Private Internet Access (PIA) WireGuard Guide/Script

[FingerlessGloves]

Hi Guys,

I've written a python script for OPNsense that allows you to use WireGuard and PIA's Next Gen servers.
The script will make sure your PIA wireguard tunnel is up and will change server if required as well.

Please see my Github page for the guide and the script.

https://github.com/FingerlessGlov3s/OPNsensePIAWireguard

Any question just ask and any issues make an issue on Github.

[Chrome]

Awesome script! Worked like a charm! Keep up the good work!

[rnaff]

Hey brother,

I'm trying to get your script running and I'm stuck at instruction #5.

I had copied the file over, ran chmod, restarted the service, and then ran debug but I got a bunch of errors and I thought it was because I didn't have the formatting correct on the file (edited it in wordpad) -- I deleted the PIAWireguard.py and got a proper file editor Notepad++, and have re-edited the file and uploaded it, ran chmod, and restarted the configd -- when I run debug, now I just get this error,

'command not found'.

thank you for providing this script -- I really hope I get it working soon =)

[bigeazy000]

Hey Jonny, this script worked great, thanks!

[richardk3]

Thanks for all the work on this script!  I followed the instructions, and successfully established a VPN connection with PIA.  I also used this guide to restrict the VPN usage to certain nodes:

https://imgur.com/gallery/JBf2RF6

It worked for me...mostly...

But systems using this connection refuse to connect to certain destinations.  Notably, cnn.com doesn't work.  Also, my Docker containers don't update using Watchtower when using this connection. 

If I connect to PIA using PIA's client app (with Wireguard) on the same computers, everything works.  So something is different when I connect using Wireguard on OPNsense.

Any ideas? 

[richardk3]

I noticed that a step had been added to the installation docs.  Doing this seems to have fixed the problems I was encountering. 

Code: [Select]

Last thing we need to set up is maximum MSS for TCP packets, which is 40 bytes smaller than the MTU of WireGuard, by default Wireguard uses 1420 bytes MTU. So we need to set an MSS maximum of 1380. (Without this you may have issues loading websites or slow speeds).
 Goto Firewall: Settings: Normalization
     1. Click Add
     2. Interface select "WAN_PIAWG"
     3. Enter Description of "Maximum MSS for PIA WireGuard Tunnel"
     4. Max MSS to "1380"
     5. Save (you will notice it'll now list this as OPT rather than the interface name, don't worry it's still correct, just edit it to verify you made the right selection)

[thatguyyoulove]

Hey brother,

I'm trying to get your script running and I'm stuck at instruction #5.

I had copied the file over, ran chmod, restarted the service, and then ran debug but I got a bunch of errors and I thought it was because I didn't have the formatting correct on the file (edited it in wordpad) -- I deleted the PIAWireguard.py and got a proper file editor Notepad++, and have re-edited the file and uploaded it, ran chmod, and restarted the configd -- when I run debug, now I just get this error,

'command not found'.

thank you for providing this script -- I really hope I get it working soon =)

I ran into the same issue, then realized that it was due to Notepad++ using Windows-style line endings(CRLF) instead of Unix-style(LF). Changing the line endings inside of Notepad++ fixed the issue and re-uploading fixed the issue.

[dsfghjkl;]

New to OPNsense but had no problem following along the guide and script and got the gateway online     But then, the final step, Step 13 ... fail ... any clues on how to route all LAN traffic over the new wireguard gateway?  Googling just ends up with a spattering of pages that don't match the current version 21.1.1 

[richardk3]

New to OPNsense but had no problem following along the guide and script and got the gateway online     But then, the final step, Step 13 ... fail ... any clues on how to route all LAN traffic over the new wireguard gateway?  Googling just ends up with a spattering of pages that don't match the current version 21.1.1 

I followed this guide to set up the firewall rules, and it worked.

https://imgur.com/gallery/JBf2RF6

Hope this helps.

[kosta]

Excuse my (un)knowledge, but how do I edit PIAWireguard.py? Using Notepad++ makes the file look very... odd.
I feel like an only idiot not being able to figure this out... sorry.

[Greelan]

Best to use a Python IDE. Google can give you options for your system

[kosta]

Well, I do have Visual Studio Code, because I use it for Powershell, so I loaded Phython in it (got it suggested), loaded the py file and... what now? What I see on Github is nice script where to enter data, and in VSC I see the pure code it seems. So yes, how do I edit that?

EDIT:
I managed to get it displayed in VSC properly, I don't really know how, but apparently downloading Github to the computer, then going through couple of clicks and loading the .py files so, it displayed correctly and I was able to save it. Wanted to copy via WinSCP to /conf/ and I got access denied. Not keen to changing permissions on a firewall folder(s) so I think I'll leave it be or get a VPN service that natively works with OpenVPN or Wireguard, without having to go through such scripts, if there is any. I ain't married to PIA...

[FingerlessGloves]

Hi Kosta,

What account did you WinSCP with? it needs to be the root user.

I'll update the readme to say about the editing of the .py file and user to use WinSCP as.

EDIT: Updated

[Learning]

https://github.com/FingerlessGlov3s/OPNsensePIAWireguard

Any question just ask and any issues make an issue on Github.

**Looks around slowly and raises hand sheepishly after several months of inactivity in thread...**

I used this script to set up a PIA WG tunnel . Worked  great 

Now I am hoping to set up multiple WG tunnels.
How would I go about this?  The idea is a tunnel for US & UK in addition to my existing tunnel.

If I run the primary script again, will it break the existing connection?  Do I need to go right back and create a new API for example, or can I start further along in the process?

[FingerlessGloves]

**Looks around slowly and raises hand sheepishly after several months of inactivity in thread...**

I used this script to set up a PIA WG tunnel . Worked  great 

Now I am hoping to set up multiple WG tunnels.
How would I go about this?  The idea is a tunnel for US & UK in addition to my existing tunnel.

If I run the primary script again, will it break the existing connection?  Do I need to go right back and create a new API for example, or can I start further along in the process?

It very simple to do 

Make a copy of your current PIAWireguard.py, name it something like PIAWireguard_US.py then edit the below variables

Code: [Select]

opnsenseWGName  = 'PIAUS'
opnsenseWGPort = "51816"
piaRegionId = "us_silicon_valley"Very important to change the WGName and WGPort!


Then you'll also need to add some new entries to the actions file, just need to add new actions for each region example below
"/usr/local/opnsense/service/conf/actions.d/actions_piawireguard.conf"

Code: [Select]

[piaWireGuardUS]
command:/conf/PIAWireguard_US.py
parameters: %s %s
type:script_output
message:Running PIA WireGuard US Script : /conf/PIAWireguard_US.py %s %s
description:PIA WireGuard US
Then reload the configd service

Code: [Select]

configd restart
Now you can run the script again and it'll create the next PIA WireGuard Interface, and follow the setup guide again, with the second PIA interface.

Code: [Select]

/conf/PIAWireguard_US.py debug