If you want to use a VPN service like Private Internet Access (PIA), but intend on using it on a headless server rather than a desktop Linux OS, here is how you set it up in Fedora:

First, download the OpenVPN configuration files from PIA:

Code:
$ wget -O /tmp/PIA-openvpn.zip https://www.privateinternetaccess.com/openvpn/openvpn.zip
Next, unzip this file into /etc/openvpn:

Code:
$ cd /etc/openvpn
$ unzip /tmp/PIA-openvpn.zip
You should see several *.ovpn files and a .pem and .crt file:

Code:
# ls -l
total 156
-rw-r-----. 1 root root  297 Aug 29 14:35 AU Melbourne.ovpn
-rw-r-----. 1 root root  287 Aug 29 14:35 AU Sydney.ovpn
-rw-r-----. 1 root root  290 Aug 29 14:35 Brazil.ovpn
-rw-r-----. 1 root root  286 Aug 29 14:35 CA North York.ovpn
-rw-r--r--. 1 root root 2025 Jul 16 07:42 ca.rsa.2048.crt
-rw-r-----. 1 root root  294 Aug 29 14:35 CA Toronto.ovpn
-rw-r--r--. 1 root root  869 Jul 16 07:42 crl.rsa.2048.pem
-rw-r-----. 1 root root  291 Aug 29 14:35 Denmark.ovpn
-rw-r-----. 1 root root  286 Aug 29 14:35 Finland.ovpn
-rw-r-----. 1 root root  290 Aug 29 14:35 France.ovpn
-rw-r-----. 1 root root  291 Aug 29 14:35 Germany.ovpn
-rw-r-----. 1 root root  286 Aug 29 14:35 Hong Kong.ovpn
-rw-r-----. 1 root root  286 Aug 29 14:35 India.ovpn
-rw-r-----. 1 root root  291 Aug 29 14:35 Ireland.ovpn
-rw-r-----. 1 root root  290 Aug 29 14:35 Israel.ovpn
-rw-r-----. 1 root root  289 Aug 29 14:35 Italy.ovpn
-rw-r-----. 1 root root  289 Aug 29 14:35 Japan.ovpn
-rw-r-----. 1 root root  290 Aug 29 14:35 Mexico.ovpn
-rw-r-----. 1 root root  286 Aug 29 14:35 Netherlands.ovpn
-rw-r-----. 1 root root  286 Aug 29 14:35 New Zealand.ovpn
-rw-r-----. 1 root root  286 Aug 29 14:35 Norway.ovpn
-rw-r-----. 1 root root  286 Aug 29 14:35 Romania.ovpn
-rw-r-----. 1 root root  286 Aug 29 14:35 Singapore.ovpn
-rw-r-----. 1 root root  290 Aug 29 14:35 Sweden.ovpn
-rw-r-----. 1 root root  289 Aug 29 14:35 Switzerland.ovpn
-rw-r-----. 1 root root  290 Aug 29 14:35 Turkey.ovpn
-rw-r-----. 1 root root  293 Aug 29 14:35 UK London.ovpn
-rw-r-----. 1 root root  298 Aug 29 14:35 UK Southampton.ovpn
-rw-r-----. 1 root root  297 Aug 29 14:35 US California.ovpn
-rw-r-----. 1 root root  291 Aug 29 14:35 US East.ovpn
-rw-r-----. 1 root root  294 Aug 29 14:35 US Florida.ovpn
-rw-r-----. 1 root root  294 Aug 29 14:35 US Midwest.ovpn
-rw-r-----. 1 root root  298 Aug 29 14:35 US New York City.ovpn
-rw-r-----. 1 root root  294 Aug 29 14:35 US Seattle.ovpn
-rw-r-----. 1 root root  323 Aug 29 14:35 US Silicon Valley.ovpn
-rw-r-----. 1 root root  315 Aug 29 14:35 US Texas.ovpn
-rw-r-----. 1 root root  291 Aug 29 14:35 US West.ovpn
By default, these OpenVPN configuration files are set to use AES-128-CBC and SHA1 for auth on UDP port 1198. I wanted to use AES-256-CBC and SHA256, but simply changing the ‘cipher’ and ‘auth’ setting resulted in a non-forwarding VPN connection. After some searching, I found out that PIA uses a different port if you want to use other encryption ciphers. From PIA’s website:

(source: https://helpdesk.privateinternetacce...your-gateways-)

So, in order to use the stronger ciphers, we have to also change our port from 1198 to 1197, download the 4096bit CA certificate, and reconfigure a few settings. We’ll do these steps using sed:

Download the 4096-bit certificate:
Code:
$ wget -O /etc/openvpn/ca.rsa.4096.crt \
https://www.privateinternetaccess.com/openvpn/ca.rsa.4096.crt
Edit all the *.ovpn configurations with sed
- replace port 1198 with 1197:
Code:
$ sed -i -e s/1198/1197/ /etc/openvpn/*.ovpn
- replace aes-128-cbc with aes-256-cbc:
Code:
$ sed -i -e s/aes-128-cbc/aes-256-cbc/ /etc/openvpn/*.ovpn
- replace sha1 with sha256:
Code:
$ sed -i -e s/sha1/sha256/ /etc/openvpn/*.ovpn
- reference the 4096-bit certificate instead of the 2048-bit one:
Code:
$ sed -i -e s/ca\.rsa\.2048\.crt/ca.rsa.4096.crt/ /etc/openvpn/*.ovpn
Now, since we’re running this on a server, we don’t intend to have to interact with it, so we will need to put our PIA VPN credentials in a file. We’ll put this file in /etc/openvpn/PIA-cred.conf; the format is simple: the first line is your username, and the second line is your password:

Start by creating a new file with your PIA username, which starts with a “p” followed by 7 digits:


Code:
$ echo "p1234567" > /etc/openvpn/PIA-cred.conf
Next, append the password:

Code:
$ echo "yourpassword" >> /etc/openvpn/PIA-cred.conf
Because this file has sensitive information, let’s make sure it has the right permissions to protect it:

Code:
$ chown root:root /etc/openvpn/PIA-cred.conf
$ chmod 400 /etc/openvpn/PIA-cred.conf
Next, we need the PIA OpenVPN configuration files to use these credentials, so we have to set ‘auth-user-pass’ to reference this file.

Code:
$ sed -i -e 's/auth-user-pass.*/auth-user-pass PIA-cred.conf/' /etc/openvpn/*.ovpn
To be more secure, we’ll also tell OpenVPN not to cache the credentials in virtual memory by appending the ‘auth-nocache’ option right after auth-user-pass:

Code:
$ sed -i -e '/auth-user-pass PIA-cred.conf/a auth-nocache' /etc/openvpn/*.ovpn
One more thing: if you have SELinux enabled, make sure that all the new files have the correct SELinux labels:

Code:
$ restorecon -r /etc/openvpn
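
A check for the edits above, as an added example that is not part of the original post: it confirms that every profile in a directory carries the port, cipher, auth, CA and credential settings from the sed steps, and that PIA-cred.conf is mode 0400 and owned by root. The function names and the optional UID argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit PIA profiles after the tutorial's sed edits.

# check_profile FILE: print each problem; return the number of problems found.
check_profile() {
    cp_bad=0
    cp_txt=$(tr -d '\r' < "$1") || return 1     # tolerate CRLF line endings
    for cp_want in 'cipher aes-256-cbc' 'auth sha256' 'ca ca.rsa.4096.crt' \
                   'auth-user-pass PIA-cred.conf' 'auth-nocache'; do
        printf '%s\n' "$cp_txt" | grep -qixF -- "$cp_want" ||
            { echo "$1: missing '$cp_want'"; cp_bad=$((cp_bad + 1)); }
    done
    printf '%s\n' "$cp_txt" |
        grep -qE '^remote[[:space:]]+[^[:space:]]+[[:space:]]+1197$' ||
        { echo "$1: remote port is not 1197"; cp_bad=$((cp_bad + 1)); }
    # Any default value still present means a substitution did not apply.
    if printf '%s\n' "$cp_txt" |
        grep -qiE 'aes-128-cbc|^auth[[:space:]]+sha1$|ca\.rsa\.2048\.crt'; then
        echo "$1: default setting survived the edits"; cp_bad=$((cp_bad + 1))
    fi
    return "$cp_bad"
}

# check_cred FILE [UID]: succeed only if FILE is mode 0400 and owned by UID
# (default 0, root). Only the first 10 characters of the mode string are
# compared, so a trailing SELinux "." or ACL "+" is ignored.
check_cred() {
    ls -ldn -- "$1" 2>/dev/null | awk -v u="${2:-0}" '
        { ok = (substr($1, 1, 10) == "-r--------" && $3 == u) }
        END { exit !ok }'
}

# audit_dir DIR [UID]: check every profile and the credentials file in DIR.
audit_dir() {
    ad_fail=0
    for ad_f in "$1"/*.ovpn; do
        [ -e "$ad_f" ] || { echo "$1: no .ovpn files"; return 1; }
        check_profile "$ad_f" || ad_fail=1
    done
    check_cred "$1/PIA-cred.conf" "${2:-0}" ||
        { echo "$1/PIA-cred.conf: want mode 0400, owner uid ${2:-0}"; ad_fail=1; }
    return "$ad_fail"
}

# Run as: sh audit.sh /etc/openvpn
if [ -n "${1:-}" ]; then audit_dir "$1"; fi
```

A non-zero exit status means at least one profile or the credentials file does not match what the steps above should have produced.
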
Finally, before we start the VPN, we will pick a region and symlink it as “PIA.conf”. This will allow us to reference this particular OpenVPN configuration in systemd later. So, let’s say we wanted to use the Mexico.ovpn:

Code:
$ ln -s /etc/openvpn/Mexico.ovpn /etc/openvpn/PIA.conf
Now we can finally start the VPN using systemctl:

Code:
$ systemctl start openvpn@PIA.service
And to have this VPN start on boot, let’s enable it too:

Code:
$ systemctl enable openvpn@PIA.service
If the VPN connected successfully, you should see a tun network interface device (see the “ip link” or “ifconfig” command) and your routing table should have a default gateway pointing to the tun interface (see the “ip route show” command). If you have any problems, I recommend looking at your openvpn logs to see what might have gone wrong.

As a final verification, check your public IP address. You can do this by using ipify or equivalent:

Code:
$ curl https://api.ipify.org
Finally, I actually wrote a script that will do all of the above and also set up VPN profiles for NetworkManager. If you're interested in using the script instead of the step-by-step above, you can find it on GitHub: https://github.com/ezonakiusagi/setup-PIA-OpenVPN