Netgate Discussion Forum

Run Script when OpenVPN connects, Get Port From Provider and add firewall rule

OpenVPN
2 Posts 2 Posters 1.3k Views
  • DocLove
    last edited by Jul 6, 2015, 1:54 AM

    Hello,
    I have used pfSense off and on for 8 years, I just built me a new box and decided to get fancy. I have solved most of my issues but there is one that is out of my league. I have just started using the VPN provider PIA (Private Internet Access); I have the OpenVPN connection working just fine, and can send & receive data through it. The problem is that I need to have a port forwarded through the VPN connection. PIA allows this on certain connections with their software, and a guide is available for advanced users to use an SSL-secured API interface. But this is way outside of my knowledge.
    The guide says “You can easily make a script and call it in the 'up' section of the OpenVPN configuration. You will need to save the JSON output and act accordingly.” But I have no idea how to implement this. Below is the relevant section of the guide, which is located at https://www.privateinternetaccess.com/forum/index.php?p=/discussion/180/port-forwarding-without-the-application-advanced-users

    POST to:  https://www.privateinternetaccess.com/vpninfo/port_forward_assignment
    Vars:     user=username
              pass=password
              client_id=a random string that no one should be able to guess, use the same string every time
              local_ip=the 10.x.x.x IP you get assigned after connecting to the VPN
    
    Make client_id:
    osx:   head -n 100 /dev/urandom | md5 > ~/.pia_client_id
    linux: head -n 100 /dev/urandom | md5sum > ~/.pia_client_id
    EDIT:  linux: head -n 100 /dev/urandom | md5sum | tr -d " -" > ~/.pia_client_id 
    (Thanks rcbarnes)
    
    curl -d "user=USERNAME&pass=PASSWORD&client_id=$(cat ~/.pia_client_id)&local_ip=LOCAL_IP" https://www.privateinternetaccess.com/vpninfo/port_forward_assignment
    
    RETURNS:
    { "port": 23423 }
    

    So to summarize, what I want to do is

    • Connect to the VPN server

    • Run a script to retrieve the port from PIA

    • Insert a port-forward rule into the firewall rules and reload

    • Remove rule when OpenVPN disconnects.

    Any help would be appreciated.

    The Doc.

    • sawick61
      last edited by Jan 27, 2016, 3:17 PM
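The four steps above (connect, query PIA on "up", install a port forward, remove it on "down") as one OpenVPN up/down script for a pfSense (FreeBSD/pf) box. This is an added example, not code from the post, from PIA's guide or from pfSense; the endpoint URL and the POST variables are the ones the guide lists, while the file paths, the curl config file holding the credentials, the pf anchor name and the LAN host/port that should receive the forwarded traffic are assumptions for the example. OpenVPN itself exports script_type, dev and ifconfig_local to the script.

```shell
#!/bin/sh
# Added example, not code from the post or from PIA: an OpenVPN up/down script
# for a pfSense (FreeBSD/pf) box. On "up" it asks PIA's port_forward_assignment
# endpoint for a port and installs a pf rdr rule in a dedicated anchor; on
# "down" it flushes that anchor again.
# OpenVPN exports script_type, dev and ifconfig_local to up/down scripts.
# The paths, anchor name and LAN target below are assumptions for the example.

PIA_URL="https://www.privateinternetaccess.com/vpninfo/port_forward_assignment"
CRED_FILE="/usr/local/etc/pia_curl.conf"      # assumed curl config, mode 0600, holding:
                                              #   data-urlencode = "user=USERNAME"
                                              #   data-urlencode = "pass=PASSWORD"
CLIENT_ID_FILE="/usr/local/etc/pia_client_id" # assumed; generated once, reused on every call
ANCHOR="pia_forward"        # assumed pf anchor; the main ruleset must carry: rdr-anchor "pia_forward"
TARGET_HOST="192.168.1.10"  # assumed LAN host that should receive the forwarded port
TARGET_PORT="51413"         # assumed listening port on that host
STATE_FILE="/var/run/pia_forwarded_port"

# Persistent client_id: 32 random bytes as hex, created once and reused so the
# same string is sent every time, as the guide requires.
get_client_id() {
    if [ ! -s "$CLIENT_ID_FILE" ]; then
        umask 077
        dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n' > "$CLIENT_ID_FILE"
    fi
    cat "$CLIENT_ID_FILE"
}

# POST user/pass/client_id/local_ip as the guide describes. user and pass come
# from the curl config file so the password never appears on a command line.
request_port() {
    curl -sS --fail --max-time 20 -K "$CRED_FILE" \
        --data-urlencode "client_id=$(get_client_id)" \
        --data-urlencode "local_ip=$1" \
        "$PIA_URL"
}

# Pull the integer out of a reply like { "port": 23423 }. Prints nothing when
# the reply carries no port, so callers can treat an empty result as failure.
extract_port() {
    printf '%s' "$1" | sed -n 's/.*"port"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Accept only a plausible unprivileged port; the value ends up inside a pf rule.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Build the rdr rule: anything reaching the tunnel address on the assigned
# port is redirected to the LAN host. "rdr pass" also passes the redirected traffic.
build_rdr_rule() {
    printf 'rdr pass on %s inet proto { tcp udp } from any to (%s) port %s -> %s port %s\n' \
        "$1" "$1" "$2" "$3" "$4"
}

up_action() {
    local_ip="${ifconfig_local:?OpenVPN did not export ifconfig_local}"
    reply=$(request_port "$local_ip") || { logger -t pia-pf "port request failed"; return 1; }
    port=$(extract_port "$reply")
    if ! valid_port "$port"; then
        logger -t pia-pf "unexpected reply from PIA: $reply"
        return 1
    fi
    build_rdr_rule "$dev" "$port" "$TARGET_HOST" "$TARGET_PORT" | pfctl -a "$ANCHOR" -f -
    printf '%s\n' "$port" > "$STATE_FILE"
    logger -t pia-pf "forwarding $dev port $port to $TARGET_HOST:$TARGET_PORT"
}

down_action() {
    pfctl -a "$ANCHOR" -F nat    # rdr rules live in the anchor's nat ruleset
    rm -f "$STATE_FILE"
}

# Dispatch on what OpenVPN is doing; sourcing the file outside OpenVPN runs nothing.
case "${script_type:-}" in
    up)   up_action ;;
    down) down_action ;;
esac
```

The script is wired in with `script-security 2` plus `up` and `down` directives pointing at it; OpenVPN accepts only one `up` directive per instance, so if the generated client config already carries its own up/down script, this one has to be called from there instead. The anchor must be referenced by the main ruleset (`rdr-anchor "pia_forward"`) or the rule loaded into it is never consulted, and `pfctl -a pia_forward -sn` shows what is currently installed. The client_id is still visible in the process list for the duration of the curl call; only the password is kept off the command line.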

      I apologize as I do not have an answer to your question, but am seeking an answer to my own. I am also using pfSense and OpenVPN and I am attempting to configure the firewall to allow only the VPN traffic and block everything else. So, if/when the OpenVPN connection drops, so does all other traffic. I accomplished this on a Linux router previously using the following iptables rules, but cannot work out how to conceptually do the same with pfSense, as there is not a "source port" option in the GUI. Any help would be awesome!

      *filter
      :INPUT ACCEPT [0:0]
      :FORWARD ACCEPT [0:0]
      :OUTPUT ACCEPT [0:0]
      # Into the router: only UDP from source port 53 and DHCP, everything else dropped
      -A INPUT -p udp -m udp --sport 53 -j ACCEPT
      -A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
      -A INPUT -j DROP
      # Nothing is forwarded through the filter table
      -A FORWARD -j DROP
      # From the router itself: only UDP to port 53 and DHCP, everything else dropped
      -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
      -A OUTPUT -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
      -A OUTPUT -j DROP
      COMMIT
      # Completed on Thu Jan 14 11:13:06 2016
      # Generated by iptables-save v1.4.7 on Thu Jan 14 11:13:06 2016
      *nat
      :PREROUTING ACCEPT [0:0]
      :POSTROUTING ACCEPT [0:0]
      :OUTPUT ACCEPT [0:0]
      # Hide the single LAN client behind the tunnel address
      -A POSTROUTING -s 192.168.2.2/32 -o tun0 -j MASQUERADE
      COMMIT

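The same "VPN or nothing" policy expressed in pf syntax, as an added example rather than sawick61's configuration or anything from pfSense. It targets a FreeBSD/pf router that is itself the OpenVPN client, like the Linux box behind the iptables rules above; the interface names, the VPN server address (a documentation-range address) and the reading that the posted OUTPUT rule's UDP port 53 is the tunnel transport are assumptions.

```pf
# Added example, not the poster's config: pf rules with the same intent as the
# iptables set above. Interface names and the VPN endpoint are assumptions.
wan_if     = "em0"
lan_if     = "em1"
vpn_if     = "tun0"
vpn_server = "203.0.113.10"   # assumed OpenVPN server address
vpn_port   = "53"             # the posted OUTPUT rule only lets UDP to port 53 leave the router
lan_client = "192.168.2.2"

# Bind states to the interface they were created on. With the default floating
# policy, a state opened for the LAN client's traffic would still match if the
# kernel started routing those packets out $wan_if once the tunnel vanished.
set state-policy if-bound
set skip on lo0

# POSTROUTING MASQUERADE -o tun0: hide the LAN client behind the tunnel address.
nat on $vpn_if from $lan_client to any -> ($vpn_if)

# Default deny and log, so traffic dropped during a tunnel outage is visible.
block log all

# The router's own traffic on WAN (iptables OUTPUT/INPUT): only the tunnel
# transport and DHCP. State handles the return packets that the iptables set
# admitted with --sport 53, so no separate inbound rule is needed for them.
pass out quick on $wan_if inet proto udp from ($wan_if) to $vpn_server port $vpn_port
pass out quick on $wan_if inet proto udp from any port 68 to any port 67
pass in  quick on $wan_if inet proto udp from any port 67 to any port 68

# The LAN client is accepted on the LAN side and may leave only via the tunnel.
# There is deliberately no "pass out on $wan_if" for it: when $vpn_if is down,
# the default deny above drops what would otherwise fall back to the WAN route.
pass in  quick on $lan_if from $lan_client to any
pass out quick on $vpn_if from ($vpn_if) to any
```

Check the file with `pfctl -nf /path/to/pf.conf` before loading it, and test the kill switch by stopping OpenVPN and watching `pfctl -s states` and the block log: no new state for the LAN client should appear on $wan_if. The if-bound state policy is the part that matters; with floating states the tunnel's disappearance alone does not stop traffic that already has a state.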
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.