Oct 032016

I have already written about getting Private Internet Access running on Linux Mint back in 2013. It was for then current version 16 and it still works. However, there are some possible improvements to be made.

As OpenVPN client is installed by default these days, we only need to download PIA’s OpenVPN configuration files. More careful ones will notice these files are slightly different than recommended default. These have VPN server IP instead of DNS name. While this might cause long term issues if that IP ever changes, it does help a lot with firewall setup as we won’t need to poke a hole for DNS over our eth0 adapter.

From downloaded archive select .ovpn file with desired destination (usually going with one closest to you gives the best results) and also get both .crt and .pem file. Copy them all to your desktop and we’ll use them later for setup. Yes, you can use any other directory too – this is just one I prefer.

With this done we can go into configuring VPN from Terminal window:

# sudo mv ~/Desktop/*.crt /etc/openvpn/
# sudo mv ~/Desktop/*.pem /etc/openvpn/
# sudo mv ~/Desktop/*.ovpn /etc/openvpn/client.conf

# sudo sed -i "s*ca *ca /etc/openvpn/*" /etc/openvpn/client.conf
# sudo sed -i "s*crl-verify *crl-verify /etc/openvpn/*" /etc/openvpn/client.conf

# sudo echo "auth-user-pass /etc/openvpn/client.login" >> /etc/openvpn/client.conf
# sudo echo "mssfix 1400" >> /etc/openvpn/client.conf
# sudo echo "dhcp-option DNS" >> /etc/openvpn/client.conf
# sudo echo "dhcp-option DNS" >> /etc/openvpn/client.conf

#  echo "username" | sudo tee -a /etc/openvpn/client.login
#  echo 'password' | sudo tee -a /etc/openvpn/client.login

# sudo chmod 500 /etc/openvpn/client.login

Now we can test our VPN connection:

# sudo openvpn --config /etc/openvpn/client.conf

Assuming that this last step ended with Initialization Sequence Completed, we just need to verify whether this connection is actually used and I’ve found whatismyipaddress.com quite helpful here. Just check if IP detected there is different then IP you usually get without VPN.

Stop the test connection using Ctrl+C so we can configure automatic startup and test it.

# echo "AUTOSTART=all" | sudo tee -a /etc/default/openvpn
# sudo reboot

Lastly you can think about firewall and disabling default interface when VPN is not active. This means allowing traffic only on tun0 interface (VPN) and allowing only port 1198 (it used to be 1194).

# sudo ufw reset
# sudo ufw default deny incoming
# sudo ufw default deny outgoing
# sudo ufw allow out on tun0
# sudo ufw allow out 1198/udp
# sudo ufw enable

Assuming all went well, VPN should be happily running.

PS: For nitpickers, you can actually make firewall for VPN a bit more strict. This assumes is address of your VPN destination (check in client.conf under remote) and that your network interface is eth0 (check with ip addr).

# sudo ufw reset
# sudo ufw default deny incoming
# sudo ufw default deny outgoing
# sudo ufw allow out on tun0
# sudo ufw allow out on eth0 proto udp to port 1198
# sudo ufw enable

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>