I’m soon going to be moving to Charter Communications territory, but I don’t trust Charter and don’t want it to keep records of all the websites that I visit.  The natural solution is to use a VPN, and the natural first choice is Private Internet Access, since it’s a huge financial supporter of GNOME, and I haven’t heard anybody complain about problems with using it. This will be a short review of my experience.
The service is not free. That’s actually good: it means I’m the customer, not the product. Cost is $40 per year if you pay a year in advance, but you should probably start with the $7/month plan until you’re sure you’re happy with the service and will be keeping it long-term. Anyway, this is a pretty reasonable price that I’m happy to pay.
The website is fairly good. It makes it easy to buy or discontinue service, so there are no pricing surprises, and there’s a pretty good library of support documentation. Unfortunately some of the claims on the website seem to be — arguably — borderline deceptive. A VPN service provides excellent anonymity against your ISP, but relying on a VPN would be a pretty bad idea if your adversary is the government (it can perform a traffic correlation attack) or advertising companies (they know your screen resolution, the performance characteristics of your graphics card, and until recently the rate your battery drains…). But my adversary is going to be Charter Communications, so a VPN is the perfect solution for me. If you need real anonymity, you absolutely must use the Tor Browser Bundle, but that’s going to make your life harder, and I don’t want my life to be harder, so I’ll stick with a VPN.
Private Internet Access provides an Ubuntu app, but I’m going to ignore that because (a) I use Fedora, not Ubuntu, and (b) why on Earth would you want a separate desktop app for your VPN when OpenVPN integration is already built-in on Ubuntu and all modern Linux desktops? Unfortunately the documentation provided by Private Internet Access is not really sufficient — they have a script to set it up automatically, but it’s really designed for Ubuntu and doesn’t work on Fedora — so configuration was slightly challenging. I wound up following instructions on some third-party website, which I have long since forgotten. There are many third-party resources for how to configure PIA on Linux, which you might think is good but actually indicates a problem with the official documentation in my opinion. So there is some room for improvement here. PIA should ditch the pointless desktop app and improve its documentation for configuring OpenVPN via NetworkManager. (Update: After publishing this post, I discovered this article. Seems the installation script now supports Fedora/RHEL and Arch Linux. So my claim that it only works on Ubuntu is outdated.) But anyway, once you get it configured properly with NetworkManager, it works: no need to install anything (besides the OpenVPN certificate, of course).
Well, it mostly works. Now, I have two main requirements to ensure that Charter can’t keep records of the websites I’m visiting:
- NetworkManager must autoconnect to the VPN, so I don’t have to do it manually.
- NetworkManager must reconnect to the VPN service if connection drops, and must never send any data if the VPN is off.
The first requirement was hard to solve, and I still don’t have it working perfectly. There is no GUI configuration option for this in gnome-control-center, but I eventually found it in nm-connection-editor: you have to edit your normal non-VPN connection, which has a preference to select a VPN to connect to automatically. So we should improve that in gnome-control-center. Unfortunately, it doesn’t work at all the first time your computer connects to the internet after it’s booted. Each time I boot my computer, I’m greeted with a Connection Failed notification on the login screen. This is probably a NetworkManager bug. Anyway, after logging in, I just have to manually connect once, then it works.
As for the next requirement, I’ve given up. My PIA connection is routinely lost about once every 30-45 minutes, usually when watching YouTube or otherwise using a lot of data. This is most likely a problem with PIA’s service, but I don’t know that: it could just as well be my current ISP cutting the connection, or maybe even some client-side NetworkManager bug. Anyway, I could live with brief connection interruptions, but when this happens, I lose connection entirely for about a minute — too long — and then the VPN times out and NetworkManager switches back to sending all the data outside the VPN. That’s totally unacceptable. To be clear, sending data outside the VPN is surely a NetworkManager problem, not a PIA problem, but it needs to be fixed for me to be comfortable using PIA. I see some discussion about that on this third-party GitHub issue, but the “solution” there is to stop using NetworkManager, which I’m not going to do. This is probably one of the reasons why PIA provides a desktop app — I think the PIA app doesn’t suffer from this issue? — but like I said, I’m not going to use a third-party OpenVPN app instead of the undoubtedly-nicer support that’s built in to GNOME.
Another problem is that I can’t connect to Freenode when I’m using the VPN. GIMPNet works fine, so it’s not a problem with IRC in general: Freenode is specifically blocking Private Internet Access users. This seems very strange, since Freenode has a bunch of prominent advertising for PIA all over its website. I could understand blocking PIA if there are too many users abusing it, but not if you’re going to simultaneously advertise it.
I also cannot access Igalia’s SIP service when using PIA. I need that too, but that’s probably something we have to fix on our end.
So I’m not sure what to do now. We have two NetworkManager bugs and a problem with Freenode. Eventually I’ll drop Empathy in favor of Matrix or some other IRC client where registering with NickServ is not a terrible mistake (presumably they’re only blocking unregistered users?), so the Freenode issue seems less-important. I think I’d be willing to just stop visiting Freenode if required to use PIA, anyway. But those NetworkManager issues are blockers to me. With those unfixed, I’m not sure if I’m going to renew my PIA subscription or not. I would definitely renew if someone were to fix those two issues. The ideal solution would be for PIA to adopt NetworkManager’s OpenVPN plugin and ensure it gets cared for, but if not, maybe someone else will fix it?
Update: See part two for how to solve some of these problems.
What are your thoughts on Algo? https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
I’d never heard of Algo. I’d kind of rather my traffic be mixed in with a bunch of other people’s. But if you don’t mind, aren’t looking for anonymity, and are just trying to transfer trust from your ISP to your hosting provider, then hosting your own VPN seems like a fine solution.
I find it a bit odd that IPSec is considered more trusted than TLS. I would not rely on IPSec if your adversary is the NSA. But I already said you shouldn’t rely on a VPN if your adversary is the government, so I guess that doesn’t matter.
Hey, I’m using PIA via NM/OpenVPN without any unexpected disconnects on my Fedora 25 laptop.
I’ve also had a VM that was configured for PIA-only connectivity. I had iptables rules disallowing user access to eth0 via --uid-owner. This effectively prevented *user data* from going through unprotected internet. I was starting the VPN via systemd unit (openvpn@…). It fit the requirement I had at the time, although I didn’t have to worry about wifi on the VM.
Additionally, you may be able to configure openvpn on your router, and route all outbound traffic by default (but keep an alternate, manual route to use as required). That really depends on what you’ve got for a router.
Thanks for sharing your experience with PIA. I’m about to sign up with them as well, and I too use Fedora, so this was helpful.
About the connection drop issue, try to use TCP instead of UDP for the VPN.
Good suggestion. I’ve switched and… so far, so good. But I haven’t tested it enough yet to be confident that this has fixed that issue.
Can’t you just remove the default route from your main internet connection (and ignore those from DHCP), and only have a route to PIA? That will prevent data from going over the regular internet.
I tried to do this at your suggestion, but can’t figure out how. I switch the Automatic toggle button to the off position in control-center, but it still sets a default route.
Strangely, it still sets an IPv6 address as well, even when I’ve turned that off (knowing that PIA doesn’t support IPv6). Is this yet another NetworkManager bug, I wonder?
But the OpenVPN client itself needs that route, in order to reach the VPN server…
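The per-user iptables block described in the comments above, together with the exception the OpenVPN client needs to reach its server, as an added example that is not part of the original post or its comments. The interface names, server address, port and uid are constructed placeholders; the function only prints rules for review and assumes an otherwise empty OUTPUT chain.

```shell
#!/bin/sh
# Added example: prints a fail-closed rule set; nothing is applied here.
# Constructed values: eth0, tun0, 203.0.113.10 (documentation range), 1194, uid 1000.

# Succeeds only for a dotted-quad IPv4 address with four octets in 0-255.
is_ipv4() (
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || exit 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
)

# killswitch_rules PHYS_IF VPN_IF SERVER_IP PROTO PORT USER_ID
# Inputs are validated because the output is meant to be reviewed and then run as root.
killswitch_rules() (
    phys=$1 vpn=$2 server=$3 proto=$4 port=$5 uid=$6
    fail() { echo "killswitch_rules: $1" >&2; exit 1; }
    for ifname in "$phys" "$vpn"; do
        case "$ifname" in ''|*[!A-Za-z0-9_.-]*) fail "bad interface name" ;; esac
    done
    is_ipv4 "$server" || fail "bad server address"
    case "$proto" in udp|tcp) ;; *) fail "proto must be udp or tcp" ;; esac
    for n in "$port" "$uid"; do
        case "$n" in ''|*[!0-9]*) fail "port and uid must be numeric" ;; esac
    done
    # Loopback and everything routed into the tunnel stay allowed.
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -o $vpn -j ACCEPT"
    # The encrypted tunnel itself must still reach the VPN server over the
    # physical link, whichever account the OpenVPN process runs under.
    echo "iptables -A OUTPUT -o $phys -d $server -p $proto --dport $port -j ACCEPT"
    # Anything else this user sends on the physical link is refused, so a
    # dropped tunnel fails closed instead of falling back to the ISP.
    echo "iptables -A OUTPUT -o $phys -m owner --uid-owner $uid -j REJECT"
    # The tunnel here is assumed IPv4-only, so the user's IPv6 is refused too.
    echo "ip6tables -A OUTPUT -o $phys -m owner --uid-owner $uid -j REJECT"
)

killswitch_rules eth0 tun0 203.0.113.10 udp 1194 1000
```

The owner match only covers locally generated traffic from that uid, so system services running under other accounts can still use the physical link.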
Hi Michael,
freenode requires SASL for a number of gateways (VPNs, tor, etc.) as this is how we ensure that legitimate users are not affected by any bans (manual or automated) placed against such services in the event of abuse.
In short this means that you need to send your nickserv credentials through during the connection process rather than after — https://freenode.net/kb/answer/sasl will let you know what you need to do for your specific client.
Hope that helps!
Cheers,
Christel
Well it’s good to know what’s going on, but using NickServ is unacceptable to me as I don’t want to get a GNOME desktop notification that I have to manually type my password into each time I start Empathy. We’re going to need some major work on Empathy to add proper NickServ support, which I suspect will never happen.
Have you looked into something like vpnfailsafe:
https://github.com/wknapik/vpnfailsafe