Private Internet Access Client (OpenVPN, Alpine and DNS over TLS with Unbound)

Docker VPN client to private internet access servers using OpenVPN and Cloudflare DNS 1.1.1.1 over TLS

Optionally set the protocol (TCP, UDP) and the level of encryption using Docker environment variables.

Download size	Image size	RAM usage	CPU usage
5.4MB	13MB	11.89MB	Low to Medium

It is based on:

• Alpine 3.7
• OpenVPN 2.4.5-r1
• Unbound 1.7.0-r2
• wget and ca-certificates for the healthcheck

It requires:

• A Private Internet Access username and password - Sign up
• Docker installed on the host

The PIA .ovpn configuration files are downloaded from the PIA website when the Docker image is built. You can build the image yourself if you are paranoid.

Cloudflare DNS 1.1.1.1 over TLS is used to connect to any PIA server for multiple reasons:

• Man-in-the-middle (ISP, hacker, government) can't block you from resolving the PIA server domain name. For example, austria.privateinternetaccess.com maps to 185.216.34.229
• Man-in-the-middle (ISP, hacker, government) can't see to which server you connect nor when. As the domain name are sent to 1.1.1.1 over TLS, there is no way to examine what domains you are asking to be resolved

Setup

1. Run the tun.sh script on your host machine to ensure you have the /dev/tun device setup

   wget https://raw.githubusercontent.com/qdm12/private-internet-access-docker/master/tun.sh
   sudo chmod +x tun.sh
   ./tun.sh
   

2. Create a network to be used by this container and other containers connecting to it with:

   docker network create pianet
   

3. Create a file auth.conf in /yourhostpath (for example), with:

   • On the first line: your PIA username (i.e. js89ds7)
   • On the second line: your PIA password (i.e. 8fd9s239G)

Using Docker only

1. Run the container with (at least change /yourhostpath to your actual path):

   docker run -d --restart=always --name=pia --cap-add=NET_ADMIN \
   --device=/dev/net/tun --network=pianet \
   -v /yourhostpath/auth.conf:/auth.conf:ro \
   -e REGION=Germany -e PROTOCOL=udp -e ENCRYPTION=normal \
   qmcgaw/private-internet-access
   

   Note that you can change REGION, PROTOCOL and ENCRYPTION. See the Environment variables section

2. Wait about 5 seconds for it to connect to the PIA server. You can check with:

   docker logs pia
   

3. Follow the Testing section

Using Docker Compose

1. Download docker-compose.yml

2. Edit it and change at least yourpath

3. Run the container as a daemon in the background with:

    docker-compose up -d
   

   Note that you can change REGION, PROTOCOL and ENCRYPTION. See the Environment variables section

4. Wait about 5 seconds for it to connect to the PIA server. You can check with:

   docker logs pia
   

5. Follow the Testing section

Testing

1. Note that you can simply use the HEALTCHECK provided. The container will stop by itself if the VPN IP is the same as your initial public IP address.

Otherwise you can follow these instructions:

1. Check your host IP address with:

   curl -s ifconfig.co
   

2. Run the curl Docker container using your pia container with:

   docker run --rm --network=container:pia byrnedo/alpine-curl ifconfig.co
   

   If the displayed IP address appears and is different that your host IP address, the PIA client should fully work !

Environment variables

Environment variable	Default	Description
REGION	Switzerland	Any one of the regions supported by private internet access
PROTOCOL	tcp	tcp or udp
ENCRYPTION	strong	normal or strong

If you know what you're doing, you can change the container name (pia), the hostname (piaclient) and the network name (pianet) as well.

Connect other containers to it

Connect other Docker containers to the PIA VPN connection by adding --network=container:pia when launching them.

---

EXTRA: Access ports of containers connected to the VPN container

You have to use another container acting as a Reverse Proxy such as Nginx.

Example:

• Deluge container with name deluge connected to the pia container with --network=container:pia
• Deluge's WebUI runs on port TCP 8112

1. Create the Nginx configuration file nginx.conf:

   user  nginx;
   worker_processes  1;
   error_log  /var/log/nginx/error.log warn;
   pid        /var/run/nginx.pid;
   events {
       worker_connections  1024;
   }
   http {
       include       /etc/nginx/mime.types;
       default_type  application/octet-stream;
       log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                         '$status $body_bytes_sent "$http_referer" '
                         '"$http_user_agent" "$http_x_forwarded_for"';
       access_log  /var/log/nginx/access.log  main;
       sendfile        on;
       keepalive_timeout  65;
       server {
           listen 80;
           location / {
               proxy_pass http://deluge:8112/;
               proxy_set_header X-Deluge-Base "/";
           }
       }
       include /etc/nginx/conf.d/*.conf;
   }
   

2. Run the Alpine Nginx container with:

   docker -d --restart=always --name=proxypia -p 8000:80 \
   --network=pianet --link pia:deluge \
   -v /mypathto/nginx.conf:/etc/nginx/nginx.conf:ro nginx:alpine
   

3. Access the WebUI of Deluge at localhost:8000

For more containers, add more --link pia:xxx and modify nginx.conf accordingly

EXTRA: For the paranoids

• You might want to build the image yourself
• The download and unziping is done at build for the ones not able to download the zip files with their ISPs.
• Checksums for PIA openvpn zip files are not used as these files change often
• You should use strong encryption for the environment variable ENCRYPTION