How to setup Private Internet Access VPN gateways on Fedora as OpenVPN server



picasso_1.2.13
17th September 2016, 10:54 PM
If you want to use a VPN service like Private Internet Access (PIA), but intend to use it on a headless server rather than a desktop Linux OS, here is how you set it up in Fedora:

First, download the OpenVPN configuration files from PIA:


$ wget -O /tmp/PIA-openvpn.zip https://www.privateinternetaccess.com/openvpn/openvpn.zip

Next, unzip this file into /etc/openvpn:


$ cd /etc/openvpn
$ unzip /tmp/PIA-openvpn.zip

You should see several *.ovpn files and a .pem and .crt file:


# ls -l
total 156
-rw-r-----. 1 root root 297 Aug 29 14:35 AU Melbourne.ovpn
-rw-r-----. 1 root root 287 Aug 29 14:35 AU Sydney.ovpn
-rw-r-----. 1 root root 290 Aug 29 14:35 Brazil.ovpn
-rw-r-----. 1 root root 286 Aug 29 14:35 CA North York.ovpn
-rw-r--r--. 1 root root 2025 Jul 16 07:42 ca.rsa.2048.crt
-rw-r-----. 1 root root 294 Aug 29 14:35 CA Toronto.ovpn
-rw-r--r--. 1 root root 869 Jul 16 07:42 crl.rsa.2048.pem
-rw-r-----. 1 root root 291 Aug 29 14:35 Denmark.ovpn
-rw-r-----. 1 root root 286 Aug 29 14:35 Finland.ovpn
-rw-r-----. 1 root root 290 Aug 29 14:35 France.ovpn
-rw-r-----. 1 root root 291 Aug 29 14:35 Germany.ovpn
-rw-r-----. 1 root root 286 Aug 29 14:35 Hong Kong.ovpn
-rw-r-----. 1 root root 286 Aug 29 14:35 India.ovpn
-rw-r-----. 1 root root 291 Aug 29 14:35 Ireland.ovpn
-rw-r-----. 1 root root 290 Aug 29 14:35 Israel.ovpn
-rw-r-----. 1 root root 289 Aug 29 14:35 Italy.ovpn
-rw-r-----. 1 root root 289 Aug 29 14:35 Japan.ovpn
-rw-r-----. 1 root root 290 Aug 29 14:35 Mexico.ovpn
-rw-r-----. 1 root root 286 Aug 29 14:35 Netherlands.ovpn
-rw-r-----. 1 root root 286 Aug 29 14:35 New Zealand.ovpn
-rw-r-----. 1 root root 286 Aug 29 14:35 Norway.ovpn
-rw-r-----. 1 root root 286 Aug 29 14:35 Romania.ovpn
-rw-r-----. 1 root root 286 Aug 29 14:35 Singapore.ovpn
-rw-r-----. 1 root root 290 Aug 29 14:35 Sweden.ovpn
-rw-r-----. 1 root root 289 Aug 29 14:35 Switzerland.ovpn
-rw-r-----. 1 root root 290 Aug 29 14:35 Turkey.ovpn
-rw-r-----. 1 root root 293 Aug 29 14:35 UK London.ovpn
-rw-r-----. 1 root root 298 Aug 29 14:35 UK Southampton.ovpn
-rw-r-----. 1 root root 297 Aug 29 14:35 US California.ovpn
-rw-r-----. 1 root root 291 Aug 29 14:35 US East.ovpn
-rw-r-----. 1 root root 294 Aug 29 14:35 US Florida.ovpn
-rw-r-----. 1 root root 294 Aug 29 14:35 US Midwest.ovpn
-rw-r-----. 1 root root 298 Aug 29 14:35 US New York City.ovpn
-rw-r-----. 1 root root 294 Aug 29 14:35 US Seattle.ovpn
-rw-r-----. 1 root root 323 Aug 29 14:35 US Silicon Valley.ovpn
-rw-r-----. 1 root root 315 Aug 29 14:35 US Texas.ovpn
-rw-r-----. 1 root root 291 Aug 29 14:35 US West.ovpn

By default, these OpenVPN configuration files are set to use AES-128-CBC and SHA1 for auth on UDP port 1198. I wanted to use AES-256-CBC and SHA256, but simply changing the ‘cipher’ and ‘auth’ setting resulted in a non-forwarding VPN connection. After some searching, I found out that PIA uses a different port if you want to use other encryption ciphers. From PIA’s website:

(source: https://helpdesk.privateinternetaccess.com/hc/en-us/articles/225274288-Which-encryption-auth-settings-should-I-use-for-ports-on-your-gateways-)

So, in order to use the stronger ciphers, we have to also change our port from 1198 to 1197, download the 4096-bit CA certificate, and reconfigure a few settings. We’ll do these steps using sed:

Download the 4096-bit certificate:

$ wget -O /etc/openvpn/ca.rsa.4096.crt \
http://www.privateinternetaccess.com/openvpn/ca.rsa.4096.crt

Edit all the *.ovpn configurations with sed
- replace port 1198 with 1197:

$ sed -i -e s/1198/1197/ /etc/openvpn/*.ovpn
- replace aes-128-cbc with aes-256-cbc:

$ sed -i -e s/aes-128-cbc/aes-256-cbc/ /etc/openvpn/*.ovpn
- replace sha1 with sha256:

$ sed -i -e s/sha1/sha256/ /etc/openvpn/*.ovpn
- reference the 4096-bit certificate instead of the 2048-bit one:

$ sed -i -e 's/ca\.rsa\.2048\.crt/ca.rsa.4096.crt/' /etc/openvpn/*.ovpn

Now, since we’re running this on a server, we don’t intend to have to interact with it. We will need to put our PIA VPN credentials in a file. We’ll put this file in /etc/openvpn/PIA-cred.conf; the format is simple: the 1st line is your username, the 2nd line is your password.

Start by creating a new file with your PIA username, which starts with a “p” followed by 7 digits:



$ echo "p1234567" > /etc/openvpn/PIA-cred.conf

Next, append the password:


$ echo "yourpassword" >> /etc/openvpn/PIA-cred.conf

Because this file has sensitive information, let’s make sure it has the right permissions to protect it:


$ chown root:root /etc/openvpn/PIA-cred.conf
$ chmod 400 /etc/openvpn/PIA-cred.conf

Next, we need the PIA OpenVPN configuration files to use these credentials, so we have to set ‘auth-user-pass’ to reference this file.


$ sed -i -e 's/auth-user-pass.*/auth-user-pass PIA-cred.conf/' /etc/openvpn/*.ovpn

To be more secure, we’ll also tell OpenVPN not to cache the credentials in virtual memory by appending the ‘auth-nocache’ option right after auth-user-pass:


$ sed -i -e '/auth-user-pass PIA-cred.conf/a auth-nocache' /etc/openvpn/*.ovpn

One more thing, if you have SELinux enabled, we should make sure that all the new files have the correct SELinux labels:


$ restorecon -r /etc/openvpn

Finally, before we start the VPN, we will pick a region and symlink it as “PIA.conf”. This will allow us to reference this particular OpenVPN configuration in systemd later. So, let’s say we wanted to use the Mexico.ovpn:


$ ln -s /etc/openvpn/Mexico.ovpn /etc/openvpn/PIA.conf

Now we can finally start the VPN using systemctl:


$ systemctl start openvpn@PIA.service

And to have this VPN start on boot, let’s enable it too:


$ systemctl enable openvpn@PIA.service

If the VPN connected successfully, you should see a tun network interface device (see the “ip link” or “ifconfig” command) and your routing table should have a default gateway pointing to the tun interface (see the “ip route show” command). If you have any problems, I recommend looking at your openvpn logs to see what might have gone wrong.

As a final verification, check your public IP address. You can do this by using ipify or equivalent:


$ curl https://api.ipify.org

Finally, I actually wrote a script that will do all of the above and also set up VPN profiles for NetworkManager. If you're interested in using the script instead of the step-by-step above, you can find it on GitHub: https://github.com/ezonakiusagi/setup-PIA-OpenVPN
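The profile-editing and credential-file steps from the post above, collected into a few shell functions as an added example. This is not the poster's own script (that lives on the GitHub link) and not PIA's code; it assumes a GNU userland (GNU sed and stat), takes the target directory as a parameter instead of hard-coding /etc/openvpn, and works on a constructed sample .ovpn profile with a placeholder gateway hostname so it runs offline. The function names (make_sample_ovpn, harden_ovpn, write_creds, check_ovpn, check_creds, demo) are hypothetical. The one deliberate difference from the post is write_creds: it creates the credentials file under a restrictive umask inside a subshell so the password is never on disk with wider permissions before the chmod 400 runs, and it checks the result.

```shell
#!/bin/sh
# Added example: apply the post's PIA profile edits to every *.ovpn in a
# directory and verify the outcome. Assumes GNU sed/stat (Fedora); all
# function names are hypothetical, not part of the post or PIA's tooling.

# Constructed sample profile in the shape the post describes (AES-128-CBC,
# SHA1, UDP 1198, 2048-bit CA). The remote hostname is a placeholder.
make_sample_ovpn() {
  cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn-gateway.example 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
ca ca.rsa.2048.crt
EOF
}

# The post's sed edits, applied to every profile in $1. The substitutions
# match the post exactly; the append of auth-nocache runs as a second pass,
# as in the post, so it keys off the already-rewritten auth-user-pass line.
harden_ovpn() {
  dir="$1"
  for f in "$dir"/*.ovpn; do
    sed -i -e 's/1198/1197/' \
           -e 's/aes-128-cbc/aes-256-cbc/' \
           -e 's/sha1/sha256/' \
           -e 's/ca\.rsa\.2048\.crt/ca.rsa.4096.crt/' \
           -e 's/auth-user-pass.*/auth-user-pass PIA-cred.conf/' "$f"
    sed -i -e '/^auth-user-pass PIA-cred.conf$/a auth-nocache' "$f"
  done
}

# Write the two-line credentials file ($2 = username, $3 = password) in $1.
# umask 077 in a subshell means the file is born 0600, then tightened to 0400;
# the post's "echo > file; chmod 400" leaves a window where the default umask
# applies. Credentials here are placeholders, not real PIA values.
write_creds() {
  f="$1/PIA-cred.conf"
  ( umask 077; printf '%s\n%s\n' "$2" "$3" > "$f" )
  chmod 400 "$f"
}

# Succeeds only if every setting the post wants is present and none of the
# defaults it replaces survived.
check_ovpn() {
  f="$1"
  grep -q '^remote .* 1197$' "$f" &&
  grep -q '^cipher aes-256-cbc$' "$f" &&
  grep -q '^auth sha256$' "$f" &&
  grep -q '^ca ca\.rsa\.4096\.crt$' "$f" &&
  grep -q '^auth-user-pass PIA-cred.conf$' "$f" &&
  grep -q '^auth-nocache$' "$f" &&
  ! grep -q -e 1198 -e aes-128-cbc -e sha1 "$f"
}

# Credentials file must be mode 0400 and exactly two lines.
check_creds() {
  [ "$(stat -c %a "$1")" = "400" ] && [ "$(wc -l < "$1")" -eq 2 ]
}

# End-to-end run in a scratch directory; prints the directory path.
demo() {
  d=$(mktemp -d)
  make_sample_ovpn "$d/Mexico.ovpn"
  harden_ovpn "$d"
  write_creds "$d" "p0000000" "placeholder-password"
  ln -sf "$d/Mexico.ovpn" "$d/PIA.conf"   # region selection, as in the post
  echo "$d"
}

# Stand-alone usage: sh this-script.sh demo
if [ "${1:-}" = "demo" ]; then
  d=$(demo)
  check_ovpn "$d/PIA.conf" && check_creds "$d/PIA-cred.conf" && echo "ok: $d"
  rm -rf "$d"
fi
```

The relative filename in `auth-user-pass PIA-cred.conf` works with the Fedora `openvpn@.service` unit because that unit starts openvpn with /etc/openvpn as its working directory; if you run openvpn by hand from elsewhere, use the absolute path. Passing the password as a function argument, as demo does, still leaves it in shell history and process listings on a shared host; reading it with `read -r` from a terminal avoids that.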