Private Internet Access (PIA) WireGuard Guide/Script

[someone1337]

Okay it turns out that opnsenseWGName was the issue.  I named it PIA_toronto, which apparently was causing the script to pull my existing PIA config from OPNsense.  When the script asked for a new wireguard key (using an existing WG public key), PIA refused the creation and caused the script to fail.

So, I changed opnsenseWGName to PIACA, and it created the interface just fine.

Not sure if the API doesn't like the underscore or the small caps ... but removing both allowed me to move forward!

[someone1337]

Also, just in case you're trying to get port forwarding working...

I still had problems port forwarding over Wireguard running OPNSense 22, and solved using steps in the github issue:

https://github.com/opnsense/core/issues/4389

The solution posted there works, but I had to switch over to the OPNSense Development branch in order for it to work. 

No idea why this is such a problem (still)...

[panks21]

Okay it turns out that opnsenseWGName was the issue.  I named it PIA_toronto, which apparently was causing the script to pull my existing PIA config from OPNsense.  When the script asked for a new wireguard key (using an existing WG public key), PIA refused the creation and caused the script to fail.

So, I changed opnsenseWGName to PIACA, and it created the interface just fine.

Not sure if the API doesn't like the underscore or the small caps ... but removing both allowed me to move forward!

I had exact same issue and I reported over github via https://github.com/FingerlessGlov3s/OPNsensePIAWireguard/issues/24
I am glad he has added the check in the code now for opnsenseWGName

[bbyrd]

Hi FingerlessGloves... thanks very much for your efforts on this.

I'm running into some issues getting this running... when I set up the user per your guide, there is no option to add 'Effective Privileges' (just edit, and only GUI based option available to select) [I'm running OPNSense 22.1.10]

I skipped ahead anyway... all good until I ran

Code: [Select]

/conf/PIAWireguard.py debug as which point i get the message

Code: [Select]

searchServer request failed non 200 status code - listing wireguard instances
I'm assuming this is why when I go to Interfaces: Assignments there is no wg0 option available.

I do note that I am successfully running Tailscale on my OPNSense (which is WireGuard based), I case this might cause issues.

Any suggestions?

[bbyrd]

*facepalm*

All sorted... didn't scroll properly in the list of 'Effective Privileges'. Now found, added and all working.

[DarkHelmet]

Hi,

I am pretty much a nub with opnsense, but I got this all working with my setup.  I am sending a specific ip address out to the interface.  I tested a reboot tho and on reboot the interface defaults to the normal lan interface.  not using the vpn.   Not sure why.  Any thoughts?     

After the reboot I can get it working again by ssh to the router and running the "PIAWireguard.py debug changeserver" command.  After that the source ip traffic goes through the vpn again.

Thanks.

--pat

Versions   OPNsense 22.7.8-amd64
FreeBSD 13.1-RELEASE-p3
OpenSSL 1.1.1s 1 Nov 2022


**Update** 

It appears to me that the vpn interface eventually comes up after a boot.  It just takes a bit of time before it's active. Maybe 5 minutes for the cron job to kick in? If this is true for everyone  people might not be vpn protected for the first few minutes of a reboot unless they have the "kill switch"  from step 11
https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

[lallhands]

Unable to get my gateway monitor to connect. It was running fine overnight, but when I woke up this morning it was in this "defunct" state. Also when I restarted it using /conf/PIAWireguard.py, I saw that it was getting timeout connection errors to serverlist.piaservers.net on port 443... Help me Obi-Wan Kenobi, you're my only hope!

Version
OPNsense 22.7.11-amd64
FreeBSD 13.1-RELEASE-p5
OpenSSL 1.1.1s 1 Nov 2022

[chuliu]

I wonder if this script will work if i have an existing wireguard server set up in my opnsense?
Also, does it work in a dual wan environment?

Thank you.

[Skylinar]

The script adds an additional interface, so it won't break your existing WG server. Dual Wan is supported, check out the git repo's Readme.

[richardk3]

Feature request -- although I may be the only one in the world who needs this:

When my router reboots, or the cron job runs with "changesever", I sometimes lose access to my IPTV streams.  Apparently, the IPTV provider is blocking one or more PIA server IP addresses within the region I'm using.  I can fix it by running the script manually with "changeserver", so that it selects a different PIA server within the same region.

However, it would be nice if the script would accept a blocklist of specific server IP addresses to bypass, perhaps in the json file.

Or...is there a way to accomplish this with the existing script?