
Hybrid VPN OpenVPN error


nightstorm

The OpenVPN Connect client accepts this config and works fine, but the Hybrid VPN doesn't seem to like it. It technically still connects but doesn't actually work right. I put a box around the part where I'm thinking it fails, just not sure why or what I can do about it. Anyone from support able to chime in? This is for Private Internet Access by the way.

I'm trying to get the VPN to only route traffic for a specific IP range while leaving all other traffic to pass normally without going through the VPN. Here is what I'm trying to use, and I've bolded the part that I think is causing the problem:

 

client
route 185.34.106.0 255.255.255.0
route-nopull

dev tun
proto tcp
remote ar.privacy.network 502
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server

auth-user-pass
compress
verb 1
reneg-sec 0
<crl-verify>
-----BEGIN X509 CRL-----
<super secret encryption stuff>
-----END X509 CRL-----
</crl-verify>

<ca>
-----BEGIN CERTIFICATE-----
<super secret encryption stuff>
-----END CERTIFICATE-----
</ca>

disable-occ
 

DumaOS Hybrid VPN logs redacted.png


1 hour ago, nightstorm said:

The OpenVPN Connect client accepts this config and works fine, but the Hybrid VPN doesn't seem to like it. It technically still connects but doesn't actually work right. I put a box around the part where I'm thinking it fails, just not sure why or what I can do about it. Anyone from support able to chime in? This is for Private Internet Access by the way.

I'm trying to get the VPN to only route traffic for a specific IP range while leaving all other traffic to pass normally without going through the VPN. Here is what I'm trying to use, and I've bolded the part that I think is causing the problem:

 

client
route 185.34.106.0 255.255.255.0
route-nopull

dev tun
proto tcp
remote ar.privacy.network 502
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server

auth-user-pass
compress
verb 1
reneg-sec 0
<crl-verify>
-----BEGIN X509 CRL-----
<super secret encryption stuff>
-----END X509 CRL-----
</crl-verify>

<ca>
-----BEGIN CERTIFICATE-----
<super secret encryption stuff>
-----END CERTIFICATE-----
</ca>

disable-occ
 

DumaOS Hybrid VPN logs redacted.png

Sure enough, if I remove those 2 lines in bold in the config I do not get these errors showing up in the logs. The VPN does not seem to work either way though. Honestly not sure what this is supposed to be for since even with a standard default config it's not connecting me through the VPN (web services still see my public IP). Is this thing broken or am I missing something?

Thanks


6 hours ago, Netduma Liam said:

It may be possible using your current idea, though it would be much easier to add the devices you do/don't want to go through the VPN to the panel on the right-hand side and decide whether they get VPN'd that way.

Like I said in my last post, I tried removing that and just using as a regular VPN and still can't get it to work. Also tried setting it to only route a certain service just for fun and instead of being able to select something it asks for source/destination ports... and was presented with yet another error. According to NetLimiter the connection in question uses TCP port 3074 but it doesn't say what the source/destination are. Using Wireshark I found the connection being made and determined that the source port should be 57049 but honestly not sure why that even matters and it won't let me leave it blank. So I tried entering that and it still gave the error. 

DumaOS Hybrid VPN error - adding service to VPN.png


2 minutes ago, Netduma Fraser said:

Set the DNS of the router to the DNS of the VPN server, then add your device and choose 1-65535 for source, 3074 for destination with Only VPN these services then it should work

Awesome thanks! I will try this as soon as I can.


Tried this, no luck. To be honest I didn't think it would work since the error seems to indicate that the router doesn't like the "dport", which is presumably the destination port. I am not sure why... I've even tried other ports and it still gives the same error so it's not even an issue with 3074 specifically. Are you able to reproduce this? Do you have any other suggestions?

Thanks


2 hours ago, Netduma Fraser said:

Are you still getting an error? How are you determining it doesn't work exactly? If you change to Do NOT VPN these services and then check your IP on a PC (once added) does that change?

Ok great that worked. So confirmed I can get it to work like a typical VPN where all traffic is routed through another server. Now what I would like to do is add just one specific connection to route through the VPN and have the rest of my internet handled normally with no VPN. I seem to get an error every time I try to add anything through "Advanced" in the service selection screen. None of the basic ones that are included are what I'm looking for.


10 hours ago, nightstorm said:

Ok great that worked. So confirmed I can get it to work like a typical VPN where all traffic is routed through another server. Now what I would like to do is add just one specific connection to route through the VPN and have the rest of my internet handled normally with no VPN. I seem to get an error every time I try to add anything through "Advanced" in the service selection screen. None of the basic ones that are included are what I'm looking for.

What error are you getting in the Advanced config? What service are you trying to add and how did you find which ports it uses?


4 hours ago, Netduma Liam said:

What error are you getting in the Advanced config? What service are you trying to add and how did you find which ports it uses?

All of this is up above but if it's easier I will repeat. 

Error is "RPC error 'ERROR_VALIDATION': Validation failed for 'dport'"

You cannot actually add a service, only a source port and destination port and a protocol.

Ports were found via NetLimiter and Wireshark, although the source port really shouldn't matter and it was suggested by Fraser that I just use 1-65535

DumaOS VPN Services Selector - Advanced.png

DumaOS Hybrid VPN error - adding service to VPN.png


1 hour ago, Netduma Fraser said:

If you click Basic at the top you should be able to pick a service. Try this:

Source Port
Start - 1
End - 65535

Destination Port
Start - 3074
End - 3074

Protocol - TCP/UDP

So are you saying you have to pick a service under basic first and then go into advanced? What if none of those are the service I'm looking for? I tried those exact settings without selecting anything from the Basic section and got the same error. I tried both TCP and TCP & UDP but it gave the same error. If it requires that you select something from Basic first then I guess that makes sense why it didn't work if I didn't choose anything but that seems dumb since that list obviously does not include everything and I thought that was the whole point of the Advanced option. If you can't find a preset in the basic list that matches what you're looking for, then you specify your own under advanced. If it doesn't work that way I definitely think it should...


  • Administrators

I was answering your concern about not being able to choose a service; you can do that via basic. You choose basic or advanced, so one or the other, not both. Can you provide a total VPN page screenshot of how it's set so far, please?


59 minutes ago, Netduma Fraser said:

I was answering your concern about not being able to choose a service; you can do that via basic. You choose basic or advanced, so one or the other, not both. Can you provide a total VPN page screenshot of how it's set so far, please?

Ok that makes sense. I will get that to you ASAP.

Thanks


So it's failing on the DNS provided by PIA. Tried to go back to Network Settings and set it back to my usual DNS which at least I know worked and that whole rapp just spins indefinitely now. Looks like I found a way to break the Network Settings page lol


Ok so... The first set of DNS servers I found on the PIA website obviously don't work as the VPN would not connect using those (it would not even resolve its own server name). So I found a "Smart DNS" thing somewhere else on the site and used that instead. That one worked to resolve stuff no problem but I found that as soon as I added that DNS info into the Duma it gave me an IP from that region and as long as I had any VPN info configured at all it would make me hold that IP, even if I disabled VPN. In order to get my regular IP back I had to delete all VPN related config from the Netduma even after having disconnected.

Not only was this a pain, but my plan was never to have "What's my IP" show a foreign IP anyway so I knew I was barking up the wrong tree. But one of the things I did during my troubleshooting was reboot the router. After rebooting I no longer got the "RPC error 'ERROR_VALIDATION': Validation failed for 'dport'" when trying to manually add a service.

Once I realized I wasn't getting that error message anymore I went back to trying it with a default config again just using my default upstream DNS, then adding "Only VPN these services" Source: 1-65535 Destination: 3074 Protocol: TCP and it let me add it with no error.

Then I connected with all my PIA login and config info and BAM it worked! "What is my IP" still shows my local IP from my ISP here which makes sense since that would be a TCP port 80 connection if I'm not mistaken, or maybe 443 or something but anyway because it's not 3074 it did what it was supposed to do and handled it through my normal connection.

Now when I log in to Call of Duty (that's what this was all for, in case you were wondering 😛) it correctly shows my geographic region as the region of the IP given to me by PIA for the VPN connection. I discovered awhile back that the Demonware server at 185.34.106.x connects to the player on TCP port 3074 to ascertain your geographic location AND also coordinate matchmaking based on that.

It obviously gets thrown for a bit of a loop though when you're not actually physically connecting from that location 🤣

 

Anyway, short version is a reboot fixed it. The error message should not have been there as I wasn't actually doing anything wrong, and that's what started all this confusion in the first place. Thanks again for all your help!
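
Added example (not part of the original posts, and not DumaOS or PIA code): a sketch of the two split-tunnel approaches discussed in this thread, the route-based one (`route` plus `route-nopull` in the OpenVPN config) and the port-based one (the "Only VPN these services" rule with source 1-65535, destination 3074, TCP). The pushed server options and the rule model are constructed assumptions; the page does not show how the router applies its rule internally.

```python
import ipaddress

# Constructed sample: the routing lines from the posted config, plus options a
# server might push (the pushed values are invented for this demonstration).
CLIENT_CONFIG = """client
route 185.34.106.0 255.255.255.0
route-nopull
dev tun
proto tcp
"""
PUSHED = ["redirect-gateway def1", "dhcp-option DNS 10.0.0.243", "ping 10"]

# Pushed option families the client ignores when route-nopull is set.
NOPULL_BLOCKED = ("route", "route-ipv6", "redirect-gateway",
                  "dhcp-option", "block-outside-dns")


def tunnel_networks(config, pushed):
    """Return the IPv4 networks that end up routed through the tunnel."""
    lines = [l.split() for l in config.splitlines() if l.strip()]
    nopull = any(t[0] == "route-nopull" for t in lines)
    options = lines + [p.split() for p in pushed
                       if not (nopull and p.split()[0] in NOPULL_BLOCKED)]
    nets = []
    for t in options:
        if t[0] == "route" and len(t) >= 2:
            mask = t[2] if len(t) > 2 else "255.255.255.255"
            nets.append(ipaddress.ip_network(f"{t[1]}/{mask}"))
        elif t[0] == "redirect-gateway":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))  # everything
    return nets


def via_tunnel_by_route(dst, nets):
    """Route-based split tunnel: is the destination inside a tunnelled network?"""
    return any(ipaddress.ip_address(dst) in n for n in nets)


def via_tunnel_by_service(proto, sport, dport, rule):
    """Port-based split tunnel: only flows matching the rule use the VPN."""
    return (proto in rule["protos"]
            and rule["sport"][0] <= sport <= rule["sport"][1]
            and rule["dport"][0] <= dport <= rule["dport"][1])


# The rule from the thread: source 1-65535, destination 3074, TCP.
RULE = {"protos": {"tcp"}, "sport": (1, 65535), "dport": (3074, 3074)}
```

With `route-nopull` present only 185.34.106.0/24 is tunnelled. Under the port rule a TCP flow to port 3074 takes the VPN while a web request to port 443 does not, which matches the "What is my IP" result described above.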


9 hours ago, nightstorm said:

Ok so... The first set of DNS servers I found on the PIA website obviously don't work as the VPN would not connect using those (it would not even resolve its own server name). So I found a "Smart DNS" thing somewhere else on the site and used that instead. That one worked to resolve stuff no problem but I found that as soon as I added that DNS info into the Duma it gave me an IP from that region and as long as I had any VPN info configured at all it would make me hold that IP, even if I disabled VPN. In order to get my regular IP back I had to delete all VPN related config from the Netduma even after having disconnected.

Not only was this a pain, but my plan was never to have "What's my IP" show a foreign IP anyway so I knew I was barking up the wrong tree. But one of the things I did during my troubleshooting was reboot the router. After rebooting I no longer got the "RPC error 'ERROR_VALIDATION': Validation failed for 'dport'" when trying to manually add a service.

Once I realized I wasn't getting that error message anymore I went back to trying it with a default config again just using my default upstream DNS, then adding "Only VPN these services" Source: 1-65535 Destination: 3074 Protocol: TCP and it let me add it with no error.

Then I connected with all my PIA login and config info and BAM it worked! "What is my IP" still shows my local IP from my ISP here which makes sense since that would be a TCP port 80 connection if I'm not mistaken, or maybe 443 or something but anyway because it's not 3074 it did what it was supposed to do and handled it through my normal connection.

Now when I log in to Call of Duty (that's what this was all for, in case you were wondering 😛) it correctly shows my geographic region as the region of the IP given to me by PIA for the VPN connection. I discovered awhile back that the Demonware server at 185.34.106.x connects to the player on TCP port 3074 to ascertain your geographic location AND also coordinate matchmaking based on that.

It obviously gets thrown for a bit of a loop though when you're not actually physically connecting from that location 🤣

 

Anyway, short version is a reboot fixed it. The error message should not have been there as I wasn't actually doing anything wrong, and that's what started all this confusion in the first place. Thanks again for all your help!

Thanks for letting us know. Give us a shout if you have any other issues!
