How to port forward with pfSense (Advanced Users)
(work in progress)
Please DO NOT ask PIA support to assist with these guides or steps in any manner as they are all unofficial! Thank you!
How to port forward with pfSense (Advanced Users)
=================================================
* NOTE: This guide assumes you have already set up your pfSense router with the following guide first...
"OpenVPN Step-by-Step Setup for pfsense [firewall/router] (with video)"
https://www.privateinternetaccess.com/forum/discussion/18111/openvpn-step-by-step-setup-for-pfsense-firewall-router-with-video
** If you have not, please do so first before attempting this guide!
Make sure your PIA VPN is working correctly!
============================================
- https://www.privateinternetaccess.com/pages/whats-my-ip/
- Should be "You are protected by PIA"
- http://dnsleak.com/
- Should be "Looks like your DNS is not leaking..."
- http://ipv6leak.com/
- Should be "Looks like your IPv6 is not leaking..."
- https://www.browserleaks.com/webrtc
- "Is WebRTC Enabled × False"
- disable media.peerconnection.enabled if it shows true
Set up the port forwarding range between your pfSense router and the computer connected to it
=============================================================================================
* Thanks to "splurben" and his "Port Forwarding - Step-by-Step - Demystified - pfSense 2 [SOLVED]" guide here - https://forum.pfsense.org/index.php?topic=55676.0
Step 1) Log into your pfSense router
- https://192.168.1.1/index.php
Note: * We need a static LAN IP for this to work, therefore we need to adjust the DHCP server
** Since I want to use an IP that is currently within the DHCP server range ( 192.168.1.222 ) I must first shrink the range for this IP to become useable
Step 2) Adjust the DHCP server range
- Go to Services…DHCP server
- Set the "Range" to be from 192.168.1.10 to 192.168.1.220
- Scroll down and click ‘Save’
Step 3) Set the static LAN IP for the computer
- Check under Status…DHCP Leases to find the IP Address and make its address static
- Click the plus icon "add a static mapping for this MAC address"
- IP address 192.168.1.222
- Scroll down and click ‘Save’ and then ‘Apply’ on the next screen
- Disable, then reenable the network interface to obtain the new static LAN IP
- Confirm the new IP with ifconfig
Step 4) ALIASES FOR DESTINATION DEVICE(S) (HOST(S))
- Go to Firewall…Aliases from the main screen of pfSense
- Click the plus icon "Add a new alias"
- Name your host (no spaces or symbols; underscores allowed) Ex. MyManjaroVM
- Type: Host(s)
- Click the plus icon "add another entry" under "IP or FQDN"
- IP Address must match IP address of the "host" on your network Ex. 192.168.1.222
- Click ‘Save’ and then ‘Apply’ on the next screen
Step 5) ALIASES FOR NON-STANDARD PORTS
- Go to Firewall…Aliases from the main screen of pfSense.
- Click the plus icon.
- Name your port(s) alias (no spaces or symbols; underscores allowed) Ex. PIA_ports
- Type: Port(s)
- Click the plus icon under the Port(s) section.
- We want to forward a port range 13000 through 65535 from the Wide Area Network (WAN) PIAINTERFACE to one host on my Local Area Network (LAN).
- Enter 13000:65535 and press the ‘Save’ and then ‘Apply’
Step 6) CREATE NAT:RULE IN ONE STEP
- Go to Firewall…NAT.
- Click the Plus icon on the bottom-right.
- For "Interface" we need to choose "PIAINTERFACE"
- For "Destination" > "Type:" set "PIAINTERFACE address" or "any"
- Enter your port(s) alias name in Destination Port Range - Ex. PIA_ports
- Enter your Host alias name in "Redirect target IP" box - Ex. MyManjaroVM
- For "Filter rule association" set to "Add associated filter rule"
- Click ‘Save’ and then ‘Apply’ on the next screen
Now gather LAN IP of the PIAINTERFACE interface needed to request a port from PIA
=================================================================================
- From the main pfSense page get the LAN IP of the PIAINTERFACE interface
-- Ex. 10.115.1.6
Now follow the "Port Forwarding with OpenVPN (Linux/Windows/PfSense)" to request a port
=======================================================================================
To create, configure and run one of the scripts to request a port you will need the following 4 pieces of information...
1) - Your PIA VPN username
2) - Your PIA VPN password
3) - A Client ID (random 32 character hash)
4) - Finally your current LAN IP of the OpenVPN tunnel * Also known as the IP of the PIAINTERFACE interface within pfSense
-- Ex. 10.115.1.6
This info will look like the following...
piauser="p1234567"
piapass="Hi3kF3g283"
client_id="d077f244def8a70e5ea758bd8352fcd8"
local_ip="10.115.1.6"
# Generate a random 32 character hash
# Go to http://www.freecodeformat.com/md5.php
# Type in some random characters or words.
# Click the "MD5 Hash 32_Lowercase" button to get your 32 character hash!
# Enter your unique Hash here between the double quotes
# Example: client_id="d077f244def8a70e5ea758bd8352fcd8" <-- DO NOT USE THIS ONE!!!
Port Forwarding with OpenVPN on Linux/Windows/PfSense (Advanced Users)
- basic-pia-port.bash (Linux/PfSense Bash Script)
- pia-port.bash (Linux Bash Script)
- pia-port.ps1 (Windows PowerShell Script)
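
Added example, not part of the original guide or of the linked scripts: one way to produce the client_id locally from /dev/urandom instead of typing text into a third-party MD5 page, and to pull the tunnel's IPv4 address out of ifconfig output for local_ip. The function names and the sample ifconfig output are constructed for illustration.

```shell
#!/bin/sh
# Added example: build the client_id and local_ip values locally.

# The sample client_id printed in the guide; it is public, so never reuse it.
GUIDE_SAMPLE_ID="d077f244def8a70e5ea758bd8352fcd8"

# 16 bytes from the kernel CSPRNG, hex-encoded: 32 lowercase hex characters.
gen_client_id() {
    dd if=/dev/urandom bs=16 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Return 0 only for a 32-character lowercase hex string that is not the
# guide's published sample.
check_client_id() {
    [ "${#1}" -eq 32 ] || return 1
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "$1" != "$GUIDE_SAMPLE_ID" ]
}

# Read ifconfig output on stdin and print the first IPv4 address.
# Matching the "inet" keyword exactly skips inet6 lines wherever they appear.
tunnel_ipv4() {
    awk '$1 == "inet" { print $2; exit }'
}

# Constructed sample of FreeBSD-style `ifconfig ovpnc1` output (not captured
# from a real system); on the router, pipe the real command in instead.
sample_ifconfig() {
    cat <<'EOF'
ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    inet6 fe80::1%ovpnc1 prefixlen 64 scopeid 0x7
    inet 10.115.1.6 --> 10.115.1.5 netmask 0xffffffff
EOF
}

client_id=$(gen_client_id)
if check_client_id "$client_id"; then
    echo "client_id=\"$client_id\""
fi
echo "local_ip=\"$(sample_ifconfig | tunnel_ipv4)\""
```

On the router itself, replace `sample_ifconfig` with `ifconfig ovpnc1`.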


Comments
Not sure if the bottom part was meant to be links or downloads but I get lost at that bit lol. Might try this some time through the week.
Also, do you need to forward that port range above, or could you just do a single port if you wanted a single port? Or does PIA send you a random port to use, and if so, how can you tell what the port is?
piauser="TYPE YOUR PIA USERNAME HERE"
piapass="TYPE YOUR PIA PASSWORD HERE"
client_id="TYPE YOUR MD5 CLIENT ID HERE"
With your individual details inside the quotes, keeping the quotation marks. Enjoy
#!/bin/sh
# PIA VPN PfSense 2.3 config script
######################################################
# Configuration Section
######################################################
piauser="TYPE YOUR PIA USERNAME HERE"
piapass="TYPE YOUR PIA PASSWORD HERE"
client_id="TYPE YOUR MD5 CLIENT ID HERE"
######################################################
# End of Configuration Section
######################################################
# Warning! Do not edit anything below unless you intend to modify this script
clear
echo "========================================================"
# The PIA port request URL (You should not need to change this)
pia_request_url="https://www.privateinternetaccess.com/vpninfo/port_forward_assignment"
# Test if running as root or not
user=$(whoami)
echo ""
if [ "$user" = "root" ]; then
    echo "- User is root (Good!)"
else
    echo "This script must be run as root! You are currently logged in as \"$user\""
    echo ""
    echo "Please switch to root and run the script again!"
    echo ""
    exit 1
fi
# Gather current time and date
date_now=$(/bin/date +"%Y-%m-%d_%H:%M:%S")
# Check for ovpnc1
tuncheck=$(ifconfig ovpnc1 2>&1)
if [ $? -eq 0 ]; then
    #echo "tun check = $tuncheck" # Uncomment for debugging
    # Take the address from the IPv4 "inet" line only (inet6 lines are skipped)
    local_ip=$(echo "$tuncheck" | awk '$1 == "inet" {print $2; exit}')
    if [ "$local_ip" = "" ]; then
        echo "- local_ip pull failed! Attempting alternate pull!"
        local_ip=$(ifconfig ovpnc1 | grep inet | awk 'NR>1 {print $2}')
    fi
    if [ "$local_ip" = "" ]; then
        # Do not send a request without a tunnel address
        echo "Could not determine the IP of ovpnc1"
        exit 1
    fi
else
    # Inform user that the tunnel is not up! You are not connected to the VPN!
    echo "ovpnc1 not present - Please connect to the VPN and run this script again"
    exit 1
fi
# Var output for reference
echo ""
echo "Requesting a port with the following information from..."
echo "... $pia_request_url"
echo "- client_id = $client_id"
echo "- local_ip = $local_ip"
echo ""
echo "Hint: Change client_id to cycle to a new port number"
echo ""
echo "One moment..."
echo ""
# The magic part! PIA don't let me down!
# Post a request for a port to PIA's https://www.privateinternetaccess.com/vpninfo/port_forward_assignment
# --data-urlencode keeps characters such as & or = in the password from breaking the form body
pia_response=$(curl -s --data-urlencode "user=$piauser" --data-urlencode "pass=$piapass" --data-urlencode "client_id=$client_id" --data-urlencode "local_ip=$local_ip" "$pia_request_url" 2>/dev/null)
# Check if PIA actually responded or not
if [ ${#pia_response} -gt 0 ]; then
    echo "PIA has responded as of $date_now"
else
    # Inform user that the pia server failed to respond in an expected manner
    echo "Failed to get response from PIA with request sent."
    echo ""
    exit 1
fi
echo "PIA's Response: $pia_response"
echo ""
echo "========================================================"
I hope to be able to try this out sometime!
I have my RT-AC56R router with ASUSWRT on it, I use openvpn config files from PIA website. Is there a way to modify them to request a port? I can't seem to find any info on the subject.
Thank you for your efforts.
EDIT:
Does this help?
https://www.pantz.org/software/openvpn/openvpn_with_private_internet_access_and_port_forwarding.html