Skip to main content

Use Private Internet Access (PIA) in DigitalOcean

tags: PrivateInternetAccess, Digital Ocean, VPS, VPN

This runs the PIA VPN using OpenVPN all from the command line.

sudo apt-get install openvpn network-manager-openvpn
Not sure if you need network-manager-openvpn.

sudo wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
Extract. Move ca.crt and crl.pem to /etc/openvpn

Move "Hong Kong.ovpn" to "/etc/openvpn/Hong Kong.config" for example.

Modified the following lines.

auth-user-pass /etc/openvpn/login.conf
route-up /etc/openvpn/route-up.sh

These are the contents of these files.

# cat /etc/openvpn/login.conf
username
password

Replace with your username and password.

# cat route-up.sh 
#!/bin/bash

ip route flush table 100
ip route flush cache
ip rule add from x.x.x.x table 100
ip route add table 100 to y.y.y.y/y dev ethX
ip route add table 100 default via z.z.z.z

Replace x.x.x.x with your public IP address, y.y.y.y/y with your subnet. Compute using http://jodies.de/ipcalc. Hint: Input public IP and netmask, you should get your Network/Subnet.

Permissions of the previous files.

-r-------- 1 root root   20 Jan 11 04:27 login.conf
-rw-r--r-- 1 root root  284 Jan 11 14:51 Hong Kong.conf

You can then run the VPN.

/etc/openvpn# openvpn "Hong Kong.conf"
Sun Jan 11 14:52:20 2015 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec  1 2014
Sun Jan 11 14:52:20 2015 NOTE: starting with OpenVPN 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables
Sun Jan 11 14:52:20 2015 UDPv4 link local: [undef]
Sun Jan 11 14:52:20 2015 UDPv4 link remote: [AF_INET]x.x.x.x:1194
Sun Jan 11 14:52:20 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Jan 11 14:52:21 2015 [Private Internet Access] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
Sun Jan 11 14:52:24 2015 TUN/TAP device tun0 opened
Sun Jan 11 14:52:24 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Jan 11 14:52:24 2015 /sbin/ip link set dev tun0 up mtu 1500
Sun Jan 11 14:52:24 2015 /sbin/ip addr add dev tun0 local y.y.y.y peer z.z.z.z
Sun Jan 11 14:52:24 2015 WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
Sun Jan 11 14:52:24 2015 WARNING: Failed running command (--route-up): external program fork failed
Sun Jan 11 14:52:24 2015 Initialization Sequence Completed

Check out this page how to auto-start.

To be able to port forward.

curl -d "user=USERNAME&pass=PASSWORD&client_id=UNIQUE_CLIENT_ID&local_ip=INTERNAL_IP_FROM_PIA" https://www.privateinternetaccess.com/vpninfo/port_forward_assignment

Replace USERNAME, PASSWORD, UNIQUE_CLIENT_ID, and INTERNAL_IP_FROM_PIA.

UNIQUE_CLIENT_ID you can get using (commands OS X only):

$ head -n 100 /dev/urandom | md5 > ~/.pia_client_id
$ cat ~/.pia_client_id

Internal IP is of the form 10.x.x.x.

curl should reply with something like.

{"port":49845}

You can test using.

wget http://ipecho.net/plain -O - -q ; echo
109.201.152.14

Hints taken from:

https://www.privateinternetaccess.com/forum/discussion/180/port-forwarding-without-the-application-advanced-users

http://serverfault.com/questions/515272/openvpn-bypass-on-some-ports

https://forum.linode.com/viewtopic.php?p=50114&sid=b440414422596bb7dbc96cf7c9ee511f#p50114

http://raspinotes.wordpress.com/2013/06/04/setup-vpn-with-privateinternetaccess-com/comment-page-1/



Labels:

Comments

Post a Comment

Popular posts from this blog

ld: unrecognized option '--hash-style=both'

gcc -Wl,-Map=contiki.map,-export-dynamic testv6.co obj_linux-native/socketdev_listener.o \ contiki-linux-native.a -o testv6.linux-native /usr/local/bin/ld: unrecognized option '--hash-style=both' /usr/local/bin/ld: use the --help option for usage information collect2: ld returned 1 exit status If you look closely, the error is something related to the local gcc not using the host's linker (ld). $ which gcc /usr/bin/gcc $ which ld /usr/local/bin/ld For some reason, I messed my compiler path. To synchronized gcc to use the host's dynamic linker (i.e. /usr/bin/ld ), set the environment variable COMPILER_PATH to /usr/bin . $ export COMPILER_PATH=/usr/bin $ echo $COMPILER_PATH /usr/bin $ gcc -print-prog-name=ld /usr/bin/ld
9 comments
Read more

Zenoss: monitor free VMWare ESXi version

We confirmed that the free ESXi version does not allow SNMP gets, only traps. The original script was taken from here: http://communities.vmware.com/docs/DOC-7170 Modified script: http://mirakulo.com/pub/esxi/check_esx_wbmem.py We added Fan and power supply, hinted from this page: http://www.stephenjc.com/2009/01/whatsup-vmware-esxi-monitor-these.html Use this guide to add the Data source: http://www.zenoss.com/community/docs/howtos/create-modify-nagios-templates Added as template under: /Devices /Server /VMWare /ESXi /Templates /esxi-monitor /check_esx_wbmem Name: check_esx_wbmem Source Type: Command Enable true Use SSH false Component: blank Event class: /VMWare/ESXi Severity: Error Cycle time: 60 Parser: auto Command template: /usr/local/zenoss/python/bin/python /opt/zenoss/libexec/check_esx_wbmem.py https://${dev/manageIp}:5989 root passwd To bind this template to ESXi nodes, go to the device: Example: /Devices /Server /VMWare /ESXi /esxi-01.prod.corp.org then to its temp...
6 comments
Read more

Resetting admin password in IBM System p5 510 Express ASMI

These are the steps in resetting the admin password: 0. Re-route stored static in your body via an ESD wrist strap to a metallic element. 1. Look for the 2 toggle switches and service processor batt. The batt should be in front of the Power Supply 1 and Power Supply 2 (codes: E1 and E2, see Rear Location Codes on the cover plate). The "very tiny" toggle switches should be in the area of P1-C14 slot. I forgot the exact sequence but it should be a combination of the ff. step (2): 2. Remove the battery, toggle the switches to the opposite direction. Allows some time for the caps to discharge. 3. Move back the toggle switches and put back the batt in its place. 4. Assign your PC to Class C subnet (i.e. masked 255.255.255.0 ): IPaddr: 192.168.2.x for HMC1 or IPaddr: 192.168.3.x for HMC2 5. Ping HMC1 or HMC2. Access the web interface using the default address: http://192.168.2.147 (for HMC1) or http://192.168.3.147 (for HMC2) Note: Sometimes you have to force the https protocol: ...
1 comment
Read more