PIA released updated CAs, but I don't know how to make them work. Please help me.
-
https://www.privateinternetaccess.com/forum/discussion/9093/pia-openvpn-client-encryption-patch/p1
Supposed to do AES256, SHA256 and RSA4069.
I copied and pasted the one for 4069 into my certificate area and set AES to 256 CBC and SHA to 256, but when I do, I get my own IP when I visit https://ipleak.net
Is there a way I can have pfSense disconnect entirely if it can't establish a connection or if connection is dropped?
How do I get all this stuff to work?
Thank you.
-
You haven't told us what is in the openvpn logs.
-
A bunch of this:
Oct 23 19:10:47 openvpn[58927]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]108.61.101.153:1194
Oct 23 19:10:49 openvpn[58927]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]108.61.101.153:1194
Oct 23 19:10:53 openvpn[58927]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]108.61.101.153:1194
-
I tried no TLS auth and it won't work either.
I need to find a key that works.
-
I have also recently set up pfSense with PIA and have been wanting to use stronger encryption.
I found a note about changing the port to 1196 to get AES-128-CBC to work (SHA only, not SHA256), which is the most I've been able to get beyond the weak defaults. I tried other ports to try to get AES-256-CBC, but no luck.
Unfortunately, after much digging I found a few obscure forum posts that indicated that to get SHA256, or a cert higher than 2048, you need to use PIA's patched client. (If anyone has more or different info, it would be appreciated.)
This should just be a matter of changing standard client settings, and should not need a special patched client. So I'm a bit disappointed with PIA and their default to weak encryption and the need for a patched client to get what should be common high encryption standards to work with common OpenVPN clients.