA.
The AES-256-CBC encryption is only available on our PIA client software. It will use whichever port is set in the client settings.
That sure is a BS answer. If I were you, I would search the PIA and OpenVPN forums on this matter. For the "AES-256-CBC encryption is only available on our PIA client software" BS and for the thing about the ciphers not being supported in the BSD port of OpenVPN. I really feel we are missing something here, since the OpenVPN wiki tells us it is supported from version 2.3.3 and up. The ports version is 2.3.6 I think.

EDIT: Have you checked the outcome of this:
To show the supported ciphers execute the command openvpn --show-ciphers. In any case, remember that OpenVPN supports automatically those supported by OpenSSL library. The command openssl ciphers -v will return the list of ciphers.
 

jwdicki

Cadet
Joined
Feb 5, 2015
Messages
6
0) Full script on gist. I made this for myself to automate a boring and long process. If you don't know what you're doing you should probably do it the 'hard' way first so you understand at least what the script is doing. It's also just for Private Internet Access (PIA) because I have PIA.

1) Tested on my: 9.3-RELEASE-p5 FreeBSD 9.3-RELEASE-p5 #1 f8ed4e8: Fri Dec 19 20:25:35 PST 2014

2) Not responsible for this losing your data, formatting your drives or your wife leaving you. This is supposed to be run inside the jail. It requires at least curl or wget to be installed. Tested with Transmission plugin jail &

3) Code should work like this:

Code:
jls
jexec [JAILID] tcsh
cd /tmp
wget --quiet --no-check-certificate -O pia.sh https://gist.githubusercontent.com/jedediahfrey/6d475dcc34c710f62a7c/raw/d9e2c8f26da0da5ba4e347df1c0210fde42884a8/pia.sh
chmod +x pia.sh
./pia.sh



The end of the script should show you this:

Code:
Starting openvpn.
Waiting 10 seconds for OpenVPN to spin up
If these are different, OpenVPN is working
Old IP: 68.[x].[x].[x]
New IP: 179.[x].[x].[x]


This worked like a charm and ended hours of frustration! All I had to do was delete my old jail and start over. I'm pretty new to all this and am wondering if someone can direct me how to change the server (Switzerland installed by the script) to a different one. Thanks again for the amazing guide!
 

jwdicki

Cadet
Joined
Feb 5, 2015
Messages
6
You will need to edit your /etc/rc.conf file.

Thank you, I should have been more specific. I've been trying to find that config file. Not sure where the script put it. I've looked (to my ability) in the dirs of the orig. guide above, but no luck. Thanks for the reply
 

jwdicki

Cadet
Joined
Feb 5, 2015
Messages
6
Thank you, I should have been more specific. I've been trying to find that config file. Not sure where the script put it. I've looked (to my ability) in the dirs of the orig. guide above, but no luck. Thanks for the reply

On second thought: that might be a really dumb question. I'll look deeper later. Thanks again.
 

duel007

Dabbler
Joined
Mar 6, 2014
Messages
13
Thanks for posting this. I got mine set up and working, and I was able to verify it was using a completely different IP than my home external IP. But a side effect I didn't think about is I'm no longer able to access transmission remotely using the remote GUI set to my home DDNS address. Is there a workaround for this?
 

jwdicki

Cadet
Joined
Feb 5, 2015
Messages
6
Thanks for posting this. I got mine set up and working, and I was able to verify it was using a completely different IP than my home external IP. But a side effect I didn't think about is I'm no longer able to access transmission remotely using the remote GUI set to my home DDNS address. Is there a workaround for this?

Same issue for me. Changed my PIA server (thanks Jafrey!) but now am having trouble with GUI. Have been going through the .json. I think it's in there.
 

duel007

Dabbler
Joined
Mar 6, 2014
Messages
13
Same issue for me. Changed my PIA server (thanks Jafrey!) but now am having trouble with GUI. Have been going through the .json. I think it's in there.

Definitely report back if you figure something out. I ended up rolling back my config so that I could use the remote GUI again. Not sure why, but it would work locally but not remotely.
 