Let us start our Private Internet Access (PIA) review by noting that they are managed by London Trust Media, Inc., whose stated goal is to return the Internet to a time when it provided you your own private little world where you were free to learn, explore, and create without “big data” or “big brother” watching your every move. Private Internet Access has been in the privacy industry since August 2009. Surprisingly, despite their name, they are located in the United States. Private Internet Access says they log absolutely nothing, neither metadata nor session data from their users' activity. They offer access to a worldwide VPN network of more than 3300 servers in 36 locations across 25 countries at a very competitive price.
They have custom client software for Windows, Mac OS X, iOS, and Android. Although these clients have a minimalistic user interface, they have some advanced features behind the scenes. These include IPv6 leak protection, DNS leak protection, port forwarding, granular encryption control, and even an Internet kill switch. We will examine these in detail in the hands-on portion of our review.
Pricing and Special Offers
Private Internet Access markets their VPN service as a single package that is sold in term-length plans. These plans are monthly, six months, and yearly. Just by being a VPNFan reader, you can save even more off your Private Internet Access subscription. Our readers can get a month of their VPN for $6.45 which saves you $0.50 or 7% off their regular monthly price. This savings is even greater if you sign up for a year of service. You can get a year of their VPN for $38.95 which saves you $1.00 off their already discounted yearly price or 53% off the regular monthly price. This means you can enjoy a year of their service for just $3.25 a month.
So, what do you get for your $3.25 per month? Private Internet Access offers all VPN subscribers the following benefits regardless of your chosen plan:
Free custom VPN Software for Windows, Mac OS X, iOS, and Android
Absolutely no logging
5 Simultaneous connections
Unlimited VPN bandwidth and usage
Worldwide virtual IPs from more than 3300 servers in 25 different countries
Gigabit VPN port speeds on gateways
Shared IP addresses among subscribers for better privacy
Choice of VPN protocols: OpenVPN, PPTP, L2TP
Granular encryption choice – maximum, minimum, and even none
SOCKS5 proxy access for individual applications
Firewall protection against malware while using their VPN
The ability to bypass censorship and geo-restrictions
Wi-Fi hotspot protection against hackers and identity theft
VOIP support to save on long distance costs and P2P support
7-day money back guarantee
Private Internet Access offers a variety of ways to pay for their services. The credit cards they accept are VISA, MasterCard, American Express, and Discover. They accept transactions through alternative payment solutions like CashU, Ripple, and OK PAY. You can also pay using PayPal or Amazon Payments, which will only require you to enter a username, password, and an email address. Pay using Bitcoin if you want to be more anonymous. They even accept some gift cards.
Risk-Free Trial Period
Private Internet Access does not have a free trial. However they know that you would like to try out their service for yourself before you make the decision to purchase it so they offer new subscribers a 7-day, 100% money back guarantee. This should be ample time for you to fully test out their service. If for any reason, you are not completely satisfied with it, they will refund the full purchase price of your chosen plan. You must request this refund within seven days of the purchase date. Requests made later than seven days from purchase date will not be honored.
In order to refund your payment, you will need to provide the following to verify your account:
The email address you entered during account registration
The 7-digit PIA Order number from your payment confirmation email
This information is necessary for security reasons, so be sure to keep your confirmation email. This is the easiest way to verify your account and expedite your refund, but there are other methods that you can use depending on your method of payment. These can be found in the FAQ database of the PIA website.
Private Internet Access Network and Server Locations
The Private Internet Access VPN network of servers has grown in size and performance over the years as technology has advanced. Their network now has more than 3300 VPN servers in 25 different countries. They have servers on nearly every major continent including Europe, North America, South America, Asia, and Oceania.
All of the servers in their network have Gigabit ports. The best coverage is in Australia (170+ servers), Canada (190+ servers), the Netherlands (310 servers), the United Kingdom (200+ servers), and the United States (1660+ servers). Here is a list of the number of servers in each country, sorted by region:
Asia – 90+ VPN servers
Hong Kong (19), India (9), Israel (11), Japan (19), Singapore (19), Turkey (19)
Europe – 870+ VPN servers
Denmark (13), Finland (9), France (53), Germany (62), Ireland (9), Italy (19), Netherlands (310), Norway (14), Romania (16), Russia (14), Sweden (57), Switzerland (70)
United Kingdom – London (155), Southampton (78)
North America – 1800+ VPN servers
Canada – Toronto (128), North York (63)
United States – California (219), East (426), Florida (112), Midwest (303), New York City (98), Seattle (104), Silicon Valley (130), Texas (193), West (84)
South America – 40+ VPN servers
Brazil (19), Mexico (24)
Oceania – 180+ VPN servers
Australia – Melbourne (74), Sydney (98)
New Zealand (9)
It is easy to see from this list that Private Internet Access has servers all over the world and multiple fast servers in more popular locations as we saw above. Their network defaults primarily to the OpenVPN UDP protocol but also supports IKEv2, L2TP and PPTP.
Privacy and Security
Private Internet Access makes it very clear that they do not log any metadata or traffic of users on their VPN network. They have an extensive privacy policy that spells out exactly what personal information they do keep on their users and how it is handled. Here is an excerpt of their policy:
PIA absolutely does not keep any logs, of any kind, period. While this does make things harder in some cases, specifically dealing with outbound mail, advanced techniques to handle abuse issues, and things of that nature, this provides a high level of security and privacy to all of our users. Logs are never written to the hard-drives of any of our machines and are specifically written to the null device, which simply acts as if the data never existed.
Due to this, we’re unable to provide information on our customers' usage of our service under any circumstance, including subpoenas and court orders, which are extremely closely reviewed before we make any response by our experienced legal team.
We can unequivocally state that our company has not and still does not maintain metadata logs regarding when a subscriber accesses the VPN service, how long a subscriber’s use was, and what IP address a subscriber originated from. Moreover, the encryption system does not allow us to view and thus log what IP addresses a subscriber is visiting or has visited.
Private Internet Access is located in the United States (California) and is subject to all US and California laws and jurisdictional procedures. They feel the US is a good place for a VPN service since it has no mandatory data retention policy, whereas some places in Europe now do. They would have to comply with all official judicial orders and hand over all the information they have about their users' metadata and traffic. However, since all logs are written to a null device, essentially nowhere, they would comply with any such orders by turning over nothing, as they have done in the past.
What kind of encryption does Private Internet Access offer to users of their VPN service? They implement OpenVPN as their primary default protocol in their Windows, Mac OS X, and Android clients. TLSv1.2 is used for server authentication and the control channel. By default, it uses a 2048 bit Ephemeral Diffie-Hellman (DH) key exchange and a 2048 bit RSA certificate to verify that the key exchange really happened with a Private Internet Access server and not an imposter. This ensures forward secrecy for the encrypted traffic, since the session keys are randomly generated and used for a short time before being completely destroyed. All certificates are signed using SHA512. Also by default, all data is encrypted and decrypted using an AES-128-CBC cipher initialized with a 128 bit key, and HMAC-SHA1 (160 bit) is used for data authentication. Their iOS app defaults to the IKEv2 protocol, which is considered to be just as secure as OpenVPN but is well suited to mobile devices because it reconnects easily and maintains the VPN session when the connection is lost or changes. This is due to its support of MOBIKE. This means you can always be assured that all of your Internet traffic is securely encrypted over a reliable connection when accessing the PIA VPN network.
Private Internet Access Support
PIA provides 365/24/7 email ticket support for any problems you may have, with an average turnaround, according to their website counter, of about one hour and forty minutes. You must first choose which department your ticket concerns before filling it out and sending it. Your choices include tier 1 technical support, billing, and sales. Once you have chosen the department and pressed the “Next” button, you will then be directed to another page to create and send the ticket.
The ticket is very basic and its template is shown above. It requires your first name, email address, and subject, followed by as detailed a description of your problem as possible and any supporting files. Next, verify the ticket so they know you are not a bot and then click on the green “SUBMIT” button.
Hands-On Testing of the PIA VPN Network
Private Internet Access has custom software for Windows, Mac OS X, iOS, Android, and a just released beta for Linux. You can download these custom clients from the PIA client support page of their website, which can be accessed by clicking on the “Support” super menu above the site's main menu. Once the drop down list opens, click on the “Client Download and Support” item as is shown below.
Once the support page opens, click on the “Download” button for your operating system as is shown in the next image to download the Private Internet Access client installer to your machine, or go to the iTunes App Store to download the iOS app or Google Play for the Android app.
They also have manual setups here to configure their VPN using a variety of protocols including OpenVPN, L2TP/IPsec, and PPTP on Android, iOS, Linux, Tomato routers, DD-WRT routers, and pfSense. Once you sign up for an account, they will send you a welcoming email with your username and password so that you can connect to their VPN network of servers using your chosen client software. This email will also have your 7-digit PIA order verification number, so remember to save it.
Connecting with the Windows VPN Client
As we said before, you can download the Private Internet Access Windows software from the client setup page of their website by selecting “Support” from the Account menu above the main menu, as we have shown at the beginning of the hands-on section. Once you get on this page, click on the “Download” button in the Windows VPN box (shown at left). This will bring up a dialog window that will let you save the Windows client installation file to your computer. The client requires Windows XP or above. The client setup page also has manual setup guides to configure Windows to use their service with OpenVPN, L2TP/IPsec + PSK, and, as a last resort if nothing else works, PPTP.
Once the client is downloaded to your computer, right-click on the file and choose “Run as Administrator”. This will complete the installation of the Windows client. A window to install the TAP-Windows driver will pop up during this process. Click the “Install” button when it does. The process does not create a desktop shortcut to run the client, but you can make one if you wish, as we have done. Just right-click on the application file and select “Send to desktop (create shortcut)”.
You can now click on your shortcut to run the client. The first time you open it, you will see a verification and login page similar to the one shown on the right below.
Enter your “Username” and “Password” that you obtained from your welcoming email. If you have forgotten your password, you can click the forgot password option to start the process to reset it. You can also choose to set the following basic options:
Start application at login – This will start the client when you log into Windows.
Auto-Connect when app is started – Auto-connect to your chosen location when the Client starts up.
Region – This allows you to choose a country you want to auto-connect to. If set to auto, it will connect you to the fastest server from your current location.
Once you have set these basic options, then click the “Save” button and the client will finish launching. We will discuss the advanced options later in this section. The client does not have a fancy user interface. It simply loads into the system tray and looks as follows.
Hovering the mouse over the client in the tray or taskbar area will show you your current connection. Right-clicking on the client icon will open a list of servers for you to connect to as is shown to the right of this text.
We are currently connected to a server in UK London. Note, the virtual IP from that location is also shown but has been redacted in the image above. To change VPN servers, you must first disconnect from the current London server by clicking “Disconnect” at the top of the list. Notice that all other locations and “Connect” are greyed out and not selectable till you disconnect from the London server. This will close the location list and the client icon will turn red indicating that you are no longer connected as is shown in the image below.
Hovering the mouse over the icon as above shows that the client is currently “Disconnected”. Once disconnected, the client locations will no longer be greyed and right-clicking on the red icon will open the list so that you can connect to another location. All that is required to connect to a location is to select it. Clicking on auto will connect you to the fastest server based on your location. Clicking on “Connect” at the top of the list will connect you to your last server location you used.
There are a few more list items in the PIA client shown above right. The last list item “Exit” will shut down the client. The second, “Send Slow Speed Complaint” will let the staff at Private Internet Access know that they have a problem that needs to be examined. The first is “Settings” which will open a window like the one shown below-left. If it looks familiar, that is because it is the same login screen we saw earlier in this section. We are now going to take an in-depth look at the advanced features that the PIA client offers.
Clicking on the “Advanced” button results in a screen like the one on the right which has been expanded to show the advanced connection settings. Clicking on the “Simple” button will close the advanced settings and return you to the screen shown on the left above. The advanced connection settings are as follows:
Connection type – There are two types of connections possible with the OpenVPN protocol over IP.
UDP – This is the User Datagram Protocol, which is used for low-latency connections and ones that can tolerate some packet loss. This is the default OpenVPN protocol for the client and best for most users. It does not have to check for packet order or loss.
TCP – This is the Transmission Control Protocol and is good for high-latency connections and those which cannot tolerate loss. It provides error checking for packet order and loss and resends packets to correct errors. This is usually slower because of the extra overhead involved in this process.
Remote Port – This lets you choose the remote port to tunnel data through.
Port 1194 – This is the standard OpenVPN port for both UDP and TCP.
Port 8080 – This is the alternative port to Port 80 for HTTP web services. It is commonly used as a proxy port.
Port 9201 – This is the port used for WAP (Wireless Application Protocol) services on mobile devices.
Port 53 – This is the port used by DNS.
Local port – This allows you to set a local port to route through the remote port.
Port forwarding – Turning this on allows you to set up an application which allows remote users to connect to it. The remote users must know the device name and port to successfully connect to it.
Port forwarding is only through the following gateways: CA Toronto, CA North York, Netherlands, Sweden, Switzerland, France, Germany, Russia, Romania, and Israel.
After enabling port forwarding and re-connecting, hover the mouse over the system tray icon to see the port number to put in your application.
VPN kill switch – Once set, this will kill all Internet traffic from the device if the VPN connection is dropped.
It will restore Internet traffic once the connection is re-established.
Disabling this switch or exiting the VPN client will also restore normal Internet access.
DNS leak protection – This ensures that all DNS requests are routed through the VPN, which provides you with the greatest level of privacy.
IPv6 leak protection – This blocks IPv6 requests while using the VPN.
Small packets – This transfers the data in smaller packets which can fix some network issues.
The links shown under port forwarding, VPN kill switch, DNS leak protection and IPv6 leak protection will take you to guides on the Private Internet Access website which contain more detailed information about that particular setting. Clicking on the “Encryption” button in the image on the right above will bring up the encryption options in place of the connection settings, as shown in the image below.
The encryption panel consists of the following settings:
Data Encryption – This is the encryption used to encrypt and decrypt all of your Internet traffic once the initial encrypted tunnel has been established.
AES-128 – Advanced Encryption Standard (AES) is the National Institute of Standards and Technology (NIST) chosen cipher and the one used by the United States government for secret documents. This one uses AES-128 CBC (Cipher Block Chaining) with a 128 bit key and will provide the best performance for most uses.
AES-256 – This uses the same encryption algorithm as above. AES-256 CBC uses a 256 bit key, thus is more secure and slower.
Blowfish – This uses Blowfish-128 CBC with a 128 bit key as an alternative to AES. This is a secure algorithm and was one of the runners-up in the NIST standards competition.
None – This does not encrypt your data and is not recommended, as it only hides your IP, which means the VPN is being used as a pseudo proxy. You will be susceptible to passive attacks where your data is recorded by a third party without your knowledge. This can help you overcome geo-restrictions.
Data Authentication – This refers to the algorithm that authenticates all of your data to guard against active attacks (attack where an entity adds or removes packets from your message).
SHA1 – This uses HMAC (Keyed-Hash Message Authentication Code) with SHA1 (160 bit).
SHA256 – This utilizes HMAC with a 256 bit key and is thus slower.
None – This opens you up to active attacks or Man-in-the-Middle (MitM) attacks from outside sources, where the attacker intercepts your message and alters it before passing it on to the VPN server.
Handshake – This is the algorithm which establishes the initial secure connection and verifies that you are talking to a PIA server and not an imposter. Hence the name handshake. Private Internet Access uses Transport Layer Security v1.2 (TLS 1.2) for this connection and all certificates are signed using SHA512.
RSA-2048 – This uses a 2048 bit Ephemeral Diffie-Hellman (DH) key exchange and a 2048 bit RSA certificate for verification.
RSA-3072 – This uses the same algorithm as above with 3072 bit for both key exchange and RSA certificate.
RSA-4096 – This uses the same algorithm as above with 4096 bit for both key exchange and RSA certificate.
ECC-256k1 — Ephemeral Elliptic Curve DH key exchange and an Elliptic Curve Digital Signature Algorithm (ECDSA) certificate for verification. Curve secp256k1 (256 bit), which is the curve that Bitcoin uses for its transactions, is used for both the key exchange and the certificate.
ECC-256r1 — Like above but curve prime256v1 (256 bit, also known as secp256r1) is used for both the key exchange and certificate used for verification.
ECC-521 — Like above but curve secp521r1 (521 bit) is used for both the key exchange and certificate verification.
You will receive a warning like we did in the above image if you select none for data encryption, none for data authentication, or one of the ECC handshake algorithms. The Private Internet Access client defaults to AES-128/SHA1/RSA-2048, which should provide the best balance of performance and security for most users. Clicking on the “default settings” link will open the VPN encryption page on their website. Clicking on the “decrease your safety” link will also take you to their VPN encryption page and explain more about why you should not use the settings you have chosen.
Here are some endpoint encryption settings along with some comments about them.
Maximum Protection – AES-256/SHA256/RSA-4096: This is for those who want the maximum security for their data and can accept the extra speed loss.
Default Recommended Protection – AES-128/SHA1/RSA-2048: This provides the best balance of speed and protection and thus the desired setting for most users.
Risky – AES-128/None/RSA-2048: This configuration is susceptible to active MitM attacks.
All Speed No Safety – None/None/ECC-256k1: This is susceptible to both active and passive attacks from outside third parties (hackers). You might as well not have a VPN, as only your IP is hidden.
The Private Internet Access client may not be the prettiest client in the field today, but it offers some of the most advanced features that VPNs have today, like a kill switch, DNS leak protection, disabling IPv6 Internet traffic, and small packets. This makes it appealing to those users who have more technical knowledge. At the same time it has a simple mode which uses default settings. This is probably best for most users. All that is necessary to connect to one of their VPN servers is to select its location from the list that appears when you right-click on the client icon in the system tray area. If the icon is green, you are safely connected, and if it is red you are not. It does not get much simpler than that.
Connecting with the Mac OS X VPN Client
As we said before, you can download the Private Internet Access Mac OS X client from the client setup page of their website by selecting “Support” from the Account menu above the main menu, as we have shown at the beginning of the hands-on section. Once you get on this page, click on the “Download” button in the Mac OS X box (shown at left). This will bring up a dialog window that will let you save the Mac OS X client installer (.DMG file) to your computer. The Mac OS X client requires OS X 10.8 or newer. The client setup page also has manual setup guides to configure Mac OS X to use their service with OpenVPN, Viscosity, L2TP/IPsec + PSK, and, as a last resort if nothing else works, PPTP.
Once the client is downloaded to your computer, open the .DMG file and double click the Private Internet Access Installer.app. Once the installer app finishes, you will see a screen similar to the one below.
Enter your “Username” and “Password” from your welcoming email. If you have forgotten your password, you can click the “forgot password” option to start the process to reset it. You can also choose to set the following basic options:
Start application at login – This will start the client as soon as you log into your computer.
Auto-Connect when app is started – This will auto-connect to your chosen location when the client starts.
Region – This allows you to choose the country that you want to auto-connect to. If set to auto, it will connect you to the fastest server based on your current location.
Once you have set these basic options, then click the “Save” button and the client will finish launching. We will discuss the advanced options later in this section. The client does not have a full window interface. It simply loads into the menu bar as an icon and looks like the image on the left below. Clicking on the icon will display a list of locations that you can connect to. Notice, “Disconnect” has been greyed out but “Connect” and all the locations are selectable. This indicates that you are not currently connected. The middle image shows that there are other locations that you can connect to by selecting “More”. Selecting “Connect” will connect you to your last used location. Clicking on any of the regions will connect you to that location. The last image illustrates what the client looks like when you are connected to the Private Internet Access network. Notice, “Disconnect” is the only choice that you have. The check mark next to the icon also indicates that you are currently connected to the PIA network.
There are a few more list items in the client shown above. The last list item “Exit” closes out your connection and shuts down the client. The second, “Send Slow Speed Complaint” will let the technical support staff at PIA know that they have an issue. The first is “Settings” which will open the settings window which we looked at in the beginning of this section. We are now going to take an in-depth look at the advanced features that the PIA client offers. These are accessed by clicking on the “Advanced” button on the basic login-settings screen that we examined previously.
The two advanced settings screens are shown below. The one that we want to examine first is on the right below. This is the advanced connections settings screen. The setting options that you can choose are as follows:
Connection type – There are two types of connections possible with the OpenVPN protocol over IP.
UDP – This is the User Datagram Protocol, which is used for low-latency connections and ones that can tolerate some loss of packets. This is the default OpenVPN protocol for the PIA Mac OS X client and best for most users. It does not have to check for packet order or loss but can do a checksum if desired.
TCP – This is the Transmission Control Protocol and is good for high-latency connections and those which cannot tolerate any loss. It provides error checking for packet order and loss and resends packets if necessary. This makes it slower because of the extra overhead involved in error checking and resending packets in the proper order.
Remote Port – This lets you choose the remote port to tunnel data through.
Port 1194 – This is the standard OpenVPN port.
Port 8080 – This is the alternative port to Port 80 for HTTP web services. It is commonly used as a proxy port.
Port 9201 – This is the port used for WAP (Wireless Application Protocol) services on mobile devices.
Port 53 – This is the port used by DNS for requests.
Local port – This allows you to set a local port to send data through which is then redirected to the remote port.
Port forwarding – Turning this on allows you to set up an application which allows remote users to connect to it. The remote users must know the device name and the port number to successfully connect to it.
Port forwarding is only through the following gateways: CA Toronto, CA North York, Netherlands, Sweden, Switzerland, France, Germany, Russia, Romania, and Israel.
After enabling port forwarding and re-connecting, hover the mouse over the menu icon to see the port number to put in your application.
This will reduce your privacy.
VPN kill switch – Once set, this will kill all Internet traffic from the device if the VPN connection is dropped.
It will restore Internet traffic once the connection starts up again.
Disabling the kill switch or exiting the VPN client will also restore normal Internet operation.
IPv6 leak protection – This blocks IPv6 requests while using the VPN.
Small packets – This transfers the data in smaller packets, which can fix some network issues with certain firewalls or network setups.
The links shown under port forwarding, VPN kill switch, and IPv6 leak protection will take you to guides on the Private Internet Access website which contain more detailed information about that particular setting. Clicking on the “Encryption” button in the image on the left below will replace the connection settings with the encryption options as shown in the image on the right below.
The encryption screen has the following settings that you can modify:
Data Encryption – This is the encryption used to encrypt and decrypt all of your Internet traffic once the initial secure tunnel has been established between your computer and a PIA server.
AES-128 – Advanced Encryption Standard (AES) is the National Institute of Standards and Technology’s (NIST) chosen cipher and the one used by the United States government for some secret documents. This one uses AES-128 CBC (Cipher Block Chaining) with a 128 bit key and should provide the best performance for most uses.
AES-256 – This uses the same encryption algorithm as above. AES-256 CBC uses a 256 bit key thus is more secure and slower. This is used by the US government for some top secret documents.
Blowfish – This uses Blowfish-128 CBC with a 128 bit key as an alternative to AES. This is a secure algorithm and was one of the runners-up in the NIST standards competition.
None – This does not encrypt your data and is not recommended, as it only hides your IP, which means the VPN is being used as a pseudo proxy. You will be susceptible to passive attacks where your data is recorded by a third party without your knowledge. This can be used to help remove geo-blocks.
Data Authentication – This refers to the algorithm that authenticates all of your data to guard against active attacks (attack where an entity adds or removes packets from your message).
SHA1 – This uses HMAC (Keyed-Hash Message Authentication Code) with SHA1 (160 bit).
SHA256 – This utilizes HMAC with a 256 bit key and is thus slower.
None – This opens you up to active attacks or Man-in-the-Middle (MitM) attacks from outside sources, where the attacker intercepts your message and then alters it before passing it on to the VPN server without your knowledge.
Handshake – This is the algorithm which establishes the initial secure connection and verifies that you are talking to a PIA VPN server and not an imposter. Hence the name handshake. Private Internet Access uses Transport Layer Security v1.2 (TLS 1.2) for this connection and all certificates are signed using SHA512.
RSA-2048 – This uses a 2048 bit Ephemeral Diffie-Hellman (DH) key exchange and a 2048 bit RSA certificate for verification.
RSA-3072 – This uses the same algorithm as above with 3072 bit for both key exchange and RSA certificate.
RSA-4096 – This uses the same algorithm as above with 4096 bit for both key exchange and RSA certificate.
ECC-256k1 — Ephemeral Elliptic Curve DH key exchange and an Elliptic Curve Digital Signature Algorithm (ECDSA) certificate for verification. Curve secp256k1 (256 bit), which is the curve that Bitcoin uses for its transactions, is used for both the key exchange and the certificate.
ECC-256r1 — Like above but curve prime256v1 (256 bit, also known as secp256r1) is used for both the key exchange and the certificate.
ECC-521 — Like above but curve secp521r1 (521 bit) is used for both the key exchange and the certificate.
The Mac OS X client defaults to AES-128/SHA1/RSA-2048 which should provide the best balance of performance and security for most users. Clicking on the “default settings” link will take you to the VPN encryption page on their website.
Below are some endpoint encryption settings along with helpful suggestions for their use or non-use.
Maximum Protection – AES-256/SHA256/RSA-4096: This is for those who want the maximum security for their data and do not mind the extra speed loss.
Default Recommended Protection – AES-128/SHA1/RSA-2048: This provides the best balance of speed and protection and is the best setting for most users.
Risky – AES-128/None/RSA-2048: This configuration is susceptible to active MitM attacks in which an attacker intercepts a packet and modifies it before sending it on to the recipient; encryption alone does not detect tampering.
All Speed No Safety – None/None/ECC-256k1: This is susceptible to both active and passive attacks from outside third parties. You might as well not have a VPN, as only your IP is hidden; the connection behaves like a plain unencrypted proxy.
The Private Internet Access Mac OS X client may not be the prettiest VPN client in the industry today, but it offers some of the most advanced features available in VPN clients, such as a kill switch, disabling IPv6 Internet traffic, and small packets. This makes it appealing to more technical users. At the same time it has a simple mode that is best for most users. All that is necessary to connect to one of their VPN servers is to select its location from the list that appears when you click on the client icon in the menu bar. It does not get much easier than that.
Connecting with the Android App
As we said before, you can download the Private Internet Access Android app from the client setup page of their website by selecting “Support” from the Account menu above the main menu, as we showed at the beginning of the hands-on section. The client setup page also has manual setup guides for configuring Android devices to use their service with OpenVPN Connect, L2TP/IPsec + PSK, and PPTP. Once you are on this page, click on the “Download” button in the Android App box (shown at left). This will take you to the Google Play Store, where you can download and install the app on your Android device. You must allow in-app purchases for the installation to complete. The app requires Android 2.2 or greater. The images below illustrate this installation.
Once the app finishes installing, press the green “OPEN” button (shown above right) to launch it. This brings up the login screen shown in the image on the left below. On this screen, enter the “Username” and “Password” from the welcome email sent to you by Private Internet Access. Next, enter your email address in the appropriate field and tap the big green “LOG IN” button. You will notice the pricing on the image is $6.95 a month or $39.95 a year. Remember to use our VPNFan discount to save even more.
This will bring up a screen like the one shown in the middle above. This is the main connection screen for the Private Internet Access Android app. From this screen you can slide the connection slider right to connect to your chosen location. If you tap on the encircled greater than sign to the right of the current region (Automatic), it will bring up the location selection screen which is the last image above. As you can see, Automatic has a check and is outlined in a green box. This means that it is your chosen connection location. The locations are in alphabetical order and you can slide up and down through the list to find your location. Also note that the ping times are shown under each location to help you find the fastest one from your current location.
Now let us say you want to connect to Melbourne, Australia. Just tap on the AU Melbourne location in the last screen above. This sets your current location to AU Melbourne and returns you to the main connection screen, as shown in the first image below. To complete the connection to Melbourne, slide the status slider to the right. Since this is your first connection, you will see an attention screen like the one in the second image below. You must trust the PIA VPN app and then tap “OK” for the connection process to continue.
You will then see a screen like the third one above, which indicates that the app is authenticating the server certificate before completing the connection. The last screen above shows that you are now connected to Melbourne. IP addresses are also shown on these screens but have been redacted for this review. Once you are connected, you have a new virtual IP, as yours has been masked, and all of your Internet traffic is encrypted inside the tunnel. We have seen how to connect to a new location when you are not already connected to a VPN server. Now let us take a look at how you change locations using the Private Internet Access Android app. This process is illustrated in the images below.
The first image above shows that you are currently connected to AU Melbourne. Tapping on your current location area brings up the list of locations you saw previously. Tapping on the New York City location is all that is needed to change from Melbourne to New York City. A single tap disconnects you from Melbourne and then connects you to New York City, as shown in the second and third images above. The last image shows that our new connection is indeed New York City, as it is surrounded by a green box with a big green check.
The “?” icon in the upper right of the screen brings up copyright information on the app and the components it uses. You can look at this if you want. The last thing we want to examine for the Android app is the settings, which can be accessed by tapping the “gear” icon in the upper right of the screen below the “?” icon. The first of the settings, which are not shown, are account information and logout, which logs you out of your current VPN session. Note that if you log out you will have to re-enter your login credentials.
Sliding the screen up will reveal the connection settings which are shown in the below images.
The connection settings for the PIA Android app are as follows:
Block local network – This keeps other machines on the same LAN (Local Area Network) from communicating with your device while the VPN is up. Turn it on when you connect from a network you do not control, such as a public Wi-Fi hotspot; turn it off at home if you still need to reach local devices such as a printer.
Use TCP – There are two transport protocols that can carry an OpenVPN connection.
UDP – The User Datagram Protocol is used for low latency connections that can tolerate some packet loss. It is the default OpenVPN protocol for the Private Internet Access Android app and best for most users. It does not track packet order or loss itself, only an optional checksum; the tunnelled applications' own TCP connections handle retransmission where needed.
TCP – The Transmission Control Protocol suits high latency connections and networks that block UDP. It checks packet order and loss and resends packets as necessary, which adds overhead and makes it slower. Tunnelling TCP traffic inside a TCP connection also means both layers retransmit on loss, so use it only when UDP does not work.
Remote Port – This lets you choose the remote port to tunnel data through as is shown in the middle image above.
Auto – This will choose the best port for you.
Port 1194 – This is the standard OpenVPN port.
Port 8080 – This is the common alternative to port 80 for HTTP web services and is often used by proxies.
Port 9201 – This is the port used for WAP (Wireless Application Protocol) services on mobile devices.
Port 53 – This is the port used by DNS for requests.
Local port – This allows you to set a local port to send data through which is then redirected to the remote port.
Internet kill switch – Once set, this blocks all Internet traffic from the device if the VPN connection drops, and restores it once the connection comes back up. Disabling the kill switch or exiting the VPN client also restores normal Internet operation.
Request Port forwarding – Turning this on lets you run an application on your device that remote users can connect to through the VPN. The remote users must know the VPN address and the port number that was assigned in order to connect to it.
Port forwarding is only available through the following gateways: CA Toronto, CA North York, Netherlands, Sweden, Switzerland, France, Germany, Russia, Romania, and Israel.
Only enable this if you are running a service that you want others to connect to from outside, because it exposes that service, and your device, to anyone on the Internet who can reach the VPN address; that is the opposite of what most people use a VPN for.
Use small packets – This transfers data in smaller packets, which can work around fragmentation problems with some firewalls or network setups.
Below the connection settings are the encryption settings which are shown in the images below. The first of these is the data encryption which is shown in the first image. Tapping on the data encryption area will bring up a screen like that shown in the second image where you can select the level of encryption you want.
Data Encryption – This is the cipher used to encrypt and decrypt all of your Internet traffic once the initial secure tunnel has been established between your device and a Private Internet Access VPN server. The four selections you can choose from are as follows:
AES-128 – The Advanced Encryption Standard (AES) is the cipher chosen by the National Institute of Standards and Technology (NIST) and is approved by the United States government for classified information. This option uses AES-128 in CBC (Cipher Block Chaining) mode with a 128 bit key and provides the best performance for most users.
AES-256 – This uses the same algorithm as above in CBC mode with a 256 bit key, so it is more conservative and somewhat slower. This is the key size the US government approves for top secret information.
Blowfish – This uses Blowfish in CBC mode with a 128 bit key as an alternative to AES. It was not an entrant in the NIST AES competition (its successor, Twofish, was one of the finalists), and its 64 bit block size, half that of AES, makes it a poorer choice for long-lived, high-volume tunnels. Prefer one of the AES options.
None – This does not encrypt your data and is not recommended: it only hides your IP address, so the VPN is effectively acting as an unencrypted proxy. You are susceptible to passive attacks in which a third party records your traffic without your knowledge. It can still help overcome geo-restrictions and censorship that are based on your IP address.
The second of these is data authentication, shown in the first image below. Tapping on the data authentication area brings up a screen like the one in the second image below, where you can select the level of security for data authentication.
Data Authentication – This is the algorithm that authenticates every packet to guard against active attacks (attacks in which someone on the path adds, removes, or alters packets in your traffic).
SHA1 – This uses HMAC (Hash-based Message Authentication Code) built on SHA-1, which attaches a 160 bit authentication tag to each packet. The 160 bits are the size of the tag, not of the key; the HMAC key is a separate secret negotiated during the handshake. The known SHA-1 collision attacks do not break HMAC-SHA1, so this remains an acceptable choice.
SHA256 – This uses HMAC built on SHA-256, producing a 256 bit tag. It costs slightly more CPU per packet and is the conservative choice if you want a margin against future weaknesses in SHA-1.
None – This opens you up to active attacks such as a man-in-the-middle (MitM), in which an attacker intercepts a packet and alters it before passing it on to the VPN server, and neither end can tell that it was changed.
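To make the difference between these three options concrete, here is a small added example written for this review (it is not code from Private Internet Access or from OpenVPN): a packet authenticator in the style of the OpenVPN data channel, with the key, the sample ciphertext and the packet layout all constructed for the demonstration. It seals a packet with HMAC-SHA1, HMAC-SHA256, or no tag at all, lets an on-path attacker flip one bit, and reports whether the receiver catches it. The same code illustrates the identical options described for the Mac OS X client earlier in this review.

```python
"""Added example for this review: how the "Data Authentication" setting protects
a VPN data packet. Illustrative code, not PIA's or OpenVPN's implementation; the
packet format, the key and the sample ciphertext below are all constructed."""
import hashlib
import hmac
import os

# The numbers in the app's menu (SHA1 = 160 bits, SHA256 = 256 bits) are the
# size of the authentication tag, not of the key. The HMAC key is a separate
# secret that the TLS handshake produces.
AUTH_ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "None": None}


def tag_bits(algorithm: str) -> int:
    """Size in bits of the tag appended to each packet (0 when disabled)."""
    digest = AUTH_ALGORITHMS[algorithm]
    return 0 if digest is None else digest().digest_size * 8


def seal(auth_key: bytes, algorithm: str, ciphertext: bytes) -> bytes:
    """Append an HMAC tag to an already-encrypted payload, OpenVPN-style."""
    digest = AUTH_ALGORITHMS[algorithm]
    if digest is None:
        return ciphertext  # "None": the packet leaves with no integrity check
    return ciphertext + hmac.new(auth_key, ciphertext, digest).digest()


def open_packet(auth_key: bytes, algorithm: str, packet: bytes) -> bytes:
    """Verify the tag and return the payload; raise if the packet was altered."""
    digest = AUTH_ALGORITHMS[algorithm]
    if digest is None:
        return packet  # nothing to verify: any modification is accepted silently
    tag_len = digest().digest_size
    if len(packet) < tag_len:
        raise ValueError("packet too short to carry a tag")
    payload, tag = packet[:-tag_len], packet[-tag_len:]
    expected = hmac.new(auth_key, payload, digest).digest()
    # Constant-time comparison: a plain == leaks timing that helps forge tags.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: packet was modified in transit")
    return payload


def tamper(packet: bytes, index: int = 0) -> bytes:
    """An active attacker on the path flips one bit of the packet in flight."""
    altered = bytearray(packet)
    altered[index] ^= 0x01
    return bytes(altered)


def demo(algorithm: str) -> str:
    """Send one constructed packet through the attacker; report the outcome."""
    auth_key = os.urandom(32)  # stands in for the key from the handshake
    ciphertext = b"\x8a\x17constructed-encrypted-payload"  # constructed sample
    on_the_wire = tamper(seal(auth_key, algorithm, ciphertext))
    try:
        open_packet(auth_key, algorithm, on_the_wire)
    except ValueError:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    for alg in ("SHA1", "SHA256", "None"):
        print(f"{alg:7s} tag={tag_bits(alg):3d} bits  tampered packet: {demo(alg)}")
```

Running it prints one line per algorithm: the tag sizes are 160 and 256 bits for SHA1 and SHA256, the tampered packet is rejected in both of those cases, and with “None” the altered packet is accepted as genuine, which is exactly the active-attack exposure described above. The compare_digest call is deliberate; comparing tags with a plain equality check can leak timing information that helps an attacker forge one.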
The last of the encryption settings is called the handshake which is shown in the first image below. Tapping in the handshake area will bring up a screen like that shown in the second image below where you can select the type and level of security for the handshake.
Handshake – This is the algorithm that establishes the initial secure connection and verifies that you are talking to a PIA VPN server and not an impostor, hence the name. Private Internet Access uses Transport Layer Security v1.2 (TLS 1.2) for this connection and all certificates are signed using SHA512. The ephemeral key exchanges below also give forward secrecy: a past session key cannot be recovered later even if the server's long-term key is compromised.
RSA-2048 – This uses a 2048 bit Ephemeral Diffie-Hellman (DH) key exchange and 2048bit RSA certificate for verification.
RSA-3072 – This uses the same algorithm as above with 3072 bit for both key exchange and RSA certificate.
RSA-4096 – This uses the same algorithm as above with 4096 bit for both key exchange and RSA certificate.
ECC-256k1 — Ephemeral Elliptic Curve DH key exchange and an Elliptic Curve Digital Signature Algorithm (ECDSA) certificate for verification. Curve secp256k1 (256bit) which is the curve that Bitcoin uses for its transactions is used for both the key exchange and the certificate.
ECC-256r1 — Like above but curve prime256v1 (256 bit, also known as secp256r1) is used for both the key exchange and the certificate.
ECC-521 — Like above but curve secp521r1 (521 bit) is used for both the key exchange and the certificate.
Below are some endpoint encryption settings along with helpful suggestions for their use or non-use.
Maximum Protection – AES-256/SHA256/RSA-4096: This is for those who want the maximum security for their data and do not mind the extra speed loss.
Default Recommended Protection – AES-128/SHA1/RSA-2048: This provides the best balance of speed and protection and is the best setting for most users.
Risky – AES-128/None/RSA-2048: This configuration is susceptible to active MitM attacks in which an attacker intercepts a packet and modifies it before sending it on to the recipient; encryption alone does not detect tampering.
All Speed No Safety – None/None/ECC-256k1: This is susceptible to both active and passive attacks from outside third parties. You might as well not have a VPN, as only your IP is hidden, which makes the connection act like a plain unencrypted proxy.
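For readers who set up OpenVPN by hand using the manual setup guides mentioned earlier, here is an added example of how these same connection and encryption settings look as directives in an OpenVPN client profile. It was written for this review and is not a profile supplied by Private Internet Access; the mapping from each app setting to a directive is our reading of the OpenVPN manual, and the server host name, CA file name and mssfix value are placeholders. The weak presets are shown commented out beside the recommended ones.

```conf
# Added example, not a PIA-provided profile. Host name, ca file and numeric
# values are placeholders; the setting-to-directive mapping is an assumption.
client
dev tun
remote-cert-tls server      # only accept a certificate issued for server use
tls-version-min 1.2         # handshake: require TLS 1.2 as the review states
ca ca.crt                   # the CA you trust decides RSA-2048/4096 vs ECC

# Connection settings
proto udp                   # "Use TCP" off; use "proto tcp" only when UDP is blocked
remote vpn.example.invalid 1194   # "Remote Port": 1194, 8080, 9201 or 53
nobind                      # no fixed "Local port"; replace with "lport 1194" to pin one
mssfix 1400                 # "Use small packets": clamp TCP MSS inside the tunnel
persist-key
persist-tun

# Encryption settings: "Default Recommended Protection"
cipher AES-128-CBC          # "Data Encryption"
auth SHA1                   # "Data Authentication" (HMAC-SHA1, 160 bit tag)

# "Maximum Protection" would instead be:
# cipher AES-256-CBC
# auth SHA256

# The "Risky" and "All Speed No Safety" presets correspond to the directives
# below; packets can then be altered (auth none) or read (cipher none) in transit.
# auth none
# cipher none
```

The two lines worth checking in any profile you did not write yourself are remote-cert-tls server and the ca line: together they are what makes the handshake reject an impostor server, whichever RSA or ECC option you pick.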
The Private Internet Access Android app has a clean graphical interface and is easy to use. Simply select a location and slide the status slider to the right to connect to it. Changing regions is even easier: open the locations screen and tap on a new location, and the app automatically disconnects you from your old location and connects you to the new one. The default settings used by Private Internet Access are ideal for most users, so no technical knowledge is required to use their VPN. However, they offer manual settings for connection and encryption for those who are more technical and want more control over their VPN connection. The app supports some advanced VPN features for those who understand how to use them, including a choice of remote ports, local ports, port forwarding, small packets, and a kill switch that cuts your Internet access if the VPN connection drops. With the default or stronger encryption settings your traffic is both encrypted and authenticated, which is what protects you at a local Wi-Fi hotspot; do not pick the “None” options on a network you do not trust.
Connecting with the iOS App
As