How to connect to PIA through OpenVPN on Linux

By | January 7, 2017

One of the most popular VPN providers these days is Private Internet Access (PIA). In this tutorial, I’ll show how to add a VPN connection to the Linux network manager with PIA’s service, using OpenVPN instead of PIA’s client software. Though the client app is robust and offers many useful features like a “VPN killswitch”, it can still crash, and it warns about potential network issues when you go to enable said features. There are also issues with IPv6 leaking, which can compromise your privacy. PIA’s client is still in beta for Linux, so instead you can install OpenVPN, which is free and open source software, and reap the benefit of a larger software project with most of the bugs already discovered and addressed. Adding a VPN connection on Linux is easy because the manager will pull most of the configuration information from the cert file PIA provides you. Lastly, I’ll show how to disable IPv6 on Linux to prevent it from leaking and revealing your IP address. With this method, I’m able to retain nearly 100% of my download speed.

This should work on most distributions (Ubuntu, Mint, Lubuntu, Gnome, etc). If you are a beginner and feel overwhelmed already, you might want to see tldr;

    1. Install the dependencies, edit NetworkManager.conf, and grab PIA’s OpenVPN zip file. Each line is a separate command.
      sudo apt-get update
      sudo apt-get install network-manager-openvpn network-manager network-manager-gnome network-manager-openvpn-gnome
      
      sudo nano /etc/NetworkManager/NetworkManager.conf
      # change managed from false to true
      
      sudo mkdir -p /etc/openvpn
      cd /etc/openvpn
      # /etc/openvpn is owned by root, so the download and extraction need sudo
      sudo wget http://www.privateinternetaccess.com/openvpn/openvpn.zip
      sudo unzip openvpn.zip
    2. Then click your connection icon in the upper right hand corner –> Network Settings
    3. Add new connection –> VPN –> Import from file
    4. Select the .ovpn file for the location you want to connect from.
    5. Add DNS servers. I used two of PIA’s DNS (209.222.18.222 and 209.222.18.218). You can use these, they are listed on the PIA site, or you can use OpenDNS addresses.
    6. Change the custom gateway port to 1198. The rest of the settings should be correct.
    7. Select cipher and HMAC Authentication. Note: you can use a stronger encryption method (higher number in cipher) at the cost of speed.
    8. Hit OK, Apply. Restart. Make sure you have your account number and password entered in the network setting manager. Connect by clicking the OFF/ON button visible in the picture from step 2. You should now be connected nearly instantly.
    9. Check to see if it is working by searching “what is my ip”. Observe IPv6 leaks on ipv6leak.com. You can verify that your IPv6 has leaked by typing “ifconfig” into the terminal and seeing if it matches the one displayed on the website.
    10. The best way to disable ipv6 is by adding “ipv6.disable=1” right before “quiet splash” in your GRUB file. This should work on a wider range of systems.
      
      sudo nano /etc/default/grub
      GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"
      sudo update-grub

      10b. Stop your IPv6 from leaking by adding the following lines to /etc/sysctl.conf

      sudo nano /etc/sysctl.conf
      # add the below lines
      ################################################
      # DISABLE IPV6
      net.ipv6.conf.all.disable_ipv6 = 1
      net.ipv6.conf.default.disable_ipv6 = 1
      net.ipv6.conf.lo.disable_ipv6 = 1
    11. Restart sysctl/read the changes with the command “sysctl -p”. Reload the IPv6 leak site to check if the issue is resolved. To refresh sysctl each time your computer boots, type “sudo crontab -e” and add a line at the bottom that goes “@reboot sysctl -p”. Ctrl+X to save and exit (make sure you call crontab with sudo or else it won’t work).
    12. Observe the fix.

A few notes on step 10b: though the changes to sysctl.conf are saved, it appears the effects are lost each time the system restarts, so adding the extra line to crontab is crucial. Alternatively, you can add a line with “sysctl -p” to your /etc/init.d, but I have not tested this.
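A scripted version of the check in steps 9 to 11, added here as an example and not part of the original tutorial or its installer script: it reads the `disable_ipv6` flags and looks for global-scope addresses in `ip -6 -o addr show` output. The function names and the sample output are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: check whether steps 10/10b really removed routable IPv6.

# Constructed sample of `ip -6 -o addr show` output (2001:db8::/32 is the
# documentation prefix, not a real host).
SAMPLE_IP_OUTPUT='1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:db8::10/64 scope global dynamic \       valid_lft 86000sec preferred_lft 14000sec
2: eth0    inet6 fe80::1/64 scope link \       valid_lft forever preferred_lft forever'

# Read `ip -6 -o addr show` output on stdin and print "<iface> <address>" for
# every global-scope address. Loopback and link-local entries are skipped.
global_ipv6_addrs() {
    awk '$3 == "inet6" {
        for (i = 5; i < NF; i++)
            if ($i == "scope" && $(i + 1) == "global") { print $2, $4; break }
    }'
}

# Print interfaces whose disable_ipv6 flag is not 1. $1 overrides the sysctl
# directory for testing. An absent directory (typical when the kernel was
# booted with ipv6.disable=1) means there is nothing to report.
ipv6_enabled_ifaces() {
    conf_dir="${1:-/proc/sys/net/ipv6/conf}"
    [ -d "$conf_dir" ] || return 0
    for flag in "$conf_dir"/*/disable_ipv6; do
        [ -r "$flag" ] || continue
        [ "$(cat "$flag")" = "1" ] || basename "$(dirname "$flag")"
    done
}

# Combine both checks: stdin is `ip -6 -o addr show` output, $1 the optional
# sysctl directory. Returns 0 only when no finding is printed.
ipv6_leak_check() {
    leak_status=0
    leak_addrs="$(global_ipv6_addrs)"
    leak_ifaces="$(ipv6_enabled_ifaces "${1:-}")"
    if [ -n "$leak_ifaces" ]; then
        echo "disable_ipv6 is not 1 on:" $leak_ifaces
        leak_status=1
    fi
    if [ -n "$leak_addrs" ]; then
        printf 'global IPv6 address still assigned: %s\n' "$leak_addrs"
        leak_status=1
    fi
    return "$leak_status"
}

# Live use: ip -6 -o addr show | ipv6_leak_check
printf '%s\n' "$SAMPLE_IP_OUTPUT" | ipv6_leak_check || echo "result: IPv6 can still leak"
```

Run it once after `sysctl -p` and again after a reboot to see whether the settings from step 10b survived the restart.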

Fire it up
Check your download and upload speed for the VPN server you are using. You can always add more profiles to choose from by repeating these steps.


If you have any trouble setting this up, comment below and I’ll see if I can help.

tldr;

For your convenience, I made an install script that can do most of this for you:
http://adamantine.me/wp-content/uploads/2017/01/openvpninstaller.sh
Open the console:

curl http://adamantine.me/wp-content/uploads/2017/01/openvpninstaller.sh > openvpninstaller.sh
sudo chmod +x openvpninstaller.sh
sudo ./openvpninstaller.sh

If you are capable, make sure to review the code before you issue the commands above. It differs slightly from the step-by-step instructions because I replaced the manual config edits with bash commands that make them automatically.



SHA256SUM: e70fb284f545aef8ff80ead455b99fd80bfe5a062b5f27ccbabd8b87b9112890

You’ll still need to do steps 2-7, but those steps are easy. Not that copy/pasting commands is hard, but there was a time where I would struggle with something like this. So there you go, openvpninstaller.sh
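The download commands above never compare the file against the published SHA256SUM. The following is an added example, not the author's installer, with hypothetical function names `verify_sha256` and `run_if_verified`: it runs a command only when the file matches the digest. The digest is only as trustworthy as the channel you read it over.

```bash
#!/usr/bin/env bash
# Added example: gate the installer on the SHA256SUM published on this page.

EXPECTED_SHA256="e70fb284f545aef8ff80ead455b99fd80bfe5a062b5f27ccbabd8b87b9112890"

# Return 0 only if file $1 hashes to hex digest $2 (case-insensitive);
# 1 on mismatch, 2 if the file is missing or the digest is not 64 hex chars.
verify_sha256() {
    vs_want="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    [ -f "$1" ] || { echo "missing file: $1" >&2; return 2; }
    case "$vs_want" in
        *[!0-9a-f]*) echo "malformed digest" >&2; return 2 ;;
    esac
    [ "${#vs_want}" -eq 64 ] || { echo "malformed digest" >&2; return 2; }
    vs_have="$(sha256sum "$1" | awk '{print $1}')"
    [ "$vs_have" = "$vs_want" ] && return 0
    echo "SHA-256 mismatch for $1: got $vs_have" >&2
    return 1
}

# Run the command given after the first two arguments only when file $1
# matches digest $2, so an altered or doubly-appended download never executes.
run_if_verified() {
    rv_file="$1"; rv_sum="$2"; shift 2
    verify_sha256 "$rv_file" "$rv_sum" || return $?
    "$@"
}

# Intended use (needs network access, so left commented out here):
#   curl -o openvpninstaller.sh http://adamantine.me/wp-content/uploads/2017/01/openvpninstaller.sh
#   less openvpninstaller.sh    # review before running
#   run_if_verified openvpninstaller.sh "$EXPECTED_SHA256" sudo bash ./openvpninstaller.sh

# Constructed self-check using the well-known SHA-256 of the three bytes "abc".
ABC_SHA256="ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
demo_file="$(mktemp)"
printf 'abc' > "$demo_file"
run_if_verified "$demo_file" "$ABC_SHA256" echo "verified: command runs"
printf 'abc' >> "$demo_file"   # what a second download with ">>" would do
run_if_verified "$demo_file" "$ABC_SHA256" echo "never printed" || echo "blocked after append"
rm -f "$demo_file"
```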

Going the extra mile

You want to be connected all the time, right? See how to auto-connect at boot. Make the changes recommended by top comment and second top comment. Then go to network settings, wired connection settings (or wifi if you’re using that, basically NOT the VPN settings) and go to the general tab, select “auto connect to VPN” and you should see the profile you set up earlier. Select that and click save.


So far we have the basic setup, but the client software that paid VPN services provide also does extra work to preserve your privacy by preventing certain information from leaking. We already covered IPv6 leaks, but what about DNS leaks? A DNS, or domain name server, is the dictionary your computer uses to translate domain names (adamantine.me) to IP addresses. A DNS may or may not have a record of all the websites you have visited, and may or may not log that activity indefinitely. A DNS leak can also reveal what ISP you use. With the latest version of OpenVPN, this is no problem. Add this line to the end of your OpenVPN .conf file:

block-outside-dns

Make sure you edit your DNS settings for your regular wired/Wifi connection as well. Edit connections -> Wired/Wifi -> Edit -> IPv4 Settings -> Method, select “Automatic (DHCP) addresses only”. Then enter the two PIA DNS servers (or your own choice of DNS servers) in the DNS servers box, separated by a comma.

209.222.18.222,209.222.18.218

It’s important to have a second DNS to fall back on if the first one goes down.

Reconnect then test at this site

Last but not least. That was a lot of work just for your browser to be exploited.

Disable WebRTC in Firefox:

  1. Type about:config in the address bar
  2. Find the setting media.peerconnection.enabled
  3. Set it to false

Whew, who would have thought privacy would be so much work? Now you have a leak proof encrypted connection that will automatically connect when you start or restart your computer. Happy actual incognito browsing!

update: small change to a command for accuracy. Also, it appears if you paste the shell script installer text, it will have some trouble carrying out commands that were broken into two lines. Try just pasting each command line by line if this happens.


2 thoughts on “How to connect to PIA through OpenVPN on Linux”

  1. The PIA Review

    Thanks for posting this awesome article. I search since
    a long time an answer to this subject and I have finally found it on your site.
    I saved your blog in my rss feed and shared it on my Facebook.
    Thanks again for this great article!
