I understand why PIA doesn't want to provide an updater for individual applications, but the built-in application should have some sort of scripting application for when the port changes.
At the very least, let us make some REST calls w/ basic variable passing, that would cover 99% of your use cases. Even an IFTTT call would be better than nothing.
{"error":"port forwarding not available for this region"}
What am I doing wrong here guys?
Much appreciated.
Edit: The only cause I can think of is that I changed the client_id string in the course of troubleshooting (and unfortunately lost the original one). Is there a way to reset it if my account somehow became associated with the original one I used?
Also, thought I'd mention Support for a quicker response.
Finally, add a couple of configuration scripts. The first prevents any possibility of leaking packets from the LAN to the WAN. All traffic must go through the VPN.
Tomato >> Administration >> Scripts >> Firewall
iptables -I FORWARD -i br0 -o vlan2 -j DROP
The second script causes traffic from the VPN to be evaluated by the upnp prerouting rules. This assumes you have enabled NAT-PMP on the LAN as described below. The upnp forwarding rules are configured by the uTorrent application using the NAT-PMP protocol (must be enabled within uTorrent).
Tomato >> Administration >> Scripts >> WAN Up
iptables -t nat -A PREROUTING -i tun11 -j upnp
@mornay I was able to get your script to determine the VPN port number working on my router, but I was wondering if it were possible to set a route from that port to a static port on my NAS. The torrent client is Transmission, but there is no way to change the listening port remotely (at least to my knowledge). My knowledge of iptables isn't that great, so I was wondering if you or someone else could provide some help?
I found the below commands that implement forwarding to the same port number on my NAS, but I'm not sure how to modify them to forward to a static port number:
iptables -t nat -A PREROUTING -p tcp --dport <your_port_number> -j DNAT --to-destination <your_destination_IP_address>
iptables -A FORWARD -s <your_VPN_IP> -p tcp --dport <your_port_number> -j ACCEPT
EDIT: it seems the --to-destination argument can also include a port number, this might be what I'm looking for! The question is now, how can I flush only the existing rule while keeping my other iptables rules intact before specifying the new rule?
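One way to replace just this forward without disturbing the rest of the firewall, as an added example that is not part of the original post: keep the DNAT and its matching ACCEPT in private chains of their own, so re-running the script flushes only those chains. Assumed names: tun11 as the tunnel interface (from the Tomato posts above), PIA_FWD as the chain name, and an iptables that supports -C.

```shell
#!/bin/sh
# Added example, not code from the thread. Keeps the "VPN port -> static NAS port"
# forward in two private chains (one in nat, one in filter) so that re-running the
# script flushes only those chains and leaves every other iptables rule in place.
# Assumptions: tun11 is the PIA tunnel interface (as in the Tomato posts above),
# PIA_FWD is a chain name chosen here, and iptables supports the -C (check) option.
VPN_IF="tun11"
CHAIN="PIA_FWD"

# nat rule: rewrite the PIA-assigned port to a fixed port on the NAS.
# Usage: dnat_rule <tcp|udp> <vpn_port> <nas_ip> <nas_port>  (prints iptables arguments)
dnat_rule() {
    echo "-t nat -A $CHAIN -i $VPN_IF -p $1 --dport $2 -j DNAT --to-destination $3:$4"
}

# filter rule: allow only the rewritten flow through FORWARD (no blanket ACCEPT).
# Usage: forward_rule <tcp|udp> <vpn_port> <nas_ip> <nas_port>
forward_rule() {
    echo "-A $CHAIN -i $VPN_IF -p $1 -d $3 --dport $4 -j ACCEPT"
}

# Reject anything that is not a high, unprivileged port before touching the firewall;
# the port number comes from an API reply and is treated as untrusted input here.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Create the private chains and hook them into PREROUTING/FORWARD exactly once.
ensure_chains() {
    iptables -t nat -N "$CHAIN" 2>/dev/null || true
    iptables -t nat -C PREROUTING -i "$VPN_IF" -j "$CHAIN" 2>/dev/null ||
        iptables -t nat -I PREROUTING -i "$VPN_IF" -j "$CHAIN"
    iptables -N "$CHAIN" 2>/dev/null || true
    iptables -C FORWARD -i "$VPN_IF" -j "$CHAIN" 2>/dev/null ||
        iptables -I FORWARD -i "$VPN_IF" -j "$CHAIN"
}

# Replace the forward: flush only our chains, then add fresh tcp and udp rules.
apply_forward() {
    ensure_chains
    iptables -t nat -F "$CHAIN"
    iptables -F "$CHAIN"
    for proto in tcp udp; do
        # word splitting of the rule string is intended; every field is a single token
        iptables $(dnat_rule "$proto" "$1" "$2" "$3")
        iptables $(forward_rule "$proto" "$1" "$2" "$3")
    done
}

# Usage: sh pia_forward.sh <vpn_port> <nas_ip> <nas_port>
if [ $# -eq 3 ]; then
    valid_port "$1" || { echo "refusing to forward port '$1'" >&2; exit 1; }
    apply_forward "$1" "$2" "$3"
fi
```

Because the hook rule is inserted at the top of PREROUTING, it runs before the "-j upnp" rule from the Tomato WAN Up script, so the static forward wins for that one port and upnp still handles the rest.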
So, for Mac users with Viscosity and Transmission, here it is all in one script:
This script is broken. A heavily modified version that binds all Transmission traffic to tun0 is at this gist. Requires you to change username and password using AppleScript.
indolering,
I assume this script needs to be run before launching Transmission (as you can't change the port, via the command line/plist while the application is running). That's cool as I already have a script that launches Transmission after I make the PIA connection, so I'll just run this script before launching Transmission.
My question though—will this work (for testing purposes) with the PIA client (I use Viscosity, but for port forwarding, I've been testing with the PIA client so I can see what the port should be, etc.). Anyway, if I run this script, it does update the peer listening port in Transmission, but the port number that it's populating it with is different than the port listed in the PIA client?
The thing is, Transmission is reporting both ports (the PIA indicated port, when I enter it manually) and the port that results from your script, as "open". Does that mean there's more than one port being forwarded to my IP and the PIA client sees one and your script sees another?
Any insight would be appreciated (as I'd love to go back to using Viscosity and stop having to manually enter the port).
I apologize to everyone who might be impatient with this request, but I'm not as familiar with port forwarding as everyone else. I can set it up on my router, but with an AT&T router, I'm not able to install something like DD-WRT on it. So, port forwarding with PIA is impossible at the router level.
I'm on Ubuntu running Transmission. Can anyone direct me to a step-by-step instruction to set this up? Thank you in advance.
I'd like to second that request. There are plenty of other VPN providers that allow for a range of ports to be forwarded, and I was under the impression that this one would as well, only to find out after signing up for a year that it isn't the case. It's 2013. People run multiple services. This service needs to accommodate these needs.
I know these are shared IPs, but is there any chance we could eventually make a handful of requests with a small set of randomizer strings (instead of only one such string per system now), in order to open up multiple port forwards? The unprivileged ports (or even just the high-numbered ports for short-lived connections) number in the tens of thousands, so I hope they are not a scant resource. :-P
I ask because with only one, I have to select a single one of my desktop's services to enable at a time when on the VPN, but that means seeding and backing up my system are mutually exclusive, not to mention blocking inbound SSH connections (which I use very regularly) if I forget to switch back to that before I leave my apartment.
In short: the new port forwarding mechanism is awesome, thanks! (And can we eventually use it to open a few more application's inbound ports?)
Save this as an AppleScript and use Viscosity to run it when the VPN tunnel is established. Configure Transmission with "randomize port on launch" UNchecked and "automatically map port" checked in the Network preferences.
Thanks for the AppleScript to get Viscosity / Transmission connecting to ports.
I'm not an advanced user, but I generally get by with a bit of assistance. I have saved the AppleScript as both a script and an application. I have associated the script with my VPN connection (thanks to this guide for Viscosity: http://www.sparklabs.com/support/running_applescripts_when_conn/) and the VPN connects, however the port is still closed (is there a specific port I should use?)
How can I rectify this and get the AppleScript working with Viscosity so I can port forward with Transmission?
Why not configure your iptables (-t mangle) to forward your ssh listening port out your wan ip and then use your wan ip for ssh while the rest of the ports continue to use the vpn? I did this on my router running tomato.
Thanks for the reply, but SSH wasn't really the point. The fact remains that PIA only allows for a single forwarded port, no matter how many services you run. Even within a torrent client like Azureus/Vuze, it may require listening on two distinct TCP ports and a UDP port for good measure. And that's only one application. I also want to run a Tor relay. This policy is extremely limiting, in my opinion.
Hi all, for those who are interested, I adapted the PowerShell script for Vuze TCP port update. You can find it here: http://forum.vuze.com/thread.jspa?messageID=274658 Thanks to the developers of the first versions. Regards.
Any insight would be great, as I would like to type up a Pfsense tutorial soon to help others
pfsense is not built on Linux; as such, some commands would be different.
The curl command involves transmitting information to the PIA servers, and should return a port assignment. If you are absolutely sure that you transmit the correct information AND your selected server supports port forwards, you should file a bug report.
Thank you "VPN" for your insight. That is specifically what I am asking: what would be the equivalent command in a BSD/pfsense environment? For example, if I enter IFCONFIG into the pfsense shell command box, I will get the results directly under where it is entered, much like a mini terminal. When I enter the curl commands, it shows just what I have entered with no return. I'm assuming that there are likely some quotations or slashes in the wrong places, but am unsure how to modify the script to work inside of BSD/pfsense?
#This changes the permission of items in my watch directory. I use dropbox to queue file transfers when I'm away from home. What this does is to change the owner/group of the *.torrent files to debian-transmission and moves the files to the local watch directory
#Things to change: PATH-TO-DROPBOX-WATCH-DIR, LOCAL-WATCH-DIR
@bigbudd911: curl should be available for pfsense, maybe google how to install it. If it already is installed, maybe you do not get any output because the requested port assignment cannot be made, e.g. when using a PIA server which does not support port forwarding.
You can try the port forwarding api from a browser to check if it works!
VPN - Thank you very much for the advice I will be giving this a shot again today when I get home from work.
MacAir - Also thank you for that working script. In the event that I cannot get pfsense working, I would like to switch to a full Debian install as you have done. I have heard that running a full OS will slow things down a lot, is there any truth to this? Currently I have a 100mbit line, and can get 97mbps without my VPN running, and about 92-94mbps with pfsense running the VPN client. May be a stupid question, but I am assuming Debian could handle this? I have heard numerous times that a full linux distro can significantly slow things down (which was my entire reason for sellecting pfsense in the first place!)
Thanks for the advice guys, it is greatly appreciated!
While pfsense is optimized for the exact scenario you use it for, a few more background services with a generic distro should not cause significant problems. Throughput on the VPN depends mainly on crypto speed and the hardware's ability to handle interrupts at a fast enough rate to saturate a network link with small packets. If your hardware manages now, it will most likely manage with other operating systems.
I'd probably have used pfsense myself if it came with decent IPv6 support.
I've got OpenVPN set up on a headless 12.04 LTS server. When I run the curl line it provides me with a port number. However, that port number is not forwarding, and any testing I do shows that the port is not open. Earlier in my troubleshooting I deleted the pia_client_id and am trying to determine if PIA's system is providing me the wrong port number or if there is another issue.
Edit: Scratch that it was a configuration issue with Deluge not being able to set the port through the UI. Running it through the CLI fixed the issue.
I've been using port forwarding with Debian and openvpn using the Canadian gateways without issue for months. However, for the past week or so, I've been unable to retrieve the forwarded port number using the scripts outlined in this thread. Has something changed? Is there some way I can reset my client ID or something?
I have the script working in AppleScript, but every time I run it, it gives me a different port. Any of these ports that I insert into Transmission are "closed." I thought that the port lasted up to an hour?
Good news, almost got this fully working in Pfsense with cron on a timer. The first 2 of 3 commands work perfectly. Just trying to figure out the syntax for the last command. Running the command in the shell gives {port#} in that format. Running the script in cron gives an empty {}. This is the command I am talking about:
@bigbudd911: The command uses a subcommand (in "$(cat ~/.pia_client_id)") which references a variable. The "~" character stands for $HOME, which is likely unset in Cron execution. Replace "~" with the full directory of the file, maybe like so: "$(cat /home/username/.pia_client_id)". You could also directly replace that subcommand with the actual client-id, maybe like so: "...&client_id=RaNdOmStRiNg&local_ip=...".
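Pulling the thread's pieces together for a cron job on a Linux box, as an added example that is not code from the thread: it handles the {"error":...} reply seen earlier instead of treating the first digits it finds as a port, uses absolute paths only (the "~" problem above), and keeps the password off the curl command line. Assumed names: /etc/pia/client_id, /etc/pia/auth (username on line 1, password on line 2), tun0 as the tunnel, and Transmission RPC on localhost:9091.

```shell
#!/bin/sh
# Added example, not code from the thread. Fetches the PIA port assignment from
# inside the tunnel and pushes it into Transmission over RPC, written to survive
# cron (absolute paths only, no "~"), to handle the {"error":...} reply seen earlier
# in the thread, and to keep the password off the curl command line.
# Assumptions: /etc/pia/client_id holds the random client id, /etc/pia/auth holds
# username (line 1) and password (line 2), tun0 is the tunnel, RPC is on localhost:9091.
PIA_URL="https://www.privateinternetaccess.com/vpninfo/port_forward_assignment"
CLIENT_ID_FILE="/etc/pia/client_id"
AUTH_FILE="/etc/pia/auth"
STATE_FILE="/var/run/pia_port"
RPC_URL="http://127.0.0.1:9091/transmission/rpc"
VPN_IF="tun0"

# Reduce a raw API reply to a bare port number (exit 0) or "ERROR: <text>" (exit 1).
# The API answers {"port":12345} on success and {"error":"..."} otherwise.
parse_pia_reply() {
    case "$1" in
        *'"port"'*)
            port=$(printf '%s' "$1" | sed -n 's/.*"port" *: *\([0-9][0-9]*\).*/\1/p')
            [ -n "$port" ] && echo "$port" && return 0
            ;;
        *'"error"'*)
            echo "ERROR: $(printf '%s' "$1" | sed -n 's/.*"error" *: *"\([^"]*\)".*/\1/p')"
            return 1
            ;;
    esac
    echo "ERROR: unrecognised reply: $1"
    return 1
}

# Extract the session token from the headers of Transmission's 409 reply.
session_id_from_headers() {
    printf '%s\n' "$1" | sed -n 's/^X-Transmission-Session-Id: *\([A-Za-z0-9]*\).*/\1/p' | head -n 1
}

# JSON body for the session-set call; random port on start is switched off so the
# forwarded port is not replaced the next time Transmission restarts.
rpc_body() {
    printf '{"method":"session-set","arguments":{"peer-port":%d,"peer-port-random-on-start":false}}' "$1"
}

# POST to PIA; credentials go to curl over stdin (-d @-) rather than on argv.
request_port() {
    user=$(sed -n 1p "$AUTH_FILE"); pass=$(sed -n 2p "$AUTH_FILE")
    local_ip=$(ip -4 addr show dev "$VPN_IF" | sed -n 's/.*inet \([0-9.]*\).*/\1/p' | head -n 1)
    printf 'user=%s&pass=%s&client_id=%s&local_ip=%s' \
        "$user" "$pass" "$(cat "$CLIENT_ID_FILE")" "$local_ip" | curl -s -d @- "$PIA_URL"
}

# Two-step RPC: the first request returns 409 plus the session id, the second carries it.
push_port() {
    sid=$(session_id_from_headers "$(curl -s -D - -o /dev/null "$RPC_URL")")
    [ -n "$sid" ] || { echo "no session id from Transmission" >&2; return 1; }
    rpc_body "$1" | curl -s -H "X-Transmission-Session-Id: $sid" -d @- "$RPC_URL" \
        | grep -q '"result":"success"'
}

main() {
    port=$(parse_pia_reply "$(request_port)") || { echo "$port" >&2; exit 1; }
    # the assignment is only pushed when it changed, so cron can run this often
    [ "$(cat "$STATE_FILE" 2>/dev/null)" = "$port" ] && return 0
    push_port "$port" && echo "$port" > "$STATE_FILE"
}

# Usage from cron (every 15 minutes): */15 * * * * root /usr/local/sbin/pia_port.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Keep /etc/pia/auth readable only by root; anything that can read it has your PIA login.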
Comments
#!/bin/sh
CONF="/opt/pia/api.conf"
PIAURL="https://www.privateinternetaccess.com/vpninfo/port_forward_assignment"
# PIA credentials: username on line 1, password on line 2 of the OpenVPN auth file
USER=`head -n 1 /etc/openvpn/client1/up`
PASSWD=`tail -n 1 /etc/openvpn/client1/up`
# Persistent random client id from the "apikey" line of api.conf
# (single quotes so the shell does not expand $2 before awk sees it)
CLIENT_ID=`awk '/^apikey/ {print $2}' "$CONF"`
# Address of the tunnel interface (busybox ifconfig prints "inet addr:10.x.x.x")
VPN_IP=`ifconfig tun11 | grep -oE "inet addr: *10\.[0-9]+\.[0-9]+\.[0-9]+" | tr -d "a-z :"`
# Ask PIA for the forwarded port; the reply is {"port":NNNNN} or {"error":"..."}
VPN_PORT=`curl -s -d "user=$USER&pass=$PASSWD&client_id=$CLIENT_ID&local_ip=$VPN_IP" "$PIAURL" | grep -oE "[0-9]+"`
# single-bracket test: the script runs under /bin/sh (busybox ash on Tomato), not bash
if [ -z "$VPN_PORT" ]; then
logger "api.sh[8]: Failed to determine PIA VPN port."
exit 1
else
logger "api.sh[8]: The PIA VPN port is $VPN_PORT"
fi
# Transmission RPC settings from the host/port/user/passwd lines of api.conf
BTHOST=`awk '/^host/ {print $2}' "$CONF"`
BTPORT=`awk '/^port/ {print $2}' "$CONF"`
BTUSER=`awk '/^user/ {print $2}' "$CONF"`
BTPASSWD=`awk '/^passwd/ {print $2}' "$CONF"`
# The first request is answered with 409 and the session id in the header and the body
curlout=`curl -s -u "$BTUSER:$BTPASSWD" "http://$BTHOST:$BTPORT/transmission/rpc" 2>/dev/null`
# The session id is 48 characters; awk substr positions start at 1, not 0
SESSIONID=`echo "$curlout" | awk -F'X-Transmission-Session-Id: ' '/X-Transmission-Session-Id/ {print substr($2,1,48)}'`
data='{"method": "session-set", "arguments": { "peer-port" :'
data="$data $VPN_PORT } }"
CURLRSP=`curl -s -u "$BTUSER:$BTPASSWD" "http://$BTHOST:$BTPORT/transmission/rpc" -d "$data" -H "X-Transmission-Session-Id: $SESSIONID"`
logger "api.sh[28]: $CURLRSP"
See here: http://www.linksysinfo.org/index.php?threads/route-only-specific-ports-through-vpn-openvpn.37240/ Post #9 & #35
Hey, I have been trying to accomplish port forwarding from my Pfsense 2.1 (beta) box which runs my PIA openvpn client. Hopefully someone can help me out a bit.
The following command worked, to create the client ID:
head -n 100 /dev/urandom | md5 > ~/.pia_client_id
The following command needed to be changed:
ifconfig tun0 | grep "inet " | cut -d\ -f2|tee /tmp/vpn_ip
works when changed to:
ifconfig OPT1 | grep "inet " | cut -d\ -f2|tee /tmp/vpn_ip
The following command would not work when entered into Pfsense:
curl ifconfig.me/ip|tee /tmp/vpn_external_ip
My workaround was to simply put the VPN IP address I'm connected to into a file named "vpn_external_ip" located in /tmp. I only connect to an individual IP. I do not use "us-east.privateinternetaccess.com" for example.
curl -d "user=USERNAME&pass=PASSWORD&client_id=$(cat ~/.pia_client_id)&local_ip=$(cat /tmp/vpn_ip)" https://www.privateinternetaccess.com/vpninfo/port_forward_assignment
When I enter this final command, I get no output or confirmation. I am unsure whether or not this command can be used with Pfsense, or how to change it to make it work?
1) (If you haven't done this already... also do this once and once only as it won't open the ports with a different clientID) open terminal and copy/paste the following and press enter:
head -n 100 /dev/urandom | md5 > ~/.pia_WHATEVERyouWANTtoNAMEthis
2) Open AppleScript Editor. Only replace what is highlighted. Copy/paste exactly as it is written, only replacing with the variables above. Also, I don't think you can put special characters like & and ! in your PW; change your PW if that's true (not sure).
set Username to "USERNAME"
set PW to "PASSWORD"
set vpn_ip to do shell script "ifconfig tun0 | grep 'inet ' | awk '{print $2}'" # get current IPv4 address of the vpn interface ('inet ' with a trailing space so an inet6 line is not matched)
set vpn_port to do shell script "curl -d \"user=" & Username & "&pass=" & PW & "&client_id=$(cat ~/.pia_IDname)&local_ip=" & vpn_ip & "\" https://www.privateinternetaccess.com/vpninfo/port_forward_assignment 2>/dev/null|grep -oE \"[0-9]+\""
do shell script "defaults delete org.m0k.transmission BindPort" # delete previous port value
do shell script "defaults write org.m0k.transmission BindPort " & vpn_port & ""
do shell script "defaults delete org.m0k.transmission BindAddressIPv4" #delete previously written ipv4binding value
do shell script "defaults write org.m0k.transmission BindAddressIPv4 " & vpn_ip & "" #write current vpn ip into transmission.plist
3a) If the end result isn't """ and you still have errors, open Terminal and copy/paste/enter this:
defaults write org.m0k.transmission BindPort "45678"
3b) More copy/pasta:
defaults write org.m0k.transmission BindAddressIPv4 "192.168.0.123"
4) Run the script from Step 2 again. You shouldn't get the 'error "The command exited with a non-zero status." number 1'. You should be good at this point.
5) If you get something along the lines of "Domain (org.m0k.transmission) could not be found", do an application reset, aka delete the following files/folders:
a. ~/Library/Caches/org.m0k.transmission
b. ~/Library/Saved Application State/org.m0k.transmission.savedState
c. ~/Library/Preferences/org.m0k.transmission.plist
d. ~/Library/Preferences/org.m0k.transmission.LSSharedFileList.plist
6) Open Transmission then quit Transmission and follow steps 2-3a+b. If it still shows an error then there's probably a typo or too many spaces. I've tested myself copy/pasting from the format it displays when I submit this and it works perfectly if you only replace what's highlighted, nothing more and nothing less.
7) This is how you set it up to run through Viscosity after the connection to the VPN has been made.
8) After you click save make sure transmission is not running and disconnect and reconnect to the PIA server you just modified.
Okay, so good news. Lots of progress this week, haven't had too much time to update. VPN - as it turns out, you were correct. The "curl" commands would not do anything, and I eventually found out that my pfsense install was corrupted. Did a clean install, and now I have progress. I can get the commands to enter successfully from the shell. I get the correct port. However, now I am trying to get this to work with "Cron" so that the commands are run on a schedule.
1st script, located in /etc/
#!/bin/sh
/sbin/ifconfig ovpnc1 | /usr/bin/grep "inet " | /usr/bin/cut -d\ -f2|/usr/bin/tee /tmp/vpn_ip
And my Cron entry looks as follows:
1 * * * * root /usr/bin/nice -n20 /etc/script1
It is set to run every minute. However, I enter the entry and reboot, and it still never outputs the file. I made this post on the pfsense board which has lots more info about my setup:
http://forum.pfsense.org/index.php/topic,62771.0.html
Any ideas guys? I am pretty sure that it is simply a syntax mixup that cron is having difficulty processing (a space or slash). Thanks for everything so far guys, I am nearly there.
curl -d "user=USERNAME&pass=PASSWORD&client_id=$(cat ~/.pia_client_id)&local_ip=$(cat /tmp/vpn_ip)" https://www.privateinternetaccess.com/vpninfo/port_forward_assignment
When this is done, I will be making a tutorial for anyone trying to get this working in Pfsense.