GUIDE: Setting up Transmission with OpenVPN and PIA

Scharbag

Guru
Joined
Feb 1, 2012
Messages
620
PIA seems to have switched to NextGen and as such, port forwarding seems to be broken. It may have something to do with the following address no longer being valid:

Code:
https://www.privateinternetaccess.com/vpninfo/port_forward_assignment


Just wondering if anyone has an updated address for the port forward assignment.

Thanks.
 

weingeist

Dabbler
Joined
Feb 6, 2017
Messages
30
I am also struggling a lot with the new PIA servers. My transmission is virtually inactive due to this. I had a script according to post #21 of this thread:
There's a setup for pfsense port forwarding through PIA here: https://forum.pfsense.org/index.php?topic=71725.0

Now all I get is {"error":"Port forwarding not available for this region"}

After some research I found this:

It reads "If you are using OpenVPN, you can find the gateway by checking the routing table with ip route s t all." Does anybody know how this translates to FreeBSD? I assume it to be a Linux command.
 

weingeist

Dabbler
Joined
Feb 6, 2017
Messages
30
You may want to check out my script for PIA's 4 gen servers.
Dude, you're my hero. Thank you very much! That's what I call fast help : )

The only thing I needed to add was authentication from my old script for Transmission

Line 88:
Code:
json="$(transmission-remote --auth "${RPCUSER}:${RPCPASSWORD}" -pt 2>&1)"


Line 199:
Code:
if ! transmission-remote --auth "${RPCUSER}:${RPCPASSWORD}" -p "${PORTNUM}" &> /dev/null; then


as well as setting the two variables RPCUSER and RPCPASSWORD in the beginning.
 

dak180

Patron
Joined
Nov 22, 2017
Messages
310
The only thing I needed to add was authentication from my old script for Transmission

Line 88:
Code:
json="$(transmission-remote --auth "${RPCUSER}:${RPCPASSWORD}" -pt 2>&1)"


Line 199:
Code:
if ! transmission-remote --auth "${RPCUSER}:${RPCPASSWORD}" -p "${PORTNUM}" &> /dev/null; then


as well as setting the two variables RPCUSER and RPCPASSWORD in the beginning.
The reason I do not have that in my script is that rather than password auth I whitelist IP addresses instead. Because I am in a position to control IP assignments on my network, I find it is a much simpler way to work.
 

alwu

Dabbler
Joined
Jan 24, 2018
Messages
36
PIA just released some new scripts to connect to their new servers. Connecting via WireGuard is now available.

https://www.privateinternetaccess.c...manual-connection-and-port-forwarding-scripts

I tried them out and it was relatively painless. One thing that didn't work for me was port forwarding. A downside to these scripts is that they need to be run manually, so they need to be run every time the jail is restarted. I don't know how to get them to run during jail startup.

Here are a few things I had to do to get the scripts to work.
  • Install packages for curl, jq, bash, base64, and wireguard (pkg install curl jq bash base64 wireguard).
  • Update all the sh scripts with the correct location for bash. The scripts assume /bin/bash, but for me it was /usr/local/bin/bash.
  • I had to increase the latency so the scripts could find servers to connect to. I suggest trying the default latency first and then increasing it if needed.
  • The tunnel interface that got created was called pia instead of tun0, so the firewall rules (/etc/ipfw.rules) needed to be updated to use the new tunnel name.
 

alwu

Dabbler
Joined
Jan 24, 2018
Messages
36
I tried running the new PIA scripts again and this time port forwarding worked. The instructions from PIA say that if you enable port forwarding, you need to keep the terminal window open. This is because the script will send a keep-alive signal to the server every 15 minutes until the port expires in 2 months. Instead of doing that, I ran the setup script with nohup and then put it in the background.
Code:
nohup ./run_setup.sh
Provide the information asked for by the prompts.
Wait until the script looks like it's done. It's actually sleeping for 15 minutes.
Ctrl-Z (to suspend the job).
bg (to put the job into the background).

port_forwarding.sh as is from PIA will output an error message about an illegal option for the date command. This is OK and won't affect the port creation. But if you want to fix it, here are the edits I made.

original code
Code:
expires_at="$(echo "$payload" | base64 -d | jq -r '.expires_at')"

modified code
Code:
expires_at="$(echo "$payload" | base64 -d | jq -r '.expires_at')"
expires_at="$(echo "$expires_at" | cut -d . -f1)"
expires_at="${expires_at}UTC"

original code
Code:
This port will expire on $(date --date="$expires_at")

modified code
Code:
This port will expire on $(date -j -f %Y-%m-%dT%H:%M:%S%Z "$expires_at")
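An added example (not PIA's port_forwarding.sh and not the edit above): a small shell version of the same expires_at handling that also copes with a timestamp that has no fractional seconds (where cutting on the dot would leave the Z in place) and that converts to epoch seconds on both BSD and GNU date. The sample timestamp is constructed.

```shell
#!/bin/sh
# Added example, not PIA's port_forwarding.sh: make the expires_at timestamp
# from the port-forward payload parseable by both BSD date (FreeBSD jails)
# and GNU date (Linux), covering the case the cut-on-dot edit misses.

# Normalise "2021-01-15T10:20:30.123456789Z" (constructed sample format) to
# "2021-01-15T10:20:30UTC": drop fractional seconds, drop a trailing Z,
# append UTC. Works whether or not fractional seconds are present.
normalize_expiry() {
    v=${1%%.*}      # strip from the first dot onward (fraction and Z)
    v=${v%Z}        # strip a bare trailing Z when there was no fraction
    printf '%s\n' "${v}UTC"
}

# Convert the normalised timestamp to epoch seconds on either date(1).
expiry_epoch() {
    n=$(normalize_expiry "$1")
    if date --version >/dev/null 2>&1; then
        # GNU date has no -j/-f; hand it "YYYY-MM-DD HH:MM:SS UTC" instead.
        d=${n%%T*}
        t=${n#*T}
        date -u -d "$d ${t%UTC} UTC" +%s
    else
        # BSD date: explicit input format, as in the forum fix above.
        date -j -u -f '%Y-%m-%dT%H:%M:%S%Z' "$n" +%s
    fi
}

# Whole days left before the port expires, given the current epoch time.
days_left() {
    echo $(( ($(expiry_epoch "$1") - $2) / 86400 ))
}

# Demo with a constructed payload value (prints only).
SAMPLE_EXPIRES='2021-01-15T10:20:30.123456789Z'
echo "Port expires at $(normalize_expiry "$SAMPLE_EXPIRES") (epoch $(expiry_epoch "$SAMPLE_EXPIRES"))"
```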
 

Dave-g08

Dabbler
Joined
Sep 29, 2014
Messages
22
Thanks for the script @dak180 !
I've had to recreate my transmission jail. I've tried the script but get the following error:
Code:
| VPN connection up.
curl: (45) Couldn't bind to ''
| Acquired new auth token.
| Failed to acquire new auth token.
ifconfig: interface  does not exist
curl: (3) URL using bad/illegal format or missing URL
| Acquired new Signature.
| Status is not ok.
| Closed port detected.
| Loading port forward assignment information..
| Garbled data:
| Cannot set the port.


My ifconfig settings are:
Code:
root@transmission:~ # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=0<> metric 0 mtu 33160
    groups: pflog
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:ff:60:03:aa:47
    hwaddr 02:89:a3:9e:7f:0b
    inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
    groups: epair
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    nd6 options=1<PERFORMNUD>


Any suggestions?
 

dak180

Patron
Joined
Nov 22, 2017
Messages
310
Thanks for the script @dak180 !
I've had to recreate my transmission jail. I've tried the script but get the following error:
Code:
| VPN connection up.
curl: (45) Couldn't bind to ''
| Acquired new auth token.
| Failed to acquire new auth token.
ifconfig: interface  does not exist
curl: (3) URL using bad/illegal format or missing URL
| Acquired new Signature.
| Status is not ok.
| Closed port detected.
| Loading port forward assignment information..
| Garbled data:
| Cannot set the port.

Any suggestions?
I am not sure why it is saying that the VPN is up when there is no tun0 in ifconfig, but that seems to indicate to me that the VPN is not working correctly. You might look in /var/log/messages in the jail to see what might be going on there.
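As an added example (not dak180's script or anything from this thread): a preflight check for the cron job that parses ifconfig output and refuses to set the Transmission port unless a tun interface is RUNNING with an inet address, plus a sanity check on the port value. The ifconfig samples are constructed; the live wrapper assumes ifconfig and transmission-remote are on PATH.

```shell
#!/bin/sh
# Added example, not part of dak180's pia-port-foward.sh or PIA's scripts:
# refuse to push a forwarded port into Transmission unless a tun interface
# is RUNNING and has an IPv4 address. Parses ifconfig(8) text on stdin so
# the check can be exercised on captured output.

# Print the first RUNNING tunN interface that has an inet address;
# print nothing and exit 1 if there is none.
tun_with_inet() {
    awk '
        # Header line, e.g. "tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> ..."
        /^[a-z0-9]+: flags=/ {
            iface = $1; sub(/:$/, "", iface)
            running = ($0 ~ /[<,]RUNNING[,>]/)
        }
        # Indented "inet A.B.C.D ..." line belonging to that interface
        /^[ \t]+inet [0-9.]+/ && iface ~ /^tun[0-9]+$/ && running {
            print iface; found = 1; exit
        }
        END { exit found ? 0 : 1 }
    '
}

# Reject anything that is not a plausible TCP port before it reaches
# transmission-remote (the "Garbled data / Cannot set the port" case).
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Cron-side wrapper: only touch Transmission when the tunnel is really up.
# Assumes the live ifconfig(8) and transmission-remote are on PATH.
set_port_if_vpn_up() {
    port=$1
    if ! valid_port "$port"; then
        echo "refusing to set port: '$port' is not a valid port" >&2
        return 1
    fi
    if ! iface=$(ifconfig | tun_with_inet); then
        echo "no running tun interface with an inet address; not setting port $port" >&2
        return 1
    fi
    echo "tunnel $iface is up, setting Transmission peer port to $port"
    transmission-remote -p "$port"
}

# Constructed, abridged ifconfig samples: the first mirrors the jail above
# (lo0 and epair0b only), the second adds a healthy tun0, the third a tun0
# that exists but never got an address.
SAMPLE_NO_TUN='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    inet 127.0.0.1 netmask 0xff000000
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255'
SAMPLE_TUN="$SAMPLE_NO_TUN
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    inet 10.194.1.6 --> 10.194.1.5 netmask 0xffffffff"
SAMPLE_TUN_DOWN="$SAMPLE_NO_TUN
tun0: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500"

# Demo on the constructed samples (prints only).
for s in "$SAMPLE_NO_TUN" "$SAMPLE_TUN" "$SAMPLE_TUN_DOWN"; do
    if iface=$(printf '%s\n' "$s" | tun_with_inet); then
        echo "would set port: $iface is up"
    else
        echo "would NOT set port: no usable tun interface"
    fi
done
```

Calling set_port_if_vpn_up from the cron job instead of transmission-remote directly means a missing tunnel produces a non-zero exit (and a cron mail) rather than a port silently pushed into a client whose traffic is not going through the VPN.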
 

Scharbag

Guru
Joined
Feb 1, 2012
Messages
620
PIA just changed a bunch of their sh!te to the NextGen configs.

Try running the following to see if your setup is working properly:

Code:
openvpn --config /usr/local/etc/pia_openvpn/pia_vpn.conf
with the directory and file names that match your system. See what the response looks like. It should be something like this:

Code:
Sun Dec 27 09:06:07 2015 OpenVPN 2.3.9 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Dec 22 2015
Sun Dec 27 09:06:07 2015 library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
Sun Dec 27 09:06:08 2015 UDPv4 link local: [undef]
Sun Dec 27 09:06:08 2015 UDPv4 link remote: [AF_INET]66.55.134.213:1194
Sun Dec 27 09:06:09 2015 [Private Internet Access] Peer Connection Initiated with [AF_INET]66.55.134.213:1194
Sun Dec 27 09:06:12 2015 TUN/TAP device /dev/tun0 opened
Sun Dec 27 09:06:12 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Dec 27 09:06:12 2015 /sbin/ifconfig tun0 10.194.1.6 10.194.1.5 mtu 1500 netmask 255.255.255.255 up
add net 66.55.134.213: gateway 192.168.50.1
add net 0.0.0.0: gateway 10.194.1.5
add net 128.0.0.0: gateway 10.194.1.5
add net 10.194.1.1: gateway 10.194.1.5
Sun Dec 27 09:06:12 2015 Initialization Sequence Completed


Cheers,
 

Dave-g08

Dabbler
Joined
Sep 29, 2014
Messages
22
Thanks for the replies @dak180 and @Scharbag

openvpn --config returns:
Code:
Thu Nov 19 11:09:04 2020 OpenVPN 2.4.9 amd64-portbld-freebsd12.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct  4 2020
Thu Nov 19 11:09:04 2020 library versions: OpenSSL 1.1.1d-freebsd  10 Sep 2019, LZO 2.10
Thu Nov 19 11:09:04 2020 CRL: loaded 1 CRLs from file /usr/local/etc/openvpn/crl.rsa.2048.pem
Thu Nov 19 11:09:04 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]184.170.241.194:1198
Thu Nov 19 11:09:04 2020 UDP link local: (not bound)
Thu Nov 19 11:09:04 2020 UDP link remote: [AF_INET]184.170.241.194:1198
Thu Nov 19 11:10:04 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Nov 19 11:10:04 2020 TLS Error: TLS handshake failed
Thu Nov 19 11:10:04 2020 SIGUSR1[soft,tls-error] received, process restarting


var log mentions:
Code:
Nov 19 11:11:21 transmission openvpn[87363]: TCP/UDP: Preserving recently used remote address: [AF_INET]184.170.242.199:1198
Nov 19 11:11:21 transmission openvpn[87363]: UDP link local: (not bound)
Nov 19 11:11:21 transmission openvpn[87363]: UDP link remote: [AF_INET]184.170.242.199:1198
Nov 19 11:12:21 transmission openvpn[87363]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Nov 19 11:12:21 transmission openvpn[87363]: TLS Error: TLS handshake failed
Nov 19 11:12:21 transmission openvpn[87363]: SIGUSR1[soft,tls-error] received, process restarting


These are my IPFW rules
Code:
# Allow internal traffic
add 03000 allow ip from 192.168.1.4/24 to 192.168.1.0/24 keep-state
add 03000 allow ip from 192.168.1.0/24 to 192.168.1.4/24 keep-state

# Allow access to Entrance IP for VPN
add 04000 allow ip from 192.168.1.4/24 to <IP of VPN Entrance Node> keep-state

# Allow any traffic over the VPN interface
add 05000 allow ip from any to any via tun*

# Deny any other traffic
add 65534 deny ip from any to any


As you mentioned, it appears tun0 doesn't exist. Is there anything I need to do in FreeNAS or the jail to create it?
 

Scharbag

Guru
Joined
Feb 1, 2012
Messages
620
Thanks for the replies @dak180 and @Scharbag

openvpn --config returns:
Code:
Thu Nov 19 11:09:04 2020 OpenVPN 2.4.9 amd64-portbld-freebsd12.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct  4 2020
Thu Nov 19 11:09:04 2020 library versions: OpenSSL 1.1.1d-freebsd  10 Sep 2019, LZO 2.10
Thu Nov 19 11:09:04 2020 CRL: loaded 1 CRLs from file /usr/local/etc/openvpn/crl.rsa.2048.pem
Thu Nov 19 11:09:04 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]184.170.241.194:1198
Thu Nov 19 11:09:04 2020 UDP link local: (not bound)
Thu Nov 19 11:09:04 2020 UDP link remote: [AF_INET]184.170.241.194:1198
Thu Nov 19 11:10:04 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Nov 19 11:10:04 2020 TLS Error: TLS handshake failed
Thu Nov 19 11:10:04 2020 SIGUSR1[soft,tls-error] received, process restarting


var log mentions:
Code:
Nov 19 11:11:21 transmission openvpn[87363]: TCP/UDP: Preserving recently used remote address: [AF_INET]184.170.242.199:1198
Nov 19 11:11:21 transmission openvpn[87363]: UDP link local: (not bound)
Nov 19 11:11:21 transmission openvpn[87363]: UDP link remote: [AF_INET]184.170.242.199:1198
Nov 19 11:12:21 transmission openvpn[87363]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Nov 19 11:12:21 transmission openvpn[87363]: TLS Error: TLS handshake failed
Nov 19 11:12:21 transmission openvpn[87363]: SIGUSR1[soft,tls-error] received, process restarting


These are my IPFW rules
Code:
# Allow internal traffic
add 03000 allow ip from 192.168.1.4/24 to 192.168.1.0/24 keep-state
add 03000 allow ip from 192.168.1.0/24 to 192.168.1.4/24 keep-state

# Allow access to Entrance IP for VPN
add 04000 allow ip from 192.168.1.4/24 to <IP of VPN Entrance Node> keep-state

# Allow any traffic over the VPN interface
add 05000 allow ip from any to any via tun*

# Deny any other traffic
add 65534 deny ip from any to any


As you mentioned, it appears tun0 doesn't exist. Is there anything I need to do in FreeNAS or the jail to create it?

Double check where you are connecting to. As I said, PIA changed stuff recently. Big change is this:

Code:
old address: <location>.privateinternetaccess.com <port>
new address: <location>.privacy.network <port>


Your error looks very similar to the one I just dealt with last week as PIA is changing everything to their new NextGen server infrastructure. Even the OS X, Windows and iOS applications needed to be updated to allow connectivity.

Cheers,
 

Mannekino

Patron
Joined
Nov 14, 2012
Messages
332
For those having issues with port forwarding, NextGen servers and IPv6-related error messages: I've put everything I've done to get it working in this post: https://github.com/pia-foss/manual-connections/issues/30#issuecomment-721326610

Content below:

I managed to fix all the issues I was having with the update to OpenVPN 2.5. Hopefully the solutions are solid. I will check the logs tomorrow. So far, so good. I'm running FreeNAS-11.3-U5 and my Jails are at 11.4-RELEASE.

Here is what I did to solve everything:

I used the PIA 4th generation strong encryption configuration file

https://www.privateinternetaccess.com/helpdesk/kb/articles/where-can-i-find-your-ovpn-files

In particular I'm using the Berlin server to connect to.

For port forwarding I used the following script

https://github.com/dak180/TrueNAS-Scripts/blob/master/pia-port-foward.sh

I made some minor changes because I'm using authentication for my Transmission instance. So I added a transUser and transPass variable at the top after the other variables:

Code:
transUser=[username]
transPass=[password]


And everywhere in the script where transmission-remote is invoked I added the following right after transmission-remote:

Code:
--auth "${transUser}":"${transPass}"


To get rid of the IPv6 errors I changed the OpenVPN configuration file

Thanks to another user on the TrueNAS forums I solved the IPv6 problems: https://www.truenas.com/community/threads/pia-and-openvpn-v2-5.88459/#post-613168

Right before the line that starts with <crl-verify> I added the following two lines:

Code:
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6 "


To get rid of a cipher warning I changed this

I still got some warning about the ciphers. The solution was in the warning itself. Right after the cipher line in the configuration file I added this line:

Code:
data-ciphers aes-256-cbc


To make sure the port stays forwarded I added a cronjob to FreeNAS

Using the GUI of FreeNAS I added a cronjob that runs the above-mentioned script every 10 minutes to refresh the port forwarding. I noticed the port closed after 15 minutes in Transmission.

Code:
iocage exec [jailname] [path_to_script]/pia-port-foward.sh


If I did anything wrong, or if I can improve on anything please let me know.
 

Dave-g08

Dabbler
Joined
Sep 29, 2014
Messages
22
Thanks all for the information.

I've checked my openvpn.conf and I can't see anything wrong (but clearly something is). service openvpn start returns without error, but then service openvpn status is not running.

Code:
client
dev tun
proto udp
remote sweden.privacy.network 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass pass.txt
compress
verb 1
reneg-sec 0
crl-verify *correct path*
CA *correct path*
disable-occ


/var/log now shows an error with the tun interface
Code:
Nov 19 20:09:10 transmission openvpn[8826]: OpenVPN 2.4.9 amd64-portbld-freebsd12.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct  4 2020
Nov 19 20:09:10 transmission openvpn[8826]: library versions: OpenSSL 1.1.1d-freebsd  10 Sep 2019, LZO 2.10
Nov 19 20:09:10 transmission openvpn[8827]: CRL: loaded 1 CRLs from file [[INLINE]]
Nov 19 20:09:10 transmission openvpn[8827]: TCP/UDP: Preserving recently used remote address: [AF_INET]195.246.120.112:1198
Nov 19 20:09:10 transmission openvpn[8827]: UDP link local: (not bound)
Nov 19 20:09:10 transmission openvpn[8827]: UDP link remote: [AF_INET]195.246.120.112:1198
Nov 19 20:09:10 transmission openvpn[8827]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 19 20:09:10 transmission openvpn[8827]: [stockholm404] Peer Connection Initiated with [AF_INET]195.246.120.112:1198
Nov 19 20:09:11 transmission openvpn[8827]: GDG6: problem writing to routing socket
Nov 19 20:09:11 transmission openvpn[8827]: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by e>
Nov 19 20:09:11 transmission openvpn[8827]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 2000::/3
Nov 19 20:09:11 transmission openvpn[8827]: Cannot allocate TUN/TAP dev dynamically
Nov 19 20:09:11 transmission openvpn[8827]: Exiting due to fatal error


Any advice where to start checking is greatly appreciated
 

Mannekino

Patron
Joined
Nov 14, 2012
Messages
332
Thanks all for the information.

I've checked my openvpn.conf and I can't see anything wrong (but clearly something is). service openvpn start returns without error, but then service openvpn status is not running.

Code:
client
dev tun
proto udp
remote sweden.privacy.network 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass pass.txt
compress
verb 1
reneg-sec 0
crl-verify *correct path*
CA *correct path*
disable-occ


/var/log now shows an error with the tun interface
Code:
Nov 19 20:09:10 transmission openvpn[8826]: OpenVPN 2.4.9 amd64-portbld-freebsd12.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct  4 2020
Nov 19 20:09:10 transmission openvpn[8826]: library versions: OpenSSL 1.1.1d-freebsd  10 Sep 2019, LZO 2.10
Nov 19 20:09:10 transmission openvpn[8827]: CRL: loaded 1 CRLs from file [[INLINE]]
Nov 19 20:09:10 transmission openvpn[8827]: TCP/UDP: Preserving recently used remote address: [AF_INET]195.246.120.112:1198
Nov 19 20:09:10 transmission openvpn[8827]: UDP link local: (not bound)
Nov 19 20:09:10 transmission openvpn[8827]: UDP link remote: [AF_INET]195.246.120.112:1198
Nov 19 20:09:10 transmission openvpn[8827]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 19 20:09:10 transmission openvpn[8827]: [stockholm404] Peer Connection Initiated with [AF_INET]195.246.120.112:1198
Nov 19 20:09:11 transmission openvpn[8827]: GDG6: problem writing to routing socket
Nov 19 20:09:11 transmission openvpn[8827]: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by e>
Nov 19 20:09:11 transmission openvpn[8827]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 2000::/3
Nov 19 20:09:11 transmission openvpn[8827]: Cannot allocate TUN/TAP dev dynamically
Nov 19 20:09:11 transmission openvpn[8827]: Exiting due to fatal error


Any advice where to start checking is greatly appreciated

Literally check my comment above yours for the IPv6 issue. Also, I think you should be connecting to port 1197 for the nextgen servers with strong encryption.
 

Scharbag

Guru
Joined
Feb 1, 2012
Messages
620
Thanks all for the information.

I've checked my openvpn.conf and I can't see anything wrong (but clearly something is). service openvpn start returns without error, but then service openvpn status is not running.

Code:
client
dev tun
proto udp
remote sweden.privacy.network 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass pass.txt
compress
verb 1
reneg-sec 0
crl-verify *correct path*
CA *correct path*
disable-occ


/var/log now shows an error with the tun interface
Code:
Nov 19 20:09:10 transmission openvpn[8826]: OpenVPN 2.4.9 amd64-portbld-freebsd12.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct  4 2020
Nov 19 20:09:10 transmission openvpn[8826]: library versions: OpenSSL 1.1.1d-freebsd  10 Sep 2019, LZO 2.10
Nov 19 20:09:10 transmission openvpn[8827]: CRL: loaded 1 CRLs from file [[INLINE]]
Nov 19 20:09:10 transmission openvpn[8827]: TCP/UDP: Preserving recently used remote address: [AF_INET]195.246.120.112:1198
Nov 19 20:09:10 transmission openvpn[8827]: UDP link local: (not bound)
Nov 19 20:09:10 transmission openvpn[8827]: UDP link remote: [AF_INET]195.246.120.112:1198
Nov 19 20:09:10 transmission openvpn[8827]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 19 20:09:10 transmission openvpn[8827]: [stockholm404] Peer Connection Initiated with [AF_INET]195.246.120.112:1198
Nov 19 20:09:11 transmission openvpn[8827]: GDG6: problem writing to routing socket
Nov 19 20:09:11 transmission openvpn[8827]: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by e>
Nov 19 20:09:11 transmission openvpn[8827]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 2000::/3
Nov 19 20:09:11 transmission openvpn[8827]: Cannot allocate TUN/TAP dev dynamically
Nov 19 20:09:11 transmission openvpn[8827]: Exiting due to fatal error


Any advice where to start checking is greatly appreciated

Try some other sites to see if one server is not happy? I know the ca-vancouver.privacy.network server is online today. Also, verify with a Windows or iOS client to make sure the servers are up.

I also just used the exact .ovpn files from PIA when troubleshooting to check that everything was OK. Once I knew it worked, then I made my own custom configuration file with links to the CA and CRL.

Keep after it, you will get it figured.

Cheers,
 

Dave-g08

Dabbler
Joined
Sep 29, 2014
Messages
22
So a reboot of my FreeNAS box solved the issue. tun exists, OpenVPN connects and @dak180's script works like a dream. Thanks to all for the help.
 

goerz

Dabbler
Joined
Dec 19, 2011
Messages
17
PIA just released some new scripts to connect to their new servers. Connecting via WireGuard is now available.

https://www.privateinternetaccess.c...manual-connection-and-port-forwarding-scripts

I tried them out and it was relatively painless. One thing that didn't work for me was port forwarding. A downside to these scripts is that they need to be run manually, so they need to be run every time the jail is restarted. I don't know how to get them to run during jail startup.

I managed to run the scripts when the jail starts, so that the jail connects to the vpn via wireguard, and transmission uses the forwarded port for its connection. I started from the scripts found here:


I put all these scripts in /PIA. I changed most of the references from relative to absolute paths. In run_setup.sh I specified the location of a file with my VPN credentials, and I set the connection mode to wireguard:

Code:
PIA_AUTOCONNECT="wireguard"


I also fixed a small error in connect_to_wireguard_with_token.sh that prevented port forwarding: the variables PF_GATEWAY and PF_HOSTNAME must be exported in order to be used by the port_forwarding.sh script.

Code:
# Export the values port_forwarding.sh needs instead of only passing them
# as a one-off environment prefix to the next command.
PF_GATEWAY="$(echo "$wireguard_json" | jq -r '.server_vip')"
PF_HOSTNAME="$WG_HOSTNAME"
export PIA_TOKEN PF_GATEWAY PF_HOSTNAME


Then I wrote another simple script and saved it in /PIA as VPNstart.sh:

Code:
#!/usr/local/bin/bash

cd /PIA
/usr/local/bin/bash /PIA/run_setup.sh


It is important to change the working directory to where your scripts are, otherwise the wireguard script won't find the authentication certificate (ca.rsa.4096.crt). And I added these lines in /etc/crontab:

Code:
@reboot root /PIA/VPNstart.sh

*/15 * * * * root /PIA/refresh_pia_port.sh


However, it is important to change the SHELL line in crontab to use bash instead of sh:

Code:
SHELL=/usr/local/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin


Hope this helps. My transmission jail has been running smoothly for more than a day now.
 