[PIA Tunnel] A Virtual Machine VPN tunnel


Comments

  • edited September 2013
    Wooops. There has been a big bug in all php-gui releases so far .... sorry.
    The Web-UI Overview would show an incorrect port number, so incoming port forwarding did not work with that port.
    The port number returned by the pia-status command was correct.

    Please use the update button on the "Tools" page to get the latest changes, then close your browser.
    The UI should now display the correct port.

    I verified the current releases by running a webserver behind the tunnel so port forwarding should REALLY work again :)
  • I'm Dl'ing the new version now, I'll have a go at it tomorrow.

    re the port forwarding:-  I'm no linux guru (and certainly no scripter) more a cisco guy, but on a cisco firewall/router I can translate the outside destination address to the same or a different port number.

    eg on a cisco fw:-

    static (inside,outside) TCP 209.165.200.15 25 172.16.11.15 2525 netmask 255.255.255.255

    This would translate any tcp traffic hitting the outside interface ip address 209.165.200.15 port 25 to ip address 172.16.11.15 port 2525

    You must somehow be natting the PIA assigned ip address to 192.168.10.101 so if Linux supports PAT (port address translation) I was hoping it would be possible to script the translation of the 'assigned' port number to a static number on the 192.168.10.101 host.


    I'm running uTorrent which supports upnp (I believe) so it might be possible to get linux to tell utorrent to use a particular port.

  • Yes, your torrent client needs to know which port is forwarded. As far as I know, UPnP does not support assigning specific ports to clients. I don't think it's supported by NAT-PMP either.
  • edited September 2013
    I've done a bit of research and this looks like the kind of thing I'm on about.  For the life of me I can't work out how to implement it though!


    iptables -t nat -A PREROUTING -p tcp --dport 2525 -j REDIRECT --to-ports 25


    Cheers
    Nipsy
  • First you have to find a way to let the torrent client know about it. The actual forwarding-to-another-port is not really the problem (and REDIRECT is not the correct solution).
  • But if the nat will translate the changing assigned port to a preset static port then the torrent client will not need to know about it, as it will always be set the same.  In the same way that the torrent client does not know what the outside ip address is, it only cares about its local ip address.
  • That's where you're wrong.

    A torrent client needs to announce its publicly reachable IP and port to peers. Most trackers have detection for private address ranges and silently replace the private IP with the one where the announce originated from. However, the tracker does nothing about the port number.
    This translation does also not work in trackerless swarms, because the DHT has no central authority to check IP addresses. It will also not work if you have more than one IP uplink and your outgoing connections use another IP than the one that you want your incoming connections to use.
    That is why torrent clients allow you to specify your outside IP address.

    The port which a torrent client announces can be anything, the tracker has no way of knowing if it is usable or not. When you set your torrent client to port 6881, it will announce 6881 regardless of whether you have a firewall in place translating 1886->6881 or not*. That is why you need to tell your torrent client about 1886. So that it can tell its peers.


    *Some protocols have NAT-helpers (or conntrack-helpers) which analyze outgoing packets to see if a LAN client sends its internal address to external hosts. With those helpers, the firewall can dynamically map ports and also rewrite those packets to include the correct public addresses and mapped ports. As far as I know no such helper is available for torrent connections.

  • edited October 2013
    Hey nipsy,

    yep pretty much what "VPN" said. The port is assigned to you so any dynamic "port magic" will not work.
    UPnP also works the other way around, software asks for a port to be opened. It is also a security NIGHTMARE so it will never be enabled on this VM, at least not by me.


    I wrote a monitoring script for Windows that can reconfigure Deluge and
    qBittorrent when the port is changed. I looked into uTorrent but they use some sort of binary
    config file which is a pain to work with.
    I have not been happy with the advertising supported version of uTorrent and have only been looking for a reason to drop that turd. Looks like I finally found one.

    Please run update from the "Tools" menu then open the latest documentation and check page 12.

    I have been testing the monitor for a few days and it appears to work
    well. Here is a screenshot of it in action ... yep pretty boring but it
    works :)

    image
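The two posts above make the point that no amount of NAT trickery helps: the client itself has to learn the PIA-assigned port so it can announce it, which is what the author's Windows monitor script does for Deluge and qBittorrent. The following is an added example of that idea for the Linux side, written for this page and not the project's own script. It assumes that the status command prints a line like `port: <number>` (the sample output below is constructed) and that the client's settings file carries the listen port under a `Connection\PortRangeMin` key in `[Preferences]` (an assumed key name; check your client's config before using it). It only rewrites the file; restarting or signalling the client is left to you.

```python
"""Sync a torrent client's listen port to the port PIA assigned.

Added example, not the PIA-Tunnel project's own monitor script.
Assumptions (see lead-in): status output has a `port: N` line; the client
config is INI-style with a `Connection\\PortRangeMin=` key.
"""
import re
from typing import Optional, Tuple

# Matches a `port: 12345` line anywhere in the status output (assumed format).
PORT_RE = re.compile(r"^[ \t]*port[ \t]*:[ \t]*(\d{1,5})[ \t]*$",
                     re.IGNORECASE | re.MULTILINE)

# Key to rewrite in the client config (assumed key name). `[ \t]*` instead of
# `\s*` so the trailing newline is never swallowed by the substitution.
KEY_RE = re.compile(r"^(Connection\\PortRangeMin=)(\d+)[ \t]*$", re.MULTILINE)

# Constructed sample of what the status command is assumed to print.
SAMPLE_STATUS = """\
status: connected
server: some-server
port: 41233
"""

# Constructed sample of a client settings file.
SAMPLE_CONFIG = """\
[Preferences]
Connection\\PortRangeMin=6881
Connection\\UPnP=false
"""


def parse_assigned_port(status_text: str) -> Optional[int]:
    """Return the forwarded port from the status output, or None if absent/invalid."""
    m = PORT_RE.search(status_text)
    if not m:
        return None
    port = int(m.group(1))
    # A forwarded port below 1024 or above 65535 is not something we should
    # push into the client; treat it as "no usable port".
    if not 1024 <= port <= 65535:
        return None
    return port


def set_listen_port(config_text: str, port: int) -> Tuple[str, bool]:
    """Rewrite the listen-port key; return (new_text, changed)."""
    m = KEY_RE.search(config_text)
    if m is None:
        raise ValueError("listen-port key not found in config")
    if int(m.group(2)) == port:
        return config_text, False          # already correct, nothing to do
    new_text = KEY_RE.sub(lambda mm: f"{mm.group(1)}{port}", config_text, count=1)
    return new_text, True


def sync(status_text: str, config_text: str) -> Tuple[str, bool]:
    """Combine both steps; refuse to touch the config if no usable port is known."""
    port = parse_assigned_port(status_text)
    if port is None:
        raise RuntimeError("no usable forwarded port; leaving the client untouched")
    return set_listen_port(config_text, port)


if __name__ == "__main__":
    new_cfg, changed = sync(SAMPLE_STATUS, SAMPLE_CONFIG)
    print("changed" if changed else "unchanged")
    print(new_cfg, end="")
```

Run it from cron or a loop after the tunnel comes up; on a real VM you would feed it the output of the status command and the path of the client's config instead of the constructed samples.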
  • edited October 2013
    Today I tried this puppy and it runs great in the VM... but when I enter my user name and password to try and log in it says "Login Incorrect".  So I checked my password in the windows client and it is the same.

    OK, maybe my password was too long, so I logged into pia and changed my password to something shorter and simpler (and I hate short simple passwords).  Again, the windows client works and the VM client does not.

    So I thought maybe I need to enter the xUsername/pw and not the pUsername/pw.  Nope, that ain't it either.  Tried both combos about 5 times before giving up.

    So, can the VM client not handle symbols/punctuation?  Are there some other limits?

    EDIT:
    I think I may have figured out the problems, the main one being it is late and I am not thinking clearly.  I will look at it tomorrow morning.
  • edited October 2013
    VPN_Dude,
    Sorry for the rambling bs in my last post, it was late after a few beers (in my defense it was Peregrine- a really awesome beer ).

    So I followed your documentation (very clear and well written BTW) and was able to connect to the VPN server in the PIA-management-interface.  I configured the network with the public LAN IP from the VM as instructed, set up the VM network adapters as outlined.  I logged into my hardware firewall and can see that both the laptop AND the VM are connected (that surprised me, how did you do that?)

    BUT the laptop is still not bridging through the VM gateway.  If I go to i.e. whatsmyip.org it always displays my ISP's IP address.  I suspect the problem is from page 2 of the pdf: "Enter the name of LAN segment.  For example 'VPN Bridge' ".  I have no idea what to enter here.  Is this one of the Network Adapters?

    I have tried this setup both through wireless and the LAN ethernet port, both yield the same results.  I wish I could somehow post an image here - I would show some screen snapshots.

    Also - in the VM the keyboard layout defaults to a German keyboard.  Is there a way to change this?

    EDIT: A warning for root passwords: do NOT use special symbols or letters "y" or "z" in your password.  The German keyboard map is different from other keyboards.  The y and z keys are flipped and many of the symbols are on different keys altogether.  Since the password is hidden you will not notice this!  Two keys you may need to run linux commands are the "-" which is on the "/" key and the "/" is shift-7.  I tried running "vi" to change the keyboard mapping to the "us" keyboard but was not successful.


  • enter:- 

    dpkg-reconfigure keyboard-configuration

    note that the german y and - are in the wrong place so use z for y and the numeric keypad -

    then choose your language preferences
  • nipsz,
    thank zou verz much!  That worked!  That German kezboard was driving me crayz.
    :P

    Except now the VM does not connect to the VPN. (unrelated to the keyboard change, it was happening before I touched the mapping).
  • I'm getting the same problem as the above poster - the VM is not connecting to any of the VPNs available.

    I'm going to try and troubleshoot and report back any findings.
  • Okay, got some progress - it seems that the /etc/network/interfaces configuration in my PIA-Tunnel VM didn't contain a "gateway" entry for eth0 - adding "gateway xxx.xxx.xxx.xxx" into that eth0 entry and rebooting the VM with "reboot" seems to have done the trick.

    The web GUI will now happily connect to a VPN and the PIA Daemon will start.
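Since a missing `gateway` line in the eth0 stanza is what broke the tunnel in the post above, here is an added example (not part of the PIA-Tunnel VM) that parses the ifupdown `/etc/network/interfaces` format, reports whether the uplink interface has a gateway, and inserts one. The sample file and the gateway address `192.168.1.1` are constructed placeholders; the internal interface (eth1) correctly has no gateway and must not be flagged.

```python
"""Check and fix the gateway entry of an ifupdown interfaces file.

Added example for this thread; the sample below is constructed.
"""
from typing import Dict, List

SAMPLE_INTERFACES = """\
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.1.50
    netmask 255.255.255.0

auto eth1
iface eth1 inet static
    address 192.168.10.1
    netmask 255.255.255.0
"""

# Top-level keywords that end an iface stanza and carry no options of their own.
_NON_IFACE_KEYWORDS = ("auto", "allow-hotplug", "source", "source-directory", "mapping")


def parse_interfaces(text: str) -> Dict[str, Dict[str, str]]:
    """Map each iface name to its family/method plus the indented option lines."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "iface" and len(parts) >= 4:
            current = parts[1]
            stanzas[current] = {"family": parts[2], "method": parts[3]}
        elif parts[0] in _NON_IFACE_KEYWORDS:
            current = None
        elif current is not None:
            stanzas[current][parts[0]] = " ".join(parts[1:])
    return stanzas


def uplink_has_gateway(text: str, iface: str = "eth0") -> bool:
    """True if the named stanza exists and defines a gateway."""
    opts = parse_interfaces(text).get(iface)
    return opts is not None and "gateway" in opts


def add_gateway(text: str, iface: str, gateway: str) -> str:
    """Insert `gateway <addr>` as the last option line of the named stanza."""
    lines = text.splitlines()
    target_last = None          # index of the last line belonging to the stanza
    in_target = False
    for i, raw in enumerate(lines):
        stripped = raw.split("#", 1)[0].strip()
        if not stripped:
            continue
        if not raw[0].isspace():                 # a top-level line starts a new block
            in_target = stripped.startswith("iface ") and stripped.split()[1] == iface
            if in_target:
                target_last = i
        elif in_target:                          # indented option of the target
            target_last = i
    if target_last is None:
        raise ValueError(f"no iface stanza for {iface}")
    lines.insert(target_last + 1, f"    gateway {gateway}")
    return "\n".join(lines) + "\n"


def static_ifaces_without_gateway(text: str) -> List[str]:
    """All 'inet static' interfaces lacking a gateway (eth1 is expected here)."""
    return [name for name, opts in parse_interfaces(text).items()
            if opts.get("method") == "static" and "gateway" not in opts]


if __name__ == "__main__":
    if not uplink_has_gateway(SAMPLE_INTERFACES, "eth0"):
        print(add_gateway(SAMPLE_INTERFACES, "eth0", "192.168.1.1"), end="")
```

Only the uplink (the bridged adapter) needs the gateway; the internal adapter that the VPN clients sit behind is the VM's own subnet and deliberately has none, which is why the check takes the interface name rather than flagging every static stanza.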
  • Is this project still being maintained? I can't seem to get anything from behind the vpn in my isolated esxi network to have actual internet access.
  • Did you try to contact @VPN_Dude at his site? He does have a contact form linked in the OP.
  • edited May 2014
    I actually got this working on a Mac with VMware Fusion using Vuze for torrents.  I had to put all regular traffic over Ethernet and all VPN traffic over WiFi to get it to work.  After setting VMware Fusion to use the WiFi connection and setting the WiFi router in network preferences to the IP the VM provided it worked.  Then I just went in Vuze, enabled advanced mode and set the advanced network settings to bind to my WiFi IP address; and select enforce IP bindings.

    All you have to do at that point is put in the port for port forwarding and it all works.
  • Wouldn't this be easier and more neat with using VLANs?

    I generally run two routers, one that does VPN encryption and one that doesn't.

    My gateway router runs no vpn, but runs 3 wireless access vlans and a wired trunk vlan.

    VLAN 1 is my general access vlan

    VLAN 2 is my VLAN that my VPN gateway router plugs into

    VLAN 3 is my security VLAN that has all my cameras and video recording storage.

    The last wired VLAN acts as a trunking to push the rest out to the modem.


    This setup also works to limit the amount of cross traffic happening. My VPN router was taking on too much load, as it was bulk encrypting while also dealing with 3-4 Mbit/s of security video.

    My ultimate goal will probably get myself a second hand enterprise level router (ie CISCO 2811 or 2911) and run my wireless routers as simple access points/bridges and have the router do bulk encryption since they have dedicated crypto processors. That and the feature set is much richer.

    I am always skeptical of using PCs to establish the tunnel for encryption. While they're good for performance capability, the complexity of a PC operating system means the surface area for potential attack or bugs is huge. Dedicated routers run a much more slimmed down interface and when properly configured do better as a perimeter security device.

    I do support the idea of using an old PC as an inside or outside firewall, but as network security I don't trust them.

  • what is the keyboard mapping configured in the vm image ?

    I found that most of the symbol keys are wrong.
    and how to configure network adaptor in virtualbox ?

    I imported the ovf in virtualbox.
    network adaptor 1 is bridged network
    network adaptor 2 is internal network

    is that correct?

    When booting up the vm, I could not see any IPs shown in boot up screen.

    image


  • I found that the vpn server list is outdated in the image. For example, japan, hong kong are not found in the vpn server list.

    How to add those in the pia-tunnel vm ?
  • I found that the vpn server list is outdated in the image. For example, japan, hong kong are not found in the vpn server list.

    How to add those in the pia-tunnel vm ?
    Hoping these get added in the next release :)

    FYI the keyboard is some german setting, but the instructions from here (https://github.com/KaiserSoft/PIA-Tunnel/blob/master/docs/Clean Installation Steps.txt), assuming I'm talking about the same VM, note 
    Set to en_US.UTF-8 locale or change with 'dpkg-reconfigure locales' later on
    Then you should stop getting the translation popups in chrome!

    Also note, if you build it, don't use a 64bit debian, else the proxy won't work! Should be fixed in the next update though I believe. Had some issues with that (but great support to fix)

    Great little VM to use anyway.
  • Why would anybody want this?
  • edited February 2015
    Why would anybody want this?
    Maybe running in a VM is a better option than running on a low spec dedicated router for some. I use a VM as a gateway for other VMs, so I don't have to mess with iptables, and so I'm not limited by hardware slowing my connection. 
    And I have a server with spare resources.
    And why not?
  • Why would anybody want this?
    With this virtual machine you can have all your torrent traffic go over the VPN but keep all legal traffic going over your regular internet connection.
  • Love what you're doing with this, but had a quick question.  When doing an update through the web interface, does it also update the debian packages?  Should you also do an apt-get update && apt-get upgrade?
  • edited June 2015
    Ok, I am currently using an old notebook running windows and connecting via the windows client (I like the kill switch)... I use Qbittorrent on that, and use the WebGUI to allow me to submit magnets to this machine, from elsewhere on my lan (non-vpn).


    I like this setup, but want to substitute the notebook with a VM on another overpowered machine that is just running KODI. I'd like to do away with the other notebook. I have a bit of VM experience, but very little command line debian level experience...


    So, am I over-reaching? is there a way to still use Qbittorrent in a way that I can submit to it from elsewhere on the LAN? I use a Chrome extension called "Remote Torrent Adder" to do that part with.  It's always been solid up until this latest 3.2.0 release, 

  • Does anyone know what encryption settings the virtual machine uses for PIA?

    I can't seem to find the information anywhere.

    Thanks.
  • This is the best VPN i ever used.

    Thanks PIA!