Add PrivateInternetAccess Wireguard support #9

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
jamesmcm opened this issue Jul 20, 2020 · 8 comments · Fixed by #183
Labels
good first issue Good for newcomers Hacktoberfest Hacktoberfest 2020 recommended new provider Add new VPN provider

Comments

@jamesmcm
Owner

Now out of private beta

@jamesmcm jamesmcm added the new provider Add new VPN provider label Aug 18, 2020
@jamesmcm jamesmcm added good first issue Good for newcomers Hacktoberfest Hacktoberfest 2020 recommended labels Oct 1, 2020
@jonjonw

jonjonw commented Nov 28, 2020

This may be helpful as an example of how to connect to PIA via wireguard. https://github.com/pia-foss/manual-connections/blob/master/connect_to_wireguard_with_token.sh

@jamesmcm
Owner Author

Thanks, it uses wg-quick the same as vopono.

The main issue is I don't have a PIA account to test the config generation, etc. at the moment.

@mobad
Contributor

mobad commented Aug 15, 2022

@jamesmcm I've been looking into implementing this but I've run into an issue that could potentially require some larger changes so I figured I'd ask for your input first.

The issue with PIA's Wireguard implementation is that it doesn't have an account wide wg pub key.
It's per server and it gets deleted some time after no traffic (relies on PersistentKeepAlive and apparently deletes key after around 7 hours of no traffic), so basically every time you connect you need to do three things:

  1. Get a PIA 24 hour token from https://www.privateinternetaccess.com/gtoken/generateToken using your user/pass.
  2. Use that token and your pub key to make a request to https://${WG_HOSTNAME}:1337/addKey with a certain SSL cert.
  3. This will return your client address and the server pub key so you can use those to make the config.

I really don't think we should be making a request to all like 1000 servers during config generation so we basically have to leave the configs half done and fill them in later on connect.
To do this I'd need to add a way of doing something preconnection.
Probably by adding a preconnection type function to VpnProvider (with an empty default impl for everything except PIA wg) that would take in a config.

I looked into maybe adding a PostUp function to the wg config and it might work but it's pretty tricky, you'd have to do all the PIA network requests then use "wg set" to set peer pub key then, since wg set doesn't allow for a way to change the client IP, you'd have to set it yourself manually. Not entirely sure if this would even work either.

What do you think? Or does adding these ethereal style configs to vopono even make sense? It might open a can of worms as I believe if your computer goes to sleep overnight you'd probably have to reconnect.

@milahu

milahu commented Aug 15, 2022

I really don't think we should be making a request to all like 1000 servers

huh?
usually the VPN server is selected either by latency (parallel ping) or by region (to escape geoblocking)

@mobad
Contributor

mobad commented Aug 16, 2022

@milahu The way vopono works (at least how I understand it) is you first run vopono sync which generates a valid configuration file for every server, then later on you'd run vopono exec with the server of your choice (I don't think vopono does any latency detection, you have to choose the server).
But with PIA's Wireguard implementation it requires us to make a network request to add our wg public key to the wg server to get the information required to generate a valid wg config for that server.

So to generate a config for all of PIA's Wireguard servers we'd have to add our key to all of them which requires a network request to each one and there are something like 1000 servers.
But even then, those configs would only last something like 7 hours so you'd basically have to run sync all the time.

So doing this isn't really feasible, which is why we probably want to generate a partial config then get the rest of the information at connection time, rather than config generation time.

@jamesmcm
Owner Author

I think it is worth it if we can get it to work, but it's quite a lot of steps.

But in theory we could either check if the provider is PIA in the client (like we do for handling OpenConnect separately atm) or have a different config type (or even make it its own "protocol" but that might be a bit hacky).

But I think the approach you described is good overall - what would we save at sync time though? Just the user+pass (if we want to save that?) or can we rely on the servers being the same as at runtime? (probably not if they're trying to evade Netflix bans, etc.)

@mobad
Contributor

mobad commented Aug 19, 2022

@jamesmcm

what would we save at sync time though? Just the user+pass (if we want to save that?) or can we rely on the servers being the same as at runtime? (probably not if they're trying to evade Netflix bans, etc.)

At sync time we'd save all wireguard servers from https://serverlist.piaservers.net/vpninfo/servers/v6 in wg-quick format with maybe some placeholders? It really could be anything but a wg-quick config makes sense as we can parse it pretty easily I think.
I'm thinking of adding a config option for servers with portforwarding or not. (Portforwarding would be left up to the user as it requires a script to be running in the background calling bindPort every 10 min)

Unfortunately we'd have to save the username/password somewhere (probably just an auth.txt like openvpn) as we need it to generate a token valid for 24h which is needed to add our pubkey.
On every reconnect I think we'd have to do the whole addKey stuff again to be safe or else we'd have to connect, verify connection works somehow, if it doesn't then do the addKey stuff, but that seems like too much work for minimal benefit.

The server IPs, I'd imagine, don't change that often but they apparently reboot every 2 months or so. So I don't think we need to re-sync every time we connect, just do the addKey stuff, get server pub key/client IP, and generate a config.

But in theory we could either check if the provider is PIA in the client (like we do for handling OpenConnect separately atm) or have a different config type (or even make it its own "protocol" but that might be a bit hacky).

That might be a bit weird as PIA already has openvpn support. (Not really familiar with how Custom/OpenConnect works now)

I'll probably try to hack something together this weekend with a preconnection step to see how it looks.
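
The two-phase flow discussed above (placeholder wg-quick config written at sync time, addKey result filled in at connect time), as an added illustration that is not vopono's or PIA's code. The placeholder names, the `AddKeyResponse` fields (taken from what PIA's manual-connections script reads out of the addKey reply) and all sample values are assumptions; the token request, the addKey HTTPS call and JSON parsing are left to the real implementation.

```rust
/// Fields of PIA's addKey reply that the connect step needs. Field names are
/// assumed from PIA's manual-connections script; the real code would
/// deserialize the JSON body (e.g. with serde) into this struct.
pub struct AddKeyResponse {
    pub server_key: String,
    pub server_port: u16,
    pub peer_ip: String,
    pub dns_servers: Vec<String>,
}

/// Sync time: render a wg-quick config for one server from what the server
/// list provides (its IP) plus the client's own key, leaving per-connection
/// fields as placeholders so `vopono sync` never has to call addKey.
pub fn partial_config(server_ip: &str, client_privkey: &str) -> String {
    format!(
        "[Interface]\nPrivateKey = {}\nAddress = __PIA_PEER_IP__\n\
         DNS = __PIA_DNS__\n\n[Peer]\nPublicKey = __PIA_SERVER_KEY__\n\
         Endpoint = {}:__PIA_SERVER_PORT__\nAllowedIPs = 0.0.0.0/0\n\
         PersistentKeepalive = 25\n",
        client_privkey, server_ip
    )
}

/// Connect time: substitute the addKey result into the saved partial config,
/// refusing to hand wg-quick a config that still has an unfilled placeholder
/// (e.g. addKey failed or returned an unexpected body).
pub fn complete_config(partial: &str, resp: &AddKeyResponse) -> Result<String, String> {
    if resp.server_key.is_empty() || resp.peer_ip.is_empty() {
        return Err("addKey reply is missing server_key or peer_ip".to_string());
    }
    let filled = partial
        .replace("__PIA_PEER_IP__", &resp.peer_ip)
        .replace("__PIA_SERVER_KEY__", &resp.server_key)
        .replace("__PIA_SERVER_PORT__", &resp.server_port.to_string())
        .replace("__PIA_DNS__", &resp.dns_servers.join(", "));
    match filled.lines().find(|l| l.contains("__PIA_")) {
        Some(line) => Err(format!("unfilled placeholder left in config: {}", line)),
        None => Ok(filled),
    }
}

fn main() {
    // Constructed sample values; in vopono they would come from the server
    // list, the generated client key and the real addKey call.
    let partial = partial_config("203.0.113.10", "CLIENT_PRIVATE_KEY_PLACEHOLDER");
    let resp = AddKeyResponse {
        server_key: "SERVER_PUBLIC_KEY_PLACEHOLDER".to_string(),
        server_port: 1337,
        peer_ip: "10.0.0.2".to_string(),
        dns_servers: vec!["10.0.0.243".to_string()],
    };
    match complete_config(&partial, &resp) {
        Ok(cfg) => print!("{}", cfg),
        Err(e) => eprintln!("not connecting: {}", e),
    }
}
```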

@jamesmcm
Owner Author

Thanks, it sounds good, maybe put it in its own file for now just to try to keep the general Wireguard related code cleaner (you can then import the functions, etc. you need there).
