cat /dev/brain |

Wireguard box for PIA

published on Wednesday, July 3, 2024

This article shows how to setup a WireGuard connection for PIA inside a linux network namespace. This means that applications started in this namespace never see other network interfaces even if the VPN is disrupted.

This is a follow-up on VPN in a Nutshell and VPN autostart which describe how to do the same for the OpenVPN based connection. However, openssl 3.3.0 rejects the current PIA certificate with X509_REVOKED causing the OpenVPN connection to fail — which has made it necessary for me to migrate to WireGuard. More in this GitHub discussion.

Using WireGuard with network namespaces seems to be a standard approach that is well-documented in various places, so I won't explain the steps here, and just provide the setup and code. I recommend reading Using WireGuard for specific Apps on Linux and Routing & Network Namespace Integration for more details.

PIA has published code for setting up wireguard connections in their manual-connections repository. If you're not interested in the custom setup shown in this article here, I recommend you check it out.

Enough talk, more action!


You can determine an appropriate PIA host using

git clone
sudo ./manual-connections/

Look for a line near the bottom of the output that reads:

Wireguard   IP ADDRESS      -   HOSTNAME

Now, create a file with your PIA credentials and server that you want to connect to:



Prevent others from reading this file to protect your credentials:

sudo chown root:root /etc/wireguard/pia-wirebox.conf
sudo chmod 600       /etc/wireguard/pia-wirebox.conf


Download the pia-wirebox script, read it (!), adapt it to your needs if necessary, and install it on your system, for example in /usr/local/bin/pia-wirebox.

Make sure that it is only writable by root:

sudo chown root:root /usr/local/bin/pia-wirebox
sudo chmod 711       /usr/local/bin/pia-wirebox


I also like to setup passwordless sudo for my user. To do so start editing the sudoers file by running

sudo visudo

Note: Using visudo is important to avoid accidentally locking yourself out of your system due to a malformed sudoers! Do not falter if you detest vi(m). Contrary to what it's name suggests, it can also be used with a different editor by using e.g. sudo SUDO_EDITOR=nano visudo (but the editor command needs to be blocking, i.e. stay in foreground until the file is closed).

Add this line near the bottom and replace thomas by your actual username:


thomas ALL = (root) NOSETENV: NOPASSWD: /usr/local/bin/pia-wirebox *

Note: Make sure env_reset is not disabled and SUDO_USER is not added to env_keep. Otherwise, please don't use passwordless sudo. The pia-wirebox script uses the $SUDO_USER environment variable provided by sudo to run the command after run as the original user who executed sudo (you can check this by running pia-wirebox run id -u). Along with the described sudoers config, I believe this should be enough to prevent privilege escalation, but run at your own risk.

If your sudoers has a line that reads @includedir /etc/sudoers.d it may be preferred to add this setting in a separate file under /etc/sudoers.d using:

sudo visudo /etc/sudoers.d/pia-wirebox

An sleek alternative (that simplifies the installation process and avoids the risk of misconfiguring your system) is to make use of the SUID bit. However, linux does not allow this for interpretable scripts for security reasons. Hence, this approach requires creating a real binary (using e.g. shc), but this is outside the scope of this article.


With the above setup you should now be able to bring up the VPN and run a command in the network namespace by hitting:

sudo wirebox run COMMAND [args..]

# For example, determine your external (VPN) IP as seen by the outside world:
sudo wirebox run dig +short -4

If desired, set up a script or an alias to make this easier for you, e.g.:


alias wirebox="sudo /usr/local/bin/pia-wirebox run"

This entry was tagged config, gist, linux, privacy, vpn and wireguard