Private Internet Access (PIA) WireGuard Guide/Script

Started by FingerlessGloves, October 27, 2020, 07:43:32 PM

August 21, 2021, 09:33:21 PM #15 Last Edit: August 21, 2021, 10:58:28 PM by Learning
Thanks for the fast and informative reply.  This is super helpful!

When I started working through these instructions, I noticed the actions file in actions.d was missing.
I guess I had originally got WG up and running with another method found elsewhere.  I don't even remember which set of instructions I followed it seems!

Anyway, I copied the file over into actions.d and removed the first entry since I must not have used it.  So it starts with the PIAUS entry.

However when I typed in configd restart, I got Command not found in the shell.

*EDIT* - I did service configd restart as per the original instructions! 
I copied and amended the previous Interface entry and updated the name.
Added the Gateway.
Ran the script with debug changeserver.
Enabled the Gateway, saved, and it was up and running.

I added an Alias to route certain URLs via this gateway (including 1 IP address checking site), and BINGO!  All working  :)

Many thanks for the added help & support!

August 21, 2021, 10:58:32 PM #16 Last Edit: August 21, 2021, 11:01:03 PM by FingerlessGloves
I highly recommend you make sure you have the actions setup for both the new and old tunnels, and have the cron job setup.

Short term you may not find any issues, but long term you'll need the cron action for each tunnel.

What the action does is monitor the tunnel: if the tunnel goes down, for example because the PIA server restarts for updates or maybe they retire that server, it'll then move the WireGuard tunnel over to another PIA server in that region. When PIA restarts their servers, all peers are lost as the server runs in RAM, so a full login on the PIA side is required again. The action also makes sure the gateway IP is set, to allow traffic to route over the tunnel.

Also, if you're disconnected from the PIA server for an extended period of time they will remove you as a peer, so full authentication is required again. Unsure on the timescale, but I think it's 15 minutes or so. This could happen if your WAN goes down or you're updating OPNsense. The cron action will then make sure you get back up and running again.

Hope this helps :-)
Adventuring through internet pipes
My Blog
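The monitoring the post describes (detect a dead tunnel, then re-authenticate and re-peer) is easiest to reason about from the `wg show <iface> dump` output. The following is an added example, not code from the thread or from the PIAWireguard.py script: it parses the documented tab-separated dump format, classifies the tunnel from the newest peer handshake, and returns whether a reconnect is warranted. The 180-second staleness threshold and the sample dump are assumptions and constructed data, not values from the page.

```python
"""Decide whether a WireGuard tunnel needs re-establishing from `wg show <iface> dump`.

Added example; not part of the original thread or of PIAWireguard.py.
The dump layout follows wg(8); the threshold and the sample dump are assumptions.
"""
import subprocess
import time

# `wg show <iface> dump` prints one interface line, then one line per peer, tab separated:
#   interface: private_key  public_key  listen_port  fwmark
#   peer:      public_key  preshared_key  endpoint  allowed_ips  latest_handshake
#              transfer_rx  transfer_tx  persistent_keepalive
# latest_handshake is a Unix timestamp; 0 means no handshake has ever completed.

# Constructed sample (not real keys). The endpoint is the PIA address quoted later in the thread.
SAMPLE_DUMP = (
    "PRIVATE_KEY_REDACTED\tINSTANCE_PUBKEY\t51820\toff\n"
    "PEER_PUBKEY\t(none)\t178.249.214.109:1337\t0.0.0.0/0\t1629590000\t123456\t654321\t25\n"
)

# Assumption: a healthy WireGuard peer with traffic re-handshakes well inside 3 minutes,
# so anything older than this is treated as a dead tunnel.
STALE_AFTER_SECONDS = 180


def parse_wg_dump(dump):
    """Return one dict per peer line; the first (interface) line is skipped."""
    peers = []
    lines = [line for line in dump.splitlines() if line.strip()]
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError("unexpected peer line: %r" % line)
        peers.append({
            "public_key": fields[0],
            "endpoint": fields[2],
            "allowed_ips": fields[3],
            "latest_handshake": int(fields[4]),
            "rx_bytes": int(fields[5]),
            "tx_bytes": int(fields[6]),
        })
    return peers


def tunnel_state(peers, now, stale_after=STALE_AFTER_SECONDS):
    """Classify the tunnel:
    'no_peer' - no peer configured at all (e.g. peer entry lost after a config reset)
    'never'   - peer present but never handshaken (PIA server rebooted and forgot our key)
    'stale'   - last handshake older than stale_after (WAN outage, PIA dropped us as a peer)
    'up'      - a peer handshaked recently
    """
    if not peers:
        return "no_peer"
    newest = max(p["latest_handshake"] for p in peers)
    if newest == 0:
        return "never"
    if now - newest > stale_after:
        return "stale"
    return "up"


def needs_reconnect(state):
    """Anything other than 'up' means the cron action should re-authenticate and re-peer."""
    return state != "up"


def live_state(iface, stale_after=STALE_AFTER_SECONDS):
    """Run wg(8) for a real interface (needs root) and classify it."""
    out = subprocess.run(["wg", "show", iface, "dump"],
                         capture_output=True, text=True, check=True).stdout
    return tunnel_state(parse_wg_dump(out), time.time(), stale_after)


if __name__ == "__main__":
    peers = parse_wg_dump(SAMPLE_DUMP)
    for t in (1629590060, 1629590000 + 900):
        state = tunnel_state(peers, t)
        print(t, state, "reconnect" if needs_reconnect(state) else "ok")
```

Run it as root against the real interface with `live_state("wg0")` from the cron action; on a "stale" or "never" result, do the full PIA login again rather than just bouncing the interface, since the post explains the server side has forgotten the peer.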

Quote from: FingerlessGloves on August 21, 2021, 10:58:32 PM
I highly recommend you make sure you have the actions setup for both the new and old tunnels, and have the cron job setup.

For some reason I had not been able to set up a Cron job originally.  I had attempted, but I think something was missing in one of the dropdown boxes.

I'm currently adding the 3rd WG connection.  Once I have it running, I'll get back to the Cron job.

Although I'll have 3 WG gateways, the .py file will only be aware of 2 of them, since I had obviously set the first up a different way.  I guess I might have to add the initial wg0 info manually to that file.  Will experiment as the day goes on!

Now I seem to have messed it all up.
Had a brief server crash, and it obviously did some kind of reset (asked me to send a crash report).

I was still doing setup and hadn't done the cron thing.
I went back and added the original PIAWireguard.py file, with the relevant changes.

However when I run PIAWireguard.py debug, I keep getting
wireguardserver addKey request failed non 200 status code - Trying to add instance public key to server in exchnage for connection information

Not sure what that means, and I can't find other errors.  The other gateways (US & UK) came up fine when I ran the scripts and readded the gateways etc.

Any suggestions?

Quote from: Learning on August 22, 2021, 01:01:39 AM
Now I seem to have messed it all up.
Had a brief server crash, and it obviously did some kind of reset (asked me to send a crash report).

I was still doing setup and hadn't done the cron thing.
I went back and added the original PIAWireguard.py file, with the relevant changes.

However when I run PIAWireguard.py debug, I keep getting
wireguardserver addKey request failed non 200 status code - Trying to add instance public key to server in exchnage for connection information

Not sure what that means, and I can't find other errors.  The other gateways (US & UK) came up fine when I ran the scripts and readded the gateways etc.

Any suggestions?

The part it's failing on is sending the PIA server your public key and PIA token in return for the connection information.

https://github.com/FingerlessGlov3s/OPNsensePIAWireguard/blob/6f839bf952b0dfe5f967ba0edb4c2b3ce9c37abf/PIAWireguard.py#L399

I would assume an issue with the opnsenseWGPubkey the script is retrieving from OPNsense. Does the script pick it up correctly? The script does print this information when in debug mode.


I can provide remote support if required.
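The diagnosis above (addKey returning a non-200 status because the public key pulled from OPNsense is wrong or blank) suggests validating the key before it ever leaves the box. This is an added example, not code from the PIAWireguard.py script: it checks that what OPNsense returned is a well-formed WireGuard public key (32 bytes of base64), selects the instance by name, and only then builds the addKey parameters. The `rows`/`uuid`/`name`/`pubkey` layout is assumed to mirror the generic OPNsense search-API grid, the `pt`/`pubkey` parameter names are taken from PIA's published manual-connection scripts and are an assumption here, and the rows are constructed sample data.

```python
"""Validate the WireGuard instance public key before PIA's addKey exchange.

Added example; not the PIAWireguard.py code. The row layout and the addKey parameter
names are assumptions (see lead-in); SAMPLE_ROWS is constructed data.
"""
import base64
import binascii

# A real key would come from the OPNsense API; here it is synthesised from 32 fixed bytes.
VALID_KEY = base64.b64encode(bytes(range(32))).decode()

# Constructed stand-in for the searchServer grid: one good instance, one whose pubkey
# came back empty (the failure mode discussed in the thread).
SAMPLE_ROWS = [
    {"uuid": "uuid-uk", "name": "PIAUK", "pubkey": VALID_KEY},
    {"uuid": "uuid-ca", "name": "PIACA", "pubkey": ""},
]


def is_wireguard_key(key):
    """WireGuard keys are 32 Curve25519 bytes, base64 encoded: 44 characters ending in '='."""
    if not isinstance(key, str) or len(key) != 44 or not key.endswith("="):
        return False
    try:
        raw = base64.b64decode(key, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 32


def find_instance(rows, name):
    """Pick the WireGuard instance row by name and fail loudly if its public key is unusable,
    instead of letting the remote side reject it with an opaque non-200 status."""
    matches = [r for r in rows if r.get("name") == name]
    if len(matches) != 1:
        raise LookupError("expected exactly one instance named %r, found %d" % (name, len(matches)))
    row = matches[0]
    if not is_wireguard_key(row.get("pubkey", "")):
        raise ValueError("instance %r (uuid %s) has no valid public key: %r"
                         % (name, row.get("uuid"), row.get("pubkey")))
    return row


def addkey_params(token, pubkey):
    """Query parameters for the addKey request (parameter names are an assumption)."""
    if not token:
        raise ValueError("empty PIA token")
    if not is_wireguard_key(pubkey):
        raise ValueError("refusing to send an invalid public key to PIA")
    return {"pt": token, "pubkey": pubkey}


if __name__ == "__main__":
    inst = find_instance(SAMPLE_ROWS, "PIAUK")
    print("instance", inst["uuid"], "pubkey OK")
    print(addkey_params("token-redacted", inst["pubkey"]))
    try:
        find_instance(SAMPLE_ROWS, "PIACA")
    except ValueError as e:
        print("would have failed addKey:", e)
```

The point of the check is the error message: a blank or truncated key now names the instance and its UUID locally, which is the information the debug output in this thread was missing.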

You're really on the ball - thanks for monitoring this thread so closely!

A little more playing around and I currently have all gateways up and running again.

One of the issues had been that I was editing the PIAWireguard.py file on my desktop, and had forgotten to copy it back across to OPNsense.  Schoolboy error I'm afraid  :-[

I'm now showing 3 different public IP addresses.

Before going any further I'll see if I can get the Cron jobs set up, then I'll look a bit more closely at my firewall rules.  Still trying to get the hang of those, but so far the UK streaming sites are not working for me.

Quote from: Learning on August 22, 2021, 01:19:02 AM
You're really on the ball - thanks for monitoring this thread so closely!

A little more playing around and I currently have all gateways up and running again.

One of the issues had been that I was editing the PIAWireguard.py file on my desktop, and had forgotten to copy it back across to OPNsense.  Schoolboy error I'm afraid  :-[

I'm now showing 3 different public IP addresses.

Before going any further I'll see if I can get the Cron jobs set up, then I'll look a bit more closely at my firewall rules.  Still trying to get the hang of those, but so far the UK streaming sites are not working for me.

Streaming can be a tricky one; you may need to use PIA DNS servers, as PIA do some DNS trickery to get streaming services working. But if you look in the regions list you'll see uk_2, which is described as a streaming-optimised region, so you may need to use that region id in your setup; failing that, PIA DNS may be required.

Cron Jobs should be pretty easy.

Make sure your action file contains actions for all 3 setups, then reload the configd. Then the 3 actions will appear in the cron section of the webui.

Quote from: FingerlessGloves on August 22, 2021, 01:23:26 AM

Streaming can be a tricky one; you may need to use PIA DNS servers, as PIA do some DNS trickery to get streaming services working. But if you look in the regions list you'll see uk_2, which is described as a streaming-optimised region, so you may need to use that region id in your setup; failing that, PIA DNS may be required.

Cron Jobs should be pretty easy.

Make sure your action file contains actions for all 3 setups, then reload the configd. Then the 3 actions will appear in the cron section of the webui.

Yes, I just confirmed that the actions file has all 3 setups contained within it.
There are 3 distinct entries in Cron now as well.  So I guess that's good.

I have selected the uk_2 server for British streaming.

I think you might be onto something with the DNS holding me back.
Ideally I would like to capture the DNS and route appropriately for each tunnel, although it looks as though all tunnels utilise the same internal IP addresses for DNS.

I am attempting to make sense of https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html#dealing-with-dns-leaks in order to route the DNS appropriately.  In fact I had started a separate thread about it a few days ago at https://forum.opnsense.org/index.php?topic=24416.0, but as yet don't have it working.



Quote from: Learning on August 22, 2021, 01:44:09 AM
Yes, I just confirmed that the actions file has all 3 setups contained within it.
There are 3 distinct entries in Cron now as well.  So I guess that's good.

I have selected the uk_2 server for British streaming.

I think you might be onto something with the DNS holding me back.
Ideally I would like to capture the DNS and route appropriately for each tunnel, although it looks as though all tunnels utilise the same internal IP addresses for DNS.

I am attempting to make sense of https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html#dealing-with-dns-leaks in order to route the DNS appropriately.  In fact I had started a separate thread about it a few days ago at https://forum.opnsense.org/index.php?topic=24416.0, but as yet don't have it working.


Sounds like you're on the right track now. Just create the cron jobs to run each of those actions every 5 or 10 minutes.

DNS wise, what you need to do is set the PIA DNS on the clients via DHCP (or manually) to 10.0.0.243, then in the firewall rules you allow traffic to 10.0.0.243 but using the PIA gateway you need. That should then push the DNS traffic down the tunnel to the DNS server for that region :-)


Also this may be handy information.
https://www.privateinternetaccess.com/helpdesk/kb/articles/streaming-with-pia

August 22, 2021, 02:09:19 AM #24 Last Edit: August 22, 2021, 03:21:46 AM by Learning
I am trying to do URL-based routing.  Perhaps what I am attempting is not quite possible.

For any given client, if you enter CNN.com you will be routed via the US VPN gateway.
On the same client if you enter bbc.com you will be routed via the UK VPN gateway.
For all other destinations, routing is done via the default VPN gateway unless the client device is in my exclude list.
The exclude list is a direct WAN connection to the ISP.

The goal is to enable automatic routing behind the scenes.  It is working for basic websites, but not the streaming platforms.
I feel like I'm so close...

Hmm...I've installed the latest version of the script, and it has stopped working for me.  I've done something stupid, I'm sure, but I don't know what.

Can anyone help?

root@OPNsense:~ # /conf/PIAWireguard.py debug
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/urllib3/connection.py", line 169, in _new_conn
    conn = connection.create_connection(
  File "/usr/local/lib/python3.8/site-packages/urllib3/util/connection.py", line 96, in create_connection
    raise err
  File "/usr/local/lib/python3.8/site-packages/urllib3/util/connection.py", line 86, in create_connection
    sock.connect(sa)
TimeoutError: [Errno 60] Operation timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 699, in urlopen
    httplib_response = self._make_request(
  File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 382, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 1010, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.8/site-packages/urllib3/connection.py", line 353, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python3.8/site-packages/urllib3/connection.py", line 181, in _new_conn
    raise NewConnectionError(
urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPSConnection object at 0xcb2553f610>: Failed to establish a new connection: [Errno 60] Operation timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 755, in urlopen
    retries = retries.increment(
  File "/usr/local/lib/python3.8/site-packages/urllib3/util/retry.py", line 574, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with url: /api/wireguard/server/searchServer/ (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0xcb2553f610>: Failed to establish a new connection: [Errno 60] Operation timed out'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/conf/PIAWireguard.py", line 202, in <module>
    r = requests.get(f'{opnsenseURL}/api/wireguard/server/searchServer/', auth=(config['opnsenseKey'], config['opnsenseSecret']), verify=urlVerify)
  File "/usr/local/lib/python3.8/site-packages/requests/api.py", line 76, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/requests/api.py", line 61, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.8/site-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/requests/adapters.py", line 516, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with url: /api/wireguard/server/searchServer/ (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0xcb2553f610>: Failed to establish a new connection: [Errno 60] Operation timed out'))
root@OPNsense:~ #

Quote from: richardk3 on September 26, 2021, 03:49:43 PM
Hmm...I've installed the latest version of the script, and it has stopped working for me.  I've done something stupid, I'm sure, but I don't know what.

Can anyone help?

root@OPNsense:~ # /conf/PIAWireguard.py debug
...
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with url: /api/wireguard/server/searchServer/ (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0xcb2553f610>: Failed to establish a new connection: [Errno 60] Operation timed out'))
root@OPNsense:~ #


Error messages are saying they can't connect to the web interface.

Have you changed its port?
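The traceback shows the script waiting out a 60-second TCP timeout against 127.0.0.1:443 before failing, which is the symptom of an opnsenseURL in PIAWireguard.json that no longer matches the web GUI's scheme or port. The following is an added example, not code from PIAWireguard.py: it parses the configured URL, probes the port with a short timeout, and prints a hint when nothing is listening. It assumes the JSON holds an "opnsenseURL" key (the name the traceback uses) and that the file sits beside the script; the loopback listener helper exists only so the check can be exercised offline.

```python
"""Preflight the OPNsense API URL from PIAWireguard.json before making API calls.

Added example; not part of PIAWireguard.py. Assumes an "opnsenseURL" key in the JSON
(the name seen in the traceback). Default ports 443/80 are standard URL behaviour.
"""
import json
import socket
import sys
from urllib.parse import urlsplit

PROBE_TIMEOUT = 2.0  # seconds; assumption, chosen so a wrong port fails fast, not after 60 s


def parse_api_url(url):
    """Return (scheme, host, port), filling in the default port for the scheme."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("opnsenseURL must look like http(s)://host[:port], got %r" % url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, parts.hostname, port


def probe_tcp(host, port, timeout=PROBE_TIMEOUT):
    """Return (reachable, detail). Only a TCP connect: it proves something listens,
    not that it is the OPNsense GUI or that the API key is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "%s:%d accepts connections" % (host, port)
    except OSError as e:
        return False, "%s:%d: %s" % (host, port, e)


def preflight(config):
    """Check the configured URL and return a structured result with a human-readable hint."""
    scheme, host, port = parse_api_url(config["opnsenseURL"])
    reachable, detail = probe_tcp(host, port)
    hints = []
    if not reachable:
        other = "http" if scheme == "https" else "https"
        hints.append("nothing listening on %s:%d; if the web GUI was switched to %s or to "
                     "another port, update opnsenseURL in PIAWireguard.json" % (host, port, other))
    return {"scheme": scheme, "host": host, "port": port,
            "reachable": reachable, "detail": detail, "hints": hints}


def open_loopback_listener():
    """Bind an ephemeral loopback port so the probe can be exercised offline; returns (sock, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "PIAWireguard.json"
    with open(path) as fh:
        result = preflight(json.load(fh))
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["reachable"] else 1)
```

Run it with the path to PIAWireguard.json after any change to the GUI listener (System > Settings > Administration); a non-zero exit is the cue to fix opnsenseURL rather than the script.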

Quote from: FingerlessGloves
Error messages are saying they can't connect to the web interface.

Have you changed its port?

Wow, thanks for the instantaneous reply and solution!

I had changed from https to http, and hadn't changed the line in PIAWireguard.json.

It's working now!

Quote from: richardk3 on September 26, 2021, 03:57:38 PM
Quote from: FingerlessGloves
Error messages are saying they can't connect to the web interface.

Have you changed its port?

Wow, thanks for the instantaneous reply and solution!

I had changed from https to http, and hadn't changed the line in PIAWireguard.json.

It's working now!

Glad to hear it's working 💪

FG,

I am trying to add my second tunnel according to your instructions on the bottom of page one, but I am getting the same error as Learning:

wireguardserver addKey request failed non 200 status code - Trying to add instance public key to server in exchnage for connection information

A search on the word 'exchnage' shows the script is choking at line 575.

I have a different name, port, and region ID in PIAWireguard.json, and I've renamed the script to indicate the different region so I don't get confused (and added the action lines as well).

This is the output:

WGInstanceUUID:
WGPeerUUID:
WGInstance:
WGPeer:
WGPeer is blank but this isn't an issue
metaServer
toronto438
178.249.214.97
wgServer
toronto438
178.249.214.109
Your PIA Token (Meta), DO NOT GIVE THIS TO ANYONE
{
    "status": "OK",
    "token": "redacted"
}

wireguardserver addKey request failed non 200 status code - Trying to add instance public key to server in exchnage for connection information


Your previous comment mentions that the script prints out `opnsenseWGPubkey` but I don't see that displayed in the debug output or have any reason to believe it's incorrect (?).

Any other ideas?  I don't know how to interact with PIA's API to get my own wireguard key and set it all up manually (but I suppose I could read your URLs and figure that out :P )

The script worked perfectly on the first tunnel, so thanks for all the hard work!

Cheers!