Install Debian 11 and update
apt update && apt dist-upgrade -y && apt install libgthread curl ufw -y
If the only account is root, create a new account
adduser pia-gateway
usermod -aG sudo pia-gateway
su pia-gateway
Download and run the PIA installer as the pia-gateway user (not as root). Once it finishes, exit back to root and reboot
wget https://installers.privateinternetaccess.com/download/pia-linux-3.3.1-06924.run
sudo chmod +x pia-linux-3.3.1-06924.run
./pia-linux-3.3.1-06924.run
exit
reboot
Create a .txt file with your PIA username and password (on separate lines), then log in to PIA with it
nano login.txt
piactl login login.txt
Set PIA to use WireGuard, allow PIA to run in the background (without this the kill switch will not work), allow LAN traffic (otherwise the kill switch also cuts off the LAN clients that use this box as their gateway), and turn the kill switch on so that nothing leaks outside the tunnel
piactl set protocol wireguard
piactl set background true
piactl set allowlan true
piactl -u applysettings '{"killswitch":"on"}'
Check your current (unmasked) public IP, connect, and then check the IP again; the two addresses should differ
curl checkip.dyndns.org
piactl connect
curl checkip.dyndns.org
Set Linux to forward traffic and disable IPv6 (so IPv6 traffic cannot bypass the IPv4 tunnel). Add the following lines to /etc/sysctl.conf
nano /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
then run sudo sysctl -p to apply the changes
Allow forwarding from the LAN to PIA and the replies from PIA back to the LAN, and NAT the LAN traffic out through the tunnel. Here eth0 is the LAN interface and wgpia0 is the WireGuard interface PIA creates; if your LAN interface has a different name (check with ip link), substitute it in every rule below.
iptables -A FORWARD -i eth0 -o wgpia0 -j ACCEPT
iptables -A FORWARD -i wgpia0 -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o wgpia0 -j MASQUERADE
Any machine using this server as its gateway is now going out through the PIA VPN; confirm from one of those machines by running curl checkip.dyndns.org
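The confirmation above only checks the public IP. The script below is an added example (not part of the original guide) that checks everything the guide sets up on the gateway itself: the four sysctl values, the three iptables rules exactly as iptables-save prints them, the presence of the wgpia0 interface, and whether the public IP really differs from the address seen before piactl connect. It assumes the interface names from the guide (eth0, wgpia0, overridable via LAN_IF and VPN_IF), that checkip.dyndns.org answers with the text "Current IP Address: x.x.x.x", and that the pre-VPN address is passed in as REAL_IP; the file names and function names are my own.

```shell
#!/bin/sh
# check_gateway.sh - verify the PIA gateway state set up in the guide above.
# Added example; assumes LAN interface eth0 and PIA interface wgpia0.

LAN_IF="${LAN_IF:-eth0}"
VPN_IF="${VPN_IF:-wgpia0}"

# sysctl_is KEY VALUE FILE: succeed if FILE (output of `sysctl -a`) has "KEY = VALUE".
sysctl_is() {
  grep -Fxq "$1 = $2" "$3"
}

# sysctl_ok FILE: all four settings the guide adds to /etc/sysctl.conf are active.
sysctl_ok() {
  sysctl_is net.ipv4.ip_forward 1 "$1" &&
  sysctl_is net.ipv6.conf.all.disable_ipv6 1 "$1" &&
  sysctl_is net.ipv6.conf.default.disable_ipv6 1 "$1" &&
  sysctl_is net.ipv6.conf.lo.disable_ipv6 1 "$1"
}

# rules_ok FILE: the FORWARD and MASQUERADE rules are present in FILE
# (output of `iptables-save`, which prints each rule on one line in this form).
rules_ok() {
  grep -Fxq -- "-A FORWARD -i $LAN_IF -o $VPN_IF -j ACCEPT" "$1" &&
  grep -Fxq -- "-A FORWARD -i $VPN_IF -o $LAN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" "$1" &&
  grep -Fxq -- "-A POSTROUTING -o $VPN_IF -j MASQUERADE" "$1"
}

# extract_ip: read the checkip.dyndns.org page on stdin, print only the address.
# Assumes the page contains "Current IP Address: x.x.x.x".
extract_ip() {
  sed -n 's/.*Current IP Address: \([0-9.]*\).*/\1/p'
}

# ip_masked REAL CURRENT: succeed only if both are set and the current
# public address differs from the real (pre-VPN) one.
ip_masked() {
  [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# check: run the live checks on this host. REAL_IP must hold the address
# seen by the first curl in the guide, before `piactl connect`.
check() {
  tmp=$(mktemp -d) || return 1
  sysctl -a > "$tmp/sysctl" 2>/dev/null
  iptables-save > "$tmp/rules"
  rc=0
  if sysctl_ok "$tmp/sysctl"; then echo "sysctl: ok"; else echo "sysctl: forwarding/IPv6 settings missing"; rc=1; fi
  if rules_ok "$tmp/rules"; then echo "iptables: ok"; else echo "iptables: FORWARD/MASQUERADE rules missing"; rc=1; fi
  if ip link show "$VPN_IF" >/dev/null 2>&1; then echo "$VPN_IF: present"; else echo "$VPN_IF: missing (not connected?)"; rc=1; fi
  cur=$(curl -s checkip.dyndns.org | extract_ip)
  if ip_masked "$REAL_IP" "$cur"; then echo "public IP: $cur (masked)"; else echo "public IP: $cur NOT masked (real: $REAL_IP)"; rc=1; fi
  rm -rf "$tmp"
  return $rc
}

# Live checks run only when invoked with "check", e.g.
#   REAL_IP=203.0.113.5 sudo -E sh check_gateway.sh check
if [ "${1:-}" = "check" ]; then check; fi
```

A non-zero exit means at least one of the four conditions failed, which is the case to look for after a reboot: the sysctl values persist, but the iptables rules do not unless they are re-added.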
Then add crontab -e entries (in root's crontab, since iptables needs root) so the connection and the forwarding rules come back after a reboot; iptables rules are not persistent, so all three must be re-added
@reboot /usr/local/bin/piactl connect
@reboot /usr/sbin/iptables -A FORWARD -i eth0 -o wgpia0 -j ACCEPT
@reboot /usr/sbin/iptables -A FORWARD -i wgpia0 -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
@reboot /usr/sbin/iptables -t nat -A POSTROUTING -o wgpia0 -j MASQUERADE
Finally, on your network firewall, block all outbound traffic from the network that does not originate from this gateway, so that no client can reach the internet except through the VPN