Monday, January 12, 2015

Use Private Internet Access (PIA) in DigitalOcean

tags: PrivateInternetAccess, Digital Ocean, VPS, VPN

This runs the PIA VPN using OpenVPN all from the command line.

sudo apt-get install openvpn network-manager-openvpn
Not sure if you need network-manager-openvpn.

sudo wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
Extract. Move ca.crt and crl.pem to /etc/openvpn

Move "Hong Kong.ovpn" to "/etc/openvpn/Hong Kong.config" for example.

Modified the following lines.

auth-user-pass /etc/openvpn/login.conf
route-up /etc/openvpn/route-up.sh

These are the contents of these files.

# cat /etc/openvpn/login.conf
username
password

Replace with your username and password.

# cat route-up.sh 
#!/bin/bash

ip route flush table 100
ip route flush cache
ip rule add from x.x.x.x table 100
ip route add table 100 to y.y.y.y/y dev ethX
ip route add table 100 default via z.z.z.z

Replace x.x.x.x with your public IP address, y.y.y.y/y with your subnet. Compute using http://jodies.de/ipcalc. Hint: Input public IP and netmask, you should get your Network/Subnet.

Permissions of the previous files.

-r-------- 1 root root   20 Jan 11 04:27 login.conf
-rw-r--r-- 1 root root  284 Jan 11 14:51 Hong Kong.conf

You can then run the VPN.

/etc/openvpn# openvpn "Hong Kong.conf"
Sun Jan 11 14:52:20 2015 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec  1 2014
Sun Jan 11 14:52:20 2015 NOTE: starting with OpenVPN 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables
Sun Jan 11 14:52:20 2015 UDPv4 link local: [undef]
Sun Jan 11 14:52:20 2015 UDPv4 link remote: [AF_INET]x.x.x.x:1194
Sun Jan 11 14:52:20 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Jan 11 14:52:21 2015 [Private Internet Access] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
Sun Jan 11 14:52:24 2015 TUN/TAP device tun0 opened
Sun Jan 11 14:52:24 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Jan 11 14:52:24 2015 /sbin/ip link set dev tun0 up mtu 1500
Sun Jan 11 14:52:24 2015 /sbin/ip addr add dev tun0 local y.y.y.y peer z.z.z.z
Sun Jan 11 14:52:24 2015 WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
Sun Jan 11 14:52:24 2015 WARNING: Failed running command (--route-up): external program fork failed
Sun Jan 11 14:52:24 2015 Initialization Sequence Completed

Check out this page how to auto-start.

To be able to port forward.

curl -d "user=USERNAME&pass=PASSWORD&client_id=UNIQUE_CLIENT_ID&local_ip=INTERNAL_IP_FROM_PIA" https://www.privateinternetaccess.com/vpninfo/port_forward_assignment

Replace USERNAME, PASSWORD, UNIQUE_CLIENT_ID, and INTERNAL_IP_FROM_PIA.

UNIQUE_CLIENT_ID you can get using (commands OS X only):

$ head -n 100 /dev/urandom | md5 > ~/.pia_client_id
$ cat ~/.pia_client_id

Internal IP is of the form 10.x.x.x.

curl should reply with something like.

{"port":49845}

You can test using.

wget http://ipecho.net/plain -O - -q ; echo
109.201.152.14

Hints taken from:

https://www.privateinternetaccess.com/forum/discussion/180/port-forwarding-without-the-application-advanced-users

http://serverfault.com/questions/515272/openvpn-bypass-on-some-ports

https://forum.linode.com/viewtopic.php?p=50114&sid=b440414422596bb7dbc96cf7c9ee511f#p50114

http://raspinotes.wordpress.com/2013/06/04/setup-vpn-with-privateinternetaccess-com/comment-page-1/