Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Fri Jun 28, 2019 8:27 Post subject:
Just a thought:
(disclaimer I do not use transmission)
Could it be that transmission advertises its port you entered? That port is not open, it is the external PIA port which is open.
If you get the same PIA port after connecting (when using the same hash) maybe you should enter that in transmission (and in the script) so that the port number is not changed but only forwarded?
BTW the duplicate entries are strange, although it indicates the script rerun (unfortunately with a different external port).
I know @eibgrad always takes great care in removing earlier entries if the script reruns.
Not a big problem the script will work but it is not up to @eibgrad's usual standard
Edit: when I have some more time later this week I will setup port forwarding from PIA, I have an account, but at the moment I am in the summer residence, so busy doing nothing
EDIT 2:
Once the option is set, please connect to one of the following port forwarding enabled gateways:
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Fri Jun 28, 2019 11:57 Post subject:
I just tested with PIA Romania.
Used the script without anything, so basically forwarding the external port to 192.168.1.1:80.
AND: ..... got my login page and could enter the router's GUI from the PIA Romania IP:80.
I am at the moment behind a residential gateway without any means for port forwarding and was going to use this to get to my VPN server and to the cameras on my network.
Later I'll make more tests, but for now I only did this.
PIA client on my PC, then connected to a Swiss server with port forward enabled, then I installed transmission on the PC and configured the port that PIA says, checked the status and port open!
Like I said, later I'll do some more tests.
Btw, I disabled SFE even if in the PIA guide it is enabled, I'm on the latest Kong for R7800.
These are my DNS settings
I'm on the latest transmission, I can compile the old one, not a problem. What do you suggest for a client? I use Radarr and Sonarr so not all clients are good, with transmission I can set seeding time and ratio from Radarr or Sonarr.
I can try another client and see what happens.
BTW transmission uses the port I indicate like other P2P clients, if opened it is better.
Is transmission itself on the VPN? IOW, it is configured to use the VPN for initiating outbound connections? If not, then perhaps it's using the WAN, then advertising its remote access as WAN_IP + PIA external port, which would be incorrect.
The NAS is under 10.0.0.100 and all connections go only over the VPN with these firewall rules on DD-WRT:
Code:
iptables -I FORWARD -s 10.0.0.100/32 -o $(nvram get wan_iface) -m state --state NEW -j REJECT
iptables -t nat -A POSTROUTING -o $(nvram get wan_iface) -j MASQUERADE
So from nas ssh:
Code:
$ curl ipinfo.io/ip
185.220.70.134
This is the actual ext_port_forward.html
Code:
Fri Jun 28 20:32:18 CEST 2019: PIA external port forward: 185.220.70.134 : 43876
After this I have to say that
[quote=egc]What you can try:
Look at the external port number you get from PIA.
Set that port number in the script.
Set that port number in transmission. [/quote]
does the trick, see now:
I'm not an expert at all; to me it seems that now the 2 "same" ports are in communication, and before, even if the port was the same, it was like they were in 2 different "universes".
The only thing I can add is that on my NAS I have this rule inside /etc/network/interfaces
Code:
## static ip config START ##
up /sbin/ip route add 10.8.0.0/24 via 10.0.0.1 dev bond0
down /sbin/ip route delete 10.8.0.0/24 via 10.0.0.1 dev bond0
## static ip config END ##
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Sat Jun 29, 2019 16:37 Post subject:
It looks like there is activity on the PIA external port, is transmission working?
About the static route on your NAS, I am not sure what that could be for.
Just a theory:
You have a VPN server running on your router with 10.8.0.0/24, and if you want to reach your NAS via the VPN server and you have a VPN client running on your NAS, you might need that static route, otherwise the packets coming from the VPN server on your router will be routed out via the VPN client on the NAS and that will not work, hence the necessary static route.
Just a theory, you are not running a VPN client on your NAS?
The firewall rules on your router are the kill switch for the NAS and the routing of the VPN server connections out via the internet. Looks good to me
All correct! I have a client and a server on the router, and when I connect from outside to the server I want to access the NAS, which is the only one under the PIA VPN.
Glad to hear that the rules are right, in part it is thanks to you!
Any idea why I have to put the same port for forwarding?
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Sun Jun 30, 2019 11:53 Post subject:
I do not use transmission but I guess it is advertising its port to the internet but this is a different port from what PIA gives you and hence it will not work because the port transmission advertises is not open.
Luckily PIA gives you the same port when using the same client id, so once you know it you enter that port in transmission.
But not a foolproof solution.
What you can do is on your NAS which is Linux based (regarding your static rule) you can make a script which queries the html page on the router with the port PIA has opened for you (as defined by the script from @eibgrad) and then start Transmission from the CLI of your router with this port.
Make a loop to check every 60 seconds or so and if altered kill transmission and start again with the new port.
Can be done with a few lines of code.
If you get it working please publish it for further use
(state your NAS)
I am not at home so cannot test anything but I have a QNAP 453 Pro which can use scripts like this without a problem
You're right! I also have a QNAP 269L, but I removed the QNAP system and installed Debian.
So for now, until @eibgrad finds a better solution (if one exists), when transmission is on another machine one extra step is needed, so I made this little sh script to check and change the actual transmission port according to the PIA one.
WHAT DOES THIS SCRIPT DO?
The purpose of this script is to run on a remote machine that holds transmission-daemon: it simply checks if transmission is active, then checks the PIA port from the router and, if different, stops transmission, changes the port, then restarts transmission.
REQUISITES:
jq (apt install jq)
transmission started/stopped with systemd
some basic Linux skills
Code:
#!/bin/bash
# Settings: adjust these to your setup before running (see the notes below the script)
SERVICE="transmission-daemon.service"                  # systemd unit of transmission
PIA_EXT_PORT="http://10.0.0.1/ext_port_forward.html"   # page written on the router by @eibgrad's script (URL path assumed)
TRANSMISSION_SETTINGS="/path/to/settings.json"         # placeholder: transmission's settings.json
LOG_ENABLE="0"                                         # 1 = append to $LOG_PATH/<script name>.log
LOG_PATH="/var/log"
TMP_LOCK_FILE="/tmp/${0##*/}.lock"                     # prevents two cron runs restarting transmission at once

log() { [[ "$LOG_ENABLE" == "1" ]] && echo "$(date): $*" >> "$LOG_PATH/${0##*/}.log"; }

if systemctl is-active --quiet "$SERVICE"; then # service active
    log "service is active ..."
    PIA_PORT=$(curl -sf "$PIA_EXT_PORT" | grep -o '[0-9]*' | tail -n1) # last number on the page = current PIA port
    if [[ -n "$PIA_PORT" ]] && [[ ! -e "$TMP_LOCK_FILE" ]]; then # got the PIA port and no other run in progress
        ACTUAL_TRANSMISSION_PORT=$(jq '."peer-port"' "$TRANSMISSION_SETTINGS") # current transmission port
        if [[ "$ACTUAL_TRANSMISSION_PORT" == "$PIA_PORT" ]]; then # PIA port is the same as the transmission port
            log "Transmission port is already the good one, nothing to do, see you later!"
        else # transmission uses a different port
            log "Transmission port is not the right one, I'll change it to $PIA_PORT"
            touch "$TMP_LOCK_FILE"
            systemctl stop "$SERVICE" # stop first: transmission rewrites settings.json on exit
            sleep 1
            # --argjson keeps peer-port numeric (--arg would write a quoted string, but
            # transmission expects a number); "cat >" keeps the file's owner and permissions
            TMP_JSON=$(mktemp)
            jq --argjson NEW_PORT "$PIA_PORT" '."peer-port" = $NEW_PORT' "$TRANSMISSION_SETTINGS" > "$TMP_JSON" \
                && cat "$TMP_JSON" > "$TRANSMISSION_SETTINGS"
            rm -f "$TMP_JSON"
            systemctl start "$SERVICE"
            sleep 1
            rm "$TMP_LOCK_FILE"
        fi
    else # can't find the PIA port (or a previous run is still busy)
        log "I can't find the PIA port from $PIA_EXT_PORT, make sure that it exists and is reachable"
    fi
else
    log "service is not active"
fi
Before starting this script please:
1. Specify the correct SERVICE, in my case it is "transmission-daemon.service"
2. Set the right PIA_EXT_PORT, in my case the DD-WRT router is under 10.0.0.1
3. Set the right TRANSMISSION_SETTINGS: where is the settings.json of transmission?
4. If you need a log, set LOG_ENABLE to 1 and adjust LOG_PATH to your desired path
5. Then download the script, make it executable and place it wherever you prefer
6. Cronize this script in order to execute it every minute or so
This is a very basic script, I'm not a programmer so maybe it can be improved! Any suggestion is appreciated.
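The script above takes the last number it finds on ext_port_forward.html, which is fragile if the page accumulates duplicate entries with different ports (as noticed earlier in the thread) or if transmission's peer-port was written as a quoted string. This added example (not from the original post or the script's author) parses the log line format shown above, picks the newest entry by timestamp, validates the port range, and reports whether settings.json needs updating; the sample lines are constructed.

```python
import json
import re
from datetime import datetime

# Line format written by the router script, e.g.
# "Fri Jun 28 20:32:18 CEST 2019: PIA external port forward: 185.220.70.134 : 43876"
# The timezone name is skipped (\S+) because strptime cannot parse names like CEST.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<year>\d{4}): "
    r"PIA external port forward: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) : (?P<port>\d{1,5})$"
)

# Constructed sample: an older duplicate entry followed by the current forward.
SAMPLE_HTML = """\
Fri Jun 28 20:12:03 CEST 2019: PIA external port forward: 185.220.70.134 : 41102
Fri Jun 28 20:32:18 CEST 2019: PIA external port forward: 185.220.70.134 : 43876
"""
# Constructed sample settings.json with the port stored as a string (the jq --arg pitfall).
SAMPLE_SETTINGS = '{"peer-port": "41102", "rpc-enabled": true}'


def latest_pia_port(html_text):
    """Return (ip, port) of the newest valid entry, or None if no line matches."""
    best = None
    for line in html_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # HTML wrapping or unrelated text: ignore
        port = int(m["port"])
        if not 1 <= port <= 65535:
            continue
        try:
            ts = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
        except ValueError:
            continue
        if best is None or ts >= best[0]:  # newest wins, regardless of position in the page
            best = (ts, m["ip"], port)
    return None if best is None else (best[1], best[2])


def peer_port(settings_json):
    """Return transmission's peer-port as an int, accepting a quoted value too."""
    value = json.loads(settings_json).get("peer-port")
    return None if value is None else int(value)


def needs_update(settings_json, html_text):
    """True when transmission's peer-port differs from PIA's current external port."""
    found = latest_pia_port(html_text)
    return found is not None and peer_port(settings_json) != found[1]
```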
Like I always said I'm not so expert, maybe what I'm going to say makes no sense, so tell me if my thoughts are wrong.
1. Can it be a simple Kong firmware bug?
2. To me it seems that there's a missing connection from the PIA port to the transmission port. But it seems quite strange even to me, who is not an expert, because I see this situation:
Router -> open all connections from this ip:port piapublicip:piaport to this internal PC nasip:port
Sounds good to me, and maybe there's a problem here! Can it be?
Maybe if I disable the kill switch? But if I disable it, how can I be sure that all traffic goes over the VPN?
But one thing I can't understand:
If I need to forward a port to use a service like transmission:
a. I use UPnP (never had a problem with it). I disabled it (egc's suggestion)
b. I manually go to port forwarding and add a rule (I already tried in the past)
I can try another client for testing purposes, like Deluge or qBittorrent or others, just to see if the problem is my machine or whatever. Do you want me to try another client on the NAS?
Do you think that I can try to:
Modify your script and bypass all this: