Today I'll be talking a little bit about VPNs. I've been interested
in getting myself set up with a ubiquitous VPN for a while. I have a
VPN server running on my router (an x86 desktop running pfSense) which
was fine for when I was on public wifi and needed a little protection.
But that meant my ISP could still see, and modify, my traffic. With
the looming death of net neutrality, I thought it was high time I fix
this situation.

After doing a bit of shopping around I found a company called Private
Internet Access (PIA)[1] which claims geographically separated, log-less
and secure VPN service for just $3.33/month (at the time of this
writing). The deal sounded too good to pass up and the reviews were
outstanding so I decided to give it a try. There are few times in life
when you make really good decisions; I think this was one of those
times.

My initial impressions with PIA are very positive. They provide a
graphical client for Windows, MacOS, Ubuntu Linux, Android and iOS.
They also support OpenVPN and L2TP so you can use any generic OpenVPN
or L2TP client as well. If that wasn't enough, they have some really
good documentation and well-written scripts to help configure things
on the non-standard platforms. This includes a script for setting up a
NetworkManager entry for each VPN endpoint they have, compatible with
Debian, Ubuntu, Fedora, CentOS and Arch Linux, a great tutorial on
configuring pfSense to be an OpenVPN client to their service, and much,
much more.

As it stands, I have my laptop (Fedora) configured using their
automatic config script for NetworkManager. This created an entry in
/etc/NetworkManager/system-connections for each of their geographic
endpoints. My desktop and phone are configured with the official
client. So far, everything works really, really well on that front.

The only snag I've hit so far is not really anything to do with PIA. I
had originally configured pfSense to act as an OpenVPN client to one of
their endpoints. This worked well and the instructions were clear and
accurate but I quickly found out that it was somewhat impractical to
forward all of my traffic through the VPN without consequence. For
example, Netflix blocks all well-known VPN IP addresses. Since PIA is
a well-known VPN provider, they're blocked. Without doing additional
advanced configuration to split the network traffic for certain
devices (i.e. my television) this was not going to work. For now, I'm
sticking with client side configurations only.

My one complaint about the service itself so far is latency related. I
get that using a VPN adds an amount of overhead to the network
connection reducing its speed and latency to some degree. This is
unavoidable. I've noticed a few times where latency was very high,
however, and sometimes the connection would drop altogether. Since
they offer a service with a large number of endpoints, switching to
another of these endpoints was easy and usually solves the problem. I
do wish they would find a way to make the service a little more
stable, though.

The official PIA client has a setting to automatically connect to a
specified endpoint at startup. If you're using a generic OpenVPN
client, such as NetworkManager, this is slightly more complicated.
What I ended up doing was creating a script in
/etc/NetworkManager/dispatcher.d which watches for my wireless network
adapter to come up and activates the VPN connection. It's a fairly
trivial script and the dispatcher.d scripts are well documented on the
gnome.org [2] website.

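A dispatcher script of the kind described above could look like the
following. This is an added example, not the author's script: the file
name, the interface name wlp3s0 and the connection name "PIA - Example"
are assumptions to be replaced with your own values.

```shell
#!/bin/sh
# /etc/NetworkManager/dispatcher.d/10-autovpn  (hypothetical file name)
# NetworkManager runs dispatcher scripts as root with $1 = interface and
# $2 = action. The file must be owned by root and not writable by group
# or others, otherwise NetworkManager refuses to run it.

WIFI_IF="${WIFI_IF:-wlp3s0}"            # assumption: wireless interface name
VPN_NAME="${VPN_NAME:-PIA - Example}"   # placeholder: name of the VPN connection
NMCLI="${NMCLI:-nmcli}"                 # overridable so the logic can be tested offline

# Succeeds if the named VPN connection is already active.
vpn_is_active() {
    "$NMCLI" -t -f NAME connection show --active 2>/dev/null |
        grep -Fxq -- "$VPN_NAME"
}

# Decide what to do for one dispatcher event; prints "start" or "skip".
decide() {
    iface="$1"; action="$2"
    # Ignore every other interface, including the VPN's own tunnel device,
    # whose events would otherwise re-trigger this script.
    [ "$iface" = "$WIFI_IF" ] || { echo skip; return 0; }
    # Only react when the wireless adapter comes up.
    [ "$action" = "up" ] || { echo skip; return 0; }
    # Do not start a second session if the VPN is already connected.
    if vpn_is_active; then echo skip; else echo start; fi
}

# Act only when invoked by the dispatcher (interface and action given).
if [ "$#" -ge 2 ]; then
    if [ "$(decide "$1" "$2")" = "start" ]; then
        "$NMCLI" connection up id "$VPN_NAME" ||
            logger -t autovpn "failed to activate $VPN_NAME on $1"
    fi
fi
```

Note that traffic leaves unprotected between the adapter coming up and
the VPN finishing its handshake, and keeps doing so if activation fails;
the script only logs that failure.
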
[1] Private Internet Access URL: https://www.privateinternetaccess.com
[2] Gnome NetworkManager Page