Using Private Internet Access VPN with Gentoo Linux
This is a short note about how to connect to the PIA VPN from a Gentoo Linux system. It’s not that difficult, but there’s no built-in support, either from Gentoo or from PIA. In fact, the PIA proprietary software installer warns that the host isn’t compatible. Still, the proprietary installer does work, with a bit of fiddling.
Alternatively, you can just use OpenVPN.
Using PIA’s proprietary software
I should point out that I’m running a systemd-free Gentoo with OpenRC as the service manager – I’m not sure whether the PIA installer is more friendly to an installation with systemd. Probably it is, frankly – most things are these days.
PIA supplies an installer for Linux in the form of a self-extracting
binary with a name like pia-linux-xxx.run
. The installer
won’t allow itself to be run as root: it will expect to be able to run
sudo
to get root permissions. It installs in
/opt
, and it seems generally well-behaved; that is, it
doesn’t appear to spray files all over the disk as some binary
installers do.
What it does do, however, is attempt to install start-up scripts in
/etc/init.d
. These won’t work, because they refer to the
wrong installation locations. It’s not difficult to create an init
script for OpenRC, however.
The PIA software has a client-server architecture. There’s a service
daemon, pia-daemon
which would normally get started at boot
time. Then there are a couple of clients that talk to that daemon. The
graphical client – the part you see if you hit the ‘PIA’ icon in your
Linux desktop – is an application called pia-client
.
I found that neither part would start immediately after installation. It’s worth running both the daemon and the client from a console, so you can see the error messages. The obvious one was:
Error while loading shared libraries: libgssapi_krb5.so.2...:
The library it’s complaining about wasn’t part of my Gentoo install, and I get the impression that it usually won’t be. It’s easy enough to install, though:
# emerge app-crypt/mit-krb5
With that done, I was able to start pia-daemon
and
pia-client
in a console, and connect to the VPN using the
graphical application.
Of course, I’d rather have the daemon start at boot time, although it
does take a few seconds to start, and then just use the graphical client
to manage my VPN connection. That means creating an init script for
OpenRC, although first I had to remove the defective
/etc/init.d/pia
and
/etc/init.d/pia-daemon
.
My OpenRC init script is below – this just goes in
/etc/init.d/pia
. I’m not expert on OpenRC, so it’s possible
I’ve got something wrong; but this configuration seems to work for
me.
#!/sbin/openrc-run
name="PIA daemon"
description="PIA daemon"
command=/opt/piavpn/bin/pia-daemon
command_background=yes
pidfile=/run/pia-daemon.pid
depend()
{
need net
}
I’ve put need net
as a dependency to ensure that the
network is basically up before starting the daemon. Again, I’m not sure
that’s the textbook approach, but it works for me.
To make the daemon start at boot:
# rc-update add pia default
The PIA installer created a .desktop
file for the
client, so it shows up as a menu item in the desktop menu. or you can
just run pia-client
from a command line.
Using OpenVPN
The use of OpenVPN is described in the Gentoo documentation, but I think there’s an easier way. Whichever way you do it, you’ll need to install OpenVPN:
emerge --ask openvpn
Doing this creates a service called openvpn
that you can
start and stop using rc-service
. However, you’ll need at
least one configuration file. By default, OpenVPN reads
/etc/openvpn/openvpn.conf
.
The Gentoo documentation explains how to create this file manually. However, the OpenVPN website can create it for you. If you log into your account, and hunt around a bit (it’s not obvious where to look), you’ll see a link to “OpenVPN configuration generator”. Currently, it’s right at the bottom of the ‘Downloads’ page in small print. From here you’ll be able to select the VPN endpoint you want to connect to, the OpenVPN version, and the client platform. You must also select the TLS parameters to use. So far as I know they will all work; they just have different security implications. There’s nothing on the website to help you choose between them – PIA presumes, I guess, that if you’re setting up OpenVPN yourself, you’ll know what will suit your needs best.
The configuration page will generate a .ovpn
file, that
you can use as openvpn.conf
. You can have as many of these
files as you want, if you need to connect to different endpoints.
However, you’ll need to come up with some way to switch between
them.
I found that I had problems with IPv6 routing with the auto-generated
configuration. Since I have little need for IPv6 at present, I turned
IPv6 support off in openvpn.conf
, rather than spending a
day troubleshooting. These are the additions I made:
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
Starting the VPN connection amounts to running
# rc-service openvpn start
This will prompt you for your PIA credentials. If you prefer, you can
put your credentials in a file, and link them using
auth-user-pass
in openvpn.conf
. You’ll need to
be a bit careful with this approach, of course, for the obvious
reasons.
Although you can have the OpenVPN service start at boot time, there’s perhaps no need to do so, unless you actually want the VPN active all the time. I find it easier just to start and stop from a command line.
There is a bit of a gotcha here: I find that the OpenVPN service always starts with a warning message:
OpenVPN: service started, but is inactive
I see that warning whether the connection is working or not. When
everything is set up correctly, the connection does get made, despite
the warning. In the early stages of set-up, it’s certainly worth
checking that you really do have a VPN connection. If it’s working,
ifconfig
will show a tun0
interface, with an
IP number. If it doesn’t connect, you’ll have to look in the system log
to see why.
It’s worth bearing in mind that setting up OpenVPN for PIA is not in any way Gentoo-specific. Although OpenVPN is pretty complicated, there’s a huge amount of information available about it.
Which to use?
In my experience, the PIA proprietary software outperforms OpenVPN in almost all respects. Of course, if you have an ideological objection to proprietary software, you won’t want to use it, however good it is. Although PIA doesn’t support Gentoo, their proprietary software isn’t too difficult to install. The fact that the client lets you choose your VPN endpoint from a clickable list, without fiddling about with configuration files and certificates, is a bonus. If you’re running Linux without a graphical desktop, PIA provides a command-line client as well.
OpenVPN is not a particularly easy thing to set up, but it’s a transferable skill. It’s compatible with most VPN services so, provided you can get the connection parameters and certificates, you’ll be able to change VPN providers easily, and even use multiple providers on the same computer. In addition, OpenVPN doesn’t require anything to be started at boot time (although it’s possible). To be fair, the PIA proprietary software doesn’t have to be started at boot time, either, but it usually is.