One of the most popular VPN providers these days is Private Internet Access (PIA). In this tutorial, I’ll show how to add a VPN connection to the Linux network manager with PIA’s service, using OpenVPN instead of PIA’s client software. Though the client app is robust and offers many useful features like a “VPN killswitch”, it can still crash, and it warns about potential network issues when you go to enable said features. There are also issues with IPv6 leaking, which can compromise your privacy. PIA’s client is still in beta for Linux, so instead you can install OpenVPN, free and open source software, and reap the benefit of a larger software project with most of the bugs already discovered and addressed. Adding a VPN connection on Linux is easy because the network manager will pull most of the configuration information from the configuration (.ovpn) file PIA provides you. Lastly, I’ll show how to disable IPv6 on Linux to prevent it from leaking and revealing your IP address. With this method, I’m able to retain nearly 100% of my download speed.
This should work on most distributions (Ubuntu, Mint, Lubuntu, Gnome, etc). If you are a beginner and feel overwhelmed already, you might want to see the tl;dr.
1. Install the dependencies, edit NetworkManager.conf, and grab PIA’s OpenVPN zip file. Each line is a separate command.
   sudo apt-get update
   sudo apt-get install network-manager-openvpn network-manager network-manager-gnome network-manager-openvpn-gnome
   sudo nano /etc/NetworkManager/NetworkManager.conf # change managed from false to true
   sudo mkdir -p /etc/openvpn
   cd /etc/openvpn
   wget http://www.privateinternetaccess.com/openvpn/openvpn.zip
   unzip openvpn.zip
2. Then click your connection icon in the upper right hand corner –> Network Settings
3. Add new connection –> VPN –> Import from file
4. Select the .ovpn file for the location you want to connect from
5. Add DNS servers. I used two of PIA’s DNS servers. You can use those (they are listed on the PIA site) or OpenDNS addresses.
6. Change the custom gateway port to 1198. The rest of the settings should be correct.
7. Select the cipher and HMAC authentication. Note: you can use a stronger encryption method (higher number in the cipher name) at the cost of speed.
8. Hit OK, Apply. Restart. Make sure you have your account number and password entered in the network settings manager. Connect by clicking the OFF/ON button visible in the picture from step 2. You should now be connected nearly instantly.
9. Check that it is working by searching “what is my ip”. Check for IPv6 leaks on ipv6leak.com. You can confirm that your IPv6 address has leaked by typing “ifconfig” into the terminal and seeing whether it matches the one displayed on the website.
10. The best way to disable IPv6 is by adding “ipv6.disable=1” right before “quiet splash” in your GRUB file. This should work on a wider range of systems.
   sudo nano /etc/default/grub
   GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"
   sudo update-grub
10b. Stop your IPv6 from leaking by adding the following lines to /etc/sysctl.conf
   sudo nano /etc/sysctl.conf
   # add the below lines
   ################################################
   # DISABLE IPV6
   net.ipv6.conf.all.disable_ipv6 = 1
   net.ipv6.conf.default.disable_ipv6 = 1
   net.ipv6.conf.lo.disable_ipv6 = 1
11. Reload the changes with the command “sysctl -p”. Reload the IPv6 leak site to check that the issue is resolved. To re-apply the sysctl settings each time your computer boots, type “sudo crontab -e” and add a line at the bottom that reads “@reboot sysctl -p”. Ctrl+X to save and exit (make sure you call crontab with sudo or else it won’t work).
12. Observe the fix
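As an added example (my own shell, not the post’s openvpninstaller.sh), here are the edits from steps 10 and 10b as idempotent functions that take the target file as an argument, so you can rehearse them on a copy before touching /etc/default/grub and /etc/sysctl.conf; the file contents used in the demo are constructed.

```shell
#!/bin/sh
# Added example, not the post's openvpninstaller.sh: idempotent helpers for steps
# 10 and 10b; rehearse on a copy before touching /etc/sysctl.conf or /etc/default/grub.

# ensure_sysctl FILE KEY VALUE: set "KEY = VALUE" in FILE, replacing an existing
# line for KEY (commented out or not) or appending one, so repeated runs never
# duplicate the entry.
ensure_sysctl() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -i -E "s|^[#[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# disable_ipv6_sysctl FILE: the three lines from step 10b.
disable_ipv6_sysctl() {
    for k in net.ipv6.conf.all.disable_ipv6 \
             net.ipv6.conf.default.disable_ipv6 \
             net.ipv6.conf.lo.disable_ipv6; do
        ensure_sysctl "$1" "$k" 1
    done
}

# count_sysctl FILE KEY: number of active (uncommented) lines setting KEY; expect 1.
count_sysctl() {
    grep -Ec "^[[:space:]]*$2[[:space:]]*=" "$1" || true
}

# ensure_grub_ipv6_off FILE: put ipv6.disable=1 at the front of
# GRUB_CMDLINE_LINUX_DEFAULT (step 10) unless already present; run update-grub after.
ensure_grub_ipv6_off() {
    file=$1
    grep -Eq '^GRUB_CMDLINE_LINUX_DEFAULT=".*ipv6\.disable=1' "$file" && return 0
    if grep -Eq '^GRUB_CMDLINE_LINUX_DEFAULT="' "$file"; then
        sed -i -E 's|^GRUB_CMDLINE_LINUX_DEFAULT="|GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 |' "$file"
    else
        printf 'GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1"\n' >> "$file"
    fi
}

# Rehearsal on constructed copies; the second run of each helper is a no-op.
demo_dir=$(mktemp -d)
printf '# DISABLE IPV6\n#net.ipv6.conf.all.disable_ipv6 = 0\n' > "$demo_dir/sysctl.conf"
printf 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX_DEFAULT="quiet splash"\n' > "$demo_dir/grub"
disable_ipv6_sysctl "$demo_dir/sysctl.conf"; disable_ipv6_sysctl "$demo_dir/sysctl.conf"
ensure_grub_ipv6_off "$demo_dir/grub"; ensure_grub_ipv6_off "$demo_dir/grub"
cat "$demo_dir/sysctl.conf" "$demo_dir/grub"; rm -rf "$demo_dir"
```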
A few notes on step 10b: though the changes to sysctl.conf are saved, it appears the effects are lost each time the system restarts, so adding the extra line to crontab is crucial. Alternatively, you can add a line with “sysctl -p” to your /etc/init.d, but I have not tested this.
Fire it up
Check your download and upload speed for the VPN server you are using. You can always add more profiles to choose from by repeating these steps.
If you have any trouble setting this up, comment below and I’ll see if I can help.
For your convenience, I made an install script that can do most of this for you:
Open the console
curl http://adamantine.me/wp-content/uploads/2017/01/openvpninstaller.sh >> openvpninstaller.sh
sudo chmod +x openvpninstaller.sh
sudo ./openvpninstaller.sh
If you are capable, make sure to review the code before you issue the commands above. It differs slightly from the step-by-step guide, since I have replaced the manual config edits with bash commands so they happen automagically. You can also have the code emailed to you with the form below:
You’ll still need to do steps 2-7, but those steps are easy. Not that copy/pasting commands is hard, but there was a time where I would struggle with something like this. So there you go, openvpninstaller.sh
Going the extra mile
You want to be connected all the time, right? See how to auto-connect at boot. Make the changes recommended by top comment and second top comment. Then go to network settings, wired connection settings (or wifi if you’re using that, basically NOT the VPN settings) and go to the general tab, select “auto connect to VPN” and you should see the profile you set up earlier. Select that and click save.
So far we have the basic setup, but the client software that paid VPN services provide also does extra work to preserve your privacy by preventing certain information from leaking. We already covered IPv6 leaks, but what about DNS leaks? A DNS server (domain name server) is the dictionary your computer uses to translate domain names (adamantine.me) to IP addresses. A DNS server may or may not keep a record of all the websites you have visited, and may or may not log that activity indefinitely. A DNS leak can also reveal which ISP you use. With the latest version of OpenVPN, this is no problem. Add this line to the end of your OpenVPN .conf file:
Make sure you edit your DNS settings for your regular wired/Wifi connection as well. Edit connections -> Wired/Wifi -> Edit -> IPv4 Settings -> Method, select “Automatic (DHCP) addresses only”. Then enter the two PIA DNS servers (or your own choice of DNS servers) in the DNS servers box, separated by a comma.
It’s important to have a second DNS to fall back on if the first one goes down.
Reconnect then test at this site
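To check for both leaks from the terminal rather than a website, here is an added example (my own, not from the post) that tests a resolv.conf against the resolver addresses you entered in step 5 and counts global-scope IPv6 addresses in ip -6 addr output, covering the IPv6 check of step 9 as well; the sample data uses constructed documentation addresses (192.0.2.x, 2001:db8::), so substitute your own resolvers.

```shell
#!/bin/sh
# Added example, not part of the original post: a local leak check to run after
# connecting. Sample inputs are constructed (documentation address ranges), not
# captured from PIA; pass your own resolver addresses as arguments.

# resolvers_ok FILE ADDR...: succeed only if every active "nameserver" line in
# FILE (normally /etc/resolv.conf) is one of ADDR. Anything else means queries
# still go to the resolver DHCP handed out, i.e. a DNS leak to your ISP.
resolvers_ok() {
    file=$1; shift; bad=0
    for ns in $(awk '/^[[:space:]]*nameserver[[:space:]]/ {print $2}' "$file"); do
        ok=0
        for a in "$@"; do [ "$ns" = "$a" ] && ok=1; done
        [ "$ok" = 1 ] || { echo "DNS leak: resolver $ns is not a VPN resolver"; bad=1; }
    done
    return $bad
}

# global_ipv6_count: reads "ip -6 addr" output on stdin and counts inet6
# addresses with global scope. Link-local fe80:: addresses never leave the LAN;
# a global one is what ipv6leak.com sees, so after step 10/10b expect 0.
global_ipv6_count() {
    grep -Ec '^[[:space:]]*inet6 .* scope global' || true
}

# Constructed "ip -6 addr" output for a host that has NOT disabled IPv6.
SAMPLE_IP6='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1::5/64 scope global dynamic mngtmpaddr
       valid_lft 86390sec preferred_lft 14390sec
    inet6 fe80::1/64 scope link
       valid_lft forever preferred_lft forever'

# Rehearsal on the constructed data.
printf 'Global IPv6 addresses in sample: %s\n' "$(printf '%s\n' "$SAMPLE_IP6" | global_ipv6_count)"
tmp=$(mktemp)
printf 'search lan\nnameserver 192.0.2.1\nnameserver 10.0.0.1\n' > "$tmp"
resolvers_ok "$tmp" 192.0.2.1 192.0.2.2 || echo "sample resolv.conf would leak"
rm -f "$tmp"

# On the real host, after connecting (DNS1/DNS2 = the resolvers you entered
# in NetworkManager, e.g. the two PIA addresses):
#   ip -6 addr | global_ipv6_count
#   resolvers_ok /etc/resolv.conf DNS1 DNS2
```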
Last but not least: that was a lot of work just for your browser to give your real address away through WebRTC.
Disable WebRTC in Firefox:
- Type about:config in the address bar
- Find the setting media.peerconnection.enabled
- Set it to false
Whew, who would have thought privacy would be so much work? Now you have a leak-proof encrypted connection that will automatically connect when you start or restart your computer. Happy actual incognito browsing!