Kevin Boone

Using Private Internet Access VPN with Gentoo Linux

This is a short note about how to connect to the PIA VPN from a Gentoo Linux system. It’s not that difficult, but there’s no built-in support, either from Gentoo or from PIA. In fact, the PIA proprietary software installer warns that the host isn’t compatible. Still, the proprietary installer does work, with a bit of fiddling.

Alternatively, you can just use OpenVPN.

Using PIA’s proprietary software

I should point out that I’m running a systemd-free Gentoo with OpenRC as the service manager – I’m not sure whether the PIA installer is more friendly to an installation with systemd. Probably it is, frankly – most things are these days.

PIA supplies an installer for Linux in the form of a self-extracting binary with a name like pia-linux-xxx.run. The installer won’t allow itself to be run as root: it will expect to be able to run sudo to get root permissions. It installs in /opt, and it seems generally well-behaved; that is, it doesn’t appear to spray files all over the disk as some binary installers do.

What it does do, however, is attempt to install start-up scripts in /etc/init.d. These won’t work, because they refer to the wrong installation locations. It’s not difficult to create an init script for OpenRC, however.

The PIA software has a client-server architecture. There’s a service daemon, pia-daemon, which would normally get started at boot time. Then there are a couple of clients that talk to that daemon. The graphical client – the part you see if you hit the ‘PIA’ icon in your Linux desktop – is an application called pia-client.

I found that neither part would start immediately after installation. It’s worth running both the daemon and the client from a console, so you can see the error messages. The obvious one was:

Error while loading shared libraries: libgssapi_krb5.so.2...:   

The library it’s complaining about wasn’t part of my Gentoo install, and I get the impression that it usually won’t be. It’s easy enough to install, though:

# emerge app-crypt/mit-krb5

With that done, I was able to start pia-daemon and pia-client in a console, and connect to the VPN using the graphical application.

Of course, I’d rather have the daemon start at boot time, although it does take a few seconds to start, and then just use the graphical client to manage my VPN connection. That means creating an init script for OpenRC, although first I had to remove the defective /etc/init.d/pia and /etc/init.d/pia-daemon.

My OpenRC init script is below – this just goes in /etc/init.d/pia. I’m no expert on OpenRC, so it’s possible I’ve got something wrong; but this configuration seems to work for me.

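#!/sbin/openrc-run

name="PIA daemon"
description="PIA daemon"
# Daemon binary installed under /opt by the PIA installer
command=/opt/piavpn/bin/pia-daemon
# Let OpenRC put the daemon in the background and record its PID
command_background=yes
pidfile=/run/pia-daemon.pid

# Start only after the network is up
depend() 
  {
  need net
  }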

I’ve put need net as a dependency to ensure that the network is basically up before starting the daemon. Again, I’m not sure that’s the textbook approach, but it works for me.

To make the daemon start at boot:

# rc-update add pia default

The PIA installer created a .desktop file for the client, so it shows up as a menu item in the desktop menu, or you can just run pia-client from a command line.

Using OpenVPN

The use of OpenVPN is described in the Gentoo documentation, but I think there’s an easier way. Whichever way you do it, you’ll need to install OpenVPN:

# emerge --ask openvpn

Doing this creates a service called openvpn that you can start and stop using rc-service. However, you’ll need at least one configuration file. By default, OpenVPN reads /etc/openvpn/openvpn.conf.

The Gentoo documentation explains how to create this file manually. However, the OpenVPN website can create it for you. If you log into your account, and hunt around a bit (it’s not obvious where to look), you’ll see a link to “OpenVPN configuration generator”. Currently, it’s right at the bottom of the ‘Downloads’ page in small print. From here you’ll be able to select the VPN endpoint you want to connect to, the OpenVPN version, and the client platform. You must also select the TLS parameters to use. So far as I know they will all work; they just have different security implications. There’s nothing on the website to help you choose between them – PIA presumes, I guess, that if you’re setting up OpenVPN yourself, you’ll know what will suit your needs best.

The configuration page will generate a .ovpn file that you can use as openvpn.conf. You can have as many of these files as you want, if you need to connect to different endpoints. However, you’ll need to come up with some way to switch between them.

I found that I had problems with IPv6 routing with the auto-generated configuration. Since I have little need for IPv6 at present, I turned IPv6 support off in openvpn.conf, rather than spending a day troubleshooting. These are the additions I made:

pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"

Starting the VPN connection amounts to running

# rc-service openvpn start

This will prompt you for your PIA credentials. If you prefer, you can put your credentials in a file, and link them using auth-user-pass in openvpn.conf. You’ll need to be a bit careful with this approach, of course, for the obvious reasons.
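A check for the credentials-file approach, as an added example (not from the original post): it finds the file named by auth-user-pass and rejects it if group or others can access it. The function name check_auth_file, and the rule that a relative path is resolved against the config file's directory, are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the credentials file referenced by auth-user-pass.
# check_auth_file CONF  -> returns 0 if safe (or no file is used), 1 otherwise.
check_auth_file() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }

    # First uncommented "auth-user-pass [file]" directive, if any.
    cred=$(awk '$1 == "auth-user-pass" { print $2; exit }' "$conf")
    if [ -z "$cred" ]; then
        echo "no credentials file configured; OpenVPN will prompt"
        return 0
    fi

    # Assumption: a relative path is resolved against the config's directory.
    case $cred in
        /*) ;;
        *) cred=$(dirname -- "$conf")/$cred ;;
    esac

    [ -f "$cred" ] && [ ! -L "$cred" ] || {
        echo "$cred: missing, or not a regular file" >&2; return 1; }

    # Characters 5-10 of the ls mode string are the group and other bits.
    bits=$(ls -ld -- "$cred" | cut -c5-10)
    if [ "$bits" != "------" ]; then
        echo "$cred: accessible by group/others; run: chmod 600 $cred" >&2
        return 1
    fi

    # The file holds the username on line 1 and the password on line 2.
    lines=$(grep -c . "$cred" || true)
    [ "$lines" -eq 2 ] || {
        echo "$cred: expected 2 non-empty lines, found $lines" >&2; return 1; }

    echo "$cred: OK"
}

# Usage: sh check-auth.sh /etc/openvpn/openvpn.conf
if [ $# -gt 0 ]; then
    check_auth_file "$1"
fi
```
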

Although you can have the OpenVPN service start at boot time, there’s perhaps no need to do so, unless you actually want the VPN active all the time. I find it easier just to start and stop from a command line.

There is a bit of a gotcha here: I find that the OpenVPN service always starts with a warning message:

OpenVPN: service started, but is inactive

I see that warning whether the connection is working or not. When everything is set up correctly, the connection does get made, despite the warning. In the early stages of set-up, it’s certainly worth checking that you really do have a VPN connection. If it’s working, ifconfig will show a tun0 interface, with an IP number. If it doesn’t connect, you’ll have to look in the system log to see why.
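An added example, not part of the original post, that turns the tun0 check into a script and also covers the pull-filter change above: with the pushed IPv6 settings ignored, a global IPv6 address on any other interface carries traffic outside the tunnel. The names vpn_status and sample_ip_output are made up here, and the sample is constructed, abridged `ip -o addr show` output.

```shell
#!/bin/sh
# Added example: read `ip -o addr show` output on stdin and report
#   0 = tunnel has an IPv4 address and no global IPv6 exists elsewhere
#   1 = tunnel interface has no IPv4 address (not connected)
#   2 = tunnel is up, but another interface holds a global IPv6 address
vpn_status() {
    awk -v tun="${1:-tun0}" '
        # Fields: index, interface, family, address, ..., "scope", value
        { scope = ""
          for (i = 5; i < NF; i++) if ($i == "scope") scope = $(i + 1) }
        $2 == tun && $3 == "inet" { v4 = $4 }
        $2 != tun && $3 == "inet6" && scope == "global" {
            print "IPv6 outside tunnel: " $2 " " $4
            leak = 1
        }
        END {
            if (v4 == "") {
                print tun ": no IPv4 address, check the system log"
                exit 1
            }
            print tun ": up, " v4
            exit (leak ? 2 : 0)
        }'
}

# Constructed sample input (documentation address ranges, trailing
# lifetime fields removed).
sample_ip_output() {
    cat <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo
1: lo    inet6 ::1/128 scope host
2: eth0    inet 192.168.1.20/24 brd 192.168.1.255 scope global dynamic eth0
2: eth0    inet6 2001:db8::1234/64 scope global dynamic
2: eth0    inet6 fe80::1c2d:3eff:fe4f:5a6b/64 scope link
5: tun0    inet 10.8.0.6/24 scope global tun0
EOF
}

# Demonstration on the sample; on a live system use:
#   ip -o addr show | vpn_status tun0
sample_ip_output | vpn_status tun0 || true
```
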

It’s worth bearing in mind that setting up OpenVPN for PIA is not in any way Gentoo-specific. Although OpenVPN is pretty complicated, there’s a huge amount of information available about it.

Which to use?

In my experience, the PIA proprietary software outperforms OpenVPN in almost all respects. Of course, if you have an ideological objection to proprietary software, you won’t want to use it, however good it is. Although PIA doesn’t support Gentoo, their proprietary software isn’t too difficult to install. The fact that the client lets you choose your VPN endpoint from a clickable list, without fiddling about with configuration files and certificates, is a bonus. If you’re running Linux without a graphical desktop, PIA provides a command-line client as well.

OpenVPN is not a particularly easy thing to set up, but it’s a transferable skill. It’s compatible with most VPN services so, provided you can get the connection parameters and certificates, you’ll be able to change VPN providers easily, and even use multiple providers on the same computer. In addition, OpenVPN doesn’t require anything to be started at boot time (although it’s possible). To be fair, the PIA proprietary software doesn’t have to be started at boot time, either, but it usually is.