Tunnel VPN with PIA failed state

[proactivens]

Tunnel VPN is not working today with PIA. Ive tried US East and US West and seeing the same behavior on both.

Tunnel VPN logs
Thu Nov 19 09:52:25 2020 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Thu Nov 19 09:52:25 2020 library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
Thu Nov 19 09:52:25 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Nov 19 09:52:25 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]184.170.242.135:1198
Thu Nov 19 09:52:25 2020 UDP link local: (not bound)
Thu Nov 19 09:52:25 2020 UDP link remote: [AF_INET]184.170.242.135:1198
Thu Nov 19 09:53:25 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Nov 19 09:53:25 2020 TLS Error: TLS handshake failed
Thu Nov 19 09:53:25 2020 SIGUSR1[soft,tls-error] received, process restarting
Thu Nov 19 09:53:30 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Nov 19 09:53:30 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]184.170.241.194:1198
Thu Nov 19 09:53:30 2020 UDP link local: (not bound)
Thu Nov 19 09:53:30 2020 UDP link remote: [AF_INET]184.170.241.194:1198

Here is the VPN config
client
dev tun
remote us-west.privateinternetaccess.com 1198 udp
remote us-west.privateinternetaccess.com 502 tcp
resolv-retry infinite
nobind
persist-key
persist-tun
setenv CLIENT_CERT 0

<ca>
-----BEGIN CERTIFICATE-----
Removed cert because its not relevant and makes the post too long
-----END CERTIFICATE-----
</ca>

cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo no
verb 1
reneg-sec 0

[proactivens]

To provide some more color; The PIA page shows a bunch of connections with the verbiage (Client update needed) and these connection do not work.
https://www.privateinternetaccess.com/pages/openvpn-ios
The ones that do not have the verbiage (client update needed) do work. I have connected to Houston and Washington, DC. So it seems as though an updated OVPN client may be needed to connect to a majority of PIA connections??

[sky-knight]

One... you didn't call me?!? That's odd!

Two, Untangle v16 runs OpenVPN 2.4.7-1, which is the most recent version of OpenVPN available via the Debian repos...

Stay tuned folks while I smack my business partner with a fish...

*edit* Dug through PIA's support docks and they support 2.3 onward, though they recommend 2.4.7. This isn't a version thing, this is a client or server configured incorrectly thing.

[chinook]

Hi,

I was having the same problem and I think it will be related to the new "NextGen VPN network" that PIA launched.
Looking at the settings that proactivens put up there, I would say that you are using the old configuration file, just as I was.

What I did to get it working was to use the new configuration files. I found them at the following link:
h**ps://**w.privateinternetaccess.com/pages/download

You will have an option that says "View OpenVPN Configurations".
In the window that opens will be the new configuration files. I used the ones that say "NextGen".

I see only 3 differences, no more "comp-lzo no" and new "compress" and "disable-occ".
I have no experience with OpenVPN. I hope that one of you can confirm that this is correct and properly configured.

PS: Sorry for the link only with one post.

[sky-knight]

Oh yes I think you're right!

But the change I see that's most significant is the remote lines, there are completely different DNS names in the NextGen files relative to the others. I suspect the old servers are simply not online anymore, and the new ones are active. That would explain the above error, since TLS Error: TLS key negotiation failed to occur within 60 seconds basically means HELP SOMETHING WENT WRONG!

It's usually a connection error, as in the server isn't responding.

[chinook]

Yes, it's true, I didn't even notice the domain changed even though I changed the subdomain to the server I normally use because it wasn't in the zip file

It's late for me, going to sleep