#1 2018-07-13 09:58:31

dxxvi
Member
Registered: 2011-07-23
Posts: 122

PrivateInternetAccess connects but unable to access anything

Hi All,

I downloaded PIA configuration files from their website. It looks like this:

client
dev tun
proto udp
remote us-newyorkcity.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server

auth-user-pass pia.txt
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
disable-occ

I added a file name with my PIA username and password to the line auth-user-pass. This is the openvpn result:

# openvpn US-New-York-City.ovpn 
Fri Jul 13 05:31:57 2018 WARNING: file 'pia.txt' is group or others accessible
Fri Jul 13 05:31:57 2018 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2018
Fri Jul 13 05:31:57 2018 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Fri Jul 13 05:31:58 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]209.95.50.69:1198
Fri Jul 13 05:31:58 2018 UDP link local: (not bound)
Fri Jul 13 05:31:58 2018 UDP link remote: [AF_INET]209.95.50.69:1198
Fri Jul 13 05:31:58 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Jul 13 05:31:58 2018 [ef64f717b4baea6d2363eadb3fc7e5d2] Peer Connection Initiated with [AF_INET]209.95.50.69:1198
Fri Jul 13 05:31:59 2018 TUN/TAP device tun0 opened
Fri Jul 13 05:31:59 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Jul 13 05:31:59 2018 /usr/bin/ip link set dev tun0 up mtu 1500
Fri Jul 13 05:31:59 2018 /usr/bin/ip addr add dev tun0 local 10.63.10.6 peer 10.63.10.5
Fri Jul 13 05:31:59 2018 Initialization Sequence Completed

This is the /etc/resolv.conf:

$ cat /etc/resolv.conf
# Generated by resolvconf
nameserver 8.8.8.8
nameserver 192.168.4.1

It is the same as before openvpn was run. I'm unable to connect to anything with Firefox or curl:

$ curl https://www.google.com
curl: (7) Failed to connect to www.google.com port 443: Connection timed out

Then I downloaded the file /etc/openvpn/update-resolv-conf from https://github.com/masterkorp/openvpn-u … esolv-conf and appended these 3 lines to US-New-York-City.ovpn:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Now the /etc/resolv.conf is updated with the DNS server names from PrivateInternetAccess:

# openvpn US-New-York-City.ovpn 
Fri Jul 13 05:49:29 2018 WARNING: file 'pia.txt' is group or others accessible
Fri Jul 13 05:49:29 2018 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2018
Fri Jul 13 05:49:29 2018 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Fri Jul 13 05:49:29 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Jul 13 05:49:30 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]209.95.50.199:1198
Fri Jul 13 05:49:30 2018 UDP link local: (not bound)
Fri Jul 13 05:49:30 2018 UDP link remote: [AF_INET]209.95.50.199:1198
Fri Jul 13 05:49:30 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Jul 13 05:49:30 2018 [e892be7937b1fdc07f5439f1c3d82d10] Peer Connection Initiated with [AF_INET]209.95.50.199:1198
Fri Jul 13 05:49:31 2018 TUN/TAP device tun0 opened
Fri Jul 13 05:49:31 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Jul 13 05:49:31 2018 /usr/bin/ip link set dev tun0 up mtu 1500
Fri Jul 13 05:49:31 2018 /usr/bin/ip addr add dev tun0 local 10.7.10.6 peer 10.7.10.5
Fri Jul 13 05:49:31 2018 /etc/openvpn/update-resolv-conf tun0 1500 1558 10.7.10.6 10.7.10.5 init
dhcp-option DNS 209.222.18.222
dhcp-option DNS 209.222.18.218
Fri Jul 13 05:49:31 2018 Initialization Sequence Completed
$ cat /etc/resolv.conf
# Generated by resolvconf
nameserver 209.222.18.222
nameserver 209.222.18.218

However, I'm unable to access anything:

$ curl https://www.google.com
curl: (6) Could not resolve host: www.google.com

There is no iptables rule on my machine:

# iptables -nvL
Chain INPUT (policy ACCEPT 775 packets, 142K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 812 packets, 455K bytes)
 pkts bytes target     prot opt in     out     source               destination

Now I have run out of ideas of what to try. Does anybody have any idea?

Thanks.

Last edited by dxxvi (2018-07-13 09:59:32)

#2 2018-07-13 10:43:55

sincomil
Member
Registered: 2018-02-13
Posts: 106

Re: PrivateInternetAccess connects but unable to access anything

Check your routes. In the provided connection log I see that the only route that was added is for the peer address 10.7.10.5.
Run from a terminal:

ip ro sh

and post it here.
Also, the VPN server pushed DNS servers, so it should also push routes for accessing them via the tunnel. If you are expecting all traffic to go through the tunnel, there must be a pushed default route option in the connection logs.

You can add this option at the very end of your openvpn config file yourself:

redirect-gateway def1

Last edited by sincomil (2018-07-13 10:46:34)

#3 2018-07-13 12:58:16

ratcheer
Member
Registered: 2011-10-09
Posts: 912

Re: PrivateInternetAccess connects but unable to access anything

What solved it for me was installing package openvpn-update-resolv-conf

Tim

#4 2018-07-13 14:26:01

Durden
Member
Registered: 2011-06-19
Posts: 261

Re: PrivateInternetAccess connects but unable to access anything

Use this instead:
https://www.privateinternetaccess.com/h … nvpn-setup

It says Fedora but the script also supports Arch, and it uses the native NetworkManager VPN configs. Very simple setup and extremely reliable.

#5 2018-07-14 09:11:45

dxxvi
Member
Registered: 2011-07-23
Posts: 122

Re: PrivateInternetAccess connects but unable to access anything

sincomil wrote:
redirect-gateway def

Before connecting to PIA:

$ ip ro sh
default via 192.168.4.1 dev wlp2s0 proto dhcp src 192.168.4.244 metric 302 
192.168.4.0/24 dev wlp2s0 proto dhcp scope link src 192.168.4.244 metric 302

After connecting to PIA:

$ ip ro sh
0.0.0.0/1 via 10.78.10.5 dev tun0 
default via 192.168.4.1 dev wlp2s0 proto dhcp src 192.168.4.244 metric 302 
10.78.10.1 via 10.78.10.5 dev tun0 
10.78.10.5 dev tun0 proto kernel scope link src 10.78.10.6 
128.0.0.0/1 via 10.78.10.5 dev tun0 
192.168.4.0/24 dev wlp2s0 proto dhcp scope link src 192.168.4.244 metric 302 
209.95.50.199 via 192.168.4.1 dev wlp2s0

ratcheer wrote:

What solved it for me was installing package openvpn-update-resolv-conf

I tried that. That package installed this file /etc/openvpn/update-resolv-conf. And we have to append

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

to the .ovpn file manually, don't we? I did that and the result is the same.

Durden wrote:

Use this instead:
https://www.privateinternetaccess.com/h … nvpn-setup

It says Fedora but the script also supports Arch, and it uses the native NetworkManager VPN configs. Very simple setup and extremely reliable.

That creates some NetworkManager profiles for me. I ran a profile with

$ nmcli connection up "PIA - US New York City" --ask 
A password is required to connect to 'PIA - US New York City'.
Password (vpn.secret.password): ••••••••••
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/9)

but the result was the same as other approaches.

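Added example, not part of any post in this thread: a Python check of the `ip ro sh` tables pasted in post #5 against what post #2 asks for, namely that the two `redirect-gateway def1` half-routes sit on the tunnel, that the pushed DNS servers from post #1 leave via `tun0`, and that the VPN server itself stays on the physical link. The function names are hypothetical, and the parser only handles the simple route lines shown in the thread.

```python
import ipaddress
# `ip ro sh` output as pasted in post #5 (after and before connecting).
AFTER = """\
0.0.0.0/1 via 10.78.10.5 dev tun0
default via 192.168.4.1 dev wlp2s0 proto dhcp src 192.168.4.244 metric 302
10.78.10.1 via 10.78.10.5 dev tun0
10.78.10.5 dev tun0 proto kernel scope link src 10.78.10.6
128.0.0.0/1 via 10.78.10.5 dev tun0
192.168.4.0/24 dev wlp2s0 proto dhcp scope link src 192.168.4.244 metric 302
209.95.50.199 via 192.168.4.1 dev wlp2s0
"""
BEFORE = """\
default via 192.168.4.1 dev wlp2s0 proto dhcp src 192.168.4.244 metric 302
192.168.4.0/24 dev wlp2s0 proto dhcp scope link src 192.168.4.244 metric 302
"""

def parse_routes(text):
    """Parse simple `ip route show` lines into (network, device, metric)."""
    routes = []
    for f in (line.split() for line in text.splitlines() if line.strip()):
        net = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0])
        dev = f[f.index("dev") + 1]
        metric = int(f[f.index("metric") + 1]) if "metric" in f else 0
        routes.append((net, dev, metric))
    return routes

def egress_dev(routes, ip):
    """Longest-prefix match; the lower metric wins between equal prefixes."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if addr in r[0]]
    best = max(hits, key=lambda r: (r[0].prefixlen, -r[2]), default=None)
    return best[1] if best else None

def audit(text, tun, vpn_server, dns_servers):
    routes = parse_routes(text)
    halves = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}
    on_tun = {net for net, dev, _ in routes if dev == tun}
    return {
        "def1_routes": halves <= on_tun,  # both /1 routes point into the tunnel
        "server_bypasses_tunnel": egress_dev(routes, vpn_server) != tun,
        "dns_outside_tunnel": [d for d in dns_servers if egress_dev(routes, d) != tun],
    }

if __name__ == "__main__":
    dns = ["209.222.18.222", "209.222.18.218"]  # pushed DNS servers from post #1
    for name, table in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(table, "tun0", "209.95.50.199", dns))
```

On a live system, `ip route get <address>` answers the same question for a single destination.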
