
pia-nextgen-portforwarding's People

Contributors: fm407, hakun1n

pia-nextgen-portforwarding's Issues

Daemon exiting after rebind

Another question, should we be putting a service start into crontab or something to restart every ten minutes or so?

The reason is that the code for rebinding:

# If the acquired port is the same as already configured do not pointlessly reload config.
if [ "$NATPORT" -eq "$pf_port" ]; then
	logger "[PIA] Acquired port $pf_port equals the already configured port $NATPORT - no action required."
	exit 0
fi

causes the daemon to exit, stopping further rebinds (since we apparently need to do it every fifteen minutes or so with the nextgen servers).

I could take out the "exit 0" but I honestly don't know if that would affect the rest of the script negatively, plus it wouldn't help the base code. This would also affect the other "exit 0" locations, though you might want them to actually die with those instances.

As an example, I restarted the service at 10:10 or so, it worked and updated, then the rebind ran and exited the daemon fifteen minutes later:

Sep 23 10:10:02 | root |   | [PIA] Acquired forwarding port: 35381
Sep 23 10:10:02 | root |   | [PIA] Current NAT rule port: 51485
Sep 23 10:10:03 | root |   | [PIA] New port 35381 udpated in pfSense config file.
Sep 23 10:10:04 | root |   | [PIA] New port successfully updated in remote Transmission system.
Sep 23 10:25:04 | root |   | [PIA] Acquired forwarding port: 35381
Sep 23 10:25:04 | root |   | [PIA] Current NAT rule port: 35381
Sep 23 10:25:04 | root |   | [PIA] Acquired port 35381 equals the already configured port 35381 - no action required.

Also a nitpicking jerk comment, sorry... there's a typo in the "New port 35381 udpated in pfSense config file." line in 'updated'. :)

pfSense 2.7.0

Hello everyone,

I had a version mismatch problem installing the xmlstarlet package on a fresh pfSense 2.7.0 setup, so I had to modify the pia-pfSense.sh file to not use this package; there was also no need to add any other package (jq was already installed with the system).

Actually the solution was replacing:

  • Line 39:
    transip=$(xml sel -t -v "//alias[name=\"$ipalias\"]/address" $conffile)
    to:
    transip=$(xmllint --xpath '//alias[name="'$ipalias'"]/address/text()' $conffile)

  • Line 123:
    natport=$(xml sel -t -v "//alias[name=\"$portalias\"]/address" $conffile)
    to:
    natport=$(xmllint --xpath '//alias[name="'$portalias'"]/address/text()' $conffile)

  • Line 138:
    xml ed -u "//alias[name=\"$portalias\"]/address" -v $pf_port $conffile > $tmpconffile
    to:
    cp $conffile $tmpconffile
    xmlxml=$(xmllint --shell $tmpconffile << EOF
    cd /pfsense/aliases/alias[name="$portalias"]/address
    set $pf_port
    save
    EOF
    )

  • Line 144:
    xml val -q $tmpconffile
    to:
    xmlwf -s $tmpconffile

Now, the code is fully working with pfSense 2.7.0.

Use Transmission RPC interface rather than SSH?

Rather than setting up the SSH stuff to be able to ssh to the transmission server, it's much easier to just use the Transmission RPC API directly. Is there a reason you went with the ssh and transportupdate.sh script instead of direct RPC?

Here is some example code (which I added to the pfSense script and am currently using) to use the RPC API:

update_transmission_port () {
  # Transmission RPC user name
  TRANSUSER=transmission
  # Transmission RPC password
  TRANSPASS="RPCPasswordGoesHere"
  TRANSHOST=$TRANSIP

  # The first request is answered with HTTP 409; the response body shows the
  # required X-Transmission-Session-Id header inside <code>...</code>.
  SESSION_HEADER=$(curl -u "$TRANSUSER:$TRANSPASS" "http://${TRANSHOST}:9091/transmission/rpc" 2>/dev/null | sed 's/.*<code>//g;s/<\/code>.*//g')

  if [ "x$SESSION_HEADER" != "x" ]; then
    # Set the peer port to the port acquired from PIA
    DATA="{\"method\": \"session-set\", \"arguments\": { \"peer-port\" : $pf_port } }"
    echo "$DATA"
    CURLOUT=$(curl -u "$TRANSUSER:$TRANSPASS" --silent "http://${TRANSHOST}:9091/transmission/rpc" -d "$DATA" -H "$SESSION_HEADER")
    echo "$CURLOUT"
    echo "pia-nextgen-pf: $(date) Updated Transmission port number via RPC"
    logger "pia-nextgen-pf: Updated Transmission port number via RPC"
  else
    echo "pia-nextgen-pf: $(date) No Transmission RPC Session Header retrieved"
    logger "pia-nextgen-pf: No Transmission RPC Session Header retrieved"
  fi
}
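
An added example, not part of the issue above or of the project's scripts: the same RPC update with the password fed to curl through a config read from stdin (so it does not show up in the process list) and the port validated before it is placed in the JSON body. The function names and the argument order are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: function names are illustrative, not from pia-pfSense.sh.

# Build the session-set body; accept only a decimal port in 1..65535 so
# nothing else can be spliced into the JSON.
build_peer_port_request() {
  case "$1" in
    ''|0*|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -le 5 ] && [ "$1" -le 65535 ] || return 1
  printf '{"method":"session-set","arguments":{"peer-port":%s}}' "$1"
}

# Emit a curl config for "-K -" so the RPC password is read from stdin
# instead of appearing in the process list. $1 = user, $2 = password.
curl_auth_config() {
  esc=$(printf '%s' "$1:$2" | sed 's/\\/\\\\/g; s/"/\\"/g')
  printf 'user = "%s"\n' "$esc"
}

# Pick the X-Transmission-Session-Id line out of raw response headers (stdin).
extract_session_header() {
  tr -d '\r' | awk 'tolower($0) ~ /^x-transmission-session-id:/ { print; exit }'
}

# $1 = host, $2 = user, $3 = password, $4 = port
update_transmission_port() {
  url="http://$1:9091/transmission/rpc"
  body=$(build_peer_port_request "$4") || {
    logger "pia-nextgen-pf: refusing invalid port value"
    return 1
  }
  # First request is expected to be rejected with 409 and the session header.
  hdr=$(curl_auth_config "$2" "$3" |
        curl -K - --silent --max-time 10 -D - -o /dev/null "$url" |
        extract_session_header)
  if [ -z "$hdr" ]; then
    logger "pia-nextgen-pf: No Transmission RPC Session Header retrieved"
    return 1
  fi
  curl_auth_config "$2" "$3" |
    curl -K - --silent --fail --max-time 10 -H "$hdr" -d "$body" "$url" >/dev/null &&
    logger "pia-nextgen-pf: Updated Transmission port number via RPC"
}
```

The request is still plain HTTP with Basic auth, as in the post, so the RPC port should only be reachable from the firewall on a trusted segment.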

Dumb question about the service

I apologize for posting this as an 'issue', but I've been beating my head against the wall. The script runs great, and I have it set to update Transmission, however I can't for the life of me figure out how to enable the service to run.

Following the instructions I get (or some variation on it):

[2.4.5-RELEASE][[email protected]]/usr/local/etc/rc.d: service pia-portforwarding start
/etc/rc.conf: pia-portforwarding_enable=YES: not found
/etc/rc.conf.local: pia-portforwarding_enable=YES: not found
/etc/rc.conf: pia-portforwarding_enable=YES: not found
/etc/rc.conf.local: pia-portforwarding_enable=YES: not found
/usr/local/etc/rc.d/pia-portforwarding: WARNING: $pia-portforwarding_enable is not set properly - see rc.conf(5).
Cannot 'start' pia-portforwarding. Set pia-portforwarding_enable to YES in /etc/rc.conf or use 'onestart' instead of 'start'.

or

[2.4.5-RELEASE][[email protected]]/usr/local/etc/rc.d: ./pia-portforwarding start
/etc/rc.conf: pia-portforwarding_enable=YES: not found
/etc/rc.conf.local: pia-portforwarding_enable=YES: not found
./pia-portforwarding: WARNING: $pia-portforwarding_enable is not set properly - see rc.conf(5).
Cannot 'start' pia-portforwarding. Set pia-portforwarding_enable to YES in /etc/rc.conf or use 'onestart' instead of 'start'.

even though my rc.conf.local is (I've tried one and the other, finally I just got ticked and put both in there):
pia-portforwarding_enable="YES"
pia-portforwarding_enable=YES

So I imagine it's just something I'm missing, not a BSD guy admittedly. Any suggestions?

xmlstarlet install instructions

Including instructions for adding the FreeBSD repositories to the pkg configuration files and installing xmlstarlet could go a long way.

The Netgate docs say to edit pfSense.conf.
My install has a FreeBSD.conf as well.

I edited both.

/usr/local/etc/pkg/repos

FreeBSD: { enabled: yes }

Novice seeking help guidance..

devd triggers the service and my system logs state:

/usr/local/etc/rc.d/piaportforwarding: WARNING: cannot read shebang line from /home/custom/piaportforward/pia-pfSense.sh

I went through the instructions several times and I have not been able to resolve this.

Any advice is appreciated!

v/r,
jg

Pfsense 2.6.0 (and perhaps PIA VPN in 2022?)

Two things I had to modify in my scripts while taking from this tutorial.

Line 47 in pia-pfSense.sh

I changed the part that says the following:

get_auth_token () {
tok=$(curl --interface ${ovpniface} --insecure --silent --show-error --request POST --max-time $curl_max_time \
--header "Content-Type: application/json" \
--data "{\"username\":\"$piauser\",\"password\":\"$piapass\"}" \
"https://www.privateinternetaccess.com/api/client/v2/token" | jq -r '.token')

TO THIS:

get_auth_token () {
tok=$(curl -s -u "$piauser:$piapass" --interface "$ovpniface" --insecure --silent --show-error --max-time 15 "https://privateinternetaccess.com/gtoken/generateToken" | jq -r '.token')

In addition, perhaps due to the way I was using PIA, I had to make the following modification to interpret the gateway of the OpenVPN interface.

On line 96 it reads:
vpn_ip=$(traceroute -i ${ovpniface} -m 1 privateinternetaccess.com | tail -n 1 | awk '{print $2}')

I modified it to this:
vpn_ip=$(ifconfig | grep ${ovpniface} -2 | grep "inet 10" | awk '{print $4}')

Port Forwarding stopped working after update to pfSense 2.5.1

I have been running these scripts for several months without issue on pfSense 2.4.5 and 2.5.0. After updating to 2.5.1, I noticed port forwarding did not seem to be working. I redid all the pfSense related steps to implement the scripts in case something got deleted or broken during the update.

The log file makes it look as if the scripts are still functioning properly, the pfSense alias for the port is being updated with the new port properly and being updated in transmission as well but when I check to see if the port is open it shows that it is not.

This is what the log file looks like after restarting my OpenVPN connection:

Jun 9 12:39:03 root 56055 [Trans] New port 32264 successfully updated in remote Transmission system.
Jun 9 12:39:03 root 54104 [PIA] New port 32264 updated in pfSense config file.
Jun 9 12:39:03 check_reload_status 416 Reloading filter
Jun 9 12:39:02 root 52603 [PIA] Acquired NEW forwarding port: 32264, current NAT rule port: 37799

Thanks for the help, up until this point the script has been great.

README is missing step 7

Just what the title says. Step 8 refers to staying root like the previous step, but the previous step in the readme is step 6 and it's in the GUI.

VPN offline - empty destination port?

Hi.
Don't know what I'm doing wrong??

General
Empty destination port alias 'Transmission_Port' for rule 'NAT Transmission Port Forward' @ 2020-12-21 20:24:01
Empty destination port alias 'Transmission_Port' for rule 'NAT Transmission Port Forward' @ 2020-12-21 20:30:20
Empty destination port alias 'Transmission_Port' for rule 'NAT Transmission Port Forward' @ 2020-12-21 20:30:21
Empty destination port alias 'Transmission_Port' for rule 'NAT Transmission Port Forward' @ 2020-12-21 20:30:22
Filter Reload
There were error(s) loading the rules: /tmp/rules.debug:91: syntax error - The line in question reads [91]: rdr on ovpnc1 proto tcp from any to 10.8.112.75 port $Transmission_Port -> $Transmission_IP
@ 2020-12-21 20:24:02
There were error(s) loading the rules: /tmp/rules.debug:91: syntax error - The line in question reads [91]: rdr on ovpnc1 proto tcp from any to 10.2.112.31 port $Transmission_Port -> $Transmission_IP
@ 2020-12-21 20:30:23

Can someone help me?

Base64

Not an issue but would it be easier to use 'b64decode -r' instead of 'base64 -d' which means installing the package?

Torguard?

Hi, Can this script be adapted for use on torguard vpn as that can use port forwarding?

fantastic work :)

[PIA-API] Error! Failed to receive Signature!

Hello,
Thanks for the guide and the awesome documentation.
I have a problem after launching the service: this appears in my logs:
[PIA-API] Error! Failed to receive Signature!

Do you have an idea?

Thanks

response from incoming traffic is going out through the default route

Hi,

I'm using this exact setup with pfsense, PIA, and transmission. However I find that the replies to the incoming connection requests are going out through the default route.
To be exact:

  • I can see the SYN requests for incoming connection requests come in through the VPN interface.
  • The SYN/ACK response is going out through my default route though which is the WAN interface.

I saw that there were bug reports for pfsense 2.5.1 with this problem but they claim it's fixed in 2.5.2? I am using pfsense 2.5.2.

Help with Deluge

This is more of a request. I've been trying to get your script to work with Deluge instead of Transmission. Using the guide from their official docs (https://deluge.readthedocs.io/en/latest/devguide/how-to/curl-jsonrpc.html) I've been able to run curl commands from my pfsense terminal to change the listen port on my deluge server:

curl -d '{"method": "auth.login", "params": ["DelugePassword"], "id": 1}' -K /home/custom/piaportforward/curl.cfg
curl -d '{"method": "core.set_config", "params":[{"listen_ports": [1, 1]}], "id": 1}' -K /home/custom/piaportforward/curl.cfg

My problem is that I cannot get it to integrate into your script as I am very unfamiliar with shellscript, especially under pfsense.
