Connect to Private Internet Access (PIA) VPN with OpenVPN on Ubuntu (2023)

This post covers using OpenVPN on Ubuntu 16.04 to connect to a Private Internet Access (PIA) VPN server. PIA has configuration files ready to useherewhich we will use as the base for our configuration file. I will go through each option so you understand any potential issues you may be facing. The first thing we have to do is install OpenVPN to be able to run it

sudo apt-get install openvpn

Once we have it installed, we must download the certificate that we will use to connect to the PIA servers. Download the above mentioned zip file to the openvpn directory with cd /etc/openvpn and then download the zip file with

sudo wgethttps://www.privateinternetaccess.com/openvpn/openvpn.zip

Once we have the ZIP file, we can unzip it into a separate folder to keep the main directory clean. We probably need to install the unzip utility, so run sudo apt-get install unzip. Now we unzip the downloaded file in a new PIA directory

sudo unzip openvpn.zip -d PIA

All together we get:

sudo apt-get install openvpncd /etc/openvpnsudo wgethttps://www.privateinternetaccess.com/openvpn/openvpn.zipsudo apt-get install unzipsudo unzip openvpn.zip -d PIA

Since we are creating our own configuration file for OpenVPN, we only need the peer certification file for connecting to VPN servers ca.rsa.2048.crt and the certification revocation list file crl.rsa from the ZIP archive. 2048.pem. The CRL is used to list all the certificate keys that cannot connect to the PIA servers. We can move these files to the main OpenVPN directory

sudo mv /etc/openvpn/PIA/ca.rsa.2048.crt /etc/openvpn/ca.rsa.2048.crtsudo mv /etc/openvpn/PIA/crl.rsa.2048.pem /etc/openvpn/crl.rsa.2048.pem

Now that we have the keys, let's create the configuration file that OpenVPN will use to connect to the PIA servers. We create an empty file with

sudo touch /etc/openvpn/pia.conf.

We also need to create a separate file for the username and password.

sudo touch /etc/openvpn/creds.conf

Before we get to the actual configuration, let's recap the commands:

sudo mv /etc/openvpn/PIA/ca.rsa.2048.crt /etc/openvpn/ca.rsa.2048.crtsudo mv /etc/openvpn/PIA/crl.rsa.2048.pem /etc/openvpn/crl.rsa.2048.pemsudo touch /etc/openvpn/pia.confsudo touch /etc/openvpn/creds.conf

The full setup we will go through is:

Clientdevelopers doremote us-east.privateinternetaccess.com 1198 udpremote us-east.privateinternetaccess.com 502 tcpResolution-infinite retrydo not tiepersistent keypersist-tunChiffre aes-128-cbcsha1 authenticationcrl-check /etc/openvpn/crl.rsa.2048.pemca /etc/openvpn/ca.rsa.2048.crtremote-tls-cert-serverauth-user-pass /etc/openvpn/creds.confauto-nocachecomp-lzoverb 1reg-seg 0Disable occupancy

The first option passed to OpenVPN is client, which is a shortcut for using the pull and tls-client options. The pull option is used on a client to allow a server to which many clients connect (or a multi-tenant server) to send routes to the client. This forces all queries to go through the PIA servers. The tls-client option enables TLS (often referred to as SSL) encryption. The next OpenVPN option is dev, which can be set to TUN or TAP. We put TUN here, which allows for lower traffic overhead, but can only be used on IP-based traffic and cannot create Ethernet bridges. TAP, on the other hand, is more compatible with a variety of network protocols because it behaves like a real network adapter (like a virtual adapter). It can also be used to bridge Ethernet adapters, but all of this comes at the cost of more overhead, as it adds data to each data packet sent. 99% of the time you will need TUN unless you are trying to connect to PIA with a variety of devices like printers, network drives, etc. The next option for OpenVPN is Remote, of which we will have two copies, one for UDP, which is less expensive but has no troubleshooting, and an option for TCP to use in your browser. We indicate the host name of the PIA server to which we want to connect, the port used for this type of connection and the network protocol used (UDP or TCP). Using two remote options allows for a fallback option if the first one fails. I used US East as my VPN server, but you have to choose from the listherethat best suits your needs.

Clientdevelopers doremote us-east.privateinternetaccess.com 1198 udpremote us-east.privateinternetaccess.com 502 tcp

The next option is resolv-retry, which we set to infinity. This means that we want to keep trying to reconnect forever. This can be set to a number, say 5, which OpenVPN will then only try to reconnect with 5 times before failing. The nobind option tells OpenVPN not to use the local IP address and port. This is used with the remote option so that the PIA servers can assign these values ​​dynamically themselves. The next two, persist-key and persist-tun tell OpenVPN not to reopen/reload on OpenVPN reboots. This allows reboots via the SIGUSR1 signal without reloading the keys and the tun connection. SIGUSR1 (and SIGUSR2) are user-defined signals that you can use for your own scripts. These are optional but nice to have when you want to automate reconnection.

Resolution-infinite retrydo not tiepersistent keypersist-tun

The following options are security specific. The Encryption option specifies the encryption algorithm to use. PIA uses aes-128-cbc, but if you want to see a list of supported algorithms, run openvpn --show-ciphers. The auth option defines the message digest algorithm, which is almost always SHA-1. The next two options use the two files we copied. The crl-verify option is used to certify the certificate revocation list. The value of this is where the CRL is located, ie crl-verify /etc/openvpn/crl.rsa.2048.pem. The same applies to the ca option, which specifies the certification used: ca /etc/openvpn/ca.rsa.2048.crt. The remote certificate option is a shortcut option and is equivalent to -remote-cert-ku a0 88 -remote-cert-eku "TLS web client authentication". The remote-cert-ku option requires that a peer certificate be specially signed with a key. This is encoded in hexadecimal (the part ao 88). The remote-cert-eku option requires the same peer certificate to be signed with an extended key. This is encoded in OpenSSL symbolic representation. This ensures proper TLS authentication with the PIA servers.

Chiffre aes-128-cbcsha1 authenticationcrl-check /etc/openvpn/crl.rsa.2048.pemca /etc/openvpn/ca.rsa.2048.crtremote-tls-cert-server

I want to go through the auth-user-pass option on its own, as we'll be using the /etc/openvpn/creds.conf file we created here. This file has two lines, the username and the password. It is important to remember that this text file must be in UNIX format and not DOS. If you're creating and editing the file on Linux, that's fine, but if you're using Windows and SFTP, you should probably convert it to Unix format. If you don't convert it, you may get errors about badly formatted auth file. Open the creds.conf file we created with sudo nano /etc/openvpn/creds.conf. In the file we have two option values: "YOUR_USERNAME" is your PIA username and "YOUR_PASSWORD" is your PIA password. How to convert the creds.conf file to Unix format if you need to run the command

sudo dos2unix /etc/openvpn/creds.conf.YOUR USERNAMEYOUR PASSWORD

Save this file and since it contains your password in clear text, we'll change the permissions to read-only for the root user. We set the owner to root with

sudo chown root:root /etc/openvpn/creds.conf

and set to read-only

sudo chmod 0400 /etc/openvpn/creds.conf

Be sure to set this AFTER adding your username and password to the creds.conf file. We now need to reference this file in the main OpenVPN configuration file, and we do this by adding the path to your credentials file to the auth-user-pass option. We also added the auth-nocache option to disallow storing username and password in virtual memory. This is an added security precaution for your PIA credentials.

auth-user-pass /etc/openvpn/creds.confauto-nocache

We're done with the authorization page, so now let's add the comp-lzo option, which enables lzo compression. Ubuntu comes with lzo compression, but if you don't have it you can install it with it

sudo apt-get install liblzo2–2

The Verb option sets the amount of logging you want for OpenVPN operations. This can be set from a low value of 0 to a high value of 11. For debugging, set this value in the range of 6-11. 1-4 is normal running, which I like to set to 1 when everything is working. The associated status option determines where the logs go, and I set this to /etc/openvpn/openvpn.log. Normally, the logs for most programs are moved to the /var/logs/ directory if desired. The reneg-sec option tells OpenVPN to renegotiate the data channel key after n seconds. The default is 3600, but we'll set it to 0 since we'll be using the same key when connecting to the PIA servers. Finally, the disabled-occ option tells OpenVPN not to display warnings when there are inconsistent options between peers. PIA servers can update their server-side options, but it may not affect the connection, so we don't want any bugs in this regard. This is an optional field.

comp-lzoverb 1Status /etc/openvpn/openvpn.logreg-seg 0Disable occupancy

Once we have all the options configured, we simply run OpenVPN with the --config option and specify the configuration we created. You will see startup information and finally you will see Initialization Sequence Completed and you will be connected to the OpenVPN servers. To be safe, we can open another terminal and type curl ipinfo.io/ip and this website will return our public IP address, which should be the PIA server you configured in the remote option.

sudo openvpn — config /etc/openvpn/pia.confcurl ipinfo.io/ip

We now want OpenVPN to always connect to the PIA servers when booting in the background. We do this with the init.d configuration. OpenVPN already comes with an init.d script, so we only need to change the configuration files that OpenVPN will use. We only have one conf file /etc/openvpn/pia.conf, so we open the configuration file init.d sudo nano /etc/default/openvpn and create a new line above the #AUTOSTART='all' line with AUTOSTART= ' tweet '. This AUTOSTART variable tells the init.d script to automatically start all conf files for each AUTOSTART you define. It can have more than one AUTOSTART value. We don't need to add the .conf as this is implicit when the script loads our configuration file. The relevant part of the OpenVPN script looks like this:

# Only start these VPNs automatically via the startup script.# Allowed values ​​are "all", "none", or a space-separated list of# VPN names. If empty, "everyone" is assumed.# The VPN name refers to the name of the VPN configuration file.# namely. "home" would be /etc/openvpn/home.conf#AUTOSTART='pia'#AUTOSTART="all"#AUTOSTART="none"#AUTOSTART="home office"

Now you need to run the init.d file and once OpenVPN has started the PIA configuration file, you will see a message: Autostart VPN 'pia'.