Run Script when OpenVPN connects, Get Port From Provider and add firewall rule

  • Hello,
    I have used Pfsense off and on for 8 years, I just built me a new box and decided to get fancy. I have solved most of my issues but there is one that is out of my league. Have just started using the VPN provider PIA (Private Internet Access), I have the OpenVPN connection working just fine, and can send & receive data through it. The problem is that I need to have a port forwarded through the VPN connection. PIA allows this on certain connections with their software, and a guide is available for advanced users to use a SSL secured API interface. But this is way outside of my knowledge.
    The Guide says “You can easily make a script and call it in the 'up' section of the OpenVPN configuration.  You will need to save the JSON output and act accordingly.” But I have no Idea how to implement this. Below is the relevant section of the guide which is located at

    POST to:
    Vars:     user=username
              client_id=a random string that no one should be able to guess, use the same string every time
              local_ip=the 10.x.x.x IP you get assigned after connecting to the VPN
    Make client_id:
    osx:   head -n 100 /dev/urandom | md5 > ~/.pia_client_id
    linux: head -n 100 /dev/urandom | md5sum > ~/.pia_client_id
    EDIT:  linux: head -n 100 /dev/urandom | md5sum | tr -d " -" > ~/.pia_client_id 
    (Thanks rcbarnes)
    curl -d "user=USERNAME&pass=PASSWORD&client_id=$(cat ~/.pia_client_id)&local_ip=LOCAL_IP"
    { "port": 23423 }

    So to summarize, what I want to do is

    • Connect to the VPN server

    • Run Script to retrieve Port from PIA

    • Insert port-forward  rule into firewall rules and reload

    • Remove rule when OpenVPN disconnects.

    Any help would be appreciated.

    The Doc.

  • I apologize as I do not have an answer to your question, but am seeking an answer to my own.  I am also using PFSense and OpenVPN and I am attempting to configure the firewall to allow only the VPN traffic and block everything else.  So, if/when the OpenVPN connection drops, so does all other traffic.  I accomplished this on a linux router previously using the following IPtables rules, but can not how to conceptually do the same with pfsense, as there is not a "source port" option in the GUI.  Any help would be awesome!

    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -p udp -m udp –sport 53 -j ACCEPT
    -A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
    -A INPUT -j DROP
    -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
    -A OUTPUT -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT

    Completed on Thu Jan 14 11:13:06 2016

    Generated by iptables-save v1.4.7 on Thu Jan 14 11:13:06 2016

    :OUTPUT ACCEPT [0:0]

Log in to reply