pschmitt / pia-tools

Shell script to automate privateinternetaccess port forwarding and starting/stopping transmission when connected/disconnected and other stuff

Home Page: https://aur.archlinux.org/packages/pia-tools

License: GNU General Public License v3.0

Shell 100.00%
vpn transmission torrent pia privateinternetaccess systemd openvpn

pia-tools's Introduction

pia-tools

Description

OpenVPN hook for privateinternetaccess.com that automates port forwarding, dynamically adds a firewall rule, and starts/stops transmission when connected/disconnected

TODO

  • Ship a ready-to-go OpenVPN wrapper service for systemd
  • Get rid of cURL and rename (and sudo?) dependencies
  • Modularity
  • Automate the post-installation
  • Better error handling

Dependencies

  • curl
  • dnsutils (nslookup)
  • openvpn
  • sed
  • sudo
  • systemd (pseudo-optional - required for service start/stopping)
  • transmission-cli
  • ufw

Installation

ArchLinux

mkdir /tmp/pia-tools; cd !$
curl -O https://raw.githubusercontent.com/pschmitt/pia-tools/master/{PKGBUILD,pia-tools.install}
makepkg -si

Other distros

curl https://raw.githubusercontent.com/pschmitt/pia-tools/master/pia-tools > /usr/bin/pia-tools
chmod +x /usr/bin/pia-tools

MANPAGE

If you also want to have the MANPAGE:

curl https://raw.githubusercontent.com/pschmitt/pia-tools/master/pia-tools.groff | gzip -c - > $MAN_PATH/pia-tools.1.gz

Note: $MAN_PATH may not be defined, so you'll have to find out where to put the obtained file. On ArchLinux, this would be /usr/share/man/man1/

Systemd service file

curl https://raw.githubusercontent.com/pschmitt/pia-tools/master/pia@.service > /usr/lib/systemd/system/pia@.service

Post installation

First, I recommend creating /etc/openvpn/pia and the required config files:

mkdir -p /etc/openvpn/pia

# Feel free to edit the up/down parameters
cat <<EOM > /etc/openvpn/pia/pia_common
auth-user-pass passwd
script-security 2
up "/usr/bin/pia-tools -g"
down "/usr/bin/pia-tools --restore-dns"
EOM

# Start interactive setup
pia-tools --setup

The setup will store your credentials in /etc/openvpn/pia/passwd, download the config files from PIA and append /etc/openvpn/pia/pia_common to all of them.

To download the config files again, run pia-tools --update
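
A permission check for the files this setup produces, as an added example that is not part of pia-tools: /etc/openvpn/pia/passwd holds the credentials in plain text, and script-security 2 lets OpenVPN execute the up/down script with its own privileges. It assumes GNU stat; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from pia-tools). Assumes GNU stat; function names are hypothetical.

# Print the group and other permission digits of FILE, e.g. "00" for mode 600.
go_digits() {
    stat -c '%a' "$1" | sed 's/^/00/; s/.*\(..\)$/\1/'
}

# check_secret FILE [UID]: a credentials file must belong to UID (default 0,
# root) and grant nothing to group or other.
check_secret() {
    [ -f "$1" ] || { echo "FAIL $1: missing"; return 1; }
    [ "$(stat -c '%u' "$1")" = "${2:-0}" ] || { echo "FAIL $1: owner is not uid ${2:-0}"; return 1; }
    [ "$(go_digits "$1")" = "00" ] || { echo "FAIL $1: accessible beyond its owner"; return 1; }
    echo "OK   $1"
}

# check_hook FILE [UID]: a script named in up/down must belong to UID and must
# not be writable by group or other, or another account can change what
# OpenVPN executes.
check_hook() {
    [ -f "$1" ] || { echo "FAIL $1: missing"; return 1; }
    [ "$(stat -c '%u' "$1")" = "${2:-0}" ] || { echo "FAIL $1: owner is not uid ${2:-0}"; return 1; }
    case "$(go_digits "$1")" in
        *[2367]*) echo "FAIL $1: writable by group or other"; return 1 ;;
    esac
    echo "OK   $1"
}

# audit_pia CONFIG_DIR HOOK [UID]: run both checks; the return status is the
# number of failed checks.
audit_pia() {
    fails=0
    check_secret "$1/passwd" "$3" || fails=$((fails + 1))
    check_hook "$2" "$3" || fails=$((fails + 1))
    return "$fails"
}

# Typical call on an installed system (paths from the sample config on this page):
#   audit_pia /etc/openvpn/pia /usr/bin/pia-tools
```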

Go! Go! GOOOOO!

systemctl start pia@Sweden

Sample config file

Path: /etc/pia-tools.conf

PIA_CONFIG_DIR='/etc/openvpn/pia'
PIA_CONFIG_URL='https://www.privateinternetaccess.com/openvpn/openvpn.zip'
PIA_COMMON_CONFIG="$PIA_CONFIG_DIR/pia_common"
PIA_SERVERS_FILE="$PIA_CONFIG_DIR/piaservers"
PIA_SERVERS_IP_FILE="$PIA_CONFIG_DIR/piaserverips"
PIA_PASSWD_FILE="$PIA_CONFIG_DIR/passwd"
PIA_CLIENT_ID_FILE="$PIA_CONFIG_DIR/clientid"
TRANSMISSION_SETTINGS_FILE='/home/dl/.config/transmission-daemon/settings.json'
PIA_OPEN_PORT_FILE="$PIA_CONFIG_DIR/open_port"
VIRT_NET_DEV='tun0'

Read more

If you installed the MANPAGE:

man pia-tools

pia-tools's People

Contributors

ethanmad, jolan, noctuid, pschmitt

pia-tools's Issues

Error with Arch Linux PKGBuild

I'm getting an issue when running the makepkg -si

Reporting as
==> ERROR: install file (pia-tools.install) does not exist.

The links within the PKGBUILD refer to a pia-tools.install on Github which seems to be valid but doesn't work when trying to build.

This is on Arch Linux with all the dependencies you have outlined.

Sorry for the fairly rubbish description, not an expert here.

How to use on Ubuntu

How can I use this on Ubuntu? I have installed and ran setup but how can I start it?

New PIA port forwarding API

Hey! I'm just opening this issue to let you know that we (PIA) have a new port forwarding API available. It'd be worth taking a look on our forums over here: https://www.privateinternetaccess.com/forum/discussion/23431/

Specifically, a few things you'll want to keep in mind with the new API are:

  • You only need to call the API once and the port will stay open forever.
  • There's no need to include the username/password or the local IP, which should help simplify things.

If you run into any issues with this, feel free to reply here and I'll take a look.

Argument is not resolved from %i

When executing systemctl start pia@Sweden or any other location, the process fails with the following error

โ— [email protected] - PIA OpenVPN connection to Sweden
Loaded: loaded (/usr/lib/systemd/system/[email protected]; disabled)
Active: failed (Result: exit-code) since Tue 2014-08-05 11:35:06 PDT; 13s ago
Process: 450 ExecStart=/usr/sbin/openvpn --auth-nocache --cd /etc/openvpn/pia --config /etc/openvpn/pia/%i.ovpn --daemon openvpn@%i (code=exited, status=1/FAILURE)

Looks to me that somehow the argument isn't being passed in and therefore the %i never gets recognized as something else.

Routing

Hello,

I've been looking over your PIA scripts with great interest. I now have openvpn running as a client on my raspberry PI. I leverage my PI as a gateway/router, so that all outgoing IP traffic from my LAN goes over the VPN - it works really well.

The snag I've run into is with allowing incoming traffic over the VPN tunnel to a server/service running on my LAN. I've read plenty of blogs about allowing incoming connections on the regular WAN/LAN when VPN is connected. In my case, I want the incoming traffic to come in over the VPN channel.

I used your code to get access to the port forward from PIA, but cannot seem to redirect incoming TUN connections to ETH0 for the local PI nor any server on my LAN. I'm a noob with IPTABLES. At this point, I'm not entirely sure if PIA has the port open, but assume it must work if your code was working.

Can you provide any insight? It'd be greatly appreciated.

Thanks,

R.

dynamically add a firewall rule

The description of the repo says:

..., dynamically add a firewall rule.

Is this applying just for transmission? I hoped I could easily set a firewall rule to route incoming ssh connection via eth0, my "normal" public ip?
If so, could you please explain how. I wasn't able to figure it out while reading the code.

Thank you!

Unable to connect to pia after blocking non-VPN traffic

Hi,
I just discovered pia-tools (which is, in my opinion, the best pia-helper out there).
I encountered an issue when trying to block all non-VPN traffic with the option --disallow

The scenario is :

  • I configure pia-tools
  • I am not connected to pia yet
  • I run pia-tools -d
  • My interface gets denied in ufw
  • I try to start OpenVPN via systemctl start pia@Sweden
  • OpenVPN can not resolve privateinternetaccess dns names because my interface is blocked by ufw.

Here are systemd logs

Aug 15 13:53:17 raclette systemd[1]: Started PIA OpenVPN connection to Sweden.
Aug 15 13:53:17 raclette openvpn@Sweden[12752]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 15 13:53:17 raclette openvpn@Sweden[12752]: RESOLVE: Cannot resolve host address: sweden.privateinternetaccess.com:1198 (Name or service not known)
Aug 15 13:53:17 raclette openvpn@Sweden[12752]: RESOLVE: Cannot resolve host address: sweden.privateinternetaccess.com:1198 (Name or service not known)
Aug 15 13:53:17 raclette openvpn@Sweden[12752]: Could not determine IPv4/IPv6 protocol
Aug 15 13:53:17 raclette openvpn@Sweden[12752]: SIGUSR1[soft,init_instance] received, process restarting

And it will loop in this state until I disable ufw, and OpenVPN can connect to pia's VPNs.
I can then re-enable ufw and it keeps working.

Would it be possible to whitelist all private internet access IP's in ufw since we have the list from pia itself when installing pia-tools ?

By the way, the quick help pia-tools -h outputs
-a: Block non VPN traffic (iptables) -d: Unblock non VPN traffic (iptables)
but should output
-a: Allow non VPN traffic (iptables) -d: Block non VPN traffic (iptables)
(The manpage is right).

Thanks
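
The allowlist the issue above asks for, sketched as an added example that is not part of pia-tools or of the issue: it validates each entry of a server IP list before turning it into a ufw rule, because the list is downloaded and the rules are applied as root. The list format (one IPv4 address per line), the interface name, UDP as the protocol and the function names are assumptions; port 1198 is the one in the log above, and the addresses are constructed samples.

```shell
#!/bin/sh
# Added example (not from pia-tools). Function names are hypothetical.

# is_ipv4 STRING: succeed only for a dotted quad with each octet in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# emit_allow_rules DEVICE PORT PROTO < ip-list
# Reads one address per line, drops duplicates, blank lines and comments,
# rejects anything that is not IPv4, and prints one ufw command per address.
# Nothing is executed; review the output before running it as root.
emit_allow_rules() {
    dev=$1; port=$2; proto=$3
    sort -u | while IFS= read -r ip; do
        case "$ip" in ''|'#'*) continue ;; esac
        if is_ipv4 "$ip"; then
            echo "ufw allow out on $dev proto $proto to $ip port $port"
        else
            echo "skipped invalid entry: $ip" >&2
        fi
    done
}

# Constructed sample list: documentation addresses plus two bad entries.
sample_list() {
    printf '%s\n' '# constructed sample' 192.0.2.10 198.51.100.7 \
        192.0.2.10 999.1.1.1 example.invalid
}

sample_list | emit_allow_rules eth0 1198 udp
```

ufw applies the first matching rule, so these allows have to be in place before the interface is denied. They cover the tunnel endpoint only: a config that names the server by hostname still needs DNS to be reachable.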

Firewall Blocking Rules For Both Wifi and Ethernet

I think it might be better to set firewall rules for both (maybe turn DEV_NET into DEV_NET_WIFI and DEV_NET_ETHERNET) in the case of switching or just because one would want it to block whichever they were using without having to manually choose one each time. In the latter case, if DEV_NET isn't set, it could be set to whatever is active (maybe ip link show up | awk -F ": " '/state UP/ {print $2}').

I'm not sure how well doing this kind of thing to guess device names would work. As for defaults if a variable for wifi was added, I think iw dev | awk '/Interface/ {print $2}' should generally work. Assuming standard naming, it might be easier (though maybe not the best way) to just do ls /sys/class/net | grep en and ls /sys/class/net | grep wl.

For --deny, Deny Outgoing Traffic By Default?

EDIT: See the post below first.

With the current default for NETWORK_DEVICES, --disallow can only be used before starting vpn. It does not currently fit with the explanation in the manpage since by default it blocks the currently active interface (tun0 if vpn is running, blocking vpn). The same applies to --allow. Not only must it be run after vpn is off, it must be run with the same interface active (e.g. wifi or ethernet) or it will fail to unblock what was previously blocked.

I tried to address this in #25. It's probably not the best default behaviour, but it behaves consistently. When I use vpn, I want everything else to be blocked. I admittedly don't know really anything about docker or libvirt, but I think it's worth noting that the user only needs to change NETWORK_DEVICES to avoid the behaviour. Docker devices seem to be named consistently (docker) and could be easily ignored. Alternatively, we could try to only block the wifi and ethernet device.

If you don't like this idea at all for the default, how about grepping for state UP from ip link and taking the first match? This still may not allow the device that was blocked, but it will never give tun0 and will instead give the wifi or ethernet device. Maybe we could save the blocked device for the --allow?

Shouldn't ifconfig be removed?

The net-tools package, which provides ifconfig, is deprecated; shouldn't it be replaced by another tool? Let's say 'ip addre' for instance?

Man page typo?

Hi,

I apologize if the issue isn't pertinent, but after installing this package through the aur, the man page for pia-tools lists:

-a,  --allow
Block all non-VPN traffic
-d,  --disallow
Unblock all non-VPN traffic [default]

While running the command returns:

$ pia-tools -a
Allowing non-VPN traffic ... Done!
$ pia-tools -d
Denying non-VPN traffic ... Done!

Thank you for your work on this tool,
-ctag

Auto update pia configuration

A routine (systemd timer) should be implemented to regularly check if there are new or updated exit points and update the config files accordingly. Otherwise it may be possible that pia-tools gets "out of sync".

Not getting a new port assignment from PIA

Hi -

Thank you for this great tool - it's allowed me to be connectable!

I had it working for a few minutes yesterday, but at some point it stopped working. I have it narrowed down to the line where I request the opened port number from PIA; it seems to be returning nothing within the script except the Failed message from line 231. Attempting the curl from a shell returns:

curl: (7) Failed to connect to 209.222.18.222 port 2000: Connection refused

I'm sure I'm connected to PIA at the time, and I'm sure the traffic is going out through the VPN and not any other interface. Any idea why that would be happening?
