ishan
/
manual-connections
mirror of https://github.com/pia-foss/manual-connections.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

added support for OpenVPN

This commit is contained in:
gunix 2020-10-09 23:11:51 +03:00
parent 8d7b921c28
commit 366f132d1e
12 changed files with 637 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
README.md
View File

@ -1,25 +1,22 @@
# Manual PIA VPN Connections
__This project is "Work in Progress"__
This repository contains documentation on how to create native WireGuard connections to our __NextGen network__, and also on how to enable Port Forwarding in case you require this feature. Documentation on OpenVPN will follow soon enough.
This repository contains documentation on how to create native WireGuard and OpenVPN connections to our __NextGen network__, and also on how to enable Port Forwarding in case you require this feature. You will find a lot of information below. However if you prefer quick test, here is the __TL/DR__:
You will find a lot of information bellow. However if you prefer a hands-on approach, here is the __TL/DR__:
* clone this repo: `git clone https://github.com/pia-foss/manual-connections.git`
* use `get_region_and_token.sh` to get the best region and a token
* use `connect_to_wireguard_with_token.sh` to create a WireGuard connection with/without PF
Here is a oneliner example:
```
sudo PIA_AUTOCONNECT=wireguard PIA_USER=p0123456 PIA_PASS=xxxxxxxxxx ./get_region_and_token.sh
git clone https://github.com/pia-foss/manual-connections.git
cd manual-connections
./run_setup.sh
```
The scripts were written so that they are easy to read and to modify. We hope you will enjoy forking the repo and customizing the scripts for your setup!
### Dependencies
In order for the scripts to work (probably even if you do a manual setup), you will need the following packages:
* `curl`
* `jq`
* (only for WireGuard) `wireguard-tools` and wireguard kernel module
* (only for OpenVPN) `openvpn` (however the script is not available yet)
* (only for WireGuard) `wg-quick` and `wireguard` kernel module
* (only for OpenVPN) `openvpn`
### Confirmed systems and distributions
@ -45,13 +42,13 @@ This service can be used only AFTER establishing a VPN connection.
## Automated setup of VPN and/or PF
In order to help you use VPN services and PF on any device, we have prepare a few bash scripts that should help you through the process of setting everything up. The scripts also contain a lot of comments, just in case you require detailed information regarding how the technology works.
In order to help you use VPN services and PF on any device, we have prepared a few bash scripts that should help you through the process of setting everything up. The scripts also contain a lot of comments, just in case you require detailed information regarding how the technology works. The functionality is controlled via environment variables, so that you have an easy time automating your setup.
Here is a list of scripts you could find useful:
* [Get the best region and a token](get_region_and_token.sh): This script helps you to get the best region and also to get a token for VPN authentication. The script will extend it's functionality if you add extra environment variables. Adding your PIA credentials will allow the script to also get a VPN token. The script can also trigger the WireGuard script to create a connection, if you specify `PIA_AUTOCONNECT=wireguard`.
* [Connect to WireGuard](connect_to_wireguard_with_token.sh): This script allow you to connect to the VPN server via WireGuard. You can specify `PIA_PF=true` if you also wish to get Port Forwarding for your connection.
* Connect to OpenVPN: We are still working on this script.
* [Enable Port Forwarding](port_forwarding.sh): Enables you to add Port Forwarding to an existing VPN connection.
* [Get the best region and a token](get_region_and_token.sh): This script helps you to get the best region and also to get a token for VPN authentication. Adding your PIA credentials to env vars `PIA_USER` and `PIA_PASS` will allow the script to also get a VPN token. The script can also trigger the WireGuard script to create a connection, if you specify `PIA_AUTOCONNECT=wireguard` or `PIA_AUTOCONNECT=openvpn_udp_standard`
* [Connect to WireGuard](connect_to_wireguard_with_token.sh): This script allows you to connect to the VPN server via WireGuard.
* [Connect to OpenVPN](connect_to_openvpn_with_token.sh): This script allows you to connect to the VPN server via OpenVPN.
* [Enable Port Forwarding](port_forwarding.sh): Enables you to add Port Forwarding to an existing VPN connection. Adding the environment variable `PIA_PF=true` to any of the previous scripts will also trigger this script.
## Manual setup of PF

234
connect_to_openvpn_with_token.sh Executable file
View File

@ -0,0 +1,234 @@
#!/bin/bash
# Copyright (C) 2020 Private Internet Access, Inc.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
# This function allows you to check if the required tools have been installed.
function check_tool() {
cmd=$1
if ! command -v $cmd &>/dev/null
then
echo "$cmd could not be found"
echo "Please install $cmd"
exit 1
fi
}
# Now we call the function to make sure we can use wg-quick, curl and jq.
check_tool curl
check_tool jq
check_tool openvpn
# Check if manual PIA OpenVPN connection is alread intitialized.
# Multi-hop is out of the scope of this repo, but you should be able to
# get multi-hop running with both OpenVPN and WireGuard.
adapter_check="$( ip a s tun06 )"
should_read="Device \"tun06\" does not exist"
pid_filepath="/opt/piavpn-manual/pia_pid"
if [[ "$adapter_check" != "$should_read" ]]; then
echo The tun06 adapter already exists, that interface is required
echo for this configuration.
if [ -f "$pid_filepath" ]; then
old_pid="$( cat "$pid_filepath" )"
old_pid_name="$( ps -p "$old_pid" -o comm= )"
if [[ $old_pid_name == 'openvpn' ]]; then
echo
echo It seems likely that process $old_pid is an OpenVPN connection
echo that was established by using this script. Unless it is closed
echo you would not be able to get a new connection.
echo -n "Do you want to run $ kill $old_pid (Y/n): "
read close_connection
fi
if echo ${close_connection:0:1} | grep -iq n ; then
echo Closing script. Resolve tun06 adapter conflict and run the script again.
exit 1
fi
echo Killing the existing OpenVPN process and waiting 5 seconds...
kill $old_pid
sleep 5
fi
fi
# PIA currently does not support IPv6. In order to be sure your VPN
# connection does not leak, it is best to disabled IPv6 altogether.
if [ $(sysctl -n net.ipv6.conf.all.disable_ipv6) -ne 1 ] ||
[ $(sysctl -n net.ipv6.conf.default.disable_ipv6) -ne 1 ]
then
echo 'You should consider disabling IPv6 by running:'
echo 'sysctl -w net.ipv6.conf.all.disable_ipv6=1'
echo 'sysctl -w net.ipv6.conf.default.disable_ipv6=1'
fi
# Check if the mandatory environment variables are set.
if [[ ! $OVPN_SERVER_IP ||
! $OVPN_HOSTNAME ||
! $PIA_PF ||
! $PIA_TOKEN ||
! $CONNECTION_SETTINGS ]]; then
echo 'This script requires 3 env vars:'
echo 'OVPN_SERVER_IP - IP that you want to connect to'
echo 'OVPN_HOSTNAME - name of the server, required for ssl'
echo 'CONNECTION_SETTINGS - the protocol and encryption specification'
echo ' - available options for CONNECTION_SETTINGS are:'
echo ' * openvpn_udp_standard'
echo ' * openvpn_udp_strong'
echo ' * openvpn_tcp_standard'
echo ' * openvpn_tcp_strong'
echo
echo You can also specify optional env vars:
echo "PIA_PF - enable port forwarding"
echo "PAYLOAD_AND_SIGNATURE - In case you already have a port."
echo
echo An easy solution is to just run get_region_and_token.sh
echo as it will guide you through getting the best server and
echo also a token. Detailed information can be found here:
echo https://github.com/pia-foss/manual-connections
exit 1
fi
# Create a credentials file with the login token
echo "Trying to write /opt/piavpn-manual/pia.ovpn...
"
mkdir -p /opt/piavpn-manual
rm -f /opt/piavpn-manual/credentials /opt/piavpn-manual/route_info
echo ${PIA_TOKEN:0:62}"
"${PIA_TOKEN:62} > /opt/piavpn-manual/credentials || exit 1
# Translate connection settings variable
IFS='_'
read -ra connection_settings <<< "$CONNECTION_SETTINGS"
IFS=' '
protocol="${connection_settings[1]}"
encryption="${connection_settings[2]}"
prefix_filepath="openvpn_config/standard.ovpn"
if [[ $encryption == "strong" ]]; then
prefix_filepath="openvpn_config/strong.ovpn"
fi
if [[ $protocol == "udp" ]]; then
if [[ $encryption == "standard" ]]; then
port=1198
else
port=1197
fi
else
if [[ $encryption == "standard" ]]; then
port=502
else
port=501
fi
fi
# Create the OpenVPN config based on the settings specified
cat $prefix_filepath > /opt/piavpn-manual/pia.ovpn || exit 1
echo remote $OVPN_SERVER_IP $port $protocol >> /opt/piavpn-manual/pia.ovpn
# Copy the up/down scripts to /opt/piavpn-manual/
# based upon use of PIA DNS
if [ "$PIA_DNS" != true ]; then
cp openvpn_config/openvpn_up.sh /opt/piavpn-manual/
cp openvpn_config/openvpn_down.sh /opt/piavpn-manual/
echo This configuration will not use PIA DNS.
echo If you want to also enable PIA DNS, please start the script
echo with the env var PIA_DNS=true. Example:
echo $ OVPN_SERVER_IP=\"$OVPN_SERVER_IP\" OVPN_HOSTNAME=\"$OVPN_HOSTNAME\" \
PIA_TOKEN=\"$PIA_TOKEN\" CONNECTION_SETTINGS=\"$CONNECTION_SETTINGS\" \
PIA_PF=true PIA_DNS=true ./connect_to_openvpn_with_token.sh
else
cp openvpn_config/openvpn_up_dnsoverwrite.sh /opt/piavpn-manual/openvpn_up.sh
cp openvpn_config/openvpn_down_dnsoverwrite.sh /opt/piavpn-manual/openvpn_down.sh
fi
# Start the OpenVPN interface.
# If something failed, stop this script.
# If you get DNS errors because you miss some packages,
# just can hardcode /etc/resolv.conf to "nameserver 10.0.0.242".
#rm -f /opt/piavpn-manual/debug_info
echo "
Trying to start the OpenVPN connection..."
openvpn --daemon \
--config "/opt/piavpn-manual/pia.ovpn" \
--writepid "/opt/piavpn-manual/pia_pid" \
--log "/opt/piavpn-manual/debug_info" || exit 1
echo "
The OpenVPN connect command was issued.
Confirming OpenVPN connection state... "
# Check if manual PIA OpenVPN connection is intitialized.
# Manually adjust the connectino_wait_time if needed
connection_wait_time=10
confirmation="Initialization Sequence Complete"
for (( timeout=0; timeout <=$connection_wait_time; timeout++ ))
do
sleep 1
if grep -q "$confirmation" /opt/piavpn-manual/debug_info; then
connected=true
break
fi
done
ovpn_pid="$( cat /opt/piavpn-manual/pia_pid )"
gateway_ip="$( cat /opt/piavpn-manual/route_info )"
# Report and exit if connection was not initialized within 10 seconds.
if [ "$connected" != true ]; then
echo "The VPN connection was not established within 10 seconds."
kill $ovpn_pid
exit 1
fi
echo "Initialization Sequence Complete!
At this point, internet should work via VPN.
"
echo "OpenVPN Process ID: $ovpn_pid
VPN route IP: $gateway_ip
To disconnect the VPN, run:
--> sudo kill $ovpn_pid <--
"
# This section will stop the script if PIA_PF is not set to "true".
if [ "$PIA_PF" != true ]; then
echo
echo If you want to also enable port forwarding, please start the script
echo with the env var PIA_PF=true. Example:
echo $ OVPN_SERVER_IP=\"$OVPN_SERVER_IP\" OVPN_HOSTNAME=\"$OVPN_HOSTNAME\" \
PIA_TOKEN=\"$PIA_TOKEN\" CONNECTION_SETTINGS=\"$CONNECTION_SETTINGS\" \
PIA_PF=true ./connect_to_openvpn_with_token.sh
exit
fi
echo "
This script got started with PIA_PF=true.
Starting procedure to enable port forwarding by running the following command:
$ PIA_TOKEN=\"$PIA_TOKEN\" \\
PF_GATEWAY=\"$gateway_ip\" \\
PF_HOSTNAME=\"$OVPN_HOSTNAME\" \\
./port_forwarding.sh
"
PIA_TOKEN=$PIA_TOKEN \
PF_GATEWAY="$gateway_ip" \
PF_HOSTNAME="$OVPN_HOSTNAME" \
./port_forwarding.sh

40
connect_to_wireguard_with_token.sh
View File

@ -46,11 +46,11 @@ then
fi
# Check if the mandatory environment variables are set.
if [[ ! $WG_SERVER_IP || ! $WG_HOSTNAME || ! $WG_TOKEN ]]; then
if [[ ! $WG_SERVER_IP || ! $WG_HOSTNAME || ! $PIA_TOKEN ]]; then
echo This script requires 3 env vars:
echo WG_SERVER_IP - IP that you want to connect to
echo WG_HOSTNAME - name of the server, required for ssl
echo WG_TOKEN - your authentication token
echo PIA_TOKEN - your authentication token
echo
echo You can also specify optional env vars:
echo "PIA_PF - enable port forwarding"
@ -79,7 +79,7 @@ echo Trying to connect to the PIA WireGuard API on $WG_SERVER_IP...
wireguard_json="$(curl -s -G \
--connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" \
--cacert "ca.rsa.4096.crt" \
--data-urlencode "pt=${WG_TOKEN}" \
--data-urlencode "pt=${PIA_TOKEN}" \
--data-urlencode "pubkey=$pubKey" \
"https://${WG_HOSTNAME}:1337/addKey" )"
export wireguard_json
@ -91,19 +91,31 @@ if [ "$(echo "$wireguard_json" | jq -r '.status')" != "OK" ]; then
exit 1
fi
# Multi-hop is out of the scope of this repo, but you should be able to
# get multi-hop running with both WireGuard and OpenVPN by playing with
# these scripts. Feel free to fork the project and test it out.
echo
echo Trying to disable a PIA WG connection in case it exists...
wg-quick down pia && echo Disconnected!
echo
# Create the WireGuard config based on the JSON received from the API
# The config does not contain a DNS entry, since some servers do not
# have resolvconf, which will result in the script failing.
# We will enforce the DNS after the connection gets established.
# In case you want this section to also add the DNS setting, please
# start the script with PIA_DNS=true.
echo -n "Trying to write /etc/wireguard/pia.conf... "
mkdir -p /etc/wireguard
if [ "$PIA_DNS" == true ]; then
dnsServer="$(echo "$wireguard_json" | jq -r '.dns_servers[0]')"
echo Trying to set up DNS to $dnsServer. In case you do not have resolvconf,
echo this operation will fail and you will not get a VPN. If you have issues,
echo start this script without PIA_DNS.
dnsSettingForVPN="DNS = $dnsServer"
fi
echo "
[Interface]
Address = $(echo "$wireguard_json" | jq -r '.peer_ip')
PrivateKey = $privKey
## If you want wg-quick to also set up your DNS, uncomment the line below.
# DNS = $(echo "$wireguard_json" | jq -r '.dns_servers[0]')
$dnsSettingForVPN
[Peer]
PublicKey = $(echo "$wireguard_json" | jq -r '.server_key')
AllowedIPs = 0.0.0.0/0
@ -129,22 +141,22 @@ if [ "$PIA_PF" != true ]; then
echo
echo If you want to also enable port forwarding, please start the script
echo with the env var PIA_PF=true. Example:
echo $ WG_SERVER=10.0.0.3 WG_HOSTNAME=piaserver401 \
WG_TOKEN=\"\$token\" PIA_PF=true \
./sort_regions_by_latency.sh
echo $ WG_SERVER_IP=10.0.0.3 WG_HOSTNAME=piaserver401 \
PIA_TOKEN=\"\$token\" PIA_PF=true \
./connect_to_wireguard_with_token.sh
exit
fi
echo "
This script got started with PIA_PF=true.
Starting procedure to enable port forwarding by running the following command:
$ PIA_TOKEN=$WG_TOKEN \\
$ PIA_TOKEN=$PIA_TOKEN \\
PF_GATEWAY=\"$(echo "$wireguard_json" | jq -r '.server_vip')\" \\
PF_HOSTNAME=\"$WG_HOSTNAME\" \\
./port_forwarding.sh
"
PIA_TOKEN=$WG_TOKEN \
PIA_TOKEN=$PIA_TOKEN \
PF_GATEWAY="$(echo "$wireguard_json" | jq -r '.server_vip')" \
PF_HOSTNAME="$WG_HOSTNAME" \
./port_forwarding.sh

76
get_region_and_token.sh
View File

@ -155,6 +155,7 @@ echo "$generateTokenResponse"
if [ "$(echo "$generateTokenResponse" | jq -r '.status')" != "OK" ]; then
echo "Could not get a token. Please check your account credentials."
echo
echo "You can also try debugging by manually running the curl command:"
echo $ curl -vs -u "$PIA_USER:$PIA_PASS" --cacert ca.rsa.4096.crt \
--connect-to "$bestServer_meta_hostname::$bestServer_meta_IP:" \
@ -166,31 +167,62 @@ token="$(echo "$generateTokenResponse" | jq -r '.token')"
echo "This token will expire in 24 hours.
"
if [ "$PIA_AUTOCONNECT" != wireguard ]; then
echo If you wish to automatically connect to WireGuard after detecting the best
echo region, please run the script with the env var PIA_AUTOCONNECT=wireguard.
echo You can echo also specify the env var PIA_PF=true to get port forwarding.
echo Example:
echo $ PIA_USER=p0123456 PIA_PASS=xxx \
PIA_AUTOCONNECT=true PIA_PF=true ./sort_regions_by_latency.sh
echo
echo You can also connect now by running this command:
echo $ WG_TOKEN=\"$token\" WG_SERVER_IP=$bestServer_WG_IP \
WG_HOSTNAME=$bestServer_WG_hostname ./connect_to_wireguard_with_token.sh
exit
fi
# just making sure this variable doesn't contain some strange string
if [ "$PIA_PF" != true ]; then
PIA_PF="false"
fi
echo "The ./get_region_and_token.sh script got started with
PIA_AUTOCONNECT=wireguard, so we will automatically connect to WireGuard,
by running this command:
$ WG_TOKEN=\"$token\" \\
WG_SERVER_IP=$bestServer_WG_IP WG_HOSTNAME=$bestServer_WG_hostname \\
PIA_PF=$PIA_PF ./connect_to_wireguard_with_token.sh
"
if [[ $PIA_AUTOCONNECT == wireguard ]]; then
echo The ./get_region_and_token.sh script got started with
echo PIA_AUTOCONNECT=wireguard, so we will automatically connect to WireGuard,
echo by running this command:
echo $ WG_TOKEN=\"$token\" \\
echo WG_SERVER_IP=$bestServer_WG_IP WG_HOSTNAME=$bestServer_WG_hostname \\
echo PIA_PF=$PIA_PF ./connect_to_wireguard_with_token.sh
echo
PIA_PF=$PIA_PF PIA_TOKEN="$token" WG_SERVER_IP=$bestServer_WG_IP \
WG_HOSTNAME=$bestServer_WG_hostname ./connect_to_wireguard_with_token.sh
exit 0
fi
PIA_PF=$PIA_PF WG_TOKEN="$token" WG_SERVER_IP=$bestServer_WG_IP \
if [[ $PIA_AUTOCONNECT == openvpn* ]]; then
serverIP=$bestServer_OU_IP
serverHostname=$bestServer_OU_hostname
if [[ $PIA_AUTOCONNECT == *tcp* ]]; then
serverIP=$bestServer_OT_IP
serverHostname=$bestServer_OT_hostname
fi
echo The ./get_region_and_token.sh script got started with
echo PIA_AUTOCONNECT=$PIA_AUTOCONNECT, so we will automatically
echo connect to OpenVPN, by running this command:
echo PIA_PF=$PIA_PF PIA_TOKEN=\"$token\" \\
echo OVPN_SERVER_IP=$serverIP \\
echo OVPN_HOSTNAME=$serverHostname \\
echo CONNECTION_SETTINGS=$PIA_AUTOCONNECT \\
echo ./connect_to_openvpn_with_token.sh
echo
PIA_PF=$PIA_PF PIA_TOKEN="$token" \
OVPN_SERVER_IP=$serverIP \
OVPN_HOSTNAME=$serverHostname \
CONNECTION_SETTINGS=$PIA_AUTOCONNECT \
./connect_to_openvpn_with_token.sh
exit 0
fi
echo If you wish to automatically connect to the VPN after detecting the best
echo region, please run the script with the env var PIA_AUTOCONNECT.
echo 'The available options for PIA_AUTOCONNECT are (from fastest to slowest):'
echo - wireguard
echo - openvpn_udp_standard
echo - openvpn_udp_strong
echo - openvpn_tcp_standard
echo - openvpn_tcp_strong
echo You can also specify the env var PIA_PF=true to get port forwarding.
echo
echo Example:
echo $ PIA_USER=p0123456 PIA_PASS=xxx \
PIA_AUTOCONNECT=wireguard PIA_PF=true ./get_region_and_token.sh
echo
echo You can also connect now by running this command:
echo $ WG_TOKEN=\"$token\" WG_SERVER_IP=$bestServer_WG_IP \
WG_HOSTNAME=$bestServer_WG_hostname ./connect_to_wireguard_with_token.sh

4
openvpn_config/openvpn_down.sh Executable file
View File

@ -0,0 +1,4 @@
#!/bin/bash
# Remove process and route information when connection closes
rm -rf /opt/piavpn-manual/pia_pid /opt/pia-manual/route_info

7
openvpn_config/openvpn_down_dnsoverwrite.sh Executable file
View File

@ -0,0 +1,7 @@
#!/bin/bash
# Remove process and route information when connection closes
rm -rf /opt/piavpn-manual/pia_pid /opt/pia-manual/route_info
# Replace resolv.conf with original stored as backup
cat /opt/piavpn-manual/resolv_conf_backup > /etc/resolv.conf

4
openvpn_config/openvpn_up.sh Executable file
View File

@ -0,0 +1,4 @@
#!/bin/bash
# Write gateway IP for reference
echo $route_vpn_gateway > /opt/piavpn-manual/route_info

9
openvpn_config/openvpn_up_dnsoverwrite.sh Executable file
View File

@ -0,0 +1,9 @@
#!/bin/bash
# Write gateway IP for reference
echo $route_vpn_gateway > /opt/piavpn-manual/route_info
# Back up resolv.conf and create new on with PIA DNS
cat /etc/resolv.conf > /opt/piavpn-manual/resolv_conf_backup
echo "# Generated by /connect_to_openvpn_with_token.sh
nameserver 10.0.0.241" > /etc/resolv.conf

56
openvpn_config/standard.ovpn Normal file
View File

@ -0,0 +1,56 @@
client
dev tun06
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /opt/piavpn-manual/credentials
compress
verb 1
reneg-sec 0
<ca>
-----BEGIN CERTIFICATE-----
MIIFqzCCBJOgAwIBAgIJAKZ7D5Yv87qDMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNV
BAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIElu
dGVybmV0IEFjY2VzczEgMB4GA1UEAxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3Mx
IDAeBgNVBCkTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkB
FiBzZWN1cmVAcHJpdmF0ZWludGVybmV0YWNjZXNzLmNvbTAeFw0xNDA0MTcxNzM1
MThaFw0zNDA0MTIxNzM1MThaMIHoMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0Ex
EzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQg
QWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UE
AxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBCkTF1ByaXZhdGUgSW50
ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkBFiBzZWN1cmVAcHJpdmF0ZWludGVy
bmV0YWNjZXNzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPXD
L1L9tX6DGf36liA7UBTy5I869z0UVo3lImfOs/GSiFKPtInlesP65577nd7UNzzX
lH/P/CnFPdBWlLp5ze3HRBCc/Avgr5CdMRkEsySL5GHBZsx6w2cayQ2EcRhVTwWp
cdldeNO+pPr9rIgPrtXqT4SWViTQRBeGM8CDxAyTopTsobjSiYZCF9Ta1gunl0G/
8Vfp+SXfYCC+ZzWvP+L1pFhPRqzQQ8k+wMZIovObK1s+nlwPaLyayzw9a8sUnvWB
/5rGPdIYnQWPgoNlLN9HpSmsAcw2z8DXI9pIxbr74cb3/HSfuYGOLkRqrOk6h4RC
OfuWoTrZup1uEOn+fw8CAwEAAaOCAVQwggFQMB0GA1UdDgQWBBQv63nQ/pJAt5tL
y8VJcbHe22ZOsjCCAR8GA1UdIwSCARYwggESgBQv63nQ/pJAt5tLy8VJcbHe22ZO
sqGB7qSB6zCB6DELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRMwEQYDVQQHEwpM
b3NBbmdlbGVzMSAwHgYDVQQKExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4G
A1UECxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBAMTF1ByaXZhdGUg
SW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQpExdQcml2YXRlIEludGVybmV0IEFjY2Vz
czEvMC0GCSqGSIb3DQEJARYgc2VjdXJlQHByaXZhdGVpbnRlcm5ldGFjY2Vzcy5j
b22CCQCmew+WL/O6gzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQAn
a5PgrtxfwTumD4+3/SYvwoD66cB8IcK//h1mCzAduU8KgUXocLx7QgJWo9lnZ8xU
ryXvWab2usg4fqk7FPi00bED4f4qVQFVfGfPZIH9QQ7/48bPM9RyfzImZWUCenK3
7pdw4Bvgoys2rHLHbGen7f28knT2j/cbMxd78tQc20TIObGjo8+ISTRclSTRBtyC
GohseKYpTS9himFERpUgNtefvYHbn70mIOzfOJFTVqfrptf9jXa9N8Mpy3ayfodz
1wiqdteqFXkTYoSDctgKMiZ6GdocK9nMroQipIQtpnwd4yBDWIyC6Bvlkrq5TQUt
YDQ8z9v+DMO6iwyIDRiU
-----END CERTIFICATE-----
</ca>
disable-occ
script-security 2
up /opt/piavpn-manual/openvpn_up.sh
down /opt/piavpn-manual/openvpn_down.sh

66
openvpn_config/strong.ovpn Normal file
View File

@ -0,0 +1,66 @@
client
dev tun06
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-256-cbc
auth sha256
tls-client
remote-cert-tls server
auth-user-pass /opt/piavpn-manual/credentials
compress
verb 1
reneg-sec 0
<ca>
-----BEGIN CERTIFICATE-----
MIIHqzCCBZOgAwIBAgIJAJ0u+vODZJntMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNV
BAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIElu
dGVybmV0IEFjY2VzczEgMB4GA1UEAxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3Mx
IDAeBgNVBCkTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkB
FiBzZWN1cmVAcHJpdmF0ZWludGVybmV0YWNjZXNzLmNvbTAeFw0xNDA0MTcxNzQw
MzNaFw0zNDA0MTIxNzQwMzNaMIHoMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0Ex
EzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQg
QWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UE
AxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBCkTF1ByaXZhdGUgSW50
ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkBFiBzZWN1cmVAcHJpdmF0ZWludGVy
bmV0YWNjZXNzLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALVk
hjumaqBbL8aSgj6xbX1QPTfTd1qHsAZd2B97m8Vw31c/2yQgZNf5qZY0+jOIHULN
De4R9TIvyBEbvnAg/OkPw8n/+ScgYOeH876VUXzjLDBnDb8DLr/+w9oVsuDeFJ9K
V2UFM1OYX0SnkHnrYAN2QLF98ESK4NCSU01h5zkcgmQ+qKSfA9Ny0/UpsKPBFqsQ
25NvjDWFhCpeqCHKUJ4Be27CDbSl7lAkBuHMPHJs8f8xPgAbHRXZOxVCpayZ2SND
fCwsnGWpWFoMGvdMbygngCn6jA/W1VSFOlRlfLuuGe7QFfDwA0jaLCxuWt/BgZyl
p7tAzYKR8lnWmtUCPm4+BtjyVDYtDCiGBD9Z4P13RFWvJHw5aapx/5W/CuvVyI7p
Kwvc2IT+KPxCUhH1XI8ca5RN3C9NoPJJf6qpg4g0rJH3aaWkoMRrYvQ+5PXXYUzj
tRHImghRGd/ydERYoAZXuGSbPkm9Y/p2X8unLcW+F0xpJD98+ZI+tzSsI99Zs5wi
jSUGYr9/j18KHFTMQ8n+1jauc5bCCegN27dPeKXNSZ5riXFL2XX6BkY68y58UaNz
meGMiUL9BOV1iV+PMb7B7PYs7oFLjAhh0EdyvfHkrh/ZV9BEhtFa7yXp8XR0J6vz
1YV9R6DYJmLjOEbhU8N0gc3tZm4Qz39lIIG6w3FDAgMBAAGjggFUMIIBUDAdBgNV
HQ4EFgQUrsRtyWJftjpdRM0+925Y6Cl08SUwggEfBgNVHSMEggEWMIIBEoAUrsRt
yWJftjpdRM0+925Y6Cl08SWhge6kgeswgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI
EwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRl
cm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAw
HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0
ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRl
aW50ZXJuZXRhY2Nlc3MuY29tggkAnS7684Nkme0wDAYDVR0TBAUwAwEB/zANBgkq
hkiG9w0BAQ0FAAOCAgEAJsfhsPk3r8kLXLxY+v+vHzbr4ufNtqnL9/1Uuf8NrsCt
pXAoyZ0YqfbkWx3NHTZ7OE9ZRhdMP/RqHQE1p4N4Sa1nZKhTKasV6KhHDqSCt/dv
Em89xWm2MVA7nyzQxVlHa9AkcBaemcXEiyT19XdpiXOP4Vhs+J1R5m8zQOxZlV1G
tF9vsXmJqWZpOVPmZ8f35BCsYPvv4yMewnrtAC8PFEK/bOPeYcKN50bol22QYaZu
LfpkHfNiFTnfMh8sl/ablPyNY7DUNiP5DRcMdIwmfGQxR5WEQoHL3yPJ42LkB5zs
6jIm26DGNXfwura/mi105+ENH1CaROtRYwkiHb08U6qLXXJz80mWJkT90nr8Asj3
5xN2cUppg74nG3YVav/38P48T56hG1NHbYF5uOCske19F6wi9maUoto/3vEr0rnX
JUp2KODmKdvBI7co245lHBABWikk8VfejQSlCtDBXn644ZMtAdoxKNfR2WTFVEwJ
iyd1Fzx0yujuiXDROLhISLQDRjVVAvawrAtLZWYK31bY7KlezPlQnl/D9Asxe85l
8jO5+0LdJ6VyOs/Hd4w52alDW/MFySDZSfQHMTIc30hLBJ8OnCEIvluVQQ2UQvoW
+no177N9L2Y+M9TcTA62ZyMXShHQGeh20rb4kK8f+iFX8NxtdHVSkxMEFSfDDyQ=
-----END CERTIFICATE-----
</ca>
disable-occ
script-security 2
up /opt/piavpn-manual/openvpn_up.sh
down /opt/piavpn-manual/openvpn_down.sh

2
port_forwarding.sh
View File

@ -21,7 +21,7 @@
# Check if the mandatory environment variables are set.
if [[ ! $PF_GATEWAY || ! $PIA_TOKEN ]]; then
if [[ ! $PF_GATEWAY || ! $PIA_TOKEN || ! $PF_HOSTNAME ]]; then
echo This script requires 3 env vars:
echo PF_GATEWAY - the IP of your gateway
echo PF_HOSTNAME - name of the host used for SSL/TLS certificate verification

163
run_setup.sh Executable file
View File

@ -0,0 +1,163 @@
#!/bin/bash
# Copyright (C) 2020 Private Internet Access, Inc.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
# Only allow script to run as
if [ "$(whoami)" != "root" ]; then
echo "This script needs to be run as root. Try again with 'sudo $0'"
exit 1
fi
echo
echo -n "PIA username (pNNNNNNN): "
read PIA_USER
if [ -z "$PIA_USER" ]; then
echo Username is required, aborting.
exit 1
fi
echo
export PIA_USER
echo -n "PIA password: "
read -s PIA_PASS
echo
if [ -z "$PIA_PASS" ]; then
echo Password is required, aborting.
exit 1
fi
echo
export PIA_PASS
# This section asks for user connection preferences
# this is hard coded for now, but will become an input
# variable in the future.
echo -n "Connection method ([W]ireguard/[o]penvpn): "
read connection_method
echo
PIA_AUTOCONNECT="wireguard"
if echo ${connection_method:0:1} | grep -iq o; then
echo -n "Connection method ([U]dp/[t]cp): "
read protocolInput
echo
protocol="udp"
if echo ${protocolInput:0:1} | grep -iq t; then
protocol="tcp"
fi
echo "Higher levels of encryption trade performance for security. "
echo -n "Do you want to use strong encryption ([N]o/[y]es): "
read strongEncryption
echo
encryption="standard"
if echo ${strongEncryption:0:1} | grep -iq y; then
encryption="strong"
fi
PIA_AUTOCONNECT="openvpn_${protocol}_${encryption}"
fi
export PIA_AUTOCONNECT
echo PIA_AUTOCONNECT=$PIA_AUTOCONNECT"
"
# Check for the required presence of resolvconf for settnig DNS on wireguard connections.
setDNS="yes"
if ! command -v resolvconf &>/dev/null && [ "$PIA_AUTOCONNECT" == wireguard ]; then
echo The resolvconf package could not be found.
echo This script can not set DNS for you and you will
echo need to invoke DNS protection some other way.
echo
setDNS="no"
fi
if [ "$setDNS" != no ]; then
echo Using third party DNS could allow DNS monitoring.
echo -n "Do you want to force PIA DNS ([Y]es/[n]o): "
read setDNS
echo
fi
PIA_DNS="true"
if echo ${setDNS:0:1} | grep -iq n; then
PIA_DNS="false"
fi
PIA_DNS="true"
if echo ${setDNS:0:1} | grep -iq n; then
PIA_DNS="false"
fi
export PIA_DNS
echo PIA_DNS=$PIA_DNS"
"
echo -n "Do you want a forwarding port assigned ([N]o/[y]es): "
read portForwarding
echo
PIA_PF="false"
if echo ${portForwarding:0:1} | grep -iq y; then
PIA_PF="true"
fi
export PIA_PF
echo PIA_PF=$PIA_PF
# Set this to the maximum allowed latency in seconds.
# All servers that repond slower than this will be ignored.
echo -n "
With no input, the maximum allowed latency will be set to 0.05s (50ms).
If your connection has high latency, you may need to increase this value.
For example, you can try 0.2 for 200ms allowed latency.
Custom latency (no input required for 50ms): "
read customLatency
echo
MAX_LATENCY=0.05
if [[ $customLatency != "" ]]; then
MAX_LATENCY=$customLatency
fi
export MAX_LATENCY
echo "MAX_LATENCY=\"$MAX_LATENCY\"
"
echo "Having active IPv6 connections might compromise security by allowing"
echo "split tunnel connections that run outside the VPN tunnel."
echo -n "Do you want to disable IPv6? (Y/n): "
read disable_IPv6
echo
if echo ${disable_IPv6:0:1} | grep -iq n; then
echo "IPv6 settings have not been altered.
"
else
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1
echo
echo "IPv6 has been disabled, you can enable it again with: "
echo "sysctl -w net.ipv6.conf.all.disable_ipv6=0"
echo "sysctl -w net.ipv6.conf.default.disable_ipv6=0
"
fi
./get_region_and_token.sh