[](https://github.com/qdm12/private-internet-access-docker/actions?query=workflow%3A%22Buildx+latest%22)
[](https://hub.docker.com/r/qmcgaw/private-internet-access)
[](https://hub.docker.com/r/qmcgaw/private-internet-access)
[](https://github.com/qdm12/private-internet-access-docker/issues)
[](https://github.com/qdm12/private-internet-access-docker/issues)
[](https://github.com/qdm12/private-internet-access-docker/issues)
[](https://microbadger.com/images/qmcgaw/private-internet-access)
[](https://microbadger.com/images/qmcgaw/private-internet-access)
[](https://join.slack.com/t/qdm12/shared_invite/enQtOTE0NjcxNTM1ODc5LTYyZmVlOTM3MGI4ZWU0YmJkMjUxNmQ4ODQ2OTAwYzMxMTlhY2Q1MWQyOWUyNjc2ODliNjFjMDUxNWNmNzk5MDk)
- [Alpine 3.11](https://alpinelinux.org) for a tiny image (37MB of packages, 6.7MB of Go binary and 5.6MB for Alpine) - [OpenVPN 2.4.8](https://pkgs.alpinelinux.org/package/v3.11/main/x86_64/openvpn) to tunnel to PIA servers - [IPtables 1.8.3](https://pkgs.alpinelinux.org/package/v3.11/main/x86_64/iptables) enforces the container to communicate only through the VPN or with other containers in its virtual network (acts as a killswitch) - [Unbound 1.9.6](https://pkgs.alpinelinux.org/package/v3.11/main/x86_64/unbound) configured with Cloudflare's [1.1.1.1](https://1.1.1.1) DNS over TLS (configurable with 5 different providers) - [Files and blocking lists built periodically](https://github.com/qdm12/updated/tree/master/files) used with Unbound (see `BLOCK_MALICIOUS`, `BLOCK_SURVEILLANCE` and `BLOCK_ADS` environment variables) - [TinyProxy 1.10.0](https://pkgs.alpinelinux.org/package/v3.11/main/x86_64/tinyproxy) - [Shadowsocks 3.3.4](https://pkgs.alpinelinux.org/package/edge/testing/x86/shadowsocks-libev)
- At start only - Allow outbound TCP 443 to github.com - If `DOT=on`, allow outbound TCP 853 to allow Unbound to resolve github.com and the PIA subdomain name if you use PIA. - If `DOT=off` and `VPNSP=pia`, allow outbound UDP 53 to your DNS provider to resolve the PIA subdomain name. - If `VPNSP=pia`, `ENCRYPTION=strong` and `PROTOCOL=udp`: allow outbound UDP 1197 to the corresponding VPN server IPs - If `VPNSP=pia`, `ENCRYPTION=normal` and `PROTOCOL=udp`: allow outbound UDP 1198 to the corresponding VPN server IPs - If `VPNSP=pia`, `ENCRYPTION=strong` and `PROTOCOL=tcp`: allow outbound TCP 501 to the corresponding VPN server IPs - If `VPNSP=pia`, `ENCRYPTION=normal` and `PROTOCOL=tcp`: allow outbound TCP 502 to the corresponding VPN server IPs - If `VPNSP=mullvad` and `PORT=`, please refer to the mapping of Mullvad servers in [these source code lines](https://github.com/qdm12/private-internet-access-docker/blob/master/internal/constants/mullvad.go#L64-L667) to find the corresponding UDP port number and IP address(es) of your choice - If `VPNSP=mullvad` and `PORT=53`, allow outbound UDP 53 to the corresponding VPN server IPs, which you can fine in [the mapping of Mullvad servers](https://github.com/qdm12/private-internet-access-docker/blob/master/internal/constants/mullvad.go#L64-L667) - If `VPNSP=mullvad` and `PORT=80`, allow outbound TCP 80 to the corresponding VPN server IPs, which you can fine in [the mapping of Mullvad servers](https://github.com/qdm12/private-internet-access-docker/blob/master/internal/constants/mullvad.go#L64-L667) - If `VPNSP=mullvad` and `PORT=443`, allow outbound TCP 443 to the corresponding VPN server IPs, which you can fine in [the mapping of Mullvad servers](https://github.com/qdm12/private-internet-access-docker/blob/master/internal/constants/mullvad.go#L64-L667) - If `SHADOWSOCKS=on`, allow inbound TCP 8388 and UDP 8388 from your LAN - If `TINYPROXY=on`, allow inbound TCP 8888 from your LAN
Add `network_mode: "service:pia"` to your *docker-compose.yml* (no need for `depends_on`)
Add `--network=container:pia` when launching the container, provided PIA is already running
Add `network_mode: "container:pia"` to your *docker-compose.yml*, provided PIA is already running
You might want to use Shadowsocks instead which tunnels UDP as well as TCP, whereas Tinyproxy only tunnels TCP. 1. Setup a HTTP proxy client, such as [SwitchyOmega for Chrome](https://chrome.google.com/webstore/detail/proxy-switchyomega/padekgcemlokbadohgkifijomclgjgif?hl=en) 1. Ensure the PIA container is launched with: - port `8888` published `-p 8888:8888/tcp` - your LAN subnet, i.e. `192.168.1.0/24`, set as `-e EXTRA_SUBNETS=192.168.1.0/24` 1. With your HTTP proxy client, connect to the Docker host (i.e. `192.168.1.10`) on port `8888`. You need to enter your credentials if you set them with `TINYPROXY_USER` and `TINYPROXY_PASSWORD`. 1. If you set `TINYPROXY_LOG` to `Info`, more information will be logged in the Docker logs
1. Setup a SOCKS5 proxy client, there is a list of [ShadowSocks clients for **all platforms**](https://shadowsocks.org/en/download/clients.html) - **note** some clients do not tunnel UDP so your DNS queries will be done locally and not through PIA and its built in DNS over TLS - Clients that support such UDP tunneling are, as far as I know: - iOS: Potatso Lite - OSX: ShadowsocksX - Android: Shadowsocks by Max Lv 1. Ensure the PIA container is launched with: - port `8388` published `-p 8388:8388/tcp -p 8388:8388/udp` - your LAN subnet, i.e. `192.168.1.0/24`, set as `-e EXTRA_SUBNETS=192.168.1.0/24` 1. With your SOCKS5 proxy client - Enter the Docker host (i.e. `192.168.1.10`) as the server IP - Enter port TCP (and UDP, if available) `8388` as the server port - Use the password you have set with `SHADOWSOCKS_PASSWORD` - Choose the encryption method/algorithm `chacha20-ietf-poly1305` 1. If you set `SHADOWSOCKS_LOG` to `on`, (a lot) more information will be logged in the Docker logs
In example, to access port `8000` of container `xyz` and `9000` of container `abc` connected to PIA, publish ports `8000` and `9000` for the PIA container and access them as you would with any other container
In example, to access port `8000` of container `xyz` and `9000` of container `abc` connected to PIA, publish port `8000` and `9000` for the PIA container. The docker-compose.yml file would look like: ```yml version: '3.7' services: pia: image: qmcgaw/private-internet-access container_name: pia init: true cap_add: - NET_ADMIN environment: - USER=js89ds7 - PASSWORD=8fd9s239G ports: - 8000:8000/tcp - 9000:9000/tcp abc: image: abc container_name: abc network_mode: "service:pia" xyz: image: xyz container_name: xyz network_mode: "service:pia" ```
It happens especially on some PIA servers where they change their configuration or the server goes offline. You will obtain an error similar to: ```s openvpn: Wed Mar 18 22:13:00 2020 [3a51ae90324bcb0719cb399b650c64d4] Inactivity timeout (--ping-restart), restarting, openvpn: Wed Mar 18 22:13:00 2020 SIGUSR1[soft,ping-restart] received, process restarting, ... openvpn: Wed Mar 18 22:13:17 2020 Preserving previous TUN/TAP instance: tun0, openvpn: Wed Mar 18 22:13:17 2020 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device., openvpn: Wed Mar 18 22:13:17 2020 ERROR: Linux route delete command failed: external program exited with error status: 2, openvpn: Wed Mar 18 22:13:17 2020 ERROR: Linux route delete command failed: external program exited with error status: 2, openvpn: Wed Mar 18 22:13:17 2020 ERROR: Linux route delete command failed: external program exited with error status: 2, openvpn: Wed Mar 18 22:13:17 2020 ERROR: Linux route delete command failed: external program exited with error status: 2, openvpn: Wed Mar 18 22:13:17 2020 /sbin/ip addr del dev tun0 local 10.6.11.6 peer 10.6.11.5, openvpn: Wed Mar 18 22:13:17 2020 Linux ip addr del failed: external program exited with error status: 2, openvpn: Wed Mar 18 22:13:18 2020 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1), openvpn: Wed Mar 18 22:13:18 2020 Exiting due to fatal error, exit status 1 ``` To fix it, you would have to run openvpn with root, by setting the environment variable `OPENVPN_ROOT=yes`.
You might see some warnings similar to: ```s openvpn: Sat Feb 22 15:55:02 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this openvpn: Sat Feb 22 15:55:02 2020 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1569', remote='link-mtu 1542' openvpn: Sat Feb 22 15:55:02 2020 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC' openvpn: Sat Feb 22 15:55:02 2020 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1' openvpn: Sat Feb 22 15:55:02 2020 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128' openvpn: Sat Feb 22 15:55:02 2020 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo' openvpn: Sat Feb 22 15:55:02 2020 [a121ce520d670b71bfd3aa475485539b] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1197 ``` It is mainly because the option [disable-occ](https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/) was removed for transparency with you. Private Internet Access explains [here why](https://www.privateinternetaccess.com/helpdesk/kb/articles/why-do-i-get-cipher-auth-warnings-when-i-connect) the warnings show up.
At start, the Go entrypoint only downloads, depending on your settings: - If `DOT=on`: [DNS over TLS named root](https://github.com/qdm12/files/blob/master/named.root.updated) for Unbound - If `DOT=on`: [DNS over TLS root key](https://github.com/qdm12/files/blob/master/root.key.updated) for Unbound - If `BLOCK_MALICIOUS=on`: [Malicious hostnames and IP addresses block lists](https://github.com/qdm12/files) for Unbound - If `BLOCK_SURVEILLANCE=on`: [Surveillance hostnames and IP addresses block lists](https://github.com/qdm12/files) for Unbound - If `BLOCK_ADS=on`: [Ads hostnames and IP addresses block lists](https://github.com/qdm12/files) for Unbound
First, install [Git](https://git-scm.com/). The following will build the Docker image locally and replace the previous one you built or pulled. - Build the latest image ```sh docker build -t qmcgaw/private-internet-access https://github.com/qdm12/private-internet-access-docker.git ``` - Find a [commit](https://github.com/qdm12/private-internet-access-docker/commits/master) you want to build for, in example `095623925a9cc0e5cf89d5b9b510714792267d9b`, then: ```sh docker build -t qmcgaw/private-internet-access https://github.com/qdm12/private-internet-access-docker.git#095623925a9cc0e5cf89d5b9b510714792267d9b ``` - Find a [branch](https://github.com/qdm12/private-internet-access-docker/branches) you want to build for, in example `mullvad`, then: ```sh docker build -t qmcgaw/private-internet-access https://github.com/qdm12/private-internet-access-docker.git#mullvad ```
By default, the Mullvad server tunnels both ipv4 and ipv6, hence openvpn will try to create an ipv6 route. To allow the container to create such route, you have to specify `net.ipv6.conf.all.disable_ipv6=0` at runtime, using either: - For a Docker run command, the flag: `--sysctl net.ipv6.conf.all.disable_ipv6=0` - In a docker-compose file: ```yml sysctls: - net.ipv6.conf.all.disable_ipv6=0 ```
The Go code is a big rewrite of the previous shell entrypoint, it allows for: - better testing - better maintainability - ease of implementing new features - faster boot - asynchronous/parallel operations It is mostly made of the [internal directory](https://github.com/qdm12/private-internet-access-docker/tree/master/internal) and the entry Go file [cmd/main.go](https://github.com/qdm12/private-internet-access-docker/blob/master/cmd/main.go).
- You can test DNSSEC using [internet.nl/connection](https://www.internet.nl/connection/) - Check DNS leak tests with [https://www.dnsleaktest.com](https://www.dnsleaktest.com) - Some other DNS leaks tests might not work because of [this](https://github.com/qdm12/cloudflare-dns-server#verify-dns-connection) (*TLDR*: Unbound DNS server is a local caching intermediary)
You can try: - Installing the tun kernel module on your host with `insmod /lib/modules/tun.ko` or `modprobe tun` - Adding `--device=/dev/net/tun` to your docker run command (equivalent for docker-compose, kubernetes, etc.)
1. Install [Docker](https://docs.docker.com/install/) - On Windows, share a drive with Docker Desktop and have the project on that partition - On OSX, share your project directory with Docker Desktop 1. With [Visual Studio Code](https://code.visualstudio.com/download), install the [remote containers extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers) 1. In Visual Studio Code, press on `F1` and select `Remote-Containers: Open Folder in Container...` 1. Your dev environment is ready to go!... and it's running in a container :+1:
Install [Go](https://golang.org/dl/), [Docker](https://www.docker.com/products/docker-desktop) and [Git](https://git-scm.com/downloads); then: ```sh go mod download go get github.com/golang/mock/gomock go get github.com/golang/mock/mockgen ``` And finally install [golangci-lint](https://github.com/golangci/golangci-lint#install)
- Support Windscribe - Gotify support for notificactions - Periodic update of malicious block lists with Unbound restart - Improve healthcheck - Check IP address belongs to selected region - Check for DNS provider somehow if this is even possible - Support for other VPN protocols - Wireguard (wireguard-go) - Show new versions/commits available at start - Colors & emojis - Setup - Logging streams - More unit tests - Write in Go - DNS over TLS to replace Unbound - HTTP proxy to replace tinyproxy - use [go-Shadowsocks2](https://github.com/shadowsocks/go-shadowsocks2) - DNS over HTTPS, maybe use [github.com/likexian/doh-go](https://github.com/likexian/doh-go) - use [iptables-go](https://github.com/coreos/go-iptables) to replace iptables - wireguard-go - Openvpn to replace openvpn