Netgate Discussion Forum

Automated scripts for Private Internet Access port forwarding

  • S
    saytar
    last edited by Jul 29, 2014, 5:55 AM

    Not sure I can help as I don't have my VPN back up yet since my box crashed and I had to reflash and set it back up... But before the crash I did have PIA up and working on pfSense 2.1.3.

    I didn't have any trouble with it changing IPs when they switched around… my logs showed pfSense detecting the change and just remaking the tunnel... and I never noticed it... until I happened to check the logs...

    There is a how-to online somewhere I went by to set it up. The setup was for ONLY the client setup. I think maybe everyone is making the issue more complex than needed.

    Check this link.  http://www.bodenzord.com/archives/324
    Maybe it will help

    Chow

    “An armed society is a polite society. Manners are good when one may have to back up his acts with his life.”

    “Ignorance is curable, stupid is forever.”
    ― Robert A. Heinlein, Beyond This Horizon

    1 Reply Last reply Reply Quote 0
    • K
      khyr0n
      last edited by Feb 27, 2015, 3:19 AM

      OMG This post is the Holy Grail I had to revive it! (And because I have a question)

      Thanks a lot! I only changed
      PORT=`curl -d "user=$USERNAME&pass=$PASSWORD&client_id=$(cat $PIACLIENTID)&local_ip=$LOCAL_IP" https://www.privateinternetaccess.com/vpninfo/port_forward_assignment`

      to

      PORT=`curl -k -d "user=$USERNAME&pass=$PASSWORD&client_id=$(cat $PIACLIENTID)&local_ip=$LOCAL_IP" https://www.privateinternetaccess.com/vpninfo/port_forward_assignment`

      Because I was getting an error… Now it's fine!

      BUT...

      Would anyone have an idea on how to go about reading the pia_port.txt file from a remote windows machine running utorrent client???

      Thanks again!

      1 Reply Last reply Reply Quote 0
      • S
        Soloam
        last edited by Feb 27, 2015, 9:26 AM

        Hello, yes I had to make that change too, something regarding certificates on the SSH.

        Also I made a small change to Bagpuss' pfSense script, to make it use an alias with a port, instead of changing the rules. That way I can use the torrent port in other rules.

        It assumes a port alias with the name "TorrentBoxPortPIA".

        
        #!/bin/sh
        export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
        
        # Private Internet Access Advanced Port Forward Script for pfSense
        # v1.0 (21st January 2014)
        
        # Pre-requisites for this script:
        # pfSense v2.1 (Port forward NAT return destination broken in earlier versions)
        # curl - pkg_add -r curl
        # xmlstarlet - pkg_add -r xmlstarlet
        
        # Add your PIA username and password
        USERNAME=USER
        PASSWORD=PASSWORD
        PIACLIENTID=/cf/conf/pia_client_id
        CONFFILE=/cf/conf/config.xml
        
        # Check to see if we have a valid PIA Client ID file.
        # If not, create one. Linux is included for illustration only.
        if [ ! -e $PIACLIENTID ]; then
        
        	# OSX/FreeBSD (pfSense)
        	head -n 100 /dev/urandom | md5 > $PIACLIENTID
        
        	# Linux
        	#head -n 100 /dev/urandom | md5sum | tr -d " -" > $PIACLIENTID
        
        	logger "pia-port: Created new PIA Client ID."
        fi
        
        # Find out the tunnelling device for your VPN and get your IP address.
        # There are several options presented here. Personally, I prefer to use
        # the interface which I know relates to my VPN tunnel for forwarding.
        
        #DEVICE=`ifconfig | grep -o "tun[0-9]"`
        #LOCAL_IP=`ifconfig $DEVICE | grep -Po "(?<=addr.)[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*"`
        LOCAL_IP=`ifconfig ovpnc1 | grep "inet " | cut -d\  -f2`
        
        # Get the port number for the forwarded port
        PORT=`curl -d "user=$USERNAME&pass=$PASSWORD&client_id=$(cat $PIACLIENTID)&local_ip=$LOCAL_IP" -k https://www.privateinternetaccess.com/vpninfo/port_forward_assignment`
        
        PORTNUM=`echo $PORT | grep -oE "[0-9]+"` 
        
        # Some error detection. If PORTNUM is longer than 5 characters, we know that
        # an error has been returned. We log it to syslog, and exit.
        len=`expr $PORTNUM : '.*'`
        echo $len
        
        if [ $len -gt 5 ]; then
        	logger "pia-port: $PORTNUM"
        	exit 0
        fi
        
        logger "pia-port: Port number acquired: $PORTNUM"
        
        # Get current NAT port number using xmlstarlet to parse the config file.
        CURPORT=`xml sel -t -v '//alias[name="TorrentBoxPortPIA"]/address' $CONFFILE`
        
        logger "pia-port: Current port forward: $CURPORT"
        
        # The port mapping doesn't always change. 
        # We don't want to force pfSense to re-read its config if we don't need to.
        if [ "$CURPORT" = "$PORTNUM" ]; then
        	logger "pia-port: Port not changed. Exiting."
        	exit 0
        fi
        
        # Port forward has changed, so we update the rules in the config file.
        xml ed -u '//alias[name="TorrentBoxPortPIA"]/address' -v $PORTNUM $CONFFILE > /tmp/config.pia
        
        # Put the config file in the correct location.
        cp /tmp/config.pia $CONFFILE
        
        # Create a file in the pfSense web server root that contains the current port.
        # This can then be read by other hosts in order to update the open port in
        # whatever torrent client is in use.
        echo $PORTNUM > /usr/local/www/pia_port.txt
        
        # Force pfSense to re-read its config
        rm /tmp/config.cache
        
        logger "pia-port: New port number ($PORTNUM) inserted into config file."
        
        

        Best Regards

        1 Reply Last reply Reply Quote 0
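Added example, not part of the posts above or of the original script: `-k` tells curl to skip certificate verification, so the PIA username and password in the POST body go to whatever host answers the connection. The sketch below keeps verification on by pointing curl at a CA bundle, URL-encodes the fields, and feeds them to curl as a config on stdin so the password does not appear in the process list; the bundle search list and the helper names `find_ca_bundle`, `curl_quote`, `pia_curl_config` and `request_port` are assumptions for illustration.

```shell
#!/bin/sh
# Added example: request the forwarded port with certificate verification
# left on. Helper names and the CA bundle search list are assumptions.

API_URL="https://www.privateinternetaccess.com/vpninfo/port_forward_assignment"

# Common CA bundle locations: FreeBSD ca_root_nss package, FreeBSD base,
# Debian/Ubuntu ca-certificates.
CA_CANDIDATES="/usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem /etc/ssl/certs/ca-certificates.crt"

# find_ca_bundle [PATH...]
# Prints the first readable, non-empty bundle. Fails if none is found, so the
# caller never falls back to an unverified connection.
find_ca_bundle() {
    [ "$#" -gt 0 ] || set -- $CA_CANDIDATES
    for f in "$@"; do
        if [ -r "$f" ] && [ -s "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# curl_quote STRING
# Escapes backslashes and double quotes for a quoted curl config value.
curl_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# pia_curl_config USER PASS CLIENT_ID LOCAL_IP CAFILE
# Prints a curl config (for "curl --config -"). data-urlencode encodes each
# value, so a password containing "&" or "=" cannot break the POST body.
pia_curl_config() {
    printf 'url = "%s"\n' "$API_URL"
    printf 'cacert = "%s"\n' "$(curl_quote "$5")"
    printf 'data-urlencode = "user=%s"\n' "$(curl_quote "$1")"
    printf 'data-urlencode = "pass=%s"\n' "$(curl_quote "$2")"
    printf 'data-urlencode = "client_id=%s"\n' "$(curl_quote "$3")"
    printf 'data-urlencode = "local_ip=%s"\n' "$(curl_quote "$4")"
}

# request_port USER PASS CLIENT_ID LOCAL_IP
# Sends the request and prints the raw response body. A TLS failure makes
# curl exit non-zero instead of silently continuing.
request_port() {
    ca=$(find_ca_bundle) || {
        logger "pia-port: no CA bundle found, refusing to send credentials"
        return 1
    }
    pia_curl_config "$1" "$2" "$3" "$4" "$ca" |
        curl --silent --show-error --fail --max-time 30 --config -
}

# In the script this would replace the PORT= line:
# PORT=$(request_port "$USERNAME" "$PASSWORD" "$(cat "$PIACLIENTID")" "$LOCAL_IP")
```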
        • P
          plainzwalker
          last edited by Sep 9, 2015, 10:53 PM

          Sorry for resurrecting an old post but I just found it and I have it 90% working. The problem I am having is with the transmission script, I am using an Ubuntu server instead of a Synology system for transmission, and apparently I wasn't lucky enough for this script to work out of the box for me. Can someone please point me in the right direction so I can convert this to a linux script so I can get it to work?

          Error I am getting is:

          jeff@behemuth:/usr/local/bin$ sh transmission-port
          transmission-port: 40: transmission-port: Syntax error: end of file unexpected (                  expecting "then")
          jeff@behemuth:/usr/local/bin$
          
          

          Thank you

          1 Reply Last reply Reply Quote 0
          • D
            DocLove
            last edited by Dec 23, 2015, 5:12 PM

            First,
                Thank everyone for their hard work on this thread, it was exactly what I needed to get my tunnel working. Since it took me some work to get this operational I thought I would share the final files I am running with.

            1 Reply Last reply Reply Quote 0
            • A
              Attackduck
              last edited by Dec 30, 2015, 6:44 AM

              Thank you for the information!  And the script/instructions.
              I managed to make the pfSense side work by adding "-k" to this line in pia-port script Line 46 as someone suggested here:

              PORT=`curl --interface $INTERFACE -k -d "user=$USERNAME&pass=$PASSWORD&client_id=$(cat $PIACLIENTID)&local_ip=$LOCAL_IP" https://www.privateinternetaccess.com/vpninfo/port_forward_assignment`

              PIA was not allowing port forwarding on the original server I was connected to, and did not see that error message till after I changed this line.  After I changed servers to one that allowed port forwarding, it was working.

              Instead of a second script running to change the port on the application side, can we hard code the port on the destination side to match the application?  PIA assigned me 27494, and I thought I would try it, but failed.  Tried changing the destination port to 29493 and hard coding the application to this, but the connection would not work unless all the port numbers were the same right to the application.  Would an outbound rule need to be created then added to the script as well?  Figured if this was possible, it would keep the config in one spot, cleaner for me.
              Line 90:
              xml ed -u '//rule[descr="Torrent"]/destination/port' -v $PORTNUM -u '//rule[descr="Torrent"]/local-port' -v 29493 -u '//rule[descr="NAT Torrent"]/destination/port' -v $PORTNUM $CONFFILE > /tmp/config.pia

              1 Reply Last reply Reply Quote 0
              • T
                thumbsp0t
                last edited by Dec 31, 2015, 5:35 PM

                @Attackduck:

                Thank you for the information!  And the script/instructions.
                I managed to make the pfSense side work by adding "-k" to this line in pia-port script Line 46 as someone suggested here:

                PORT=`curl --interface $INTERFACE -k -d "user=$USERNAME&pass=$PASSWORD&client_id=$(cat $PIACLIENTID)&local_ip=$LOCAL_IP" https://www.privateinternetaccess.com/vpninfo/port_forward_assignment`

                PIA was not allowing port forwarding on the original server I was connected to, and did not see that error message till after I changed this line.  After I changed servers to one that allowed port forwarding, it was working.

                Instead of a second script running to change the port on the application side, can we hard code the port on the destination side to match the application?  PIA assigned me 27494, and I thought I would try it, but failed.  Tried changing the destination port to 29493 and hard coding the application to this, but the connection would not work unless all the port numbers were the same right to the application.  Would an outbound rule need to be created then added to the script as well?  Figured if this was possible, it would keep the config in one spot, cleaner for me.
                Line 90:
                xml ed -u '//rule[descr="Torrent"]/destination/port' -v $PORTNUM -u '//rule[descr="Torrent"]/local-port' -v 29493 -u '//rule[descr="NAT Torrent"]/destination/port' -v $PORTNUM $CONFFILE > /tmp/config.pia

                You want to keep the NAT Torrent destination port as the static port as well.

                What I did is a little different;

                I do the port verification against the Torrent rule's destination port;

                CURPORT=`xml sel -t -v '//rule[descr="Torrent"]/destination/port' $CONFFILE`

                and only write it again if it changed

                xml ed -u '//rule[descr="Torrent"]/destination/port' -v $PORTNUM $CONFFILE > /tmp/config.pia

                I also added /etc/rc.filter_configure at the end of the script; pfSense didn't really seem to reload the config properly.

                1 Reply Last reply Reply Quote 0
                • D
                  Defyant
                  last edited by Jul 3, 2016, 10:50 AM Jun 24, 2016, 3:44 PM

                  I know this is an old thread, but it is the first one to come up in Google when searching "pfSense PIA Portforward". So I just wanted to add a few things on how I got port-forwarding using PIA set up with pfSense and a separate torrent download box running Deluge. I've attached two txt files to this post (pia-port.txt and deluge-port.txt), both of these are edited versions of soloam's and Bagpuss' scripts.

                  soloam's script I only edited slightly in order to get working (added a -k to the curl command and tweaked a few names). In pfSense 2.3.1 you also only need to run the below command to install xmlstarlet and don't need to worry about installing curl.

                  pkg install xmlstarlet

                  Once that's done you just need to edit the pia-port script, put it somewhere on the pfSense box (/usr/local/bin is the path recommended by Bagpuss) and use chmod 755 so you can run it. You will also need to configure the Cron plugin to run it every hour. Lastly, make sure you have a port alias called PIAPort set up in pfSense and port forwards set up as necessary.

                  
                  #!/bin/sh
                  export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
                  
                  # Private Internet Access Advanced Port Forward Script for pfSense
                  # v1.0 (21st January 2014)
                  # v1.1 (24th June 2016)
                  
                  # Pre-requisites for this script:
                  # pfSense v2.1 (Port forward NAT return destination broken in earlier versions)
                  # curl - pkg_add -r curl
                  # xmlstarlet - pkg_add -r xmlstarlet
                  
                  # Add your PIA username and password
                  USERNAME=USERNAME
                  PASSWORD=PASSWORD
                  PIACLIENTID=/cf/conf/pia_client_id
                  CONFFILE=/cf/conf/config.xml
                  
                  # Check to see if we have a valid PIA Client ID file.
                  # If not, create one. Linux is included for illustration only.
                  if [ ! -e $PIACLIENTID ]; then
                  
                          # OSX/FreeBSD (pfSense)
                          head -n 100 /dev/urandom | md5 > $PIACLIENTID
                  
                          # Linux
                          #head -n 100 /dev/urandom | md5sum | tr -d " -" > $PIACLIENTID
                  
                          logger "pia-port: Created new PIA Client ID."
                  fi
                  
                  # Find out the tunnelling device for your VPN and get your IP address.
                  # There are several options presented here. Personally, I prefer to use
                  # the interface which I know relates to my VPN tunnel for forwarding.
                  
                  #DEVICE=`ifconfig | grep -o "tun[0-9]"`
                  #LOCAL_IP=`ifconfig $DEVICE | grep -Po "(?<=addr.)[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*"`
                  LOCAL_IP=`ifconfig ovpnc1 | grep "inet " | cut -d\  -f2`
                  
                  # Get the port number for the forwarded port
                  PORT=`curl -k -d "user=$USERNAME&pass=$PASSWORD&client_id=$(cat $PIACLIENTID)&local_ip=$LOCAL_IP" -k https://www.privateinternetaccess.com/vpninfo/port_forward_assignment`
                  
                  PORTNUM=`echo $PORT | grep -oE "[0-9]+"`
                  
                  # Some error detection. If PORTNUM is longer than 5 characters, we know that
                  # an error has been returned. We log it to syslog, and exit.
                  len=`expr $PORTNUM : '.*'`
                  echo $len
                  
                  if [ $len -gt 5 ]; then
                          logger "pia-port: $PORTNUM"
                          exit 0
                  fi
                  
                  logger "pia-port - Port number acquired: $PORTNUM"
                  
                  # Get current NAT port number using xmlstarlet to parse the config file.
                  CURPORT=`xml sel -t -v '//alias[name="PIAPort"]/address' $CONFFILE`
                  
                  logger "pia-port - Current Port Forward: $CURPORT"
                  
                  # The port mapping doesn't always change.
                  # We don't want to force pfSense to re-read its config if we don't need to.
                  if [ "$CURPORT" = "$PORTNUM" ]; then
                         logger "pia-port - Port Not Changed. Exiting."
                         exit 0
                  fi
                  
                  # Port forward has changed, so we update the rules in the config file.
                  xml ed -u '//alias[name="PIAPort"]/address' -v $PORTNUM $CONFFILE > /tmp/config.pia
                  
                  # Put the config file in the correct location.
                  cp /tmp/config.pia $CONFFILE
                  
                  # Create a file in the pfSense web server root that contains the current port.
                  # This can then be read by other hosts in order to update the open port in
                  # whatever torrent client is in use.
                  echo $PORTNUM > /usr/local/www/pia-port.txt
                  
                  # Force pfSense to re-read its config
                  rm /tmp/config.cache
                  
                  logger "pia-port - New port number ($PORTNUM) inserted into config file."
                  
                  

                  Once the pia-port script is running on pfSense then on whatever box is running Deluge you simply need to copy the below script, edit it with credentials as necessary, run chmod 755 on it and then configure Cron to run it shortly after the pia-port script runs.

                  
                  #!/bin/sh
                  export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/syno/sbin:/usr/syno/bin:/usr/local/sbin:/usr/local/bin
                  
                  # Script to update port used by Deluge torrent client
                  # Developed for use on FreeNAS 9.10. Should work on other platforms.
                  # v1.0 (24th June 2016)
                  
                  # This script is configured to work with Deluge that has password
                  # protection on the daemon. You can remove this stuff if you don't use it.
                  
                  USERNAME="USERNAME"
                  PASSWORD="PASSWORD"
                  
                  if [ ! -e /tmp/pia-port.txt ]; then
                  
                          logger -p user.crit "deluge-port: Setting up port forward for first time."
                          cd /tmp && curl -O -k https://192.168.200.254/pia-port.txt
                          read -r NEWPORT < /tmp/pia-port.txt
                          deluge-console "connect 127.0.0.1:58846 $USERNAME $PASSWORD; config --set listen_ports ($NEWPORT,$NEWPORT)"
                  
                  else
                  
                          read -r CURPORT < /tmp/pia-port.txt
                          cd /tmp && curl -o pia-new.txt -k https://192.168.200.254/pia-port.txt
                          read -r NEWPORT < /tmp/pia-new.txt
                  
                          logger -p user.crit "deluge-port: Current port: $CURPORT"
                          logger -p user.crit "deluge-port: New Port: $NEWPORT"
                  
                          if [ "$CURPORT" = "$NEWPORT" ]; then
                                  logger -p user.crit "deluge-port: Port not changed. Exiting."
                                  exit 0
                          fi
                  
                          logger -p user.crit "deluge-port: Updating port. Port: $NEWPORT"
                          # Promote the freshly downloaded file (curl wrote it as pia-new.txt above)
                          mv /tmp/pia-new.txt /tmp/pia-port.txt
                          deluge-console "connect 127.0.0.1:58846 $USERNAME $PASSWORD; config --set listen_ports ($NEWPORT,$NEWPORT)"
                  
                  fi
                  
                  exit 0
                  
                  

                  The credentials that need to be used are the Deluge daemon login credentials. If you haven't configured any, you should be able to remove the bits of code for connections and the rest of the script should run fine.

                  connect 127.0.0.1:58846 $USERNAME $PASSWORD;
                  

                  Hopefully this information/these scripts prove useful to someone else that stumbles onto this page.

                  pia-port.txt
                  deluge-port.txt

                  1 Reply Last reply Reply Quote 0
                  • M
                    madhartigan
                    last edited by Jun 28, 2016, 8:55 PM Jun 28, 2016, 5:40 PM

                    Thank you for following up on this!!

                    The timing could not have been more perfect.  I just got done configuring my pfSense box, got PIA running and figured out how to route certain interfaces around PIA directly to the WAN.

                    I am not script savvy, but I do have the know-how to properly edit your script with my appropriate information.  (I think)  I have set up deluged, deluge-web and deluge-webui on my Ubuntu 16.04 box following this guide and it seems to be running just fine.

                    If you have the time, I'd appreciate a bit of assistance configuring this properly to work with my setup.

                    1. The step in which I'm supposed to configure the port Alias "PIAPort" . . . I'm not sure what port forwards I should assign to that Alias.  Would that be for outgoing ports I assign in Deluge (ie: not set to random)?

                    2. pia-port gets to the length check for the port number and then spits a syntax error.

                    [2.3.1-RELEASE][admin@pfsense.mydomain.net]/usr/local/bin: ./pia-port
                    VENDOR
                    SSH_CLIENT
                    LSCOLORS
                    LOGNAME
                    OSTYPE
                    MACHTYPE
                    FTP_PASSIVE_MODE
                    CLICOLOR
                    MAIL
                    PATH
                    HOST
                    REMOTEHOST
                    SSH_AUTH_SOCK
                    PWD
                    GROUP
                    TERM
                    SSH_TTY
                    USER
                    HOME
                    SSH_CONNECTION
                    HOSTTYPE
                    SHELL
                    BLOCKSIZE
                    SHLVL
                      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                                     Dload  Upload   Total   Spent    Left  Speed
                    100   149  100    57  100    92     26     42  0:00:02  0:00:02 --:--:--    42
                    expr: syntax error
                    
                    [: -gt: unexpected operator
                    [2.3.1-RELEASE][admin@pfsense.mydomain.net]/usr/local/bin:
                    
                    

                    (edited to change host and domain)

                    Output from System.log:

                    Jun 28 20:47:41 pfsense admin: pia-port - Port number acquired:
                    Jun 28 20:47:41 pfsense admin: pia-port - Current Port Forward: 62420:62430
                    
                    

                    Doesn't seem to be acquiring a port?

                    2a: Just curious why all those uppercase fields appear at the beginning of the runtime of the script . . . (VENDOR, SSH_CLIENT, LSCOLORS, LOGNAME, etc. etc.)

                    For now, that's all I have until I can get pia-port properly executing and providing the pia-port.txt file in /usr/local/www/ , I can't verify the functionality of deluge-port.txt.  ;-)

                    THANK YOU for putting the time into creating this.  I have every confidence it will be a huge help for me once I fix these simple issues.  I just definitely need some help to iron out these kinks.

                    Any and all help is greatly appreciated.

                    ADD: silly detail, but might be worth mentioning . . . in deluge-port, second line has "exporrt" not "export"

                    1 Reply Last reply Reply Quote 0
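Added example, not part of the thread or of the posted scripts: when `PORTNUM` is empty, the unquoted `expr $PORTNUM : '.*'` becomes `expr : '.*'` and `[ $len -gt 5 ]` becomes `[ -gt 5 ]`, which are the two shell errors in the output above, and the script then carries on with an empty port. The sketch below validates the response strictly before anything is written to config.xml; the function names and the sample responses are constructed for illustration, and the JSON-style response shape is an assumption.

```shell
#!/bin/sh
# Added example: strict validation of the port-forward response.
# Function names and sample responses are constructed for illustration.

# extract_port BODY
# Prints the port and returns 0 only if BODY contains exactly one run of
# digits and that run is a port number in 1-65535.
# Return codes: 1 = no number, 2 = more than one number, 3 = not a port.
extract_port() {
    body=$1
    # Every run of digits, one per line ("|| true": grep exits 1 on no match).
    nums=$(printf '%s\n' "$body" | grep -oE '[0-9]+' || true)
    # Empty response, or an error message that carries no number at all.
    [ -n "$nums" ] || return 1
    # Several numbers means this is not the response we expect.
    count=$(printf '%s\n' "$nums" | wc -l | tr -d ' ')
    [ "$count" -eq 1 ] || return 2
    # No leading zero, at most 5 digits (checked before the numeric test so
    # an oversized value never reaches it), and within the port range.
    case $nums in
        0*) return 3 ;;
    esac
    [ "${#nums}" -le 5 ] || return 3
    [ "$nums" -le 65535 ] || return 3
    printf '%s\n' "$nums"
}

# check_response BODY
# Prints "ok PORT" or a reject reason suitable for logger.
check_response() {
    if port=$(extract_port "$1"); then
        printf 'ok %s\n' "$port"
    else
        case $? in
            1) printf 'reject: no port in response\n' ;;
            2) printf 'reject: more than one number in response\n' ;;
            *) printf 'reject: not a valid port\n' ;;
        esac
    fi
}

# Constructed sample responses, including the empty body from the log above
# and the error text quoted later in the thread.
for sample in \
    '{"port":27494}' \
    '' \
    '{"error":"Port forward not available for this region."}' \
    '27494 27495' \
    '{"port":99999}'
do
    printf '%-58s -> %s\n' "[$sample]" "$(check_response "$sample")"
done
```

In the script, a caller would exit non-zero on any reject instead of `exit 0`, and skip the `xml ed` and `cp` steps entirely.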
                    • E
                      Elegant
                      last edited by Jun 29, 2016, 12:41 AM

                      I've noticed that in 2.3_5 removing config.cache does NOT reload the port settings. I have found a workaround but I'm hoping some other people can test this so that I can be sure that I'm not just crazy…

                      http://www.ipfingerprints.com/portscan.php

                      Example: If my port was previously 25623 and it changed to 42344 I can easily see that 42344 is NOT open. However if I re-save the NAT Port Forward Rule 42344 opens. Hopefully someone else can see this on 2.3_5.

                      1 Reply Last reply Reply Quote 0
                      • D
                        Defyant
                        last edited by Jul 3, 2016, 10:51 AM Jul 3, 2016, 10:46 AM

                        madhartigan,

                        The PIAPort alias can be set as anything to start with. As long as the PIAPort alias exists it will update to the correct value the first time you run the script.

                        Regarding the syntax error,  I've checked over the scripts I posted for something that could be causing it and I can't see anything. One thing I did notice however, was that when I copied out of the code field from the forums that the formatting changed compared to the attached txt file. So if you copied it from there you might want to try downloading the text file version and using that. Failing that can you please post an exact copy of the script you're using (attach it as txt file)? Just remember to edit out the USERNAME and PASSWORD fields first.

                        To answer your last question those uppercase fields shouldn't appear at all. I suspect these are related to the syntax/formatting error. When you run the script the only output should be the last 3 lines of text before the syntax error.

                        Lastly what version of pfSense are you using? Because if Elegant is right and 2.3_5 doesn't update the port when clearing the config.cache then the script I posted won't work. I'm still running 2.3.1 at the moment.

                        Elegant, what was the workaround you are using to reload the port settings?

                        PS. madhartigan thanks for picking up that typo in the deluge-port script. I've now fixed it and edited my post to use the correct information.

                        1 Reply Last reply Reply Quote 0
                        • Q
                          qwertytheking
                          last edited by Jul 7, 2016, 4:11 AM

                          First let me say this script and post was extremely helpful and works great (mostly)!

                          I am running 2.3.1-RELEASE-p5 and have the same issue as Elegant in that the rules don't seem to get updated unless I use the web GUI to save and then apply changes.  I see the port number getting updated in the web GUI but the port is not actually open on the firewall until I manually save and use the button to apply changes.

                          What is the workaround you spoke of?  Is it something that can be easily automated?

                          Thanks!

                          1 Reply Last reply Reply Quote 0
                          • S
                            SpaceAvenger
                            last edited by Jan 24, 2017, 6:25 PM

                            I know this is an old post. I've already created a new topic post but have yet to receive any replies to it. Thought I would just throw this in here and hope someone will reply back with helpful info.

                            I am attempting to add a script to my pfSense box that pulls or receives a port assignment from PIA. I'm basing my script on one created and modified from https://forum.pfsense.org/index.php?topic=71725.15  I'm not sure if something has changed with either pfSense or PIA since last July but I'm not able to get a port number with this script. It keeps coming back with "Port forward not available for this region." I've tried both Netherlands and Switzerland which are both servers that have port forwarding available. My first hunch is maybe I have a setting incorrectly set in pfSense. Or maybe PIA has changed something in their URL. Not sure. Anyway, I've verified that the variables going into the command below to receive a port assignment from PIA are correct (ie - username, password, client_id, local_ip).

                            PORT=`curl -k -d "user=$USERNAME&pass=$PASSWORD&client_id=$(cat $PIACLIENTID)&local_ip=$LOCAL_IP" -k https://www.privateinternetaccess.com/vpninfo/port_forward_assignment`

                            I've got a working OpenVPN tunnel created to the Netherlands currently. Just can't seem to get this script to get a port number.

                            Any ideas would be greatly appreciated. If you need more info let me know.

                            Thank you.

                            1 Reply Last reply Reply Quote 0
                            • U
                              urby
                              last edited by Jan 25, 2017, 11:10 PM

                              I am interested in this as well.  Does anyone know if this is working completely with the most recent release?

                              1 Reply Last reply Reply Quote 0
                              • S
                                SpaceAvenger
                                last edited by Jan 30, 2017, 8:17 PM

                                OK… I got my script working. Turns out it wasn't the command that pulls the port from PIA that was causing my issue. It was the line where the CLIENTID is generated. It seems just adding the pipe that removes " -" made the difference. Not sure why but it doesn't matter. It's all happy now.

                                CLIENTID=`head -n 100 /dev/urandom | md5 -r | tr -d " -"`

                                However, I am having the same issue now that Elegant and qwertytheking are having with regards to a port change not applying at least right away. Like qwertytheking mentioned, if you access the port alias and save/apply it, it opens that port but until then, it's still closed.

                                Is there a command or something that saves/applies these changes through CLI that I can add to my script?

                                1 Reply Last reply Reply Quote 0
                                • J
                                  jhboricua
                                  last edited by Jun 21, 2017, 10:22 PM Jun 21, 2017, 10:14 PM

                                  Looks like PIA introduced a new API in February. The announcement is here:

                                  New PIA Port Forwarding API

                                  The old API will be going away, they say. And the new one works a little different. For example:

                                  • The query for the port must be done within the first 2 minutes after the connection is made.

                                  • You no longer need to poll the API periodically, the initial request is sufficient

                                  Does anyone have a working solution using the new API that they're willing to share?

                                  1 Reply Last reply Reply Quote 0
                                  • A
                                    AccountIsTaken
                                    last edited by Jun 25, 2017, 11:07 PM Jun 24, 2017, 10:45 PM

                                    I appear to have worked out a script with the new API that works if anyone wants to test it. Preconditions are:

                                    1. That you have deluge set up on a server that you can ssh into without a password.
                                    2. That the user you are SSHing into is able to edit deluge-console.
                                    3. That you have xmlstarlet installed (curl appears to be preinstalled on my version, otherwise install it as well).
                                    4. That you have a port forward set up using an alias name of PIAPort.

                                    You'll need to append --route-up /location/script.sh to the custom options of your VPN setup.

                                    #!/bin/sh
                                    CONFFILE=/cf/conf/config.xml
                                    TMP_CONFFILE=/tmp/config.pia
                                    
                                    #Interface name of vpn connection
                                    INTERFACE='ovpnc7'
                                    
                                    #IP of server deluge is running on
                                    SERVER_IP=''
                                    
                                    #Username that has ssh setup that is able to edit deluge-console
                                    USER=''
                                    
                                    #Delay for 5 seconds to ensure vpn is up
                                    sleep 5
                                    
                                    #Generate a client ID.
                                    CLIENT_ID=`head -n 100 /dev/urandom | sha256 | tr -d " -"`
                                    
                                    #Get a forwarded port from PIA
                                    PORT=`curl --interface $INTERFACE "http://209.222.18.222:2000/?client_id=$CLIENT_ID"`
                                    
                                    #Cleanup port output
                                    PORTNUM=`echo $PORT | grep -oE "[0-9]+"`
                                    
                                    # Some error detection. If PORTNUM is not 5 characters, we know that
                                    # an error has been returned. We log it to syslog, and exit.
                                    if [ ${#PORTNUM} -ne 5 ]; then
                                    	logger "pia-port - Error setting port"
                                    	exit 0
                                    fi
                                    
                                    logger "pia-port - Port number acquired: $PORTNUM"
                                    
                                    #Change Deluge port
                                    ssh $USER@$SERVER_IP "deluge-console 'config --set listen_ports ($PORTNUM, $PORTNUM)'"
                                    
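                                    # Update the port forward rules in a temporary copy of the config file.
                                    # Only install the copy if xmlstarlet succeeded and produced a non-empty
                                    # file; otherwise an empty file would overwrite the pfSense config.
                                    if xml ed -u '//alias[name="PIAPort"]/address' -v "$PORTNUM" "$CONFFILE" > "$TMP_CONFFILE" && [ -s "$TMP_CONFFILE" ]; then
                                    	# Put the config file in the correct location.
                                    	cp "$TMP_CONFFILE" "$CONFFILE"
                                    else
                                    	logger "pia-port - Config update failed, config file left unchanged"
                                    	exit 0
                                    fi
                                    
                                    # Force pfSense to re-read its config
                                    rm -f /tmp/config.cache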
                                    
                                    #Reload the filter
                                    /etc/rc.filter_configure
                                    
                                    logger "pia-port - New port number ($PORTNUM) inserted into config file."
                                    

                                    Edit: Upon further testing the script works but executing it that way would only work some of the time. I added the below code to the end of /etc/devd.conf which is responsible for executing tasks depending on kernel events. It seems to work consistently this way. Edit ovpnc to the interface number of your vpn connection and change /location/script.sh to the location that you saved the script.

                                    notify 0 {
                                            match "system"          "IFNET";
                                            match "subsystem"       "(ovpnc7)";
                                            match "type"            "LINK_UP";
                                            action " /location/script.sh";
                                    };
                                    
                                    1 Reply Last reply Reply Quote 0
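A stricter version of the port check in the script above, added here as an example (not AccountIsTaken's code): the response is accepted only if it contains exactly one number in the valid port range, so an error page or an out-of-range value never reaches the firewall alias. The function name `parse_port` and the sample response bodies are assumptions constructed for illustration; the thread does not show the API's response format.

```shell
#!/bin/sh
# Added example: validate a port-forward API response before using it.
# parse_port is a hypothetical helper; the sample responses are constructed.

# Print the port and return 0 if $1 contains exactly one integer in
# 1-65535 with no leading zero; print nothing and return 1 otherwise.
parse_port() {
	# Extract every run of digits, one per line. No digits at all
	# (empty reply, timeout, textual error) is a failure.
	nums=$(printf '%s\n' "$1" | grep -oE '[0-9]+') || return 1

	# More than one number means the reply is ambiguous (for example an
	# HTML error page), so refuse to guess which one is the port.
	[ "$(printf '%s\n' "$nums" | wc -l | tr -d ' ')" -eq 1 ] || return 1

	# Reject leading zeros and anything longer than five digits before
	# doing arithmetic on it.
	case "$nums" in
		0*|??????*) return 1 ;;
	esac

	# A five-character length test alone would accept 99999 and reject
	# a valid four-digit port; a range test handles both.
	[ "$nums" -ge 1 ] && [ "$nums" -le 65535 ] || return 1

	printf '%s\n' "$nums"
}

# Constructed sample responses: two valid, four that must be rejected.
for reply in '{"port":48231}' '{"port":8080}' '{"port":99999}' \
	'{"error":"not active"}' '<h1>502 Bad Gateway</h1>' ''; do
	if port=$(parse_port "$reply"); then
		echo "accepted: $port"
	else
		echo "rejected: '$reply'"
	fi
done
```

In the original script this would replace the `grep` and length-check lines, with the `logger` and `exit 0` branch taken when `parse_port` fails.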
                                    • J
                                      jhboricua
                                      last edited by Jun 27, 2017, 7:43 PM Jun 27, 2017, 5:02 AM

                                      Thanks AccountIsTaken.

                                      ~~Correct me if I'm wrong but isn't the portion of the script dealing with the torrent client optional? As long as my pfsense NAT rule forwards the port I'm opening on the WAN side (set to the PIAPort Alias) to the port of my torrent client in my LAN subnet I should be ok, right? In other words:

                                      WAN:PIAPort --> LAN:TorrentClient:port

                                      I only care about updating the alias and will leave the port on the client side unchanged, letting pfSense port forwarding do its thing.~~

                                      I figured it would be easier to just test it out. I used your script minus the lines dealing with Deluge, meaning the script will only update the port alias and reload the filter in pfSense once the VPN connection is established. It works like a charm.  My NAT rule has the port forwarding in the WAN interface using the PIAport alias but the destination port for the forwarded traffic on the LAN IP is a static value that never changes. That way I don't have to update my torrent client every time I reconnect the VPN.

                                      • A
                                        AccountIsTaken
                                        last edited by Jun 28, 2017, 8:06 AM

                                        Glad it's working for you jhboricua.

                                        Yes the part dealing with the torrent client is completely optional. You could strip out that part without any problems as you've found. You could also program multiple port forwards as long as each port forward runs through a separate vpn client connection if you wanted to run various services. You just have to create multiple connections and update for each connection.

                                        • H
                                          Hakon74
                                          last edited by Aug 29, 2017, 8:45 PM

                                          Thank you AccountIsTaken  :D
                                          Great script! Deluge is working perfectly

                                          Can this be modified to work with Plex? I do get a port from PIA but I have to change the port manually in PMS every time it changes.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.