    Automated scripts for Private Internet Access port forwarding
    • Z
      zounder1
      last edited by

      To clarify this.  Change the "PORT" line in the script with this:

      PORT=`curl --interface $LOCAL_IP -d "user=$USERNAME&pass=$PASSWORD&client_id=$(cat $PIACLIENTID)&local_ip=$LOCAL_IP" https://www.privateinternetaccess.com/vpninfo/port_forward_assignment`

      This should be put into V1.02 of this script.  For setups with multiple gateways you need this to ensure the request goes out via the proper PIA VPN connection.  With this change the script will try and use the default gateway which may not be the correct gateway.

      Hats off to Bagpuss the creator of this script!  This is awesome.

      Hats off to  ppierre for adding that important last catch with the script.

      @ppierre:

      Nice script.

      Just an edge case that I've encountered. I've got this reply:

      {"error":"port forwarding not available for this region"}

      Everything was fine, but in my setup I haven't set up the VPN as default route (only one IP goes through it).

      So I had to add this to your script:

      curl --interface "$LOCAL_IP" ...

      And everything went smoothly. It seems PIA needs to get the port request from its own network.
      Maybe you should add it to your post. In case someone would try a similar setup.

      • B
        Bagpuss
        last edited by

        @zounder1:

        To clarify this.  Change the "PORT" line in the script with this:

        PORT=`curl --interface $LOCAL_IP -d "user=$USERNAME&pass=$PASSWORD&client_id=$(cat $PIACLIENTID)&local_ip=$LOCAL_IP" https://www.privateinternetaccess.com/vpninfo/port_forward_assignment`

        This should be put into V1.02 of this script.  For setups with multiple gateways you need this to ensure the request goes out via the proper PIA VPN connection.  With this change the script will try and use the default gateway which may not be the correct gateway.

        Hats off to Bagpuss the creator of this script!  This is awesome.

        Hats off to  ppierre for adding that important last catch with the script.

        Not checked this thread for a while, and I've just realised that I hadn't posted v1.02 where I did indeed catch this bug. My apologies.
        My fix is slightly different, but it achieves the same thing.

        Attached to this post is v1.03, where I've caught another issue.
        I kept seeing entries in my syslog which said 'pfSense is restoring the configuration /conf/backup/config-1393680553.xml' or similar.
        Further debugging revealed that the PIA address wasn't resolving for curl, and hence the script returned a NULL for the port number.
        I wasn't catching this error, and so the script was copying an empty /tmp/config.pia over the config.xml.

        The new script fixes this, and also provides the return code from curl, so you can try and work out what went wrong.

        pia-port.v103.txt

        • B
          Bagpuss
          last edited by

          @dalesd:

          Hi Andy,
          I'm also a PIA customer and I'm trying your script for port forwarding.

          So far, it's not working.  Where do I find the log file so I can troubleshoot this?  Your post says to check the /var/log/messages file, but there isn't one.

          Sorry. That should have been /var/log/system.log

          • B
            Bagpuss
            last edited by

            As an aside, my original instructions contain details for managing cron from the command line.
            Whilst this works, there is a cron GUI package available, and this works just as well.

            I'm pretty sure that anyone who is okay with installing this stuff in the first place can use cron,
            but the pfSense preferred way is to use the GUI package. I'm told that changes to the underlying
            pfSense OS going forward might mean that command line cron entries are lost across reboots.
            The GUI package stores the cron entries in your config.xml, thereby ensuring their survival.

            • B
              binaryjay
              last edited by

              Amazing post.  I was in the middle of reinventing this wheel (moving away from openvpn client on specific hosts) but this saved me a bunch of time.  Had to make some minor changes to account for nanoBSD which I have PM'd you about.  May be worth checking if the filesystem is ro and remounting before continuing to make your script pfsense distribution agnostic.

              Also, instead of force deleting config.cache (doesn't that seem a little messy?), would it not be better to just run:
              /etc/rc.reload_all

              ?  Scratch that, running that manually seems to kill everything and requires a reboot.

              After I started running this script I've been seeing inetd complaining in the logs about connection aborts and I wonder if it has something to do with the unexpected blowing away of config.cache.

              • I
                Imaginos
                last edited by

                So these two commands are causing an interesting problem:

                pkg_add -r curl
                pkg_add -r xmlstarlet
                

                They both reach out to ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/Latest/… and both generate the following error.

                Error: Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/Latest/xmlstarlet.tbz: File unavailable (e.g., file not found, no access)
                pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/Latest/xmlstarlet.tbz' by URL
                

                A brief investigation reveals that the error is correct and that file path does not exist. There is a packages-8-stable, 8.4-release, 9-stable and others, but not an 8.3 flavor.

                You can see the directory here: ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/.

                I'm at a loss of how to proceed and my kung fu with this is 30 years old and not potent enough to figure it out.

                • C
                  Cino
                  last edited by

                  @Imaginos:

                  So these two commands are causing an interesting problem:

                  pkg_add -r curl
                  pkg_add -r xmlstarlet
                  

                  They both reach out to ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/Latest/… and both generate the following error.

                  Error: Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/Latest/xmlstarlet.tbz: File unavailable (e.g., file not found, no access)
                  pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/Latest/xmlstarlet.tbz' by URL
                  

                  A brief investigation reveals that the error is correct and that file path does not exist. There is a packages-8-stable, 8.4-release, 9-stable and others, but not an 8.3 flavor.

                  You can see the directory here: ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/.

                  I'm at a loss of how to proceed and my kung fu with this is 30 years old and not potent enough to figure it out.

                  Searching will help your kung fu

                  https://forum.pfsense.org/index.php?topic=78935.0

                  AMD64
                  setenv PACKAGESITE http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/amd64/packages-8.3-release/

                  I386
                  setenv PACKAGESITE http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.3-release/

                  • Z
                    zounder1
                    last edited by

                    @Cino:

                    @Imaginos:

                    So these two commands are causing an interesting problem:

                    pkg_add -r curl
                    pkg_add -r xmlstarlet
                    

                    They both reach out to ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/Latest/… and both generate the following error.

                    Error: Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/Latest/xmlstarlet.tbz: File unavailable (e.g., file not found, no access)
                    pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/Latest/xmlstarlet.tbz' by URL
                    

                    A brief investigation reveals that the error is correct and that file path does not exist. There is a packages-8-stable, 8.4-release, 9-stable and others, but not an 8.3 flavor.

                    You can see the directory here: ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/.

                    I'm at a loss of how to proceed and my kung fu with this is 30 years old and not potent enough to figure it out.

                    Searching will help your kung fu

                    https://forum.pfsense.org/index.php?topic=78935.0

                    AMD64
                    setenv PACKAGESITE http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/amd64/packages-8.3-release/

                    I386
                    setenv PACKAGESITE http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.3-release/

                    I used:
                    setenv PACKAGESITE http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/amd64/packages-8.3-release/Latest/

                    Then I could install curl.

                    But quite the output for xmlstarlet
                    pkg_add -r xmlstarlet
                    Fetching http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/amd64/packages-8.3-release/Latest/xmlstarlet.tbz... Done.
                    Fetching http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/amd64/packages-8.3-release/All/pkg-config-0.25_1.tbz... Done.
                    Fetching http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/amd64/packages-8.3-release/All/libxml2-2.7.8_2.tbz... Done.
                    pkg_add: warning: package 'libxml2-2.7.8_2' requires 'libiconv-1.13.1_2', but 'libiconv-1.14_1' is installed
                    Fetching http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/amd64/packages-8.3-release/All/libgpg-error-1.10.tbz... Done.
                    pkg_add: warning: package 'libgpg-error-1.10' requires 'libiconv-1.13.1_2', but 'libiconv-1.14_1' is installed
                    pkg_add: warning: package 'libgpg-error-1.10' requires 'gettext-0.18.1.1', but 'gettext-0.18.3.1' is installed
                    Fetching http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/amd64/packages-8.3-release/All/libgcrypt-1.5.0.tbz... Done.
                    pkg_add: warning: package 'libgcrypt-1.5.0' requires 'libiconv-1.13.1_2', but 'libiconv-1.14_1' is installed
                    pkg_add: warning: package 'libgcrypt-1.5.0' requires 'gettext-0.18.1.1', but 'gettext-0.18.3.1' is installed
                    Fetching http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/amd64/packages-8.3-release/All/libxslt-1.1.26_3.tbz... Done.
                    pkg_add: warning: package 'libxslt-1.1.26_3' requires 'libiconv-1.13.1_2', but 'libiconv-1.14_1' is installed
                    pkg_add: warning: package 'libxslt-1.1.26_3' requires 'gettext-0.18.1.1', but 'gettext-0.18.3.1' is installed
                    pkg_add: warning: package 'xmlstarlet-1.0.5' requires 'libiconv-1.13.1_2', but 'libiconv-1.14_1' is installed
                    pkg_add: warning: package 'xmlstarlet-1.0.5' requires 'gettext-0.18.1.1', but 'gettext-0.18.3.1' is installed

                    It seems to have installed xmlstarlet despite the warnings.  But I'm new to this package manager so I'm not sure if this is asking for trouble or if it just installs and hopes that everything runs with different versions of the dependencies.

                    • SoloamS
                      Soloam
                      last edited by

                      @ppierre:

                      Nice script.

                      Just an edge case that I've encountered. I've got this reply:

                      {"error":"port forwarding not available for this region"}

                      Everything was fine, but in my setup I haven't set up the VPN as default route (only one IP goes through it).

                      So I had to add this to your script:

                      curl --interface "$LOCAL_IP" ...

                      And everything went smoothly. It seems PIA needs to get the port request from its own network.
                      Maybe you should add it to your post. In case someone would try a similar setup.

                      Hello, I'm having the same error

                      {"error":"port forwarding not available for this region"} 
                      

                      All runs well, the pia_port.txt is created but in the log I get that error.

                      Can anyone help me? Using the latest version of the script.

                      Best Regards
                      Soloam

                      • S
                        saytar
                        last edited by

                        Not sure I can help as I don't have my VPN back up yet since my box crashed and I had to reflash and set it back up. But before the crash I did have PIA up and working on pfSense 2.1.3.

                        I didn't have any trouble with it changing IPs when they switched around. My logs showed pfSense detecting the change and just remaking the tunnel, and I never noticed it until I happened to check the logs.

                        There is a how-to online somewhere that I went by to set it up. The setup was for ONLY the client setup. I think maybe everyone is making the issue more complex than needed.

                        Check this link.  http://www.bodenzord.com/archives/324
                        Maybe it will help

                        Chow

                        “An armed society is a polite society. Manners are good when one may have to back up his acts with his life.”

                        “Ignorance is curable, stupid is forever.”
                        ― Robert A. Heinlein, Beyond This Horizon

                        • K
                          khyr0n
                          last edited by

                          OMG This post is the Holy Grail I had to revive it! (And because I have a question)

                          Thanks a lot! I only changed
                          PORT=`curl -d "user=$USERNAME&pass=$PASSWORD&client_id=$(cat $PIACLIENTID)&local_ip=$LOCAL_IP" https://www.privateinternetaccess.com/vpninfo/port_forward_assignment`

                          to

                          PORT=`curl -k -d "user=$USERNAME&pass=$PASSWORD&client_id=$(cat $PIACLIENTID)&local_ip=$LOCAL_IP" https://www.privateinternetaccess.com/vpninfo/port_forward_assignment`

                          Because I was getting an error… Now it's fine!

                          BUT...

                          Would anyone have an idea on how to go about reading the pia_port.txt file from a remote windows machine running utorrent client???

                          Thanks again!

                          • SoloamS
                            Soloam
                            last edited by

                            Hello, yes I had to make that change too, something regarding certificates on the SSH.

                            Also I made a small change to Bagpuss' pfSense script, to make it use an alias with a port, instead of changing the rules. That way I can use the torrent port in other rules.

                            It assumes a port alias with the name "TorrentBoxPortPIA".

                            
                            #!/bin/sh
                            export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
                            
                            # Private Internet Access Advanced Port Forward Script for pfSense
                            # v1.0 (21st January 2014)
                            
                            # Pre-requisites for this script:
                            # pfSense v2.1 (Port forward NAT return destination broken in earlier versions)
                            # curl - pkg_add -r curl
                            # xmlstarlet - pkg_add -r xmlstarlet
                            
                            # Add your PIA username and password
                            USERNAME=USER
                            PASSWORD=PASSWORD
                            PIACLIENTID=/cf/conf/pia_client_id
                            CONFFILE=/cf/conf/config.xml
                            
                            # Check to see if we have a valid PIA Client ID file.
                            # If not, create one. Linux is included for illustration only.
                            if [ ! -e $PIACLIENTID ]; then
                            
                            	# OSX/FreeBSD (pfSense)
                            	head -n 100 /dev/urandom | md5 > $PIACLIENTID
                            
                            	# Linux
                            	#head -n 100 /dev/urandom | md5sum | tr -d " -" > $PIACLIENTID
                            
                            	logger "pia-port: Created new PIA Client ID."
                            fi
                            
                            # Find out the tunnelling device for your VPN and get your IP address.
                            # There are several options presented here. Personally, I prefer to use
                            # the interface which I know relates to my VPN tunnel for forwarding.
                            
                            #DEVICE=`ifconfig | grep -o "tun[0-9]"`
                            #LOCAL_IP=`ifconfig $DEVICE | grep -Po "(?<=addr.)[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*"`
                            LOCAL_IP=`ifconfig ovpnc1 | grep "inet " | cut -d\  -f2`
                            
                            # Get the port number for the forwarded port
                            PORT=`curl -d "user=$USERNAME&pass=$PASSWORD&client_id=$(cat $PIACLIENTID)&local_ip=$LOCAL_IP" -k https://www.privateinternetaccess.com/vpninfo/port_forward_assignment`
                            
                            PORTNUM=`echo $PORT | grep -oE "[0-9]+"` 
                            
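                            # Some error detection. If PORTNUM is empty (curl failed, or the reply was an
                            # error message with no digits) or longer than 5 characters, we know that
                            # an error has been returned. We log the raw reply to syslog, and exit.
                            len=`expr "$PORTNUM" : '.*'`
                            echo $len
                            
                            if [ -z "$PORTNUM" ] || [ "$len" -gt 5 ]; then
                            	logger "pia-port: no usable port in reply: $PORT"
                            	exit 0
                            fi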
                            
                            logger "pia-port: Port number acquired: $PORTNUM"
                            
                            # Get current NAT port number using xmlstarlet to parse the config file.
                            CURPORT=`xml sel -t -v '//alias[name="TorrentBoxPortPIA"]/address' $CONFFILE`
                            
                            logger "pia-port: Current port forward: $CURPORT"
                            
                            # The port mapping doesn't always change.
                            # We don't want to force pfSense to re-read its config if we don't need to.
                            if [ "$CURPORT" = "$PORTNUM" ]; then
                            	logger "pia-port: Port not changed. Exiting."
                            	exit 0
                            fi
                            
                            # Port forward has changed, so we update the rules in the config file.
                            xml ed -u '//alias[name="TorrentBoxPortPIA"]/address' -v $PORTNUM $CONFFILE > /tmp/config.pia
                            
                            # Put the config file in the correct location, but never copy an empty
                            # file over config.xml if xmlstarlet failed.
                            if [ ! -s /tmp/config.pia ]; then
                            	logger "pia-port: xmlstarlet produced an empty config. Exiting."
                            	exit 1
                            fi
                            cp /tmp/config.pia $CONFFILE
                            
                            # Create a file in the pfSense web server root that contains the current port.
                            # This can then be read by other hosts in order to update the open port in
                            # whatever torrent client is in use.
                            echo $PORTNUM > /usr/local/www/pia_port.txt
                            
                            # Force pfSense to re-read its config
                            rm /tmp/config.cache
                            
                            logger "pia-port: New port number ($PORTNUM) inserted into config file."
                            
                            

                            Best Regards

                            1 Reply Last reply Reply Quote 0
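An added example, not part of any post in this thread: the two checks that Bagpuss's v1.03 description (empty curl reply, empty /tmp/config.pia copied over config.xml) and the script above both call for, written as POSIX sh functions. The function names are hypothetical, the success reply shape `{"port":N}` and the `</pfsense>` closing tag check are assumptions, and the sample replies are constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not taken from pia-port.

API=https://www.privateinternetaccess.com/vpninfo/port_forward_assignment

# POST the request from the tunnel address ($1). The body is read from a file
# ($2, e.g. mode 600) so the password does not appear in the process list.
# No -k here: the server certificate is verified before credentials are sent.
fetch_pia_reply() {
	reply=$(curl --silent --show-error --fail --max-time 30 \
		--interface "$1" --data "@$2" "$API")
	rc=$?
	if [ "$rc" -ne 0 ]; then
		logger "pia-port: curl failed with exit code $rc"
		return "$rc"
	fi
	printf '%s\n' "$reply"
}

# Print the port and return 0 only for a reply of the assumed form
# {"port":NNNNN} with 1 <= port <= 65535. An empty reply (curl failure),
# an {"error":"..."} reply or anything else returns 1.
parse_pia_port() {
	reply=$1
	case $reply in
		*'"error"'*) return 1 ;;
	esac
	port=$(printf '%s' "$reply" | sed -n \
		's/^[[:space:]]*{[[:space:]]*"port"[[:space:]]*:[[:space:]]*\([1-9][0-9]\{0,4\}\)[[:space:]]*}[[:space:]]*$/\1/p')
	[ -n "$port" ] || return 1
	[ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
	printf '%s\n' "$port"
}

# Replace the live config ($2) with the candidate ($1) only if the candidate
# is non-empty, is not truncated (last line closes the root element) and
# carries the expected port ($3). A backup is kept, and the final step is a
# rename inside the same directory so readers never see a half-written file.
install_config() {
	candidate=$1
	live=$2
	port=$3
	[ -s "$candidate" ] || return 1
	tail -n 1 "$candidate" | grep -q '</pfsense>' || return 1
	grep -q "<address>$port</address>" "$candidate" || return 1
	cp -p "$live" "$live.pia-bak" || return 1
	tmp=$live.new.$$
	cp "$candidate" "$tmp" && mv "$tmp" "$live"
}

# Constructed sample replies (not captured traffic).
for r in '{"port":27494}' \
	'{"error":"port forwarding not available for this region"}' ''; do
	if p=$(parse_pia_port "$r"); then
		echo "accept: $p"
	else
		echo "reject: '$r'"
	fi
done
```
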
                            • P
                              plainzwalker
                              last edited by

                              Sorry for resurrecting an old post but I just found it and I have it 90% working. The problem I am having is with the transmission script, I am using an Ubuntu server instead of a Synology system for transmission, and apparently I wasn't lucky enough for this script to work out of the box for me. Can someone please point me in the right direction so I can convert this to a linux script so I can get it to work?

                              Error I am getting is:

                              jeff@behemuth:/usr/local/bin$ sh transmission-port
                              transmission-port: 40: transmission-port: Syntax error: end of file unexpected (                  expecting "then")
                              jeff@behemuth:/usr/local/bin$
                              
                              

                              Thank you

                              • D
                                DocLove
                                last edited by

                                First,
                                    Thank everyone for their hard work on this thread, it was exactly what I needed to get my tunnel working. Since it took me some work to get this operational I thought I would share the final files I am running with.

                                • A
                                  Attackduck
                                  last edited by

                                  Thank you for the information!  And the script/instructions.
                                  I managed to make the PFSense side work by adding "-k" to this line in pia-port script Line 46 as someone suggested here:

                                  PORT=`curl --interface $INTERFACE -k -d "user=$USERNAME&pass=$PASSWORD&client_id=$(cat $PIACLIENTID)&local_ip=$LOCAL_IP" https://www.privateinternetaccess.com/vpninfo/port_forward_assignment`

                                  PIA was not allowing port forwarding on the original server I was connected to, and did not see that error message till after I changed this line.  After I changed servers to one that allowed port forwarding, it was working.

                                  Instead of a second script running to change the port on the application side, can we hard code the port on the destination side to match the application?  PIA assigned me 27494, and I thought I would try it, but failed.  Tried changing the destination port to 29493 and hard coding the application to this, but the connection would not work unless all the port numbers were the same right to the application.  Would an outbound rule need to be created then added to the script as well?  Figured if this was possible, it would keep the config in one spot, cleaner for me.
                                  Line 90:
                                  xml ed -u '//rule[descr="Torrent"]/destination/port' -v $PORTNUM -u '//rule[descr="Torrent"]/local-port' -v 29493 -u '//rule[descr="NAT Torrent"]/destination/port' -v $PORTNUM $CONFFILE > /tmp/config.pia

                                  • T
                                    thumbsp0t
                                    last edited by

                                    @Attackduck:

                                    Thank you for the information!  And the script/instructions.
                                    I managed to make the PFSense side work by adding "-k" to this line in pia-port script Line 46 as someone suggested here:

                                    PORT=`curl --interface $INTERFACE -k -d "user=$USERNAME&pass=$PASSWORD&client_id=$(cat $PIACLIENTID)&local_ip=$LOCAL_IP" https://www.privateinternetaccess.com/vpninfo/port_forward_assignment`

                                    PIA was not allowing port forwarding on the original server I was connected to, and did not see that error message till after I changed this line.  After I changed servers to one that allowed port forwarding, it was working.

                                    Instead of a second script running to change the port on the application side, can we hard code the port on the destination side to match the application?  PIA assigned me 27494, and I thought I would try it, but failed.  Tried changing the destination port to 29493 and hard coding the application to this, but the connection would not work unless all the port numbers were the same right to the application.  Would an outbound rule need to be created then added to the script as well?  Figured if this was possible, it would keep the config in one spot, cleaner for me.
                                    Line 90:
                                    xml ed -u '//rule[descr="Torrent"]/destination/port' -v $PORTNUM -u '//rule[descr="Torrent"]/local-port' -v 29493 -u '//rule[descr="NAT Torrent"]/destination/port' -v $PORTNUM $CONFFILE > /tmp/config.pia

                                    You want to keep the NAT Torrent destination port as the static port as well.

                                    What I did is a little different;

                                    I do the port verification against the Torrent rule's destination port;

                                    CURPORT=`xml sel -t -v '//rule[descr="Torrent"]/destination/port' $CONFFILE`

                                    and only write it again if it changed

                                    xml ed -u '//rule[descr="Torrent"]/destination/port' -v $PORTNUM $CONFFILE > /tmp/config.pia

                                    I also added /etc/rc.filter_configure at the end of the script; pfSense didn't really seem to reload the config properly.

                                    • D
                                      Defyant
                                      last edited by

                                      I know this is an old thread, but it is the first one to come up in google when searching "pfSense PIA Portforward". So I just wanted to add a few things on how I got port-forwarding using PIA setup with pfSense and a separate torrent download box running Deluge. I've attached two txt files to this post (pia-port.txt and deluge-port.txt), both of these are edited versions of soloam's and Bagpuss' scripts.

                                      soloam's script I only edited slightly in order to get working (added a -k to the curl command and tweaked a few names). In pfSense 2.3.1 you also only need to run the below command to install xmlstarlet and don't need to worry about installing curl.

                                      pkg install xmlstarlet

                                      Once that's done you just need to edit the pia-port script, put it somewhere on the pfSense box (/usr/local/bin is the path recommended by Bagpuss) and use chmod 755 so you can run it. You will also need to configure the Cron plugin to run it every hour. Lastly, make sure you have a port alias set up called PIAPort in pfSense and port forwards set up as necessary.

                                      
                                      #!/bin/sh
                                      export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
                                      
                                      # Private Internet Access Advanced Port Forward Script for pfSense
                                      # v1.0 (21st January 2014)
                                      # v1.1 (24th June 2016)
                                      
                                      # Pre-requisites for this script:
                                      # pfSense v2.1 (Port forward NAT return destination broken in earlier versions)
                                      # curl - pkg_add -r curl
                                      # xmlstarlet - pkg_add -r xmlstarlet
                                      
                                      # Add your PIA username and password
                                      USERNAME=USERNAME
                                      PASSWORD=PASSWORD
                                      PIACLIENTID=/cf/conf/pia_client_id
                                      CONFFILE=/cf/conf/config.xml
                                      
                                      # Check to see if we have a valid PIA Client ID file.
                                      # If not, create one. Linux is included for illustration only.
                                      if [ ! -e $PIACLIENTID ]; then
                                      
                                              # OSX/FreeBSD (pfSense)
                                              head -n 100 /dev/urandom | md5 > $PIACLIENTID
                                      
                                              # Linux
                                              #head -n 100 /dev/urandom | md5sum | tr -d " -" > $PIACLIENTID
                                      
                                              logger "pia-port: Created new PIA Client ID."
                                      fi
                                      
                                      # Find out the tunnelling device for your VPN and get your IP address.
                                      # There are several options presented here. Personally, I prefer to use
                                      # the interface which I know relates to my VPN tunnel for forwarding.
                                      
                                      #DEVICE=`ifconfig | grep -o "tun[0-9]"`
                                      #LOCAL_IP=`ifconfig $DEVICE | grep -Po "(?<=addr.)[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*"`
                                      LOCAL_IP=`ifconfig ovpnc1 | grep "inet " | cut -d\  -f2`
                                      
                                      # Get the port number for the forwarded port
                                      PORT=`curl -k -d "user=$USERNAME&pass=$PASSWORD&client_id=$(cat $PIACLIENTID)&local_ip=$LOCAL_IP" https://www.privateinternetaccess.com/vpninfo/port_forward_assignment`
                                      
                                      PORTNUM=`echo $PORT | grep -oE "[0-9]+"`
                                      
                                      # Some error detection. If PORTNUM is longer than 5 characters, we know that
                                      # an error has been returned. We log it to syslog, and exit.
                                      len=`expr $PORTNUM : '.*'`
                                      echo $len
                                      
                                      if [ $len -gt 5 ]; then
                                              logger "pia-port: $PORTNUM"
                                              exit 0
                                      fi
                                      
                                      logger "pia-port - Port number acquired: $PORTNUM"
                                      
                                      # Get current NAT port number using xmlstarlet to parse the config file.
                                      CURPORT=`xml sel -t -v '//alias[name="PIAPort"]/address' $CONFFILE`
                                      
                                      logger "pia-port - Current Port Forward: $CURPORT"
                                      
                                      # The port mapping doesn't always change.
                                      # We don't want to force pfSense to re-read its config if we don't need to.
                                      if [ "$CURPORT" = "$PORTNUM" ]; then
                                             logger "pia-port - Port Not Changed. Exiting."
                                             exit 0
                                      fi
                                      
                                      # Port forward has changed, so we update the rules in the config file.
                                      xml ed -u '//alias[name="PIAPort"]/address' -v $PORTNUM $CONFFILE > /tmp/config.pia
                                      
                                      # Put the config file in the correct location.
                                      cp /tmp/config.pia $CONFFILE
                                      
                                      # Create a file in the pfSense web server root that contains the current port.
                                      # This can then be read by other hosts in order to update the open port in
                                      # whatever torrent client is in use.
                                      echo $PORTNUM > /usr/local/www/pia-port.txt
                                      
                                      # Force pfSense to re-read its config
                                      rm /tmp/config.cache
                                      
                                      logger "pia-port - New port number ($PORTNUM) inserted into config file."
                                      
                                      

                                      Once the pia-port script is running on pfSense then on whatever box is running Deluge you simply need to copy the below script, edit it with credentials as necessary, run chmod 755 on it and then configure Cron to run it shortly after the pia-port script runs.

                                      
                                      #!/bin/sh
                                      export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/syno/sbin:/usr/syno/bin:/usr/local/sbin:/usr/local/bin
                                      
                                      # Script to update port used by Deluge torrent client
                                      # Developed for use on FreeNAS 9.10. Should work on other platforms.
                                      # v1.0 (24th June 2016)
                                      
                                      # This script is configured to work with Deluge that has password
                                      # protection on the daemon. You can remove this stuff if you don't use it.
                                      
                                      USERNAME="USERNAME"
                                      PASSWORD="PASSWORD"
                                      
                                      if [ ! -e /tmp/pia-port.txt ]; then
                                      
                                              logger -p user.crit "deluge-port: Setting up port forward for first time."
                                              cd /tmp && curl -O -k https://192.168.200.254/pia-port.txt
                                              read -r NEWPORT < /tmp/pia-port.txt
                                              deluge-console "connect 127.0.0.1:58846 $USERNAME $PASSWORD; config --set listen_ports ($NEWPORT,$NEWPORT)"
                                      
                                      else
                                      
                                              read -r CURPORT < /tmp/pia-port.txt
                                              cd /tmp && curl -o pia-new.txt -k https://192.168.200.254/pia-port.txt
                                              read -r NEWPORT < /tmp/pia-new.txt
                                      
                                              logger -p user.crit "deluge-port: Current port: $CURPORT"
                                              logger -p user.crit "deluge-port: New Port: $NEWPORT"
                                      
                                              if [ "$CURPORT" = "$NEWPORT" ]; then
                                                      logger -p user.crit "deluge-port: Port not changed. Exiting."
                                                      exit 0
                                              fi
                                      
                                              logger -p user.crit "deluge-port: Updating port. Port: $NEWPORT"
                                              mv /tmp/pia-new.txt /tmp/pia-port.txt
                                              deluge-console "connect 127.0.0.1:58846 $USERNAME $PASSWORD; config --set listen_ports ($NEWPORT,$NEWPORT)"
                                      
                                      fi
                                      
                                      exit 0
                                      
                                      

                                      The credentials that need to be used are the Deluge daemon login credentials. If you haven't configured any, you should be able to remove the bits of code for connections and the rest of the script should run fine.

                                      connect 127.0.0.1:58846 $USERNAME $PASSWORD;
                                      

                                      Hopefully this information/these scripts prove useful to someone else that stumbles onto this page.

                                      pia-port.txt
                                      deluge-port.txt

                                      1 Reply Last reply Reply Quote 0
                                      • M
                                        madhartigan
                                        last edited by

                                        Thank you for following up on this!!

                                        The timing could not have been more perfect.  I just got done configuring my pfSense box, got PIA running and figured out how to route certain interfaces around PIA directly to the WAN.

                                        I am not script savvy, but I do have the know-how to properly edit your script with my appropriate information.  (I think)  I have set up deluged, deluge-web and deluge-webui on my Ubuntu 16.04 box following this guide and it seems to be running just fine.

                                        If you have the time, I'd appreciate a bit of assistance configuring this properly to work with my setup.

                                        1. The step in which I'm supposed to configure the port Alias "PIAPort" . . . I'm not sure what port forwards I should assign to that Alias.  Would that be for outgoing ports I assign in Deluge (ie: not set to random)?

                                        2. pia-port gets to the length check for the port number and then spits a syntax error.

                                        [2.3.1-RELEASE][admin@pfsense.mydomain.net]/usr/local/bin: ./pia-port
                                        VENDOR
                                        SSH_CLIENT
                                        LSCOLORS
                                        LOGNAME
                                        OSTYPE
                                        MACHTYPE
                                        FTP_PASSIVE_MODE
                                        CLICOLOR
                                        MAIL
                                        PATH
                                        HOST
                                        REMOTEHOST
                                        SSH_AUTH_SOCK
                                        PWD
                                        GROUP
                                        TERM
                                        SSH_TTY
                                        USER
                                        HOME
                                        SSH_CONNECTION
                                        HOSTTYPE
                                        SHELL
                                        BLOCKSIZE
                                        SHLVL
                                          % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                                                         Dload  Upload   Total   Spent    Left  Speed
                                        100   149  100    57  100    92     26     42  0:00:02  0:00:02 --:--:--    42
                                        expr: syntax error
                                        
                                        [: -gt: unexpected operator
                                        [2.3.1-RELEASE][admin@pfsense.mydomain.net]/usr/local/bin:
                                        
                                        

                                        (edited to change host and domain)

                                        Output from System.log:

                                        Jun 28 20:47:41 pfsense admin: pia-port - Port number acquired:
                                        Jun 28 20:47:41 pfsense admin: pia-port - Current Port Forward: 62420:62430
                                        
                                        

                                        Doesn't seem to be acquiring a port?

                                        2a: Just curious why all those uppercase fields appear at the beginning of the runtime of the script . . . (VENDOR, SSH_CLIENT, LSCOLORS, LOGNAME, etc. etc.)

                                        For now, that's all I have until I can get pia-port properly executing and providing the pia-port.txt file in /usr/local/www/ , I can't verify the functionality of deluge-port.txt.  ;-)

                                        THANK YOU for putting the time into creating this.  I have every confidence it will be a huge help for me once I fix these simple issues.  I just definitely need some help to iron out these kinks.

                                        Any and all help is greatly appreciated.

                                        ADD: silly detail, but might be worth mentioning . . . in deluge-port, second line has "exporrt" not "export"

                                        1 Reply Last reply Reply Quote 0
                                        • E
                                          Elegant
                                          last edited by

                                          I've noticed that in 2.3_5 removing config.cache does NOT reload the port settings. I have found a workaround but I'm hoping some other people can test this so that I can be sure that I'm not just crazy…

                                          http://www.ipfingerprints.com/portscan.php

                                          Example: If my port was previously 25623 and it changed to 42344 I can easily see that 42344 is NOT open. However if I re-save the NAT Port Forward Rule 42344 opens. Hopefully someone else can see this on 2.3_5.

                                          1 Reply Last reply Reply Quote 0
                                          • D
                                            Defyant
                                            last edited by

                                            madhartigan,

                                            The PIAPort alias can be set as anything to start with. As long as the PIAPort alias exists it will update to the correct value the first time you run the script.

                                            Regarding the syntax error,  I've checked over the scripts I posted for something that could be causing it and I can't see anything. One thing I did notice however, was that when I copied out of the code field from the forums that the formatting changed compared to the attached txt file. So if you copied it from there you might want to try downloading the text file version and using that. Failing that can you please post an exact copy of the script you're using (attach it as txt file)? Just remember to edit out the USERNAME and PASSWORD fields first.

                                            To answer your last question those uppercase fields shouldn't appear at all. I suspect these are related to the syntax/formatting error. When you run the script the only output should be the last 3 lines of text before the syntax error.

                                            Lastly what version of pfSense are you using? Because if Elegant is right and 2.3_5 doesn't update the port when clearing the config.cache then the script I posted won't work. I'm still running 2.3.1 at the moment.

                                            Elegant, what was the workaround you are using to reload the port settings?

                                            PS. madhartigan thanks for picking up that typo in the deluge-port script. I've now fixed it and edited my post to use the correct information.

                                            1 Reply Last reply Reply Quote 0
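The empty "Port number acquired:" log line, `expr: syntax error` and `[: -gt: unexpected operator` shown above are consistent with the pia-port length check running on an empty `PORTNUM`, and deluge-port likewise passes whatever it downloaded with `curl -k` straight into the `deluge-console` command string. The sketch below is an added example, not code from any poster in this thread: it accepts a value only if it is a decimal port in 1..65535. The helper names `is_valid_port` and `extract_port` are hypothetical, the `{"port":NNNNN}` success reply shape is an assumption, and the sample bodies are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Helper names are hypothetical.

# is_valid_port VALUE: succeed only for a decimal integer in 1..65535.
is_valid_port() {
    case "$1" in
        ''|*[!0-9]*|0*) return 1 ;;   # empty, non-digit present, or leading zero
    esac
    [ "${#1}" -le 5 ] || return 1     # bound the length before comparing numerically
    [ "$1" -le 65535 ]
}

# extract_port BODY: print the port from a {"port":NNNNN} reply (assumed shape),
# or return non-zero without printing anything.
extract_port() {
    p=$(printf '%s' "$1" |
        sed -n 's/^.*"port"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*$/\1/p')
    is_valid_port "$p" || return 1
    printf '%s\n' "$p"
}

# In pia-port, replacing the grep/expr length check (PORT holds the curl output):
#   PORTNUM=$(extract_port "$PORT") || { logger "pia-port: $PORT"; exit 1; }
# In deluge-port, before NEWPORT reaches deluge-console:
#   is_valid_port "$NEWPORT" || { logger -p user.crit "deluge-port: bad port"; exit 1; }

# Constructed sample bodies; the error string is the one quoted in the thread.
for body in '{"port":42344}' \
            '{"error":"port forwarding not available for this region"}' \
            '{"port":70000}' \
            ''; do
    if port=$(extract_port "$body"); then
        echo "accepted: $port"
    else
        echo "rejected: ${body:-<empty reply>}"
    fi
done
```

Because `extract_port` fails closed, an error reply or an empty response stops the script before the `PIAPort` alias in config.xml or the Deluge listen port is touched.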