Private Internet Access/AUR

From ArchWiki

This article details the installation and usage of private-internet-access-vpn (AUR). For general information on the service and additional packages, see Private Internet Access.

Note: In 2019, PIA merged with Kape Technologies, and this event has been surrounded by a lot of controversy, especially via Reddit posts. However, since the merger, the following improvements have been made to the PIA infrastructure:
  • All PIA applications got released as Open Source: https://github.com/pia-foss
  • WireGuard got added to the VPN servers and VPN Apps
  • VPN servers got migrated from Ubuntu 14 LTS to ArchLinux
  • All VPN servers now are encrypted via dm-crypt, following advice from Arch devs
  • All VPN services now run in memory via ramdisk

Installation

Install the private-internet-access-vpn (AUR) or private-internet-access-vpn-dev (AUR) package.

Note: This is not meant to be installed through python-pip directly. See [1] for more information.

The package provides a tool that downloads the OpenVPN configuration files and stores them in /etc/openvpn. However, it updates the file names to better support using them on the command line.

Configuration for the package is stored in /etc/private-internet-access.

After installation

If there are any issues with connectivity and you are running connman, please restart connman-vpn.service.

Usage

Enabling auto-login

Note: This is a limitation of OpenVPN. See PIA's Support Center: How can I make OpenVPN remember my username and password? [dead link 2021-05-17]

Enabling auto-login allows a user to connect to the VPN service without having to type any passwords on the command line (needed when using networkmanager). To set this up, you must do the following:

  • Create /etc/private-internet-access/login.conf
  • Add your username and password in the file. Make sure LINE 1 is your username and LINE 2 is your password. Do not add any other text to the file or it will not work (this is a limitation of OpenVPN):
/etc/private-internet-access/login.conf
USERNAME
PASSWORD
  • Change permissions of the file to 0600 and owner to root:root:
# chmod 0600 /etc/private-internet-access/login.conf
# chown root:root /etc/private-internet-access/login.conf

This prevents non-root users from reading the file, and it is required when activating auto-login. Read more on File permissions and attributes.

  • Run pia -a as root.
    • If you have networkmanager installed, it will create the configuration files for networkmanager. Make sure to restart networkmanager to see them.
    • If you have connman installed, it will create the configuration files for connman. Start connman-vpn.service if not running already. It will auto load the profiles.
    • Regardless, it will create the OpenVPN .conf files in /etc/openvpn/client.
Tip: Disable auto-login in configurations by adding openvpn_auto_login = False to /etc/private-internet-access/pia.conf and running pia -a
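
The steps above create login.conf first and tighten its permissions afterwards, so the password is briefly readable under the default umask. The following is an added example, not part of the pia tool or this article's original text: it writes the file with mode 0600 from the start and then checks mode, owner and the two-line layout. The function names write_login_conf and check_login_conf are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example; write_login_conf and check_login_conf are hypothetical helper
# names, not part of the pia tool. Uses GNU stat (coreutils).

# write_login_conf PATH: reads username then password from stdin, so neither
# appears in a process listing. The umask makes the file 0600 from the moment
# it is created, leaving no window in which another user could read it.
write_login_conf() {
    (
        umask 077
        IFS= read -r user && IFS= read -r pass || exit 1
        tmp="$1.tmp.$$"
        printf '%s\n%s\n' "$user" "$pass" > "$tmp" && mv -f "$tmp" "$1"
    )
}

# check_login_conf PATH [UID:GID]: succeeds only if PATH is a regular file
# with mode 600, the expected owner (default 0:0, i.e. root:root) and exactly
# two non-blank lines, which is the layout described above.
check_login_conf() {
    path=$1
    want=${2:-0:0}
    if [ ! -f "$path" ] || [ -L "$path" ]; then
        echo "$path: not a regular file" >&2; return 1
    fi
    set -- $(stat -c '%a %u:%g' "$path")
    [ "$1" = 600 ] || { echo "$path: mode $1, expected 600" >&2; return 1; }
    [ "$2" = "$want" ] || { echo "$path: owner $2, expected $want" >&2; return 1; }
    awk 'NF == 0 { bad = 1 } END { exit !(NR == 2 && !bad) }' "$path" ||
        { echo "$path: must hold exactly two non-blank lines" >&2; return 1; }
}

# Demo on constructed credentials in a scratch directory (not /etc).
demo=$(mktemp -d)
printf 'p1234567\nconstructed-password\n' | write_login_conf "$demo/login.conf"
check_login_conf "$demo/login.conf" "$(stat -c '%u:%g' "$demo")" && echo "login.conf OK"
rm -rf "$demo"
```

On a real system, run check_login_conf /etc/private-internet-access/login.conf as root before pia -a; with no second argument it expects root:root.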

Manually connecting to VPN

# openvpn --config /etc/openvpn/client/{config_file_name}

To find {config_file_name}, look in the /etc/openvpn directory or run pia -l.

Automatically connecting to VPN

For connman:

  • Enable connman-vpn.service:
# systemctl enable connman-vpn.service
  • Run pia -a as root (if you have not already)
# pia -a
  • Get a list of all connman services and find the name of the VPN config (for example, Finland) in the second column
connmanctl services
...

*   Finland_VPN          vpn_fi_privateinternetaccess_com_privateinternetaccess_com
...
  • Connect to your chosen VPN config to create a connman settings file for it:
# connmanctl connect vpn_fi_privateinternetaccess_com_privateinternetaccess_com
  • Edit the relevant settings file:
# vim /var/lib/connman/vpn_fi_privateinternetaccess_com_privateinternetaccess_com/settings
  • Change the AutoConnect=false line to AutoConnect=true, save, exit, reboot
Tip: You can also configure autoconnect in the Details tab of cmst (AUR)
Tip: The VPN will keep working even after waking from suspend, unlike vanilla openvpn (see below)

For openvpn you can look here: OpenVPN#systemd service configuration.

Advanced options

Warning: Protocols and port combinations no longer work as of Version 3.1. See GitHub Issue #17 or PIA's Support - Which encryption/auth settings should I use for ports on your gateways?
  • Create /etc/private-internet-access/pia.conf
  • For the [pia] section:
| option | option values | description |
|---|---|---|
| openvpn_auto_login | True, False | Default: True; Configures if OpenVPN configuration files should have auto-login enabled. See #Enabling auto-login |
  • For the [configure] section:
| option | option values | description |
|---|---|---|
| apps | cm, nm | Default: all; Selects the applications for which configurations are generated. By default, configurations are generated for every supported application that is installed; setting this to 'cm' generates only Connman configurations even if NetworkManager is also installed. OpenVPN configurations are always generated. cm = Connman; nm = NetworkManager |
| port | For the list, see PIA's Support - Which encryption/auth settings should I use for ports on your gateways? | Default: 1198 |

Example configuration

The configuration enables auto-login, configures only Connman and OpenVPN, uses port 8080 over UDP, and configures only US East, US West, Japan, UK London, and UK Southampton VPN endpoints. OpenVPN is always configured.

/etc/private-internet-access/pia.conf

[pia]
openvpn_auto_login = True

[configure]
apps = cm
port = 8080
hosts = US East, US West, Japan, UK London, UK Southampton

Troubleshooting

Using NetworkManager's applet

In order to use the network-manager-applet to connect:

  1. Right click the NetworkManager icon in the system tray
  2. and click Configure Network Connections...
  3. then click Add
  4. choose Import VPN...
  5. browse to /etc/openvpn/client/CA_Toronto.conf or whichever configuration you would like to use
  6. then click Open
  7. Remove only the :1198 from the Gateway: (if present) as only the domain name should be in this box
  8. for the Username: type in your p1234567 username
  9. for the Password: type in the password that goes with your p-xxxxx username
  10. then click Advanced...
  11. set Custom gateway port: and set it to 1198
  12. click on the Security tab
  13. set the Cipher: to AES-128-CBC
  14. set the HMAC Authentication: to SHA-1
  15. click OK
  16. click OK again

DNS Leaks

Concerning DNS leaks (see python-pia/#13), NetworkManager leaks information due to how /etc/resolv.conf is set up. The script below was posted by @maximbaz to work around the problem. You may need to disable IPv6 if you continue to get leaks.

/etc/NetworkManager/dispatcher.d/pia-vpn

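#!/bin/bash
# /etc/NetworkManager/dispatcher.d/pia-vpn
# NetworkManager passes the interface name as $1 and the event as $2.

interface="$1"
status="$2"

case "$status" in
  vpn-up)
    if [[ $interface == "tun0" ]]; then
      # Unlock resolv.conf, write the two resolvers, then make the file
      # immutable so nothing overwrites it while the VPN is up.
      chattr -i /etc/resolv.conf
      echo -e "nameserver 209.222.18.222\nnameserver 209.222.18.218" > /etc/resolv.conf
      chattr +i /etc/resolv.conf
    fi
    ;;
  vpn-down)
    if [[ $interface == "tun0" ]]; then
      # Remove the immutable flag so the file can be rewritten again.
      chattr -i /etc/resolv.conf
    fi
    ;;
esac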
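
To confirm the dispatcher script took effect, the check below lists every nameserver in a resolv.conf that is not one of the two addresses the script writes. It is an added example, not part of python-pia or of @maximbaz's script; the function names are hypothetical and the sample file is constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical. The allow-list holds the
# two resolver addresses written by the dispatcher script above.
PIA_DNS="209.222.18.222 209.222.18.218"

# unexpected_nameservers FILE: prints each nameserver entry in FILE that is
# not in $PIA_DNS. Comment lines (starting with # or ;) are skipped.
unexpected_nameservers() {
    awk -v allowed="$PIA_DNS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[#;]/ { next }
        $1 == "nameserver" && !($2 in ok) { print $2 }
    ' "$1"
}

# resolv_conf_pinned FILE: succeeds only if FILE has at least one nameserver
# entry and every entry is on the allow-list.
resolv_conf_pinned() {
    grep -Eq '^[[:space:]]*nameserver[[:space:]]' "$1" || return 1
    [ -z "$(unexpected_nameservers "$1")" ]
}

# Constructed sample: one pinned resolver, one LAN resolver and one IPv6
# link-local resolver, the last two being the kind of entry that leaks.
sample=$(mktemp)
printf 'nameserver 209.222.18.222\nnameserver 192.168.1.1\nnameserver fe80::1%%wlan0\n' > "$sample"
unexpected_nameservers "$sample"
rm -f "$sample"
```

Run resolv_conf_pinned /etc/resolv.conf while the VPN is up; a non-zero exit means at least one resolver outside the allow-list is configured.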

See also