Private Internet Access (pia) wireguard VPN on OpenWrt

Hello, I've adapted the PIA WireGuard script for OpenWrt.

It requires a VPN setup using the client instructions in the wiki.

You must update the top variables with information relevant to your configuration. If you run it once with the variables updated, it will output information you can use to do the initial setup of your VPN client.

It depends on jq and curl.

In my own setup, I combined the script with watchcat. Every time the internet goes down or on boot, watchcat will run the script and bring up the VPN again.

It's not the prettiest, but it works. It could be refined if there's interest.

5 Likes

For context, what problem does this solve? Does PIA's wireguard not play well with OpenWrt's standard runtime network luci/config wireguard proto packages? I'm using it for an always-on connection in a containerized instance of OpenWrt (wg kernel module in the host of course) to a different provider and it's pretty robust right out of the box; starts on boot, recovers from WAN outages, etc.

In order to get the connection details to initiate a connection, you need to send some web requests. These values expire after a period as far as I'm aware.

How does your current provider manage this? Do you get the same static public key etc for their server?

Yes, their setup uses all static values in the client configuration, generated for you on request. (I'm fairly new to wireguard, I may not be familiar with whether/why this isn't ideal.)

Sounds good to me!

I'd prefer a static config over messing around with web requests. What provider do you use? Perhaps I can move to them in the future.

I sent an email to PIA and they cannot provide static keys.

"We do not support Wireguard on router"

Yeah thought as much

I have pia, so my script is a solution to get wireguard working on openwrt for pia.

1 Like

I don't want any downtime with the renewal of the token.

Fair enough. I've not noticed any issues to be honest. No downtime.

I believe that the connection details need to be renewed every 24 hours

They don't. I think the token expires after 24 hours so you would need a new one if you wanted to request new details, but as long as the connection remains up (even small interruptions such as restarting the router are fine) there's no need to renew anything.

Having said that, PIA have previously said their servers are routinely restarted every few months during maintenance windows so all existing connections would be closed and a renew of token/connection details would be required.

3 Likes

I've noticed with PIA WireGuard on OpenWrt, if you stay connected, the token is valid for a long time.

1 Like

You only require the authentication token to connect to PIA; once connected, the token will expire at 48 hours in my testing.

I'll check again but mine was up for weeks.

1 Like

I am struggling so much with this. If you could give me detailed instructions on what to do with this to get my router working with PIA WireGuard, it would really mean a lot.

Hello, welcome to the forum. Do you have any wireguard setup at all?

I've updated the script slightly to bring down the interface at the start of the script.

Great script, very useful.

@bigjoe20233, be sure to install jq and curl, something like:
opkg update
opkg install curl
opkg install jq

I only have OpenVPN installed. Not used ssh before. OpenVPN works but just gets around 15mb connection. How do I find my PIA WireGuard user, pass, pub/private keys?