Secure Auto-Starting Private Internet Access (PIA) Using OpenVPN on Ubuntu 16.04 LTS

By | March 20, 2017

The goal of this article is to create a Linux server that can only talk to Private Internet Access’ servers before the VPN is brought up, or if it goes down.

To remove the need for DNS before the VPN is operational, we specify the PIA servers by IP address. This also lets us block outgoing DNS queries as an added privacy measure against DNS leakage.

Installing and Configuring OpenVPN

Install OpenVPN

$ sudo apt install openvpn

Download and Unpack OpenVPN Configuration Files (IP)

$ sudo apt install unzip
$ mkdir PIA
$ cd PIA
$ wget
$ unzip
$ sudo cp ca.rsa.2048.crt /etc/openvpn/
$ sudo cp crl.rsa.2048.pem /etc/openvpn/

Create the OpenVPN Configuration File

Create the file /etc/openvpn/pia.conf

$ sudo nano /etc/openvpn/pia.conf

and paste the following into it:

dev tun
proto udp
#AU Melbourne
;remote 1198
#AU Sydney
;remote 1198
;remote 1198
#CA Montreal
;remote 1198
#CA Toronto
;remote 1198
;remote 1198
;remote 1198
;remote 1198
;remote 1198
#Hong Kong
;remote 1198
;remote 1198
;remote 1198
;remote 1198
;remote 1198
;remote 1198
;remote 1198
;remote 1198
#New Zealand
;remote 1198
;remote 1198
;remote 1198
;remote 1198
#South Korea
;remote 1198
;remote 1198
;remote 1198
;remote 1198
#UK London
;remote 1198
#UK Southampton
;remote 1198
#US California
;remote 1198
#US Chicago
;remote 1198
#US East
;remote 1198
#US Florida
;remote 1198
#US Midwest
;remote 1198
#US New York City
;remote 1198
#US Seattle
;remote 1198
#US Silicon Valley
;remote 1198
#US Texas
;remote 1198
#US West
;remote 1198
resolv-retry infinite
cipher aes-128-cbc
auth sha1
remote-cert-tls server
verb 1
reneg-sec 0
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
keepalive 10 60

To select a VPN server, remove the semi-colon in front of the server you wish to use. If you uncomment more than one server, this configuration will randomly select one of the uncommented servers every time it connects.

Configuring Credentials

Create a text file in your home directory called .pia_auth and put your PIA username and password on separate lines:

$ echo PIAUsername > ~/.pia_auth
$ echo SecretPIAPassword >> ~/.pia_auth

Don’t forget to change the values for your username and password above to the ones you use for your account.

Add the username and password file to the PIA configuration file for OpenVPN:

$ echo auth-user-pass ~/.pia_auth | sudo tee --append /etc/openvpn/pia.conf

You can now test the VPN by typing:

$ sudo openvpn /etc/openvpn/pia.conf

If everything went well, it should successfully connect. You can cancel the connection with ctrl-c.

Starting Private Internet Access on Start-up

Edit the file /etc/default/openvpn

$ sudo nano /etc/default/openvpn

and add the line

AUTOSTART="pia"

below the other lines starting with #AUTOSTART. Now, when the server boots, it will automatically start the VPN. Reboot the server now and then use the ifconfig command to check that the VPN is running.

$ sudo shutdown -r now

*** Wait for Reboot ***

$ sudo service openvpn start

Configuring UFW to Block All Traffic Except OpenVPN

Locate the Name of Your Ethernet

$ sudo ifconfig

Look for the entry that starts with ‘ens’ or ‘eth’. My server has ‘ens18’, but ‘eth0’ is standard. Remember this for the firewall rules below. Where I use ‘ens18’, you should replace it with the value for your ethernet card.

Allow Incoming SSH Connections on the Local Ethernet

$ sudo ufw allow in on ens18 to any port 22 proto tcp

Disable IPV6

Edit the file /etc/sysctl.conf:

$ sudo nano /etc/sysctl.conf

and add the following lines at the end of the file:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Block IPV6 and All Incoming and Outgoing Connections

Edit /etc/default/ufw:

$ sudo nano /etc/default/ufw

Change the appropriate lines in the configuration file to match below:

IPV6=no
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="DROP"
Save and quit. Then restart your firewall with the following commands:

$ sudo ufw disable
$ sudo ufw enable

Allow Outbound VPN Connections

$ sudo ufw allow out on ens18 to any port 1198 proto udp

Allow Traffic Over the VPN Link

To allow outgoing connections over the VPN link, add the following UFW rule:

$ sudo ufw allow out on tun0 to any

To allow specific incoming connections on the VPN link, you need to specify both the port number and the interface name of the VPN link. For example, you might want qBittorrent to accept incoming connections when downloading Ubuntu ISOs. Replace the 8999 in the command below with the port number your service is listening on.

$ sudo ufw allow in on tun0 to any port 8999 proto tcp
$ sudo ufw allow in on ens18 to any port 8080 proto tcp

Finally, restart the computer to make sure all of the changes have taken place.

$ sudo shutdown -r now

When the computer has restarted, you can check that the VPN is running from the command line with:

$ sudo ifconfig
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
 inet addr: P-t-P: Mask:
 RX packets:1249926 errors:0 dropped:0 overruns:0 frame:0
 TX packets:1073005 errors:0 dropped:1 overruns:0 carrier:0
 collisions:0 txqueuelen:100
 RX bytes:1704370992 (1.7 GB) TX bytes:57204011 (57.2 MB)

You should see output similar to above that lists the details for an interface called ‘tun0’.
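To confirm that the firewall really enforces the kill switch built above, here is an added audit script (not from the original article) that parses the output of `sudo ufw status verbose` and flags any outbound allow rule that could carry traffic around tun0, including a DNS hole on the physical interface. The interface name ens18, the port 1198/udp and the column layout of the sample status text are assumptions; the sample itself is constructed to mirror the rules in this article.

```python
import re

PHYS_IFACE = "ens18"    # physical NIC used in the article (assumption: yours may differ)
VPN_PORT = "1198/udp"   # the one outbound hole the article opens for OpenVPN

# Constructed sample in the layout of `sudo ufw status verbose`, reflecting the
# rules built in this article; not captured from a real host.
GOOD_STATUS = """\
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp on ens18            ALLOW IN    Anywhere
1198/udp on ens18          ALLOW OUT   Anywhere (out)
Anywhere on tun0           ALLOW OUT   Anywhere (out)
8999/tcp on tun0           ALLOW IN    Anywhere
"""

# The same host with two mistakes: a permissive outbound default and a DNS hole
# on the physical interface (the leak this article's rules are meant to prevent).
LEAKY_STATUS = (GOOD_STATUS.replace("deny (outgoing)", "allow (outgoing)")
                + "53/udp on ens18            ALLOW OUT   Anywhere (out)\n")

# One rule line: "<to> [on <iface>]   ALLOW IN|OUT   <from>"
RULE_RE = re.compile(r"^(?P<to>\S+(?: on (?P<iface>\S+))?)\s+ALLOW (?P<dir>IN|OUT)\s+")


def audit_killswitch(status_text, phys=PHYS_IFACE, vpn_port=VPN_PORT):
    """Return a list of findings; an empty list means no traffic can bypass tun0."""
    findings = []
    if "deny (incoming)" not in status_text:
        findings.append("default incoming policy is not deny")
    if "deny (outgoing)" not in status_text:
        findings.append("default outgoing policy is not deny")
    for line in status_text.splitlines():
        m = RULE_RE.match(line)
        if not m or m.group("dir") != "OUT":
            continue                     # only outbound allows can leak
        to, iface = m.group("to"), m.group("iface")
        if iface is None:
            findings.append(f"outbound allow not bound to an interface: {to}")
        elif iface == phys and not to.startswith(vpn_port + " "):
            kind = "DNS leak path" if to.startswith("53/") else "outbound hole"
            findings.append(f"{kind} on {phys} besides the VPN port: {to}")
    return findings


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else LEAKY_STATUS
    for finding in audit_killswitch(text):
        print("FAIL:", finding)
```

Run it as `sudo ufw status verbose | python3 audit.py` on the real host; with no input piped in it audits the constructed leaky sample instead.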

Making Sure It Stays Running

To make sure the VPN stays running, I created this script which tests connectivity to PIA’s DNS server. If the connection fails, the VPN is restarted. I added this to a cron job to check every 5 minutes.

#!/bin/bash
# Set LOG to true to have the status of the VPN logged to the file specified at LOGPATH
LOG=true
# Specify the file name for where the VPN status should be logged to
LOGPATH=/var/log/pia-vpn.log   # example path; change as needed
DATE=$(/bin/date "+%Y-%m-%d %H:%M:%S")
# Address pinged through the tunnel; the PIA DNS server IP from the original article was lost, so set it here
PIA_DNS="<PIA DNS server IP>"

function log {
    if [ "${LOG}" = true ] ; then
        # tee runs under sudo so the log file can live somewhere only root may write
        /bin/echo "${DATE} ${1}" | /usr/bin/sudo /usr/bin/tee -a "${LOGPATH}" >/dev/null
    fi
    /bin/echo "${1}"
}

# Force the probe out of tun0 so a reply can only come back through the VPN
/bin/ping -c 1 -I tun0 -q "${PIA_DNS}" >/dev/null 2>&1
if [[ $? -ne 0 ]] ; then
    log "VPN down, restarting"
    /usr/bin/sudo /usr/sbin/service openvpn restart # user must have root access permitted by sudo for this to work
else
    log "VPN OK"
fi

In order for this script to work properly, you will need sudo access configured not to require a password. Alternatively, you can run it as root.
