[PIA Tunnel] A Virtual Machine VPN tunnel

edited September 2013 in Other Privacy Software Posts: 19
PIA-Tunnel is a virtual machine that may act as the default gateway for any device on your network.
It supports two separate LAN segments, one for your private LAN and a second one to completely isolated all network traffic.
The image below illustrates the current network setup supported by the VM.


PIA-Tunnel VM is designed to be simple to use so even if the diagram above looks a bit complicated. Using the VM usually only requires that you start it and initiate a VPN connection.

  • Open by design. Script based, so no binaries with hidden features, and you may roll your own VM by following the Clean Installation Steps.txt
  • Complete network isolation with private VM LAN segment (leak protection)
  • Simple Web-interface (Screenshots)
  • Port forwarding to 1 IP on your LAN or private VM LAN
  • Runs on existing hardware, your Computer
  • Requires 1 CPU core, 92MB RAM and less then 2GB free drive space
Latest Documentation: http://www.kaisersoft.net/r/?PIADOCU   <= READ THIS!

Latest Image: http://www.kaisersoft.net/r/?PIAIMG

Contact Support: http://www.kaisersoft.net/r/?HELPME
I don't check this thread regularly so using the contact form is usually the best way to get in touch with me.

Please note that this is the official "PIA Tunnel PHP-GUI" release. Any previous VMs where development builds and will not be upgraded. Please download http://www.kaisersoft.net/r/?PIAIMG to get the current version which will be maintained and upgraded from here on out.
Post edited by VPN_Dude on


    Posts: 795
    At the first glance his looks like some nice work, thank you.
    I'll check out the scripts later.
  • Posts: 19
    I have tested the VM on a few different system and networks already and am pleased to "announce" that it has been working as it should :)

    I did notice an issue causing the VM to sometime locked up after the Grub screen. This appears to be caused by an issue with LVM and only having 80MB RAM. I increased the RAM to 92MB to get around this issue until I have time to reroll a VM without LVN.

    If anybody downloaded the older 2013-07-21 release then you need to run "pia-update" followed by "pia-setup" to get everything updated. After that "pia-update" will automatically call "pia-setup" after each run.
  • edited July 2013 Posts: 19
    This keeps getting better and better :)

    I run a separate VM to handle my torrents and I wanted to ensure that the VM will disconnect the VPN AND Internet connection if something goes wrong.
    So I wrote pia-daemon, a little shell script that will continuously monitor the VPN,
    If it goes down then forwarding is automatically disabled until the VPN connection is reestablished.

    pia-daemon will also monitor your Internet connection and will lock everything down until Internet + VPN is back up.
    Here is a screenshot of pia-daemon in action
    pia daemon

    First I create a connection to Sweden with "pia-start Sweden". Once connected I proceed to start "pia-daemon" to keep monitoring the VPN connection.
    I disconnected the network cable (simulates DSL going down) and pia-daemon responded by closing everything for a few minutes.

    This feature is still highly experimental but appears to work well :)
    BTW, this VM should work with any VPN service that supports openvpn!
    Post edited by VPN_Dude on
  • edited July 2013 Posts: 19
    Now that things appear to work I have time to clean everything up a bit.
    This is the "make it pretty" update :)

    This VM is running on my ESXi Server and I am using pia-daemon to initiate the first VPN connection. pia-daemon was not indented to be used this way but the code can handle it ..... and I am lazy :)
    pia tunnel2013 07 26
    Post edited by VPN_Dude on
  • Posts: 433
    Looking good!  Once you're comfortable with it changing from beta, I'll be glad to sticky this near the top.  I've got a daemon being written (Slowly) to provide standardized access on linux, so I'm hoping to finish that up (soon) and provide a standard, easy, non-cli client for people to use.  One of these days I might actually finish it too.
  • edited August 2013 Posts: 19
    Hello Alex,

    thanks for the offer. The scripts are now "stable" and the daemon will loop in the background constantly testing the VPN connection. I have tested this any way I can think of and the daemon will recover the VPN connection every time.

    Major changes:
    + all settings have been moved to /pia/settings.conf. this is not tracked by git so modifying that file will not break my update script (pia-update)
    + pia-update works well, run it every now and then to keep the scripts up to date
    + There are a few ReadMe*.txt files located in /pia.

    I have setup this VM on multiple computers running Windows or Linux and have not experienced a single issue.

    Special thanks goes to an anonymous donor. He or She decided to support this project with a 2 BTC donation to 157Gh2dTCkrip8hqj3TKqzWiezHXTPqNrV  !THANK YOU!

    EDIT: Updated first post with new information and added a pretty picture :)
    Post edited by VPN_Dude on
  • Posts: 13
    Looks like just what I'm after.   I'll give it a go.

    Thanks for the effort.
  • Posts: 181
    It looks very promising! :-))

    If you could provide a tutorial how to install it from start to finish on a Windows PC, I would like to give it a try. :-)
  • edited August 2013 Posts: 19
    Sry for being away for a while. Been really busy and did not notice how quickly the days went by....
    If you could provide a tutorial how to install it from start to finish on a Windows PC, I would like to give it a try. :-)
    Anyway. the VM is currently for "advanced users" as it will only bridge a virtual network. So it requires that you are already familiar with virtual machines.

    That said, I have been thinking about expanding the VM by adding a third
    network interface as a bridge to your LAN. This would allow you to use
    the VM as a default gateway for any machine on your LAN. Once it can do that it could be used as "the" Private Internet Access VPN Client for all your LAN computers.
    This is when the VM will be ready for anybody and I'll write some simple step by step instructions.

    I want to add the following features as soon as I can find some free time :)
    + write deamon to allow a remote computer to query for the currently forwarded port .... might be possible to allow PCs to register themselves for port forwarding .... we'll see
    + add VPN bridge to LAN

    The first feature would be nice for servers, things like torrent clients. Someone  could write a monitoring client/script to start the server with the port settings provided by the PIA VM.

    The second option would be nice to get around crap like country IP blocks. Say you hit a "Video not available" on YouTube. Then you would set the PIA VM's IP as the default gateway of your current computer and route all your traffic through the VPN.
    Changing the gateway only takes a few clicks and since the PIA VM holds a connection you will be able to use the VPN as soon as you click "OK".

    Post edited by VPN_Dude on
  • Posts: 181
    I look forward to your developments :-)
  • Posts: 19
    A the weekend is finally here. I worked on the daemon yesterday evening and got the first version "working". It can already create a VPN connection and it accepts remote commands :)
  • edited August 2013 Posts: 19
    OK here we go - PIA Tunnel VM v2.0-alpha :)

    I had a serious "talk" with myself and came to the conclusion that my remote socket daemon is just too complicated for most users.
    Too bad because it would have been interesting for people like myself - RIP.

    * Introducing PIA Tunnel VM with web GUI *
    I wrote a web GUI to mange the Virtual Machine and VPN connection. This is still in in development but works quite well.
    So give a try and please let me know if you run into any problems.

    * Overview Screen

    * Network Config

    * VPN account settings

    Major changes to previous Versions
    * now comes with configuration GUI
    * can now act as a Gateway for your LAN and private vLAN segment

    Please note that this is a separate branch right now so this will not work with the previous PIA VM.
    You may find the latest guide and download location here:
    Post edited by VPN_Dude on
  • Posts: 13
    Its taken me so long to find time to let you know how I'm getting on with it that you've come up with new version!

    I'll DL the new version as the web front end looks funky.

    I'm really liking the original version, certainly easier than fannying around with getting the pia app to work in windows 8.

    I'm running it in virtual box rather than vmware but seems to run fine.

    One thing I did notice is that now I've got superfast broadband the vpn vm couldn't keep up with just one processor, so I've had to give it 2 and it still only goes up to 50mb/s but then the full client is the same.  Surprising how much cpu goes into running a vpn.

    A feature request I have is to be able to access a proxy on the machine behind the vpn vm from a machine on the normal LAN.  This way I could selectively browse the internet securely from any machine just by turning the proxy settings on.   Your idea above of a 3rd nic might do the trick, or even better build in a proxy to your image if that's possible.

    All in all I'm impressed, looking forwards to seeing new developments.


    Posts: 795
    Some VM network drivers offload packet processing to the main CPU, gobbling up cycles like crazy. Try to use the hardware virtualized drivers (if your chipset/CPU supports it), those should lower CPU usage considerably.
  • Posts: 13
    Thats the baby.

    Using the Paravirtualized nic option and I'm getting 50-70Mbits/s (bt infinity is great) with only 1 cpu core assigned to the PIA VM.


    I'll give the new version a try over the weekend if the GF doesn't find me to many chores to do!
  • edited August 2013 Posts: 19
    Hey nipsy,

    thanks for the info about the network driver. I have been focusing on getting everything working so things may not be properly optimized yet.
    I have access to a synchronous gigabit Internet connection and I'll be running some test on it soon to see how the VM handles the traffic. It will saturate my home connection with 1.1MB/s down while running on one of my Laptop CPU cores (i5-3317U).

    I released a new GUI versions a few minutes ago. Once you run "pia-update" you will have access to all new features.
    The settings should now store properly and the "tools" page has been populated with the first scripts. The VPN should be able to act as a network gateway for the entire LAN by setting "VPN Gateway for public LAN" to yes.

    I think I found the correct route for this project and I am exited to implement a few more ideas.
    Next up will be a Setup Wizard to avoid any command line interactions :)

    pia tunnel config
    Post edited by VPN_Dude on
  • Posts: 13
    Hi Dude

    If I run the pia-update from the web front end It processes the script, 

    Updating 1e90d50..b7bd58e

    Showing the last 3 commit messages
    by: Mirko Kaiser on 2013-08-22 16:14:37 +0200
    >> * new tool page <<

    by: Mirko Kaiser on 2013-08-22 15:23:11 +0200
    >> * update and full reset via web interface <<

    by: Mirko Kaiser on 2013-08-22 14:44:07 +0200
    >> * working on tools page <<

    Which all looks fine but the interface does not seem to have changed.

    If I run the pi-update from the cli and I get this error:

    Updating 1e90d50..b7bd58e
    error: Your local changes to the following files would be overwritten by merge:
    Please, commit your changes or stash them before you can merge.

    Showing the last 3 commit messages
    by: Mirko Kaiser on 2013-08-22 16:14:37 +0200
    >> * new tool page <<

    by: Mirko Kaiser on 2013-08-22 15:23:11 +0200
    >> * update and full reset via web interface <<

    by: Mirko Kaiser on 2013-08-22 14:44:07 +0200
    >> * working on tools page <<

    Any ideas?

  • Posts: 19
    Hey nipsy,

    I just had the same experience and came here to post the solution.

    Login as root and run

    cd /pia
    git reset --hard php-gui
    git pull origin

    that should be it and it should work from now on.
    Sorry about that
  • edited August 2013 Posts: 181


    You a on a right path to the hearts of VPN Regular Users :-) Keep up the great job!
    Post edited by VPNTester on
  • Posts: 13
    There wasn't much chance of me working that out.   :-O

    Worked a treat, thanks very much.

  • edited September 2013 Posts: 19
    @nipsy that only happened because I did not retest everything with the development VM. Lesson learned :)

    I just applied my pia-daemon changes to the php-gui so VPN fallback is now supported by the php-gui as well. I'll merge the changes back into the main release once I have the new "Setup Wizard" done.

    "Network Config" => "PIA Daemon Settings" => "Enable pia-daemon"
    Setting this option to "yes" will autostart the daemon after a connection has been established using the "Connect VPN" button. Please keep in mind that this will initiate a VPN connection with the location you selected and not with your "Failover 0" setting, unless they happen to be the same.

    The better way to use the pia-daemon is to start with a disconnect VPN, then simply hit the "Start pia-daemon" button.
    The daemon will connect to "Failover 0", periodically check for a good connection and switch to "Failover n" if the PIA VPN Service goes down at that location.

    /Shameless plug
    internet uptime monitor
    BTW, if anybody needs a very simple "Internet Uptime Checker" for Windows. I wrote a tool yesterday that will download a website, look for one or more words on that site and either report "OK" or "ERROR" in a grid view. I am only posting this here because it is somewhat related to my work above and it is 100% free and open source.
    Internet Uptime Monitor.exe
    Post edited by VPN_Dude on
  • Posts: 13
    Hi dude

    Still getting on great with this, a great little project.

    I have a couple of (hopefully useful) suggestions for future versions:-
     - On connection translate the assigned 'forwarded' port number to a static port number on the inside pc.   At the moment every time the port changes the torrent client has to be reconfigured.
     - Ability to reserve the mac address of the 192.168,10.101 machine in the dhcp scope.
     - Show the version number of your sw on the manager page, so I can tell its updated.


  • Hi,

    My host is Windows 8.1, and the VPN client doesn't seem to work well on Windows 8.1 . Can i run this VM so that my host has an VPN connection, provided by the VM?

    Posts: 795
    Ability to reserve the mac address of the 192.168,10.101 machine in the dhcp scope.
    Äh, what?
  • Posts: 4,013
    The MAC address of the adapter is controlled by the machine with the hardware or the software drivers that emulate the adapter. For example, the VPN uses a virtual adapter we know as the "TAP-Win32 Adapter V9". With a bit of common knowledge you can change this and any other common adapter MAC to whatever you want it to be.

    I will not go into this, as the MAC system being spoofed can be interpreted as a means to commit a crime. Search engines will tell you what you want to know about how this works though.
  • Posts: 13
    In a dhcp server you can reserve ip addresses based on the mac address of the requesting device.

    I know how to do this on a windows server and a cisco router, but no idea how to on linux.
    Posts: 795
    @nipsy: Ah. Thanks for clarification.

  • edited September 2013 Posts: 19
    Hello Everybody,

    I have been busing testing the my latest changes and writing a proper manual so I'll update the first post with the new instructions.
    On connection translate the assigned 'forwarded' port number to a static
    port number on the inside pc.   At the moment every time the port
    changes the torrent client has to be reconfigured.

    The port number is a problem but I am not sure if this can be done. My torrent client needs to know the outside port to work properly so even if the private (LAN) port is static then the torrent client will never know about the current public port.
    I wanted to solve this by providing a script that will check if the port has changed and restart/reconfigure your server software to use the new port. This will only work with selected software but I'll double check my options before I get started.
    Now that the UI is working I'll focus on that.
    Ability to reserve the mac address of the 192.168,10.101 machine in the dhcp scope.
    Not in the GUI yet but I'll get on it. Take a look at /etc/dhcp/dhcpd.conf
    There is a static host  example at the very bottom of the file.
    Show the version number of your sw on the manager page, so I can tell its updated.
    This may have to wait until I get around to adding javascript to certain elements but it will come.
    Can i run this VM so that my host has an VPN connection, provided by the VM?
    Sure can, please check the first post in about an hour. It will come with step by step instructions and a GUI to get everything up and running.
    EDIT: or a bit longer since the PIA website is having issues right now :(

    Post edited by VPN_Dude on
  •  - Ability to reserve the mac address of the 192.168,10.101 machine in the dhcp scope.
    Done, I added  "Fixed IP" and "MAC for IP" fields to the configuration option. Please note that there is no input/sanity validation so make sure that the Fixed IP is not within your dynamic scope.

    Also, please see the first post to get the "official release" since the various development builds will not be maintained.
  • I just pushed the next update out and this is a big one. The update adds user account support to the Web-GUI and protects all forms with security tokens.

    Please goto "Tools" => "Start pia-update" to get the latest changes.

    P.S. @nipsy I looked into "dynamic port allocation" to setup port forwarding and I don't think that this is possible. The way port forwarding works with PIA is the opposite of a "home internet service". At home you select the port you want to use but with PIA "the port selects you" :)

    Which torrent client are you running?
Sign In or Register to comment.