Region Selection and Other Improvements

- separated get_region and get_token into two separate scripts, allowing for independent calls to each if desired; this also allows the implementation of other features mentioned below
- implemented use of new centralized authentication server for easier automation; the new API is located at https://privateinternetaccess.com/gtoken/generateToken
- added server selection capabilities to run_setup.sh, as requested by multiple users
- added one-line call capabilities to run_setup.sh to allow easy automation
- changed PIA_AUTOCONNECT to VPN_PROTOCOL for clarity
- added AUTOCONNECT for one-line calls
- added PREFERRED_REGION for one-line calls
- added colored output to highlight important details
- added input validation for prompts in run_setup.sh
gunix 2021-01-22 01:12:23 +02:00
parent d2d24808b5
commit 742a492eee
8 changed files with 897 additions and 426 deletions

View File

@ -1,11 +1,11 @@
# Manual PIA VPN Connections # Manual PIA VPN Connections
This repository contains documentation on how to create native WireGuard and OpenVPN connections to our __NextGen network__, and also on how to enable Port Forwarding in case you require this feature. You will find a lot of information below. However if you prefer quick test, here is the __TL/DR__: This repository contains documentation on how to create native WireGuard and OpenVPN connections, and also on how to enable Port Forwarding in case you require this feature. You will find a lot of information below. However if you prefer quick test, here is the __TL/DR__:
``` ```
git clone https://github.com/pia-foss/manual-connections.git git clone https://github.com/pia-foss/manual-connections.git
cd manual-connections cd manual-connections
./run_setup.sh sudo ./run_setup.sh
``` ```
The scripts were written so that they are easy to read and to modify. The code also has a lot of comments, so that you find all the information you might need. We hope you will enjoy forking the repo and customizing the scripts for your setup! The scripts were written so that they are easy to read and to modify. The code also has a lot of comments, so that you find all the information you might need. We hope you will enjoy forking the repo and customizing the scripts for your setup!
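Review bot: the TL/DR now prefixes `sudo ./run_setup.sh`, but nothing in this hunk says why root is needed; the scripts write to /opt/piavpn-manual and /etc/wireguard, bring up tunnel interfaces, and the new get_region.sh exits unless `whoami` is root, so a one-line explanation next to the TL/DR would save users a failed first run.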
@ -57,6 +57,7 @@ Some users have created their own repositories for manual connections, based on
|:-:|:-:|:-:|:-:|-| |:-:|:-:|:-:|:-:|-|
| FreeBSD | Yes | Bash | Compatibility | [glorious1/manual-connections](https://github.com/glorious1/manual-connections) | | FreeBSD | Yes | Bash | Compatibility | [glorious1/manual-connections](https://github.com/glorious1/manual-connections) |
| Linux | No | Groovy/Java | WireGuard, PF | [Slugger/piawgmgr](https://github.com/Slugger/piawgmgr) | | Linux | No | Groovy/Java | WireGuard, PF | [Slugger/piawgmgr](https://github.com/Slugger/piawgmgr) |
| Linux | No | Python | WireGuard, PF | [milahu/python-piavpn](https://github.com/milahu/python-piavpn) |
| OPNsense | No | Python | WireGuard, PF | [FingerlessGlov3s/OPNsensePIAWireguard](https://github.com/FingerlessGlov3s/OPNsensePIAWireguard) | | OPNsense | No | Python | WireGuard, PF | [FingerlessGlov3s/OPNsensePIAWireguard](https://github.com/FingerlessGlov3s/OPNsensePIAWireguard) |
| pfSense | No | Sh | OpenVPN, PF | [fm407/PIA-NextGen-PortForwarding](https://github.com/fm407/PIA-NextGen-PortForwarding) | | pfSense | No | Sh | OpenVPN, PF | [fm407/PIA-NextGen-PortForwarding](https://github.com/fm407/PIA-NextGen-PortForwarding) |
| Synology | Yes | Bash | Compatibility | [steff2632/manual-connections](https://github.com/steff2632/manual-connections) | | Synology | Yes | Bash | Compatibility | [steff2632/manual-connections](https://github.com/steff2632/manual-connections) |
@ -74,8 +75,24 @@ This service can be used only AFTER establishing a VPN connection.
In order to help you use VPN services and PF on any device, we have prepared a few bash scripts that should help you through the process of setting everything up. The scripts also contain a lot of comments, just in case you require detailed information regarding how the technology works. The functionality is controlled via environment variables, so that you have an easy time automating your setup. In order to help you use VPN services and PF on any device, we have prepared a few bash scripts that should help you through the process of setting everything up. The scripts also contain a lot of comments, just in case you require detailed information regarding how the technology works. The functionality is controlled via environment variables, so that you have an easy time automating your setup.
The easiest way to trigger a fully automated connection is by running this oneliner:
```
sudo VPN_PROTOCOL=wireguard DISABLE_IPV6="no" AUTOCONNECT=true PIA_PF=false PIA_USER=p0123456 PIA_PASS=xxxxxxxx ./run_setup.sh
```
Here is a list of scripts you could find useful: Here is a list of scripts you could find useful:
* [Get the best region and a token](get_region_and_token.sh): This script helps you to get the best region and also to get a token for VPN authentication. Adding your PIA credentials to env vars `PIA_USER` and `PIA_PASS` will allow the script to also get a VPN token. The script can also trigger the WireGuard script to create a connection, if you specify `PIA_AUTOCONNECT=wireguard` or `PIA_AUTOCONNECT=openvpn_udp_standard` * [Prompt based connection](run_setup.sh): This script allows connections with a one-line call, or will prompt for any missing or invalid variables. Varaibles available for one-line calls include:
* `PIA_USER` - your PIA username
* `PIA_PASS` - your PIA password
* `PIA_DNS` - true/false
* `PIA_PF` - true/false
* `MAX_LATENCY` - numeric value, in seconds
* `AUTOCONNECT` - true/false; this will test for and select the server with the lowest latency, it will overried PREFERRED_REGION
* `PREFERRED_REGION` - the region ID for a PIA server
* `VPN_PROTOCOL` - wireguard or openvpn; openvpn will default to openvpn_udp_standard, but can also specify openvpn_tcp/udp_standad/strong
* `DISABLE_IPV6` - yes/no
* [Get region details](get_region.sh): This script will provide server details, validate `PREFERRED_REGION` input, and can determine the lowest latency location. The script can also trigger VPN connections, if you specify `VPN_PROTOCOL=wireguard` or `VPN_PROTOCOL=openvpn`; doing so requires a token. This script can reference `get_token.sh` with use of `PIA_USER` and `PIA_PASS`. If called without specifying `PREFERRED_REGION` this script writes a list of servers within lower than `MAX_LATENCY` to a `/opt/piavpn-manual/latencyList` for reference.
* [Get a token](get_token.sh): This script allows you to get an authentication token with a valid 'PIA_USER' and 'PIA_PASS'. It will write the token and its expiration date to `/opt/piavpn-manual/token` for reference.
* [Connect to WireGuard](connect_to_wireguard_with_token.sh): This script allows you to connect to the VPN server via WireGuard. * [Connect to WireGuard](connect_to_wireguard_with_token.sh): This script allows you to connect to the VPN server via WireGuard.
* [Connect to OpenVPN](connect_to_openvpn_with_token.sh): This script allows you to connect to the VPN server via OpenVPN. * [Connect to OpenVPN](connect_to_openvpn_with_token.sh): This script allows you to connect to the VPN server via OpenVPN.
* [Enable Port Forwarding](port_forwarding.sh): Enables you to add Port Forwarding to an existing VPN connection. Adding the environment variable `PIA_PF=true` to any of the previous scripts will also trigger this script. * [Enable Port Forwarding](port_forwarding.sh): Enables you to add Port Forwarding to an existing VPN connection. Adding the environment variable `PIA_PF=true` to any of the previous scripts will also trigger this script.
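Review bot: the one-liner example `sudo VPN_PROTOCOL=wireguard DISABLE_IPV6="no" AUTOCONNECT=true PIA_PF=false PIA_USER=p0123456 PIA_PASS=xxxxxxxx ./run_setup.sh` puts the PIA password on the command line, where it is recorded in the shell history; since the scripts read credentials from the environment anyway, recommend exporting `PIA_PASS` from a prompt or a mode-600 file and keep the password out of the example line. Smaller points in the same hunk: `Varaibles` should be `Variables`, `overried` should be `override`, `openvpn_tcp/udp_standad/strong` should be `openvpn_tcp/udp_standard/strong`, and `writes a list of servers within lower than MAX_LATENCY` reads better as `writes the list of regions that responded within MAX_LATENCY`.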

View File

@ -34,6 +34,20 @@ check_tool curl
check_tool jq check_tool jq
check_tool openvpn check_tool openvpn
# Check if terminal allows output, if yes, define colors for output
if test -t 1; then
ncolors=$(tput colors)
if test -n "$ncolors" && test $ncolors -ge 8; then
GREEN='\033[0;32m'
RED='\033[0;31m'
NC='\033[0m' # No Color
else
GREEN=''
RED=''
NC='' # No Color
fi
fi
# Check if manual PIA OpenVPN connection is already initialized. # Check if manual PIA OpenVPN connection is already initialized.
# Multi-hop is out of the scope of this repo, but you should be able to # Multi-hop is out of the scope of this repo, but you should be able to
# get multi-hop running with both OpenVPN and WireGuard. # get multi-hop running with both OpenVPN and WireGuard.
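Review bot: the colour block only assigns GREEN, RED and NC when stdout is a terminal, so every later `echo -e ${RED}...` relies on the variables being unset and expanding to nothing; initialise all three to the empty string before `if test -t 1; then` so the behaviour is explicit and survives a future `set -u`. `tput colors` also prints an error to stderr when TERM is unset or unknown, so `ncolors=$(tput colors 2>/dev/null)` avoids the noise. The unquoted `echo -e ${RED}The tun06 adapter already exists, that interface is required` form only works because the text contains no glob characters; quoting the whole argument is safer.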
@ -41,26 +55,33 @@ adapter_check="$( ip a s tun06 2>&1 )"
should_read="Device \"tun06\" does not exist" should_read="Device \"tun06\" does not exist"
pid_filepath="/opt/piavpn-manual/pia_pid" pid_filepath="/opt/piavpn-manual/pia_pid"
if [[ "$adapter_check" != *"$should_read"* ]]; then if [[ "$adapter_check" != *"$should_read"* ]]; then
echo The tun06 adapter already exists, that interface is required echo -e ${RED}The tun06 adapter already exists, that interface is required
echo for this configuration. echo -e for this configuration.${NC}
if [ -f "$pid_filepath" ]; then if [ -f "$pid_filepath" ]; then
old_pid="$( cat "$pid_filepath" )" old_pid="$( cat "$pid_filepath" )"
old_pid_name="$( ps -p "$old_pid" -o comm= )" old_pid_name="$( ps -p "$old_pid" -o comm= )"
if [[ $old_pid_name == 'openvpn' ]]; then if [[ $old_pid_name == 'openvpn' ]]; then
echo echo
echo It seems likely that process $old_pid is an OpenVPN connection echo -e It seems likely that process ${RED}$old_pid${NC} is an OpenVPN connection
echo that was established by using this script. Unless it is closed echo that was established by using this script. Unless it is closed
echo you would not be able to get a new connection. echo you would not be able to get a new connection.
echo -n "Do you want to run $ kill $old_pid (Y/n): " echo -ne "Do you want to run ${RED}$ kill $old_pid${NC} (Y/n): "
read close_connection read close_connection
fi fi
if echo ${close_connection:0:1} | grep -iq n ; then if echo ${close_connection:0:1} | grep -iq n ; then
echo Closing script. Resolve tun06 adapter conflict and run the script again. echo -e ${RED}Closing script. Resolve tun06 adapter conflict and run the script again.
exit 1 exit 1
fi fi
echo Killing the existing OpenVPN process and waiting 5 seconds... echo
echo -e ${GREEN}Killing the existing OpenVPN process and waiting 5 seconds...${NC}
kill $old_pid kill $old_pid
sleep 5 echo
for i in {5..1}; do
echo -n "$i..."
sleep 1
done
echo
echo
fi fi
fi fi
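Review bot: `echo -e ${RED}Closing script. Resolve tun06 adapter conflict and run the script again.` opens red and then `exit 1` runs without a `${NC}`, leaving the user's terminal red; add the reset. In the same block, when the pid file exists but `ps -p` reports something other than `openvpn`, `close_connection` is never set, the `grep -iq n` test fails, and the script still runs `kill $old_pid` on a pid that may by now belong to an unrelated process; moving the kill and the countdown inside the `if [[ $old_pid_name == 'openvpn' ]]` branch (or exiting when the name does not match) fixes that.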
@ -72,9 +93,9 @@ if [[ -f /proc/net/if_inet6 ]] &&
[[ $(sysctl -n net.ipv6.conf.all.disable_ipv6) -ne 1 || [[ $(sysctl -n net.ipv6.conf.all.disable_ipv6) -ne 1 ||
$(sysctl -n net.ipv6.conf.default.disable_ipv6) -ne 1 ]] $(sysctl -n net.ipv6.conf.default.disable_ipv6) -ne 1 ]]
then then
echo 'You should consider disabling IPv6 by running:' echo -e ${RED}'You should consider disabling IPv6 by running:'
echo 'sysctl -w net.ipv6.conf.all.disable_ipv6=1' echo 'sysctl -w net.ipv6.conf.all.disable_ipv6=1'
echo 'sysctl -w net.ipv6.conf.default.disable_ipv6=1' echo -e 'sysctl -w net.ipv6.conf.default.disable_ipv6=1'${NC}
fi fi
# Check if the mandatory environment variables are set. # Check if the mandatory environment variables are set.
@ -82,7 +103,7 @@ if [[ ! $OVPN_SERVER_IP ||
! $OVPN_HOSTNAME || ! $OVPN_HOSTNAME ||
! $PIA_TOKEN || ! $PIA_TOKEN ||
! $CONNECTION_SETTINGS ]]; then ! $CONNECTION_SETTINGS ]]; then
echo 'This script requires 4 env vars:' echo -e ${RED}'This script requires 4 env vars:'
echo 'PIA_TOKEN - the token used for authentication' echo 'PIA_TOKEN - the token used for authentication'
echo 'OVPN_SERVER_IP - IP that you want to connect to' echo 'OVPN_SERVER_IP - IP that you want to connect to'
echo 'OVPN_HOSTNAME - name of the server, required for ssl' echo 'OVPN_HOSTNAME - name of the server, required for ssl'
@ -100,18 +121,18 @@ if [[ ! $OVPN_SERVER_IP ||
echo An easy solution is to just run get_region_and_token.sh echo An easy solution is to just run get_region_and_token.sh
echo as it will guide you through getting the best server and echo as it will guide you through getting the best server and
echo also a token. Detailed information can be found here: echo also a token. Detailed information can be found here:
echo https://github.com/pia-foss/manual-connections echo -e https://github.com/pia-foss/manual-connections ${NC}
exit 1 exit 1
fi fi
# Create a credentials file with the login token # Create a credentials file with the login token
echo "Trying to write /opt/piavpn-manual/pia.ovpn... echo -n "Trying to write /opt/piavpn-manual/pia.ovpn..."
"
mkdir -p /opt/piavpn-manual mkdir -p /opt/piavpn-manual
rm -f /opt/piavpn-manual/credentials /opt/piavpn-manual/route_info rm -f /opt/piavpn-manual/credentials /opt/piavpn-manual/route_info
echo ${PIA_TOKEN:0:62}" echo ${PIA_TOKEN:0:62}"
"${PIA_TOKEN:62} > /opt/piavpn-manual/credentials || exit 1 "${PIA_TOKEN:62} > /opt/piavpn-manual/credentials || exit 1
chmod 600 /opt/piavpn-manual/credentials chmod 600 /opt/piavpn-manual/credentials
echo -e "${GREEN}OK!${NC}"
# Translate connection settings variable # Translate connection settings variable
IFS='_' IFS='_'
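Review bot: the error text still tells the user to `run get_region_and_token.sh`, which this commit splits into get_region.sh and get_token.sh; update the message to name `get_region.sh`. Also, the credentials file is created by the `> /opt/piavpn-manual/credentials` redirect under the caller's umask and only afterwards restricted with `chmod 600`, so the token is briefly readable by other users on a permissive umask; `umask 077` at the top of the script, or `install -m 600 /dev/null /opt/piavpn-manual/credentials` before the write, closes that window.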
@ -148,7 +169,7 @@ echo remote $OVPN_SERVER_IP $port $protocol >> /opt/piavpn-manual/pia.ovpn
if [ "$PIA_DNS" != true ]; then if [ "$PIA_DNS" != true ]; then
cp openvpn_config/openvpn_up.sh /opt/piavpn-manual/ cp openvpn_config/openvpn_up.sh /opt/piavpn-manual/
cp openvpn_config/openvpn_down.sh /opt/piavpn-manual/ cp openvpn_config/openvpn_down.sh /opt/piavpn-manual/
echo This configuration will not use PIA DNS. echo -e ${RED}This configuration will not use PIA DNS.${NC}
echo If you want to also enable PIA DNS, please start the script echo If you want to also enable PIA DNS, please start the script
echo with the env var PIA_DNS=true. Example: echo with the env var PIA_DNS=true. Example:
echo $ OVPN_SERVER_IP=\"$OVPN_SERVER_IP\" OVPN_HOSTNAME=\"$OVPN_HOSTNAME\" \ echo $ OVPN_SERVER_IP=\"$OVPN_SERVER_IP\" OVPN_HOSTNAME=\"$OVPN_HOSTNAME\" \
@ -171,10 +192,10 @@ openvpn --daemon \
--writepid "/opt/piavpn-manual/pia_pid" \ --writepid "/opt/piavpn-manual/pia_pid" \
--log "/opt/piavpn-manual/debug_info" || exit 1 --log "/opt/piavpn-manual/debug_info" || exit 1
echo " echo -n "
The OpenVPN connect command was issued. The OpenVPN connect command was issued.
Confirming OpenVPN connection state... " Confirming OpenVPN connection state..."
# Check if manual PIA OpenVPN connection is initialized. # Check if manual PIA OpenVPN connection is initialized.
# Manually adjust the connection_wait_time if needed # Manually adjust the connection_wait_time if needed
@ -194,45 +215,54 @@ gateway_ip="$( cat /opt/piavpn-manual/route_info )"
# Report and exit if connection was not initialized within 10 seconds. # Report and exit if connection was not initialized within 10 seconds.
if [ "$connected" != true ]; then if [ "$connected" != true ]; then
echo "The VPN connection was not established within 10 seconds." echo -e "${RED}The VPN connection was not established within 10 seconds.${NC}"
kill $ovpn_pid kill $ovpn_pid
exit 1 exit 1
fi fi
echo "Initialization Sequence Complete! echo -e "${GREEN}Initialization Sequence Complete!${NC}
At this point, internet should work via VPN. At this point, internet should work via VPN.
" "
echo "OpenVPN Process ID: $ovpn_pid echo -e "OpenVPN Process ID: ${GREEN}$ovpn_pid${NC}
VPN route IP: $gateway_ip VPN route IP: ${GREEN}$gateway_ip${NC}
To disconnect the VPN, run: To disconnect the VPN, run:
--> sudo kill $ovpn_pid <-- --> ${GREEN}sudo kill $ovpn_pid${NC} <--
" "
# This section will stop the script if PIA_PF is not set to "true". # This section will stop the script if PIA_PF is not set to "true".
if [ "$PIA_PF" != true ]; then if [ "$PIA_PF" != true ]; then
echo If you want to also enable port forwarding, you can start the script:
echo -e $ ${GREEN}PIA_TOKEN=$PIA_TOKEN \
PF_GATEWAY=$gateway_ip \
PF_HOSTNAME=$OVPN_HOSTNAME \
./port_forwarding.sh${NC}
echo echo
echo If you want to also enable port forwarding, please start the script echo The location used must be port forwarding enabled, or this will fail.
echo with the env var PIA_PF=true. Example: echo Calling the ./get_region script with PIA_PF=true will provide a filtered list.
echo $ OVPN_SERVER_IP=\"$OVPN_SERVER_IP\" OVPN_HOSTNAME=\"$OVPN_HOSTNAME\" \ exit 1
PIA_TOKEN=\"$PIA_TOKEN\" CONNECTION_SETTINGS=\"$CONNECTION_SETTINGS\" \
PIA_PF=true ./connect_to_openvpn_with_token.sh
exit
fi fi
echo " echo -ne "This script got started with ${GREEN}PIA_PF=true${NC}.
This script got started with PIA_PF=true.
Starting procedure to enable port forwarding by running the following command: Starting port forwarding in "
$ PIA_TOKEN=\"$PIA_TOKEN\" \\ for i in {5..1}; do
PF_GATEWAY=\"$gateway_ip\" \\ echo -n "$i..."
PF_HOSTNAME=\"$OVPN_HOSTNAME\" \\ sleep 1
./port_forwarding.sh done
" echo
echo
echo -e "Starting procedure to enable port forwarding by running the following command:
$ ${GREEN}PIA_TOKEN=$PIA_TOKEN \\
PF_GATEWAY=$gateway_ip \\
PF_HOSTNAME=$OVPN_HOSTNAME \\
./port_forwarding.sh${NC}"
PIA_TOKEN=$PIA_TOKEN \ PIA_TOKEN=$PIA_TOKEN \
PF_GATEWAY="$gateway_ip" \ PF_GATEWAY=$gateway_ip \
PF_HOSTNAME="$OVPN_HOSTNAME" \ PF_HOSTNAME=$OVPN_HOSTNAME \
./port_forwarding.sh ./port_forwarding.sh
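Review bot: changing the no-port-forwarding branch from `exit` to `exit 1` makes a successful VPN connection return a failure status whenever PIA_PF is not true; anything automating this script (the commit's stated goal) will treat the connection as failed, and get_region.sh itself exits 0 right after calling it, so the status is lost anyway. Use `exit 0` there. The quotes were also dropped from `PF_GATEWAY=$gateway_ip` and `PF_HOSTNAME=$OVPN_HOSTNAME`; harmless for these values, but the quoted form in the old lines was the safer one. Note too that the suggested command is printed with the full `PIA_TOKEN` in green, which ends up in terminal scrollback and in any pasted logs.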

View File

@ -22,18 +22,31 @@
# This function allows you to check if the required tools have been installed. # This function allows you to check if the required tools have been installed.
function check_tool() { function check_tool() {
cmd=$1 cmd=$1
package=$2
if ! command -v $cmd &>/dev/null if ! command -v $cmd &>/dev/null
then then
echo "$cmd could not be found" echo "$cmd could not be found"
echo "Please install $package" echo "Please install $cmd"
exit 1 exit 1
fi fi
} }
# Now we call the function to make sure we can use wg-quick, curl and jq. # Now we call the function to make sure we can use wg-quick, curl and jq.
check_tool wg-quick wireguard-tools check_tool wg-quick
check_tool curl curl check_tool curl
check_tool jq jq check_tool jq
# Check if terminal allows output, if yes, define colors for output
if test -t 1; then
ncolors=$(tput colors)
if test -n "$ncolors" && test $ncolors -ge 8; then
GREEN='\033[0;32m'
RED='\033[0;31m'
NC='\033[0m' # No Color
else
GREEN=''
RED=''
NC='' # No Color
fi
fi
# PIA currently does not support IPv6. In order to be sure your VPN # PIA currently does not support IPv6. In order to be sure your VPN
# connection does not leak, it is best to disabled IPv6 altogether. # connection does not leak, it is best to disabled IPv6 altogether.
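Review bot: dropping the `package` argument from `check_tool` changes the failure message to `Please install wg-quick`, but `wg-quick` is not a package name; the old `check_tool wg-quick wireguard-tools` pointed users at the right package. Keep the second argument and default it to the command when omitted, e.g. `package=${2:-$cmd}`, so the WireGuard hint stays correct while the curl and jq calls can stay as they are.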
@ -50,7 +63,7 @@ fi
# Check if the mandatory environment variables are set. # Check if the mandatory environment variables are set.
if [[ ! $WG_SERVER_IP || ! $WG_HOSTNAME || ! $PIA_TOKEN ]]; then if [[ ! $WG_SERVER_IP || ! $WG_HOSTNAME || ! $PIA_TOKEN ]]; then
echo This script requires 3 env vars: echo -e ${RED}This script requires 3 env vars:
echo WG_SERVER_IP - IP that you want to connect to echo WG_SERVER_IP - IP that you want to connect to
echo WG_HOSTNAME - name of the server, required for ssl echo WG_HOSTNAME - name of the server, required for ssl
echo PIA_TOKEN - your authentication token echo PIA_TOKEN - your authentication token
@ -62,7 +75,7 @@ if [[ ! $WG_SERVER_IP || ! $WG_HOSTNAME || ! $PIA_TOKEN ]]; then
echo An easy solution is to just run get_region_and_token.sh echo An easy solution is to just run get_region_and_token.sh
echo as it will guide you through getting the best server and echo as it will guide you through getting the best server and
echo also a token. Detailed information can be found here: echo also a token. Detailed information can be found here:
echo https://github.com/pia-foss/manual-connections echo -e https://github.com/pia-foss/manual-connections${NC}
exit 1 exit 1
fi fi
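Review bot: same stale reference as in the OpenVPN script: `echo An easy solution is to just run get_region_and_token.sh` should now name `get_region.sh`, since this commit splits the old script into get_region.sh and get_token.sh.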
@ -86,11 +99,10 @@ wireguard_json="$(curl -s -G \
--data-urlencode "pubkey=$pubKey" \ --data-urlencode "pubkey=$pubKey" \
"https://${WG_HOSTNAME}:1337/addKey" )" "https://${WG_HOSTNAME}:1337/addKey" )"
export wireguard_json export wireguard_json
echo "$wireguard_json"
# Check if the API returned OK and stop this script if it didn't. # Check if the API returned OK and stop this script if it didn't.
if [ "$(echo "$wireguard_json" | jq -r '.status')" != "OK" ]; then if [ "$(echo "$wireguard_json" | jq -r '.status')" != "OK" ]; then
>&2 echo "Server did not return OK. Stopping now." >&2 echo -e "${RED}Server did not return OK. Stopping now.${NC}"
exit 1 exit 1
fi fi
@ -99,7 +111,7 @@ fi
# these scripts. Feel free to fork the project and test it out. # these scripts. Feel free to fork the project and test it out.
echo echo
echo Trying to disable a PIA WG connection in case it exists... echo Trying to disable a PIA WG connection in case it exists...
wg-quick down pia && echo Disconnected! wg-quick down pia && echo -e "${GREEN}\nPIA WG connection disabled!${NC}"
echo echo
# Create the WireGuard config based on the JSON received from the API # Create the WireGuard config based on the JSON received from the API
@ -108,15 +120,16 @@ echo
# This uses a PersistentKeepalive of 25 seconds to keep the NAT active # This uses a PersistentKeepalive of 25 seconds to keep the NAT active
# on firewalls. You can remove that line if your network does not # on firewalls. You can remove that line if your network does not
# require it. # require it.
echo -n "Trying to write /etc/wireguard/pia.conf... "
mkdir -p /etc/wireguard
if [ "$PIA_DNS" == true ]; then if [ "$PIA_DNS" == true ]; then
dnsServer="$(echo "$wireguard_json" | jq -r '.dns_servers[0]')" dnsServer="$(echo "$wireguard_json" | jq -r '.dns_servers[0]')"
echo Trying to set up DNS to $dnsServer. In case you do not have resolvconf, echo Trying to set up DNS to $dnsServer. In case you do not have resolvconf,
echo this operation will fail and you will not get a VPN. If you have issues, echo this operation will fail and you will not get a VPN. If you have issues,
echo start this script without PIA_DNS. echo start this script without PIA_DNS.
echo
dnsSettingForVPN="DNS = $dnsServer" dnsSettingForVPN="DNS = $dnsServer"
fi fi
echo -n "Trying to write /etc/wireguard/pia.conf..."
mkdir -p /etc/wireguard
echo " echo "
[Interface] [Interface]
Address = $(echo "$wireguard_json" | jq -r '.peer_ip') Address = $(echo "$wireguard_json" | jq -r '.peer_ip')
@ -128,7 +141,7 @@ PublicKey = $(echo "$wireguard_json" | jq -r '.server_key')
AllowedIPs = 0.0.0.0/0 AllowedIPs = 0.0.0.0/0
Endpoint = ${WG_SERVER_IP}:$(echo "$wireguard_json" | jq -r '.server_port') Endpoint = ${WG_SERVER_IP}:$(echo "$wireguard_json" | jq -r '.server_port')
" > /etc/wireguard/pia.conf || exit 1 " > /etc/wireguard/pia.conf || exit 1
echo OK! echo -e ${GREEN}OK!${NC}
# Start the WireGuard interface. # Start the WireGuard interface.
# If something failed, stop this script. # If something failed, stop this script.
@ -137,41 +150,46 @@ echo OK!
echo echo
echo Trying to create the wireguard interface... echo Trying to create the wireguard interface...
wg-quick up pia || exit 1 wg-quick up pia || exit 1
echo "The WireGuard interface got created. echo
echo -e "${GREEN}The WireGuard interface got created.${NC}
At this point, internet should work via VPN. At this point, internet should work via VPN.
--> to disconnect the VPN, run: To disconnect the VPN, run:
$ wg-quick down pia"
--> ${GREEN}wg-quick down pia${NC} <--
"
# This section will stop the script if PIA_PF is not set to "true". # This section will stop the script if PIA_PF is not set to "true".
if [ "$PIA_PF" != true ]; then if [ "$PIA_PF" != true ]; then
echo If you want to also enable port forwarding, you can start the script:
echo -e $ ${GREEN}PIA_TOKEN=$PIA_TOKEN \
PF_GATEWAY=$WG_SERVER_IP \
PF_HOSTNAME=$WG_HOSTNAME \
./port_forwarding.sh${NC}
echo echo
echo If you want to also enable port forwarding, please start the script echo The location used must be port forwarding enabled, or this will fail.
echo with the env var PIA_PF=true. Example: echo Calling the ./get_region script with PIA_PF=true will provide a filtered list.
echo $ WG_SERVER_IP=10.0.0.3 WG_HOSTNAME=piaserver401 \ exit 1
PIA_TOKEN=\"\$token\" PIA_PF=true \
./connect_to_wireguard_with_token.sh
exit
fi fi
echo -n " echo -ne "This script got started with ${GREEN}PIA_PF=true${NC}.
This script got started with PIA_PF=true. We will allow WireGuard to fully
initialize and after that we will try to enable PF by running the following
command:
$ PIA_TOKEN=$PIA_TOKEN \\
PF_GATEWAY=\"$(echo "$wireguard_json" | jq -r '.server_vip')\" \\
PF_HOSTNAME=\"$WG_HOSTNAME\" \\
./port_forwarding.sh
Starting PF in " Starting port forwarding in "
for i in {5..1}; do for i in {5..1}; do
echo -n "$i... " echo -n "$i..."
sleep 1 sleep 1
done done
echo echo
echo echo
echo -e "Starting procedure to enable port forwarding by running the following command:
$ ${GREEN}PIA_TOKEN=$PIA_TOKEN \\
PF_GATEWAY=$WG_SERVER_IP \\
PF_HOSTNAME=$WG_HOSTNAME \\
./port_forwarding.sh${NC}"
PIA_TOKEN=$PIA_TOKEN \ PIA_TOKEN=$PIA_TOKEN \
PF_GATEWAY="$(echo "$wireguard_json" | jq -r '.server_vip')" \ PF_GATEWAY=$WG_SERVER_IP \
PF_HOSTNAME="$WG_HOSTNAME" \ PF_HOSTNAME=$WG_HOSTNAME \
./port_forwarding.sh ./port_forwarding.sh
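Review bot: `PF_GATEWAY` for WireGuard changes from the `server_vip` field of the addKey response to `$WG_SERVER_IP` (the public endpoint) in all three places it appears, and the commit message does not mention it; if port_forwarding.sh is known to work against either address, say so in the message, otherwise this silently changes where the PF API is reached. The no-PF branch has the same `exit 1` problem as connect_to_openvpn_with_token.sh: a working tunnel now exits non-zero, which breaks the automation this commit is meant to enable. As in the OpenVPN script, the quotes around `PF_GATEWAY` and `PF_HOSTNAME` were dropped and the full token is echoed to the terminal.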

get_region.sh (new executable file, 273 lines)
View File

@ -0,0 +1,273 @@
#!/bin/bash
# Copyright (C) 2020 Private Internet Access, Inc.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
# This function allows you to check if the required tools have been installed.
function check_tool() {
cmd=$1
if ! command -v $cmd &>/dev/null
then
echo "$cmd could not be found"
echo "Please install $cmd"
exit 1
fi
}
# Now we call the function to make sure we can use curl and jq.
check_tool curl
check_tool jq
# If the server list has less than 1000 characters, it means curl failed.
function check_all_region_data() {
echo
echo -n "Getting the server list..."
if [[ ${#all_region_data} -lt 1000 ]]; then
echo -e "${RED}Could not get correct region data. To debug this, run:"
echo "$ curl -v $serverlist_url"
echo -e "If it works, you will get a huge JSON as a response.${NC}"
exit 1
fi
# Notify the user that we got the server list.
echo -e "${GREEN}OK!${NC}
"
}
# Get all data for the selected region
# Exit with code 1 if the REGION_ID provided is invalid
function get_selected_region_data() {
regionData="$( echo $all_region_data |
jq --arg REGION_ID "$selectedRegion" -r \
'.regions[] | select(.id==$REGION_ID)')"
if [[ ! $regionData ]]; then
echo -e "${RED}The REGION_ID $selectedRegion is not valid.${NC}
"
exit 1
fi
}
# Check if terminal allows output, if yes, define colors for output
if test -t 1; then
ncolors=$(tput colors)
if test -n "$ncolors" && test $ncolors -ge 8; then
GREEN='\033[0;32m'
RED='\033[0;31m'
NC='\033[0m' # No Color
else
GREEN=''
RED=''
NC='' # No Color
fi
fi
# Only allow script to run as
if [ "$(whoami)" != "root" ]; then
echo -e "${RED}This script needs to be run as root. Try again with 'sudo $0'${NC}"
exit 1
fi
mkdir -p /opt/piavpn-manual
# Erase old latencyList file
rm -f /opt/piavpn-manual/latencyList
touch /opt/piavpn-manual/latencyList
# This allows you to set the maximum allowed latency in seconds.
# All servers that respond slower than this will be ignored.
# You can inject this with the environment variable MAX_LATENCY.
# The default value is 50 milliseconds.
MAX_LATENCY=${MAX_LATENCY:-0.05}
export MAX_LATENCY
serverlist_url='https://serverlist.piaservers.net/vpninfo/servers/v4'
# This function checks the latency you have to a specific region.
# It will print a human-readable message to stderr,
# and it will print the variables to stdout
printServerLatency() {
serverIP="$1"
regionID="$2"
regionName="$(echo ${@:3} |
sed 's/ false//' | sed 's/true/(geo)/')"
time=$(LC_NUMERIC=en_US.utf8 curl -o /dev/null -s \
--connect-timeout $MAX_LATENCY \
--write-out "%{time_connect}" \
http://$serverIP:443)
if [ $? -eq 0 ]; then
>&2 echo Got latency ${time}s for region: $regionName
echo $time $regionID $serverIP
# Write a list of servers with acceptable latancy
# to /opt/piavpn-manual/latencyList
echo -e $time $regionID'\t'$serverIP'\t'$regionName >> /opt/piavpn-manual/latencyList
fi
# Sort the latencyList, ordered by latency
sort -no /opt/piavpn-manual/latencyList /opt/piavpn-manual/latencyList
}
export -f printServerLatency
# If a server location or autoconnect isn't specified, set the variable to false/no.
if [[ -z "$PREFERRED_REGION" ]]; then
PREFERRED_REGION=none
fi
if [[ -z "$VPN_PROTOCOL" ]]; then
VPN_PROTOCOL=no
fi
# Get all region data
all_region_data=$(curl -s "$serverlist_url" | head -1)
# Set the region the user has specified
selectedRegion=$PREFERRED_REGION
# If a server isn't being specified, auto-select the server with the lowest latency
if [[ $selectedRegion == "none" ]]; then
selectedOrLowestLatency="lowest latency"
check_all_region_data
# Making sure this variable doesn't contain some strange string
if [ "$PIA_PF" != true ]; then
PIA_PF="false"
fi
# Test one server from each region to get the closest region.
# If port forwarding is enabled, filter out regions that don't support it.
if [[ $PIA_PF == "true" ]]; then
echo Port Forwarding is enabled, non-PF servers excluded.
echo
summarized_region_data="$( echo $all_region_data |
jq -r '.regions[] | select(.port_forward==true) |
.servers.meta[0].ip+" "+.id+" "+.name+" "+(.geo|tostring)' )"
else
summarized_region_data="$( echo $all_region_data |
jq -r '.regions[] |
.servers.meta[0].ip+" "+.id+" "+.name+" "+(.geo|tostring)' )"
fi
echo -e Testing regions that respond \
faster than ${GREEN}$MAX_LATENCY${NC} seconds:
selectedRegion="$(echo "$summarized_region_data" |
xargs -I{} bash -c 'printServerLatency {}' |
sort | head -1 | awk '{ print $2 }')"
echo
if [ -z "$selectedRegion" ]; then
echo -e ${RED}No region responded within ${MAX_LATENCY}s, consider using a higher timeout.
echo For example, to wait 1 second for each region, inject MAX_LATENCY=1 like this:
echo -e $ MAX_LATENCY=1 ./get_region.sh${NC}
exit 1
else
echo -e "A list of servers and connection details, ordered by latency can be
found in at : ${GREEN}/opt/piavpn-manual/latencyList${NC}
"
fi
else
selectedOrLowestLatency="selected"
check_all_region_data
fi
get_selected_region_data
bestServer_meta_IP="$(echo $regionData | jq -r '.servers.meta[0].ip')"
bestServer_meta_hostname="$(echo $regionData | jq -r '.servers.meta[0].cn')"
bestServer_WG_IP="$(echo $regionData | jq -r '.servers.wg[0].ip')"
bestServer_WG_hostname="$(echo $regionData | jq -r '.servers.wg[0].cn')"
bestServer_OT_IP="$(echo $regionData | jq -r '.servers.ovpntcp[0].ip')"
bestServer_OT_hostname="$(echo $regionData | jq -r '.servers.ovpntcp[0].cn')"
bestServer_OU_IP="$(echo $regionData | jq -r '.servers.ovpnudp[0].ip')"
bestServer_OU_hostname="$(echo $regionData | jq -r '.servers.ovpnudp[0].cn')"
if [[ $VPN_PROTOCOL == "no" ]]; then
echo -ne The $selectedOrLowestLatency region is ${GREEN}"$(echo $regionData | jq -r '.name')"${NC}
if echo $regionData | jq -r '.geo' | grep true > /dev/null; then
echo " (geolocated region)."
else
echo "."
fi
echo -e "
The script found the best servers from the region you selected.
When connecting to an IP (no matter which protocol), please verify
the SSL/TLS certificate actually contains the hostname so that you
are sure you are connecting to a secure server, validated by the
PIA authority. Please find below the list of best IPs and matching
hostnames for each protocol:
${GREEN}Meta Services $bestServer_meta_IP\t- $bestServer_meta_hostname
WireGuard $bestServer_WG_IP\t- $bestServer_WG_hostname
OpenVPN TCP $bestServer_OT_IP\t- $bestServer_OT_hostname
OpenVPN UDP $bestServer_OU_IP\t- $bestServer_OU_hostname
${NC}"
fi
# The script will check for an authentication token, and use it if present
# If no token exists, the script will check for login credentials to generate one
if [[ -z "$PIA_TOKEN" ]] || [[ $PIA_TOKEN == "" ]]; then
if [[ ! $PIA_USER || ! $PIA_PASS ]]; then
echo -e ${RED}If you want this script to automatically get an authentication
echo token, please add the variables PIA_USER and PIA_PASS. Example:
echo -e $ PIA_USER=p0123456 PIA_PASS=xxx ./get_region.sh${NC}
exit 0
fi
./get_token.sh
PIA_TOKEN=$( awk 'NR == 1' /opt/piavpn-manual/token )
export PIA_TOKEN
rm -f /opt/piavpn-manual/token
else
echo -e "Using existing token ${GREEN}$PIA_TOKEN${NC}."
echo
fi
# Connect with WireGuard and clear authentication token file and latencyList
if [[ $VPN_PROTOCOL == wireguard ]]; then
echo The ./get_region.sh script got started with
echo -e ${GREEN}VPN_PROTOCOL=wireguard${NC}, so we will automatically connect to WireGuard,
echo by running this command:
echo -e $ ${GREEN}PIA_TOKEN=$PIA_TOKEN \\
echo WG_SERVER_IP=$bestServer_WG_IP WG_HOSTNAME=$bestServer_WG_hostname \\
echo -e PIA_PF=$PIA_PF ./connect_to_wireguard_with_token.sh${NC}
echo
PIA_PF=$PIA_PF PIA_TOKEN=$PIA_TOKEN WG_SERVER_IP=$bestServer_WG_IP \
WG_HOSTNAME=$bestServer_WG_hostname ./connect_to_wireguard_with_token.sh
rm -f /opt/piavpn-manual/latencyList
exit 0
fi
# Connect with OpenVPN and clear authentication token file and latencyList
if [[ $VPN_PROTOCOL == openvpn* ]]; then
serverIP=$bestServer_OU_IP
serverHostname=$bestServer_OU_hostname
if [[ $VPN_PROTOCOL == *tcp* ]]; then
serverIP=$bestServer_OT_IP
serverHostname=$bestServer_OT_hostname
fi
echo The ./get_region.sh script got started with
echo -e ${GREEN}VPN_PROTOCOL=$VPN_PROTOCOL${NC}, so we will automatically
echo connect to OpenVPN, by running this command:
echo -e $ ${GREEN}PIA_PF=$PIA_PF PIA_TOKEN=$PIA_TOKEN \\
echo OVPN_SERVER_IP=$serverIP \\
echo OVPN_HOSTNAME=$serverHostname \\
echo CONNECTION_SETTINGS=$VPN_PROTOCOL \\
echo -e ./connect_to_openvpn_with_token.sh${NC}
echo
PIA_PF=$PIA_PF PIA_TOKEN=$PIA_TOKEN \
OVPN_SERVER_IP=$serverIP \
OVPN_HOSTNAME=$serverHostname \
CONNECTION_SETTINGS=$VPN_PROTOCOL \
./connect_to_openvpn_with_token.sh
rm -f /opt/piavpn-manual/latencyList
exit 0
fi
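Review bot: the 24-hour bearer token is echoed to the terminal in this hunk, first as `echo -e "Using existing token ${GREEN}$PIA_TOKEN${NC}."` and again inside the two "we will automatically connect ... by running this command" blocks (`$ ${GREEN}PIA_TOKEN=$PIA_TOKEN \\`); anything that captures stdout (a terminal log, a cron or CI job, `script`) then holds a credential that the connect scripts accept as-is, so print a masked prefix or just the variable name, as the hostname and IP lines already do for non-secret values. Two smaller points: the missing-credentials branch (`echo -e $ PIA_USER=p0123456 PIA_PASS=xxx ./get_region.sh${NC}`) ends with `exit 0`, so a caller cannot tell "no token obtained" from success, whereas the script this replaces used `exit 1` there; and `xargs -I{} bash -c 'printServerLatency {}'` splices region names from the downloaded server list straight into a shell command string, so the list is being trusted not to contain backticks or `$(`; `xargs -L1 bash -c 'printServerLatency "$@"' _` passes the fields as arguments and removes that dependency.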


@ -1,228 +0,0 @@
#!/bin/bash
# Copyright (C) 2020 Private Internet Access, Inc.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
# This function allows you to check if the required tools have been installed.
function check_tool() {
cmd=$1
package=$2
if ! command -v $cmd &>/dev/null
then
echo "$cmd could not be found"
echo "Please install $package"
exit 1
fi
}
# Now we call the function to make sure we can use curl and jq.
check_tool curl curl
check_tool jq jq
# This allows you to set the maximum allowed latency in seconds.
# All servers that respond slower than this will be ignored.
# You can inject this with the environment variable MAX_LATENCY.
# The default value is 50 milliseconds.
MAX_LATENCY=${MAX_LATENCY:-0.05}
export MAX_LATENCY
serverlist_url='https://serverlist.piaservers.net/vpninfo/servers/v4'
# This function checks the latency you have to a specific region.
# It will print a human-readable message to stderr,
# and it will print the variables to stdout
printServerLatency() {
serverIP="$1"
regionID="$2"
regionName="$(echo ${@:3} |
sed 's/ false//' | sed 's/true/(geo)/')"
time=$(LC_NUMERIC=en_US.utf8 curl -o /dev/null -s \
--connect-timeout $MAX_LATENCY \
--write-out "%{time_connect}" \
http://$serverIP:443)
if [ $? -eq 0 ]; then
>&2 echo Got latency ${time}s for region: $regionName
echo $time $regionID $serverIP
fi
}
export -f printServerLatency
echo -n "Getting the server list... "
# Get all region data since we will need this on multiple occasions
all_region_data=$(curl -s "$serverlist_url" | head -1)
# If the server list has less than 1000 characters, it means curl failed.
if [[ ${#all_region_data} -lt 1000 ]]; then
echo "Could not get correct region data. To debug this, run:"
echo "$ curl -v $serverlist_url"
echo "If it works, you will get a huge JSON as a response."
exit 1
fi
# Notify the user that we got the server list.
echo "OK!"
# Test one server from each region to get the closest region.
# If port forwarding is enabled, filter out regions that don't support it.
if [[ $PIA_PF == "true" ]]; then
echo Port Forwarding is enabled, so regions that do not support
echo port forwarding will get filtered out.
summarized_region_data="$( echo $all_region_data |
jq -r '.regions[] | select(.port_forward==true) |
.servers.meta[0].ip+" "+.id+" "+.name+" "+(.geo|tostring)' )"
else
summarized_region_data="$( echo $all_region_data |
jq -r '.regions[] |
.servers.meta[0].ip+" "+.id+" "+.name+" "+(.geo|tostring)' )"
fi
echo Testing regions that respond \
faster than $MAX_LATENCY seconds:
bestRegion="$(echo "$summarized_region_data" |
xargs -I{} bash -c 'printServerLatency {}' |
sort | head -1 | awk '{ print $2 }')"
if [ -z "$bestRegion" ]; then
echo ...
echo No region responded within ${MAX_LATENCY}s, consider using a higher timeout.
echo For example, to wait 1 second for each region, inject MAX_LATENCY=1 like this:
echo $ MAX_LATENCY=1 ./get_region_and_token.sh
exit 1
fi
# Get all data for the best region
regionData="$( echo $all_region_data |
jq --arg REGION_ID "$bestRegion" -r \
'.regions[] | select(.id==$REGION_ID)')"
echo -n The closest region is "$(echo $regionData | jq -r '.name')"
if echo $regionData | jq -r '.geo' | grep true > /dev/null; then
echo " (geolocated region)."
else
echo "."
fi
echo
bestServer_meta_IP="$(echo $regionData | jq -r '.servers.meta[0].ip')"
bestServer_meta_hostname="$(echo $regionData | jq -r '.servers.meta[0].cn')"
bestServer_WG_IP="$(echo $regionData | jq -r '.servers.wg[0].ip')"
bestServer_WG_hostname="$(echo $regionData | jq -r '.servers.wg[0].cn')"
bestServer_OT_IP="$(echo $regionData | jq -r '.servers.ovpntcp[0].ip')"
bestServer_OT_hostname="$(echo $regionData | jq -r '.servers.ovpntcp[0].cn')"
bestServer_OU_IP="$(echo $regionData | jq -r '.servers.ovpnudp[0].ip')"
bestServer_OU_hostname="$(echo $regionData | jq -r '.servers.ovpnudp[0].cn')"
echo "The script found the best servers from the region closest to you.
When connecting to an IP (no matter which protocol), please verify
the SSL/TLS certificate actually contains the hostname so that you
are sure you are connecting to a secure server, validated by the
PIA authority. Please find below the list of best IPs and matching
hostnames for each protocol:
Meta Services: $bestServer_meta_IP // $bestServer_meta_hostname
WireGuard: $bestServer_WG_IP // $bestServer_WG_hostname
OpenVPN TCP: $bestServer_OT_IP // $bestServer_OT_hostname
OpenVPN UDP: $bestServer_OU_IP // $bestServer_OU_hostname
"
if [[ ! $PIA_USER || ! $PIA_PASS ]]; then
echo If you want this script to automatically get a token from the Meta
echo service, please add the variables PIA_USER and PIA_PASS. Example:
echo $ PIA_USER=p0123456 PIA_PASS=xxx ./get_region_and_token.sh
exit 1
fi
echo "The ./get_region_and_token.sh script got started with PIA_USER and PIA_PASS,
so we will also use a meta service to get a new VPN token."
echo "Trying to get a new token by authenticating with the meta service..."
generateTokenResponse=$(curl -s -u "$PIA_USER:$PIA_PASS" \
--connect-to "$bestServer_meta_hostname::$bestServer_meta_IP:" \
--cacert "ca.rsa.4096.crt" \
"https://$bestServer_meta_hostname/authv3/generateToken")
echo "$generateTokenResponse"
if [ "$(echo "$generateTokenResponse" | jq -r '.status')" != "OK" ]; then
echo "Could not get a token. Please check your account credentials."
echo
echo "You can also try debugging by manually running the curl command:"
echo $ curl -vs -u \"$PIA_USER:$PIA_PASS\" --cacert ca.rsa.4096.crt \
--connect-to \"$bestServer_meta_hostname::$bestServer_meta_IP:\" \
https://$bestServer_meta_hostname/authv3/generateToken
exit 1
fi
token="$(echo "$generateTokenResponse" | jq -r '.token')"
echo "This token will expire in 24 hours.
"
# just making sure this variable doesn't contain some strange string
if [ "$PIA_PF" != true ]; then
PIA_PF="false"
fi
if [[ $PIA_AUTOCONNECT == wireguard ]]; then
echo The ./get_region_and_token.sh script got started with
echo PIA_AUTOCONNECT=wireguard, so we will automatically connect to WireGuard,
echo by running this command:
echo $ PIA_TOKEN=\"$token\" \\
echo WG_SERVER_IP=$bestServer_WG_IP WG_HOSTNAME=$bestServer_WG_hostname \\
echo PIA_PF=$PIA_PF ./connect_to_wireguard_with_token.sh
echo
PIA_PF=$PIA_PF PIA_TOKEN="$token" WG_SERVER_IP=$bestServer_WG_IP \
WG_HOSTNAME=$bestServer_WG_hostname ./connect_to_wireguard_with_token.sh
exit 0
fi
if [[ $PIA_AUTOCONNECT == openvpn* ]]; then
serverIP=$bestServer_OU_IP
serverHostname=$bestServer_OU_hostname
if [[ $PIA_AUTOCONNECT == *tcp* ]]; then
serverIP=$bestServer_OT_IP
serverHostname=$bestServer_OT_hostname
fi
echo The ./get_region_and_token.sh script got started with
echo PIA_AUTOCONNECT=$PIA_AUTOCONNECT, so we will automatically
echo connect to OpenVPN, by running this command:
echo PIA_PF=$PIA_PF PIA_TOKEN=\"$token\" \\
echo OVPN_SERVER_IP=$serverIP \\
echo OVPN_HOSTNAME=$serverHostname \\
echo CONNECTION_SETTINGS=$PIA_AUTOCONNECT \\
echo ./connect_to_openvpn_with_token.sh
echo
PIA_PF=$PIA_PF PIA_TOKEN="$token" \
OVPN_SERVER_IP=$serverIP \
OVPN_HOSTNAME=$serverHostname \
CONNECTION_SETTINGS=$PIA_AUTOCONNECT \
./connect_to_openvpn_with_token.sh
exit 0
fi
echo If you wish to automatically connect to the VPN after detecting the best
echo region, please run the script with the env var PIA_AUTOCONNECT.
echo 'The available options for PIA_AUTOCONNECT are (from fastest to slowest):'
echo - wireguard
echo - openvpn_udp_standard
echo - openvpn_udp_strong
echo - openvpn_tcp_standard
echo - openvpn_tcp_strong
echo You can also specify the env var PIA_PF=true to get port forwarding.
echo
echo Example:
echo $ PIA_USER=p0123456 PIA_PASS=xxx \
PIA_AUTOCONNECT=wireguard PIA_PF=true ./get_region_and_token.sh
echo
echo You can also connect now by running this command:
echo $ PIA_TOKEN=\"$token\" WG_SERVER_IP=$bestServer_WG_IP \
WG_HOSTNAME=$bestServer_WG_hostname ./connect_to_wireguard_with_token.sh
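Review bot: deleting this file removes the only token path that authenticated against the region's meta server under the pinned PIA CA (`--connect-to "$bestServer_meta_hostname::$bestServer_meta_IP:"`, `--cacert "ca.rsa.4096.crt"`, `https://$bestServer_meta_hostname/authv3/generateToken`); the replacement in get_token.sh relies on the system trust store for privateinternetaccess.com instead, which is a deliberate trust change that the documentation should state. Every existing invocation of `./get_region_and_token.sh` (the usage text here still prints `$ PIA_USER=p0123456 PIA_PASS=xxx PIA_AUTOCONNECT=wireguard PIA_PF=true ./get_region_and_token.sh`) now fails with "No such file"; a one-line wrapper that calls get_token.sh and then get_region.sh, and maps the old `PIA_AUTOCONNECT` value onto the new `VPN_PROTOCOL`, would keep existing automation working.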

get_token.sh Executable file

@ -0,0 +1,95 @@
#!/bin/bash
# Copyright (C) 2020 Private Internet Access, Inc.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
# This function allows you to check if the required tools have been installed.
function check_tool() {
cmd=$1
if ! command -v $cmd &>/dev/null
then
echo "$cmd could not be found"
echo "Please install $cmd"
exit 1
fi
}
# This function creates a timestamp, to use for setting $TOKEN_EXPIRATION
function timeout_timestamp() {
date +"%c" --date='1 day' # Timestamp 24 hours
}
# Now we call the function to make sure we can use curl and jq.
check_tool curl
check_tool jq
# Check if terminal allows output, if yes, define colors for output
if test -t 1; then
ncolors=$(tput colors)
if test -n "$ncolors" && test $ncolors -ge 8; then
GREEN='\033[0;32m'
RED='\033[0;31m'
NC='\033[0m' # No Color
else
GREEN=''
RED=''
NC='' # No Color
fi
fi
# Only allow script to run as
if [ "$(whoami)" != "root" ]; then
echo -e "${RED}This script needs to be run as root. Try again with 'sudo $0'${NC}"
exit 1
fi
mkdir -p /opt/piavpn-manual
if [[ ! $PIA_USER || ! $PIA_PASS ]]; then
echo If you want this script to automatically get a token from the Meta
echo service, please add the variables PIA_USER and PIA_PASS. Example:
echo $ PIA_USER=p0123456 PIA_PASS=xxx ./get_token.sh
exit 1
fi
tokenLocation=/opt/piavpn-manual/token
echo -n "Checking login credentials..."
generateTokenResponse=$(curl -s -u "$PIA_USER:$PIA_PASS" \
"https://privateinternetaccess.com/gtoken/generateToken")
if [ "$(echo "$generateTokenResponse" | jq -r '.status')" != "OK" ]; then
echo
echo
echo -e "${RED}Could not authenticate with the login credentials provided!${NC}"
echo
exit
fi
echo -e ${GREEN}OK!
echo
token=$(echo "$generateTokenResponse" | jq -r '.token')
tokenExpiration=$(timeout_timestamp)
echo -e PIA_TOKEN=$token${NC}
echo $token > /opt/piavpn-manual/token || exit 1
echo $tokenExpiration >> /opt/piavpn-manual/token
echo
echo This token will expire in 24 hours, on $tokenExpiration.
echo
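Review bot: the token file is written with the process's default umask (`echo $token > /opt/piavpn-manual/token`), which for root is normally 0644, so on a shared host any local user can read a credential that stays valid for 24 hours; create it with `(umask 077; echo "$token" > "$tokenLocation")` or `chmod 600` it immediately, and use the `$tokenLocation` variable that is defined but never referenced. The failure branch after the `jq -r '.status'` check ends with a bare `exit`, which returns the status of the preceding `echo` (0), so a wrong password exits successfully; make it `exit 1`. Finally, `curl -s -u "$PIA_USER:$PIA_PASS"` puts the password in the process argument list, visible to other local users through `ps` while the request runs; feeding the credentials through a config read from stdin with `-K -` avoids that, and the later `echo -e PIA_TOKEN=$token${NC}` has the same terminal-log exposure as the token echoes in get_region.sh.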


@ -19,6 +19,19 @@
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE. # SOFTWARE.
# This function allows you to check if the required tools have been installed.
function check_tool() {
cmd=$1
if ! command -v $cmd &>/dev/null
then
echo "$cmd could not be found"
echo "Please install $cmd"
exit 1
fi
}
# Now we call the function to make sure we can use wg-quick, curl and jq.
check_tool curl
check_tool jq
# Check if the mandatory environment variables are set. # Check if the mandatory environment variables are set.
if [[ ! $PF_GATEWAY || ! $PIA_TOKEN || ! $PF_HOSTNAME ]]; then if [[ ! $PF_GATEWAY || ! $PIA_TOKEN || ! $PF_HOSTNAME ]]; then
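Review bot: the comment `# Now we call the function to make sure we can use wg-quick, curl and jq.` names wg-quick, but this script never invokes it and the checks that follow cover only curl and jq; drop wg-quick from the comment, and since the hunks below decode the payload with `base64 -d`, consider adding `check_tool base64` so a minimal container fails at startup rather than at the first `jq -r '.port'`.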
@ -34,6 +47,20 @@ if [[ ! $PF_GATEWAY || ! $PIA_TOKEN || ! $PF_HOSTNAME ]]; then
exit 1 exit 1
fi fi
# Check if terminal allows output, if yes, define colors for output
if test -t 1; then
ncolors=$(tput colors)
if test -n "$ncolors" && test $ncolors -ge 8; then
GREEN='\033[0;32m'
RED='\033[0;31m'
NC='\033[0m' # No Color
else
GREEN=''
RED=''
NC='' # No Color
fi
fi
# The port forwarding system has required two variables: # The port forwarding system has required two variables:
# PAYLOAD: contains the token, the port and the expiration date # PAYLOAD: contains the token, the port and the expiration date
# SIGNATURE: certifies the payload originates from the PIA network. # SIGNATURE: certifies the payload originates from the PIA network.
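Review bot: the colour block is inserted after the mandatory-variable check (`if [[ ! $PF_GATEWAY || ! $PIA_TOKEN || ! $PF_HOSTNAME ]]`), so `${RED}` and `${NC}` expand to nothing in the error text that check prints, unlike the messages added later in the file; move the block above it. The same fourteen lines now appear verbatim in get_token.sh and in the setup script; a small helper sourced by each script would keep them in one place, and it should also set the three variables to empty strings when stdout is not a terminal, which this block does not (the `if test -t 1` has no else branch), so a later `set -u` would fail on them.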
@ -55,7 +82,8 @@ fi
# save the payload_and_signature received from your previous request # save the payload_and_signature received from your previous request
# in the env var PAYLOAD_AND_SIGNATURE, and that will be used instead. # in the env var PAYLOAD_AND_SIGNATURE, and that will be used instead.
if [[ ! $PAYLOAD_AND_SIGNATURE ]]; then if [[ ! $PAYLOAD_AND_SIGNATURE ]]; then
echo "Getting new signature..." echo
echo -n "Getting new signature... "
payload_and_signature="$(curl -s -m 5 \ payload_and_signature="$(curl -s -m 5 \
--connect-to "$PF_HOSTNAME::$PF_GATEWAY:" \ --connect-to "$PF_HOSTNAME::$PF_GATEWAY:" \
--cacert "ca.rsa.4096.crt" \ --cacert "ca.rsa.4096.crt" \
@ -63,17 +91,17 @@ if [[ ! $PAYLOAD_AND_SIGNATURE ]]; then
"https://${PF_HOSTNAME}:19999/getSignature")" "https://${PF_HOSTNAME}:19999/getSignature")"
else else
payload_and_signature="$PAYLOAD_AND_SIGNATURE" payload_and_signature="$PAYLOAD_AND_SIGNATURE"
echo "Using the following payload_and_signature from the env var:" echo -n "Checking the payload_and_signature from the env var... "
fi fi
echo "$payload_and_signature"
export payload_and_signature export payload_and_signature
# Check if the payload and the signature are OK. # Check if the payload and the signature are OK.
# If they are not OK, just stop the script. # If they are not OK, just stop the script.
if [ "$(echo "$payload_and_signature" | jq -r '.status')" != "OK" ]; then if [ "$(echo "$payload_and_signature" | jq -r '.status')" != "OK" ]; then
echo "The payload_and_signature variable does not contain an OK status." echo -e "${RED}The payload_and_signature variable does not contain an OK status.${NC}"
exit 1 exit 1
fi fi
echo -e "${GREEN}OK!${NC}"
# We need to get the signature out of the previous response. # We need to get the signature out of the previous response.
# The signature will allow the us to bind the port on the server. # The signature will allow the us to bind the port on the server.
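Review bot: dropping `echo "$payload_and_signature"` is right for the success path (the signature is what authorises `bindPort` for the next two months), but it also removes the only diagnostic on the failure path: when `jq -r '.status'` is not `OK`, the user now sees only `The payload_and_signature variable does not contain an OK status.` with no hint whether the server returned an error body, an empty reply after the `-m 5` timeout, or a TLS failure under `--cacert`; print the raw response, or curl's exit code, inside the failure branch only, before `exit 1`.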
@ -90,12 +118,13 @@ port="$(echo "$payload" | base64 -d | jq -r '.port')"
# 2 months is not enough for your setup, please open a ticket. # 2 months is not enough for your setup, please open a ticket.
expires_at="$(echo "$payload" | base64 -d | jq -r '.expires_at')" expires_at="$(echo "$payload" | base64 -d | jq -r '.expires_at')"
# Display some information on the screen for the user. echo -ne "
echo "The signature is OK. Signature ${GREEN}$signature${NC}
Payload ${GREEN}$payload${NC}
--> The port is $port and it will expire on $expires_at. <-- --> The port is ${GREEN}$port${NC} and it will expire on ${RED}$expires_at${NC}. <--
Trying to bind the port..." Trying to bind the port... "
# Now we have all required data to create a request to bind the port. # Now we have all required data to create a request to bind the port.
# We will repeat this request every 15 minutes, in order to keep the port # We will repeat this request every 15 minutes, in order to keep the port
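Review bot: the new banner prints `Signature ${GREEN}$signature${NC}` and `Payload ${GREEN}$payload${NC}` to stdout; together these are exactly the PAYLOAD_AND_SIGNATURE material the script accepts from the environment to re-bind the port without a token, so any terminal log or captured output now holds a credential that stays valid until `$expires_at` (up to two months, per the comment above). Show only the port and the expiry here and leave the signature out, or gate it behind a verbose flag; the previous `The signature is OK.` line already told the user what they needed.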
@ -108,17 +137,18 @@ while true; do
--data-urlencode "payload=${payload}" \ --data-urlencode "payload=${payload}" \
--data-urlencode "signature=${signature}" \ --data-urlencode "signature=${signature}" \
"https://${PF_HOSTNAME}:19999/bindPort")" "https://${PF_HOSTNAME}:19999/bindPort")"
echo "$bind_port_response" echo -e "${GREEN}OK!${NC}"
# If port did not bind, just exit the script. # If port did not bind, just exit the script.
# This script will exit in 2 months, since the port will expire. # This script will exit in 2 months, since the port will expire.
export bind_port_response export bind_port_response
if [ "$(echo "$bind_port_response" | jq -r '.status')" != "OK" ]; then if [ "$(echo "$bind_port_response" | jq -r '.status')" != "OK" ]; then
echo "The API did not return OK when trying to bind port. Exiting." echo -e "${RED}The API did not return OK when trying to bind port... Exiting."
exit 1 exit 1
fi fi
echo Port $port refreshed on $(date). \ echo -e Forwarded port'\t'${GREEN}$port${NC}
This port will expire on $(date --date="$expires_at") echo -e Refreshed on'\t'${GREEN}$(date)${NC}
echo -e Expires on'\t'${RED}$(date --date="$expires_at")${NC}
# sleep 15 minutes # sleep 15 minutes
sleep 900 sleep 900
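Review bot: `echo -e "${GREEN}OK!${NC}"` is printed straight after the `bindPort` curl and before `jq -r '.status'` is checked, so a failed bind shows `OK!` followed by the red error; move the OK below the status check, and close the colour in that error line, which opens `${RED}` but never emits `${NC}`, so the terminal stays red after `exit 1`. As in the signature hunk, the removed `echo "$bind_port_response"` was the only diagnostic on failure; print it in the failure branch.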


@ -1,5 +1,4 @@
#!/bin/bash #!/bin/bash
# Copyright (C) 2020 Private Internet Access, Inc. # Copyright (C) 2020 Private Internet Access, Inc.
# #
# Permission is hereby granted, free of charge, to any person obtaining a copy # Permission is hereby granted, free of charge, to any person obtaining a copy
@ -20,139 +19,376 @@
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE. # SOFTWARE.
# Check if terminal allows output, if yes, define colors for output
if test -t 1; then
ncolors=$(tput colors)
if test -n "$ncolors" && test $ncolors -ge 8; then
GREEN='\033[0;32m'
RED='\033[0;31m'
NC='\033[0m' # No Color
else
GREEN=''
RED=''
NC='' # No Color
fi
fi
# Variables to use for validating input
intCheck='^[0-9]+$'
floatCheck='^[0-9]+([.][0-9]+)?$'
# Only allow script to run as # Only allow script to run as
if [ "$(whoami)" != "root" ]; then if [ "$(whoami)" != "root" ]; then
echo "This script needs to be run as root. Try again with 'sudo $0'" echo -e "${RED}This script needs to be run as root. Try again with 'sudo $0'${NC}"
exit 1 exit 1
fi fi
echo # Erase previous authentication token if present
echo -n "PIA username (pNNNNNNN): " rm -f /opt/piavpn-manual/token /opt/piavpn-manual/latencyList
read PIA_USER
if [ -z "$PIA_USER" ]; then # Retry login if no token is generated
echo Username is required, aborting. while :; do
exit 1 while :; do
fi # Check for in-line definition of $PIA_USER
echo if [[ ! $PIA_USER || $PIA_USER = "" ]]; then
export PIA_USER echo
read -p "PIA username (p#######): " PIA_USER
fi
echo -n "PIA password: " # Confirm format of PIA_USER input
read -s PIA_PASS unPrefix=$( echo ${PIA_USER:0:1} )
echo unSuffix=$( echo ${PIA_USER:1} )
if [[ -z "$PIA_USER" ]]; then
echo -e "${RED}You must provide input.${NC}"
elif [[ ${#PIA_USER} != 8 ]]; then
echo -e "${RED}A PIA username is always 8 characters long.${NC}"
elif [[ $unPrefix != "P" ]] && [[ $unPrefix != "p" ]]; then
echo -e "${RED}A PIA username must start with \"p\".${NC}"
elif ! [[ $unSuffix =~ $intCheck ]]; then
echo -e "${RED}Username formatting is always p#######!${NC}"
else
echo -e "\n${GREEN}PIA_USER=$PIA_USER${NC}"
break
fi
PIA_USER=""
done
export PIA_USER
if [ -z "$PIA_PASS" ]; then while :; do
echo Password is required, aborting. # Check for in-line definition of $PIA_PASS
exit 1 if [[ ! $PIA_PASS || $PIA_PASS = "" ]]; then
fi echo
echo echo -n "PIA password: "
export PIA_PASS read -rs PIA_PASS
echo
fi
# This section asks for user connection preferences # Confirm format of PIA_PASS input
# this is hard coded for now, but will become an input if [[ -z "$PIA_PASS" ]]; then
# variable in the future. echo -e "\n${RED}You must provide input.${NC}"
echo -n "Connection method ([W]ireguard/[o]penvpn): " elif [[ ${#PIA_PASS} -lt 8 ]]; then
read connection_method echo -e "\n${RED}A PIA password is always a minimum of 8 characters long.${NC}"
echo else
echo -e "\n${GREEN}PIA_PASS input received.${NC}"
echo
break
fi
PIA_PASS=""
done
export PIA_PASS
PIA_AUTOCONNECT="wireguard" # Confirm credentials and generate token
if echo ${connection_method:0:1} | grep -iq o; then ./get_token.sh
echo -n "Connection method ([U]dp/[t]cp): "
read protocolInput
echo
protocol="udp" tokenLocation="/opt/piavpn-manual/token"
if echo ${protocolInput:0:1} | grep -iq t; then # If the script failed to generate an authentication token, the script will exit early.
protocol="tcp" if [ ! -f "$tokenLocation" ]; then
read -p "Do you want to try again ([N]o/[y]es): " tryAgain
if ! echo ${tryAgain:0:1} | grep -iq y; then
exit 1
fi
PIA_USER=""
PIA_PASS=""
else
PIA_TOKEN=$( awk 'NR == 1' /opt/piavpn-manual/token )
export PIA_TOKEN
rm -f /opt/piavpn-manual/token
break
fi fi
done
echo "Higher levels of encryption trade performance for security. " # Check for in-line definition of PIA_PF and prompt for input
echo -n "Do you want to use strong encryption ([N]o/[y]es): " if [[ ! $PIA_PF || $PIA_PF = "" ]]; then
read strongEncryption echo -n "Do you want a forwarding port assigned ([N]o/[y]es): "
read portForwarding
echo echo
if echo ${portForwarding:0:1} | grep -iq y; then
encryption="standard" PIA_PF="true"
if echo ${strongEncryption:0:1} | grep -iq y; then
encryption="strong"
fi fi
PIA_AUTOCONNECT="openvpn_${protocol}_${encryption}"
fi fi
export PIA_AUTOCONNECT if [[ $PIA_PF != "true" ]]; then
echo PIA_AUTOCONNECT=$PIA_AUTOCONNECT" PIA_PF="false"
fi
export PIA_PF
echo -e ${GREEN}PIA_PF=$PIA_PF${NC}
echo
# Check for in-line definition of DISABLE_IPV6 and prompt for input
if [[ ! $DISABLE_IPV6 || $DISABLE_IPV6 = "" ]]; then
echo "Having active IPv6 connections might compromise security by allowing"
echo "split tunnel connections that run outside the VPN tunnel."
echo -n "Do you want to disable IPv6? (Y/n): "
read DISABLE_IPV6
echo
fi
if echo ${DISABLE_IPV6:0:1} | grep -iq n; then
echo -e ${RED}"IPv6 settings have not been altered.
"${NC}
else
echo -e "The variable ${GREEN}DISABLE_IPV6=$DISABLE_IPV6${NC}, does not start with 'n' for 'no'.
${GREEN}Defaulting to yes.${NC}
" "
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1
echo
echo -e "${RED}IPv6 has been disabled${NC}, you can ${GREEN}enable it again with: "
echo "sysctl -w net.ipv6.conf.all.disable_ipv6=0"
echo "sysctl -w net.ipv6.conf.default.disable_ipv6=0"
echo -e ${NC}
fi
# Check for the required presence of resolvconf for setting DNS on wireguard connections. # Input validation and check for conflicting declartions of AUTOCONNECT and PREFERRED_REGION
# If both variables are set, AUTOCONNECT has superiority and PREFERRED_REGION is ignored
if [[ ! $AUTOCONNECT ]]; then
echo AUTOCONNECT was not declared.
echo
selectServer="ask"
elif echo ${AUTOCONNECT:0:1} | grep -iq f; then
if [[ $AUTOCONNECT != "false" ]]; then
echo -e "The variable ${GREEN}AUTOCONNECT=$AUTOCONNECT${NC}, starts with 'f' for 'false'."
AUTOCONNECT="false"
echo -e "Updated ${GREEN}AUTOCONNECT=$AUTOCONNECT${NC}"
echo
fi
selectServer="yes"
else
if [[ $AUTOCONNECT != "true" ]]; then
echo -e "The variable ${GREEN}AUTOCONNECT=$AUTOCONNECT${NC}, does not start with 'f' for 'false'."
AUTOCONNECT="true"
echo -e "Updated ${GREEN}AUTOCONNECT=$AUTOCONNECT${NC}"
echo
fi
if [[ ! $PREFERRED_REGION ]]; then
echo -e "${GREEN}AUTOCONNECT=true${NC}"
echo
else
echo
echo AUTOCONNECT supercedes in-line definitions of PREFERRED_REGION.
echo -e "${RED}PREFERRED_REGION=$PREFERRED_REGION will be ignored.${NC}
"
PREFERRED_REGION=""
fi
selectServer="no"
fi
# Prompt the user to specify a server or auto-connect to the lowest latency
while :; do
if [[ ! $PREFERRED_REGION || $PREFERRED_REGION = "" ]]; then
# If autoconnect is not set, prompt the user to specify a server or auto-connect to the lowest latency
if [[ $selectServer = "ask" ]]; then
echo -n "Do you want to manually select a server, instead of auto-connecting to the
server with the lowest latency ([N]o/[y]es): "
read selectServer
echo
fi
# Call the region script with input to create an ordered list based upon latency
# When $PREFERRED_REGION is set to none, get_region.sh will generate a list of servers
# that meet the latency requirements speciied by $MAX_LATENCY.
# When $VPN_PROTOCOL is set to no, get_region.sh will sort that list of servers
# to allow for numeric selection, or an easy manual review of options.
if echo ${selectServer:0:1} | grep -iq y; then
# This sets the maximum allowed latency in seconds.
# All servers that respond slower than this will be ignored.
if [[ ! $MAX_LATENCY || $MAX_LATENCY = "" ]]; then
echo -n "With no input, the maximum allowed latency will be set to 0.05s (50ms).
If your connection has high latency, you may need to increase this value.
For example, you can try 0.2 for 200ms allowed latency.
"
else
latencyInput=$MAX_LATENCY
fi
# Assure that input is numeric and properly formatted.
MAX_LATENCY=0.05 # default
while :; do
if [[ ! $latencyInput || $latencyInput = "" ]]; then
read -p "Custom latency (no input required for 50ms): " latencyInput
echo
fi
customLatency=0
customLatency+=$latencyInput
if [[ -z "$latencyInput" ]]; then
break
elif [[ $latencyInput = 0 ]]; then
echo -e ${RED}Latency input must not be zero.${NC}
elif ! [[ $customLatency =~ $floatCheck ]]; then
echo -e ${RED}Latency input must be numeric.${NC}
elif [[ $latencyInput =~ $intCheck ]]; then
MAX_LATENCY=$latencyInput
break
else
MAX_LATENCY=$customLatency
break
fi
latencyInput=""
done
export MAX_LATENCY
echo -e "${GREEN}MAX_LATENCY=$MAX_LATENCY${NC}"
PREFERRED_REGION="none"
export PREFERRED_REGION
VPN_PROTOCOL="no"
export VPN_PROTOCOL
VPN_PROTOCOL=no ./get_region.sh
if [ -s /opt/piavpn-manual/latencyList ]; then
# Output the ordered list of servers that meet the latency specification $MAX_LATENCY
echo -e "Orderd list of servers with latency less than ${GREEN}$MAX_LATENCY${NC} seconds:"
i=0
while read line; do
i=$((i+1))
time=$( awk 'NR == '$i' {print $1}' /opt/piavpn-manual/latencyList )
id=$( awk 'NR == '$i' {print $2}' /opt/piavpn-manual/latencyList )
ip=$( awk 'NR == '$i' {print $3}' /opt/piavpn-manual/latencyList )
location1=$( awk 'NR == '$i' {print $4}' /opt/piavpn-manual/latencyList )
location2=$( awk 'NR == '$i' {print $5}' /opt/piavpn-manual/latencyList )
location3=$( awk 'NR == '$i' {print $6}' /opt/piavpn-manual/latencyList )
location4=$( awk 'NR == '$i' {print $7}' /opt/piavpn-manual/latencyList )
location=$location1" "$location2" "$location3" "$location4
printf "%3s : %-8s %-15s %17s" $i $time $ip $id
echo " - "$location
done < /opt/piavpn-manual/latencyList
echo
# Receive input to specify the server to connect to manually
while :; do
read -p "Input the number of the server you want to connect to ([1]-[$i]) : " serverSelection
if [[ -z "$serverSelection" ]]; then
echo -e "${RED}You must provide input.${NC}"
elif ! [[ $serverSelection =~ $intCheck ]]; then
echo -e "${RED}You must enter a number.${NC}"
elif [[ $serverSelection -lt 1 ]]; then
echo -e "${RED}You must enter a number greater than 1.${NC}"
elif [[ $serverSelection -gt $i ]]; then
echo -e "${RED}You must enter a number between 1 and $i.${NC}"
else
PREFERRED_REGION=$( awk 'NR == '$serverSelection' {print $2}' /opt/piavpn-manual/latencyList )
echo
echo -e ${GREEN}PREFERRED_REGION=$PREFERRED_REGION${NC}
break
fi
done
# Write the serverID for use when connecting, and display the serverName for user confirmation
export PREFERRED_REGION
echo
break
else
exit 1
fi
else
echo -e ${GREEN}You will auto-connect to the server with the lowest latency.${NC}
echo
break
fi
else
# Validate in-line declaration of PREFERRED_REGION; if invalid remove input to initiate prompts
echo Region input is : $PREFERRED_REGION
export PREFERRED_REGION
VPN_PROTOCOL=no ./get_region.sh
if [[ $? != 1 ]]; then
break
fi
PREFERRED_REGION=""
fi
done
if [[ ! $VPN_PROTOCOL ]]; then
VPN_PROTOCOL="none"
fi
# This section asks for user connection preferences
case $VPN_PROTOCOL in
openvpn)
VPN_PROTOCOL="openvpn_udp_standard"
;;
wireguard | openvpn_udp_standard | openvpn_udp_strong | openvpn_tcp_standard | openvpn_tcp_strong)
;;
none | *)
echo -n "Connection method ([W]ireguard/[o]penvpn): "
read connection_method
echo
VPN_PROTOCOL="wireguard"
if echo ${connection_method:0:1} | grep -iq o; then
echo -n "Connection method ([U]dp/[t]cp): "
read protocolInput
echo
protocol="udp"
if echo ${protocolInput:0:1} | grep -iq t; then
protocol="tcp"
fi
echo "Higher levels of encryption trade performance for security. "
echo -n "Do you want to use strong encryption ([N]o/[y]es): "
read strongEncryption
echo
encryption="standard"
if echo ${strongEncryption:0:1} | grep -iq y; then
encryption="strong"
fi
VPN_PROTOCOL="openvpn_${protocol}_${encryption}"
fi
;;
esac
export VPN_PROTOCOL
echo -e ${GREEN}VPN_PROTOCOL=$VPN_PROTOCOL"
${NC}"
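Review bot: the in-line validation at `VPN_PROTOCOL=no ./get_region.sh` / `if [[ $? != 1 ]]; then break` accepts every exit status other than 1 as a valid region, so a missing or non-executable get_region.sh (status 126/127) or any other failure would break out of the loop with an unverified PREFERRED_REGION; test for success instead, e.g. `if VPN_PROTOCOL=no ./get_region.sh; then break; fi`. In the prompt loop, `[[ $serverSelection -lt 1 ]]` correctly accepts 1, but the message "You must enter a number greater than 1." contradicts that; "at least 1" matches the check. `none | *)` in the case statement is redundant, since `*` already matches "none". The `echo -e ${GREEN}VPN_PROTOCOL=$VPN_PROTOCOL"` line opens a quote that closes on the next line with `${NC}"` and leaves `${GREEN}` unquoted; `echo -e "${GREEN}VPN_PROTOCOL=$VPN_PROTOCOL${NC}"` followed by a bare `echo` is the form used elsewhere in this file. Minor: `awk -v n="$serverSelection" 'NR == n {print $2}'` avoids splicing a shell value into the awk program, even though the value is integer-checked here.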
# Check for the required presence of resolvconf for setting DNS on wireguard connections
setDNS="yes" setDNS="yes"
if ! command -v resolvconf &>/dev/null && [ "$PIA_AUTOCONNECT" == wireguard ]; then if ! command -v resolvconf &>/dev/null && [ "$VPN_PROTOCOL" == wireguard ]; then
echo The resolvconf package could not be found. echo -e ${RED}The resolvconf package could not be found.
echo This script can not set DNS for you and you will echo This script can not set DNS for you and you will
echo need to invoke DNS protection some other way. echo -e need to invoke DNS protection some other way.${NC}
echo echo
setDNS="no" setDNS="no"
fi fi
if [ "$setDNS" != no ]; then # Check for in-line definition of PIA_DNS and prompt for input
echo Using third party DNS could allow DNS monitoring. if [[ $setDNS = "yes" ]]; then
echo -n "Do you want to force PIA DNS ([Y]es/[n]o): " if [[ ! $PIA_DNS || $PIA_DNS = "" ]]; then
read setDNS echo Using third party DNS could allow DNS monitoring.
echo echo -n "Do you want to force PIA DNS ([Y]es/[n]o): "
fi read setDNS
echo
PIA_DNS="true" PIA_DNS="true"
if echo ${setDNS:0:1} | grep -iq n; then if echo ${setDNS:0:1} | grep -iq n; then
PIA_DNS="false"
fi
fi
elif [[ $PIA_DNS != "true" || $setDNS = "no" ]];then
PIA_DNS="false" PIA_DNS="false"
fi fi
export PIA_DNS export PIA_DNS
echo PIA_DNS=$PIA_DNS" echo -e "${GREEN}PIA_DNS=$PIA_DNS${NC}"
"
echo -n "Do you want a forwarding port assigned ([N]o/[y]es): " CONNECTION_READY="true"
read portForwarding export CONNECTION_READY
echo
PIA_PF="false" ./get_region.sh
if echo ${portForwarding:0:1} | grep -iq y; then
PIA_PF="true"
fi
export PIA_PF
echo PIA_PF=$PIA_PF
# Set this to the maximum allowed latency in seconds.
# All servers that respond slower than this will be ignored.
echo -n "
With no input, the maximum allowed latency will be set to 0.05s (50ms).
If your connection has high latency, you may need to increase this value.
For example, you can try 0.2 for 200ms allowed latency.
Custom latency (no input required for 50ms): "
read customLatency
echo
MAX_LATENCY=0.05
if [[ $customLatency != "" ]]; then
MAX_LATENCY=$customLatency
fi
export MAX_LATENCY
echo "MAX_LATENCY=\"$MAX_LATENCY\"
"
echo "Having active IPv6 connections might compromise security by allowing"
echo "split tunnel connections that run outside the VPN tunnel."
echo -n "Do you want to disable IPv6? (Y/n): "
read disable_IPv6
echo
if echo ${disable_IPv6:0:1} | grep -iq n; then
echo "IPv6 settings have not been altered.
"
else
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1
echo
echo "IPv6 has been disabled, you can enable it again with: "
echo "sysctl -w net.ipv6.conf.all.disable_ipv6=0"
echo "sysctl -w net.ipv6.conf.default.disable_ipv6=0
"
fi
./get_region_and_token.sh
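Review bot: `setDNS` is used both as the resolvconf-availability flag ("yes"/"no") and as the buffer for the user's answer (`read setDNS`), so by the time `elif [[ $PIA_DNS != "true" || $setDNS = "no" ]]` runs the variable may hold whatever the user typed rather than the flag; read the answer into its own variable (e.g. `forceDNS`) and keep `setDNS` for the flag so the two conditions stay independent. `[[ ! $PIA_DNS || $PIA_DNS = "" ]]` tests the same thing twice; `[[ -z "$PIA_DNS" ]]` is enough. The port-forwarding, MAX_LATENCY and IPv6 prompts are removed from this position and the script now ends with `export CONNECTION_READY` and `./get_region.sh`, so it is worth confirming in the unchanged part of the file that PIA_PF and MAX_LATENCY are still set and exported before that call, since this region no longer does so.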