Private Internet Access VPN

PIA is a subscription based service provided from PIA. See its How It Works page for more information.

Requirements

PIA supports nearly any operating system and solution any user would need. This guide automatically sets up the configurations for PIA which works for most Arch Linux users.

Note: Arch Linux users may set up PIA manually by reading information on PIA Client Support page.

Installation

Install the private-internet-access-vpnAUR or private-internet-access-vpn-devAURpackage.

The package provides a tool that downloads the OPENVPN CONFIGURATION FILES (DEFAULT) and stores them in /etc/openvpn. However, it updates the file names to better support using them on the command line.

Configuration for the package is stored in /etc/private-internet-access

After Installation

If there are any issues with connectivity and you are running connman, please restart connman-vpn.service.

Usage

Note: As of version 2.0, the command pia is provided by python-pia.
Note: As of version 1.5, the command as changed from pia-auto-login.py to pia. Also, command line options have changed.

Enabling auto-login

Enabling auto-login allows a user to connect to the VPN service without having type any passwords on the command line (needed when using networkmanager). To set this up, you must do the following:

  • Create /etc/private-internet-access/login.conf
  • Add your username and password in the file. Make sure LINE 1 is your username and LINE 2 is your password. Do not add any other text to the file or it will not work (this is a limitation of OpenVPN):
/etc/private-internet-access/login.conf
USERNAME
PASSWORD
  • Change permissions of the file to 0600 and owner to root:root:
# chmod 0600 /etc/private-internet-access/login.conf
# chown root:root /etc/private-internet-access/login.conf
This secures the access to the file from non-root users. Read more on File permissions and attributes. It is required when activating auto-login.
  • Run pia -a as root.
    • If you have networkmanager installed, it will create the configuration files for networkmanager. Make sure to restart networkmanager to see them.
    • If you have connman installed, it will create the configuration files for connman. Start connman-vpn.service if not running already. It will auto load the profiles.
    • Regardless, it will create the OpenVPN .conf files in /etc/openvpn.
Tip: Disable auto-login in configurations by adding openvpn_auto_login = False to /etc/private-internet-access/pia.conf and running pia -a

Manually Connecting to VPN

Run openvpn --config /etc/openvpn/{config_file_name} as root. {config_file_name} will be listed in the /etc/openvpn directory or run pia -l.

Automatically connect to VPN

  1. enable the connman-vpn.service.
  2. Run pia -a as root.
Note: These are unsupported configurations.

Advanced Options

Warning: Protocols and port combinations no longer work as of Version 3.1. See Github Issue #17 or PIA's Support - Which encryption/auth settings should I use for ports on your gateways?
  • Create /etc/private-internet-access/pia.conf
  • For the [pia] section:
option option values description
openvpn_auto_login True,False Default: True; Configures if OpenVPN configuration files should have auto-login enabled. See #Enabling auto-login
strong_encryption True,False Default: False; Configures strong encryption. Uses port 1197, cipher aes-256-cbc, auth sha256. Custom configurations for port, cipher, and auth are ignored when enabling this option.
  • For the [configure] section:
option option values description
apps cm, nm Default: all; This configures which applications are configured. The application will configure all applications installed; however, if a user only needed configurations for Conman, then setting this to 'cm' would generate only those configurations even if they had NetworkManager installed. OpenVPN configurations are always generated. cm = Conman; nm = NetworkManager
port 501, 502, 1197, 1198 Default: 1198; This configures which port and protocol the VPN uses. 501,502=TCP; 1197,1198=UDP
cipher aes-128-cbc, aes-256-cbc, bf-cbc, None Default: aes-128-cbc; This configures the data encryption cipher.
auth sha1, sha256, None Default: sha1; This configures the data authentication.

Example Configuration

The configuration enables auto-login, configures only Connman and OpenVPN, uses port 8080 over UDP, and configures only US East, US West, Japan, UK London, and UK Southampton VPN endpoints. OpenVPN is always configured.

/etc/private-internet-access-vpn/pia.conf

[pia]
openvpn_auto_login = True

[configure]
apps = cm
port = UDP/8080
hosts = US East, US West, Japan, UK London, UK Southampton

See also