Private Internet Access/AUR

From ArchWiki

This article details the installation and usage of private-internet-access-vpn (AUR). For general information on the service and additional packages, see Private Internet Access.

Note: In 2019, PIA merged with Kape Technologies, and this event has been surrounded by a lot of controversy, especially in Reddit posts. However, since the merger, the following improvements have been made to the PIA infrastructure:
  • All PIA applications got released as Open Source: https://github.com/pia-foss
  • WireGuard got added to the VPN servers and VPN Apps
  • VPN servers got migrated from Ubuntu 14 LTS to Arch Linux
  • All VPN servers now are encrypted via dm-crypt, following advice from Arch devs
  • All VPN services now run in memory via ramdisk

Installation

Install the private-internet-access-vpn (AUR) or private-internet-access-vpn-dev (AUR) package.

Note: This is not meant to be installed through python-pip directly. See [1] for more information.

The package provides a tool that downloads the OpenVPN configuration files and stores them in /etc/openvpn. It also renames the files so that they are easier to use on the command line.

Configuration for the package is stored in /etc/private-internet-access.

After installation

If there are any issues with connectivity and you are running connman, please restart connman-vpn.service.

Usage

Enabling auto-login

Note: This is a limitation of OpenVPN. See PIA's Support Center: How can I make OpenVPN remember my username and password? [dead link 2021-05-17]

Enabling auto-login allows a user to connect to the VPN service without having to type any passwords on the command line (needed when using networkmanager). To set this up, you must do the following:

  • Create /etc/private-internet-access/login.conf
  • Add your username and password in the file. Make sure LINE 1 is your username and LINE 2 is your password. Do not add any other text to the file or it will not work (this is a limitation of OpenVPN):
/etc/private-internet-access/login.conf
USERNAME
PASSWORD
  • Change permissions of the file to 0600 and owner to root:root:
# chmod 0600 /etc/private-internet-access/login.conf
# chown root:root /etc/private-internet-access/login.conf

This prevents non-root users from accessing the file. Read more on File permissions and attributes. It is required when activating auto-login.

  • Run pia -a as root.
    • If you have networkmanager installed, it will create the configuration files for networkmanager. Make sure to restart networkmanager to see them.
    • If you have connman installed, it will create the configuration files for connman. Start connman-vpn.service if not running already. It will auto load the profiles.
    • Regardless, it will create the OpenVPN .conf files in /etc/openvpn/client.
Tip: Disable auto-login in configurations by adding openvpn_auto_login = False to /etc/private-internet-access/pia.conf and running pia -a
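
The following check covers the file-format and permission requirements from the steps above. It is an added example, not part of the pia package; check_login_conf and its arguments are hypothetical names, and it assumes GNU stat and POSIX sh:

```sh
#!/bin/sh
# Added example: audit an OpenVPN credentials file such as
# /etc/private-internet-access/login.conf before running `pia -a`.
# check_login_conf is a hypothetical helper, not a pia command.

# Usage: check_login_conf FILE [UID:GID]
# The expected owner defaults to 0:0 (root:root).
check_login_conf() {
  clc_file="$1"
  clc_want="${2:-0:0}"
  clc_rc=0

  # Refuse symlinks: the permissions of the link target are what matter.
  if [ ! -f "$clc_file" ] || [ -L "$clc_file" ]; then
    echo "FAIL: $clc_file is missing or is a symlink" >&2
    return 1
  fi

  # Mode must be exactly 600: any group/other bit exposes the password.
  clc_mode=$(stat -c '%a' "$clc_file")
  if [ "$clc_mode" != "600" ]; then
    echo "FAIL: mode is $clc_mode, expected 600" >&2
    clc_rc=1
  fi

  clc_owner=$(stat -c '%u:%g' "$clc_file")
  if [ "$clc_owner" != "$clc_want" ]; then
    echo "FAIL: owner is $clc_owner, expected $clc_want" >&2
    clc_rc=1
  fi

  # Exactly two lines, both non-empty: username, then password.
  # grep -c '' also counts a final line that lacks a trailing newline.
  clc_lines=$(grep -c '' "$clc_file")
  if [ "$clc_lines" -ne 2 ] || grep -qE '^[[:space:]]*$' "$clc_file"; then
    echo "FAIL: expected exactly 2 non-empty lines, found $clc_lines" >&2
    clc_rc=1
  fi

  return "$clc_rc"
}

# When called with arguments, audit the given file.
if [ "$#" -gt 0 ]; then
  check_login_conf "$@" && echo "OK: $1"
fi
```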

Manually connecting to VPN

# openvpn --config /etc/openvpn/client/{config_file_name}

To find {config_file_name}, look in the /etc/openvpn directory or run pia -l.

Automatically connecting to VPN

For connman:

  • Enable connman-vpn.service.
  • Run pia -a as root (if you have not already)
# pia -a
  • Get a list of all connman services and find the name of the VPN config (for example, Finland) in the second column
$ connmanctl services
...

*   Finland_VPN          vpn_fi_privateinternetaccess_com_privateinternetaccess_com
...
  • Connect to your chosen VPN config to create a connman settings file for it:
# connmanctl connect vpn_fi_privateinternetaccess_com_privateinternetaccess_com
  • Edit the relevant settings file:
# vim /var/lib/connman/vpn_fi_privateinternetaccess_com_privateinternetaccess_com/settings
  • Change the AutoConnect=false line to AutoConnect=true, save, exit, reboot
Tip: You can also configure autoconnect in the Details tab of cmst (AUR)
Tip: The VPN will keep working even after waking from suspend, unlike vanilla openvpn (see below)

For openvpn you can look here: OpenVPN#systemd service configuration.

Advanced options

Warning: Protocols and port combinations no longer work as of Version 3.1. See GitHub Issue #17 or PIA's Support - Which encryption/auth settings should I use for ports on your gateways?
  • Create /etc/private-internet-access/pia.conf
  • For the [pia] section:
option | option values | description
openvpn_auto_login | True, False | Default: True; Configures if OpenVPN configuration files should have auto-login enabled. See #Enabling auto-login
  • For the [configure] section:
option | option values | description
apps | cm, nm | Default: all; This configures which applications are configured. The application will configure all applications installed; however, if a user only needed configurations for Connman, then setting this to 'cm' would generate only those configurations even if they had NetworkManager installed. OpenVPN configurations are always generated. cm = Connman; nm = NetworkManager
port | For the list, see PIA's Support - Which encryption/auth settings should I use for ports on your gateways? | Default: 1198

Example configuration

The configuration enables auto-login, configures only Connman and OpenVPN, uses port 8080 over UDP, and configures only US East, US West, Japan, UK London, and UK Southampton VPN endpoints. OpenVPN is always configured.

/etc/private-internet-access/pia.conf

[pia]
openvpn_auto_login = True

[configure]
apps = cm
port = 8080
hosts = US East, US West, Japan, UK London, UK Southampton

Troubleshooting

Using NetworkManager's applet

In order to use the network-manager-applet to connect:

  1. Right click the NetworkManager icon in the system tray
  2. and click Configure Network Connections...
  3. then click Add
  4. choose Import VPN...
  5. browse to /etc/openvpn/client/CA_Toronto.conf or whichever configuration you would like to use
  6. then click Open
  7. Remove only the :1198 from the Gateway: (if present) as only the domain name should be in this box
  8. for the Username: type in your p1234567 username
  9. for the Password: type in the password that goes with your p-xxxxx username
  10. then click Advanced...
  11. set Custom gateway port: and set it to 1198
  12. click on the Security tab
  13. set the Cipher: to AES-128-CBC
  14. set the HMAC Authentication: to SHA-1
  15. click OK
  16. click OK again

DNS Leaks

Concerning DNS leaks (see python-pia/#13), NetworkManager leaks information due to how /etc/resolv.conf is set up. The script below was posted by @maximbaz to work around the problem. You may need to disable IPv6 if you continue to get leaks.

/etc/NetworkManager/dispatcher.d/pia-vpn

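#!/bin/bash
# /etc/NetworkManager/dispatcher.d/pia-vpn
# NetworkManager calls dispatcher scripts with the interface name as $1
# and the event name as $2.

interface="$1"
status="$2"

case "$status" in
  vpn-up)
    if [[ "$interface" == "tun0" ]]; then
      # Overwrite the resolver list with the two nameservers below, then set
      # the immutable flag so nothing rewrites the file while the VPN is up.
      chattr -i /etc/resolv.conf
      echo -e "nameserver 209.222.18.222\nnameserver 209.222.18.218" > /etc/resolv.conf
      chattr +i /etc/resolv.conf
    fi
    ;;
  vpn-down)
    if [[ "$interface" == "tun0" ]]; then
      # Clear the immutable flag so resolv.conf can be managed again.
      chattr -i /etc/resolv.conf
    fi
    ;;
esac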
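
To confirm the workaround took effect, the check below lists any nameserver in resolv.conf other than the two the dispatcher script writes. It is an added example, not part of the original script or of pia; rogue_nameservers and PIA_DNS are hypothetical names:

```sh
#!/bin/sh
# Added example: verify that resolv.conf names only the resolvers written by
# the dispatcher script. rogue_nameservers is a hypothetical helper.

# The two addresses the dispatcher script on this page writes on vpn-up.
PIA_DNS="209.222.18.222 209.222.18.218"

# Usage: rogue_nameservers [FILE]   (FILE defaults to /etc/resolv.conf)
# Prints every nameserver in FILE that is not listed in PIA_DNS.
# Returns 0 only if at least one nameserver is set and all are allowed.
rogue_nameservers() {
  rn_file="${1:-/etc/resolv.conf}"
  rn_seen=0
  rn_bad=0

  # Only lines whose first field is exactly "nameserver" count; commented
  # lines ("#nameserver ..." or "# nameserver ...") are skipped by the match.
  for rn_ns in $(awk '$1 == "nameserver" { print $2 }' "$rn_file"); do
    rn_seen=$((rn_seen + 1))
    case " $PIA_DNS " in
      *" $rn_ns "*) ;;                      # allowed resolver
      *) echo "$rn_ns"; rn_bad=$((rn_bad + 1)) ;;
    esac
  done

  # An empty resolver list is also a failure: lookups would fall back to
  # whatever the libc default is rather than the VPN resolvers.
  [ "$rn_seen" -gt 0 ] && [ "$rn_bad" -eq 0 ]
}

# When called with arguments, check the given file and report the result.
if [ "$#" -gt 0 ]; then
  if rogue_nameservers "$1"; then
    echo "OK: only VPN resolvers configured"
  else
    echo "LEAK RISK: unexpected or missing nameservers in $1" >&2
  fi
fi
```

Run it with /etc/resolv.conf as the argument while the VPN is up; any IPv6 resolver it prints corresponds to the IPv6 leak case mentioned above.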

See also