dperson / openvpn-client

GNU Affero General Public License v3.0
1.06k stars 587 forks

PIA #64

Closed DannyMac closed 7 years ago

DannyMac commented 7 years ago

Trying to get PIA working has been a PIA. I saw in a different issue, you use Private Internet Access, but I'm getting nothing. I eventually get an auth failed message. I've tried several different ways:

docker run -it --cap-add=NET_ADMIN --device=/dev/net/tun --name=vpn --restart=always --privileged \
  -v /home/mediamanager/docker/configs/openvpn-client:/vpn dperson/openvpn-client \
  -v 'nl.privateinternetaccess.com;username;password' -d -f -t "EST5EDT"

I saw in one of the ovpn files that the port was 1198, seems to actually progress a bit better:

docker run -it --cap-add=NET_ADMIN --device=/dev/net/tun --name=vpn --restart=always --privileged \
  -v /home/mediamanager/docker/configs/openvpn-client:/vpn dperson/openvpn-client \
  -v 'nl.privateinternetaccess.com;username;password;1198' -d -f -t "EST5EDT"

I'm running Ubuntu 16.04.

I am not the one to go running to forums or emailing people for help at the first hint of trouble. I try to figure it out myself, but I've been working on this for far too long and I need some help. Thanks in advance.

DannyMac commented 7 years ago

Okay, after much research, this is how I got PIA to work finally. I hope this can help someone:

From PIA's site, download https://www.privateinternetaccess.com/openvpn/openvpn.zip to a "pia" directory where you are saving dperson/openvpn-client's configuration files, example: /path/to/vpn/config/pia. (The only reason I'm doing this is for organization. The container doesn't care about this directory).

Copy the .ovpn file of the location around the world you want, "ca.rsa.2048.crt," and "crl.rsa.2048.pem" to /path/to/vpn/config.

Create a file called vpn.cert_auth with 0600 permissions that contains your PIA username on the first line and the password on the second.

Edit the .ovpn file you copied to /path/to/vpn/config earlier to add the parts in bold:

client
dev tun
proto udp
remote wherever.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /vpn/vpn.cert_auth
comp-lzo
verb 1
reneg-sec 0
crl-verify /vpn/crl.rsa.2048.pem
ca /vpn/ca.rsa.2048.crt
disable-occ

Per dperson's instructions you may want to add the last line too. NOTE: if you don't use the -v to configure your VPN, then you'll have to make sure that redirect-gateway def1 is set, otherwise routing may not work.

redirect-gateway def1

Make links to each file with the names the openvpn.sh script expects:

ln -s ca.rsa.2048.crt vpn-ca.crt
ln -s wherever.ovpn vpn.conf

Now run the command WITHOUT -v or -d as dperson mentioned in a different issue to stop openvpn.sh from overwriting vpn.conf:

docker run -it --cap-add=NET_ADMIN --device=/dev/net/tun --name=vpn --restart=always \
  -v /path/to/vpn/config:/vpn dperson/openvpn-client <use any openvpn.sh flags here EXCEPT -v and -d>

I hope this helps.

Updated to remove --privileged and simply have the user create vpn.cert_auth instead of a different file and creating a link with that name.
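The steps above (copy the PIA files next to the container's config, write a two-line credential file with 0600 permissions, repoint the .ovpn at /vpn/... paths, make sure redirect-gateway def1 is present, and create the vpn-ca.crt / vpn.conf links openvpn.sh expects) as one added shell script. This is example code, not part of the thread or of the dperson/openvpn-client project: it works on a constructed sample .ovpn and placeholder certificate files instead of PIA's real download, reads the credentials from the assumed PIA_USER and PIA_PASS environment variables rather than taking them on the command line (so they don't show up in shell history or ps), and only prepares the directory; the docker run command is still typed separately.

```shell
#!/bin/sh
# Added example (not the project's code): prepare a dperson/openvpn-client
# config directory from a PIA-style .ovpn the way the comment above describes.
set -eu

# Rewrite a PIA .ovpn so every file it references lives under /vpn (the
# container's mount point), point auth-user-pass at the credential file, and
# make sure redirect-gateway def1 is present exactly once. Writes $2.
rewrite_ovpn() {
    src="$1"; dst="$2"
    sed -e 's|^ca .*|ca /vpn/ca.rsa.2048.crt|' \
        -e 's|^crl-verify .*|crl-verify /vpn/crl.rsa.2048.pem|' \
        -e 's|^auth-user-pass.*|auth-user-pass /vpn/vpn.cert_auth|' \
        "$src" > "$dst"
    grep -q '^redirect-gateway def1$' "$dst" || printf 'redirect-gateway def1\n' >> "$dst"
}

# Write the username/password file. The umask applies before any bytes land in
# the file, so it is never world-readable even for an instant; chmod pins 0600.
# PIA_USER / PIA_PASS are assumed environment variables (not from the page).
write_cert_auth() {
    dir="$1"
    ( umask 077; printf '%s\n%s\n' "${PIA_USER:?PIA_USER not set}" \
                                   "${PIA_PASS:?PIA_PASS not set}" > "$dir/vpn.cert_auth" )
    chmod 0600 "$dir/vpn.cert_auth"
}

# Create the relative links under the names openvpn.sh expects.
link_names() {
    dir="$1"; ovpn="$2"
    ln -sf ca.rsa.2048.crt "$dir/vpn-ca.crt"
    ln -sf "$ovpn" "$dir/vpn.conf"
}

# Full procedure: $1 = config dir (PIA files already unzipped in $1/pia),
# $2 = name of the chosen .ovpn inside $1/pia.
prepare_config() {
    dir="$1"; ovpn="$2"
    cp "$dir/pia/ca.rsa.2048.crt" "$dir/pia/crl.rsa.2048.pem" "$dir/"
    rewrite_ovpn "$dir/pia/$ovpn" "$dir/$ovpn"
    write_cert_auth "$dir"
    link_names "$dir" "$ovpn"
}

# Constructed stand-in for the contents of PIA's openvpn.zip (placeholder certs).
make_sample() {
    dir="$1"
    mkdir -p "$dir/pia"
    cat > "$dir/pia/wherever.ovpn" <<'EOF'
client
dev tun
proto udp
remote wherever.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
disable-occ
EOF
    printf 'placeholder CA (constructed)\n' > "$dir/pia/ca.rsa.2048.crt"
    printf 'placeholder CRL (constructed)\n' > "$dir/pia/crl.rsa.2048.pem"
}

# Verify a prepared directory: paths rewritten, gateway line present,
# credential file mode 0600 (checked via ls so it works without GNU stat).
check_config() {
    dir="$1"
    grep -q '^auth-user-pass /vpn/vpn.cert_auth$' "$dir/vpn.conf" &&
    grep -q '^ca /vpn/ca.rsa.2048.crt$' "$dir/vpn.conf" &&
    grep -q '^crl-verify /vpn/crl.rsa.2048.pem$' "$dir/vpn.conf" &&
    [ "$(grep -c '^redirect-gateway def1$' "$dir/vpn.conf")" = "1" ] &&
    [ "$(ls -l "$dir/vpn.cert_auth" | cut -c1-10)" = "-rw-------" ] &&
    [ -L "$dir/vpn-ca.crt" ] && [ -L "$dir/vpn.conf" ]
}

# Stand-alone demo: sh prepare.sh demo  (uses a temp dir and dummy credentials)
if [ "${1:-}" = "demo" ]; then
    demo=$(mktemp -d)
    make_sample "$demo"
    PIA_USER=demo_user PIA_PASS=demo_pass prepare_config "$demo" wherever.ovpn
    check_config "$demo" && echo "prepared $demo"
fi
```

After this, the directory is mounted as /vpn and the container is started without -v or -d, as the comment says, so openvpn.sh does not regenerate vpn.conf over the link. Running prepare_config a second time is safe: the grep guard keeps redirect-gateway def1 from being appended twice, and ln -sf replaces the links instead of failing.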

dperson commented 7 years ago

You shouldn't need to make the container --privileged, the only extra permission that it needs is the --cap-add=NET_ADMIN. With PIA, you have to provide a username and password to connect. OpenVPN doesn't really support interactive prompting, so they have to be provided ahead of time. The PIA-provided config won't be able to authenticate.

Are you using your real (provided by PIA) <username> and <password> in the arguments to -v? Thanks.

DannyMac commented 7 years ago

I'll remove --privileged (I think I added it at some point in a fevered attempt to get this working). As I showed earlier, the modified PIA ovpn file now has "/vpn/login.txt" appended to auth-user-pass so one doesn't need to interactively add anything. A couple of days have passed and I see now that I should have just pointed the ovpn file to /vpn/vpn.cert_auth directly instead of making a link.

Yes, I was using my username and password that was provided by PIA. If you compare the PIA ovpn file to your script-generated vpn.conf file, there are some differences which weren't what PIA was accepting until I bypassed your vpn.conf and linked to the modified PIA-provided ovpn file.

dperson commented 7 years ago

Okay, it's been a while since I created this container, it looks like they've changed a few things since then. I'll compare them and see if anything needs to be added. Thanks.