A script to setup and run PIA through WireGuard on OpenWrt
https://github.com/bolemo/pia_wg/
- This thread: https://forum.openwrt.org/t/private-internet-access-pia-wireguard-vpn-on-openwrt/155475
- And @Lazerdog's script: https://github.com/jimhall718/piawg/blob/main/piawgx.sh
Version 1.0.7
- Connect to your OpenWrt router with SSH
- Go to (and create if needed) the location you want to install the script
For example: mkdir /opt/scripts; cd /opt/scripts
- Download the script:
wget https://raw.githubusercontent.com/bolemo/pia_wg/main/pia_wg.sh
- Give execution permission to the script:
chmod +x pia_wg.sh
- Install packages which the script depends on:
opkg update && opkg install jq curl wireguard-tools luci-proto-wireguard coreutils-stty coreutils-nl
- Configure and run:
  - To configure and run PIA, use ./pia_wg.sh start (or ./pia_wg.sh start --watchdog if you want the watchdog installed) and answer the questions
  - To just configure, use ./pia_wg.sh configure and answer the questions. Then you can set up the advanced/expert network settings (see below) and, to run, use ./pia_wg.sh start (or ./pia_wg.sh start --watchdog)
The firewall setup depends on your needs and your personal configuration.
For a typical setup (direct all LAN traffic to/from internet through the newly created wireguard interface), you'll need to update your firewall this way:
- Navigate to Network > Firewall
- Create a new Zone, name it PIA or whatever you want
- In the General Settings tab, enable Masquerading and MSS Clamping, then add LAN to Allow forward from source zones
- In the Advanced Settings tab, set Covered Devices to wg_pia
- Save the zone
- Now edit your LAN zone
- Set Allow forward to destination zones to PIA (or whatever you named the zone created above)
- Traffic should now only be allowed through the wireguard connection
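The same zone and forwarding can be created from the shell with uci, and the "only through the WireGuard connection" claim can be checked rather than assumed. The following is an added example, not part of pia_wg.sh; it assumes the zone is named "pia" and that the script's WireGuard device is wg_pia, and the "uci show firewall" sample it checks is constructed.

```shell
#!/bin/sh
# Added example, not part of pia_wg.sh. Assumed names: zone "pia",
# WireGuard device "wg_pia" (the device the script creates).
ZONE=pia; DEV=wg_pia

# Print the uci equivalent of the LuCI steps: a zone with masquerading and
# MSS clamping covering wg_pia, plus a lan -> pia forwarding. Printed rather
# than executed so it can be reviewed first (pipe into sh to apply).
pia_fw_uci_cmds() {
  cat <<EOF
uci add firewall zone
uci set firewall.@zone[-1].name='$ZONE'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
uci add_list firewall.@zone[-1].device='$DEV'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='$ZONE'
uci commit firewall
/etc/init.d/firewall reload
EOF
}

# Leak check: read "uci show firewall" output on stdin and succeed only if
# lan forwards to the VPN zone and nowhere else. A leftover lan -> wan
# forwarding lets LAN traffic bypass the tunnel whenever the VPN is down.
lan_forwards_only_to_pia() {
  dests=$(awk -F"'" '
    /^firewall\.@forwarding\[[0-9]+\]\.src=/  { k=$1; sub(/\.src=$/, "", k); src[k]=$2 }
    /^firewall\.@forwarding\[[0-9]+\]\.dest=/ { k=$1; sub(/\.dest=$/, "", k); dst[k]=$2 }
    END { for (k in src) if (src[k] == "lan") print dst[k] }')
  [ -n "$dests" ] || return 1          # lan is not forwarded at all
  for d in $dests; do
    [ "$d" = "$ZONE" ] || return 1     # lan can still reach another zone
  done
  return 0
}

# Constructed sample of "uci show firewall" lines (not from a real router):
# the default lan -> wan forwarding was left next to the new lan -> pia one.
SAMPLE_LEAKY="firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='pia'"
SAMPLE_OK="firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='pia'"
```

On the router, run `uci show firewall | lan_forwards_only_to_pia && echo "lan only reaches pia"` after applying the zone; a non-zero exit means a forwarding still lets LAN traffic bypass the tunnel.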
The script can be updated to the latest version using: pia_wg.sh update
You can set up the script to apply any OpenWrt WireGuard network interface or peer setting this way (after running the initial configuration):
- for the network WireGuard PIA interface:
uci set pia_wg.@net_interface[0].<option>=<value>
then uci commit pia_wg.@net_interface[0]
- for the network WireGuard PIA peer:
uci set pia_wg.@net_peer[0].<option>=<value>
then uci commit pia_wg.@net_peer[0]
For example, to prevent OpenWrt from routing all traffic through the VPN:
uci set pia_wg.@net_peer[0].route_allowed_ips='0'
uci commit pia_wg.@net_peer[0]
Or to put an fwmark on the outgoing VPN traffic:
uci set pia_wg.@net_interface[0].fwmark='0x1'
uci commit pia_wg.@net_interface[0]
Then, the next time you use ./pia_wg.sh start (if not already started; otherwise you need to restart, or do stop then start, to enable the new configuration) or ./pia_wg.sh restart, the script will pass these extra settings when OpenWrt WireGuard creates the PIA interface and the PIA peer.
The script can install a watchdog that regularly checks the status and restarts the VPN if needed.
For that, just use --watchdog with start or restart, or run the command ./pia_wg.sh watchdog install
To uninstall/remove the watchdog, use ./pia_wg.sh watchdog remove; when ./pia_wg.sh stop is used, the watchdog is automatically removed
When the watchdog is enabled, the script's log is located in /var/log/pia_wg_watchdog.log
The log can be displayed using pia_wg.sh log show and cleared using pia_wg.sh log clear
Usage: `pia_wg.sh { configure [all|user|region|keys|network] | init-network | start [--watchdog] | restart [--watchdog] | stop | status | watchdog {install|remove} | log {show|clear|path} | update }`
Details:
- configure: same as configure all
- configure all: configure all settings
- configure user: set PIA user ID and password
- configure region: set/choose PIA region
- configure keys: generate local WireGuard keys
- configure network: generate default network settings
- init-network: setup PIA WireGuard network (no start)
- start: start PIA WireGuard (if not already up)
- start --watchdog: same as start and install the watchdog
- restart: start or restart PIA WireGuard
- restart --watchdog: same as restart and install the watchdog
- stop: stop PIA WireGuard (and remove the watchdog)
- status: show PIA WireGuard status
- watchdog install: install the watchdog
- watchdog remove: remove the watchdog
- log show: display the watchdog log
- log clear: clear the watchdog log
- log path: set a custom Directory Path for the log
- update: update the script to latest version
Please take into account that the script only creates and sets up the WireGuard interface. It is up to the user to set up/adapt their firewall zones (either including the interface in the WAN zone, or creating a specific zone for it named VPN, PIA or whichever name you want).
A user reported an issue not directly linked to this script but that other users might experience: on his OpenWrt setup, when the router restarts, the time is not properly set and this prevents the interface from coming up. He proposed a solution here: #5
©2024 bOLEMO