Private Internet Access
Private Internet Access is a subscription-based VPN service.
- All PIA applications got released as open source: https://github.com/pia-foss
- WireGuard got added to the VPN servers and VPN Apps
- VPN servers got migrated from Ubuntu 14.04 LTS to Arch Linux
- All VPN servers now are encrypted via dm-crypt, following advice from the Arch Linux developers
- All VPN services now run in memory via ramdisk
NetworkManager applet approach
Download OpenVPN configuration files from PIA[dead link 2021-05-17 ⓘ]. Extract the ZIP file to a place in your user home directory or elsewhere that is memorable for future access. It's worth noting that even when WireGuard can be used on the Linux binary and on the app, PIA has yet to provide WireGuard files for configuration. In other words, only OpenVPN can be used when using the NetworkManager approach.
Install and configure NetworkManager along with the NetworkManager applet and OpenVPN plugin.
- Right click on the NetworkManager applet from your desktop environment and click Edit Connections. Click the Plus sign in the bottom left corner of the Network Connections window that appears.
- When you choose a connection type, click the drop-down menu and scroll all the way down until you reach "Import a saved VPN configuration". Select that option. Now, click Create.
- Navigate to the directory you extracted all of the OpenVPN files to earlier, then open one of the files from that folder. Generally speaking, you will want to open the file that is associated with the connection you specifically want.
- After you have opened one of the OpenVPN files, the window that appears should be "Editing <connection type>". Type in your Username and Password that you received from Private Internet Access. There is an icon in the password box indicating user permission of the credentials; change the settings as you wish.
- Now, click Advanced. Next to "Use LZO data compression", click the drop-down menu to select "adaptive" and next to "Set virtual device type", click the menu and make sure "TUN" is selected.
- Next, go to the security tab and select as cipher "AES-128-CBC" and as HMAC Authentication "SHA-1".
- Click the OK button at the bottom left of the window to save this change.
- Go to the "IPv6 Settings" tab and select for "Method" "Ignore" since PIA blocks IPv6 addresses .
- Click Save at the bottom right of the "Editing <connection type>" window.
Left click on the NetworkManager applet. There is a VPN Connections menu. Inside it should be the VPN connection you saved. Click on it to connect to Private Internet Access.
When a gold lock has appeared over the NetworkManager applet, you are successfully connected to Private Internet Access. Visit Private Internet Access and confirm that you are connected by referring to the status message at the top of their homepage.
OpenVPN command line approach
Download OpenVPN configurations from PIA. Unzip the file and move all files to
/etc/openvpn/client. Ensure the files have
root as the owner.
systemctl start openvpn-client@<config>), rename the all the files and replace
.confand replace spaces in configuration file names with underscores.
auth-user-passin the configuration file(s). See this option in for more information.
To test to see if you have successfully connected to the VPN, see this article which recommends the following four tools:
Official installation script
Official Linux client
Private Internet Access now has an official client for Linux with support for Arch. Download the client from this page, unzip the file (e.g.
pia-v81-installer-linux.tar.gz) and run the installation script (.e.g.
- piavpn-bin — Automates the official installer
- || AUR
- || AUR
vopono is a tool to run specific applications via a VPN connection with temporary network namespaces. Automatic configuration generation is supported for PrivateInternetAccess.
It includes kill switch support by default, and support for forwarding and proxying ports from the network namespace to the host so you can run daemons and servers via the VPN whilst the rest of the system is unaffected.
Tips and tricks
Internet "kill switch"
The following iptables rules only allow network traffic through the
tun interface, with the exception that traffic is allowed to PIA's DNS servers and to port 1197, which is used in establishing the VPN connection:
:INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:10] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -i tun+ -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -d 188.8.131.52/32 -j ACCEPT -A OUTPUT -d 184.108.40.206/32 -j ACCEPT -A OUTPUT -p udp -m udp --dport 1197 -j ACCEPT -A OUTPUT -o tun+ -j ACCEPT -A OUTPUT -j REJECT --reject-with icmp-net-unreachable COMMIT
This ensures that if you are disconnected from the VPN unknowingly, no network traffic is allowed in or out.
If you wish to additionally access devices on your LAN, you will need to explicitly allow them. For example, to allow access to devices on
192.0.0.0/24, add the following two rules (before any REJECT rule):
-A INPUT -s 192.168.0.0/24 -j ACCEPT -A OUTPUT -d 192.168.0.0/24 -j ACCEPT
Additionally, the above rules block the ICMP protocol, which is probably not desired. See this thread for potential pitfalls of using these iptables rules as well as more details.
Setting PIA DNS
If you find that Network Manager is controlling your host's DNS settings, and therefore your host cannot resolve any address, you will have to manually set the DNS server and attributes. You should note a symbolic link when running the following command:
ls -l /etc/resolv.conf
Remove the symbolic link with
Then create a new
/etc/resolv.conf and add the following:
nameserver 220.127.116.11 nameserver 18.104.22.168
Next regenerate resolvconf by typing:
# resolvconf -u
Finally make the file immutable so no other application can modify it:
chattr +i /etc/resolv.conf
I cannot connect to OpenVPN using PIA manager, or OpenVPN does not work
PIA manager still uses OpenVPN under the hood, so even if you do not directly use one of the OpenVPN methods, you still need it. Firstly, check that it's installed. If you used one of the installation scripts, this should be done for you.
If you are getting errors like
#<Errno::ECONNREFUSED: Connection refused - connect(2) for "127.0.0.1" port 31749>, that probably means TAP/TUN is not currently running. Either your kernel does not have it, in which case install a kernel which does (or compile a fresh one), or it is not currently running, in which case it needs to be started:
# modprobe tun