Linux/macOS command line scripts for connecting to Private Internet Access next-gen Wireguard servers.
Based on the pia-foss/manual-connections reference scripts, but built for use.
Note: these are unofficial scripts, not affiliated with Private Internet Access®, created for personal use without warranty or guarantee.
Requirements:

- wireguard-tools
- jq
- curl
- xargs (Note: busybox version doesn't work)
- awk
The quick-start script runs the other scripts in order to connect to the Wireguard VPN server.
To enable port-forwarding, you must run the port_forwarding.sh script manually after connecting.
```sh
git clone https://github.com/derekn/piavpn-scripts.git
cd piavpn-scripts
PIA_USER=user PIA_PASS=pass ./setup.sh
# The VPN should now be connecting if there were no errors.
# The interface name is "pia" and can be checked using `wg show pia`.

# Optionally enable port-forwarding
./port_forwarding.sh

# Disconnect
wg-quick down pia
```

For advanced usage, see setup.sh for an example of manually running scripts.
Scripts should be run in the following order, exporting the output environment variables to pass to the next script.
- get_region - outputs `REGION_ID`, `WG_SERVER_IP`, `WG_HOSTNAME`, `META_SERVER_IP` and `META_HOSTNAME`
- get_token - outputs `PIA_TOKEN`
- connect_wireguard
- port_forwarding - optional, outputs `PAYLOAD_AND_SIGNATURE`, `PORT_FORWARD_PORT` and `PORT_EXPIRES_AT`
| Script | Required Variables | Purpose |
|---|---|---|
| setup.sh | `PIA_USER`, `PIA_PASS` | Quick-start script for running all below scripts and getting connected. All optional variables from other scripts are supported. |
| get_region.sh | | Get region details. Optional, `PREFERRED_REGION` to set specific region by id (ex. `ca_toronto`). `PIA_PF=true` to only select regions supporting port-forwarding. |
| get_token.sh | `PIA_USER`, `PIA_PASS` | Get token for API operations. |
| connect_wireguard.sh | `PIA_TOKEN`, `WG_SERVER_IP`, `WG_HOSTNAME` | Connect to Wireguard server obtained from get_region.sh. Optional, `PIA_DNS=false` to use host DNS servers, default true. |
| port_forwarding.sh | `WG_SERVER_IP`, `WG_HOSTNAME`, `PIA_TOKEN` | Enable port forwarding and bind port. Optional, `PAYLOAD_AND_SIGNATURE` to reuse existing port for keep-alive loop. |
| refresh_cacert.sh | | Download the latest CA certificate for PIA servers. |
| latency_test.sh | | Show lowest latency regions. `PIA_PF=true` to only select regions supporting port-forwarding. |
The scripts make no modifications to the system other than creating the Wireguard interface and disabling IPv6.
It's recommended to set up iptables/ufw firewall rules to prevent non-VPN traffic from leaking.
Below is an example using iptables.
```sh
iptables -I OUTPUT ! -o pia -m mark ! --mark $(wg show pia fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
```
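To confirm the rule above is actually in place (for example after a reboot or a firewall reload), the following added example, which is not part of these scripts, checks an `iptables -S OUTPUT` dump for it. The function name `killswitch_ok` and the sample dumps are constructed for illustration; it assumes the rule text as printed by `iptables -S`.

```sh
#!/bin/sh
# Added example (not part of piavpn-scripts): verify that the leak-prevention
# rule for a WireGuard interface appears in an `iptables -S OUTPUT` dump
# read from stdin.
# Live usage: iptables -S OUTPUT | killswitch_ok pia "$(wg show pia fwmark)"
# Returns 0 = rule present, 1 = rule missing, 2 = interface has no fwmark.
killswitch_ok() {
    iface=$1
    fwmark=$2
    # `wg show <iface> fwmark` prints "off" when no mark is set. The rule
    # relies on the mark to let the tunnel's own packets out, so without
    # one it cannot have been installed correctly.
    case $fwmark in
        0x*) ;;
        *) echo "no fwmark set on $iface" >&2; return 2 ;;
    esac
    awk -v iface="$iface" -v mark="$fwmark" '
        function has(s) { return index($0, s) > 0 }
        /^-A OUTPUT / &&
        has(" ! -o " iface " ") &&
        has(" ! --mark " mark " ") &&
        has(" ! --dst-type LOCAL ") &&
        has(" -j REJECT") { found = 1 }
        END { exit !found }
    '
}

# Constructed sample dumps (not captured from a real host).
SAMPLE_PROTECTED='-P OUTPUT ACCEPT
-A OUTPUT ! -o pia -m mark ! --mark 0xca6c -m addrtype ! --dst-type LOCAL -j REJECT --reject-with icmp-port-unreachable'
SAMPLE_OPEN='-P OUTPUT ACCEPT
-A OUTPUT -o lo -j ACCEPT'

printf '%s\n' "$SAMPLE_PROTECTED" | killswitch_ok pia 0xca6c && echo "protected: rule present"
printf '%s\n' "$SAMPLE_OPEN" | killswitch_ok pia 0xca6c || echo "open: rule missing"
```

The check only confirms the rule exists; a cron job or monitoring hook can call it and alert on a non-zero exit status.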