Private Internet Access Client (OpenVPN, Alpine and DNS over TLS with Unbound)
Docker VPN client to private internet access servers using OpenVPN and Cloudflare DNS 1.1.1.1 over TLS
Optionally set the protocol (TCP, UDP) and the level of encryption using Docker environment variables.
A killswitch is implemented with a firewall (iptables), only allowing traffic with PIA servers on needed ports / protocols.
| Download size | Image size | RAM usage | CPU usage |
|---|---|---|---|
| 5.6MB | 13.5MB | 12MB | Low |
It is based on:
- Alpine 3.8
- OpenVPN 2.4.6-r3
- Unbound 1.7.3-r0
- Ca-Certificates for the healthcheck (through HTTPS)
It requires:
The PIA .ovpn configuration files are downloaded from the PIA website when the Docker image is built. You can build the image yourself if you are paranoid.
Cloudflare DNS 1.1.1.1 over TLS is used to connect to any PIA server for multiple reasons:
- Man-in-the-middle (ISP, hacker, government) can't block you from resolving the PIA server domain name.
For example,
austria.privateinternetaccess.commaps to185.216.34.229 - Man-in-the-middle (ISP, hacker, government) can't see to which server you connect nor when. As the domain name are sent to 1.1.1.1 over TLS, there is no way to examine what domains you are asking to be resolved
Setup
-
Make sure you have your
/dev/net/tundevice setup on your host with one of the following commands, depending on your OS:insmod /lib/modules/tun.koOr
sudo modprobe tun -
Create a network to be used by this container and other containers connecting to it with:
docker network create pianet -
Create a file auth.conf in
/yourhostpath(for example), with:- On the first line: your PIA username (i.e.
js89ds7) - On the second line: your PIA password (i.e.
8fd9s239G)
- On the first line: your PIA username (i.e.
Option 1: Using Docker only
-
Run the container with (at least change
/yourhostpathto your actual path):docker run -d --name=pia \ --cap-add=NET_ADMIN --device=/dev/net/tun --network=pianet \ -v /yourhostpath/auth.conf:/auth.conf:ro \ -e REGION=Germany -e PROTOCOL=udp -e ENCRYPTION=normal \ qmcgaw/private-internet-accessNote that you can change
REGION,PROTOCOLandENCRYPTION. See the Environment variables section -
Wait about 5 seconds for it to connect to the PIA server. You can check with:
docker logs pia -
Follow the Testing section
Option 2: Using Docker Compose
-
Download docker-compose.yml
-
Edit it and change at least
yourpath -
Run the container as a daemon in the background with:
docker-compose up -dNote that you can change
REGION,PROTOCOLandENCRYPTION. See the Environment variables section -
Wait about 5 seconds for it to connect to the PIA server. You can check with:
docker logs pia -
Follow the Testing section
Testing
- Note that you can simply use the HEALTCHECK provided. The container will stop by itself if the VPN IP is the same as your initial public IP address.
Otherwise you can follow these instructions:
-
Check your host IP address with:
curl -s ifconfig.co -
Run the curl Docker container using your pia container with:
docker run --rm --network=container:pia byrnedo/alpine-curl -s ifconfig.coIf the displayed IP address appears and is different that your host IP address, the PIA client works !
Environment variables
| Environment variable | Default | Description |
|---|---|---|
REGION |
Switzerland |
Any one of the regions supported by private internet access |
PROTOCOL |
tcp |
tcp or udp |
ENCRYPTION |
strong |
normal or strong |
If you know what you're doing, you can change the container name (pia),
the hostname (piaclient) and the network name (pianet) as well.
Connect other containers to it
Connect other Docker containers to the PIA VPN connection by adding
--network=container:pia when launching them.
EXTRA: Access ports of containers connected to the VPN container
You have to use another container acting as a Reverse Proxy such as Nginx.
Example:
-
We launch a Deluge (torrent client) container with name deluge connected to the
piacontainer with:docker run -d --name=deluge --network=container:pia linuxserver/deluge -
We launch a Hydra container with name hydra connected to the
piacontainer with:docker run -d --name=hydra --network=container:pia linuxserver/hydra -
HTTP User interfaces are accessible at port 8112 for Deluge and 5075 for Hydra
-
Create the Nginx configuration file nginx.conf:
user nginx; worker_processes 1; error_log /var/log/nginx/error.log warn; pid /var/run/nginx.pid; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; keepalive_timeout 65; server { listen 1001; location / { proxy_pass http://deluge:8112/; proxy_set_header X-Deluge-Base "/"; } } server { listen 1002; location / { proxy_pass http://hydra:5075/; } } include /etc/nginx/conf.d/*.conf; } -
Run the Alpine Nginx container with:
docker run -d --name=proxypia -p 8001:1001 -p 8002:1002 \ --network=pianet --link pia:deluge --link pia:hydra \ -v /mypathto/nginx.conf:/etc/nginx/nginx.conf:ro nginx:alpine -
Access the WebUI of Deluge at localhost:8000
For more containers, add more --link pia:xxx and modify nginx.conf accordingly
EXTRA: For the paranoids
- You might want to build the image yourself
- The download and unziping is done at build for the ones not able to download the zip files with their ISPs.
- Checksums for PIA openvpn zip files are not used as these files change often
- You should use strong encryption for the environment variable
ENCRYPTION