# Private Internet Access Client (OpenVPN+Iptables+DNS over TLS on Alpine Linux)
*Lightweight VPN client to tunnel to private internet access servers*
[](https://hub.docker.com/r/qmcgaw/private-internet-access/)
[](https://travis-ci.org/qdm12/private-internet-access-docker)
[](https://hub.docker.com/r/qmcgaw/private-internet-access)
[](https://github.com/qdm12/private-internet-access-docker/issues)
[](https://github.com/qdm12/private-internet-access-docker/issues)
[](https://github.com/qdm12/private-internet-access-docker/issues)
[](https://hub.docker.com/r/qmcgaw/private-internet-access)
[](https://hub.docker.com/r/qmcgaw/private-internet-access)
[](https://hub.docker.com/r/qmcgaw/private-internet-access)
[](https://microbadger.com/images/qmcgaw/private-internet-access)
[](https://microbadger.com/images/qmcgaw/private-internet-access)
[](https://paypal.me/qdm12)
| Image size | RAM usage | CPU usage |
| --- | --- | --- |
| 19.8MB | 14MB to 80MB | Low to Medium |
Click to show base components
- [Alpine 3.10](https://alpinelinux.org) for a tiny image
- [OpenVPN 2.4.7](https://pkgs.alpinelinux.org/package/v3.10/main/x86_64/openvpn) to tunnel to PIA servers
- [IPtables 1.8.3](https://pkgs.alpinelinux.org/package/v3.10/main/x86_64/iptables) enforces the container to communicate only through the VPN or with other containers in its virtual network (acts as a killswitch)
- [Unbound 1.9.1](https://pkgs.alpinelinux.org/package/v3.10/main/x86_64/unbound) configured with Cloudflare's [1.1.1.1](https://1.1.1.1) DNS over TLS
- [Files and blocking lists built periodically](https://github.com/qdm12/updated/tree/master/files) used with Unbound (see `BLOCK_MALICIOUS` and `BLOCK_NSA` environment variables)
- [TinyProxy 1.10.0](https://pkgs.alpinelinux.org/package/v3.10/main/x86_64/tinyproxy)
Configure everything with environment variables
- [Destination region](https://www.privateinternetaccess.com/pages/network)
- Internet protocol
- Level of encryption
- PIA Username and password
- DNS over TLS
- Malicious DNS blocking
- Internal firewall
- Web HTTP proxy (**not working yet**)
- Run openvpn without root
Requirements
- A Private Internet Access **username** and **password** - [Sign up](https://www.privateinternetaccess.com/pages/buy-vpn/)
- Firewall requirements
- Allow outbound TCP 853 to 1.1.1.1 to allow Unbound to resolve the PIA domain name at start. You can then block it once the container is started.
- For UDP strong encryption, allow outbound UDP 1197
- For UDP normal encryption, allow outbound UDP 1198
- For TCP strong encryption, allow outbound TCP 501
- For TCP normal encryption, allow outbound TCP 502
CLICK IF YOU HAVE AN ARM DEVICE
- If you have a ARM 32 bit v6 architecture
```sh
docker build -t qmcgaw/private-internet-access \
--build-arg BASE_IMAGE=arm32v6/alpine \
https://github.com/qdm12/private-internet-access-docker.git
```
- If you have a ARM 32 bit v7 architecture
```sh
docker build -t qmcgaw/private-internet-access \
--build-arg BASE_IMAGE=arm32v7/alpine \
https://github.com/qdm12/private-internet-access-docker.git
```
- If you have a ARM 64 bit v8 architecture
```sh
docker build -t qmcgaw/private-internet-access \
--build-arg BASE_IMAGE=arm64v8/alpine \
https://github.com/qdm12/private-internet-access-docker.git
```
Connect other containers to PIA
Add `--network=container:pia` when launching the container
Connect containers from another docker-compose.yml
Add `network_mode: "container:pia"` to your *docker-compose.yml*
Connect containers in the same docker-compose.yml as PIA
Add `network_mode: "service:pia"` to your *docker-compose.yml* (no need for `depends_on`)
Access ports of containers connected to PIA
To access port `8000` of container `xyz` and `9000` of container `abc` connected to PIA, you will need a reverse proxy such as `qmcgaw/caddy-scratch` (you can build it for **ARM**, see its [readme](https://github.com/qdm12/caddy-scratch))
1. Create the file *Caddyfile*
```sh
touch Caddyfile
chown 1000 Caddyfile
# chown 1000 because caddy-scratch runs as user ID 1000 by default
chmod 600 Caddyfile
```
with this content:
```ruby
:8000 {
proxy / xyz:8000
}
:9000 {
proxy / abc:9000
}
```
You can of course make more complicated Caddyfile (such as proxying `/xyz` to xyz:8000 and `/abc` to abc:9000, just ask me!)
1. Run Caddy with
```sh
docker run -d -p 8000:8000/tcp -p 9000:9000/tcp \
--link pia:xyz --link pia:abc \
-v $(pwd)/Caddyfile:/Caddyfile:ro \
qmcgaw/caddy-scratch
```
**WARNING**: Make sure the Docker network in which Caddy runs is the same as the one of PIA. It can be the default `bridge` network.
1. You can now access xyz:8000 at [localhost:8000](http://localhost:8000) and abc:9000 at [localhost:9000](http://localhost:9000)
For more containers, add more `--link pia:xxx` and modify the *Caddyfile* accordingly
If you want to user a *docker-compose.yml*, you can use this example - **make sure PIA is launched and connected first**:
```yml
version: '3'
services:
piaproxy:
image: qmcgaw/caddy-scratch
container_name: piaproxy
ports:
- 8000:8000/tcp
- 9000:9000/tcp
external_links:
- pia:xyz
- pia:abc
volumes:
- ./Caddyfile:/Caddyfile:ro
abc:
image: abc
container_name: abc
network_mode: "container:pia"
xyz:
image: xyz
container_name: xyz
network_mode: "container:pia"
```
Access ports of containers connected to PIA, all in the same docker-compose.yml
To access port `8000` of container `xyz` and `9000` of container `abc` connected to PIA, you could use:
```yml
version: '3'
services:
pia:
image: qmcgaw/private-internet-access
container_name: pia
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun
environment:
- USER=js89ds7
- PASSWORD=8fd9s239G
ports:
- 8000:8000/tcp
- 9000:9000/tcp
abc:
image: abc
container_name: abc
network_mode: "service:pia"
xyz:
image: xyz
container_name: xyz
network_mode: "service:pia"
```
Access ports of containers connected to PIA, all in the same docker-compose.yml, using a reverse proxy
To access port `8000` of container `xyz` and `9000` of container `abc` connected to PIA, you will need a reverse proxy such as `qmcgaw/caddy-scratch` (you can build it for **ARM**, see its [readme](https://github.com/qdm12/caddy-scratch))
1. Create the file *Caddyfile*
```sh
touch Caddyfile
chown 1000 Caddyfile
# chown 1000 because caddy-scratch runs as user ID 1000 by default
chmod 600 Caddyfile
```
with this content:
```ruby
:8000 {
proxy / xyz:8000
}
:9000 {
proxy / abc:9000
}
```
You can of course make more complicated Caddyfile (such as proxying `/xyz` to xyz:8000 and `/abc` to abc:9000, just ask me!)
1. Use this example:
```yml
version: '3'
services:
pia:
image: qmcgaw/private-internet-access
container_name: pia
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun
environment:
- USER=js89ds7
- PASSWORD=8fd9s239G
piaproxy:
image: qmcgaw/caddy-scratch
container_name: piaproxy
ports:
- 8000:8000/tcp
- 9000:9000/tcp
external_links:
- pia:xyz
- pia:abc
volumes:
- ./Caddyfile:/Caddyfile:ro
abc:
image: abc
container_name: abc
network_mode: "service:pia"
xyz:
image: xyz
container_name: xyz
network_mode: "service:pia"
```
Connect to the PIA through an HTTP proxy (i.e. with Chrome, Kodi, etc.)
**THIS IS NOT CURRENTLY WORKING, INVESTIGATION IS IN PROGRESS...**
1. Setup a HTTP proxy client, such as [SwitchyOmega for Chrome](https://chrome.google.com/webstore/detail/proxy-switchyomega/padekgcemlokbadohgkifijomclgjgif?hl=en)
1. Make sure the PIA container:
- Has port 8888 published `-p 8888:8888/tcp`
- **Has your LAN** in `EXTRA_SUBNETS`
1. With your HTTP proxy client, connect to the Docker host (i.e. `192.168.1.10`) on port `8888`. You might need to enter your credentials if you set them with the environment variables `PROXY_USER` and `PROXY_PASSWORD`.
1. If you set `PROXY_LOG_LEVEL` to `Info`, you can check the log output of tinyproxy with:
```sh
docker exec -it pia cat /var/log/tinyproxy/tinyproxy.log
```
`PROXY_LOG_LEVEL` defaults to `Critical` to avoid logging everything, for privacy purposes as well as to save storage.