Today I'll be talking a little bit about VPNs. I've been interested
in getting myself set up with a ubiquitous VPN for a while. I have a
VPN server running on my router (an x86 desktop running PFSense) which
was fine for when I was on public wifi and needed a little protection.
But that meant my ISP could still see, and modify, my traffic. With
the looming death of net neutrality, I thought it was high time I fix
this situation.
After doing a bit of shopping around I found a company called Private
Internet Access (PIA)[1] which claims geographically separated, log-less
and secure VPN service for just $3.33/month (at the time of this
writing). The deal sounded too good to pass up and the reviews were
outstanding so I decided to give it a try. There are few times in life
when you make really good decisions; I think this was one of those
times.
My initial impressions with PIA are very positive. They provide a
graphical client for Windows, MacOS, Ubuntu Linux, Android and iOS.
They also support OpenVPN and L2TP so you can use any generic OpenVPN
or L2TP client as well. If that wasn't enough, they have some really
good documentation and well written scripts to help configure things
on the non-standard platforms. This includes a script for setting up a
NetworkManager entry for each VPN endpoint they have, compatible with
Debian, Ubuntu, Fedora, CentOS and Arch Linux, a great tutorial on
configuring PFSense to be an OpenVPN client to their service and much,
much more.
As it stands, I have my laptop (Fedora) configured using their
automatic config script for NetworkManager. This created an entry in
/etc/NetworkManager/system-connections for each of their geographic
endpoints. My desktop and phone are configured with the official
client. So far, everything works really, really well on that front.
The only snag I've hit so far is not really anything to do with PIA. I
had originally configured PFSense to act as an OpenVPN client to one of
their endpoints. This worked well and the instructions were clear and
accurate but I quickly found out that it was somewhat impractical to
forward all of my traffic through the VPN without consequence. For
example, Netflix blocks all well known VPN IP addresses. Since PIA is
a well known VPN provider, they're blocked. Without doing additional
advanced configuration to split the network traffic for certain
devices (i.e. my television) this was not going to work. For now, I'm
sticking with client side configurations only.
My one complaint about the service itself so far is latency related. I
get that using a VPN adds an amount of overhead to the network
connection reducing its speed and latency to some degree. This is
unavoidable. I've noticed a few times where latency was very high,
however, and sometimes the connection would drop altogether. Since
they offer a service with a large number of endpoints, switching to
another of these endpoints was easy and usually solves the problem. I
do wish they would find a way to make the service a little more
stable, though.
The official PIA client has a setting to automatically connect to a
specified endpoint at startup. If you're using a generic OpenVPN
client, such as NetworkManager, this is slightly more complicated.
What I ended up doing was creating a script in
/etc/NetworkManager/dispatcher.d which watches for my wireless network
adapter to come up and activates the VPN connection. It's a fairly
trivial script and the dispatcher.d scripts are well documented on the
gnome.org [2] website.
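
A dispatcher script of the kind described above, as an added example that is not the author's own script. The file name, the interface name (wlp3s0) and the VPN connection name are assumptions; substitute the values from your own system-connections entries.

```shell
#!/bin/sh
# Added example, e.g. /etc/NetworkManager/dispatcher.d/90-autovpn
# (hypothetical file name). NetworkManager runs dispatcher scripts as root
# with $1 = interface and $2 = action, and only runs files that are owned
# by root and not writable by group or others.

WIFI_IFACE="${WIFI_IFACE:-wlp3s0}"       # assumption: wireless interface name
VPN_NAME="${VPN_NAME:-PIA - US East}"    # assumption: NetworkManager connection name

# Return 0 only for the "up" event on the wireless interface, so that
# wired links, "down" events and the VPN's own "vpn-up" event are ignored.
should_start_vpn() {
    [ "$1" = "$WIFI_IFACE" ] && [ "$2" = "up" ]
}

# Read active connection names on stdin (one per line) and return 0 if the
# VPN is among them. Exact, whole-line match: "PIA - US East 2" must not
# count as "PIA - US East".
vpn_listed() {
    grep -Fxq -- "$VPN_NAME"
}

start_vpn() {
    if nmcli -g NAME connection show --active | vpn_listed; then
        return 0    # already connected, nothing to do
    fi
    if ! nmcli connection up id "$VPN_NAME"; then
        # This script does not block traffic: if activation fails the
        # wireless link stays up unprotected, so record the failure.
        logger -t autovpn "failed to activate '$VPN_NAME' after $1 came up"
        return 1
    fi
}

if should_start_vpn "${1:-}" "${2:-}"; then
    start_vpn "$1"
fi
```

Because a failed activation only produces a log entry, check the system log under the autovpn tag after joining a new network to confirm the tunnel actually came up.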
[1] Private Internet Access: https://www.privateinternetaccess.com
[2] Gnome NetworkManager Page