top of page

Private Internet Access (PIA) on QNap TS-253 Pro

Updated: Dec 31, 2021


Striped Skunk in Grand Teton National Park; photo by Ryan Murphy.

I recently encountered the task of encrypting all traffic from my QNap TS-253 Pro NAS using my current VPN provider Private Internet Access (PIA). Unfortunately, there’s no clear cut way of getting PIA setup on the QNap TS-253 Pro. After some digging and trial and error I was able to get this working.


1) Download PIA’s newest root certificates. This contains the root certificate for RSA 4096-bit encryption... https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip


2) Use WinSCP or FileZilla to SCP in to your QNap and copy the ca.rsa.4096.crt and ca.rsa.4096.pem files to /etc/config/openvpn/keys


3) Open up the QNap Management Portal and configure the VPN client

  • System Settings -> Applications -> VPN Client

  • New -> OpenVPN Connection

Name: PIA VPN Connection
Server: ca-toronto.privateinternetaccess.com (or any other     valid PIA server)
Port: 1197
Import ca.rsa.4096.crt

4) Click “Connect”, it may or may not connect, but if it does connect you won’t see any traffic. Click “Disconnect”

  • SCP into your Qnap

  • Open /etc/config/openvpn/clients/client1

  • Replace everything up to the <ca> line

dev tun2001
proto udp
remote ca-toronto.privateinternetaccess.com 1197
client
nobind
cipher AES-256-CBC
auth SHA256
comp-lzo
writepid /var/run/openvpn.client1.pid
reneg-sec 0
persist-key
persist-tun
cipher aes-256-cbc
auth sha256
tls-client
remote-cert-tls server
tls-exit
remap-usr1 SIGTERM
connect-retry-max 1
auth-retry nointeract
resolv-retry infinite
route-noexec
auth-user-pass /etc/config/openvpn/clients/client1.auth
script-security 3
up /etc/openvpn/openvpn_up
down /etc/openvpn/openvpn_down
daemon openvpn-client
plugin /usr/lib/vpn_ext.so 1
ca /etc/config/openvpn/keys/ca.rsa.4096.crt
crl-verify /etc/config/openvpn/keys/crl.rsa.4096.pem

6) Save the file and close the session


7) Go back to your VPN Client in your QNap and click “Connect”

  • You should now start to see traffic

  • You may see SHA256/AES256 configuration errors in the logs, you can safely ignore these unless you’re seeing issues with connecting.


8) Test your connection by SSHing into your QNap and simply pinging www.google.com

 
 
 
  • Instagram
  • Facebook
  • LinkedIn

© 2026 Ryan Murphy -- All images are property of Ryan Murphy and are not to be reused without written consent.

bottom of page