Private Internet Access/AUR

From ArchWiki

Tango-edit-clear.pngThis article or section needs language, wiki syntax or style improvements. See Help:Style for reference.Tango-edit-clear.png

Reason: Multiple style issues with whitespace, see Help:Style/White space (Discuss in Talk:Private Internet Access/AUR)

Merge-arrows-2.pngThis article or section is a candidate for merging with Private Internet Access.Merge-arrows-2.png

Notes: There should not be a subpage for installation from AUR, this should be incorporated within the main page. (Discuss in Talk:Private Internet Access/AUR)

This article details the installation and usage of private-internet-access-vpnAUR. For the general information on the service and additional packages, see Private Internet Access.

Note: In 2019, PIA merged with Kape Technologies, and this event has been surrounded by a lot of controversy, especially via reddit posts. However since the merger, the following improvements have been made to the PIA infrastructure:
  • All PIA applications got released as Open Source:
  • WireGuard got added to the VPN servers and VPN Apps
  • VPN servers got migrated from Ubuntu 14 LTS to Arch Linux
  • All VPN servers now are encrypted via dm-crypt, following advice from Arch devs
  • All VPN services now run in memory via ramdisk


Install private-internet-access-vpnAUR.

Note: This is not meant to be installed through python-pip directly. See [1] for more information.

The package provides a tool that downloads the OpenVPN configuration files and stores them in /etc/openvpn. However, it updates the file names to better support using them on the command line.

Configuration for the package is stored in /etc/private-internet-access.

After installation

If there are any issues with connectivity and you are running connman, please restart connman-vpn.service.


Enabling auto-login

Note: This is a limitation of OpenVPN. See PIA's Support Center: How can I make OpenVPN remember my username and password? [dead link 2021-05-17 ⓘ]

Enabling auto-login allows a user to connect to the VPN service without having to type any passwords on the command line (needed when using networkmanager). To set this up, you must do the following:

  • Create /etc/private-internet-access/login.conf
  • Add your username and password in the file. Make sure LINE 1 is your username and LINE 2 is your password. Do not add any other text to the file or it will not work (this is a limitation of OpenVPN):
  • Change permissions of the file to 0600 and owner to root:root:
# chmod 0600 /etc/private-internet-access/login.conf
# chown root:root /etc/private-internet-access/login.conf

This secures the access to the file from non-root users. Read more on File permissions and attributes. It is required when activating auto-login.

  • Run pia -a as root.
    • If you have networkmanager installed, it will create the configuration files for networkmanager. Make sure to restart networkmanager to see them.
    • If you have connman installed, it will create the configuration files for connman. Start connman-vpn.service if not running already. It will auto load the profiles.
    • Regardless, it will create the OpenVPN .conf files in /etc/openvpn/client.
Tip: Disable auto-login in configurations by adding openvpn_auto_login = False to /etc/private-internet-access/pia.conf and running pia -a

Manually connecting to VPN

# openvpn --config /etc/openvpn/client/{config_file_name}

{config_file_name} will be listed in the /etc/openvpn directory or run pia -l.

Automatically connecting to VPN

For connman

  • enable the connman-vpn.service.
  • Run pia -a as root (if you have not already)
# pia -a
  • Get a list of all connman services and find the name of the VPN config (for example, Finland) in the second column
connmanctl services

*   Finland_VPN          vpn_fi_privateinternetaccess_com_privateinternetaccess_com
  • Connect to your VPN chosen VPN config to create a connman settings file for it:
# connmanctl connect vpn_fi_privateinternetaccess_com_privateinternetaccess_com
  • Edit the relevant settings file, e.g /var/lib/connman/vpn_fi_privateinternetaccess_com_privateinternetaccess_com/settings
  • Change the AutoConnect=false line to AutoConnect=true, save, exit, reboot
  • You can also configure autoconnect in the Details tab of cmstAUR
  • The VPN will keep working even after waking from suspend, unlike vanilla openvpn (see below)

For openvpn you can look here: OpenVPN#systemd service configuration.

Advanced options

Warning: Protocols and port combinations no longer work as of Version 3.1. See Github Issue #17 or PIA's Support - Which encryption/auth settings should I use for ports on your gateways?
  • Create /etc/private-internet-access/pia.conf
  • For the [pia] section:
option option values description
openvpn_auto_login True,False Default: True; Configures if OpenVPN configuration files should have auto-login enabled. See #Enabling auto-login
  • For the [configure] section:
option option values description
apps cm, nm Default: all; This configures which applications are configured. The application will configure all applications installed; however, if a user only needed configurations for Conman, then setting this to 'cm' would generate only those configurations even if they had NetworkManager installed. OpenVPN configurations are always generated. cm = Conman; nm = NetworkManager
port See for list: PIA's Support -
Which encryption/auth settings should I use for ports on your gateways?
Default: 1198

Example configuration

The configuration enables auto-login, configures only Connman and OpenVPN, uses port 8080 over UDP, and configures only US East, US West, Japan, UK London, and UK Southampton VPN endpoints. OpenVPN is always configured.


openvpn_auto_login = True

apps = cm
port = 8080
hosts = US East, US West, Japan, UK London, UK Southampton


Using NetworkManager's applet

In order to use the network-manager-applet to connect:

  1. Right click the NetworkManager icon in the system tray
  2. and click Configure Network Connections...
  3. then click Add
  4. choose Import VPN...
  5. browse to /etc/openvpn/client/CA_Toronto.conf or whichever configuration you would like to use
  6. then click Open
  7. Remove only the :1198 from the Gateway: (if present) as only the domain name should be in this box
  8. for the Username: type in your p1234567 username
  9. for the Password: type in the password that goes with your p-xxxxx username
  10. then click Advanced...
  11. set Custom gateway port: and set it to 1198
  12. click on the Security tab
  13. set the Cipher: to AES-128-CBC
  14. set the HMAC Authentication: to SHA-1
  15. click OK
  16. click OK again

DNS Leaks

Concerning DNS Leaks (see python-pia/#13), NetworkManager leaks information due to how /etc/resolv.conf is setup. The script below was posted by @maximbaz to work around the problem. You may need to disable IPv6 if you continue to get leaks.




case $status in
    if [[ $interface == "tun0" ]]; then
      chattr -i /etc/resolv.conf
      echo -e "nameserver\nnameserver" > /etc/resolv.conf
      chattr +i /etc/resolv.conf
    if [[ $interface == "tun0" ]]; then
      chattr -i /etc/resolv.conf

See also