@lavamind My solution is much simpler, and you don't need systemd for it to work, it works on any linux, also your solution forwards a different port every time it is run, my script forwards the same port every time unless you request a new one with the -n switch. PIA client bash
It's working for 99%. The issue I've got is that when the script is called automatically, PIA does not allow calling the API (Curl HTTP://something). For now, I've left that part to an external monitor that will signal the VPN is UP and will react by calling the up.sh script.
Does anyone have a non-systemd solution for this? Calling a script from my openvpn_up fails to connect the curl command, but it works when I manually run that same script.
look up 2 posts. my script has all the features of the official client and works on all linux.
I was trying to run this on my NAS, so I kinda wanted to keep with the stock connection implementation, but I'll dig through that to see if it gives me any clues on code to modify. Thanks.
This is because openvpn won't allow packets across the tunnel interface until all scripts started by it have finished. To get around this, I have the openvpn_up script call another in the background and not wait for it to complete. Then, in that script I sleep for a bit, then run the port_forwarding commands. That seems to take care of it.
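The pattern described in the post above, as an added example (not a script from this thread or from PIA): an OpenVPN --up script that returns immediately and leaves the port-forwarding work to a detached worker. OpenVPN keeps the tunnel closed until --up exits, so the worker is started with setsid and its stdio redirected, so that OpenVPN is not waiting on it. The worker then polls until the tun device is routable and the port-forwarding service address quoted later in the thread (209.222.18.222) answers a ping, and only then runs the API step. The path of that API script (PF_SCRIPT) and the log file are hypothetical placeholders.

```bash
#!/bin/bash
# up.sh: invoked by OpenVPN as  up.sh <dev> <tun_mtu> <link_mtu> <ifconfig_local> ...
# (OpenVPN must be started with "script-security 2" for it to run scripts.)
# Added example; PF_SCRIPT and LOG are hypothetical paths, not from the thread.
PF_SCRIPT="${PF_SCRIPT:-/etc/openvpn/pia-pf.sh}"
LOG="${LOG:-/var/log/pia-pf.log}"

# wait_for <max_tries> <sleep_seconds> <command...>
# Retries <command> until it succeeds; returns 1 after <max_tries> failures.
wait_for() {
    local max_tries=$1 delay=$2
    shift 2
    local n=0
    while ! "$@" >/dev/null 2>&1; do
        n=$((n + 1))
        [ "$n" -ge "$max_tries" ] && return 1
        sleep "$delay"
    done
    return 0
}

# tunnel_ready <dev>: true once the tun interface has a route and the
# PIA port-forwarding service answers one ping sent through that interface.
tunnel_ready() {
    local dev=$1
    ip route show dev "$dev" 2>/dev/null | grep -q . || return 1
    ping -c 1 -W 2 -I "$dev" 209.222.18.222 >/dev/null 2>&1
}

# worker <dev>: runs detached from OpenVPN; waits up to 60 x 2 s for the
# tunnel, then calls the API script once, inside the two-minute window.
worker() {
    local dev=$1
    if wait_for 60 2 tunnel_ready "$dev"; then
        "$PF_SCRIPT" "$dev" >>"$LOG" 2>&1
    else
        echo "$(date) tunnel on $dev never became ready" >>"$LOG"
    fi
}

case "${1:-}" in
    --worker) worker "$2" ;;                   # internal re-entry, runs in the background
    "")       : ;;                             # no arguments: only define the functions
    *)        # called by OpenVPN: detach the worker (own session, no shared fds) and return at once
              setsid "$0" --worker "$1" </dev/null >/dev/null 2>&1 &
              exit 0 ;;
esac
```

Because the worker is a separate session with no open file descriptors back to OpenVPN, the --up script exits within milliseconds and OpenVPN proceeds to open the tunnel; the sleep-and-retry loop then absorbs the 30-40 second delay that several posters report before the service address becomes reachable.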
Heya. I've written a script that is for putting the mapped port into Transmission's configuration. What would be nice is if there was a way to kick off scripts from the PIA client upon connect and close. I could use the one triggered by a connection to configure Transmission, and use one triggered by connection closed to kill any Transmission processes. Any chance we could get that feature added to the PIA manager?
Can you show your script? My openvpn_up script calls the port_forward script (sh /tmp/port_forward.sh &) but it is not working
Check this reddit discussion, I had exactly the same problem on freeNAS and I think I found a solution:
https://www.reddit.com/r/freenas/comments/7liuce/transmission_port_forwarding_using_pia_vpn/
I am having trouble getting this script to work, I think..? I login to PIA through dd-wrt which I run on a nighthawk router. I am able to download the port_forwarding.sh script and run it in cmd but it keeps returning "Port forwarding is already activated on this connection, has expired, or you are not connected to a PIA region that supports port forwarding"
I have tried to run it within 2 minutes of rebooting the router. I cannot figure out what my issue may be. Can anyone assist? I am not certain that there is or is not a port open as I am not sure how to verify which port may be open. Thanks!
@billwill976 Just to make sure, which PIA region are you connected to? In theory that setup should work just fine, so I'm thinking maybe you forgot to connect to a PF-enabled region?
I'm connected through Netherlands. I have been working on this today and have been getting a different result. The script now consistently returns {"error":"bad client_id"}. Since I'm not declaring a client ID I am not certain how to remedy this. Any thoughts?
The client_id should be generated by the script itself, however it might be failing because the router lacks some files or commands that are expected to be present on a regular Linux system.
I tried it on DD-WRT and this is what I get:
~# head -n 100 /dev/urandom | sha256sum | tr -d " -"
-sh: sha256sum: not found
so you are likely indeed not providing a valid client_id unknowingly.
Try this command alone instead of the script (which is what it ends up generating):
@Max-P, that command did return a port number if executed immediately after reestablishing a connection. However, the port is not forwarding according to various resources. I've opened the port on DD-WRT but it's not working for some reason. Do you have any other thoughts?
How did you set up the port forwarding on DD-WRT?
If you have run my command and got a port, you have the port routed to your router. Now you need to find a way to tell DD-WRT how to forward that to your computer, which is a bit trickier than it sounds because if you use the regular port forwarding GUI in DD-WRT, it generates iptables rules that hardcode your WAN IP, like this (where 192.168.0.176 is my WAN IP):
On top of that, the iptables rules are entirely flushed and regenerated/reapplied every time your network configuration changes on the router. So for this setup to work, you will need to make a script that's called on every connection change/firewall reload and add custom rules to forward your forwarded port from the tun to your computer on the LAN.
Honestly I think it would be much simpler to just run the client on the computer itself, as forwarding a port from a router from a VPN where the port can change at any moment can quickly get hacky and complicated...
So at the risk of asking a stupid question, is the forwarded port TCP only, or both UDP and TCP? I have it working on my torrent docker client, but before I go tweaking a fiddly script, I want to figure out if it's possible to run the torrent connection on this port (TCP) and DHT on it as well (UDP)
Yep, just tested it on my machine and the port is both TCP and UDP!
I also receive only "Port forwarding is already activated on this connection, has expired, or you are not connected to a PIA region that supports port forwarding".
I'm definitely calling the example script within two minutes of establishing the connection, and it doesn't seem to matter which gateway I'm trying.
I can't seem to use the old API either.
Is the roll-out of the new API not actually completed yet?
Okay- in my case the issue was my older route up scripts for openvpn needed updating. I use ip route/rule commands for split tunneling, so needed to add an "ip rule add from all to 209.222.18.222 lookup 10" to ensure the curl connection goes through the VPN'd interface.
Once that change was made I successfully got a port... Thanks!
Thank you zzzasdf. That is just what I needed. I now have two vpn tunnels, tun0 and tun1 on my dd-wrt router. I only have one device, my htpc going through tun0 to a port forwarding server so it is not the default gateway. This caused the script to fail as tun1 (us based) tunnel is the default gateway. I have my default route for tun0 in table 1 so I just added your line "ip rule add from all to 209.222.18.222 table 1" and the script works. Now I just have to add parsing to the script to get just port # and iptables rules to add that port to port forwarding in the PREROUTING and FORWARD chains.
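What the two router posts above are asking for (Max-P's "script that's called on every firewall reload" and the PREROUTING/FORWARD rules mentioned in the last post), as an added example that is not code from this thread, DD-WRT or Tomato: a firewall-reload hook that forwards the PIA-assigned port from the tun interface to one LAN host. It matches on the incoming interface rather than on an IP address, so it does not break when the VPN address changes the way the GUI-generated rules do, and it is safe to re-run: each rule is checked with -C before being added, and rules for a previously applied port are removed first. The port file written by the API script, the state file, the LAN host and the tun device name are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: firewall-reload hook for a router running the PIA tunnel.
# Assumed (hypothetical) layout: the script that called the API wrote the
# assigned port to /tmp/pia_port; LAN_HOST is a constructed sample address.
TUN_DEV="${TUN_DEV:-tun0}"
LAN_HOST="${LAN_HOST:-192.168.1.50}"
PORT_FILE="${PORT_FILE:-/tmp/pia_port}"
STATE_FILE="${STATE_FILE:-/tmp/pia_port.applied}"

# valid_port <value>: an integer in 1..65535. Anything else is rejected,
# because the value is spliced into an iptables command line.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# pf_rules <tun_dev> <port> <lan_host>
# Prints one rule per line as "<table> <chain> <rule-spec>": a DNAT in the
# nat table for TCP and UDP (the forwarded port carries both, as confirmed
# above) plus the matching FORWARD accept for each.
pf_rules() {
    dev=$1; port=$2; host=$3
    for proto in tcp udp; do
        echo "nat PREROUTING -i $dev -p $proto --dport $port -j DNAT --to-destination $host:$port"
        echo "filter FORWARD -i $dev -p $proto -d $host --dport $port -j ACCEPT"
    done
}

# change_rules <add|del> <tun_dev> <port> <lan_host>: apply pf_rules output.
change_rules() {
    action=$1; shift
    pf_rules "$@" | while read -r table chain spec; do
        # $spec is deliberately unquoted: it must be split into arguments.
        if [ "$action" = add ]; then
            iptables -t "$table" -C "$chain" $spec 2>/dev/null ||
                iptables -t "$table" -A "$chain" $spec
        else
            iptables -t "$table" -D "$chain" $spec 2>/dev/null || true
        fi
    done
}

# apply_port_forward: read the current port, remove rules for a stale one,
# add rules for the current one, and remember what was applied.
apply_port_forward() {
    port=$(cat "$PORT_FILE" 2>/dev/null || true)
    if ! valid_port "$port"; then
        echo "no usable port in $PORT_FILE ('$port')" >&2
        return 1
    fi
    old=$(cat "$STATE_FILE" 2>/dev/null || true)
    if valid_port "$old" && [ "$old" != "$port" ]; then
        change_rules del "$TUN_DEV" "$old" "$LAN_HOST"
    fi
    change_rules add "$TUN_DEV" "$port" "$LAN_HOST"
    echo "$port" > "$STATE_FILE"
}
```

Call apply_port_forward from the router's custom firewall script slot (both DD-WRT and Tomato run one after their own rules are regenerated) and again from whatever obtains a new port, so the rules survive the flush Max-P describes. Older firmware builds whose iptables predates the -C option (added in 1.4.11) will need the existence check replaced by a grep over iptables-save output.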
Is there a valid answer here that I have missed?
Never mind finally got it. Now just need to know how to use that port number on DD-WRT. Some firewall script I am told.
And I did so because it can be a bit tricky to get this working on the router, at least for the average user.
One of the problems I find w/ using the OpenVPN scripting engine for these purposes is that normally the tunnel is NOT accessible while under construction. As a result, during event handling, it's highly unlikely you'll be able to access anything over the tunnel until after the OpenVPN client has completed initialization. In fact, sometimes, well after initialization.
That's why my scripts work *outside* the scripting engine, only after the OpenVPN client has completed initialization. I actually monitor the OpenVPN process on the router and wait until I get a successful ping of the PIA port forwarding service IP (209.222.18.222). Even so, sometimes I may have to wait up to 30-40 seconds before that ping will respond! Once it does (if it does, every once in a blue moon it will NOT respond within the two minutes), then and only then do I get the external port, configure the local firewall, and optionally, update DDNS (dnsomatic.com) w/ the PIA public IP.
At least that has been my experience in dealing w/ the OpenVPN scripting engine. I've used it for many other projects over the years, and have run into this problem of wanting to use the tunnel from within the scripting engine (ip, route-up, etc.) and never had much success. At best, if it ever worked at all, it was unreliable.
So hopefully dd-wrt and tomato users will find these scripts useful. I don't claim them to be the definitive answer. I'm sure there are other options. But again, I developed them specifically for dd-wrt and tomato users to ease the burden of implementation on those platforms. If you have questions, feel free to ask. I also hangout regularly on the dd-wrt and tomato forums (linksysinfo.org).
Found a strange problem last night w/ the PIA API. Just wondering if anyone else has found the same.
Because I'm supporting the PIA API on dd-wrt and tomato routers, which are very limited environments, I don't have the luxury of having access to any and all Linux utilities. In this case, curl. Some builds have it, some don't. And because of this, I try to write my scripts to the lowest common denominator, which means I'll try to use only wget and avoid curl if I can get away with it.
So last night I updated the scripts to use wget w/ the PIA API instead of curl, and it works just fine. Tested it over and over, no issues. Then I get up this morning and suddenly it doesn't work. Keeps telling me the connection has been reset by the peer. I try repeatedly, no luck. So I go back to using curl, it works.
What's going on here? The PIA API just doesn't seem reliable unless I use curl. Now I suppose there's always the possibility that my version of wget has a problem w/ the PIA servers, but wget is also a pretty simple utility. And like w/ curl, I'm only using http, not https. But as I said, it worked initially. And repeatedly. Then several hours later, no code changes, it stops working.
If it matters, I was (and always have been) using the sweden.privateinternetaccess.com server.
I guess the bottom line is, does the PIA API *require* curl?
@eibgrad We use curl because it's the simplest command for the job, but it's just a normal HTTP request so any client should work including wget (or even netcat which I think is included in busybox).
The catch is that the API is only available for two minutes after connecting to the VPN, so that all settings are set and locked for the duration of the VPN session (and allows the server to clean up the firewall/routing table a bit). You can also call the API only once: on the first call, it gives you a port and disables itself. If you try to open a second port, you can't as the API is already gone.
The only reason it's a separate API in the first place is because there's no way to pass custom options to the OpenVPN server while remaining compatible with unmodified OpenVPN clients.
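An added example (not the thread's script, nor PIA's client) pulling together the points made in the posts above: Max-P's note that the request is plain HTTP so curl or wget both do, the DD-WRT finding that sha256sum may be missing when generating the client_id, the "bad client_id" reply, the request to parse just the port number out of the response, and the rule that the API answers once, within two minutes of connecting. The request URL and form field are placeholders to be taken from PIA's documentation (the page only gives the service address 209.222.18.222); the client_id file path is hypothetical. Storing the client_id is what makes the service return the same port on every reconnect; delete the file to ask for a new one.

```shell
#!/bin/sh
# Added example: request and check a forwarded port from the PIA service.
PF_URL="${PF_URL:-http://209.222.18.222/PLACEHOLDER_PATH}"   # placeholder, see PIA docs
ID_FILE="${ID_FILE:-/etc/openvpn/pia_client_id}"            # hypothetical path

# sha256_hex: SHA-256 of stdin as 64 hex characters, using the first tool
# found (DD-WRT builds often lack sha256sum, as shown earlier in the thread).
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -c1-64
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 | cut -c1-64
    elif command -v openssl >/dev/null 2>&1; then openssl dgst -sha256 | sed 's/^.* //'
    else echo "no SHA-256 tool found" >&2; return 1
    fi
}

# new_client_id: 256 random bits from /dev/urandom, hex encoded.
new_client_id() { head -c 32 /dev/urandom | sha256_hex; }

# valid_client_id <id>: exactly 64 lowercase hex characters.
valid_client_id() {
    case $1 in ''|*[!0-9a-f]*) return 1 ;; esac
    [ ${#1} -eq 64 ]
}

# client_id <file>: reuse the stored id when it is well formed, otherwise
# generate one and store it readable by the owner only.
client_id() {
    f=$1
    id=$(cat "$f" 2>/dev/null || true)
    if ! valid_client_id "$id"; then
        id=$(new_client_id) || return 1
        ( umask 077; echo "$id" > "$f" ) || return 1
    fi
    echo "$id"
}

# parse_port <json>: print N from {"port":N}; on {"error":"..."} or any
# other reply, report it on stderr and fail. Needs no jq, so it works on
# busybox routers too.
parse_port() {
    port=$(printf '%s' "$1" | sed -n 's/.*"port"[[:space:]]*:[[:space:]]*\([0-9]\{1,5\}\).*/\1/p')
    if [ -n "$port" ]; then echo "$port"; return 0; fi
    err=$(printf '%s' "$1" | sed -n 's/.*"error"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
    echo "PIA API: ${err:-unrecognised reply: $1}" >&2
    return 1
}

# http_post <url> <form-data>: curl when present, otherwise wget
# (busybox wget accepts --post-data when built with long options).
http_post() {
    if command -v curl >/dev/null 2>&1; then curl -s -m 10 -d "$2" "$1"
    else wget -q -O - -T 10 --post-data="$2" "$1"
    fi
}

# request_port: call once per session, inside the two-minute window after
# the tunnel comes up; the service disables itself after the first answer.
request_port() {
    id=$(client_id "$ID_FILE") || return 1
    parse_port "$(http_post "$PF_URL" "client_id=$id")"
}
```

A non-zero exit from request_port with "bad client_id" on stderr is the symptom billwill976 hit when the hashing pipeline silently produced an empty id; validating the id before sending it turns that into a local error instead of a wasted one-shot API call.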
I plan on doing a write up soon, but the gist of my set up is that I wanted the VPN server with port forwarding to always run, but I only wanted Torrent traffic to traverse the VPN. So I set up my openvpn server to call a script that sets a setfib route over the VPN, then that script calls another script to run the port forward API and bring up transmission using the setfib route, you need to do some sed editing to automagically set the port in the transmission config. A bit complicated but works very nice.
OMG THANK YOU THANK YOU! Works beautifully!! Port forwarding on my kali linux box has been a [email protected]! No matter what I tried it NEVER WORKED!! I've been struggling with it for over 2 years. I have no problem port forwarding from my windows machine on the same network. Anyways, I'm finally able to do it; this script did the trick!!
Guys: If you're getting an error that your PF has expired or you're not in the correct region, what part of that statement is unclear to you?
1. Disconnect PIA
2. Reconnect to a PIA region that allows PF (that info is given on this site a million times) ** If you already were connected to a PF region to begin with, this time connect to a different one.
3. Run PF script. **You must run the script within 2 minutes of launching PIA in order to get a port assignment otherwise it expires and you get the above mentioned error.
4. Get PF info
Most recent version on https://gist.github.com/GamerGun/20f08da8ff2712db6e62c5edc83fd541
Make sure to run this as a scheduled task (Boot-up task) so it will run automatically and just once after your NAS boots.
The 30 seconds sleep is to give the connection time to get up first.
You will need shasum or sha256sum (which is part of md5deep and can be obtained via iPKG).
It will also log to Log Center so you can see what is going on and confirm the port matched with the setting in Download Station.
Test using https://torguard.net/checkmytorrentipaddress.php and https://www.yougetsignal.com/tools/open-ports/
Feel free to contact me in case of issues / questions.
#!/bin/bash
PATH=$HOME/bin:$PATH
export PATH
# Get forwarding port number from api script:
APIPORT="$(port_forwarding.sh)"
# '.port // empty' prints nothing (instead of the string "null") when the
# API answered {"error":...}, so the emptiness check below really catches it.
PORT="$(echo "${APIPORT}" | jq -r '.port // empty')"
# Update Transmission config with new port number:
if [ -z "${PORT}" ]; then
exit 1
fi
# Make a temp file, because jq doesn't do in-place edits.
tmp=$(mktemp)
# Make another temp file because jq REFUSES to accept the
# filter as a variable. Use jq -f to get filter from this
# file.
tmp2=$(mktemp)
# Create filter and put it in file:
FILTER=( ".[\"peer-port\"] = $PORT" )
echo -n "${FILTER[@]}" > ${tmp2}
# Use jq to change transmission's port.
env jq -f ${tmp2} ${HOME}/.config/transmission/settings.json > "${tmp}" && cat "${tmp}" > ${HOME}/.config/transmission/settings.json
# Clean-up our messy temp files.
rm -f ${tmp} ${tmp2}
exit 0
Can be combined with the previous script I wrote of course. Just run that one after a successful reconnect!
https://gist.github.com/GamerGun/0c82142f434178867c1de0cbd29622a4