Tuesday, August 25, 2020

Private Internet Access (PIA) Next-Gen servers break apps and smart home devices

Problem: After restoring your PIA connection once it broke (router-based VPN), you do not have full connectivity.

Specifically, none of your smartphone apps or smart home devices work properly.

  • Your router IS connected to the VPN
  • You ARE using the correct encryption, port, and ca.crt combination
  • Your apps and devices DO have a working internet connection
  • They CAN see the internet
  • They DO work outside the VPN

But they can't log in to, or access, their respective servers through the VPN:

  • Gmail: Useless "View more" link that does nothing
  • Banking apps: Can't log in
  • Starbucks: Endless "Finding stores"
  • Ecobee:  "Trouble connecting to your device"
  • Honeywell Home: Endless startup
  • Rakuten Kobo: Endless accessing "My Books"
  • Smart Life: Endless startup
  • Lastpass: Password vault is empty
  • Roblox: Endless loading
  • Minecraft: Can't join multiplayer servers
  • Terraria: Can't join other players 
  • Pixel Guns 3D:  No multiplayer available
  • Ecobee thermostat: Pings "ecobee.com", but "unable to connect to web servers".
  • Lyriq water leak detectors: Permanently offline 

etc, etc, etc.

Oddly, Windows PCs work.  Chrome, Maps, and Play Store work.  Some other apps work.  Many don't.

PIA confirmed the cause was "resolvers for [the] legacy network" - i.e. on their end.

Solution (router-based VPN only; this example uses DD-WRT):

0.  Follow this guide exactly.

1.  If your OpenVPN does not even try to connect, try removing this line from Additional Config:

 pull-filter ignore "auth-token"

It should at least connect now, but you will still have app/device issues as noted above. 

Note: This bug appears to affect only very old versions of DD-WRT.  If you can upgrade your firmware, you likely should.

2.  Set your router DNS to:


3.  Change to a "Next-Gen" server.  These all end in "privacy.network".


  • us-california.privacy.network
  • ca-montreal.privacy.network
  • uk-london.privacy.network

4.  You have to try different encryption/port combinations to see which one works.

For example, I used AES-128-CBC SHA1 on port 1198, using "ca.rsa.2048.crt".  It did not work, resulting in the app/smart device issues.

I then changed to AES-256-CBC SHA256 on port 1197, using "ca.rsa.4096.crt".  That worked fine.

You don't need to reboot your DD-WRT router (but you do need to hit "Save", then "Apply Settings"), and resolution will be more-or-less instant.  When you hit a "good" setup, you will know it.

The above did work on OpenVPN 2.3.  Newer DD-WRT builds have 2.4, hopefully it works for that too.

Similar steps should fix Tomato, ASUSWRT, Merlin, pfSense, whatever.  (I hope.)
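Since the fields a router GUI asks for (server, port, protocol, cipher, hash, CA file) are exactly what the provider's '.ovpn' profile spells out, here is an added example (my own code, not from PIA, DD-WRT, or the original post) that pulls those fields out of a profile and flags the "pull-filter" line from step 1. The profile text below is constructed for illustration and is not a real PIA file; the server name and cipher/port pairing simply echo the working combination described above. The only OpenVPN fact assumed beyond the post is that "pull-filter" is a 2.4-era directive, which is why a 2.3 client can refuse to start with it present.

```python
"""Extract router-GUI OpenVPN settings from a .ovpn client profile."""
import re

# Directives a 2.3-era OpenVPN client does not understand (assumption:
# only pull-filter is listed, since that is the line the post removes).
OPENVPN_24_ONLY = {"pull-filter"}

# Constructed sample profile -- not a real PIA file.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote us-california.privacy.network 1197
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-256-cbc
auth sha256
tls-client
remote-cert-tls server
auth-user-pass
ca ca.rsa.4096.crt
<crl-verify>
-----BEGIN X509 CRL-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CRL
-----END X509 CRL-----
</crl-verify>
disable-occ
pull-filter ignore "auth-token"
"""


def parse_ovpn(text):
    """Return a dict of the settings a router's OpenVPN client page needs."""
    s = {"remotes": [], "proto": "udp", "cipher": None, "auth": None,
         "ca_file": None, "ca_inline": None, "needs_2_4": []}
    default_port = 1194          # OpenVPN's default when no port is given
    inline_tag, inline_buf = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if inline_tag is not None:          # inside <tag> ... </tag>
            if line == "</%s>" % inline_tag:
                if inline_tag == "ca":      # keep an inline CA if present
                    s["ca_inline"] = "\n".join(inline_buf)
                inline_tag, inline_buf = None, []
            else:
                inline_buf.append(line)
            continue
        if not line or line[0] in "#;":     # blank or comment
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:                                # start of an inline block
            inline_tag = m.group(1)
            continue
        key, *args = line.split()
        if key == "remote" and args:         # remote host [port] [proto]
            port = int(args[1]) if len(args) > 1 else None
            s["remotes"].append([args[0], port])
            if len(args) > 2:
                s["proto"] = args[2]
        elif key == "port" and args:
            default_port = int(args[0])
        elif key == "proto" and args:
            s["proto"] = args[0]
        elif key == "cipher" and args:
            s["cipher"] = args[0].upper()    # GUI lists ciphers in caps
        elif key == "auth" and args:
            s["auth"] = args[0].upper()
        elif key == "ca" and args:
            s["ca_file"] = args[0]
        elif key in OPENVPN_24_ONLY:
            s["needs_2_4"].append(line)
    s["remotes"] = [(h, p if p is not None else default_port)
                    for h, p in s["remotes"]]
    return s


def is_nextgen(host):
    """Next-Gen PIA hostnames end in privacy.network (per the post)."""
    return host.lower().endswith("privacy.network")


def router_fields(s, openvpn_version="2.4"):
    """Map parsed settings onto the DD-WRT client form; the field names are
    descriptive labels, not DD-WRT's exact NVRAM keys."""
    host, port = s["remotes"][0]
    ca = s["ca_file"] or ("<paste inline CA block>" if s["ca_inline"] else None)
    return {
        "server": host,
        "next_gen": is_nextgen(host),
        "port": port,
        "tunnel_protocol": s["proto"],
        "encryption_cipher": s["cipher"],
        "hash_algorithm": s["auth"],
        "ca_cert": ca,
        # Lines to leave out of Additional Config on an old 2.3 build
        "drop_from_additional_config":
            s["needs_2_4"] if openvpn_version.startswith("2.3") else [],
    }


if __name__ == "__main__":
    for k, v in router_fields(parse_ovpn(SAMPLE_OVPN), "2.3").items():
        print("%-28s %s" % (k + ":", v))
```

Run it against the real profile for your preferred server (pass the file's text to parse_ovpn) and compare the output with what the router form currently holds; if the cipher, hash, port and CA file disagree with the profile, that combination is the first thing to change in step 4.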

This was the result of several days back and forth with PIA tech support.  Only their eventual fix has kept me with them, as I was just about to pull the trigger on NordVPN.

However, I can't help but say their NextGen rollout is a bit of a dumpster fire:

  • These problems should not be occurring.
  • They certainly should not be dumping people off perfectly good connections that have been flawless for years for reasons unknown. 
  • Their router setup guide was not updated in advance of NextGen rollout, which is dumb.
  • Their support staff seems unable to readily support the NextGen rollout, which is even dumber.
  • Tech support actually told me I had to figure out the NextGen settings by interpreting the '.ovpn' file for my preferred PIA server, which is dumbest of all, as that is not support.

It's almost like they never saw the NextGen transition coming. Which is just shoddy business.

Yes, I know there was a merger.  So either they had to changeover with little to no warning, or they forgot about their massive upcoming server changeover because of new business cards.  Either way, it's crap for the customer.
