Hello, newbie here. I have read and read, and read. I just can't piece this together. I know there is a way to do it, but I just can't figure it out. A step by step would be appreciated. I have an AsusWRT Merlin on my Asus router. I want to connect to PIA servers using the .ovpn files, use the servers that have the ability to port forward, and call that server for port-forwarding from my router, not the app. Now I know that I needed Merlin to do it, so I upgraded my router to the newest. Works great. But here is where I get stuck. I have the .ovpn files on hand, the Asus Merlin fired up and ready to go. What do I do next?????
I believe that this excerpt from another post is what I need, but I can't find the directions....
I'm a former IPredator user and that just worked. I could connect, put any random port in uTorrent, forward that port in my router, and I had no problems.
If you forwarded the port on your router then the VPN was logically never active and your torrents were running outside of the VPN. When you request port forwarding in the app, it creates a forwarded port between the PIA gateway to the PIA app through the VPN tunnel. The router is never involved in this process, it's strictly between your computer and the PIA gateway. Because of that, it also means that the forwarded port arrives directly at your computer, so you should only have to put that port number into any software and it should just work (unless you have a firewall, and said firewall blocks that incoming connection from the TAP interface).
That is unless you use your router to connect to PIA and protect all of your computers at once. In that case, running the script(s) on your computer will never work because even if you do get the port forwarded it will be forwarded to your router at which point it won't know what to do with it. This bypasses the rules in the configuration interface (as those create rules for connections arriving at the WAN side, not from a VPN interface). For this to work, you will need to request the port in a script running on the router, and then have that script create the required firewall rule to redirect it to your computer. If this is your setup, I would heavily recommend running the VPN on the computer instead to simplify the process.
(that piece was from another post that ultimately was re-directed to this current post.. :-/)
specifically:
---"For this to work, you will need to request the port in a script running on the router, and then have that script create the required firewall rule to redirect it to your computer. "---
Has anyone managed to get this new API to work with a pfsense router? One thing I did need to do was to install bash on the router as the script just won't run without it. Once I managed to get bash installed, I continued to receive a "Port forwarding is already activated on this connection, has expired, or you are not connected to a PIA region that supports port forwarding".
I have 3 outbound routes set on my box based on the source IP address. The default route is WAN but the other two outbound go to 2 different PIA servers. I believe VPN 1 is Switzerland and the second is "East Coast".
Any advice will be much appreciated. One thing I did try since I have the VPNs set to not pull routes is to specify curl --interface ovpnc1 to see if that would work. After manually setting the client ID in the script, I was finally able to get the script to kick back a port number that does not appear to be random in nature. I then make sure that my programs are using this port as the open port on the PC however nothing happens. I read the guide about pfsense and port forwarding and did my best to ensure those settings were completed. At this point, no traffic seems to be able to make it to the PC. Any suggestions?
Thank you for the inquiry. Were these the steps you followed for the Pfsense router? Pfsense -- https://doc.pfsense.org/index.php/What_hardware_is_supported However, in all likelihood, you will need to install ("flash") such custom router firmware onto your router. Please be aware that router flashing falls outside our support scope, and doing so would be at your discretion and liability.
As for the port forwarding, we do not directly support it. We make it possible but offer little to no troubleshooting regarding the port forwarding. The Port Forwarding option is available for only our Windows, Mac, and Android software.
To enable port forwarding in our PIA app, first please disconnect from the VPN.
For MacOS, Windows, and Linux click on the VPN icon (right click for Windows) and select "Settings." After this, click the "Advanced" button and you'll see the port forwarding feature to the right-hand side. Enable it and select "Save."
For the Android app, click the Settings icon in the top right of the login screen. Then, check the box for "Request Port forwarding."
Once you have enabled port Forwarding, you can then connect to one of the servers that are capable of performing port forwarding. Those servers are:
- CA Toronto
- CA Montreal
- CA Vancouver
- Czech Republic
- France
- Germany Berlin
- Germany Frankfurt
- Israel
- Romania
- Spain
- Sweden
- Switzerland
While connected to our new client on one of these port forwarding gateways, please open the application. You will see the forwarded port just below the VPN IP address.
While connected to one of these gateways within our legacy client, wait approximately 30-60 seconds, then hover over the PIA application's icon in your system tray; you'll get a small tool-tip window come up, which will include a port number. This randomly-assigned port is what you need to enter into your torrent client. - PIA CS TEAM
I've spent hours trying to set up PIA on a Synology NAS and get port forwarding to work for certain applications. All the servers which support port forwarding were set up using OpenVPN and all were connecting fine, I just could not for the life of me find which port was being used.
Excellent stuff. I will be renewing my subscription again in 3 years. Thanks @doaks and @Max-P
Did you execute the script soon after starting the connection? As stated in post#2, it has to be run within 2 minutes of opening a connection (yes I found out the hard way).
I wanted to report that I've been trying to run the curl command and all I receive is a 'connection refused' message. I've tried multiple servers (Vancouver, Toronto, Montreal) and I get the same message. This has worked fine for years and now all of a sudden it's failing. Here is the output:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:00:09 --:--:-- 0
curl: (7) Failed to connect to 209.222.18.222 port 2000: Connection refused
Well, I have a few answers now. It turns out that the next gen does NOT work with this port forwarding api. I think I also had a messed up firewall rule because some of their stuff is on 10net now, which is what I use internally. I got all this squared away and while the API doesn't work through curl on my pfsense box anymore, I can trigger it from a workstation on my pia vpn vlan.
There seems to be a bug where once a token is generated, it sticks. So even if you create a new one, you must use the old one. The server responds that this token lasts for 24 hours, but to me it should be overwritten when you create a new one
Anyhow, you can work around this by saving the token and using it again until it doesn't work and grab a new one all via script. The other issue is that you need to loop the bind response every 15 minutes or they drop the forward
I did make a script and I would share it, but it is tailored to my needs since I use a second interface. I hope they create one for everyone as the article indicates.
Ditto, cannot get port forwarding to work at all on my QNAP now I'm forced to use this next-gen servers. Bravo PIA.
The official script has no way of working from what I can tell so far. Hopefully someone can deconstruct it to work, but at this rate I'll be taking my custom elsewhere.
I'm getting the impression these forums will die soon as you can't seem to get to them from PIA's main site anymore, only a google search. Anyway. If you have a QNAP, the community have managed to figure out how to keep the port alive.
Comments
specifically:
---"For this to work, you will need to request the port in a script running on the router, and then have that script create the required firewall rule to redirect it to your computer. "---
That is what i need to accomplish.
Please and thank you.
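An added sketch of the router-side step described in the quote above (not from the thread or from PIA): once a script has obtained the forwarded port, it emits iptables rules that redirect that port from the VPN interface to one LAN host, and removes the previous port's rules so no stale opening remains. The interface `tun11`, the LAN address `192.168.1.50` and the state file path are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: prints (does not run) the iptables commands
# that steer a VPN-forwarded port to one LAN host. Review, then pipe to sh to apply.
VPN_IF="${VPN_IF:-tun11}"          # assumption: OpenVPN client tunnel interface
LAN_IP="${LAN_IP:-192.168.1.50}"   # assumption: constructed address of the PC
STATE="${STATE:-/tmp/pia_pf_port}" # assumption: file remembering the active port

# Accept only a plain decimal port in 1..65535 (no leading zeros, no shell text).
valid_port() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# emit_rules <add|del> <port>: DNAT on the tunnel interface plus a matching
# FORWARD accept, for TCP and UDP. Nothing is opened on the WAN side.
emit_rules() {
    if [ "$1" = add ]; then nat=-A; fwd=-I; else nat=-D; fwd=-D; fi
    for proto in tcp udp; do
        echo "iptables -t nat $nat PREROUTING -i $VPN_IF -p $proto --dport $2 -j DNAT --to-destination $LAN_IP:$2"
        # Inserted rather than appended so it is evaluated before later drop rules.
        echo "iptables $fwd FORWARD -i $VPN_IF -d $LAN_IP -p $proto --dport $2 -j ACCEPT"
    done
}

# pf_update <port>: drop the rules for the previously saved port, add rules for
# the new one, and record it, so an old port never stays open to the LAN host.
pf_update() {
    valid_port "$1" || { echo "refusing invalid port: $1" >&2; return 1; }
    old=""
    [ -r "$STATE" ] && old=$(cat "$STATE")
    [ "$old" = "$1" ] && return 0      # rules already match; emit nothing
    if valid_port "$old"; then emit_rules del "$old"; fi
    emit_rules add "$1"
    echo "$1" > "$STATE"
}
```

On the router, the script that obtains the port would call `pf_update "$port"` and apply the printed commands after review.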
Here is the command I'm using:
$ curl --interface ovpnc1 "http://209.222.18.222:2000/?client_id=08e0790b48607a30d83ef8c781690d949538c0cda916951fce1e1bb874fdf128"
https://www.privateinternetaccess.com/helpdesk/news/posts/introducing-next-generation-port-forwarding
https://www.privateinternetaccess.com/helpdesk/kb/articles/next-generation-port-forwarding
https://github.com/pia-foss/manual-connections/blob/master/port_forwarding.sh
There are a few things I had to modify for the script to work such as getting, "ca.rsa.4096.crt" from:
https://www.privateinternetaccess.com/helpdesk/kb/articles/which-encryption-auth-settings-should-i-use-for-ports-on-your-gateways-2
--cacert "/etc/openvpn/ca.rsa.4096.crt"
I also used the 4th gen ovpn files:
https://www.privateinternetaccess.com/helpdesk/kb/articles/where-can-i-find-your-ovpn-files
I see PIA have announced v1.0 of the scripts
https://www.privateinternetaccess.com/helpdesk/news/posts/the-full-release-of-port-forwarding-and-manual-connection-scripts
https://www.privateinternetaccess.com/helpdesk/kb/articles/manual-connection-and-port-forwarding-scripts
...however I have no idea how to run this correctly on my Synology!
Thanks.
https://forum.qnap.com/viewtopic.php?f=231&t=157651