#!/bin/sh# Enter your PIA Account details PIA_USER='p1111111'PIA_PASS='1

1. #!/bin/sh
2.  
3. # Enter your PIA Account details
4. PIA_USER='p1111111'
5. PIA_PASS='12341234'
6. # Enter your wireguard PIA server details find them at https://serverlist.piaservers.net/vpninfo/servers/v6 search for the country or city you want to connect to and look for the 'wg' which stands for wireguard here is an example "wg": [{"ip": "188.126.89.149", "cn": "helsinki403"} replace below with the ones you want
7. WG_SERVER_IP='188.126.89.149'
8. WG_HOSTNAME='helsinki403'
9.  
10. #using /opt to store files you could use else where
11. mkdir -p /opt/wireguard
12.  
13. #getting the pia token
14. generateTokenResponse=$(curl -s -u "$PIA_USER:$PIA_PASS" \
15. "https://privateinternetaccess.com/gtoken/generateToken")
16. if [ "$(echo "$generateTokenResponse" | jq -r '.status')" != "OK" ]; then
17. echo
18. echo -e "Could not authenticate with the login credentials provided!"
19. echo
20. exit
21. fi
22. PIA_TOKEN=$(echo "$generateTokenResponse" | jq -r '.token')
23.  
24. echo $PIA_TOKEN>/opt/wireguard/PIA_TOKEN || exit 1
25.  
26. # Create ephemeral wireguard keys, that we don't need to be saved to disk.
27. PRIVKEY="$(wg genkey)"
28. PUBKEY="$( echo "$PRIVKEY" | wg pubkey)"
29.  
30. # Authenticate via the PIA WireGuard RESTful API.
31. # This will return a JSON with data required for authentication.
32. # The certificate is required to verify the identity of the VPN server.
33. # In case you didn't clone the entire repo, get the certificate from:
34. # https://github.com/pia-foss/manual-connections/blob/master/ca.rsa.4096.crt this file needs to be in the same dir as this script
35. # In case you want to troubleshoot the script, replace -s with -v.
36. echo Trying to connect to the PIA WireGuard API on $WG_SERVER_IP...
37. wireguard_json="$(curl -s -G \
38. --connect-to "$WG_HOSTNAME::$WG_SERVER_IP:" \
39. --cacert "ca.rsa.4096.crt" \
40. --data-urlencode "pt=${PIA_TOKEN}" \
41. --data-urlencode "pubkey=$PUBKEY" \
42. "https://${WG_HOSTNAME}:1337/addKey" )"
43. export wireguard_json
44. echo $wireguard_json>/opt/wireguard/wireguard_json
45. # Create the WireGuard config based on the JSON received from the API
46. # This uses a PersistentKeepalive of 25 seconds to keep the NAT active
47. # on firewalls. You can remove that line if your network does not
48. # require it.
49.  
50. echo -n "Trying to write /opt/wireguard/pia.conf..."
51. echo
52.  
53. DNSSERVER="$(echo "$wireguard_json" | jq -r '.dns_servers[0]')"
54. LISTENPORT=$(echo "$wireguard_json" | jq -r '.server_port')
55. ADDRESS=$(echo "$wireguard_json" | jq -r '.peer_ip')
56. PUBLICKEY=$(echo "$wireguard_json" | jq -r '.server_key')
57. echo "
58. [Interface]
59. PrivateKey = $PRIVKEY
60. ListenPort = $LISTENPORT
61. Address = $ADDRESS
62. DNS = $DNSSERVER
63. [Peer]
64. PublicKey = $PUBLICKEY
65. AllowedIPs = 0.0.0.0/0
66. Endpoint = $WG_SERVER_IP:$LISTENPORT
67. PersistentKeepalive = 25
68. " > /opt/wireguard/pia.conf || exit 1
69. echo -n "Trying to set wireguard nvram variables..."
70. echo
71. #configfile nvram settings
72. nvram set oet1_private=$PRIVKEY
73. nvram set oet1_port=$LISTENPORT
74. nvram set oet1_ipaddrmask=$ADDRESS
75. nvram set oet1_dns=$DNSSERVER
76. nvram set oet1_peerkey0=$PUBLICKEY
77. nvram set oet1_aip="0.0.0.0/0"
78. nvram set oet1_rem0=$WG_SERVER_IP
79. nvram set oet1_peerport0=$LISTENPORT
80. nvram set oet1_ka0="25"
81. #other nvram settings
82.  
83. nvram commit