| Today I'll be talking a little bit about VPNs. I've been interested | |
| in getting myself set up with a ubiquitous VPN for a while. I have a | |
| VPN server running on my router (an x86 desktop running PFSense) which | |
| was fine for when I was on public wifi and needed a little protection. | |
| But that meant my ISP could still see, and modify, my traffic. With | |
| the looming death of net neutrality, I thought it was high time I fix | |
| this situation. | |
| After doing a bit of shopping around I found a company called Private | |
| Internet Access (PIA)[1] which claims geographically separated, log-less | |
| and secure VPN service for just $3.33/month (at the time of this | |
| writing). The deal sounded too good to pass up and the reviews were | |
| outstanding so I decided to give it a try. There are few times in life | |
| when you make really good decisions; I think this was one of those | |
| times. | |
| My initial impressions with PIA are very positive. They provide a | |
| graphical client for Windows, MacOS, Ubuntu Linux, Android and iOS. | |
| They also support OpenVPN and L2TP so you can use any generic OpenVPN | |
| or L2TP client as well. If that wasn't enough, they have some really | |
| good documentation and well written scripts to help configure things | |
| on the non-standard platforms. This includes a script for setting up a | |
| NetworkManager entry for each VPN endpoint they have, compatible with | |
| Debian, Ubuntu, Fedora, CentOS and Arch Linux. It also includes a | |
| great tutorial on configuring PFSense to be an OpenVPN client to | |
| their service, and much, much more. | |
| As it stands, I have my laptop (Fedora) configured using their | |
| automatic config script for NetworkManager. This created an entry in | |
| /etc/NetworkManager/system-connections for each of their geographic | |
| endpoints. My desktop and phone are configured with the official | |
| client. So far, everything works really, really well on that front. | |
| The only snag I've hit so far is not really anything to do with PIA. I | |
| had originally configured PFSense to act as an OpenVPN client to one of | |
| their endpoints. This worked well and the instructions were clear and | |
| accurate but I quickly found out that it was somewhat impractical to | |
| forward all of my traffic through the VPN without consequence. For | |
| example, Netflix blocks all well known VPN IP addresses. Since PIA is | |
| a well known VPN provider, they're blocked. Without doing additional | |
| advanced configuration to split the network traffic for certain | |
| devices (i.e. my television) this was not going to work. For now, I'm | |
| sticking with client side configurations only. | |
| My one complaint about the service itself so far is latency related. I | |
| get that using a VPN adds an amount of overhead to the network | |
| connection reducing its speed and latency to some degree. This is | |
| unavoidable. I've noticed a few times where latency was very high, | |
| however, and sometimes the connection would drop altogether. Since | |
| they offer a service with a large number of endpoints, switching to | |
| another of these endpoints was easy and usually solves the problem. I | |
| do wish they would find a way to make the service a little more | |
| stable, though. | |
| The official PIA client has a setting to automatically connect to a | |
| specified endpoint at startup. If you're using a generic OpenVPN | |
| client, such as NetworkManager, this is slightly more complicated. | |
| What I ended up doing was creating a script in | |
| /etc/NetworkManager/dispatcher.d which watches for my wireless network | |
| adapter to come up and activates the VPN connection. It's a fairly | |
| trivial script and the dispatcher.d scripts are well documented on the | |
| gnome.org [2] website. | |
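
A dispatcher script of the kind described above, as an added example rather than the author's own script. The interface name `wlp3s0`, the connection name `PIA - US East` and the file name are assumptions to replace with your own values.

```shell
#!/bin/sh
# Added example, not the author's script. Would live at a path such as
# /etc/NetworkManager/dispatcher.d/90-vpn-autoconnect (hypothetical name).
# NetworkManager only runs dispatcher scripts that are owned by root and
# not writable by group or other; it passes $1=interface and $2=action.

WIFI_IFACE="${WIFI_IFACE:-wlp3s0}"       # assumption: wireless adapter name
VPN_NAME="${VPN_NAME:-PIA - US East}"    # assumption: NetworkManager connection name
NMCLI="${NMCLI:-nmcli}"                  # overridable so the logic can be tested

# True if the VPN connection is already in the active list (exact name match).
vpn_is_active() {
    "$NMCLI" -t -f NAME connection show --active | grep -Fxq -- "$VPN_NAME"
}

# Handle one dispatcher event; prints what was done.
handle_event() {
    iface="$1"; action="$2"
    # Only react to the wireless adapter coming up.
    if [ "$iface" != "$WIFI_IFACE" ] || [ "$action" != "up" ]; then
        echo ignored; return 0
    fi
    # Stay idempotent: the dispatcher can fire "up" more than once.
    if vpn_is_active; then
        echo already-active; return 0
    fi
    if "$NMCLI" connection up id "$VPN_NAME" >/dev/null 2>&1; then
        echo activated
    else
        # Traffic is NOT tunnelled at this point; make that visible in the log.
        logger -t vpn-autoconnect "failed to activate $VPN_NAME on $iface" 2>/dev/null || true
        echo failed
    fi
    return 0
}

# Run only when invoked by the dispatcher with its two arguments.
if [ "$#" -ge 2 ]; then
    handle_event "$1" "$2" >/dev/null
fi
```

If activation fails, the wireless link stays up and traffic leaves untunnelled, so the logged failure is worth alerting on.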
| [1] Private Internet Access URL: https://www.privateinternetaccess.com | |
| [2] Gnome NetworkManager Page |