Private Internet Access
April 19, 2026
OpenVPN
docker run -it --rm --cap-add=NET_ADMIN --device /dev/net/tun \
  -e VPN_SERVICE_PROVIDER="private internet access" \
  -e OPENVPN_USER=abc -e OPENVPN_PASSWORD=abc \
  -v /yourpath/gluetun:/gluetun \
  -e SERVER_REGIONS=Netherlands qmcgaw/gluetun

version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - ./gluetun:/gluetun
    environment:
      - VPN_SERVICE_PROVIDER=private internet access
      - OPENVPN_USER=abc
      - OPENVPN_PASSWORD=abc
      - SERVER_REGIONS=Netherlands
Required environment variables
- VPN_SERVICE_PROVIDER=private internet access
- OPENVPN_USER
- OPENVPN_PASSWORD
Optional environment variables
- SERVER_REGIONS: Comma separated list of regions
- SERVER_NAMES: Comma separated list of server names
- SERVER_HOSTNAMES: Comma separated list of server hostnames. Beware this is the narrowest filter, so if you set this to a single hostname and this hostname disappears from the Gluetun servers data due to an update, your container will no longer work until this filter is changed. I would suggest avoiding it unless you know this reliability risk.
- PORT_FORWARD_ONLY: Set to true to select servers with port forwarding only
- PRIVATE_INTERNET_ACCESS_OPENVPN_ENCRYPTION_PRESET: Encryption preset, defaulting to strong, which can be set to normal or strong.
- OPENVPN_ENDPOINT_PORT: Custom OpenVPN server endpoint port
- VPN_PORT_FORWARDING: defaults to off and can be set to on to enable port forwarding on the VPN server
- OPENVPN_PROTOCOL: udp or tcp, defaults to udp
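The reliability risk of narrow filters can be checked before restarting the container. The following is an added example, not Gluetun's own code: it applies SERVER_REGIONS, SERVER_NAMES, SERVER_HOSTNAMES and PORT_FORWARD_ONLY to a copy of the servers data and reports when no server, or only one, still matches. The JSON field names, the case-insensitive AND matching and the sample servers are assumptions constructed for illustration.

```python
import json

# Constructed sample shaped like one provider entry of the servers data.
# Field names are assumed; server names and hostnames are made up.
SAMPLE_SERVERS_JSON = """
{"private internet access": {"servers": [
  {"region": "Netherlands", "server_name": "amsterdam401",
   "hostname": "nl-a.example.invalid", "port_forward": true},
  {"region": "Netherlands", "server_name": "amsterdam402",
   "hostname": "nl-b.example.invalid", "port_forward": true},
  {"region": "Example Region", "server_name": "example403",
   "hostname": "ex.example.invalid"}
]}}
"""

# Environment variable -> server field it filters on (assumed mapping).
FILTERS = {
    "SERVER_REGIONS": "region",
    "SERVER_NAMES": "server_name",
    "SERVER_HOSTNAMES": "hostname",
}


def split_csv(value):
    """Split a comma separated filter value into a set of lowercase items."""
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def matching_servers(servers_data, env, provider="private internet access"):
    """Apply the filters in env (AND across filters, any value within one)."""
    servers = servers_data.get(provider, {}).get("servers", [])
    for variable, field in FILTERS.items():
        wanted = split_csv(env.get(variable, ""))
        if wanted:  # case-insensitive comparison is an assumption
            servers = [s for s in servers if s.get(field, "").lower() in wanted]
    if env.get("PORT_FORWARD_ONLY", "").lower() == "true":
        servers = [s for s in servers if s.get("port_forward", False)]
    return servers


def preflight(servers_data, env):
    """Return (ok, message): does at least one server survive the filters?"""
    left = matching_servers(servers_data, env)
    if not left:
        return False, "no server matches: the container would not connect"
    if len(left) == 1:
        return True, "one server matches: a data update can break this filter"
    return True, f"{len(left)} servers match"
```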
Wireguard
For now, native support cannot be added, but this is a slow work in progress.
In the meantime, @Kieros proposes to use kylegrantlucas/pia-wg-config to extract a Wireguard configuration file which you can then use with the custom provider.
For VPN server port forwarding with Wireguard, you need to set:
- VPN_PORT_FORWARDING=on
- VPN_PORT_FORWARDING_PROVIDER=private internet access
- VPN_PORT_FORWARDING_USERNAME=yourusername
- VPN_PORT_FORWARDING_PASSWORD=yourpassword
- SERVER_NAMES=the-tls-server-name, for example panama408
VPN server port forwarding
Warning
In my experience, port forwarding with PIA is not really working for some reason. It seems to only work for p2p applications, PIA might be doing deep packet inspection on the forwarded port.
From @ddelange on issue #464, further confirming this:
PIA replied that their service does not support incoming connections over a forwarded port. I also don't understand the answer (I was asking specifically about hosting a webserver on the forwarded port), because incoming connections on the forwarded port seem to work fine e.g. for P2P protocols
Setup
First refer to the VPN server port forwarding setup page.
Once enabled, you will keep the same forwarded port for 60 days as long as you bind mount the /gluetun directory. It will be automatically refreshed.
Deluge
@jawilson developed a plugin to automagically update the forwarded port in Deluge: deluge-piaportplugin
Servers
To see a list of servers available, list the VPN servers with Gluetun.