# Private Internet Access Client (OpenVPN, Alpine and DNS over TLS with Unbound)

Docker VPN client for Private Internet Access servers using [OpenVPN](https://openvpn.net/) and [Cloudflare DNS 1.1.1.1 over TLS](https://developers.cloudflare.com/1.1.1.1/dns-over-tls).
Optionally set the protocol (TCP, UDP) and the level of encryption using Docker environment variables.
| Download size | Image size | RAM usage | CPU usage |
| --- | --- | --- | --- |
| 5.6MB | 13.5MB | 12MB | Low |

It is based on:

- [Alpine 3.7](https://alpinelinux.org)
- [OpenVPN 2.4.5-r1](https://pkgs.alpinelinux.org/package/edge/main/ppc64le/openvpn)
- [Unbound 1.7.0-r2](https://pkgs.alpinelinux.org/package/edge/main/aarch64/unbound)
- Ca-Certificates for the healthcheck (through HTTPS)

It requires:

- A Private Internet Access **username** and **password** - [Sign up](https://www.privateinternetaccess.com/pages/buy-vpn/)
- [Docker](https://docs.docker.com/install/) installed on the host

The PIA *.ovpn* configuration files are downloaded from
[the PIA website](https://www.privateinternetaccess.com/openvpn/openvpn.zip)
when the Docker image is built. You can build the image yourself if you are paranoid.

Cloudflare **DNS 1.1.1.1 over TLS** is used to resolve the domain name of any PIA server you connect to, for multiple reasons:

- A man-in-the-middle (ISP, hacker, government) can't block you from resolving the PIA server domain name.
  *For example, `austria.privateinternetaccess.com` maps to `185.216.34.229`.*
- A man-in-the-middle (ISP, hacker, government) can't see from your DNS queries which server you connect to, nor when.
  *As the domain names are sent to 1.1.1.1 over TLS, there is no way to examine which domains you are asking to be resolved.*

## Setup

1. Make sure the `/dev/net/tun` device is set up on your host with one of the following commands, depending on your OS:

    ```bash
    insmod /lib/modules/tun.ko
    ```

    Or

    ```bash
    sudo modprobe tun
    ```

1. Create a network to be used by this container and other containers connecting to it with:

    ```bash
    docker network create pianet
    ```

1. Create a file *auth.conf* in `/yourhostpath` (for example), with:
    - On the first line: your PIA username (e.g. `js89ds7`)
    - On the second line: your PIA password (e.g. `8fd9s239G`)

### Using Docker only

1. Run the container with (at least change `/yourhostpath` to your actual path):

    ```bash
    docker run -d --restart=always --name=pia \
    --cap-add=NET_ADMIN --device=/dev/net/tun --network=pianet \
    -v /yourhostpath/auth.conf:/auth.conf:ro \
    -e REGION=Germany -e PROTOCOL=udp -e ENCRYPTION=normal \
    qmcgaw/private-internet-access
    ```

    Note that you can change `REGION`, `PROTOCOL` and `ENCRYPTION`.
    See the [Environment variables section](#environment-variables).
1. Wait about 5 seconds for it to connect to the PIA server. You can check with:

    ```bash
    docker logs pia
    ```

1. Follow the [**Testing section**](#testing)

### Using Docker Compose
1. Download [**docker-compose.yml**](https://github.com/qdm12/private-internet-access-docker/blob/master/docker-compose.yml)
1. Edit it and change at least `yourpath`
1. Run the container as a daemon in the background with:

    ```bash
    docker-compose up -d
    ```

    Note that you can change `REGION`, `PROTOCOL` and `ENCRYPTION`.
    See the [Environment variables section](#environment-variables).
1. Wait about 5 seconds for it to connect to the PIA server. You can check with:

    ```bash
    docker logs pia
    ```

1. Follow the [**Testing section**](#testing)

## Testing

Note that you can simply use the `HEALTHCHECK` provided. The container will stop by itself
if the VPN IP is the same as your initial public IP address.
Otherwise you can follow these instructions:

1. Check your host IP address with:

    ```bash
    curl -s ifconfig.co
    ```

1. Run the **curl** Docker container using your *pia* container with:

    ```bash
    docker run --rm --network=container:pia byrnedo/alpine-curl ifconfig.co
    ```

    If an IP address is displayed and it is different from your host IP address,
    the PIA client should fully work!
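
The two manual steps above can be scripted so that an empty or non-IP reply (tunnel down, error page) is not mistaken for a working VPN. This is an added example, not part of the original project: the function names, verdict strings and exit codes are its own, and it assumes IPv4 lookups (`-4`) and that the `byrnedo/alpine-curl` image passes its arguments to curl as in the command above.

```bash
#!/bin/sh
# Added example: scripted form of the manual check in the Testing section.
# Function names, messages and exit codes are this example's own.

# is_ipv4 ADDR: succeed only if ADDR is a dotted-quad IPv4 address.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;  # empty, stray characters, empty octet
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# vpn_verdict HOST_IP VPN_IP: print a verdict; return 0 only when the IP seen
# through the pia container is valid and differs from the host's public IP.
vpn_verdict() {
    if ! is_ipv4 "$1"; then
        echo "UNKNOWN: could not determine the host public IP"; return 3
    fi
    if ! is_ipv4 "$2"; then
        echo "DOWN: no valid IP returned through the pia container"; return 2
    fi
    if [ "$1" = "$2" ]; then
        echo "LEAK: container traffic exits with the host IP $1"; return 1
    fi
    echo "OK: container exits via $2, host is $1"
}

# Live check against the running container: sh check-vpn.sh live
# -4 restricts both lookups to IPv4 (an assumption of this example).
if [ "${1:-}" = "live" ]; then
    host_ip=$(curl -4 -s --max-time 10 ifconfig.co)
    vpn_ip=$(docker run --rm --network=container:pia byrnedo/alpine-curl \
        -4 -s --max-time 10 ifconfig.co)
    vpn_verdict "$host_ip" "$vpn_ip"
    exit $?
fi
```

Exit code 1 means the container shares the host's public IP, 2 means nothing usable came back through the container, and 3 means the host lookup itself failed.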
## Environment variables
| Environment variable | Default | Description |
| --- | --- | --- |
| `REGION` | `Switzerland` | Any one of the [regions supported by private internet access](https://www.privateinternetaccess.com/pages/network/) |
| `PROTOCOL` | `tcp` | `tcp` or `udp` |
| `ENCRYPTION` | `strong` | `normal` or `strong` |

If you know what you're doing, you can change the container name (`pia`),
the hostname (`piaclient`) and the network name (`pianet`) as well.

## Connect other containers to it
Connect other Docker containers to the PIA VPN connection by adding
`--network=container:pia` when launching them.

---

## EXTRA: Access ports of containers connected to the VPN container

You have to use another container acting as a reverse proxy, such as Nginx.

**Example**:

- A *Deluge* container with name **deluge** connected to the `pia` container with `--network=container:pia`
- Deluge's WebUI runs on TCP port 8112

1. Create the Nginx configuration file *nginx.conf*:

    ```
    user nginx;
    worker_processes 1;
    error_log /var/log/nginx/error.log warn;
    pid /var/run/nginx.pid;
    events {
        worker_connections 1024;
    }
    http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
        access_log /var/log/nginx/access.log main;
        sendfile on;
        keepalive_timeout 65;
        server {
            listen 80;
            location / {
                proxy_pass http://deluge:8112/;
                proxy_set_header X-Deluge-Base "/";
            }
        }
        include /etc/nginx/conf.d/*.conf;
    }
    ```

1. Run the Alpine [Nginx container](https://hub.docker.com/_/nginx) with:

    ```bash
    docker run -d --restart=always --name=proxypia -p 8000:80 \
    --network=pianet --link pia:deluge \
    -v /mypathto/nginx.conf:/etc/nginx/nginx.conf:ro nginx:alpine
    ```

1. Access the WebUI of Deluge at [localhost:8000](http://localhost:8000)

For more containers, add more `--link pia:xxx` and modify *nginx.conf* accordingly.

## EXTRA: For the paranoids
- You might want to build the image yourself
- The download and unzipping is done at build time, for those who are not able to download the zip files through their ISPs.
- Checksums for PIA openvpn zip files are not used as these files change often
- You should use strong encryption for the environment variable `ENCRYPTION`