The server list endpoint returns JSON on line 1 with a base64-encoded
RSA-SHA256 signature on lines 3+. This was previously ignored. Add
verifyServerList() that checks the signature against PIA's public
signing key before trusting the data. On failure the service aborts
and systemd restarts it.
Also bump RestartSec to 5m to avoid hammering PIA servers on repeated
failures, and add openssl to container dependencies.
Replace the single VPN container (veth pair, host-side auth scripts) with a
multi-container setup on a shared bridge network:
- Dedicated VPN container handles all PIA auth, WireGuard config, NAT, and
optional port forwarding DNAT
- Service containers default-route through VPN container (leak-proof by topology)
- Host runs tinyproxy on bridge for PIA API bootstrap before WG is up
- WG interface is still created in host netns and moved into VPN container
namespace
- Monthly renewal to ensure that connection stays up (PIA allows connections to
last up to 2 months)
- Drop OpenVPN support entirely
