Connecting to PIA using WireGuard on OPNsense

I’ve been using PIA (Private Internet Access) as my VPN provider since 2014. Over the years you could say they’ve had a bit of a bumpy road, but nothing has come to light showing them handing over logs or user details to the authorities; to my knowledge this has been tested twice in court, and TorrentFreak wrote about the second case on their blog. I’ve always connected to PIA via OpenVPN, which has worked well for many years, and because they offer the service on different ports it has also let me get around the odd captive portal.

I’ve been running my own router, first pfSense and in recent years OPNsense, with an OpenVPN connection to PIA to tunnel certain traffic as and when required. In the last year PIA announced their WireGuard service, letting users connect to their NextGen VPN servers using this newer VPN technology; you can read about how WireGuard works on its website. WireGuard is more performant than OpenVPN because it has less overhead, and each OS will eventually have a kernel module, improving performance further and giving higher speeds and lower latency. Linux already has a kernel module; one is being developed for FreeBSD, but it is currently not mature enough to be included in the FreeBSD source tree. OPNsense currently uses the WireGuard-go implementation, which is fast enough for my needs since my internet connection is only 50/5 (a VDSL line), but I know of people getting 500/30 over WireGuard-go on OPNsense with no problem. I have no doubt that once the kernel module is ready for FreeBSD, OPNsense will replace the Go version with it.

So how do we connect OPNsense to PIA’s NextGen WireGuard VPN servers? With some VPN providers it’s very simple: you give the provider your WireGuard public key, and in return they give you the connection details you need to connect to their WireGuard servers. When you’re a small VPN company this is easy, since there are 16,777,214 addresses in the private IP range to play with; after taking away a few thousand for their management networks, that still leaves a lot of IPs they can permanently assign to their WireGuard users. That assumes they have servers dedicated to WireGuard clients; the number of addresses available would be even smaller if they’re running OpenVPN on the same servers. When you’re the size of PIA, each server hosts multiple VPN protocols, and users have multiple devices, getting close to running out of IPs becomes a real issue if the IPs have to be globally unique. So PIA uses a different strategy for WireGuard: each VPN server has an API, which you ask for WireGuard connection details, and those details let you connect to that one server only. If you want to connect to another server, you repeat the process against that server’s API.

Since connecting to PIA’s WireGuard servers requires talking to this API, you need their client or a script to do it for you. PIA provides a GitHub repo containing manual connection scripts that let you connect to their WireGuard servers without the official PIA client. So what we need is an OPNsense version of this script, so it can handle the API part of the connection process.
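To make the per-server exchange concrete, here is an added example that models it end to end: send the router's public key to one server's API, validate what comes back, and turn it into the WireGuard interface and peer settings you would enter on OPNsense. This is illustration code written for this article, not the script described below and not PIA's own code; the endpoint path, query parameters and response field names are assumptions modelled on PIA's public manual-connection scripts and should be checked against that repository, and the sample response is constructed.

```python
"""Model of PIA's per-server WireGuard registration exchange.

Added example, not the blog author's script and not PIA's own code. PIA's
scheme: each VPN server exposes a small API; the client sends its WireGuard
public key (plus an auth token) and gets back the peer details needed to
reach that one server. Endpoint path, query parameters and response field
names below are assumptions modelled on PIA's public manual-connection
scripts; verify them against that repository before relying on them.
"""
import base64
import ipaddress
import json
import urllib.parse

WG_KEY_LEN = 32  # Curve25519 keys are 32 bytes, base64-encoded on the wire

# Constructed placeholder keys (NOT real keys): 32 repeated bytes, base64'd.
DUMMY_PRIVKEY = base64.b64encode(b"\x22" * 32).decode()
DUMMY_SERVER_KEY = base64.b64encode(b"\x11" * 32).decode()

# Constructed sample response (not real PIA data); 203.0.113.0/24 is TEST-NET-3.
SAMPLE_RESPONSE = json.dumps({
    "status": "OK",
    "server_key": DUMMY_SERVER_KEY,
    "server_port": 1337,
    "server_ip": "203.0.113.10",
    "server_vip": "10.0.0.1",
    "peer_ip": "10.0.0.42",
    "dns_servers": ["10.0.0.243"],
})


def parse_wg_key(key_b64: str) -> bytes:
    """Decode a base64 WireGuard key and check its length.

    Keys from `wg genkey` / `wg pubkey` are 44 base64 characters; anything
    else is a copy-paste error or a garbled API response, so fail early.
    """
    raw = base64.b64decode(key_b64, validate=True)
    if len(raw) != WG_KEY_LEN:
        raise ValueError(f"WireGuard key must be {WG_KEY_LEN} bytes, got {len(raw)}")
    return raw


def build_register_url(server_ip: str, api_port: int, token: str, pubkey_b64: str) -> str:
    """Build the per-server registration request (assumed path /addKey).

    The token is a short-lived credential obtained separately with the PIA
    account login; only the *public* key ever leaves the router.
    """
    parse_wg_key(pubkey_b64)            # never send a malformed key
    ipaddress.ip_address(server_ip)     # reject hostnames / junk from the server list
    query = urllib.parse.urlencode({"pt": token, "pubkey": pubkey_b64})
    return f"https://{server_ip}:{api_port}/addKey?{query}"


def parse_register_response(body: str) -> dict:
    """Validate the JSON the server returns and pull out the peer details.

    Field names are assumed (status, server_key, server_port, server_ip,
    server_vip, peer_ip, dns_servers). Every value is checked before it is
    turned into router configuration, because the response drives routing.
    """
    data = json.loads(body)
    if data.get("status") != "OK":
        raise RuntimeError(f"registration refused: {data.get('message', data)}")
    parse_wg_key(data["server_key"])
    endpoint_ip = str(ipaddress.ip_address(data["server_ip"]))
    port = int(data["server_port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"bad server_port {port}")
    peer_ip = ipaddress.ip_interface(data["peer_ip"])  # bare address -> /32
    return {
        "endpoint": f"{endpoint_ip}:{port}",
        "server_pubkey": data["server_key"],
        "tunnel_address": str(peer_ip),
        "gateway": str(ipaddress.ip_address(data["server_vip"])),
        "dns": [str(ipaddress.ip_address(d)) for d in data.get("dns_servers", [])],
    }


def render_wg_config(peer: dict, privkey_b64: str, allowed_ips: str = "0.0.0.0/0") -> str:
    """Render a wg-quick style config from the parsed peer details.

    On OPNsense the same values go into the WireGuard instance (private key,
    tunnel address) and peer (public key, endpoint, allowed IPs) settings.
    """
    parse_wg_key(privkey_b64)
    ipaddress.ip_network(allowed_ips, strict=False)
    lines = ["[Interface]", f"PrivateKey = {privkey_b64}", f"Address = {peer['tunnel_address']}"]
    if peer["dns"]:
        lines.append(f"DNS = {', '.join(peer['dns'])}")
    lines += [
        "",
        "[Peer]",
        f"PublicKey = {peer['server_pubkey']}",
        f"Endpoint = {peer['endpoint']}",
        f"AllowedIPs = {allowed_ips}",
        "PersistentKeepalive = 25",  # keeps the mapping alive behind NAT
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_register_url("203.0.113.10", 1337, "token-placeholder", DUMMY_SERVER_KEY))
    print(render_wg_config(parse_register_response(SAMPLE_RESPONSE), DUMMY_PRIVKEY))
```

Because the response decides where the router sends traffic, every field is validated before it is rendered; a refused registration raises instead of producing a half-filled config, and a malformed key is rejected both on the way out and on the way in. Connecting to a different region means repeating the exchange against that server's address, which is exactly why a script has to own this step.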

After a lot of searching it was apparent that no such script existed for OPNsense. I decided to look into creating one so I could take advantage of their WireGuard servers, and so that anyone else interested in using PIA on OPNsense with WireGuard could do so too. After a weekend of reading through the manual connection scripts and talking to PIA staff in their IRC channel, I made the following script (linked below). I’ve iterated on the script a little since my first commit to iron out any bugs; it’s now pretty robust, unless you’re trying to do something special with it. The GitHub repo contains a README explaining how to set up the script. It takes care of maintaining the connection to PIA and rotates servers when required: give the script some connection details and a region, and it will take care of the rest.

Hopefully others will find this script useful, and I will keep it updated as and when required. If you run into any issues or errors setting up the script, don’t hesitate to open an issue.
