Private Internet Access/AUR
This article details the installation and usage of private-internet-access-vpnAUR. For the general information on the service and additional packages, see Private Internet Access.
- All PIA applications got released as Open Source: https://github.com/pia-foss
- WireGuard got added to the VPN servers and VPN Apps
- VPN servers got migrated from Ubuntu 14 LTS to ArchLinux
- All VPN servers now are encrypted via dm-crypt, following advice from Arch devs
- All VPN services now run in memory via ramdisk
Installation
Install the private-internet-access-vpnAUR or private-internet-access-vpn-devAURpackage.
The package provides a tool that downloads the OpenVPN configuration files and stores them in /etc/openvpn
. However, it updates the file names to better support using them on the command line.
Configuration for the package is stored in /etc/private-internet-access
.
After installation
If there are any issues with connectivity and you are running connman, please restart connman-vpn.service
.
Usage
Enabling auto-login
Enabling auto-login allows a user to connect to the VPN service without having to type any passwords on the command line (needed when using networkmanager). To set this up, you must do the following:
- Create
/etc/private-internet-access/login.conf
- Add your username and password in the file. Make sure LINE 1 is your username and LINE 2 is your password. Do not add any other text to the file or it will not work (this is a limitation of OpenVPN):
/etc/private-internet-access/login.conf
USERNAME PASSWORD
- Change permissions of the file to 0600 and owner to root:root:
# chmod 0600 /etc/private-internet-access/login.conf # chown root:root /etc/private-internet-access/login.conf
This secures the access to the file from non-root users. Read more on File permissions and attributes. It is required when activating auto-login.
- Run
pia -a
as root.- If you have networkmanager installed, it will create the configuration files for networkmanager. Make sure to restart networkmanager to see them.
- If you have connman installed, it will create the configuration files for connman. Start
connman-vpn.service
if not running already. It will auto load the profiles. - Regardless, it will create the OpenVPN
.conf
files in/etc/openvpn/client
.
openvpn_auto_login = False
to /etc/private-internet-access/pia.conf
and running pia -a
Manually connecting to VPN
# openvpn --config /etc/openvpn/client/{config_file_name}
{config_file_name}
will be listed in the /etc/openvpn directory or run pia -l
.
Automatically connecting to VPN
For connman:
-
enable the
connman-vpn.service
.
# systemctl enable connman-vpn.service
- Run
pia -a
as root (if you have not already)
# pia -a
- Get a list of all connman services and find the name of the VPN config
(for example, Finland)
in the second column
connmanctl services
... * Finland_VPN vpn_fi_privateinternetaccess_com_privateinternetaccess_com ...
- Connect to your VPN chosen VPN config to create a connman settings file for it:
# connmanctl connect vpn_fi_privateinternetaccess_com_privateinternetaccess_com
- Edit the relevant settings file:
# vim /var/lib/connman/vpn_fi_privateinternetaccess_com_privateinternetaccess_com/settings
- Change the
AutoConnect=false
line toAutoConnect=true
, save, exit, reboot
For openvpn you can look here: OpenVPN#systemd service configuration.
Advanced options
- Create
/etc/private-internet-access/pia.conf
- For the
[pia]
section:
option | option values | description |
---|---|---|
openvpn_auto_login | True,False | Default: True; Configures if OpenVPN configuration files should have auto-login enabled. See #Enabling auto-login |
- For the
[configure]
section:
option | option values | description |
---|---|---|
apps | cm, nm | Default: all; This configures which applications are configured. The application will configure all applications installed; however, if a user only needed configurations for Conman, then setting this to 'cm' would generate only those configurations even if they had NetworkManager installed. OpenVPN configurations are always generated. cm = Conman; nm = NetworkManager |
port | See for list: PIA's Support - Which encryption/auth settings should I use for ports on your gateways? |
Default: 1198 |
Example configuration
The configuration enables auto-login, configures only Connman and OpenVPN, uses port 8080 over UDP, and configures only US East, US West, Japan, UK London, and UK Southampton VPN endpoints. OpenVPN is always configured.
/etc/private-internet-access/pia.conf
[pia] openvpn_auto_login = True [configure] apps = cm port = 8080 hosts = US East, US West, Japan, UK London, UK Southampton
Troubleshooting
Using NetworkManager's applet
In order to use the network-manager-applet to connect:
- Right click the NetworkManager icon in the system tray
- and click Configure Network Connections...
- then click Add
- choose Import VPN...
- browse to
/etc/openvpn/client/CA_Toronto.conf
or whichever configuration you would like to use - then click Open
- Remove only the
:1198
from theGateway:
(if present) as only the domain name should be in this box - for the
Username:
type in yourp1234567
username - for the
Password:
type in the password that goes with yourp-xxxxx
username - then click Advanced...
- set
Custom gateway port:
and set it to1198
- click on the Security tab
- set the
Cipher:
toAES-128-CBC
- set the
HMAC Authentication:
toSHA-1
- click OK
- click OK again
DNS Leaks
Concerning DNS Leaks (see python-pia/#13), NetworkManager leaks information due to how /etc/resolv.conf
is setup. The script below was posted by @maximbaz to work around the problem. You may need to disable IPv6 if you continue to get leaks.
/etc/NetworkManager/dispatcher.d/pia-vpn
#!/bin/bash #/etc/NetworkManager/dispatcher.d/pia-vpn interface="$1" status=$2 case $status in vpn-up) if [[ $interface == "tun0" ]]; then chattr -i /etc/resolv.conf echo -e "nameserver 209.222.18.222\nnameserver 209.222.18.218" > /etc/resolv.conf chattr +i /etc/resolv.conf fi ;; vpn-down) if [[ $interface == "tun0" ]]; then chattr -i /etc/resolv.conf fi ;; esac