This script automates the process of setting up a WireGuard point-to-point VPN tunnel on OPNsense to connect to PIA's NextGen WireGuard servers.
It will create a WireGuard instance and a peer on your OPNsense deployment automatically. It will then maintain the tunnel to keep it up and connected, with an automated check every 5 minutes.
You can also create a cron job for that check, and you can manually change the PIA server you are connected to.

**Warning: This is for advanced users.**
## Installation

### Step 1: Prerequisites

Check the following OPNsense settings first:

- System: Settings: Administration -> Web GUI
  - Protocol: HTTPS
- System: Settings: Administration -> Secure Shell
  - Enable Secure Shell
  - Permit root user login
  - Permit password login
If an older version of the script is already installed, jump to the Updating section.

### Step 2: Create an API user

1. Go to System: Access: Users and click the plus (Add) button on the top right.
2. Username: WireguardAPI
3. Generate a scrambled password to prevent local database logins for this user.
4. Click Save.
5. Under Effective Privileges, give the user the following permissions:
   - Firewall: Alias: Edit
   - Firewall: Aliases
   - System: Static Routes
   - VPN: Wireguard
6. Click the plus sign on API Keys; it'll download the keys in a txt file. We'll leverage this later.
7. Click Save.

### Step 3: Download the script

SSH into OPNsense and choose option 8 (shell). As root, run the below commands:
```sh
fetch -o /conf https://raw.githubusercontent.com/FingerlessGlov3s/OPNsensePIAWireguard/main/PIAWireguard.py
fetch -o /conf https://raw.githubusercontent.com/FingerlessGlov3s/OPNsensePIAWireguard/main/ca.rsa.4096.crt
fetch -o /usr/local/opnsense/service/conf/actions.d https://raw.githubusercontent.com/FingerlessGlov3s/OPNsensePIAWireguard/main/actions_piawireguard.conf
```
### Step 4: Configure PIAWireguard.json

Open the PIAWireguard.json file (see Example config below) on your local device using Notepad++ or your favourite IDE, and set the following values:

- opnsenseURL: should only need to change this if you use a different TCP port for the WebUI or changed the Listen Interfaces; the provided URL is correct if you've left those unchanged.
- opnsenseKey: the WireguardAPI key you downloaded in step 2 (apikeys.txt).
- opnsenseSecret: the WireguardAPI secret you downloaded in step 2 (apikeys.txt).
- piaUsername: your PIA username.
- piaPassword: your PIA password.
- instances: as we support creation of multiple tunnels, the example config has one instance but you can have as many as you like. The instances are key/value pairs. Change instancename to something like london if you are using the uk region, but the instance name can be whatever you'd like it to be. Each instance has:
  - regionId: change to your PIA region id (see below for details).
  - portForward: enable port forwarding (note: region support required).
  - opnsenseWGPort: outgoing port for OPNsense; this needs to be different for each tunnel and not already in use for something else on OPNsense.

To find your region id, run ListRegions.py on your local device (or run the script with --listregions). This will list the name and region id of each PIA region for you to choose from.
### Step 5: Copy the config to OPNsense

Copy the PIAWireguard.json file to /conf/ on your OPNsense router using SCP, FileZilla, etc. Make sure you are using the root user of OPNsense when you connect, otherwise you'll get access denied messages.

```sh
scp .\PIAWireguard.json root@192.168.1.1:/conf/PIAWireguard.json
```
### Step 6: Run the script

SSH into OPNsense again and choose option 8 (if you've closed the previous SSH connection), then run:

```sh
chmod +x /conf/PIAWireguard.py
service configd restart
/conf/PIAWireguard.py --debug
```
### Step 7: Assign the WireGuard interface

1. Go to Interfaces: Assignments. Under New interface, on the drop-down select wg0 (unless you already had one set up, then select wg1, etc.).
2. Enter the description WAN_PIAWG_INSTANCENAME (WAN_PIAWG followed by your instance name) and click the + button.
3. The WAN_PIAWG_INSTANCENAME interface will show on the list, which will be the new wg interface; click on it to edit.
4. Tick Enable Interface, click Save and Apply Changes. Change nothing else.

### Step 8: Add the PIA gateway

1. Go to System: Gateways: Single, so we can set up the PIA gateway for the tunnel(s).
2. Click the + button to add a new gateway.
3. Make sure Disabled is unchecked.
4. Name: WAN_PIA_INSTANCENAME_IPv4
5. Interface: WAN_PIAWG_INSTANCENAME
6. Tick Far Gateway.
7. Tick Disable Gateway Monitoring.
8. Save and Apply Changes.
9. Run the script again:

```sh
/conf/PIAWireguard.py --debug --changeserver instancename
```

### Step 9: Verify the gateway

Go back to System: Gateways: Single; you should see WAN_PIA_INSTANCENAME_IPv4 now has a gateway IP and is pinging.

### Step 10: Create the cron job

1. Go to System: Settings: Cron and click the plus button at the bottom right of the table.
2. Minutes: */5
3. Hours: *
4. Command: PIA WireGuard Monitor Tunnels (on the command drop-down).

### Step 11: Set the MSS for the tunnel

1. Go to Firewall: Settings: Normalization and click Add.
2. Interface: WAN_PIA_INSTANCENAME_IPv4
3. Description: Maximum MSS for PIA WireGuard Tunnel
4. Max MSS: 1380
5. Click Save (you will notice it'll now list this as OPT rather than the interface name; don't worry, it's still correct, just edit it to verify you made the right selection).
6. Apply Changes.

Note: If you're having speed issues, you may need to change PIA server region or lower the default MTU from 1420; advanced users should understand how to do this.
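The cron job above runs the monitor every 5 minutes, and the thing a monitor has to decide is whether each WireGuard interface has completed a recent handshake. As an added example (not the project's own monitor code), the following Python evaluates that from `wg show all latest-handshakes` output, using a constructed sample and an assumed 180-second threshold; `live_status` runs the real command on the router.

```python
import subprocess
import time

# Constructed sample of `wg show all latest-handshakes`: <iface>\t<peer pubkey>\t<unix time>.
# A timestamp of 0 means that peer has never completed a handshake.
SAMPLE_OUTPUT = ("wg0\tNOT-A-REAL-PEER-KEY-1=\t1704460800\n"
                 "wg1\tNOT-A-REAL-PEER-KEY-2=\t0\n")
SAMPLE_NOW = 1704460900  # constructed "current" time, 100 s after wg0's handshake
MAX_HANDSHAKE_AGE = 180  # seconds (assumption); WireGuard re-handshakes about every 2 min

def parse_handshakes(output):
    """Map interface name -> newest handshake timestamp among its peers."""
    latest = {}
    for line in output.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # skip anything that is not an <iface> <key> <time> row
        iface, _pubkey, ts = parts
        latest[iface] = max(latest.get(iface, 0), int(ts))
    return latest

def tunnel_status(output, now, max_age=MAX_HANDSHAKE_AGE):
    """Return {iface: (up, age_seconds)}; age is None if no handshake ever happened."""
    status = {}
    for iface, ts in parse_handshakes(output).items():
        if ts == 0:
            status[iface] = (False, None)
        else:
            age = now - ts
            status[iface] = (age <= max_age, age)
    return status

def describe(status):
    """One log line per tunnel, in the style of the script's 'tunnel up' message."""
    return [f"{iface} tunnel {'up' if up else 'down'} - last handshake "
            + ("never" if age is None else f"{age} seconds ago")
            for iface, (up, age) in status.items()]

def live_status():
    """Query the running kernel on the router (needs root, as the cron job has)."""
    out = subprocess.run(["wg", "show", "all", "latest-handshakes"],
                         capture_output=True, text=True, check=True).stdout
    return tunnel_status(out, int(time.time()))

if __name__ == "__main__":
    print("\n".join(describe(tunnel_status(SAMPLE_OUTPUT, SAMPLE_NOW))))
```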
## Updating

Since 2024/01/05 the script has had a complete overhaul. The major change is that the script is now able to handle multiple instances of the tunnel, i.e. you can establish connections to multiple regions.
The main impact is that our instance name needs to be unique, since we'll have multiple instances. {instancename} is replaced with the name for your specific instance in the config file; for example, london would become pia-london for the WireGuard instance name. See Example config below.

Update steps:

1. Create a new PIAWireguard.json based on your old config file.
2. Copy the new PIAWireguard.py and PIAWireguard.json files to /conf/.
3. Copy the actions_piawireguard.conf file to /usr/local/opnsense/service/conf/actions.d/.
4. Run `service configd restart` via SSH to refresh the new actions file.
5. The OPNsense objects are now named per instance:
   - pia-{instancename} (previously PIA)
   - pia-{instancename}-server (previously PIA-Server)
   - pia_{instancename}_port (previously PIA_Port)
6. Run `python3 PIAWireguard.py --debug`; it should return `instancename tunnel up - last handshake x seconds ago` as the last log entry.
7. Run `python3 PIAWireguard.py --debug --changeserver instancename` to ensure all changes will apply and work.
8. Make sure the cron job uses the PIA WireGuard Monitor Tunnels command.

See releases, starting from the version you have installed, to see if there's anything you need to do; usually it's just upgrading the py script itself. The release description will have the required commands and notes for upgrading.
## Example config

```json
{
  "opnsenseURL": "https://127.0.0.1:443",
  "opnsenseKey": "/FQDXExojUWWuBdnPEPCUt98vnrQOdLxFqypTIEhE41304uYgA68ZJw7fveXBpXkMHqiAdx04cRAlLwh",
  "opnsenseSecret": "p+Gi4uE1xypuGIptbhrDylGKcNd9vaRpQ298eH0k6SFRQ6Crw4fLk0cIA0eSuKvWEN0hKx8JaIGUtNPq",
  "piaUsername": "p1234567",
  "piaPassword": "EncryptAllTheThings",
  "tunnelGateway": null,
  "opnsenseWGPrefixName": "pia",
  "instances": {
    "london": {
      "regionId": "uk",
      "dipToken": "",
      "dip": false,
      "portForward": true,
      "opnsenseWGPort": "51815"
    }
  }
}
```

Note: Passwords and keys in the example are not real.
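As an added example (not part of the PIAWireguard project), here is a small Python check you can run on your local device before copying the file to /conf/. It flags a non-HTTPS opnsenseURL, empty credentials, dip set without a dipToken, a bad tunnelGateway value and an opnsenseWGPort reused across instances, and lists the object names the script derives for each instance. It assumes opnsenseWGPrefixName is the "pia" prefix in the pia-{instancename} naming above; the sample config is constructed and its values are not real.

```python
import json

# Constructed sample mirroring the README's example config (values are not real).
SAMPLE = """{
  "opnsenseURL": "https://127.0.0.1:443",
  "opnsenseKey": "KEY", "opnsenseSecret": "SECRET",
  "piaUsername": "p1234567", "piaPassword": "EncryptAllTheThings",
  "tunnelGateway": null, "opnsenseWGPrefixName": "pia",
  "instances": {"london": {"regionId": "uk", "dipToken": "", "dip": false,
                           "portForward": true, "opnsenseWGPort": "51815"}}
}"""

def check_config(text):
    """Return a list of problems; an empty list means the config looks sane."""
    cfg = json.loads(text)
    problems = []
    if not str(cfg.get("opnsenseURL", "")).startswith("https://"):
        problems.append("opnsenseURL must be https:// (the Web GUI is set to HTTPS)")
    for key in ("opnsenseKey", "opnsenseSecret", "piaUsername", "piaPassword"):
        if not cfg.get(key):
            problems.append(f"{key} is empty")
    gw = cfg.get("tunnelGateway")
    if gw is not None and not (isinstance(gw, str) and gw):
        problems.append("tunnelGateway must be null or a gateway name such as WAN2_DHCP")
    instances = cfg.get("instances") or {}
    if not instances:
        problems.append("at least one instance is required")
    used_ports = {}  # opnsenseWGPort -> instance name, to catch duplicates
    for name, inst in instances.items():
        if not inst.get("regionId"):
            problems.append(f"{name}: regionId is missing (see --listregions)")
        if inst.get("dip") and not inst.get("dipToken"):
            problems.append(f"{name}: dip is true but dipToken is empty")
        port = str(inst.get("opnsenseWGPort", ""))
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append(f"{name}: opnsenseWGPort must be a valid port number")
        elif port in used_ports:
            problems.append(f"{name}: opnsenseWGPort {port} already used by {used_ports[port]}")
        used_ports.setdefault(port, name)
    return problems

def derived_names(text):
    """Names the script creates per instance: WireGuard instance, peer and port alias.
    Assumption: opnsenseWGPrefixName is the 'pia' in the README's pia-{instancename}."""
    cfg = json.loads(text)
    prefix = cfg.get("opnsenseWGPrefixName", "pia")
    return {n: (f"{prefix}-{n}", f"{prefix}-{n}-server", f"{prefix}_{n}_port")
            for n in cfg.get("instances", {})}
```

To check your own file, call `check_config(open("PIAWireguard.json").read())`; an empty list means nothing was flagged.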
## Script arguments

You may list the arguments you can pass to the script by running `/conf/PIAWireguard.py --help`; example output is below.

```text
usage: PIAWireguard.py [-h] [--debug] [--listregions] [--changeserver [instancename]]

Python script to automate connections to PIA's WireGuard Servers. Source:
https://github.com/FingerlessGlov3s/OPNsensePIAWireguard

optional arguments:
  -h, --help            show this help message and exit
  --debug               Enable debug logging
  --listregions         List available regions and their properties
  --changeserver [instancename]
                        Change server for instance name or "all" for all instances
```

- `--debug`: shows debug logging, to see what the script is doing (or maybe not doing).
- `--listregions`: lists all of the available PIA regions.
- `--changeserver [instancename]`: allows you to rotate/change the server you're connected to for that instance.

Example: `/conf/PIAWireguard.py --debug --changeserver instance2` will change the server that instance2 is connecting to and print all debug messages.
## Port forwarding

To use port forwarding, set the portForward variable in the json file for the instance from false to true. This will create an alias in your system called pia_instancename_port, which you can then use in your Port Forwarding rule. This alias will self-update when required.

If you need a way to find out this port for an internal application, you can go to the following URL on your OPNsense to get the port, as it's published publicly to devices that can reach the HTTPS port of OPNsense:

https://opnsense.lan/wg0_port.txt

Note: Not all server locations support port forwarding.
## Dedicated IP (DIP)

If you have purchased a Dedicated IP from PIA, add your DIP token to dipToken in the json file for the instance, then to enable its usage simply set dip to true. Remember PIA only gives you the DIP token once, so make sure you have backed up the token somewhere.

I have developed this functionality by reverse engineering the PIA client; at this moment in time, manual connections for DIP are not officially supported by PIA.

Note: I have not tested DIP in a while, so if this works for you let me know; if not, create a GitHub issue.
## Multi-WAN (tunnelGateway)

In some deployments, people may be running dual or even triple WAN configurations. In this case, due to how WireGuard is configured in FreeBSD (OPNsense), it'll route the PIA tunnel over the default WAN interface. Some people will want to change this to use another WAN interface as the gateway to route the PIA tunnel over.

This functionality is built in to the script. You will need to get the name of your wanted gateway, for example WAN2_DHCP, then set this as the tunnelGateway variable value in the json file (the value needs to be in double quotes). When the script then runs, it'll add/change a static route to force the PIA tunnel to use that gateway (interface).

You'll find your gateway names in System: Gateways: Single; make sure it's the IPv4 one.
## VPN kill switch

You will find that if the VPN tunnel isn't up, traffic that should flow over it will instead head straight out your WAN interface. You can set up a "VPN kill switch" to prevent this.

Firewall - Rules - WAN

- Action - Block
- Quick - Apply the action immediately on match
- Interface - WAN
- Direction - Out
- Description - "Don't let traffic headed for VPN out the WAN"
- Match local tag - NO_WAN_EGRESS

Firewall - Rules - LAN (or whatever interface has VPN rules)

- Advanced features - Show/Hide
- Set local tag - add in NO_WAN_EGRESS
WireGuard is a registered trademark of Jason A. Donenfeld.
Private Internet Access is owned by Private Internet Access, Inc. All Rights Reserved.