Private Internet Access Review
Private Internet Access (PIA), run by London Trust Media (their HQ is actually in Michigan, hence the DMCA notification), is very popular, as attested by their repeated appearance on r/vpn. Their site is not as flashy as some of their competitors’ but PIA has some good information behind the homepage. In my opinion this is a conscious choice by the web developers, as they show the same no-frills efficiency in all categories of the site: client support – user account – blog – forum – tech support.
At first glance PrivateInternetAccess has everything to satisfy its customers:
- Low prices, especially annually - $39.95 (only $3.33 per month)
- Efficient connection client with OpenVPN
- SOCKS5 proxy available as well as PPTP, OpenVPN and L2TP
The only obvious flaw is the limited number of countries, only 10, which include: the USA, UK, Canada, Switzerland, Holland, Sweden, France, Germany, Romania and Hong Kong. But is this a real problem? A specialist told me that 95% of users concentrate on 5-6 countries: USA – UK – NL – SE – CA.
My introduction to PIA has three parts:
- Payment with Bitcoin for PIA
- Description of OpenVPN connection client – PIA software
- Proxy SOCKS5
PIA + Bitcoin: What is Bitcoin?
Bitcoin is the payment method that best matches the spirit of VPN use:
=> Personal data protection for the user
Since PIA is very much oriented towards data protection and securing the network, it is only logical that it accepts decentralised currency. On the page dedicated to Bitcoin you can learn the basics, the principles and some advice which will help you learn and make the best of this new currency.
Nothing could be easier than paying a monthly subscription by Bitcoin. Select your package, choose the Bitcoin tab and add the email you use for PIA communications.
A window will open with the desired BTC amount (depending on the current value) and the BTC address for Private Internet Access. Payment must be made within 15 minutes. PIA uses BitPay as an intermediary.
Then in your Wallet you type in the appropriate sum and the BTC address for PIA.
A Bitcoin payment is non-refundable, and therefore final. So no trial offers!
Straightaway you should receive three emails, one of which includes the link to the client to download with a simple tutorial.
Once the connection client has been downloaded and installed all you have to do is to explore!
It has a simple interface since on start-up it offers by default just a list of available servers. Click on Advanced to discover some good surprises. The point of the second section is to explain a little more about the options available for you.
This is the real and unique bonus of PIA in that they let you choose your type and level of encryption.
- Data Encryption = Choose between the encryption algorithm of AES, Blowfish or nothing.
- Data Authentication = Choose from SHA-1, SHA-256 or no hash code.
- Handshake = Exchange of Diffie-Hellman keys with RSA Certificates (2048 or 3072 or 4096bit) or exchange of Diffie-Hellman keys with ECDSA encryption (Elliptic Curve Digital Signature Algorithm). The recommended curve is secp256k1 (256bit key). PIA also offers secp256r1 (256 or 512bit key).
We were delighted with the clear instructions for the three-step connection process for OpenVPN, and with the choice to take or leave the encryption level or hash function. VPNs that offer all this information are few and far between. Normally they settle for a 2048bit level of encryption for OpenVPN and that is it. One of the only services to be open on the subject is HideMyAss, who specify their settings but without the option of changing them:
CBC mode of Blowfish with encryption strength of 128bit, hash algorithm is 160bit SHA1, and the control channel is same TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
These are the recommended settings for PIA:
AES-128 / SHA1 / RSA-2048
Of course we tried this configuration to check and it worked perfectly. We also used the following, with UDP port, which has such a high level of protection you can be almost totally certain of the confidentiality of information on the network:
Blowfish / SHA1 / RSA-2048
And to a lesser extent:
Blowfish / SHA256 / ECC-256k1
In the end the only point on which we would question the site is the Handshake, which serves as mutual identification using a key. Some doubts have been raised recently around the security of ECC (Elliptic Curve Cryptography). ECC offers a fast and perhaps too greedy encryption with keys. It is in direct competition with the great RSA but offers smaller keys with “lighter” calculations compared to its competitor.
Some doubts come from the secp256r1 curve certified by the NIST. According to some experts (including the wise Bruce Schneier) the NSA influenced the American standards institute, NIST, to certify this pseudo-random number generator that has a weak point. In other words the numbers generated are not unpredictable. A backdoor, or entry point, into a mechanism for generating random numbers means the whole security system will be compromised and vulnerable to attackers or surveillance organisations. If you still wish to use elliptic curves we advise secp256k1 (certified by Certicom), the one that Bitcoin uses for transaction signatures.
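What the Data Encryption and Data Authentication choices listed above mean once they reach OpenVPN, as an added example (not PIA's client code). The mapping from the client's labels to OpenVPN `cipher` and `auth` values and the host name `vpn.example.invalid` are assumptions; the audit flags the "nothing" options and the 64-bit block size of Blowfish.

```python
# Added example: labels as used in the review mapped to OpenVPN option values.
# The mapping and the host name are assumptions, not taken from PIA's client.
CIPHER = {"AES-128": "AES-128-CBC", "Blowfish": "BF-CBC", "None": "none"}
AUTH = {"SHA1": "SHA1", "SHA256": "SHA256", "None": "none"}

def to_config(settings, proto="udp", port=1194, host="vpn.example.invalid"):
    """Turn 'AES-128 / SHA1 / RSA-2048' into OpenVPN client directives."""
    enc, mac, _handshake = [s.strip() for s in settings.split("/")]
    return "\n".join([
        "client",
        f"proto {proto}",
        f"remote {host} {port}",
        f"cipher {CIPHER[enc]}",
        f"auth {AUTH[mac]}",
    ])

def parse(conf):
    """Return {directive: [args]}, ignoring blank lines and comments."""
    out = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            key, *args = line.split()
            out.setdefault(key, args)
    return out

def audit(conf):
    """List what the chosen data-channel settings leave unprotected."""
    d = parse(conf)
    cipher = d.get("cipher", [""])[0].upper()
    auth = d.get("auth", [""])[0].upper()
    findings = []
    if cipher == "NONE":
        findings.append("cipher none: tunnel payload is not encrypted")
    elif cipher.startswith("BF-"):
        findings.append("BF-CBC: 64-bit block cipher (SWEET32 warning in OpenVPN)")
    if auth == "NONE":
        findings.append("auth none: packets carry no HMAC")
    return findings

if __name__ == "__main__":
    for s in ("AES-128 / SHA1 / RSA-2048", "Blowfish / SHA1 / RSA-2048",
              "None / None / RSA-2048"):
        print(s, "->", audit(to_config(s)) or "no findings")
```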
- Connection Type: default ports for OpenVPN are UDP or TCP
TCP / UDP: What is the difference? The UDP protocol guarantees a fluid transfer since it does not control any of the stages of transmission. It is useful for streaming applications for which losing packets is not detrimental. In fact, during these transmissions, lost packets will be ignored. The TCP protocol does check data transmission during the transfer. Its role is to verify that the IP packets are received in good condition, without any loss or change in integrity. In summary, use UDP most of the time for a faster transfer.
- Remote Port: Select the standard connection port. The default should be 1194. If you have any doubts, leave it in Auto. Only change it if the network gets blocked. For example, use 443 for TCP (usually only for HTTPS) in order to bypass firewalls (often found in public wifi, schools, etc).
- Local Port: The local port setting can be used when there is a firewall on your network blocking the VPN. Set a local port to be open in the firewall (a local port cannot be used to access your network from outside your local network), then set that local port in the PIA client, and it will sometimes allow you to connect when you could not before.
- Port Forwarding: Only works with these countries: Netherlands - Canada - Switzerland or Romania. To find a port that shows up as << Connected – Country [#####]>> just hover the mouse over the PIA icon.
On paper it seems simple but in reality it can be deceiving since HighID doesn’t work with eMule (even when opening the port of your router – be aware that this changes regularly) although uTorrent works well. (Be aware as well that it works in the same way without ticking the box for Port Forwarding.)
- VPN Kill Switch aka VPN Guard – IP Guard – IP Bind – Secure IP Bind – Connection Guard: the same principle as all the others, only with a different name. Essential to protect the IP of your ISP.
- DNS Leak protection: this option stops any DNS leaks. DNS maps a server name to an IP address. Each ISP uses their own DNS, though others exist through OpenDNS and Google. A DNS leak happens when your request to the primary DNS happens outside of the VPN’s protection. So your ISP knows the site you want to visit. You can be reassured by the fact that all VPNs know of the possibility of DNS leaks and use alternative DNS or local DNS servers => Alternative DNS servers
You can test to see if you have any DNS leaks: DNS Leak Test. Most of the time you will get this result: “Looks like your DNS might be leaking…” because we use the default DNS of our ISP. Tick the box and you will get: “Looks like your DNS is not leaking…”
- IPv6 Leak Protection: If you have IPv6 connectivity, your VPN tunnel is not fully protecting your identity. Because the tunnels support IPv4 only at the moment, your network stack sends IPv6 data out without using the tunnel. The IPv6 source address that you’re using is directly traceable to you if you have native service, or to your tunnel broker (who will probably not maintain your privacy if challenged) if you’re using a tunnel for IPv6 connectivity. In that case you can run a test on this page: IPv6 Leak Test
N.B. These options can be changed when a VPN connection is active. You may notice that there is no connection button on the programme, so to connect you need to go to the Systray icon and then click on Connect.
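A local check for the two leaks described above, as an added example that is not part of PIA's client. It assumes a Linux host, the `/etc/resolv.conf` format and `ip -6 route` output; the interface name `tun0`, the resolver `10.8.0.1` and all sample data are constructed.

```python
import ipaddress

# Constructed host state; addresses come from documentation/private ranges.
RESOLV_CONF = """\
# written by the DHCP client
nameserver 192.0.2.53
nameserver 10.8.0.1
"""
V6_ROUTES = "default via fe80::1 dev eth0 proto ra metric 100 pref medium\n"
TUNNEL_IF = "tun0"         # assumed name of the VPN interface
TUNNEL_DNS = ["10.8.0.1"]  # assumed resolver handed out by the VPN

def dns_leaks(resolv_conf, tunnel_dns):
    """Configured resolvers that are not the VPN's own (leak candidates)."""
    allowed = {ipaddress.ip_address(a) for a in tunnel_dns}
    leaks = []
    for line in resolv_conf.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            addr = ipaddress.ip_address(fields[1].split("%")[0])
            if addr not in allowed:
                leaks.append(str(addr))
    return leaks

def ipv6_bypass(route_output, tunnel_if):
    """Interfaces other than the tunnel that hold a default IPv6 route."""
    devs = []
    for line in route_output.splitlines():
        fields = line.split()
        if fields[:1] == ["default"] and "dev" in fields[:-1]:
            dev = fields[fields.index("dev") + 1]
            if dev != tunnel_if and dev not in devs:
                devs.append(dev)
    return devs

def report():
    """Run both checks on the constructed sample state."""
    return {"dns": dns_leaks(RESOLV_CONF, TUNNEL_DNS),
            "ipv6": ipv6_bypass(V6_ROUTES, TUNNEL_IF)}

if __name__ == "__main__":
    print(report())
```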
In this last section we will look at SOCKS proxies. If you need to know more about PROXIES we recommend you read the page dedicated to HTTP and SOCKS proxies.
This option is included free with all of PIA’s packages. Note that VPNs that offer a SOCKS proxy are rare. Apart from PIA, the VPN services PerfectPrivacy - SurfoNym - TonVPN - VPNSecure offer it too.
- Many users say that SOCKS5 is the fastest protocol.
- Flexibility. The advantage of installing SOCKS only on certain programmes while keeping the IP from your ISP. For example, you can install PIA’s SOCKS5 on IDM, uTorrent (uTorrent + SOCKS) and surf the net at the same time with the IP of your ISP.
- A large range of programmes can benefit from the advantages of SOCKS proxies to get around filters or other restrictions. To configure an application for a SOCKS proxy is really simple. Applications that support SOCKS proxies have a field or a window where you can add the address of your proxy, your login and password.
- In case it cuts out, your ISP IP will never be revealed; instead the programme will be unable to connect if the proxy is inactive.
What are the technical attributes of SOCKS with Private Internet Access?
- Address: proxy-nl.privateinternetaccess.com
- Port 1080
- Login and password are not the same as for the OpenVPN programme. For SOCKS, PPTP and L2TP you need to create them in your user account.
- You can check if the proxy works by using ProxyChecker
Once you have completed these steps we can show you the usage of SOCKS with mIRC (IRC network) much more clearly.
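The exchange an application performs once the proxy address, login and password are filled in, as an added example (not PIA's or mIRC's code) following RFC 1928 and RFC 1929. It shows that the login and password cross the wire unencrypted and that a domain-name CONNECT leaves name resolution to the proxy; the credentials, the target `irc.example.invalid:6667` and the scripted proxy replies are constructed.

```python
import struct

USERPASS = 0x02  # RFC 1928 method number for username/password (RFC 1929)

def greeting():
    """Client hello: version 5, one method offered."""
    return bytes([0x05, 0x01, USERPASS])

def auth_request(user, password):
    """RFC 1929 sub-negotiation: login and password go out as plain bytes."""
    u, p = user.encode(), password.encode()
    if not (1 <= len(u) <= 255 and 1 <= len(p) <= 255):
        raise ValueError("user and password must be 1..255 bytes")
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p

def connect_request(host, port):
    """CONNECT with address type 0x03 (domain): the proxy resolves the name."""
    h = host.encode("ascii")
    return bytes([0x05, 0x01, 0x00, 0x03, len(h)]) + h + struct.pack(">H", port)

def negotiate(exchange, user, password, host, port):
    """Run the three round trips; exchange(request) returns the reply bytes.
    Any refusal raises, so the caller never falls back to a direct connection."""
    if exchange(greeting()) != bytes([0x05, USERPASS]):
        raise ConnectionError("proxy did not select username/password")
    if exchange(auth_request(user, password)) != b"\x01\x00":
        raise PermissionError("proxy rejected the credentials")
    reply = exchange(connect_request(host, port))
    if reply[:2] != b"\x05\x00":
        raise ConnectionError("CONNECT refused, reply " + reply[:2].hex())
    return True

def scripted_proxy(replies, seen):
    """Constructed stand-in for the proxy: records requests, replays replies."""
    queue = iter(replies)
    def exchange(request):
        seen.append(request)
        return next(queue)
    return exchange

# Constructed replies of a proxy that accepts everything.
OK_REPLIES = [b"\x05\x02", b"\x01\x00", b"\x05\x00\x00\x01" + bytes(6)]

def demo():
    seen = []
    ok = negotiate(scripted_proxy(OK_REPLIES, seen),
                   "proxyuser", "proxypass", "irc.example.invalid", 6667)
    return ok, seen
```

SOCKS5 itself adds no encryption, so everything after the CONNECT reply is relayed as the application sent it.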
mIRC? mIRC (for My Internet Relay Chat) is a programme as old as the internet itself that lets you chat directly (instant messaging) on discussion groups with the IRC protocol (Internet Relay Chat). Apart from the means of sending and receiving files, mIRC offers lists of friends, multi-server connections, IPv6, SSL encryption, UTF-8 posting, UPnP, voice message, etc.
IRC? IRC is a protocol that lets you discuss online and instantly with other people. It is equally possible to connect two clients directly for a private conversation or a file transfer.
Even if IRC is no longer cutting edge and can seem difficult at first glance we do recommend you discover or rediscover this tool where anonymity is totally respected (apart from the IP, hence the need for SOCKS5); where user information is non-existent: just a pseudonym, no profile or presentation, no email needed, no links to confirm sign-up.
There is nothing special to know for the installation. There is a 30 day free trial, after which it will cost you $24 for lifetime usage. We will just show you the options for installing SOCKS5 and to retrieve files on XDCC.
Connect options – choose a username
DCC options to download on IRC in XDCC
- Connect to a server
By default mIRC hosts a list of servers (IRC Networks). You can add others by clicking on Add. We counted more than 630.
Once connected to the server you can connect to the channels hosted there
- Add a channel
You can add a channel from the default list of mIRC (the window opens automatically).
Or add one that you know via the Status window using the command line /join
Or use the List function to discover those that are hosted by the server to which you are connected. Tools => Channel List => Get List. Then double-click on the channel you want. The big advantage of this method is the short description of the channel.
In either case, whatever the method you can find your channels again on your left, to the right of the public discussion boards.
There are many forums (on all possible themes, some so specialised they don’t have many visitors). The biggest ones are:
- Freenode – IRC Service for free and open-source programmes. Hosts the #bitcoin chan and the channel for the official forum for Private Internet Access on IRC: #privateinternetaccess. Though it isn’t an official tool you can find other users there from PIA and for the official Snipa.
- DALnet – Some francophone forums like #france
Once in the forum, you can talk to different people connected there, obviously respecting “Netiquette” and the rules appropriate to the forum.
XDCC is a protocol to share files via IRC (search engine: XDCC Search engine). Some Chans also offer packs that you can obtain. Sometimes the list of all the packs disappears, on other channels you need to use the command !list so they appear again.
N.B. Every Chan has its rules. You need to read the rules, they are posted from the start. Some commands are forbidden or some rules are specifically for downloading. Personally some Chans are incomprehensible to me, some seem simple and logical. Up to you to work it out.
Once you have found the file you need to check two things:
- Pack number, often preceded by #
- Name of the Bot
For this pack:
<+[ET]_\pimpo\> #91 [806M] ubuntu-12.04.2-desktop-i386.iso.zip
So you type:
[ET]_\pimpo\ XDCC SEND #91
The download will start using your whole bandwidth (XDCC Bots are hosted on servers with large bandwidth, often more than 100Mbit/s).
We used PIA (and still have a subscription with them) for two months and were totally satisfied with the results. Three articles have been published about this VPN (a good sign!) while we still need to talk about PIA on a modified router and as an Android app! But we have summarised everything on our blog. Private Internet Access ★★★★★ is a very good VPN service – now we understand why it appears so often on Reddit VPN.
The annual rate of $39.95 ($3.33 per month) with all of their extra options is an excellent deal. Its only flaws are fewer countries compared to the other big VPNs (HMA! – OverPlay – IPVanish) and that Port Forwarding doesn’t give HighID – however depending on your usage, these points may not concern you at all!