lollipopcloud/armbian/vpn/pia.md

Private Internet Access (PIA)

This is a VERY advanced topic with some creative tricks to simplify getting the config added to NetworkManager. You're on your own.

The author strongly recommends reading through this and adapting/tuning well ahead of any real need(s).

Inspiration / Sources

• http://blog.deadlypenguin.com/blog/2017/04/24/vpn-auto-connect-command-line/
• https://forums.linuxmint.com/viewtopic.php?t=97187
• https://unix.stackexchange.com/questions/301845/scripting-a-way-to-quickly-import-ovpn-files-to-networkmanager-on-ubuntu
• https://www.privateinternetaccess.com/pages/client-support/

Prep Work

Download PIA OpenVPN advanced configs, drop them in a good place on the filesystem and script import.

All files can be found Under Advanced OpenVPN SSL Restrictive Configurations on the main PIA website.

Download PIA OpenVPN Template Files

mkdir -p /etc/pia
cd /etc/pia
mkdir openvpn-strong
cd openvpn-strong
wget https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip
unzip openvpn-strong.zip
cd ..
mkdir openvpn-strong-tcp
cd openvpn-strong-tcp
wget https://www.privateinternetaccess.com/openvpn/openvpn-strong-tcp.zip
unzip openvpn-strong-tcp.zip
cd ..

Add OpenVPN To Network Manager

# NetworkManager Gnome is *required* to get a missing library on xenial
# OMIT Gnome item if you can get away with it...

apt update
apt install network-manager-openvpn

Cleanup Files for Import

The cipher lines in the templates provided by PIA won't work 100% correctly on import. These commands will clean them up for import.

cd /etc/pia
cd openvpn-strong
sed -i 's/aes-256-cbc/AES-256-CBC/g' *.ovpn
sed -i 's/sha256/SHA256/g' *.ovpn
sed -i 's_crl.rsa.4096.pem_/etc/pia/openvpn-strong/crl.rsa.4096.pem_g' *.ovpn
sed -i 's_ca.rsa.4096.crt_/etc/pia/openvpn-strong/ca.rsa.4096.crt_g' *.ovpn
cd ..
cd openvpn-strong-tcp
sed -i 's/aes-256-cbc/AES-256-CBC/g' *.ovpn
sed -i 's/sha256/SHA256/g' *.ovpn
sed -i 's_crl.rsa.4096.pem_/etc/pia/openvpn-strong-tcp/crl.rsa.4096.pem_g' *.ovpn
sed -i 's_ca.rsa.4096.crt_/etc/pia/openvpn-strong-tcp/ca.rsa.4096.crt_g' *.ovpn
cd ..

Import / Setup

Manual Import

Import the cleaned up, provided OpenVPN profiles. This will require intervention on your part after the profile is created in NetworkManager to ensure it can connect properly.

Note: this assumes UDP profiles, tweak for the openvpn-strong-tcp directory if desired or necessary

Initial Import / Edit

nmcli connection import type openvpn file /etc/pia/openvpn-strong/[con_name].ovpn
nmcli con show
vim /etc/NetworkManager/system-connections/[con_name]

Adjustments/Necessary Verification

id=PIA - [con_name]

[vpn]
auth=SHA256
cipher=AES-256-CBC
password-flags=0
user-name=[your_username]

[vpn-secrets]
password=[your_password]

Update Profiles in NetworkManager

# Reload For Changes
nmcli connection reload [uuid_from_above]

# Connect
nmcli con up [uuid_from_above]

Scripted Import

Some automated imports based on how the ovpn files are normally imported via nmcli

Note: this assumes UDP profiles, you'll need to tweak this as you see fit for TCP

Install uuidgen

apt update
apt install uuid-runtime

Create List of VPN Endpoints

cat > /etc/pia/server_list.txt << EOF
us-west.privateinternetaccess.com=PIA - USA (West)
us-east.privateinternetaccess.com=PIA - USA (East)
us-midwest.privateinternetaccess.com=PIA - USA (Midwest)
aus.privateinternetaccess.com=PIA - Australia (Sydney)
austria.privateinternetaccess.com=PIA - Austria
belgium.privateinternetaccess.com=PIA - Belgium
ca-toronto.privateinternetaccess.com=PIA - Canada (Toronto) (East)
ca-vancouver.privateinternetaccess.com=PIA - Canada (Vancouver) (West)
fi.privateinternetaccess.com=PIA - Finland
france.privateinternetaccess.com=PIA - France
germany.privateinternetaccess.com=PIA - Germany
hk.privateinternetaccess.com=PIA - Hong Kong
in.privateinternetaccess.com=PIA - India
japan.privateinternetaccess.com=PIA - Japan
mexico.privateinternetaccess.com=PIA - Mexico
nl.privateinternetaccess.com=PIA - Netherlands
no.privateinternetaccess.com=PIA - Norway
sg.privateinternetaccess.com=PIA - Singapore
spain.privateinternetaccess.com=PIA - Spain
sweden.privateinternetaccess.com=PIA - Sweden
swiss.privateinternetaccess.com=PIA - Switzerland
turkey.privateinternetaccess.com=PIA - Turkey
uk-london.privateinternetaccess.com=PIA - UK (London)
brazil.privateinternetaccess.com=PIA - Brazil
EOF

Setup NeworkManager Profiles

Some fancy bash tricks to get the full list of NetworkManager PIA connections imported in one copy/paste.

*Note: You'll need to fill in [your_username] and [your_password] before running this block of commands.

export PIA_USER="[your_username]"
export PIA_PASSWORD="[your_password]"
while read line;
do
desc=$(echo $line | cut -f2 -d'=')
dns=$(echo $line | cut -f1 -d'=')
file="/etc/NetworkManager/system-connections/$desc"

cat > "$file" <<EOF
[connection]
id=$desc
uuid=`uuidgen`
type=vpn
permissions=
secondaries=

[vpn]
connection-type=password
auth=SHA256
password-flags=0
remote=${dns}:1197
cipher=AES-256-CBC
comp-lzo=yes
reneg-seconds=0
remote-cert-tls=server
ca=/etc/pia/openvpn-strong/ca.rsa.4096.crt
dev=tun
service-type=org.freedesktop.NetworkManager.openvpn
username=${PIA_USER}

[vpn-secrets]
password=${PIA_PASSWORD}

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto

EOF

chmod 600 "$file"

done < /etc/pia/server_list.txt

systemctl restart NetworkManager
nmcli con show

Testing VPN (Post Setup)

Go to each link below and verify you're safe.

• https://www.privateinternetaccess.com/pages/whats-my-ip/
• http://dnsleak.com/
• http://ipv6leak.com/
• http://emailipleak.com/