SG 2220 with PIA strong 256-bit OpenVPN encryption errors



  • I have been using the PIA service for about a year and a few months. For the past few weeks I have been getting several interruptions of service, and it leaves my home connection down until I restart the OpenVPN services. Here are the OpenVPN logs on the device:

    Am I actually connecting at 256-bit? The below seems to think not. Are these a reason for concern?

    WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1542'

    WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'

    WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'

    WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'

    Here are the settings suggested by PIA a year ago:

    You may want to try the strong encryption (more info below):

    Router VPN setups are by nature considerably slower than computer-based ones, due to the encryption that secure VPN services utilize. Routers typically lack the hardware capability to process the encryption in real time, causing connection lag.

    For example, you may be using a router that's considered a fairly good router by today's standards. However, even with a 700 MHz processor and 256 MB of RAM, those are specs you might have seen on a high-end Windows 98 / low-end WinXP computer 10-15 years ago. Basically, it's trying to run modern technology on hardware that can barely support it.

    The only reason one should use a router based VPN setup is (a) to connect devices that do not support VPN installation (TVs, gaming consoles, etc.) or (b) to connect more than 5 devices simultaneously. If you are concerned with speed, you should avoid using a router VPN setup.

    That said, I can suggest trying to tweak your MTU setting a bit; typically, if you lower it slightly, it makes it easier for the router to handle it, and in fact increases your speeds. Try reducing your MTU to around 1400 or so (pretty much any level between 1350 and 1450), and hopefully it will help.

    Next, please try using the following ports and protocols for your OpenVPN client:

    UDP 1198
    TCP 502

    Please ensure the Certificate Authority field contains the ca.rsa.2048.crt certificate file from here: Download Certificate

    However, if you're using the strong encryption settings "AES-256-CBC SHA256" please try the following ports and protocols for your OpenVPN client:

    UDP 1197
    TCP 501

    For strong encryption, please ensure the Certificate Authority field contains the ca.rsa.4096.crt file from here: Download Certificate

    Finally, try using an IP instead of a hostname in the Server Address field, to avoid any DNS resolution issues, which can help speed up the connection somewhat. To obtain an IP address from our servers, please open Command Prompt or a Terminal Window and type:

    ping (hostname of server you want IPs for. A list of our servers can be found here: https://www.privateinternetaccess.com/pages/network/)

    and hit enter. You should get an IP address for the hostname you put in.

    A reboot of the router may be necessary to activate any changes made in your router settings.



  • To update anyone who uses PIA and is reading this: their senior support engineer replied and basically said to use the instructions on the website. They are currently working on updating their setup material. Didn't give an ETA.

    I've changed back to the original directions and so far no issues, but it's only been 24 hours…

    WOW, I just checked the OpenVPN logs:

    I still get

    Dec 9 07:14:01 openvpn 14802 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
    Dec 9 07:14:01 openvpn 14802 WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'

    AND all of this

    Dec 8 21:13:02 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1897349 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Dec 8 21:13:02 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1897350 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Dec 8 21:13:02 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1897351 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings



  • For anyone who cares: I have been able to read online and pretty much fix this myself by doing the following:

    1. I moved away from the servers CLOSEST to me. It had the most servers available, but they are clearly overloaded OR configured wrong.
    2. I added
       a. comp-lzo
       b. auth sha256 (since I am connecting to the OpenVPN strong server)
       c. cipher aes-256-cbc (since I am connecting to the OpenVPN strong server)

    to my configuration, and it has gotten rid of the MTU warnings and all the warnings about it connecting to the old cipher.

    Night and day difference. The main key is reading the configuration files provided and mimicking them in your configuration in the client.

    I have a 100 Mb down / 10 Mb up Spectrum account, and on a good server I can get 90 Mb down and 10 Mb up consistently.


  • LAYER 8 Netgate

    All of that is selectable in the gui. I suggest doing it there.

    comp-lzo: adaptive is the default setting. comp-lzo adaptive is enabled by choosing Compression: Enabled with adaptive compression

    auth sha256: Auth digest algorithm: SHA256

    cipher aes-256-cbc: Encryption Algorithm: AES-256-CBC

    An example reason for using the GUI is that the comp-lzo directive is actually deprecated, to be replaced by the compress and comp-noadapt directives. Your configuration will automatically be updated when the OpenVPN functionality is updated with these changes. That will not be the case with custom options. They are blindly added to the configuration.



  • I understand what you are saying about the GUI, and they were chosen there. In the OpenVPN log I would get these:

    WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'

    WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'

    WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'

    Now that I have added them as I posted, I get:

    Jan 8 15:02:01 openvpn 21720 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
    Jan 8 15:02:01 openvpn 21720 Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
    Jan 8 15:02:01 openvpn 21720 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
    Jan 8 15:02:01 openvpn 21720 Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication

    Those never showed up in the log before, until I manually added them as shown in the OpenVPN config file provided by PIA.

    Just my experience. PIA has been updating quite a bit, I have read, as well.
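As an added example (not code from this thread, PIA or Netgate), here is a small Python checker that applies the two signals discussed in this thread, the `'cipher' is used inconsistently` warnings from the first post and the `Data Channel: Cipher ... initialized with 256 bit key` lines in the post above, to sample log lines constructed from the ones quoted here; it also counts the `bad packet ID (may be a replay)` errors per second so a burst like the one in the second post stands out. Function names, the sample log and the replay threshold are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample modelled on the lines quoted in this thread (not a real capture).
SAMPLE_LOG = """\
Dec 9 07:14:01 openvpn 14802 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
Dec 9 07:14:01 openvpn 14802 WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
Dec 9 07:14:01 openvpn 14802 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Dec 8 21:13:02 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1897349 ] -- see the man page entry for --no-replay and --replay-window
Dec 8 21:13:02 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1897350 ] -- see the man page entry for --no-replay and --replay-window
Jan 8 15:02:01 openvpn 21720 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan 8 15:02:01 openvpn 21720 Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Jan 8 15:02:01 openvpn 21720 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan 8 15:02:01 openvpn 21720 Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
"""

# Mismatch warnings show what the server is set to (remote=); the Data Channel lines are the only proof of what is in use.
MISMATCH_RE = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
CIPHER_RE = re.compile(r"(?P<dir>Incoming|Outgoing) Data Channel: Cipher '(?P<cipher>[^']+)' initialized with (?P<bits>\d+) bit key")
HMAC_RE = re.compile(r"(?P<dir>Incoming|Outgoing) Data Channel: Using (?P<bits>\d+) bit message hash '(?P<hash>[^']+)' for HMAC")
REPLAY_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*bad packet ID \(may be a replay\)")

def analyze(log_text):
    """Collect mismatched options, negotiated data-channel parameters and replay errors per second."""
    report = {"mismatches": {}, "data_channel": {}, "replay_per_second": Counter()}
    for line in log_text.splitlines():
        if m := MISMATCH_RE.search(line):
            report["mismatches"][m["opt"]] = (m["local"], m["remote"])
        elif m := CIPHER_RE.search(line):
            report["data_channel"].setdefault(m["dir"], {})["cipher"] = (m["cipher"], int(m["bits"]))
        elif m := HMAC_RE.search(line):
            report["data_channel"].setdefault(m["dir"], {})["hmac"] = (m["hash"], int(m["bits"]))
        elif m := REPLAY_RE.match(line):
            report["replay_per_second"][m["ts"]] += 1
    return report

def effective_key_bits(report):
    """Smallest data-channel key size seen in either direction, or None if no init line was logged."""
    bits = [v["cipher"][1] for v in report["data_channel"].values() if "cipher" in v]
    return min(bits) if bits else None

def findings(report, replay_threshold=10):
    """Plain-language findings a pfSense admin can act on (threshold is an assumed value)."""
    out = []
    for opt, (local, remote) in report["mismatches"].items():
        out.append(f"{opt}: client wants '{local}' but server is set to '{remote}'")
    bits = effective_key_bits(report)
    out.append("no data channel init seen: cannot confirm key size" if bits is None
               else f"data channel running with {bits}-bit key")
    for ts, n in report["replay_per_second"].items():
        if n >= replay_threshold:
            out.append(f"{n} replay errors at {ts}: check for duplicated/out-of-order packets (see --replay-window)")
    return out
```

Feed it the output of the pfSense OpenVPN log instead of `SAMPLE_LOG`; a mismatch line with no matching 256-bit Data Channel line is the condition the first post asked about.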


  • LAYER 8 Netgate

    Well if you set yours to AES-256-CBC and the remote wants blowfish, I don't know what adding the exact same configuration option manually is going to change.

    But if it works for you, great.

