Automated scripts for Private Internet Access port forwarding
-
Thank you for following up on this!!
The timing could not have been more perfect. I just got done configuring my pfSense box, got PIA running and figured out how to route certain interfaces around PIA directly to the WAN.
I am not script savvy, but I do have the know-how to properly edit your script with my appropriate information. (I think) I have set up deluged, deluge-web and deluge-webui on my Ubuntu 16.04 box following this guide and it seems to be running just fine.
If you have the time, I'd appreciate a bit of assistance configuring this properly to work with my setup.
-
The step in which I'm supposed to configure the port Alias "PIAPort" . . . I'm not sure what port forwards I should assign to that Alias. Would that be for outgoing ports I assign in Deluge (ie: not set to random)?
-
pia-port gets to the length check for the port number and then spits a syntax error.
[2.3.1-RELEASE][admin@pfsense.mydomain.net]/usr/local/bin: ./pia-port VENDOR SSH_CLIENT LSCOLORS LOGNAME OSTYPE MACHTYPE FTP_PASSIVE_MODE CLICOLOR MAIL PATH HOST REMOTEHOST SSH_AUTH_SOCK PWD GROUP TERM SSH_TTY USER HOME SSH_CONNECTION HOSTTYPE SHELL BLOCKSIZE SHLVL % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 149 100 57 100 92 26 42 0:00:02 0:00:02 --:--:-- 42 expr: syntax error [: -gt: unexpected operator [2.3.1-RELEASE][admin@pfsense.mydomain.net]/usr/local/bin:
(edited to change host and domain)
Output from System.log:
Jun 28 20:47:41 pfsense admin: pia-port - Port number acquired: Jun 28 20:47:41 pfsense admin: pia-port - Current Port Forward: 62420:62430
Doesn't seem to be acquiring a port?
2a: Just curious why all those uppercase fields appear at the beginning of the runtime of the script . . . (VENDOR, SSH_CLIENT, LSCOLORS, LOGNAME, etc. etc.)
For now, that's all I have. Until I can get pia-port properly executing and providing the pia-port.txt file in /usr/local/www/, I can't verify the functionality of deluge-port.txt. ;-)
THANK YOU for putting the time into creating this. I have every confidence it will be a huge help for me once I fix these simple issues. I just definitely need some help to iron out these kinks.
Any and all help is greatly appreciated.
ADD: silly detail, but might be worth mentioning . . . in deluge-port, second line has "exporrt" not "export"
-
-
I've noticed that in 2.3_5 that removing config.cache does NOT reload the port settings. I have found a workaround but I'm hoping some other people can test this so that I can be sure that I'm not just crazy…
http://www.ipfingerprints.com/portscan.php
Example: If my port was previously 25623 and it changed to 42344 I can easily see that 42344 is NOT open. However if I re-save the NAT Port Forward Rule 42344 opens. Hopefully someone else can see this on 2.3_5.
-
madhartigan,
The PIAPort alias can be set as anything to start with. As long as the PIAPort alias exists it will update to the correct value the first time you run the script.
Regarding the syntax error, I've checked over the scripts I posted for something that could be causing it and I can't see anything. One thing I did notice however, was that when I copied out of the code field from the forums that the formatting changed compared to the attached txt file. So if you copied it from there you might want to try downloading the text file version and using that. Failing that can you please post an exact copy of the script you're using (attach it as txt file)? Just remember to edit out the USERNAME and PASSWORD fields first.
To answer your last question those uppercase fields shouldn't appear at all. I suspect these are related to the syntax/formatting error. When you run the script the only output should be the last 3 lines of text before the syntax error.
Lastly what version of pfSense are you using? Because if Elegant is right and 2.3_5 doesn't update the port when clearing the config.cache then the script I posted won't work. I'm still running 2.3.1 at the moment.
Elegant, what was the workaround you are using to reload the port settings?
PS. madhartigan thanks for picking up that typo in the deluge-port script. I've now fixed it and edited my post to use the correct information.
-
First let me say this script and post was extremely helpful and works great (mostly)!
I am running 2.3.1-RELEASE-p5 and have the same issue as Elegant in that the rules don't seem to get updated unless I use the web GUI to save and then apply changes. I see the port number getting updated in the web GUI but the port is not actually open on the firewall until I manually save and use the button to apply changes.
What is the workaround you spoke of? Is it something that can be easily automated?
Thanks!
-
I know this is an old post. I've already created a new topic post but have yet to receive any replies to it. Thought I would just throw this in here and hope someone will reply back with helpful info.
I am attempting to add a script to my pfSense box that pulls or receives a port assignment from PIA. I'm basing my script on one created and modified from https://forum.pfsense.org/index.php?topic=71725.15 I'm not sure if something has changed with either pfSense or PIA since last July but I'm not able to get a port number with this script. It keeps coming back with "Port forward not available for this region." I've tried both Netherlands and Switzerland which are both servers that have port forwarding available. My first hunch is maybe I have a setting incorrectly set in pfSense. Or maybe PIA has changed something in their URL. Not sure. Anyway, I've verified that the variables going into the command below to receive a port assignment from PIA are correct (ie - username, password, client_id, local_ip).
```sh
# Request a forwarded port from PIA's (original) port_forward_assignment endpoint
PORT=$(curl -k -d "user=$USERNAME&pass=$PASSWORD&client_id=$(cat $PIACLIENTID)&local_ip=$LOCAL_IP" https://www.privateinternetaccess.com/vpninfo/port_forward_assignment)
```
I've got a working OpenVPN tunnel created to the Netherlands currently. Just can't seem to get this script to get a port number.
Any ideas would be greatly appreciated. If you need more info let me know.
Thank you.
-
I am interested in this as well. Does anyone know if this is working completely with the most recent release?
-
OK… I got my script working. Turns out it wasn't the command that pulls the port from PIA that was causing my issue. It was the line where the CLIENTID is generated. It seems just adding the pipe that removes " -" made the difference. Not sure why but it doesn't matter. It's all happy now.
```sh
# Generate a random client ID; the tr strips the space and dash md5 -r may print
CLIENTID=$(head -n 100 /dev/urandom | md5 -r | tr -d " -")
```
However, I am having the same issue now that Elegant and qwertytheking are having with regards to a port change not applying at least right away. Like qwertytheking mentioned, if you access the port alias and save/apply it, it opens that port but until then, it's still closed.
Is there a command or something that saves/applies these changes through CLI that I can add to my script?
-
Looks like PIA introduced a new API in February. The announcement is here:
The old API will be going away, they say. And the new one works a little differently. For example:
- The query for the port must be done within the first 2 minutes after the connection is made.
- You no longer need to poll the API periodically; the initial request is sufficient.
Does anyone have a working solution using the new API that they're willing to share?
-
-
I appear to have worked out a script with the new API that works if anyone wants to test it. Preconditions are:
1. That you have deluge set up on a server that you can ssh into without a password.
2. That the user you are SSHing into is able to edit deluge-console.
3. That you have xmlstarlet installed (curl appears to be preinstalled on my version, otherwise install it as well).
4. That you have a port forward setup using an alias name of PIAPort.

You'll need to append --route-up /location/script.sh to the custom options of your VPN setup.

```sh
#!/bin/sh
CONFFILE=/cf/conf/config.xml
TMP_CONFFILE=/tmp/config.pia
#Interface name of vpn connection
INTERFACE='ovpnc7'
#IP of server deluge is running on
SERVER_IP=''
#Username that has ssh setup that is able to edit deluge-console
USER=''
#Delay for 5 seconds to ensure vpn is up
sleep 5
#Generate a client ID.
CLIENT_ID=`head -n 100 /dev/urandom | sha256 | tr -d " -"`
#Get a forwarded port from PIA
PORT=`curl --interface $INTERFACE "http://209.222.18.222:2000/?client_id=$CLIENT_ID"`
#Cleanup port output
PORTNUM=`echo $PORT | grep -oE "[0-9]+"`
# Some error detection. If PORTNUM is not 5 characters, we know that
# an error has been returned. We log it to syslog, and exit.
if [ ${#PORTNUM} -ne 5 ]; then
    logger "pia-port - Error setting port"
    exit 0
fi
logger "pia-port - Port number acquired: $PORTNUM"
#Change Deluge port
ssh $USER@$SERVER_IP "deluge-console 'config --set listen_ports ($PORTNUM, $PORTNUM)'"
# Update the port forward rules in the config file.
xml ed -u '//alias[name="PIAPort"]/address' -v $PORTNUM $CONFFILE > $TMP_CONFFILE
# Put the config file in the correct location.
cp $TMP_CONFFILE $CONFFILE
# Force pfSense to re-read its config
rm /tmp/config.cache
#Reload the filter
/etc/rc.filter_configure
logger "pia-port - New port number ($PORTNUM) inserted into config file."
```
Edit: Upon further testing the script works but executing it that way would only work some of the time. I added the below code to the end of /etc/devd.conf which is responsible for executing tasks depending on kernel events. It seems to work consistently this way. Edit ovpnc to the interface number of your vpn connection and change /location/script.sh to the location that you saved the script.
```sh
notify 0 {
    match "system" "IFNET";
    match "subsystem" "(ovpnc7)";
    match "type" "LINK_UP";
    action "/location/script.sh";
};
```
-
Thanks AccountIsTaken.
~~Correct me if I'm wrong but isn't the portion of the script dealing with the torrent client optional? As long as my pfsense NAT rule forwards the port I'm opening on the WAN side (set to the PIAPort Alias) to the port of my torrent client in my LAN subnet I should be ok, right? In other words:
WAN:PIAPort --> LAN:TorrentClient:port
I only care about updating the alias and will leave the port on the client side unchanged, letting pfSense port forwarding do its thing.~~
I figured it would be easier to just test it out. I used your script minus the lines dealing with Deluge, meaning the script will only update the port alias and reload the filter in pfSense once the VPN connection is established. It works like a charm. My NAT rule has the port forwarding in the WAN interface using the PIAport alias but the destination port for the forwarded traffic on the LAN IP is a static value that never changes. That way I don't have to update my torrent client every time I reconnect the VPN.
-
Glad it's working for you jhboricua.
Yes the part dealing with the torrent client is completely optional. You could strip out that part without any problems as you've found. You could also program multiple port forwards as long as each port forward runs through a separate vpn client connection if you wanted to run various services. You just have to create multiple connections and update for each connection.
-
Thank you AccountIsTaken :D
Great script! Deluge is working perfectly. Can this be modified to work with Plex? I do get a port from PIA but I have to change the port manually in PMS every time it changes.
-
Hello
Anyone else having trouble executing the script after updating to pfsense 2.4.0 ??
I have added this to the end of "/etc/devd.conf"
```sh
notify 0 {
    match "system" "IFNET";
    match "subsystem" "(ovpnc5)";
    match "type" "LINK_UP";
    action "/usr/local/bin/piaport/DelugePort_2.sh";
}; */
```
I have also tried adding the below lines to OpenVPN -> Advanced Configuration -> Custom options
```
persist-key
persist-tun
remote-cert-tls server
reneg-sec 0
route-up /usr/local/bin/piaport/DelugePort_2.sh
```
seems like it's not executing.
But if I open an ssh session and run it manually it works like before.
-
OK, glad it's not just me. I am having the exact same issue and since I'm new to pfSense and started with 2.4 I wasn't sure if this was just a problem with mine or not. Sorry I don't have a fix, but it's not just you.
-
It looks like you added the lines inside a comment. In any event, try putting it in a new .conf file in /usr/local/etc/devd/
You will probably have to create the devd directory. Name the file anything you want, as long as it ends in .conf
Do a /etc/rc.d/devd restart, and it should pick up the new rule.
This is working for me in 2.4.
Andy
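As an added example (not ProHill's own files or anything else posted in this thread), the following sh functions write the devd rule from the previous posts into its own file under /usr/local/etc/devd/, which is what the post above suggests instead of editing /etc/devd.conf. The function names, the `pia-port-<iface>.conf` filename and the optional directory argument are assumptions made for this illustration; the rule body is the same one used earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): install the devd(8) LINK_UP rule as a
# separate file under /usr/local/etc/devd/ rather than inside /etc/devd.conf.
# Assumes POSIX sh on pfSense/FreeBSD; the interface name and the script path
# are supplied by the caller.

# pia_devd_rule IFACE SCRIPT
# Prints a devd rule that runs SCRIPT when the OpenVPN client interface IFACE
# (e.g. ovpnc5) comes up. The rule is emitted on its own, with no surrounding
# /* ... */, so devd actually parses it instead of treating it as a comment.
pia_devd_rule() {
    cat <<EOF
notify 0 {
    match "system" "IFNET";
    match "subsystem" "($1)";
    match "type" "LINK_UP";
    action "$2";
};
EOF
}

# pia_install_devd_rule IFACE SCRIPT [DEVD_DIR]
# Validates the inputs, writes the rule to DEVD_DIR/pia-port-IFACE.conf
# (DEVD_DIR defaults to /usr/local/etc/devd) and prints the path written.
# Returns 1 without writing anything if IFACE or SCRIPT look wrong.
pia_install_devd_rule() {
    iface=$1
    script=$2
    dir=${3:-/usr/local/etc/devd}
    case "$iface" in
        ovpnc[0-9]*) ;;
        *) echo "pia-port: '$iface' is not an OpenVPN client interface name" >&2; return 1 ;;
    esac
    if [ ! -x "$script" ]; then
        echo "pia-port: $script is not an executable file" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    conf="$dir/pia-port-$iface.conf"
    pia_devd_rule "$iface" "$script" > "$conf" || return 1
    printf '%s\n' "$conf"
}

# Stand-alone use: ./install-rule.sh ovpnc5 /usr/local/bin/piaport/DelugePort_2.sh
# After the file is written, devd has to re-read its configuration, as the
# post above says: /etc/rc.d/devd restart
main() {
    conf=$(pia_install_devd_rule "$1" "$2") || exit 1
    echo "wrote $conf"
    if [ -x /etc/rc.d/devd ]; then
        /etc/rc.d/devd restart
    fi
}

if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Keeping one rule per interface in its own file means a second VPN client (the multiple-forward setup mentioned earlier in the thread) just needs a second call with its own ovpncN name and script, and a broken rule can be removed without touching the others.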
-
Thank you ProHill
Your solution works for me too :D :D
-
Great thread, saved me lots of effort.
-
I seem to be getting inconsistent results all of a sudden. I notice the script works fine, I get the port from PIA and update the alias, the script exits correctly, but checking if the port is open results in a closed port.
If I run the "/etc/rc.filter_configure" from the command line after the script runs then the port becomes open. Running 2.4.3. Thoughts on what could be going on here?
-
Please see the second post in the thread for some new updates that take into account changes being made by PIA to the port forwarding mechanism.
My original scripts will stop working soon, as PIA are discontinuing the original API.
-
I seem to be getting inconsistent results all of a sudden. I notice the script works fine, I get the port from PIA and update the alias, the script exits correctly, but checking if the port is open results in a closed port.
If I run the "/etc/rc.filter_configure" from the command line after the script runs then the port becomes open. Running 2.4.3. Thoughts on what could be going on here?
Not sure what's going on there. I'm still running 2.4.2-p1.
I'll upgrade and see if I get the same behaviour. You might also want to give the new v1.05 script a try, as this works with the new API that PIA have introduced for port forwarding.