Private Internet Access

From ArchWiki

This article or section needs language, wiki syntax or style improvements. See Help:Style for reference.

Reason: Unconventional page format, this page requires a complete rewrite (Discuss in Talk:Private Internet Access)

Private Internet Access is a subscription-based VPN service.

Note: In 2019, PIA merged with Kape Technologies, and this event has been surrounded by a lot of controversy, especially via reddit posts. However, since the merger, the following improvements have been made to the PIA infrastructure:
  • All PIA applications got released as open source: https://github.com/pia-foss
  • WireGuard got added to the VPN servers and VPN Apps
  • VPN servers got migrated from Ubuntu 14.04 LTS to Arch Linux
  • All VPN servers now are encrypted via dm-crypt, following advice from the Arch Linux developers
  • All VPN services now run in memory via ramdisk

Manual

Note:
  • Disable IPv6 since it is not supported by PIA.[1]
  • Ensure you are using PIA's DNS servers, listed on their website.

NetworkManager applet approach

Installation

Download OpenVPN configuration files from PIA. Extract the ZIP file to a place in your user home directory or elsewhere that is memorable for future access. It is worth noting that even when WireGuard can be used on the Linux binary and on the app, PIA has yet to provide WireGuard files for configuration. In other words, only OpenVPN can be used when using the NetworkManager approach.

Install and configure NetworkManager along with the NetworkManager applet and OpenVPN plugin.

Configuration

  1. Right click on the NetworkManager applet from your desktop environment and click Edit Connections. Click the Plus sign in the bottom left corner of the Network Connections window that appears.
  2. When you choose a connection type, click the drop-down menu and scroll all the way down until you reach "Import a saved VPN configuration". Select that option. Now, click Create.
  3. Navigate to the directory you extracted all of the OpenVPN files to earlier, then open one of the files from that folder. Generally speaking, you will want to open the file that is associated with the connection you specifically want.
  4. After you have opened one of the OpenVPN files, the window that appears should be "Editing <connection type>". Type in your Username and Password that you received from Private Internet Access. There is an icon in the password box indicating user permission of the credentials; change the settings as you wish.
  5. Now, click Advanced. Next to "Use LZO data compression", click the drop-down menu to select "adaptive" and next to "Set virtual device type", click the menu and make sure "TUN" is selected.
  6. Next, go to the security tab and select as cipher "AES-128-CBC" and as HMAC Authentication "SHA-1".
  7. Click the OK button at the bottom left of the window to save this change.
  8. Go to the "IPv6 Settings" tab and select for "Method" "Ignore" since PIA blocks IPv6 addresses [2].
  9. Click Save at the bottom right of the "Editing <connection type>" window.

Usage

Left click on the NetworkManager applet. There is a VPN Connections menu. Inside it should be the VPN connection you saved. Click on it to connect to Private Internet Access.

When a gold lock has appeared over the NetworkManager applet, you are successfully connected to Private Internet Access. Visit Private Internet Access and confirm that you are connected by referring to the status message at the top of their homepage.

Note: If the VPN asks for a password, and you would like to avoid entering the password each time you attempt to connect, be sure to click the icon in the password box as noted previously regarding permission of credentials and change it to all users.

OpenVPN command line approach

Installation

Download OpenVPN configurations from PIA. Unzip the file and move all files to /etc/openvpn/client. Ensure the files have root as the owner.

Tip: To be able to use OpenVPN#systemd service configuration (e.g starting openvpn-client@config), rename the all the files and replace .opvn extension with .conf and replace spaces in configuration file names with underscores.

Usage

See OpenVPN#Starting OpenVPN.

Tip: To automatically login, append the name of the file containing your username and password immediately after auth-user-pass in the configuration file(s). See this option in openvpn(8)for more information.

To test to see if you have successfully connected to the VPN, see this article which recommends the following four tools:

Aur approach

Official installation script

Private Internet Access has an installation script that sets up NetworkManager for use with the VPN. Download the script here and then run to set up.

Note: Requires Python 2, which is no longer provided in the official repositories. Install python2AUR first or patch the script for Python 3.

Official Linux client

Private Internet Access now has an official client for Linux with support for Arch. Download the client from this page, unzip the file (e.g. pia-v81-installer-linux.tar.gz) and run the installation script (.e.g. # ./pia-v81-installer-linux.sh).

Packages

Tip: You need to enable and start piavpn.service
  • piavpn-bin — Automates the official installer
|| piavpn-binAUR
|| private-internet-access-vpnAUR

Installation

Install private-internet-access-vpnAUR.

Note: This is not meant to be installed through python-pip directly. See [3] for more information.

The package provides a tool that downloads the OpenVPN configuration files and stores them in /etc/openvpn. However, it updates the file names to better support using them on the command line.

Configuration for the package is stored in /etc/private-internet-access.

After installation

If there are any issues with connectivity and you are running connman, please restart connman-vpn.service.

Usage

Enabling auto-login

Note: This is a limitation of OpenVPN. See PIA's Support Center: How can I make OpenVPN remember my username and password? [dead link 2021-05-17 ⓘ]

Enabling auto-login allows a user to connect to the VPN service without having to type any passwords on the command line (needed when using networkmanager). To set this up, you must do the following:

  • Create /etc/private-internet-access/login.conf
  • Add your username and password in the file. Make sure LINE 1 is your username and LINE 2 is your password. Do not add any other text to the file or it will not work (this is a limitation of OpenVPN):
/etc/private-internet-access/login.conf
USERNAME
PASSWORD
  • Change permissions of the file to 0600 and owner to root:root:
# chmod 0600 /etc/private-internet-access/login.conf
# chown root:root /etc/private-internet-access/login.conf

This secures the access to the file from non-root users. Read more on File permissions and attributes. It is required when activating auto-login.

  • Run pia -a as root.
    • If you have networkmanager installed, it will create the configuration files for networkmanager. Make sure to restart networkmanager to see them.
    • If you have connman installed, it will create the configuration files for connman. Start connman-vpn.service if not running already. It will auto load the profiles.
    • Regardless, it will create the OpenVPN .conf files in /etc/openvpn/client.
Tip: Disable auto-login in configurations by adding openvpn_auto_login = False to /etc/private-internet-access/pia.conf and running pia -a

Manually connecting to VPN

# openvpn --config /etc/openvpn/client/{config_file_name}

{config_file_name} will be listed in the /etc/openvpn directory or run pia -l.

Automatically connecting to VPN

For connman

  • enable the connman-vpn.service.
  • Run pia -a as root (if you have not already)
# pia -a
  • Get a list of all connman services and find the name of the VPN config (for example, Finland) in the second column
connmanctl services
...

*   Finland_VPN          vpn_fi_privateinternetaccess_com_privateinternetaccess_com
...
  • Connect to your VPN chosen VPN config to create a connman settings file for it:
# connmanctl connect vpn_fi_privateinternetaccess_com_privateinternetaccess_com
  • Edit the relevant settings file, e.g /var/lib/connman/vpn_fi_privateinternetaccess_com_privateinternetaccess_com/settings
  • Change the AutoConnect=false line to AutoConnect=true, save, exit, reboot
Tip:
  • You can also configure autoconnect in the Details tab of cmstAUR
  • The VPN will keep working even after waking from suspend, unlike vanilla openvpn (see below)

For openvpn you can look here: OpenVPN#systemd service configuration.

Advanced options

Warning: Protocols and port combinations no longer work as of Version 3.1. See Github Issue #17 or PIA's Support - Which encryption/auth settings should I use for ports on your gateways?
  • Create /etc/private-internet-access/pia.conf
  • For the [pia] section:
option option values description
openvpn_auto_login True,False Default: True; Configures if OpenVPN configuration files should have auto-login enabled. See #Enabling auto-login
  • For the [configure] section:
option option values description
apps cm, nm Default: all; This configures which applications are configured. The application will configure all applications installed; however, if a user only needed configurations for Conman, then setting this to 'cm' would generate only those configurations even if they had NetworkManager installed. OpenVPN configurations are always generated. cm = Conman; nm = NetworkManager
port See for list: PIA's Support -
Which encryption/auth settings should I use for ports on your gateways?
Default: 1198

Example configuration

The configuration enables auto-login, configures only Connman and OpenVPN, uses port 8080 over UDP, and configures only US East, US West, Japan, UK London, and UK Southampton VPN endpoints. OpenVPN is always configured.

/etc/private-internet-access/pia.conf

[pia]
openvpn_auto_login = True

[configure]
apps = cm
port = 8080
hosts = US East, US West, Japan, UK London, UK Southampton

Troubleshooting

Using NetworkManager's applet

In order to use the network-manager-applet to connect:

  1. Right click the NetworkManager icon in the system tray
  2. and click Configure Network Connections...
  3. then click Add
  4. choose Import VPN...
  5. browse to /etc/openvpn/client/CA_Toronto.conf or whichever configuration you would like to use
  6. then click Open
  7. Remove only the :1198 from the Gateway: (if present) as only the domain name should be in this box
  8. for the Username: type in your p1234567 username
  9. for the Password: type in the password that goes with your p-xxxxx username
  10. then click Advanced...
  11. set Custom gateway port: and set it to 1198
  12. click on the Security tab
  13. set the Cipher: to AES-128-CBC
  14. set the HMAC Authentication: to SHA-1
  15. click OK
  16. click OK again

DNS Leaks

Concerning DNS Leaks (see python-pia/#13), NetworkManager leaks information due to how /etc/resolv.conf is setup. The script below was posted by @maximbaz to work around the problem. You may need to disable IPv6 if you continue to get leaks.

/etc/NetworkManager/dispatcher.d/pia-vpn

#!/bin/bash
#/etc/NetworkManager/dispatcher.d/pia-vpn

interface="$1"
status=$2

case $status in
  vpn-up)
    if [[ $interface == "tun0" ]]; then
      chattr -i /etc/resolv.conf
      echo -e "nameserver 209.222.18.222\nnameserver 209.222.18.218" > /etc/resolv.conf
      chattr +i /etc/resolv.conf
    fi
    ;;
  vpn-down)
    if [[ $interface == "tun0" ]]; then
      chattr -i /etc/resolv.conf
    fi
    ;;
esac

vopono

vopono is a tool to run specific applications via a VPN connection with temporary network namespaces. Automatic configuration generation is supported for PrivateInternetAccess.

It includes kill switch support by default, and support for forwarding and proxying ports from the network namespace to the host so you can run daemons and servers via the VPN whilst the rest of the system is unaffected.

See also

Tips and tricks

Internet "kill switch"

The following iptables rules only allow network traffic through the tun interface, with the exception that traffic is allowed to PIA's DNS servers and to port 1197, which is used in establishing the VPN connection:

/etc/iptables/iptables.rules
# Set default policies for INPUT, FORWARD, and OUTPUT chains to DROP
# This means all traffic is blocked by default unless explicitly allowed
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP

# Allow incoming traffic that is related to established connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow all traffic on the loopback interface
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Allow all incoming traffic on tun interfaces
-A INPUT -i tun+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
# Allow connections to PIA servers
-A OUTPUT -d 209.222.18.222/32 -j ACCEPT
-A OUTPUT -d 209.222.18.218/32 -j ACCEPT
# allow VPN establishing
-A OUTPUT -p udp -m udp --dport 1197 -j ACCEPT
# Reject all other outgoing traffic with an ICMP net unreachable message; catches any traffic not matched by previous rules
-A OUTPUT -j REJECT --reject-with icmp-net-unreachable

# Commit the changes to iptables
COMMIT

This ensures that if you are disconnected from the VPN unknowingly, no network traffic is allowed in or out.

If you wish to additionally access devices on your LAN, you will need to explicitly allow them. For example, to allow access to devices on 192.0.0.0/24, add the following two rules (before any REJECT rule):

-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -j ACCEPT

Additionally, the above rules block the ICMP protocol, which is probably not desired. See this thread for potential pitfalls of using these iptables rules as well as more details.

Setting PIA DNS

If you find that Network Manager is controlling your host's DNS settings, and therefore your host cannot resolve any address, you will have to manually set the DNS server and attributes. You should note a symbolic link when running the following command:

$ ls -l /etc/resolv.conf

Remove the symbolic link with rm /etc/resolv.conf Then create a new /etc/resolv.conf and add the following:

/etc/resolv.conf 
nameserver 209.222.18.222
nameserver 209.222.18.218

The factual accuracy of this article or section is disputed.

Reason: Using resolvconf after editing /etc/resolv.conf makes no sense. If openresolv is used then the nameservers should be set in /etc/resolvconf.conf, and /etc/resolv.conf should not be manually edited. (Discuss in Talk:Private Internet Access)

Next regenerate resolvconf by typing:

# resolvconf -u

This article or section needs language, wiki syntax or style improvements. See Help:Style for reference.

Finally make the file immutable so no other application can modify it:

chattr +i /etc/resolv.conf

Troubleshooting

I cannot connect to OpenVPN using PIA manager, or OpenVPN does not work

PIA manager still uses OpenVPN under the hood, so even if you do not directly use one of the OpenVPN methods, you still need it. Firstly, check that it is installed. If you used one of the installation scripts, this should be done for you.

If you are getting errors like #<Errno::ECONNREFUSED: Connection refused - connect(2) for "127.0.0.1" port 31749>, that probably means TAP/TUN is not currently running. Either your kernel does not have it, in which case install a kernel which does (or compile a fresh one), or it is not currently running, in which case it needs to be started:

# modprobe tun