Implement support for Wireguard in PIA

[FireMasterK]

Closes #612
Untested, as I don't have a PIA account

Warning: I don't really write a lot of Go code, so the structure may be bad!

[garlik82]

I'm willing to test this. Already built the image but what should I put in my compose file?

[FireMasterK]

I'm willing to test this. Already built the image but what should I put in my compose file?

You should be able to set your account credentials in the openvpn user credentials, and set VPN_TYPE=wireguard. You need not configure any wireguard keys, as ephemeral keys are automatically registered and used in the API.

[garlik82]

I'm willing to test this. Already built the image but what should I put in my compose file?

You should be able to set your account credentials in the openvpn user credentials, and set VPN_TYPE=wireguard. You need not configure any wireguard keys, as ephemeral keys are automatically registered and used in the API.

ERROR VPN settings: provider settings: VPN provider name is not valid for Wireguard: value is not one of the possible choices: private internet access must be one of airvpn, custom, ivpn, mullvad, nordvpn, surfshark or windscrib.

This is what I get.

If I put custom instead of PIA I get the error saying no endpoint set

[FireMasterK]

ERROR VPN settings: provider settings: VPN provider name is not valid for Wireguard: value is not one of the possible choices: private internet access must be one of airvpn, custom, ivpn, mullvad, nordvpn, surfshark or windscrib.

This is what I get.

If I put custom instead of PIA I get the error saying no endpoint set

I've fixed this in the latest commit, please build and try it again.

[garlik82]

ERROR VPN settings: provider settings: VPN provider name is not valid for Wireguard: value is not one of the possible choices: private internet access must be one of airvpn, custom, ivpn, mullvad, nordvpn, surfshark or windscrib.
This is what I get.
If I put custom instead of PIA I get the error saying no endpoint set

I've fixed this in the latest commit, please build and try it again.

Now I get this:

ERROR [vpn] finding a VPN server: filtering servers: no server found: for VPN wireguard; protocol udp; region dk copenhagen; encryption preset strong

[FireMasterK]

I've fixed this in the latest commit, please build and try it again.

Now I get this:

ERROR [vpn] finding a VPN server: filtering servers: no server found: for VPN wireguard; protocol udp; region dk copenhagen; encryption preset strong

Hi, please try again, this should now be fixed!

[garlik82]

How do I know the right thing to put in SERVER_REGIONS= ?

[FireMasterK]

How do I know the right thing to put in SERVER_REGIONS= ?

Anything that works with OpenVPN should most likely work with Wireguard too.

[garlik82]

How do I know the right thing to put in SERVER_REGIONS= ?

Anything that works with OpenVPN should most likely work with Wireguard too.

It doesn't. Must likely it's searching on servers.json for a wireguard server but PIA only has ovpn server in the built in server list.

https://raw.githubusercontent.com/qdm12/gluetun/master/internal/storage/servers.json (builtin server list)
https://serverlist.piaservers.net/vpninfo/servers/v6 (pia server list)

[FireMasterK]

It doesn't. Must likely it's searching on servers.json for a wireguard server but PIA only has ovpn server in the built in server list.

https://raw.githubusercontent.com/qdm12/gluetun/master/internal/storage/servers.json (builtin server list) https://serverlist.piaservers.net/vpninfo/servers/v6 (pia server list)

Could you give it a go again? I managed to reproduce those errors without an account, and each of them should be fixed now.

You may need to disable the firewall with FIREWALL=off (not sure how to work around it currently)

[garlik82]

almost there.

ERROR [vpn] getting Wireguard connection: HTTP status code is not OK: https://www.privateinternetaccess.com/gtoken/generateToken: 403 403 Forbidden: response received: <title>403 Forbidden</title>

403 Forbidden

---

cloudflare </html

[qdm12]

Thanks for the contribution!

Unfortunately this requires connectivity before the VPN is up, and that's a deal breaker for Gluetun. I'm slowly working towards a solution but this is far from done. The PR won't be useless though, it will be used at some point in the future 👍 !

[qdm12]

please keep this unexported (lowercase first letter), there is no need to export it

[qdm12]

please move this back to original location; you can do a subsequent PR to move these around after for cleanup if necessary, but let's keep this PR focused on what it's supposed to do.

[qdm12]

handle the error

Suggested change

	client, err := newHTTPClient(connection.Hostname)
	client, err := newHTTPClient(connection.Hostname)
	if err != nil {
	return fmt.Errorf("creating http client: %w", err)
	}

[qdm12]

nit comment unneeded

Suggested change

// create http client to make requests to the server's API

[qdm12]

nit comment unneeded

Suggested change

// generate a new private key

[qdm12]

remove before merging

[qdm12]

rename file to token.go, avoid utils in filename or directory, it's rather meaningless

[qdm12]

since this is used outside openvpn-only, we should inject the username and password and not use the openvpn auth file anymore (especially if it's for Wireguard, that makes it super strange)

[qdm12]

you could even panic here, since that would be a programming error:

Suggested change

	return "", fmt.Errorf("token type %q is not supported", tokenType)
	panic(fmt.Sprintf("token type %q is not supported", tokenType))

[qdm12]

⚠️ This calls www.privateinternetaccess.com and that's a deal breaker for the killswitch and to avoid leaking data outside the tunnel (especially from other containers/devices connecting through gluetun). For example if the tunnel takes 5 seconds to setup, data will leak for 5 seconds; if the tunnel never manages to setup, it would leak for hours.
That's also why I did not implement this yet, but don't worry, your code will be used at some point.

I'm working on a few other moving parts, and the idea is that connecting to privateinternetaccess.com over https (and its dns resolution) would be the only one allowed outside the vpn, temporarily. But this is far from done, so expect this pull request to stay opened for a few months unfortunately.

[bryanvaz]

Theoretically, if the agent were to connect via openvpn over a sideband, download the necessary wireguard configs over the ovpn tunnel, then bring up the primary wireguard tunnel using the downloaded wireguard credentials, would that address the leakage risk?

Obviously the scenario assumes all tunnelled traffic is only routed over wireguard, and thus is blocked till the wireguard tunnel is up. I would assume this should be the default behaviour anyways in the event of the PIA dropping the wireguard tunnel to rotate IPs.

[Nikamura]

any way I could help to get support added for PIA wireguard?