Joined: 18 Mar 2014 Posts: 12839 Location: Netherlands
Posted: Mon Jul 01, 2019 10:54 Post subject:
Just my take:
With a normal port forward you know what port is open because you set it yourself.
So for transmission you set a port forward in your router, e.g. 54321, then that port is open and in transmission you set this port.
Transmission advertises this port to the outside world and it is working because that is the port which is open.
But with PIA you do not know the port which is opened for you that is the problem IMHO.
Luckily @eibgrad's script publishes the external port to the router's webpage and @Chryses can retrieve it from there.
I am struggling with more or less the same problem: I want to connect to my VPN server via my PIA VPN client (I have to because I am behind a residential gateway).
To connect to my VPN server via the PIA VPN I have to know the port which PIA has opened for me. The script translates the open port to my VPN server's 1194, but if I do not know the open port (and the external IP address of course) I cannot reach the VPN server.
So as far as I know I must have the external IP address, that is already done by DDNS and I have to know the external port which is opened for me.
I am contemplating using two DDNS accounts, one for the external IP and one for the external port.
I have created two accounts on no-ip.com, one to update the external IP and one to update the external PIA port.
Unfortunately it will only accept IP addresses, so I must update my no-ip.com by disguising the PIA port as an IP address with (PIA always sets a 5-figure port number):
My question is:
Why doesn't the script's port forwarding work if the client is on another device?
It has to work! Directly connect the PIA port to an ip:port over the LAN.
Later I'll try to bypass all iptables rules from the script and make a manual port forward from the GUI; I want to see if it works.
For now the solution to get the port from the router page is quite good, maybe not the best and most elegant one, but for now it does the trick!
The first one is just how to retrieve the port number and the second article how to start transmission with this retrieved external port number exactly as @Chryses is doing now.
I am using PIA and there is no mention of the forwarded port if I login to my account, but I will look further and report.
4. I only stopped transmission, then changed the transmission port to 43876, but it is always closed because the default iptables rule is set to 54321; it is basically the same test as 3.
5. This is a strange test!
I just realized that my current script can't work if PIA changes the port during a reboot, because of
In this way I always redirect the same port.
I think for now, in conjunction with the script that scrapes the HTML from the router (waiting for JSON data), this is a not very elegant solution to have transmission outside the router.
Thanks for all your work, but if someone is up to the challenge it is you.
Just saw your comment!
I love the fact that in the second script the port can be changed without restarting transmission, on the fly!
But I think it's always the same situation: the PIA VPN must be on the same device as transmission.
I haven't tried yet with qBittorrent or Deluge; I will, maybe the problem is transmission. I'll make a test with the original @eibgrad script.
Joined: 18 Mar 2014 Posts: 12839 Location: Netherlands
Posted: Mon Jul 01, 2019 19:08 Post subject:
@Chryses, as far as I can tell you are on the right track: the external and internal port should be the same, and that is the port Transmission has to use.
Mmm, I really don't know anything about split-tunneling; I have to learn this!
So:
If the script and client are on the same device, no adjustments are needed.
If the script and client are on different devices, the same port must be opened and the client on the remote machine has to grab the correct port from the router.
Like you said, there's a big problem: what if the port changes without any reconnection? The only good solution is to constantly check the port from PIA every minute. This can be done on the router (actually your script only checks if the PID of the VPN client changes, not the port itself, am I right?), but this must be done on the remote machine too, right? The port must be changed because otherwise the client doesn't use the same port that is configured on the router. The PIA script can work too, without scraping the router page; it gives null results if 2 min have passed, so I think it can be managed in a way similar to my rough script.
Joined: 18 Mar 2014 Posts: 12839 Location: Netherlands
Posted: Tue Jul 02, 2019 14:41 Post subject:
eibgrad wrote:
If having VPN port forwarding support ends up w/ all these limitations and unpredictable behavior, including an ever changing external port, it's just not worth it (imo). You'd at least think they'd publish the external port somewhere on their website, once you've logged into your account. Otherwise, it's impractical to use.
There are still VPN providers offering a more sane approach to port forwarding, but they make you pay for it too (e.g., PureVPN).
These are the same guys I reported on a couple years ago who used to leave their end of the VPN tunnel wide-open, then charged you to secure it w/ a firewall.
They've since reversed course, installed a firewall, and now charge you to port forward. Looks to me you get both a fixed public and your own port management, so none of this other nonsense you see from PIA.
Fortunately PIA's forwarded port does not change randomly, but it can change on reconnection, although it tends to be the same.
And yes there are VPN providers where you can get a fixed port (when you pay) and also a lot that do not do any port forwarding, so PIA is not that bad.
And the script you provided is working great; I just tested with a VPN server running on my router with a DDNS to no-ip and that is working without problems.
Of course I still have to know the port number.
Unfortunately I have no other options, I think; here in my summer residence I am behind a residential gateway which does not port forward.
One question to @eibgrad: when updating DDNS I cannot use curl, it gives:
root@EA6900:~#
It is a two-minute window because that is when it quits the request to open the port; if it is not used at that time, it will not assign it to you.
The port will not be changed during a connection, but you may not get the same port on a reconnect.
Please don't hesitate to let me know if you have any questions or concerns.
Regards
Thomas W.
Customer Support Agent
So, good to know that the port won't change during a connection!
At this point, to me, the best option is:
1. Modify the eibgrad script in order to execute one custom command/script after a connection (for example I can ssh to my NAS and change the port on the fly (I only have to find out how)). The second modification is to distinguish whether the device that needs the port opened is on the same router or on a remote machine.
2. Modify my systemctl in order to execute a one-time scrape of the router during start, so I'll first scrape the URL, then start transmission with the port that I find (I don't know yet if it's better to call a script or to do all the work inside the systemctl).
In this way I can avoid continuous scraping of the router!
I think this is the way; good idea to make a callback script!
Why do I need to scrape the port? Simple: what if the remote device starts after the PIA connection, or if it reboots?
But it can easily be done with a remote call, so when the program runs on a remote machine it tells your script on the router to execute the callback script; sounds simple to me. Maybe you need an extra argument to only call the callback.
Joined: 18 Mar 2014 Posts: 12839 Location: Netherlands
Posted: Tue Jul 02, 2019 19:59 Post subject:
eibgrad wrote:
So given all the feedback and good suggestions, here's what I'm thinking.
1. Add the ability to specify "--port *" to signal that the internal port assignment should equal the external port assignment by PIA.
2. Add code to execute a callback script (ddwrt-pia-port-forward.callback ??) if present in the same directory as the ddwrt-pia-port-forward.sh script. I'll pass the VPN public IP and external port as arguments.
I'm thinking you could then use the opportunity to reconfigure either a local process, or a remote process on the LAN w/ ssh. You could also use it to publish the information wherever you like, be it your own website, pastebin, send yourself an email or text message, etc. Then perhaps you guys can publish your own callback scripts on pastebin so that others can benefit. It gets me out of the business of having to make special code for every possible new situation that could arise. I call the callback, you then take responsibility to do whatever you need/want.
Btw, I don't think it makes sense to scrape the ip/port off the webpage if you can avoid it. While I don't anticipate any changes to the webpage, like anything based on parsing a string, if it does change, it will likely break your code. And I don't want to be hindered from making changes down the road because someone is scraping the webpage. You do so at your own risk!
I'll probably make a few other minor unrelated changes while I'm at it.
I await your feedback before proceeding.
Excellent plan
I just finished hacking your script to update one of my no-ip hostnames with the external IP address and another hostname with the external port. It works quite well, but it is always difficult to hack another one's script.
So with a callback script we can do a better job.
Have been considering SNMP but I read somewhere BS has removed it, so I did not research it any further.
Anyway with a call back script we could do all sort of things and publish it for further use.
Looking forward to it.
Will also check why curl is not working; I have @ in the username, will try replacing it with %40.
curl: (3) Port number ended with 'p'
root@EA6900:~#
Just a guess, but do you perhaps have any special chars in your username, password, or host (esp. single and double quotes)? Because it sounds like a parsing error, and special chars can cause it w/ some utilities.
my username is my email address so it has an @ in it.
curl does not encode that correctly, if I replace @ with %40, it does work.
Strangely further on this line there is another @ which is not causing trouble.
Weird.
Now looking for a grep or sed command to change @ into %40.
Tried with
curl -Lk 'https://"$DDNS_USER":"$DDNS_PASS"@dynupdate.no-ip.com/nic/update?hostname="$DDNS_HOST"&myip="${vpn_public_ip}"'
?
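The pieces discussed in this thread, put together as an added example (this is not eibgrad's script and not the poster's no-ip hack): a callback of the kind proposed above, called with the VPN public IP and the PIA external port as its two arguments. It disguises the port as a dotted quad so a second DDNS A record can carry it (the 1.1.H.L scheme is my choice, the thread does not say what encoding was used), updates both no-ip hostnames using curl's -u option so an '@' in the username needs no %40 encoding, and pushes the port to a transmission-daemon on a LAN host with transmission-remote -p, which changes the peer port without a restart. The file name, hostnames, LAN address and credentials are assumptions; DRY_RUN=1 (the default) prints the commands instead of running them so the script can be exercised offline.

```shell
#!/bin/sh
# ddwrt-pia-port-forward.callback (hypothetical name, as proposed in the thread).
# Called as: ddwrt-pia-port-forward.callback <vpn-public-ip> <pia-external-port>
# Added example; assumes two no-ip hostnames, a LAN host running transmission-daemon
# with RPC enabled, and key-based ssh to that host. Runs on busybox ash / POSIX sh.

DDNS_USER="${DDNS_USER:-user@example.com}"               # assumed; the '@' broke the URL form
DDNS_PASS="${DDNS_PASS:-secret}"                         # assumed
DDNS_HOST_IP="${DDNS_HOST_IP:-vpn-ip.example.net}"       # A record carrying the public IP
DDNS_HOST_PORT="${DDNS_HOST_PORT:-vpn-port.example.net}" # A record carrying the encoded port
TRANSMISSION_HOST="${TRANSMISSION_HOST:-192.168.1.10}"   # assumed LAN host
DRY_RUN="${DRY_RUN:-1}"                                  # 1 = print commands, 0 = execute

# Disguise a port as a dotted quad: 1.1.<high byte>.<low byte>.
# Both octets stay <= 255 for any port up to 65535, so the mapping is reversible.
port_to_ip() {
    p="$1"
    case "$p" in ''|*[!0-9]*) return 1 ;; esac
    [ "$p" -ge 1024 ] && [ "$p" -le 65535 ] || return 1
    echo "1.1.$((p / 256)).$((p % 256))"
}

# Reverse mapping, for the LAN client that resolves DDNS_HOST_PORT.
# The record is public and unauthenticated, so validate before trusting it.
ip_to_port() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    case "$3$4" in ''|*[!0-9]*) return 1 ;; esac
    [ "$3" -le 255 ] && [ "$4" -le 255 ] || return 1
    echo $(( $3 * 256 + $4 ))
}

# Execute or, in dry-run mode, print the command.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# no-ip update. Credentials go through -u, so '@' in the username is fine and the
# password is not part of the URL (it is still visible in ps; a .netrc avoids that).
ddns_update() {
    run curl -sSLk -u "$DDNS_USER:$DDNS_PASS" \
        "https://dynupdate.no-ip.com/nic/update?hostname=$1&myip=$2"
}

# Change the remote daemon's peer port on the fly; no restart of transmission needed.
push_transmission_port() {
    run ssh -o BatchMode=yes "root@$TRANSMISSION_HOST" transmission-remote -p "$1"
}

main() {
    vpn_ip="$1"; ext_port="$2"
    [ -n "$vpn_ip" ] && [ -n "$ext_port" ] || {
        echo "usage: $0 <public-ip> <port>" >&2; return 2; }
    fake_ip=$(port_to_ip "$ext_port") || { echo "bad port: $ext_port" >&2; return 2; }
    ddns_update "$DDNS_HOST_IP" "$vpn_ip"
    ddns_update "$DDNS_HOST_PORT" "$fake_ip"
    push_transmission_port "$ext_port"
}

# Only act when arguments are given, so the file can also be sourced for its functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

On the NAS side, `ip_to_port "$(nslookup vpn-port.example.net | ...)"` recovers the port at boot, which covers the case where the remote device starts after the PIA connection is already up; the decoded value should still be range-checked, since anyone can read that A record and DDNS does not authenticate it.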