Private Internet Access
Private Internet Access is a subscription-based VPN service. See its How It Works page for more information.
Contents
Manual
Installation
Download [1]. Unzip the file and move all files to /etc/openvpn/client
. Ensure the files have root
as the owner.
Usage
To test to see if you have successfully connected to the VPN, see this article.
Automatic
Official installation script
Private Internet Access has an installation script that sets up NetworkManager for use with the VPN. Download the script here and then run to set up.
Packages
- openvpn-pia — The package automates the method listed in the #Manual section, including renaming the configuartion files to be used with OpenVPN#systemd service configuration, as well as setting up the OpenVPN parameter
auth-user-pass
with a file for automatic login. Upon installation read/usr/share/doc/openvpn-pia/README
for setup.
- pia-nm — Installs NetworkManager configuration files for the VPN, similar to the #Official installation script.
- Private Internet Access VPN — Installs profiles for NetworkManager, Connman, and OpenVPN.
Tips and tricks
Internet "kill switch"
The following iptables rules only allow network traffic through the tun
interface, with the exception that traffic is allowed to PIA's DNS servers and to port 1197, which is used in establishing the VPN connection:
/etc/iptables/iptables.rules
:INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:10] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -i tun+ -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -d 209.222.18.222/32 -j ACCEPT -A OUTPUT -d 209.222.18.218/32 -j ACCEPT -A OUTPUT -p udp -m udp --dport 1197 -j ACCEPT -A OUTPUT -o tun+ -j ACCEPT -A OUTPUT -j REJECT --reject-with icmp-net-unreachable COMMIT
This ensures that if you are disconnected from the VPN uknowingly, no network traffic is allowed in or out.
If you wish to additionally access devices on your LAN, you will need to explicity allow them. For example, to allow access to devices on 192.0.0.0/24
, add the following two rules (before any REJECT rule):
-A INPUT -s 192.168.0.0/24 -j ACCEPT -A OUTPUT -d 192.168.0.0/24 -j ACCEPT
Additionally, the above rules block the ICMP protocol, which is probably not desired. See this thread for potential pitfalls of using these iptables rules as well as more details.