A script to setup and run PIA through WireGuard on OpenWrt
https://github.com/bolemo/pia_wg/
1.0.8
mkdir /opt/scripts; cd /opt/scripts
wget https://raw.githubusercontent.com/bolemo/pia_wg/main/pia_wg.sh
chmod +x pia_wg.sh
opkg update && opkg install jq curl wireguard-tools luci-proto-wireguard coreutils-stty coreutils-nl
./pia_wg.sh start (or ./pia_wg.sh start --watchdog if you want the watchdog installed) and answer the questions
./pia_wg.sh configure and answer the questions
./pia_wg.sh start (or ./pia_wg.sh start --watchdog)
The firewall setup depends on your needs and your personal configuration.
For a typical setup (direct all LAN traffic to/from internet through the newly created wireguard interface), you'll need to update your firewall this way:
The script can be updated to the latest version using: pia_wg.sh update
You can set up the script to set any OpenWrt WireGuard network interface or peer settings this way (after running the initial configuration):
uci set pia_wg.@net_interface[0].<option>=<value>
then uci commit pia_wg.@net_interface[0]
uci set pia_wg.@net_peer[0].<option>=<value>
then uci commit pia_wg.@net_peer[0]
For example, to prevent OpenWrt from routing all the traffic through the VPN:
uci set pia_wg.@net_peer[0].route_allowed_ips='0'
uci commit pia_wg.@net_peer[0]
Or to put a fwmark on the outgoing VPN traffic:
uci set pia_wg.@net_interface[0].fwmark='0x1'
uci commit pia_wg.@net_interface[0]
Then, the next time you use ./pia_wg.sh start (if not already started; otherwise you need to restart, or do stop then start, to enable the new configuration) or ./pia_wg.sh restart, it will use these extra settings when OpenWrt WireGuard creates the PIA interface and the PIA peer.
The script can install a watchdog that regularly checks the status and restarts the VPN if needed.
For that, just use --watchdog when using start or restart, or run the command ./pia_wg.sh watchdog install
To uninstall/remove the watchdog, use ./pia_wg.sh watchdog remove; when ./pia_wg.sh stop is used, the watchdog is automatically removed.
When the watchdog is enabled, the script's log is located in /var/log/pia_wg_watchdog.log
The log can be displayed using pia_wg.sh log show and cleared using pia_wg.sh log clear
Usage: `pia_wg.sh { configure
Details:
configure: same as configure all
configure all: configure all settings
configure user: set PIA user ID and password
configure region: set/choose PIA region
configure keys: generate local WireGuard keys
configure network: generate default network settings
init-network: setup PIA WireGuard network (no start)
start: start PIA WireGuard (if not already up)
start --watchdog: same as start and install the watchdog
restart: start or restart PIA WireGuard
restart --watchdog: same as restart and install the watchdog
stop: stop PIA WireGuard (and remove the watchdog)
status: show PIA WireGuard status
watchdog install: install the watchdog
watchdog remove: remove the watchdog
log show: display the watchdog log
log clear: clear the watchdog log
log path: set a custom Directory Path for the log
update: update the script to latest version
version: print the version and exit

Please, take into account that the script is only creating and setting up the WireGuard interface. It is up to the user to set up/adapt his firewall zones (either including the interface in the WAN zone, or creating a specific zone for it named VPN, PIA or whichever name you want).
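One way to create the dedicated zone mentioned above, as an added example that is not part of this README or of pia_wg.sh. It assumes your LAN zone is named lan, takes the interface name the script created on your router as its first argument, and uses the made-up section names pia_zone and pia_fwd.

```shell
#!/bin/sh
# Added example (not part of pia_wg.sh): dedicated firewall zone for the
# PIA WireGuard interface, with forwarding from LAN into it.
# Assumptions: the LAN zone is called "lan"; $1 is the interface name that
# pia_wg.sh created on your router; section names pia_zone/pia_fwd are made up.
# Dry run, prints the uci arguments instead of applying them:
#   UCI=echo pia_fw_zone <interface> vpn

valid_name() {
    # letters, digits and underscore only, so the value is safe inside a uci key
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

pia_fw_zone() {
    pf_iface="$1"; pf_zone="${2:-vpn}"; pf_uci="${UCI:-uci}"
    valid_name "$pf_iface" || { echo "invalid interface name" >&2; return 2; }
    valid_name "$pf_zone" || { echo "invalid zone name" >&2; return 2; }
    # OpenWrt firewall zone names must not exceed 11 characters
    [ "${#pf_zone}" -le 11 ] || { echo "zone name too long" >&2; return 2; }

    # Named sections: running this twice updates the same zone, no duplicates.
    # input/forward REJECT: unsolicited traffic from the VPN side is rejected.
    # masq: LAN addresses are NATed to the tunnel address.
    # mtu_fix: clamp TCP MSS to the tunnel MTU.
    for pf_kv in \
        "pia_zone=zone" \
        "pia_zone.name=$pf_zone" \
        "pia_zone.network=$pf_iface" \
        "pia_zone.input=REJECT" \
        "pia_zone.output=ACCEPT" \
        "pia_zone.forward=REJECT" \
        "pia_zone.masq=1" \
        "pia_zone.mtu_fix=1" \
        "pia_fwd=forwarding" \
        "pia_fwd.src=lan" \
        "pia_fwd.dest=$pf_zone"
    do
        $pf_uci set "firewall.$pf_kv" || return 1
    done
    $pf_uci commit firewall
    # Apply afterwards with: /etc/init.d/firewall restart
}
```

The existing lan to wan forwarding is left untouched; while it exists, LAN traffic can still leave through WAN whenever the VPN route is absent.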
A user reported an issue not directly linked to this script but that other users might experience: on his OpenWrt setup, when his router restarts, the time is not properly set, which prevents the interface from going up. He proposed a solution here: https://github.com/bolemo/pia_wg/issues/5
©2024 bOLEMO