Run Script when OpenVPN connects, Get Port From Provider and add firewall rule
-
Hello,
I have used pfSense off and on for 8 years, I just built myself a new box and decided to get fancy. I have solved most of my issues but there is one that is out of my league. I have just started using the VPN provider PIA (Private Internet Access); I have the OpenVPN connection working just fine, and can send & receive data through it. The problem is that I need to have a port forwarded through the VPN connection. PIA allows this on certain connections with their software, and a guide is available for advanced users to use an SSL-secured API interface. But this is way outside of my knowledge.
The Guide says “You can easily make a script and call it in the 'up' section of the OpenVPN configuration. You will need to save the JSON output and act accordingly.” But I have no idea how to implement this. Below is the relevant section of the guide, which is located at https://www.privateinternetaccess.com/forum/index.php?p=/discussion/180/port-forwarding-without-the-application-advanced-users

POST to: https://www.privateinternetaccess.com/vpninfo/port_forward_assignment
Vars:
user=username
pass=password
client_id=a random string that no one should be able to guess, use the same string every time
local_ip=the 10.x.x.x IP you get assigned after connecting to the VPN
Make client_id:
osx: head -n 100 /dev/urandom | md5 > ~/.pia_client_id
linux: head -n 100 /dev/urandom | md5sum > ~/.pia_client_id
EDIT: linux: head -n 100 /dev/urandom | md5sum | tr -d " -" > ~/.pia_client_id (Thanks rcbarnes)
curl -d "user=USERNAME&pass=PASSWORD&client_id=$(cat ~/.pia_client_id)&local_ip=LOCAL_IP" https://www.privateinternetaccess.com/vpninfo/port_forward_assignment
RETURNS: { "port": 23423 }
So to summarize, what I want to do is
- Connect to the VPN server
- Run a script to retrieve the port from PIA
- Insert a port-forward rule into the firewall rules and reload
- Remove the rule when OpenVPN disconnects.
Any help would be appreciated.
The Doc.
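A hook along the following lines covers steps 2 to 4 of the summary above; it is an added example written for this thread, not code from PIA or pfSense. It relies on the script_type, dev and ifconfig_local variables that OpenVPN exports to up/down scripts, and uses placeholders for the credential file, the LAN host 192.168.1.50 and the pf anchor name.

```shell
#!/bin/sh
# Added example: OpenVPN up/down hook that requests the PIA forwarded port and
# installs it as a pf rdr rule in its own anchor. Placeholders: CRED_FILE,
# LAN_HOST, ANCHOR and /var/run/pia_port.
PIA_API="https://www.privateinternetaccess.com/vpninfo/port_forward_assignment"
CLIENT_ID_FILE="$HOME/.pia_client_id"   # created once, as the PIA guide describes
CRED_FILE="/root/.pia_credentials"      # placeholder: line 1 username, line 2 password, mode 0600
LAN_HOST="192.168.1.50"                 # placeholder: LAN host that should receive the port
ANCHOR="pia_portfwd"                    # placeholder: pf anchor owned by this script

# Extract the port from a reply such as { "port": 23423 }.
# Prints the port; returns 1 if the reply carries no sane port number.
pia_port_from_json() {
    p=$(printf '%s' "$1" | sed -n 's/.*"port"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$p" ] && [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    printf '%s\n' "$p"
}

# pf rule text: TCP to the assigned port ($2) arriving on the VPN interface ($1)
# is redirected to LAN_HOST on the same port.
pia_rdr_rule() {
    printf 'rdr pass on %s inet proto tcp from any to any port %s -> %s port %s\n' \
        "$1" "$2" "$LAN_HOST" "$2"
}

pia_up() {
    [ -s "$CLIENT_ID_FILE" ] || { logger -t pia "missing $CLIENT_ID_FILE"; return 1; }
    user=$(sed -n 1p "$CRED_FILE"); pass=$(sed -n 2p "$CRED_FILE")
    # --data-urlencode keeps special characters in the password from breaking the form body
    reply=$(curl -sS --data-urlencode "user=$user" --data-urlencode "pass=$pass" \
                 --data-urlencode "client_id=$(cat "$CLIENT_ID_FILE")" \
                 --data-urlencode "local_ip=$ifconfig_local" "$PIA_API")
    port=$(pia_port_from_json "$reply") || { logger -t pia "no usable port in reply"; return 1; }
    # Loading into the anchor replaces its previous rules, so a reconnect never leaves a stale rdr.
    pia_rdr_rule "$dev" "$port" | pfctl -a "$ANCHOR" -f -
    printf '%s\n' "$port" > /var/run/pia_port
    logger -t pia "forwarding port $port on $dev to $LAN_HOST"
}

pia_down() {
    pfctl -a "$ANCHOR" -F nat      # drop the rdr rule together with the tunnel
    rm -f /var/run/pia_port
}

case "${script_type:-}" in
    up)   pia_up ;;
    down) pia_down ;;
esac
```

The hook is wired in through the OpenVPN client's custom options (script-security 2 plus up and down pointing at the script), and the down handler is what removes the rule when the tunnel drops. pfSense rewrites its main pf ruleset on every filter reload, so whether a custom anchor survives that reload needs checking on your version; this example assumes it does.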
-
-
I apologize as I do not have an answer to your question, but am seeking an answer to my own. I am also using pfSense and OpenVPN and I am attempting to configure the firewall to allow only the VPN traffic and block everything else. So, if/when the OpenVPN connection drops, so does all other traffic. I accomplished this on a Linux router previously using the following iptables rules, but cannot figure out how to conceptually do the same with pfSense, as there is not a "source port" option in the GUI. Any help would be awesome!
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A OUTPUT -j DROP
COMMIT
# Completed on Thu Jan 14 11:13:06 2016
# Generated by iptables-save v1.4.7 on Thu Jan 14 11:13:06 2016
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.2.2/32 -o tun0 -j MASQUERADE
COMMIT