Netgate Discussion Forum
    Automated scripts for Private Internet Access port forwarding

    • U
      urby
      last edited by

      I am interested in this as well.  Does anyone know if this is working completely with the most recent release?

      • S
        SpaceAvenger
        last edited by

        OK… I got my script working. Turns out it wasn't the command that pulls the port from PIA that was causing my issue. It was the line where the CLIENTID is generated. It seems just adding the pipe that removes " -" made the difference. Not sure why but it doesn't matter. It's all happy now.

        CLIENTID=$(head -n 100 /dev/urandom | md5 -r | tr -d " -")

        However, I am having the same issue now that Elegant and qwertytheking are having with regards to a port change not applying at least right away. Like qwertytheking mentioned, if you access the port alias and save/apply it, it opens that port but until then, it's still closed.

        Is there a command or something that saves/applies these changes through CLI that I can add to my script?

        • J
          jhboricua
          last edited by

          Looks like PIA introduced a new API in February. The announcement is here:

          New PIA Port Forwarding API

          The old API will be going away, they say, and the new one works a little differently. For example:

          • The query for the port must be done within the first 2 minutes after the connection is made.

          • You no longer need to poll the API periodically; the initial request is sufficient.

          Does anyone have a working solution using the new API that they're willing to share?

          • A
            AccountIsTaken
            last edited by

            I appear to have worked out a script with the new API that works if anyone wants to test it. Preconditions are:

            1. That you have deluge set up on a server that you can ssh into without a password.
            2. That the user you are SSHing into is able to edit deluge-console.
            3. That you have xmlstarlet installed (curl appears to be preinstalled on my version, otherwise install it as well).
            4. That you have a port forward setup using an alias name of PIAPort.

            You'll need to append --route-up /location/script.sh to the custom options of your VPN setup.

            #!/bin/sh
            CONFFILE=/cf/conf/config.xml
            TMP_CONFFILE=/tmp/config.pia
            
            # Interface name of vpn connection
            INTERFACE='ovpnc7'
            
            # IP of server deluge is running on
            SERVER_IP=''
            
            # Username that has ssh setup that is able to edit deluge-console
            USER=''
            
            # Delay for 5 seconds to ensure vpn is up
            sleep 5
            
            # Generate a random client ID (hex digest with any spaces/dashes stripped).
            CLIENT_ID=`head -n 100 /dev/urandom | sha256 | tr -d " -"`
            
            # Get a forwarded port from PIA, sending the request out of the VPN interface
            PORT=`curl -s --interface "$INTERFACE" "http://209.222.18.222:2000/?client_id=$CLIENT_ID"`
            
            # Cleanup port output: keep only the digits
            PORTNUM=`echo "$PORT" | grep -oE "[0-9]+"`
            
            # Some error detection. If PORTNUM is not 5 characters, we know that
            # an error has been returned. We log it to syslog, and exit.
            if [ ${#PORTNUM} -ne 5 ]; then
            	logger "pia-port - Error setting port: $PORT"
            	exit 0
            fi
            
            logger "pia-port - Port number acquired: $PORTNUM"
            
            # Change Deluge port
            ssh "$USER@$SERVER_IP" "deluge-console 'config --set listen_ports ($PORTNUM, $PORTNUM)'"
            
            # Update the port forward rules in the config file. Write to a temp file
            # first and only replace config.xml if the edit succeeded, so a failed
            # xmlstarlet run cannot leave an empty config behind.
            if ! xml ed -u '//alias[name="PIAPort"]/address' -v "$PORTNUM" "$CONFFILE" > "$TMP_CONFFILE"; then
            	logger "pia-port - Error updating config file"
            	exit 1
            fi
            
            # Put the config file in the correct location.
            cp "$TMP_CONFFILE" "$CONFFILE"
            
            # Force pfSense to re-read its config
            rm /tmp/config.cache
            
            # Reload the filter
            /etc/rc.filter_configure
            
            logger "pia-port - New port number ($PORTNUM) inserted into config file."
            

            Edit: Upon further testing the script works but executing it that way would only work some of the time. I added the below code to the end of /etc/devd.conf which is responsible for executing tasks depending on kernel events. It seems to work consistently this way. Edit ovpnc to the interface number of your vpn connection and change /location/script.sh to the location that you saved the script.

            notify 0 {
                    match "system"          "IFNET";
                    match "subsystem"       "(ovpnc7)";
                    match "type"            "LINK_UP";
                    action " /location/script.sh";
            };
            
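            As an added example that is not part of the thread or of AccountIsTaken's script, the block below hardens the two fragile steps in the procedure above: it validates what comes back from the PIA request before the number is used anywhere, and it replaces config.xml only after the xmlstarlet edit has been read back and confirmed. The reply bodies and the function names are constructed for the demo (they are not PIA's documented format), and xmlstarlet is assumed to be installed as `xml`, as in the thread.

```sh
#!/bin/sh
# Added example, not code from the thread. The reply bodies used in the demo
# are constructed; they do not document PIA's actual response format.

# Print the forwarded port from an API reply. Succeeds only when the reply holds
# exactly one number, with no leading zero, in the range 1024-65535, so a JSON
# error body, an empty reply or an HTML page with several numbers is rejected.
pia_extract_port() {
    nums=$(printf '%s' "$1" | grep -oE '[0-9]+' || true)
    # grep -o prints one match per line; require exactly one line
    [ "$(printf '%s\n' "$nums" | grep -c .)" -eq 1 ] || return 1
    case "$nums" in 0*) return 1 ;; esac
    [ "$nums" -ge 1024 ] && [ "$nums" -le 65535 ] || return 1
    printf '%s\n' "$nums"
}

# Write an already validated port into the PIAPort alias. Requires xmlstarlet
# (the 'xml' binary). The edit goes to a temp file next to config.xml, is read
# back to confirm the new value, and only then replaces the config with an
# atomic rename, so a failed edit can never leave an empty config.xml behind.
pia_write_alias() {
    port="$1"; conf="$2"; tmp="$conf.pia.$$"
    xml ed -u '//alias[name="PIAPort"]/address' -v "$port" "$conf" > "$tmp" \
        || { rm -f "$tmp"; return 1; }
    [ "$(xml sel -t -v '//alias[name="PIAPort"]/address' "$tmp")" = "$port" ] \
        || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$conf" && rm -f /tmp/config.cache   # make pfSense re-read the file
}

# Demo on constructed replies: one good port, one error body, one junk reply
for reply in '{"port":41234}' '{"error":"retry in 2 minutes"}' 'port 80 ok 443'; do
    if p=$(pia_extract_port "$reply"); then
        echo "accepted port $p"
    else
        echo "rejected reply: $reply"
    fi
done
```

            On the firewall, `pia_write_alias "$p" /cf/conf/config.xml` followed by `/etc/rc.filter_configure` replaces the `xml ed` / `cp` / `rm` sequence of the script above.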
            • J
              jhboricua
              last edited by

              Thanks AccountIsTaken.

              ~~Correct me if I'm wrong but isn't the portion of the script dealing with the torrent client optional? As long as my pfsense NAT rule forwards the port I'm opening on the WAN side (set to the PIAPort Alias) to the port of my torrent client in my LAN subnet I should be ok, right? In other words:

              WAN:PIAPort –> LAN:TorrentClient:port

              I only care about updating the alias and will leave the port on the client side unchanged, letting pfSense port forwarding do its thing.~~

              I figured it would be easier to just test it out. I used your script minus the lines dealing with Deluge, meaning the script will only update the port alias and reload the filter in pfSense once the VPN connection is established. It works like a charm. My NAT rule has the port forwarding in the WAN interface using the PIAport alias, but the destination port for the forwarded traffic on the LAN IP is a static value that never changes. That way I don't have to update my torrent client every time I reconnect the VPN.

              • A
                AccountIsTaken
                last edited by

                Glad it's working for you jhboricua.

                Yes the part dealing with the torrent client is completely optional. You could strip out that part without any problems as you've found. You could also program multiple port forwards as long as each port forward runs through a separate vpn client connection if you wanted to run various services. You just have to create multiple connections and update for each connection.

                • H
                  Hakon74
                  last edited by

                  Thank you AccountIsTaken  :D
                  Great script! Deluge is working perfectly

                  Can this be modified to work with Plex? I do get a port from PIA but I have to change the port manually in PMS every time it changes.

                  • H
                    Hakon74
                    last edited by

                    Hello

                    Anyone else having trouble executing the script after updating to pfSense 2.4.0?

                    I have added this to the end of "/etc/devd.conf"

                    notify 0 {
                            match "system"          "IFNET";
                            match "subsystem"       "(ovpnc5)";
                            match "type"            "LINK_UP";
                            action "/usr/local/bin/piaport/DelugePort_2.sh";
                    };
                    
                    */
                    

                    I have also tried adding the below lines to OpenVPN -> Advanced Configuration -> Custom options

                    persist-key
                    persist-tun
                    remote-cert-tls server
                    reneg-sec 0
                    route-up /usr/local/bin/piaport/DelugePort_2.sh
                    

                    Seems like it's not executing.
                    But if I open an SSH session and run it manually it works like before.

                    • K
                      KirkDiggler
                      last edited by

                      OK, glad it's not just me. I am having the exact same issue, and since I'm new to pfSense and started with 2.4 I wasn't sure if this was just a problem with mine or not. Sorry I don't have a fix, but it's not just you.

                      • P
                        ProHill
                        last edited by

                        It looks like you added the lines inside a comment.  In any event, try putting it in a new .conf file in /usr/local/etc/devd/

                        You will probably have to create the devd directory.  Name the file anything you want, as long as it ends in .conf

                        Do a /etc/rc.d/devd restart, and it should pick up the new rule.

                        This is working for me in 2.4.

                        Andy

                        • H
                          Hakon74
                          last edited by

                          Thank you ProHill

                          Your solution works for me too  :D :D

                          • J
                            joelones
                            last edited by

                            Great thread, saved me lots of effort.

                            • J
                              joelones
                              last edited by

                              I seem to be getting inconsistent results all of a sudden. I notice the script works fine: I get the port from PIA and update the alias, and the script exits correctly, but checking if the port is open results in a closed port.

                              If I run the "/etc/rc.filter_configure" from the command line after the script runs then the port becomes open. Running 2.4.3. Thoughts on what could be going on here?

                              • B
                                Bagpuss
                                last edited by

                                Please see the second post in the thread for some new updates that take into account changes being made by PIA to the port forwarding mechanism.
                                My original scripts will stop working soon, as PIA are discontinuing the original API.

                                • B
                                  Bagpuss
                                  last edited by

                                  @joelones:

                                  I seem to be getting inconsistent results all of a sudden. I notice the script works fine: I get the port from PIA and update the alias, and the script exits correctly, but checking if the port is open results in a closed port.

                                  If I run the "/etc/rc.filter_configure" from the command line after the script runs then the port becomes open. Running 2.4.3. Thoughts on what could be going on here?

                                  Not sure what's going on there. I'm still running 2.4.2-p1.
                                  I'll upgrade and see if I get the same behaviour.

                                  You might also want to give the new v1.05 script a try, as this works with the new API that PIA have introduced for port forwarding.

                                  • B
                                    Bagpuss
                                    last edited by

                                    @joelones:

                                    I seem to be getting inconsistent results all of a sudden. I notice the script works fine: I get the port from PIA and update the alias, and the script exits correctly, but checking if the port is open results in a closed port.

                                    If I run the "/etc/rc.filter_configure" from the command line after the script runs then the port becomes open. Running 2.4.3. Thoughts on what could be going on here?

                                    Just updated to 2.4.3, and am not seeing this behaviour on my system with the 1.05 script.

                                    • B
                                      Bagpuss
                                      last edited by

                                      Please check second post for another update.
                                      For those who use Deluge on Synology NAS, I've now provided updated scripts to support it.

                                      • J
                                        joelones
                                        last edited by

                                        I noticed that over time the PIA assigned port tends to close on me. Not sure if others experience the same. I find myself visiting port verifying sites like yougetsignal.com, etc to check whether the port is still open.

                                        Any thoughts on how to script this check from the command line, I assume it would have to be able to use the specific interface and whatnot.

                                        Just wondering if someone could put together a script to check whether the port is still open and if not, restart the vpn client.
                                        EDIT: So I wrote a little script that checks the port and, if it is closed from the exterior, restarts the VPN service and sends an email. Of course, it assumes that you have installed AccountIsTaken's script (including the devd portion), email set up, and an alias for the forwarded port. I slapped it in a cron job.

                                        
                                        #!/bin/sh
                                        export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
                                        
                                        # Config file
                                        CONFFILE=/cf/conf/config.xml
                                        
                                        # Interface name of vpn connection
                                        VPNCLIENT=2
                                        INTERFACE="ovpnc$VPNCLIENT"
                                        
                                        # Get current NAT port number using xmlstarlet to parse the config file - requires alias 'PIAPort' to be present
                                        CURPORT=`xml sel -t -v '//alias[name="PIAPort"]/address' "$CONFFILE"`
                                        
                                        # Check forwarded port from the exterior, sending the request out of the VPN interface
                                        OUTPUT=$(curl -s --interface "$INTERFACE" --max-time 10 -d "portNumber=$CURPORT" -X POST https://ports.yougetsignal.com/check-port.php 2>&1)
                                        if ! echo "$OUTPUT" | grep -iq "open"; then
                                            logger "pia-port - Port ($CURPORT) is closed on VPN ($INTERFACE) on `date`"
                                        
                                            # Notify via email (runs in the background so a slow mail server does not delay the restart)
                                            echo "pia-port - Port ($CURPORT) is closed on VPN ($INTERFACE) on `date`" | /usr/local/bin/php /usr/local/bin/mail.php -s"pfSense PIA Port Forward" &
                                        
                                            # Restart openvpn client
                                            /usr/local/sbin/pfSsh.php playback svc restart openvpn client "$VPNCLIENT"
                                        fi
                                        
                                        
                                        • P
                                          PnoT @Bagpuss
                                          last edited by

                                          @bagpuss None of the attachments you've linked are downloadable now. Do you have any updated links so I can give this solution a try?

                                          Thanks

                                          • B
                                            Bagpuss @PnoT
                                            last edited by

                                            @pnot Have re-uploaded the files in post 2. I'm guessing the move to new forum software broke the original links.
                                            Apologies for not responding sooner.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.