Use PIA VPN on Linux w/o GUI client, but still have kill-switch and port forwarding functionality

I am wanting to build a VM that will use PIA. I would like to use Linux, but I've recently learned that PIA's Linux client requires a GUI and cannot be used wholly from a CLI. I want this VM to be headless and as lightweight as possible, so a GUI's out. My only interests in using PIA's client are the kill switch and the port forwarding features.


Couldn't I achieve the same functionality using OpenVPN to connect to PIA, and a firewall rule to route all non-LAN (local) traffic through the VPN? Thus, if the VPN tunnel goes down the traffic won't be able to go anywhere. And as for the port forwarding, can't I just open a port on the firewall with a firewall rule that routes all traffic to that port to the app (BitTorrent client) I want to use the open port for?


Or is there some other/more elegant way to achieve my goals?

Comments

  • Please run piactl -h for our CLI, or piactl -uh to include the "unstable" commands.
  • From what I've read, you must have the GUI client running, even to access the CLI commands. Is this not true?

    https://www.privateinternetaccess.com/helpdesk/kb/articles/pia-desktop-command-line-interface

    Usage: piactl [options] command [parameters...]
    Command-line interface to the PIA client. Some commands, such as connect, require that the graphical client is also running.
  • I know you are looking for 'kill switch' and 'port forwarding'. Comodo for Linux can give you the 'kill switch' functionality. I use it on my Windows machine so if for any reason the MAC changes, then I am disconnected instantly from the network. You might look to see if that would work for you.
  • Thank you for your suggestion. However, based upon the product info, Comodo for Linux only supports very old versions of Linux.
  • Sorry, I am not a linux user and did not know that. :(
  • I'm also in the same boat. The fact that PIA drops connections seemingly randomly with OpenVPN is crappy in itself, but I've tried a few different firewall rules to block all traffic on anything other than the tun0 connection.

    That kind of works, but then it's annoying with other services and firewall rules for my headless server. I'm on Ubuntu 18.04.4 LTS. I've basically had to set up Splunk monitoring to alert my phone if the VPN connection drops. It shouldn't take this level of workarounds.
  • IMO the best and most reliable solution would be to set up a kill switch on your router if it supports iptables (or get one which does). Basically you have to allow connections to the VPN port for some (or all) IPs from your local network and forbid connections to any other ports, so any time the VPN connection is gone, no internet traffic will be possible. And disable IPv6 or set up iptables for it as well. This solution has worked for me for many years already (I'm using routers on DD-WRT).
  • P.S. Here is a basic idea of how it should look:

    ####  Killswitch ####################################################

    #### clean rules #################################################
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -t nat -F
    iptables -t mangle -F
    iptables -F
    iptables -X

    #allow DNS to VPN
    iptables -A FORWARD -p udp -d 209.222.18.222 --dport 53 -j ACCEPT
    iptables -A FORWARD -p udp -d 209.222.18.218 --dport 53 -j ACCEPT

    #allow traffic on following ports
    #123 - Timesync before VPN for Devices without RTC-Clock
    #1194, 1198 - VPN
    #this doesn't work on DD-WRT v3.0-r40559 on Archer C7
    #iptables -A FORWARD -p udp -m multiport --dports 123,1194,1198 -j ACCEPT
    iptables -A FORWARD -p udp --dport 123 -j ACCEPT
    iptables -A FORWARD -p udp --dport 1194 -j ACCEPT
    iptables -A FORWARD -p udp --dport 1198 -j ACCEPT

    # QNAP - allow MAIL WITH ERRORS
    iptables -A FORWARD -p tcp -s 192.168.9.10 --dport 465 -j ACCEPT
    # QNAP
    iptables -A FORWARD -s 192.168.9.10 -j REJECT
    # Headless Server
    iptables -A FORWARD -s 192.168.9.20 -j REJECT
    So basically I allow traffic on the VPN ports and then forbid any other traffic for two clients in my network that are not able to connect if the VPN is down.
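The same idea applied on the headless VM itself rather than on the router, covering both the original proposal (OpenVPN plus a firewall that only lets traffic out through the tunnel) and the forwarded port for the torrent client. This is an added example written for this thread, not PIA's code or the router script above; the interface names tun0/eth0, the LAN 192.168.1.0/24, and the VPN server IP and port are placeholders you would replace.

```shell
#!/bin/sh
# Host-based kill switch for a headless OpenVPN client, example code written for
# this thread (not PIA's client or the router script above). Assumed names:
# tun0 = VPN interface, eth0 = LAN-facing interface, 192.168.1.0/24 = LAN;
# the VPN server IP and UDP port are arguments. DRY_RUN=1 prints the commands
# instead of applying them (applying needs root).
set -eu

LAN_NET="${LAN_NET:-192.168.1.0/24}"
VPN_IF="${VPN_IF:-tun0}"
WAN_IF="${WAN_IF:-eth0}"
DRY_RUN="${DRY_RUN:-0}"

run() {
    # Print the command when DRY_RUN=1, otherwise execute it.
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# killswitch <vpn-server-ip> <vpn-udp-port>
# Default-deny OUTPUT, then allow only loopback, the LAN (so SSH keeps working),
# the UDP handshake to the VPN server on the physical interface, and anything
# leaving through the tunnel. If tun0 goes away, nothing else can leave.
# Use "remote <ip>" in the OpenVPN config: hostname lookups cannot exit via eth0.
killswitch() {
    vpn_host="$1"; vpn_port="$2"
    run iptables -F OUTPUT
    run iptables -F INPUT
    run iptables -P OUTPUT DROP
    run iptables -A OUTPUT -o lo -j ACCEPT
    run iptables -A OUTPUT -o "$WAN_IF" -d "$LAN_NET" -j ACCEPT
    run iptables -A OUTPUT -o "$WAN_IF" -d "$vpn_host" -p udp --dport "$vpn_port" -j ACCEPT
    run iptables -A OUTPUT -o "$VPN_IF" -j ACCEPT
    # Inbound over the tunnel: replies yes, unsolicited connections no.
    run iptables -A INPUT -i "$VPN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$VPN_IF" -j DROP
    # Same default-deny for IPv6 so nothing leaks around the tunnel.
    run ip6tables -P OUTPUT DROP
}

# allow_forwarded_port <port>: the port PIA assigns is only reachable through
# tun0, so open it there (inserted ahead of the tun0 DROP) and make the torrent
# client listen on that same port; the host itself needs no NAT rule.
allow_forwarded_port() {
    run iptables -I INPUT -i "$VPN_IF" -p tcp --dport "$1" -j ACCEPT
    run iptables -I INPUT -i "$VPN_IF" -p udp --dport "$1" -j ACCEPT
}

# Usage: ./killswitch.sh <vpn-server-ip> <vpn-udp-port> [forwarded-port]
if [ "$#" -ge 2 ]; then killswitch "$1" "$2"; fi
if [ "$#" -ge 3 ]; then allow_forwarded_port "$3"; fi
```

Run it with DRY_RUN=1 first to review the generated rules; DNS for the torrent client then has to come from a LAN resolver or the servers PIA pushes over the tunnel, since nothing else can leave via eth0.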

