cat /dev/brain |

Wireguard box for PIA

published on Wednesday, July 3, 2024

This article shows how to set up a WireGuard connection for PIA inside a Linux network namespace. This means that applications started in this namespace never see the other network interfaces, even if the VPN is disrupted.

This is a follow-up on VPN in a Nutshell and VPN autostart which describe how to do the same for the OpenVPN based connection. However, openssl 3.3.0 rejects the current PIA certificate with X509_REVOKED causing the OpenVPN connection to fail — which has made it necessary for me to migrate to WireGuard. More in this GitHub discussion.

Using WireGuard with network namespaces seems to be a standard approach that is well-documented in various places, so I won't explain the steps here, and just provide the setup and code. I recommend reading Using WireGuard for specific Apps on Linux and Routing & Network Namespace Integration for more details.

PIA has published code for setting up WireGuard connections in their manual-connections repository. If you're not interested in the custom setup shown in this article, I recommend you check it out.

Enough talk, more action!

pia-wirebox.conf

You can determine an appropriate PIA host using get_region.sh:

git clone https://github.com/pia-foss/manual-connections.git
sudo ./manual-connections/get_region.sh

Look for a line near the bottom of the output that reads:

Wireguard   IP ADDRESS      -   HOSTNAME

Now, create a file with your PIA credentials and server that you want to connect to:

/etc/wireguard/pia-wirebox.conf

PIA_USER=p1234567
PIA_PASS=your-password
WG_HOSTNAME=frankfurt408
WG_SERVER_IP=138.199.18.71

Prevent others from reading this file to protect your credentials:

sudo chown root:root /etc/wireguard/pia-wirebox.conf
sudo chmod 600       /etc/wireguard/pia-wirebox.conf

pia-wirebox

Download the pia-wirebox script, read it (!), adapt it to your needs if necessary, and install it on your system, for example in /usr/local/bin/pia-wirebox.

Make sure that it is only writable by root:

sudo chown root:root /usr/local/bin/pia-wirebox
sudo chmod 711       /usr/local/bin/pia-wirebox

sudoers

I also like to set up passwordless sudo for my user. To do so, start editing the sudoers file by running

sudo visudo

Note: Using visudo is important to avoid accidentally locking yourself out of your system due to a malformed sudoers file! Do not falter if you detest vi(m). Contrary to what its name suggests, it can also be used with a different editor, e.g. sudo SUDO_EDITOR=nano visudo (but the editor command needs to be blocking, i.e. stay in the foreground until the file is closed).

Add this line near the bottom and replace thomas by your actual username:

/etc/sudoers

thomas ALL = (root) NOSETENV: NOPASSWD: /usr/local/bin/pia-wirebox *

Note: Make sure env_reset is not disabled and SUDO_USER is not added to env_keep. Otherwise, please don't use passwordless sudo. The pia-wirebox script uses the $SUDO_USER environment variable provided by sudo to run the command that follows the run subcommand as the original user who executed sudo (you can check this by running pia-wirebox run id -u). Along with the described sudoers config, I believe this should be enough to prevent privilege escalation, but run at your own risk.

If your sudoers has a line that reads @includedir /etc/sudoers.d it may be preferred to add this setting in a separate file under /etc/sudoers.d using:

sudo visudo /etc/sudoers.d/pia-wirebox

A sleek alternative (that simplifies the installation process and avoids the risk of misconfiguring your system) is to make use of the SUID bit. However, Linux does not honour it for interpreted scripts, for security reasons. Hence, this approach requires creating a real binary (using e.g. shc), but this is outside the scope of this article.

Usage

With the above setup you should now be able to bring up the VPN and run a command in the network namespace by running:

sudo pia-wirebox run COMMAND [args..]

# For example, determine your external (VPN) IP as seen by the outside world:
sudo pia-wirebox run dig @resolver4.opendns.com myip.opendns.com +short -4

If desired, set up a script or an alias to make this easier for you, e.g.:

~/.bashrc

alias wirebox="sudo /usr/local/bin/pia-wirebox run"
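As an added illustration of how such a wrapper can be structured (this is not the author's pia-wirebox script, which you should download and read instead): the tunnel lives in its own namespace, the credentials file is refused unless it has the permissions set above, and the run subcommand drops from root back to the sudo caller via SUDO_USER. The namespace and interface names, the 1337 endpoint port, and the WG_ADDR, WG_DNS, WG_PEER_KEY and WG_KEY_FILE variables are assumptions; PIA's key exchange that would fill them in is not shown.

```shell
#!/bin/sh
# Added illustration, not the author's pia-wirebox script. Namespace/interface
# names, port 1337 and the WG_* variables beyond the page's config are assumptions.
set -eu
NS=pia-wirebox                              # assumed namespace name
WG_IF=wg-pia                                # assumed interface name
CONF=/etc/wireguard/pia-wirebox.conf
# Refuse a credentials file that is not owned by $2 (default root) with mode 600.
check_config_perms() {
    [ "$(stat -c '%U %a' "$1")" = "${2:-root} 600" ] ||
        { echo "pia-wirebox: $1 must be owned by ${2:-root} with mode 600" >&2; return 1; }
}
# The user to run commands as comes only from sudo's own SUDO_USER (which is why
# env_reset must stay enabled); an empty value or root is rejected, never guessed.
resolve_run_user() {
    case ${SUDO_USER:-} in
        ''|root) echo "pia-wirebox: refusing to run as '${SUDO_USER:-unset}'" >&2; return 1 ;;
    esac
    echo "$SUDO_USER"
}
# Bring the tunnel up in its own namespace: only lo and the WireGuard interface
# exist there, so if the tunnel drops there is simply no other route to leak to.
# Assumes CONF additionally provides WG_ADDR, WG_DNS, WG_PEER_KEY and WG_KEY_FILE
# (values obtained through PIA's key exchange, which is not shown here).
up() {
    . "$CONF"
    ip netns add "$NS"
    ip link add "$WG_IF" type wireguard         # created in the root namespace...
    ip link set "$WG_IF" netns "$NS"            # ...then moved; its UDP socket stays outside
    ip netns exec "$NS" wg set "$WG_IF" private-key "$WG_KEY_FILE" \
        peer "$WG_PEER_KEY" endpoint "$WG_SERVER_IP:1337" allowed-ips 0.0.0.0/0
    ip -n "$NS" addr add "$WG_ADDR" dev "$WG_IF"
    ip -n "$NS" link set lo up
    ip -n "$NS" link set "$WG_IF" up
    ip -n "$NS" route add default dev "$WG_IF"
    mkdir -p "/etc/netns/$NS"                   # ip netns exec bind-mounts this resolv.conf
    printf 'nameserver %s\n' "$WG_DNS" > "/etc/netns/$NS/resolv.conf"
}
# Run COMMAND inside the namespace, dropping from root back to the sudo caller.
run() {
    user=$(resolve_run_user)
    exec ip netns exec "$NS" runuser -u "$user" -- "$@"
}
case ${1:-} in
    up)  check_config_perms "$CONF"; up ;;
    run) check_config_perms "$CONF"; shift; run "$@" ;;
    '')  ;;                                     # no subcommand: only define the functions
    *)   echo "usage: $0 up | run COMMAND [args..]" >&2; exit 2 ;;
esac
```

The script must be run through sudo (as in the sudoers line above) so that ip and wg have the privileges they need while the command you pass to run does not.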

This entry was tagged config, gist, linux, privacy, vpn and wireguard