Setting up manual VPN connections to Private Internet Access can be a little confusing. This repo contains a single script to setup a Wireguard connection to PIA quickly.
Usage:
./pia-wg.sh setup - Create configuration files
./pia-wg.sh token - Fetch an auth token with user/password
./pia-wg.sh pf_set - setup port forwarding
./pia-wg.sh pf_clean - clean up portforwarding data
./pia-wg.sh pf_port - last known port forwarding port
- Download
pia-wg.shinto your jail - Run
pia-wg.sh setup. Automatically find the fastest region, exchange wireguard keys and create a wireguard configuration. - Copy
pia.confto/usr/local/etc/wireguard - Start your VPN connection
- Done!
It looks like this:
# check your current IP
> curl icanhazip.com
# fetch the script into your FreeNAS jail
> curl -LO https://raw.githubusercontent.com/mostlygeek/pia-wg/main/pia-wg.sh
> chmod +x pia-wg.sh
# Setup and create configuration files
> ./pia-wg.sh setup
Please enter basic information
PIA Username: pXXXXXXX
PIA Password:
Use portfowarding? [true]: true
Getting the server list... OK!
CA Toronto: 0.006924s
Panama (geo): 0.043789s
#
# two files will be created. .settings.env, pia.conf
> cp pia.conf /usr/local/etc/wireguard/pia.conf
> wg-quick up pia
> curl icanhazip.com
When running pia-wg.sh setup make sure use true when asked about port-forwarding.
PIA port forwarding generally works like this.
- Through an established VPN connection ...
- Call the REST API on the wireguard server to request a port forward
- Keep port forwarding active with a keep alive request at least every 15 minutes
There are three commands to make this easier:
pia-wg.sh pf_setpia-wg.sh pf_cleanpia-wg.sh pf_port
Usage example:
# initial run creates a new .portforward.env
> ./pia-wg.sh pf_set
File: .portforward.env not found. Creating a new one.
- Fetching token from metaserver host ... Success!
- Fetching payload/signature values from 10.44.128.1 ... Success!
- Wrote new .portforward.env
- Binding/Refreshing binding on port:49658 ... Success!
# ./pia-wg.sh pf_set again uses the cached values
# to keep the port forward alive. This can be automated via a cronjob.
> ./pia-wg.sh pf_set
Loading cached settings from .portforward.env
- Binding/Refreshing binding on port:49658 ... Success!
# the last known port can be printed with:
> ./pia-wg.sh pf_port
49658
# it can be used like this ...
> update-something.sh $(./pia-wg.sh pf_port)
The port forwarding allocation expires every two months. This means every few months the configuration needs to be redone. This can be done like this:
# clean up the old settings
> ./pia-wg.sh pf_clean
# set up port forwarding again
> ./pia_wg.sh pf_set
This can be automated with a cronjob that runs ./pia-wg.sh pf_clean every few weeks. On the next run of ./pia-wg.sh pf_set it will automatically create a new configuration file and set the port.
Some of the code in this repo was adapted from PIA's official repo, pia-foss/manual-connections. That code is less FreeBSD specific and organized differently. I wanted a single script file that was easy to fetch and could run without any tweaks.
This project is licensed under the MIT (Expat) license, which can be found here.