Feature request: Wireguard support for PIA #612
Comments
Actually this is problematic since it requires to send a request to PIA outside the VPN to obtain/register a Wireguard key. Having the whole container focused on not leaking anything before the tunnel is up, this is... bothering. I guess I can do some firewall gymnastics to allow connections to PIA before Wireguard is up, but it does not feel like the ideal solution 😢
It's probably overly complicated, but could Gluetun connect to PIA over OpenVPN initially, obtain the Wireguard key, then disconnect via OpenVPN and re-connect using Wireguard?
I thought about that, but that looks like weeks to implement 😢 There is also Surfshark (and possibly NordVPN, Cyberghost) which also work the same as PIA where you need to make an API call initially. Why would anyone design such horror 😄 Anyway, I think setting up a dumb OpenVPN at start to do API calls is the solution here. It might not be that hard either, but it feels... over-complicated
Another potential solution is to do the API calls through a SOCKS5 proxy. Curl and Go both support this out of the box. It does require separate credentials for PIA though. https://www.privateinternetaccess.com/helpdesk/kb/articles/do-you-offer-a-socks5-proxy
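The SOCKS5 route suggested in the comment above, as an added Go example that is not part of the thread or of gluetun's code: an HTTP client pinned to the proxy, so the token request cannot fall back to a direct connection. The proxy address, both sets of credentials and the use of HTTP basic auth for the token request are assumptions; only the token URL comes from this issue.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/url"
	"time"
)

// tokenURL is the endpoint named in the issue description.
const tokenURL = "https://privateinternetaccess.com/gtoken/generateToken"

// newSOCKS5Client returns an HTTP client that sends every request through the
// given SOCKS5 proxy. It refuses to build a client without proxy credentials.
func newSOCKS5Client(proxyAddr, proxyUser, proxyPass string) (*http.Client, error) {
	if proxyAddr == "" || proxyUser == "" || proxyPass == "" {
		return nil, fmt.Errorf("SOCKS5 proxy address and credentials are required")
	}
	proxyURL := &url.URL{Scheme: "socks5", User: url.UserPassword(proxyUser, proxyPass), Host: proxyAddr}
	transport := &http.Transport{
		// A fixed proxy function: the HTTP_PROXY/NO_PROXY environment
		// variables are not consulted, so they cannot cause a direct dial.
		Proxy:               http.ProxyURL(proxyURL),
		TLSHandshakeTimeout: 10 * time.Second,
	}
	return &http.Client{Transport: transport, Timeout: 30 * time.Second}, nil
}

// newTokenRequest builds the token request. Sending the account credentials
// as HTTP basic auth is an assumption; the issue only names the URL.
func newTokenRequest(ctx context.Context, piaUser, piaPass string) (*http.Request, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, tokenURL, nil)
	if err != nil {
		return nil, err
	}
	req.SetBasicAuth(piaUser, piaPass)
	return req, nil
}

func main() {
	// All values below are constructed placeholders.
	client, err := newSOCKS5Client("proxy.example:1080", "constructed-proxy-user", "constructed-proxy-pass")
	if err != nil {
		panic(err)
	}
	req, _ := newTokenRequest(context.Background(), "constructed-user", "constructed-pass")
	via, _ := client.Transport.(*http.Transport).Proxy(req)
	fmt.Println("token request to", req.URL.Host, "would be sent via", via.Redacted())
}
```
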
They designed it this way to support their own desktop/mobile applications. That also means that the official VPN client apps leak this info (making requests to a VPN provider's API endpoint).
Whether you access an API endpoint of a VPN provider or connect to one of their VPN servers, it is very clear (for your ISP/NSA/etc.) what you are trying to do - establish a VPN connection with a particular VPN provider. As long as the API connection is encrypted (which it is), you are not exposing any additional information. Your intents are still pretty obvious. The major downside to this process is that it's much easier to block a single API endpoint compared to blocking ranges of IPs of VPN servers.
True, true.
Yep. Regarding IP level sniffing, it doesn't change much, but blocking-wise, it's much easier to block a single IP address than N ones that might change over time.
They only have a single public IP address sadly. Well I guess PIA users should expect protection similar to PIA's official app anyway. If they're not happy, other providers are more privacy robust like IVPN, Mullvad or Windscribe (at least for Wireguard). I'll take the do-the-api-call-outside-the-vpn route (which is already complex given the existing setup), otherwise it's really mind hard to implement. Maybe log a warning to the user about it.
Any progress on this? Would be a nice function
I see the optional info, but it's not clear to me how (or even if possible) to use that to manually create the token and give that to gluetun to use PIA's Wireguard. I have no problem updating and running the mentioned scripts to grab a token, (I certainly understand that it is difficult to automatically implement) but I'd like to be able to manually do that if I can.
I think the "do-the-api-call-outside-the-vpn" approach sounds like the most sensible option. Warnings about the behaviour in the console and in the wiki would be sufficient. I've seen the wiki documentation on adding new service providers however it seems like there are some other complexities for this feature. Does anybody know if there have been any other similar providers added, that require an initial fetch for a token, since this issue was first created? As a reference point.
I found this PIA + Wireguard project: https://github.com/thrnz/docker-wireguard-pia Could be helpful as a reference for implementing this feature in gluetun
I have 3 more years with PIA. Please release this feature! I don't mind ISP knowing that I'm connecting to PIA. Mullvad just pulled port forwarding from their service which is a huge issue if you want to torrent stuff using VPN.
In the vast and intricate tapestry of digital landscapes, a shadowy need has emerged, longing for your wise touch. A request, nay, a fervent plea, escapes my lips like an incantation carried by the winds of destiny. I beseech thee, conjure forth the wondrous enchantment known as WireGuard within the heart of your creation.
Hi, I've implemented this feature in #1836, but I don't have a PIA account to test it. Help for testing would be greatly appreciated! 🙏 You can build the image by cloning my branch, and then run:
Now, the image would be built with the name
What's the feature?
Optional extra information 🚀
connect_to_wireguard_with_token.sh
get_token.sh
the token is generated with a call to https://privateinternetaccess.com/gtoken/generateToken using the PIA_USERNAME and PIA_PASSWORD. (thanks @marciocm)
TODOs
VPNSP for Wireguard