pia-nextgen-portforwarding's Introduction

PIA NextGen Servers Port Forwarding + Transmission support - Unofficial

New PIA pfSense (Private Internet Access) port forwarding API script for next gen servers. Tested on pfSense 2.4.5-RELEASE-p1 (amd64) and transmission-daemon 2.94.

Issue introduced in 2.5.1: Regression #11805 breaks port forwarding. Please use 2.5.2.

Before starting make sure to have configured PIA on your pfSense according to this guide: https://blog.networkprofile.org/private-internet-access-vpn-on-pfsense/

For a list of nextgen servers supporting port forwarding: https://github.com/fm407/PIA-NextGen-PortForwarding/blob/master/nextgen-portforward-servers.txt

The scripts contain variables that you must change for them to work; read the scripts before running them.

Your pfSense needs the following packages: xmlstarlet and jq (details in step I.8.)

Now you can follow this guide:

I. pfSense side

1.Enable SSH on pfSense
System -> Advanced => tick "Enable Secure Shell"

2.Create custom user
-Go to System -> User manager -> Add
-Fill Username, password
-Add "admins" group
-Grant "WebCfg - All pages" and "User - System: Shell account access" privileges
-(Optional) generate SSH keys for your custom user

3.Install SUDO package
-Go to System -> Package Manager => install SUDO package
-Go to System -> sudo => create user permissions as below

4.Create Alias for port forward
-Go to Firewall -> Aliases -> Ports
-Create new port with name "Transmission_Port"
-Give it the current port (if you have one) or any non-zero placeholder value (the alias must not be left empty)

5.Create Alias for Transmission IP address
-Go to Firewall -> Aliases -> IP
-Create a new alias with name "Transmission_IP"
-Define the IP or FQDN of your Transmission daemon server

6.Create NAT rule for port-forward using the ALIAS instead of specific port/IP
-Go to Firewall -> NAT
-Create a new rule like below (some values may differ depending on your current VPN configuration)

7.Create custom devd config file
-SSH to the pfSense box with the user created in step 2.

sudo su -
#<enter your user password>
#Enter an option: 8 for shell
mkdir /usr/local/etc/devd
cd /usr/local/etc/devd
vi piaport.conf

-Paste the following code and save ( :wq ). This starts the service when the PIA interface comes up and stops it when it goes down:

notify 0 {
        match "system"          "IFNET";
        match "subsystem"       "(ovpnc1)";
        match "type"            "LINK_UP";
        action "logger $subsystem is UP";
        action "service piaportforwarding start";
};

notify 0 {
        match "system"          "IFNET";
        match "subsystem"       "(ovpnc1)";
        match "type"            "LINK_DOWN";
        action "logger $subsystem is DOWN";
        action "service piaportforwarding stop";
};

-Restart devd to properly parse the new definition

service devd restart

Note: "ovpnc1" is the technical name of the OpenVPN client interface as shown in the pfSense UI; use the name of your own PIA interface if it differs.

8.Install xmlstarlet and jq packages
-Still under root user from previous step do

perl -pi -e 's/FreeBSD:\ \{\ enabled:\ no/FreeBSD:\ \{\ enabled:\ yes/g' /usr/local/etc/pkg/repos/FreeBSD.conf
perl -pi -e 's/FreeBSD:\ \{\ enabled:\ no/FreeBSD:\ \{\ enabled:\ yes/g' /usr/local/share/pfSense/pkg/repos/pfSense-repo.conf
pkg install xmlstarlet

-Answer "y" to the installation prompts
-jq should already be present (which jq returns the path to the binary); if it is missing, install it with pkg install jq

9.Create the custom port-update script
-Still under root user from step 7. do

mkdir -p /home/custom/piaportforward
cd /home/custom/piaportforward
touch pia-pfSense.sh
chmod u+x pia-pfSense.sh
vi pia-pfSense.sh

-Paste the code from https://github.com/fm407/PIA-NextGen-PortForwarding/blob/master/pia-pfSense.sh OR just download it and chmod +x it.
!!! Some customization is necessary. Please read the script. It will need at minimum your PIA user and pass and the Transmission rpc user/pass !!!

Put https://github.com/fm407/PIA-NextGen-PortForwarding/blob/master/pia-portforwarding-rc in /usr/local/etc/rc.d (rename it to piaportforwarding, the name used by the devd actions above and the commands below) and chmod +x it, or just:

touch /usr/local/etc/rc.d/piaportforwarding
chmod +x /usr/local/etc/rc.d/piaportforwarding
vi /usr/local/etc/rc.d/piaportforwarding

And paste the following in it:

#!/bin/sh

# PROVIDE: piaportforwarding
# REQUIRE: LOGIN

. /etc/rc.subr

name="piaportforwarding"
rcvar="${name}_enable"
# the port-update script created in step 9
command="/home/custom/piaportforward/pia-pfSense.sh"
command_interpreter="/bin/sh"
pf_user=root
# run the script detached in the background as $pf_user
start_cmd="/usr/sbin/daemon -f -u $pf_user $command"

load_rc_config $name
run_rc_command "$1"

Then:

touch /etc/rc.conf.local
vi /etc/rc.conf.local

And paste the following line:

piaportforwarding_enable="YES"

-Disconnect from pfSense
-(Optional) Disable SSH via WebUI under System -> Advanced => un-tick "Enable Secure Shell"

II. Transmission host side

-This part is for a Debian 10 host; your mileage may vary depending on the distro you use for your Transmission host.
-If something is already configured on your side, please read the steps anyway to be sure there are no small differences.

1.Secure Transmission RPC Protocol
-STOP the transmission daemon: systemctl stop transmission
-Edit /etc/transmission-daemon/settings.json
-Note that the location of settings.json may vary. The above path is from Debian 10.
-Update or add the following parameters. Replace the username and password. Make sure the IP address of your pfSense is in the whitelist; you can whitelist additional IPs.

"rpc-authentication-required": true,
"rpc-username": "SomeUserName",
"rpc-password": "SomePassword",
"rpc-whitelist": "127.0.0.1,10.10.10.1,10.10.10.5",

-Start the transmission service again: systemctl start transmission

2.Restart OpenVPN in pfSense

-Wait ~15 seconds and check Status -> System Logs to see the result

-All OK, port changed

pia-nextgen-portforwarding's Issues

VPN offline - empty destination port?

Hi.
Don't know what I'm doing wrong?

General
Empty destination port alias 'Transmission_Port' for rule 'NAT Transmission Port Forward' @ 2020-12-21 20:24:01
Empty destination port alias 'Transmission_Port' for rule 'NAT Transmission Port Forward' @ 2020-12-21 20:30:20
Empty destination port alias 'Transmission_Port' for rule 'NAT Transmission Port Forward' @ 2020-12-21 20:30:21
Empty destination port alias 'Transmission_Port' for rule 'NAT Transmission Port Forward' @ 2020-12-21 20:30:22
Filter Reload
There were error(s) loading the rules: /tmp/rules.debug:91: syntax error - The line in question reads [91]: rdr on ovpnc1 proto tcp from any to 10.8.112.75 port $Transmission_Port -> $Transmission_IP
@ 2020-12-21 20:24:02
There were error(s) loading the rules: /tmp/rules.debug:91: syntax error - The line in question reads [91]: rdr on ovpnc1 proto tcp from any to 10.2.112.31 port $Transmission_Port -> $Transmission_IP
@ 2020-12-21 20:30:23


Can some one help me?

Use Transmission RPC interface rather than SSH?

Rather than setting up the SSH stuff to be able to ssh to the transmission server, it's much easier to just use the Transmission RPC API directly. Is there a reason you went with the ssh and transportupdate.sh script instead of direct RPC?

Here is some example code (which I added to the pfSense script and am currently using) to use the RPC API:

update_transmission_port () {
  # transmission user name
  TRANSUSER=transmission
  # transmission password
  TRANSPASS="RPCPasswordGoesHere"
  TRANSHOST=$TRANSIP

  SESSION_HEADER=$(curl -u $TRANSUSER:$TRANSPASS ${TRANSHOST}:9091/transmission/rpc 2>/dev/null | sed 's/.*<code>//g;s/<\/code>.*//g')

  if [ "x$SESSION_HEADER" != "x" ]; then
    DATA="{\"method\": \"session-set\", \"arguments\": { \"peer-port\" : $pf_port } }"
    echo $DATA
    CURLOUT=$(curl -u $TRANSUSER:$TRANSPASS --silent http://${TRANSHOST}:9091/transmission/rpc -d "$DATA" -H "$SESSION_HEADER")
    echo $CURLOUT
    echo "pia-nextgen-pf: $(date) Updated Transmission port number via RPC"
    logger "pia-nextgen-pf: Updated Transmission port number via RPC"
  else
    echo "pia-nextgen-pf: $(date) No Transmission RPC Session Header retrieved"
    logger "pia-nextgen-pf: No Transmission RPC Session Header retrieved"
  fi
}

xmlstarlet install instructions

including instructions to include freebsd repositories to pkg configuration files and installing xmlstarlet could go a long way.

netgate docs says to edit pfSense.conf
my install has a FreeBSD.conf as well

I edited both.

/usr/local/etc/pkg/repos

FreeBSD: { enabled: yes }

Port Forwarding stopped working after update to pfSense 2.5.1

I have been running these scripts for several months without issue on pfSense 2.4.5 and 2.5.0. After updating to 2.5.1, I noticed port forwarding did not seem to be working. I redid all the pfSense related steps to implement the scripts in case something got deleted or broken during the update.

The log file makes it look as if the scripts are still functioning properly, the pfSense alias for the port is being updated with the new port properly and being updated in transmission as well but when I check to see if the port is open it shows that it is not.

This is what the log file looks like after restarting my OpenVPN connection,

Jun 9 12:39:03 root 56055 [Trans] New port 32264 successfully updated in remote Transmission system.
Jun 9 12:39:03 root 54104 [PIA] New port 32264 updated in pfSense config file.
Jun 9 12:39:03 check_reload_status 416 Reloading filter
Jun 9 12:39:02 root 52603 [PIA] Acquired NEW forwarding port: 32264, current NAT rule port: 37799

Thanks for the help, up until this point the script has been great.

response from incoming traffic is going out through the default route

Hi,

I'm using this exact setup with pfsense, PIA, and transmission. However I find that the replies to the incoming connection requests are going out through the default route.
To be exact:

  • I can see the SYN requests for incoming connection requests come in through the VPN interface.
  • The SYN/ACK response is going out through my default route though which is the WAN interface.

I saw that there were bug reports for pfsense 2.5.1 with this problem but they claim it's fixed in 2.5.2? I am using pfsense 2.5.2.

Dumb question about the service

I apologize for posting this as an 'issue', but I've been beating my head against the wall. The script runs great, and I have it set to update Transmission, however I can't for the life of me figure out how to enable the service to run.

Following the instructions I get (or some variation on it):

[2.4.5-RELEASE][[email protected]]/usr/local/etc/rc.d: service pia-portforwarding start
/etc/rc.conf: pia-portforwarding_enable=YES: not found
/etc/rc.conf.local: pia-portforwarding_enable=YES: not found
/etc/rc.conf: pia-portforwarding_enable=YES: not found
/etc/rc.conf.local: pia-portforwarding_enable=YES: not found
/usr/local/etc/rc.d/pia-portforwarding: WARNING: $pia-portforwarding_enable is not set properly - see rc.conf(5).
Cannot 'start' pia-portforwarding. Set pia-portforwarding_enable to YES in /etc/rc.conf or use 'onestart' instead of 'start'.

or

[2.4.5-RELEASE][[email protected]]/usr/local/etc/rc.d: ./pia-portforwarding start
/etc/rc.conf: pia-portforwarding_enable=YES: not found
/etc/rc.conf.local: pia-portforwarding_enable=YES: not found
./pia-portforwarding: WARNING: $pia-portforwarding_enable is not set properly - see rc.conf(5).
Cannot 'start' pia-portforwarding. Set pia-portforwarding_enable to YES in /etc/rc.conf or use 'onestart' instead of 'start'.

even though my rc.conf.local is (I've tried one and the other, finally I just got ticked and put both in there):
pia-portforwarding_enable="YES"
pia-portforwarding_enable=YES

So I imagine it's just something I'm missing, not a BSD guy admittedly. Any suggestions?

README is missing step 7

Just what the title says. Step 8 refers to staying root like the previous step, but the previous step in the readme is step 6 and it's in the GUI.

Daemon exiting after rebind

Another question, should we be putting a service start into crontab or something to restart every ten minutes or so?

The reason is that the code for rebinding:

# If the acquired port is the same as already configured do not pointlessly reload config.
if [ "$NATPORT" -eq "$pf_port" ]; then
	logger "[PIA] Acquired port $pf_port equals the already configured port $NATPORT - no action required."
	exit 0
fi

causes the daemon to exit, stopping further rebinds (since we apparently need to do it every fifteen minutes or so with the nextgen servers).

I could take out the "exit 0" but I honestly don't know if that would affect the rest of the script negatively, plus it wouldn't help the base code. This would also affect the other "exit 0" locations, though you might want them to actually die with those instances.

As example, I restarted the service at 10:10 or so, it worked and updated, then the rebind ran and exited the daemon fifteen minutes later:

Sep 23 10:10:02 | root |   | [PIA] Acquired forwarding port: 35381
Sep 23 10:10:02 | root |   | [PIA] Current NAT rule port: 51485
Sep 23 10:10:03 | root |   | [PIA] New port 35381 udpated in pfSense config file.
Sep 23 10:10:04 | root |   | [PIA] New port successfully updated in remote Transmission system.
Sep 23 10:25:04 | root |   | [PIA] Acquired forwarding port: 35381
Sep 23 10:25:04 | root |   | [PIA] Current NAT rule port: 35381
Sep 23 10:25:04 | root |   | [PIA] Acquired port 35381 equals the already configured port 35381 - no action required.

Also a nitpicking jerk comment, sorry... there's a typo in the "New port 35381 udpated in pfSense config file." line in 'updated'. :)
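The two problems raised in this thread and in the "VPN offline - empty destination port?" issue above (the daemon exiting on an unchanged port, and an empty port value reaching the NAT alias and breaking the filter reload) can be handled in the script's own language. The following POSIX sh is an added example, not code from the project's pia-pfSense.sh: it assumes the acquired port and the current alias port are passed in as arguments, and run_rebinds stands in for repeated PIA bind calls with a constructed sequence of ports.

```shell
#!/bin/sh
# Added example (not the project's own code): validate a forwarding port
# before it is written into the Transmission_Port alias, and reconcile it
# with the current NAT port using "return" rather than "exit 0", so an
# unchanged port does not terminate the daemon.

# valid_port PORT: returns 0 if PORT is an integer in 1..65535, else 1.
# Rejects empty strings, so a bad API reply can never empty the alias.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# reconcile_port ACQUIRED CURRENT: prints "reject", "keep" or "update".
# Exit status is 1 only for "reject"; the caller keeps looping either way.
reconcile_port() {
    if ! valid_port "$1"; then
        echo "[PIA] Rejected port value '$1' from API, alias left untouched" >&2
        echo reject
        return 1
    fi
    if valid_port "$2" && [ "$1" -eq "$2" ]; then
        # same port as already configured: no config write, no reload
        echo keep
        return 0
    fi
    echo update
    return 0
}

# run_rebinds CURRENT PORT...: feeds a constructed sequence of acquired
# ports (a stand-in for the 15-minute rebind calls) through
# reconcile_port and prints "<final port> <number of updates>".
run_rebinds() {
    current=$1
    shift
    updates=0
    for acquired in "$@"; do
        case "$(reconcile_port "$acquired" "$current")" in
            update) current=$acquired; updates=$((updates + 1)) ;;
            keep|reject) ;;   # stay in the loop; the daemon lives on
        esac
    done
    echo "$current $updates"
}
```

In the real daemon the loop body would obtain the acquired port from the PIA bind call, write the alias and reload the filter only on "update", then sleep before the next rebind.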

Novice seeking help guidance..

devd triggers the service and my system logs state:

/usr/local/etc/rc.d/piaportforwarding: WARNING: cannot read shebang line from /home/custom/piaportforward/pia-pfSense.sh

I went through the instructions several times and I have not been able to resolve this.

Any advice is appreciated!

v/r,
jg

Pfsense 2.6.0 (and perhaps PIA VPN in 2022?)

Two things I had to modify in my scripts while taking from this tutorial.

Line 47 in pia-pfSense.sh

I changed the part that says the following:

get_auth_token () {
tok=$(curl --interface ${ovpniface} --insecure --silent --show-error --request POST --max-time $curl_max_time \
--header "Content-Type: application/json" \
--data "{\"username\":\"$piauser\",\"password\":\"$piapass\"}" \
"https://www.privateinternetaccess.com/api/client/v2/token" | jq -r '.token')
}

TO THIS:
get_auth_token () {
tok=$(curl -s -u $piauser:$piapass --interface $ovpniface --insecure --silent --show-error --max-time 15 "https://privateinternetaccess.com/gtoken/generateToken" | jq -r '.token')
}

In addition, perhaps due to the way I was using PIA? The following modification I had to make to interpret the gateway of the openvpn interface.

on line 96 it reads:
vpn_ip=$(traceroute -i ${ovpniface} -m 1 privateinternetaccess.com | tail -n 1 | awk '{print $2}')

I modified it to this:
vpn_ip=$(ifconfig | grep ${ovpniface} -2 | grep "inet 10" | awk '{print $4}')

[PIA-API] Error! Failed to receive Signature!

Hello,
Thanks for the guide and the awesome documentation.
I have a problem after launching the service: this appears in my logs:
[PIA-API] Error! Failed to receive Signature!

Do you have an idea ?

Thanks

Base64

Not an issue but would it be easier to use 'b64decode -r' instead of 'base64 -d' which means installing the package?

Torguard?

Hi, Can this script be adapted for use on torguard vpn as that can use port forwarding?

fantastic work :)

pfSense 2.7.0

Hello everyone,

I had some version mismatch problem with installing the xmlstarlet package on a fresh pfSense 2.7.0 setup, so I had to modify the pia-pfSense.sh file to not use this package, and also there was no need to add any other package (jq was installed with the system already).

Actually the solution was replacing:

  • Line 39:
    transip=$(xml sel -t -v "//alias[name=\"$ipalias\"]/address" $conffile)
    to:
    transip=$(xmllint --xpath '//alias[name="'$ipalias'"]/address/text()' $conffile)

  • Line 123:
    natport=$(xml sel -t -v "//alias[name=\"$portalias\"]/address" $conffile)
    to:
    natport=$(xmllint --xpath '//alias[name="'$portalias'"]/address/text()' $conffile)

  • Line 138:
    xml ed -u "//alias[name=\"$portalias\"]/address" -v $pf_port $conffile > $tmpconffile
    to:
    cp $conffile $tmpconffile
    xml=$(xmllint --shell $tmpconffile << EOF
cd /pfsense/aliases/alias[name="$portalias"]/address
set $pf_port
save
EOF
)

  • Line 144:
    xml val -q $tmpconffile
    to:
    xmlwf -s $tmpconffile

Now, the code is fully working with pfSense 2.7.0

Help with Deluge

This is more of a request. I've been trying to get your script to work with Deluge instead of Transmission. Using the guide from their official docs (https://deluge.readthedocs.io/en/latest/devguide/how-to/curl-jsonrpc.html) I've been able to run curl commands from my pfsense terminal to change the listen port on my deluge server:

curl -d '{"method": "auth.login", "params": ["DelugePassword"], "id": 1}' -K /home/custom/piaportforward/curl.cfg
curl -d '{"method": "core.set_config", "params":[{"listen_ports": [1, 1]}], "id": 1}' -K /home/custom/piaportforward/curl.cfg

My problem is that I cannot get it to integrate into your script, as I am very unfamiliar with shell script, especially under pfsense.
