Private Internet Access
Private Internet Access is a subscription-based VPN service.
Download the OpenVPN configurations from PIA. Unzip the archive and move all files to /etc/openvpn/client. Ensure the files are owned by root.
To use them with the systemd service (systemctl start openvpn-client@<config>), rename all the files to end in .conf and replace spaces in the configuration file names with underscores.
For automatic login, set auth-user-pass in the configuration file(s). See the description of this option in the OpenVPN article for more information.
To test whether you have successfully connected to the VPN, see this article.
Official installation script
Official Linux client
Private Internet Access now has an official client for Linux with support for Arch. Download the client from this page, unzip the file (e.g. pia-v81-installer-linux.tar.gz) and run the installation script (e.g.
- openvpn-pia — The package automates the method listed in the #Manual section, including renaming the configuration files to be used with OpenVPN#systemd service configuration, as well as setting the OpenVPN parameter auth-user-pass with a file for automatic login. Upon installation read
- pia-nm — Installs NetworkManager configuration files for the VPN, similar to the #Official installation script.
Tips and tricks
Internet "kill switch"
The following iptables rules only allow network traffic through the tun interface, with the exception that traffic is allowed to PIA's DNS servers and to port 1197, which is used in establishing the VPN connection:
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:10]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 188.8.131.52/32 -j ACCEPT
-A OUTPUT -d 184.108.40.206/32 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1197 -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-net-unreachable
COMMIT
This ensures that if you are unknowingly disconnected from the VPN, no network traffic is allowed in or out.
If you additionally wish to access devices on your LAN, you will need to explicitly allow them. For example, to allow access to devices on 192.168.0.0/24, add the following two rules (before any REJECT rule):
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -j ACCEPT
Additionally, the above rules block the ICMP protocol, which is probably not desired. See this thread for potential pitfalls of using these iptables rules as well as more details.
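Because a kill switch that is loaded with the wrong chain policy, an unrestricted ACCEPT, or a LAN exception placed below the REJECT silently fails open, it is worth checking the live ruleset rather than trusting that the file was applied. The following POSIX sh script is an added example and is not part of the wiki page: it audits an iptables-save style dump for the properties described above (DROP policies, every OUTPUT ACCEPT tied to lo, tun+, a destination or a port, and a terminating REJECT that sits below every ACCEPT) and shows how to insert the LAN exception above the REJECT. SAMPLE_RULES and BROKEN_RULES are constructed dumps that mirror the page's rules; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page. Audit an iptables-save dump for the
# kill-switch properties described above. On a live system call:
#   audit_killswitch "$(iptables-save)"

# Constructed dump mirroring the page's rules.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 188.8.131.52/32 -j ACCEPT
-A OUTPUT -d 184.108.40.206/32 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1197 -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-net-unreachable
COMMIT'

# Constructed mistake: the LAN exception appended after the REJECT (what
# "iptables -A" does), where it can never match.
BROKEN_RULES="$(printf '%s\n' "$SAMPLE_RULES" | sed '/^COMMIT$/d')
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -j ACCEPT
COMMIT"

# Insert the page's two LAN rules just above the OUTPUT REJECT so they are
# evaluated before traffic is rejected. Usage: add_lan_exception "$rules" CIDR
add_lan_exception() {
    printf '%s\n' "$1" | awk -v cidr="$2" '
        /^-A OUTPUT -j REJECT/ {
            print "-A INPUT -s " cidr " -j ACCEPT"
            print "-A OUTPUT -d " cidr " -j ACCEPT"
        }
        { print }'
}

# Print one FAIL line per problem; return 0 only when every check passes.
audit_killswitch() {
    rules=$1
    failures=0
    for chain in INPUT FORWARD OUTPUT; do
        if ! printf '%s\n' "$rules" | grep -q "^:$chain DROP "; then
            echo "FAIL: $chain default policy is not DROP"
            failures=$((failures + 1))
        fi
    done
    # Every OUTPUT ACCEPT must be tied to loopback, the tunnel, a specific
    # destination or a specific port; anything broader is a leak path.
    leaks=$(printf '%s\n' "$rules" | awk '
        /^-A OUTPUT / && / -j ACCEPT$/ &&
        !/ -o lo / && !/ -o tun[+] / && !/ -d / && !/ --dport / { n++ }
        END { print n + 0 }')
    if [ "$leaks" -gt 0 ]; then
        echo "FAIL: $leaks OUTPUT ACCEPT rule(s) not restricted to lo/tun/destination/port"
        failures=$((failures + 1))
    fi
    # The terminating REJECT must exist and sit below every ACCEPT; rules
    # after it (such as LAN exceptions) are unreachable.
    reject_line=$(printf '%s\n' "$rules" | grep -n '^-A OUTPUT -j REJECT' | head -n 1 | cut -d: -f1)
    if [ -z "$reject_line" ]; then
        echo "FAIL: OUTPUT has no terminating REJECT rule"
        failures=$((failures + 1))
    else
        last_accept=$(printf '%s\n' "$rules" | grep -n '^-A OUTPUT .*-j ACCEPT$' | tail -n 1 | cut -d: -f1)
        if [ -n "$last_accept" ] && [ "$last_accept" -gt "$reject_line" ]; then
            echo "FAIL: an OUTPUT ACCEPT rule follows the REJECT and can never match"
            failures=$((failures + 1))
        fi
    fi
    [ "$failures" -eq 0 ]
}
```

Run the audit after the VPN comes up and again after the tunnel is deliberately stopped; the same ruleset must pass in both states, since the kill switch is only useful when it does not depend on the tunnel being present.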
Setting PIA DNS
If you find that NetworkManager is controlling your host's DNS settings, and therefore your host cannot resolve any address, you will have to set the DNS server and attributes manually. You should see that it is a symbolic link when running the following command:
ls -l /etc/resolv.conf
Remove the symbolic link with
Then create a new /etc/resolv.conf and add the following:
nameserver 220.127.116.11
nameserver 18.104.22.168
Finally, make the file immutable so that no other application can modify it:
chattr +i /etc/resolv.conf
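NetworkManager or systemd-resolved can quietly restore the symlink on the next reconnect, which sends DNS queries outside the tunnel again. The following POSIX sh function is an added example, not part of the wiki page: it checks that resolv.conf is a regular file rather than a symlink, that it lists exactly the PIA nameservers given above, and (where lsattr is available) that the immutable attribute from chattr +i is set. It takes an optional path so it can be run against a copy; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page. Verify that resolv.conf is in the
# state the steps above produce. Usage: check_resolv [path]  (default
# /etc/resolv.conf). Nameserver addresses are the ones listed on the page.

PIA_NAMESERVERS="220.127.116.11 18.104.22.168"

# Return 0 if the file's nameserver lines are exactly the expected set
# (in any order) and nothing else.
nameservers_match() {
    file=$1
    found=$(awk '$1 == "nameserver" { print $2 }' "$file" | sort | tr '\n' ' ')
    expected=$(printf '%s\n' $PIA_NAMESERVERS | sort | tr '\n' ' ')
    [ "$found" = "$expected" ]
}

# Print one FAIL line per problem; return 0 only when all checks pass.
check_resolv() {
    file=${1:-/etc/resolv.conf}
    failures=0
    if [ -L "$file" ]; then
        echo "FAIL: $file is still a symlink to $(readlink "$file")"
        failures=$((failures + 1))
    elif [ ! -f "$file" ]; then
        echo "FAIL: $file does not exist"
        failures=$((failures + 1))
    else
        if ! nameservers_match "$file"; then
            echo "FAIL: $file does not list exactly the PIA nameservers"
            failures=$((failures + 1))
        fi
        # The immutable attribute only exists on filesystems that support it
        # (and lsattr may be absent), so report it without counting a failure.
        if command -v lsattr >/dev/null 2>&1; then
            attrs=$(lsattr -d "$file" 2>/dev/null | cut -d' ' -f1)
            case $attrs in
                *i*) ;;
                '')  echo "NOTE: could not read attributes of $file" ;;
                *)   echo "WARN: $file is not immutable (chattr +i not applied)" ;;
            esac
        fi
    fi
    [ "$failures" -eq 0 ]
}
```

Running check_resolv from a NetworkManager dispatcher script or a systemd timer turns the one-off setup above into something that is re-verified every time the network state changes.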
I can't connect to OpenVPN using PIA manager, or OpenVPN doesn't work
PIA manager still uses OpenVPN under the hood, so even if you don't directly use one of the OpenVPN methods, you still need it. First, check that it is installed. If you used one of the installation scripts, this should have been done for you.
If you're getting errors like
#<Errno::ECONNREFUSED: Connection refused - connect(2) for "127.0.0.1" port 31749>, that probably means TAP/TUN is not currently running. Either your kernel does not have it, in which case install a kernel which does (or compile a fresh one), or it isn't currently running, in which case it needs to be started:
# modprobe tun