I used the AUR manager aurutils to download and set up any AUR packages.
mkdir -p ~/Downloads && cd ~/Downloads
gpg --recv-key 6BC26A17B9B7018A && gpg --lsign 6BC26A17B9B7018A
git clone https://aur.archlinux.org/aurutils.git
cd aurutils && makepkg -si && cd .. && rm -rf aurutils
If used, setup repo for .
OpenVPN
ipv6 should be since PIA . Add ipv6.disable=1 to /boot/cmdline.txt and reboot. To check if it's disabled, see if you get an ipv6 address with ip addr. If disabled, inet6 will not be present.
Install .
pacman -S openvpn
In order to install openvpn, required scripts need to be ,
Edit the file, replace the server remote nl.privateinternetaccess.com 1197 with the PIA servers you want to use. The servers are in the openvpn files. They can all be listed with a grep for privateinternetaccess.com.
To use a random server from a list, remote-random can be used. Replace the single server in /etc/openvpn/client/custompivpn.conf with the list of servers you would like to use. After the list add remote-random.
To log in to the VPN automatically with your PIA username and password, add them to a file, with the username on line one and the password on line two. Add the file path to the config after auth-user-pass.
client
dev tun
proto udp
remote nl.privateinternetaccess.com 1197
remote ca.privateinternetaccess.com 1197
remote ca-toronto.privateinternetaccess.com 1197
remote ca-vancouver.privateinternetaccess.com 1197
remote sweden.privateinternetaccess.com 1197
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-256-cbc
auth sha256
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/pia_auth
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.rsa.4096.pem
ca ca.rsa.4096.crt
disable-occ
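The config above depends on three things that are easy to get wrong: a credentials file holding the password in plain text, a server list that only rotates when remote-random is present, and ca/crl-verify files given as bare names. The following lint is an added example, not part of the original post; the function name lint_ovpn_conf is an assumption, and relative paths are resolved against the config's own directory.

```sh
#!/bin/sh
# Added example: lint an OpenVPN client config shaped like the one above.
# Prints one finding per line; exit status is 0 only when there are none.
lint_ovpn_conf() (
    conf=$1
    dir=$(dirname "$conf")
    findings=0
    report() { echo "$1"; findings=$((findings + 1)); }

    # The auth-user-pass file holds the VPN password in plain text.
    auth=$(awk '$1 == "auth-user-pass" { print $2 }' "$conf")
    if [ -z "$auth" ]; then
        report "auth-user-pass names no file, so an unattended start cannot log in"
    elif [ ! -f "$auth" ]; then
        report "credentials file $auth is missing"
    else
        mode=$(stat -c %a "$auth")   # GNU stat, as shipped on Arch
        case $mode in
            [0-7]00) ;;              # no group or other access
            *) report "credentials file $auth is mode $mode; use 600" ;;
        esac
        lines=$(awk 'NF { n++ } END { print n + 0 }' "$auth")
        [ "$lines" -eq 2 ] || report "credentials file $auth has $lines non-empty lines; expected username then password"
    fi

    # remote-random only matters when there is a list to pick from.
    remotes=$(awk '$1 == "remote" { n++ } END { print n + 0 }' "$conf")
    random=$(awk '$1 == "remote-random" { n++ } END { print n + 0 }' "$conf")
    [ "$remotes" -ge 1 ] || report "no remote lines"
    if [ "$remotes" -gt 1 ] && [ "$random" -eq 0 ]; then
        report "$remotes remotes without remote-random: servers are tried in file order"
    fi

    # ca and crl-verify: relative names are resolved against the config's directory.
    for f in $(awk '$1 == "ca" || $1 == "crl-verify" { print $2 }' "$conf"); do
        case $f in
            /*) path=$f ;;
            *)  path=$dir/$f ;;
        esac
        [ -f "$path" ] || report "$f not found at $path"
    done

    [ "$findings" -eq 0 ]
)
```

Run it as lint_ovpn_conf /etc/openvpn/client/custompivpn.conf before starting the service.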
If you're connected over SSH to your pi, connection to the pi will drop if openvpn is started. This is because the default gateway changes. To make local connections continue to be routed over the same interface that SSH was started on, add a new table using the ip command.
ip rule add table 128 from <PI IP ADDRESS>
ip route add table 128 to <SUBNET>/24 dev <INTERFACE>
ip route add table 128 default via <GATEWAY>
For me this looks like the following, since the IP address of my pi was 172.20.30.4 and my interface was eth0.
ip rule add table 128 from 172.20.30.4
ip route add table 128 to 172.20.30.0/24 dev eth0
ip route add table 128 default via 172.20.30.1
I added these as an ExecStartPre to systemd-networkd.
systemctl edit systemd-networkd
[Service]
ExecStartPre=-/usr/bin/ip rule add table 128 from 172.20.30.4
ExecStartPre=-/usr/bin/ip route add table 128 to 172.20.30.0/24 dev eth0
ExecStartPre=-/usr/bin/ip route add table 128 default via 172.20.30.1
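The "-" prefix on each ExecStartPre line tells systemd to ignore a failing command, so a rule or route that was never added goes unnoticed until the VPN comes up and SSH drops. The following check, run after a reboot and before starting OpenVPN, is an added example and not part of the original post; the function name check_table_128 and the IP override variable are assumptions.

```sh
#!/bin/sh
# Added example: confirm routing table 128 holds the rule and both routes.
IP=${IP:-ip}   # assumption: overridable so the parsing can be tried without root

# check_table_128 PI_ADDRESS SUBNET/PREFIX GATEWAY INTERFACE
# Prints one line per missing entry; exit status is 0 only when all are present.
check_table_128() (
    addr=$1 subnet=$2 gw=$3 dev=$4
    missing=0
    need() { echo "missing: $1"; missing=$((missing + 1)); }

    # "ip rule show" prints lines such as "32765: from 172.20.30.4 lookup 128".
    $IP rule show | awk -v a="$addr" \
        '$2 == "from" && $3 == a && $4 == "lookup" && $5 == "128" { ok = 1 }
         END { exit !ok }' || need "rule from $addr lookup 128"

    # An empty or absent table yields no routes at all.
    routes=$($IP route show table 128 2>/dev/null) || routes=""

    # Traffic to the local subnet must stay on the LAN interface.
    echo "$routes" | awk -v s="$subnet" -v d="$dev" \
        '$1 == s && $2 == "dev" && $3 == d { ok = 1 } END { exit !ok }' \
        || need "route $subnet dev $dev in table 128"

    # Replies to clients outside the subnet leave via the original gateway.
    echo "$routes" | awk -v g="$gw" \
        '$1 == "default" && $2 == "via" && $3 == g { ok = 1 } END { exit !ok }' \
        || need "default via $gw in table 128"

    [ "$missing" -eq 0 ]
)
```

With the values used above: check_table_128 172.20.30.4 172.20.30.0/24 172.20.30.1 eth0.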
Now OpenVPN can be started. A systemd unit exists that lets any client configuration be started from the directory where we put our configuration, so long as its name ends in .conf. If everything is set up correctly we should be able to start our VPN connection with systemctl start openvpn-client@custompivpn.
I was concerned about losing the connection and not being able to get back into my pi, so the first time I started the service in tmux with a five-minute kill timer. If I wasn't able to reconnect, the service would be stopped after five minutes and I would be able to get back in.
Fortunately everything was set up correctly, so my connection wasn't dropped.
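One way to build the kill timer described above is a start-then-confirm wrapper. This is an added example, not the author's script; the function name start_with_deadman, the SYSTEMCTL override variable and the confirmation file path are assumptions.

```sh
#!/bin/sh
# Added example: start a unit, then stop it again unless someone confirms in time.
SYSTEMCTL=${SYSTEMCTL:-systemctl}   # assumption: overridable for a dry run

# start_with_deadman UNIT SECONDS CONFIRM_FILE
# exit status: 0 confirmed, 1 start failed, 2 timed out and the unit was stopped
start_with_deadman() (
    unit=$1 timeout=$2 confirm=$3
    rm -f "$confirm"                 # a stale file must not count as confirmation
    $SYSTEMCTL start "$unit" || exit 1
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if [ -e "$confirm" ]; then
            echo "confirmed after ${waited}s, leaving $unit running"
            exit 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    echo "no confirmation within ${timeout}s, stopping $unit"
    $SYSTEMCTL stop "$unit"
    exit 2
)

# On the Pi, inside tmux so the timer survives a dropped SSH session:
#   start_with_deadman openvpn-client@custompivpn 300 /run/vpn-confirmed
# Then, from a fresh SSH login made while the VPN is up:
#   touch /run/vpn-confirmed
```

Because the confirmation can only be given from a new login, an unreachable pi reverts to its previous routing on its own.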
To make sure that the VPN is working correctly, and that your IP is changing, check your IP address before and after the VPN is started with curl -s checkip.dyndns.org. After starting the VPN I got a Swedish IP address, meaning the VPN was working.
Create User
I'll be using the media user and group for everything torrent related. Create it.
groupadd --gid 8675309 media
useradd --system --shell /usr/bin/nologin --gid 8675309 --uid 8675309 media
Network Shares
NFS Configuration
pacman -S nfs-utils
Enable NFSv4 idmapping
echo N > /sys/module/nfs/parameters/nfs4_disable_idmapping
Make the setting permanent in /etc/modprobe.d/nfsd.conf.
options nfsd nfs4_disable_idmapping=0
Mount Shares
Add mounts to /etc/fstab.
mkdir -p /media/Downloads/{Complete,Incomplete} /media/Torrents
chown -R media:media /media/*
mount lilan.ramsden.network:/mnt/tank/media/Downloads/Complete /media/Downloads/Complete
mount lilan.ramsden.network:/mnt/tank/media/Downloads/Incomplete /media/Downloads/Incomplete
mount lilan.ramsden.network:/mnt/tank/media/Torrents /media/Torrents
Generate fstab entries and copy the NFS mounts into /etc/fstab.
genfstab -U /
DNS
You can then add the following into your OpenVPN configuration file:
script-security 2
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
up /etc/openvpn/scripts/update-systemd-resolved
down /etc/openvpn/scripts/update-systemd-resolved
down-pre
It will then follow dhcp-option commands set in OpenVPN.
We can use PIA's DNS servers this way:
dhcp-option DNS 209.222.18.222
dhcp-option DNS 209.222.18.218
Now, after starting OpenVPN, you should see the following new lines in /etc/resolv.conf.