PIA Linux via NetworkManager OpenVPN on Fedora - A few questions.

After installing PIA via pia-nm.sh there are no options selected by default under Network -> VPN ( e.g. PIA - UK London ) -> Identity -> Advanced / OpenVPN Advanced Options -> TLS Authentication. Should anything be manually enabled? Or is there another mechanism to verify I'm connecting to an actual PIA server?

My understanding is that PIA uses the standard Diffie-Hellman algorithm for key agreement rather than the elliptic curve version. Is it susceptible to logjam, the attack disclosed in late 2015 on weakdh.org?

Since I'm only web browsing I've only allowed the ports for HTTP, HTTPS, DNS, and NTP over the tunnel. PIA is working just fine. Is there anything else I should allow to improve performance? e.g. icmp or BOOTP? If enabling icmp would improve performance, which icmp types specifically should be allowed? I assume ping for example wouldn't help your server.

Thank you in advance for your answers. You are running a great VPN service. My connection hasn't dropped in the ~200 hours I've been online. The speed is great. The cost is surprisingly low. I'm happy with the service and absolutely intend to renew my account next year. Viva la PIA.

Comments

  • Holy formatting. My original post included paragraphs. Preview and paragraphs both don't appear to work without scripts enabled. Sincere apologies. That wall of text is embarrassing, but I can't seem to fix it without enabling scripts.
  • Delete and repost? Or just repost...
  • I'll try one paragraph per comment. Hopefully the server won't call it spam. The only bad thing I can think of about PIA is how many scripts the website wants/needs to run. But that's the modern internet.
  • After installing PIA via pia-nm.sh there are no options selected by default under Network -> VPN ( e.g. PIA - UK London ) -> Identity -> Advanced / OpenVPN Advanced Options -> TLS Authentication. Should anything be manually enabled? Or is there another mechanism to verify I'm connecting to an actual PIA server?
  • My understanding is that PIA uses the standard Diffie-Hellman algorithm for key agreement rather than the elliptic curve version. Is it susceptible to logjam, the attack disclosed in late 2015 on weakdh.org?
  • Since I'm only web browsing I've only allowed the ports for HTTP, HTTPS, DNS, and NTP over the tunnel. PIA is working just fine. Is there anything else I should allow to improve performance? e.g. icmp or BOOTP? If enabling icmp would improve performance, which icmp types specifically should be allowed? I assume ping for example wouldn't help your server.
  • Thank you in advance for your answers. You are running a great VPN service. My connection hasn't dropped in the ~200 hours I've been online. The speed is great. The cost is surprisingly low. I'm happy with the service and absolutely intend to renew my account next year. Viva la PIA.
  • linuxpia said:
    After installing PIA via pia-nm.sh there are no options selected by default under Network -> VPN ( e.g. PIA - UK London ) -> Identity -> Advanced / OpenVPN Advanced Options -> TLS Authentication. Should anything be manually enabled? Or is there another mechanism to verify I'm connecting to an actual PIA server?
    The script sets a Certificate Authority (CA) certificate to use with the connection, which means it will only accept certificates that are signed by PIA for use with its servers.

    As far as I'm aware, the pia-nm.sh script should already be setting everything that needs to be set in the VPN profile.

    linuxpia said:
    My understanding is that PIA uses the standard Diffie-Hellman algorithm for key agreement rather than the elliptic curve version. Is it susceptible to logjam, the attack disclosed in late 2015 on weakdh.org?
    It's not really DH in itself that's vulnerable but weak keys and old features that were basically intended to lower the security (so-called export ciphers, which were aimed to provide adversary countries with weaker crypto than the US). This was patched long ago, and OpenVPN wasn't quite as affected as web servers were either.

    linuxpia said:
    Since I'm only web browsing I've only allowed the ports for HTTP, HTTPS, DNS, and NTP over the tunnel. PIA is working just fine. Is there anything else I should allow to improve performance? e.g. icmp or BOOTP? If enabling icmp would improve performance, which icmp types specifically should be allowed? I assume ping for example wouldn't help your server.
    There isn't really a need to firewall the tunnel unless there are things you don't want going out at all. ICMP should definitely be allowed as it is essential for the Internet to work properly (it still works without it, but it blocks very important flow control messages that can severely drop performance or prevent PMTU detection). I don't see any reason to block pings or other ICMP messages. BOOTP shouldn't leave the local network so it's fine to have it blocked.

    PIA is already protecting you so I don't think there is much value, if any, in blocking outgoing things. An app that would contact something on a specific port could always do the same over port 443 or even over a real HTTPS connection, making it pretty weak security to do protocol-based filtering.
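As an added check (not from the thread or from pia-nm.sh), the shell snippet below dumps a NetworkManager profile's OpenVPN settings with nmcli and reports whether a CA is pinned and whether the control channel carries tls-auth/tls-crypt or remote-cert-tls, which is what actually answers "am I talking to a real server". The key names ca, ta, tls-crypt and remote-cert-tls are assumed to be NetworkManager-openvpn's; the profile name "PIA - UK London" comes from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from pia-nm.sh. Assumes the
# NetworkManager-openvpn vpn.data key names ca, ta, tls-crypt and remote-cert-tls.

# Flatten the OpenVPN settings of a NetworkManager profile into key=value lines.
nm_vpn_data() {
    nmcli -t -f vpn.data connection show "$1" |
        sed 's/^vpn\.data://' | tr ',' '\n' | sed 's/^ *//; s/ = /=/'
}

# Read key=value lines on stdin and report whether the profile can verify the
# server: a pinned CA is mandatory, control-channel protection is a bonus.
# Returns 1 when no CA is configured (any certificate would be accepted).
check_server_auth() {
    data=$(cat)
    get() { printf '%s\n' "$data" | sed -n "s/^$1=//p"; }
    status=0
    if [ -n "$(get ca)" ]; then
        echo "ok: server certificates must chain to $(get ca)"
    else
        echo "FAIL: no ca set, server identity is not verified"
        status=1
    fi
    if [ -n "$(get ta)" ] || [ -n "$(get tls-crypt)" ]; then
        echo "ok: tls-auth/tls-crypt key present, control channel is HMAC-protected"
    elif [ "$(get remote-cert-tls)" = "server" ]; then
        echo "ok: remote-cert-tls=server, a client certificate cannot pose as a server"
    else
        echo "note: no tls-auth, tls-crypt or remote-cert-tls; the CA check stands alone"
    fi
    return $status
}

# Usage: sh check-pia-profile.sh "PIA - UK London"
if [ -n "$1" ]; then
    nm_vpn_data "$1" | check_server_auth
fi
```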