PIA released updated CAs, but I don't know how to make them work. Please help me.



  • https://www.privateinternetaccess.com/forum/discussion/9093/pia-openvpn-client-encryption-patch/p1
    Supposed to do AES256 SHA256 and RSA4069
    I copied and pasted the one for 4069 into my certificate area and set AES to 256 CBC and SHA to 256, but when I do, I get my own IP when I visit https://ipleak.net
    Is there a way I can have pfSense disconnect entirely if it can't establish a connection or if connection is dropped?
    How do I get all this stuff to work?
    Thank you.



  • You haven't told us what is in the openvpn logs.



  • A bunch of this:
    Oct 23 19:10:47 openvpn[58927]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]108.61.101.153:1194
    Oct 23 19:10:49 openvpn[58927]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]108.61.101.153:1194
    Oct 23 19:10:53 openvpn[58927]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]108.61.101.153:1194



  • I tried no TLS auth and it won't work either.
    I need to find a key that works.



  • @LAR

    I have also recently set up pfSense with PIA and have been wanting to use stronger encryption.

    I found a note about changing the port to 1196 to get AES-128-CBC to work (SHA only, not SHA256), which is the most I've been able to get beyond the weak defaults. I tried other ports to try to get AES-256-CBC, but no luck.

    Unfortunately, after much digging, I found a few obscure forum posts that indicated that to get SHA256, or a cert higher than 2048, you need to use PIA's patched client. (Anyone that has more or different info, it would be appreciated.)

    This should just be a matter of changing standard client settings, and should not need a special patched client. So I'm a bit disappointed with PIA and their default to weak encryption and the need for a patched client to get what should be common high encryption standards to work with common OpenVPN clients.

