Actually this is problematic since it requires to send a request to PIA outside the VPN to obtain/register a Wireguard key. Having the whole container focused on not leaking anything before the tunnel is up, this is... bothering.

I guess I can do some firewall gymnastics to allow connections to PIA before Wireguard is up, but it does not feel like the ideal solution 😢

It's probably overly complicated, but could Gluetun connect to PIA over OpenVPN initially, obtain the Wireguard key, then disconnect via OpenVPN and re-connect using Wireguard?

I thought about that, but that looks like weeks to implement 😢 There is also Surfshark (and possibly NordVPN, Cyberghost) which also work the same as PIA where you need to make an API call initially. Why would anyone design such horror 😄 Anyway, I think setting up a dumb OpenVPN at start to do API calls is the solution here. It might not be that hard either, but it feels... over-complicated 🥼

Another potential solution is to do the API calls through a sock5 proxy. Curl and Go both support this out of the box.

It does require separate credentials for PIA though.

https://www.privateinternetaccess.com/helpdesk/kb/articles/do-you-offer-a-socks5-proxy

I thought about that, but that looks like weeks to implement 😢 There is also Surfshark (and possibly NordVPN, Cyberghost) which also work the same as PIA where you need to make an API call initially. Why would anyone design such horror 😄

They designed it this way to support their own desktop/mobile applications. That also means that the official VPN client apps leak this info (making requests to a VPN provider's API endpoint).

.. setting up a dumb OpenVPN at start to do API calls is the solution here. It might not be that hard either, but it feels... over-complicated

Whether you access an API endpoint of a VPN provider or connecting to one of their VPN servers, it is very clear (for your ISP/NSA/etc.) what you are trying to do - establish a VPN connection with a particular VPN provider. As long as the API connection is encrypted (which it is), you are not exposing any additional information. Your intents are still pretty obvious.

The major downside to this process is that it's much easier to block as single API endpoint compared to blocking ranges of IPs of VPN servers.

Whether you access an API endpoint of a VPN provider or connecting to one of their VPN servers

True, true.

The major downside to this process is that it's much easier to block as single API endpoint compared to blocking ranges of IPs of VPN servers.

Yep. Regarding IP level sniffing, it doesn't change much, but blocking-wise, it's much easier to block a single IP address than N ones that might change over time.

nslookup privateinternetaccess.com
Address:  23.10.89.37

They only have a single public IP address sadly.

Well I guess PIA users should expect protection similar to PIA's official app anyway. If they're not happy, other providers are more privacy robust like Ivpn, Mullvad or Windscribe (at least for Wireguard).

I'll take the do-the-api-call-outside-the-vpn route (which is already complex given the existing setup), otherwise it's really mind hard to implement. Maybe log a warning to the user about it.

Any progress on this? Would be a nice function

I see the optional info, but it's not clear to me how (or even if possible) to use that to manually create the token and give that to gluetun to use PIA's Wireguard. I have no problem updating and running the mentioned scripts to grab a token, (I certainly understand that it is difficult to automatically implement) but I'd like to be able to manually do that if I can.

I think the "do-the-api-call-outside-the-vpn" approach sounds like the most sensible option. Warnings about the behaviour in the console and in the wiki would be sufficient.

I've seen the wiki documentation on adding new service providers however it seems like there are some other complexities for this feature. Does anybody know if there have been any other similar providers added, that require an initial fetch for a token, since this issue was first created? As a reference point.

I found this PIA + Wireguard project: https://github.com/thrnz/docker-wireguard-pia

Could be helpful as a reference for implementing this feature in gluetun

I have 3 more years with PIA. Please release this feature! I don't mind ISP knowing that I'm connecting to PIA.

Mullvad just pulled port forwarding from their service which is a huge issue if you want to torrent stuff using VPN.

In the vast and intricate tapestry of digital landscapes, a shadowy need has emerged, longing for your wise touch. A request, nay, a fervent plea, escapes my lips like an incantation carried by the winds of destiny. I beseech thee, conjure forth the wondrous enchantment known as WireGuard within the heart of your creation.

Hi, I've implemented this feature in #1836, but I don't have a PIA account to test it. Help for testing would be greatly appreciated! 🙏

You can build the image by cloning my branch, and then run:

docker build . -t gluetun

Now, the image would be build with the name gluetun.