Except for a few trivial changes, I hadn't updated the script since creating it. So I decided to use the opportunity to make several beyond those previously discussed.
1. Added two new options, --proto (tcp|udp|both) and --source (e.g., 199.199.0.0/16). The default for --proto is tcp, and source 0.0.0.0/0.
2. Given the increased ability to configure the script, I added some very rudimentary validation routines. They're not going to catch every error, just the most obvious ones.
3. Because the script could be rerun upon a change in the OpenVPN client connection, it now rolls back any previous changes to the firewall.
4. If you want the external PIA port used as the internal port, you can specify a hyphen ("-", quotes not necessary), or use an empty string, either single quotes ('') or double quotes ("").
5. If the script finds a file of the same basename w/ the extension .callback (i.e., ddwrt-pia-port-forward.callback), then once the external port is established and the firewall rules are applied, the callback script is called w/ two arguments. The first is the VPN public IP (note, if it can't determine it for some reason, it will be 0.0.0.0), and the second the external port (e.g., 12345).
The ddwrt-installer will automatically download and install a sample callback script. It will *never* overwrite this script, even if you reinstall the primary script(s). For safety reasons, if you want to pickup any future enhancements to the callback script, you'll have to first manually delete the existing callback script.
I just didn't have the time to add any real features, so it's very basic. All it does it echo the VPN public IP and external port to the syslog. In the future, I might add some functions that will hopefully prove reusable (e.g., send email). If you guys have any good ideas, or write something useful to others, let me know and perhaps we can incorporate them.
If you decide to roll-your-own, be sure to a) include the shebang (#!/bin/sh) at the top of the script and b) mark it executable (chmod +x </path/filename>). Also, remember that Linux can NOT read files saved in Windows/DOS format, only Linux formatted. Can't tell you how many times ppl make this last mistake, so don't let the next victim be YOU!
6. Publishing the port forward to the router's webserver is now optional w/ the --nopublish option. I figure if you're going to use the callback capabilities, there's a good chance you don't even need it, and if you don't, will probably find it more advantageous to publish it yourself to your preferred internet-accessible website.
7. I no longer specify the protocol w/ curl or wget. I just let the utilities sort it out. It *might* eliminate some failed updates where my assumptions about support for http/https might be incorrect.
8. Although mostly of interest to me (if you like delving into the details, you might find it interesting), the script is now fully reentrant. Although I generally discourage running the script from the cli/console, this was needed both to prevent multiple instances from clobbering each other when it comes to managing any firewall changes. That's why I added the (hidden, but now exposed) --exec option; to minimize the chance of someone accidentally running the script as they attempted to configure it w/ the -h|--help option.
I also updated the ddwrt-installer. It will now warn you "by name" of any intended file overwrites/deletions due to pre-existing files. It will also NOT overwrite/delete any *.callback files (something the previous version would have done).
Finally, realize that since I don't have a PIA account, I had to make and test these changes by jury-rigging the script. Anything that directly interfaces w/ PIA could not be tested. So I can't guarantee anything until someone tries it and reports back.
Thanks for the update!
So if I call
Code:
/jffs/etc/config/ddwrt-pia-port-forward.sh --ip 10.0.0.100 --port - --proto both --debug
I create a forward for ip 10.0.0.100 on both protocol, with same port internal and external. Am I right?
I don't know if I really need both protocol but I think is ok.
Only one request, is possible to add an extra argument, like force_callback, in order to force only the execute only the call back script? The only question is, if I run the script the callback script after some time how can I pass the right $vpn_public_ip $ext_port ? Maybe have to be in the nvram?
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Fri Jul 05, 2019 7:44 Post subject:
I have made a callback script which updates my DDNS hostnames on NOIP.COM, one hostname with the external IP address and one hostname with the external port address (disguised as IP otherwise I can not upload it)
Tested if I could reach my VPN server from my phone with the retrieved IP and portnumber and BINGO success and working.
Have to polish the callback script and will make it available later.
One addition to the script:
in the usage maybe add the - option for internal = external port:
echo " --port PORT internal port of port forward (default=80), if internal port should be the same as external port use - "
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Fri Jul 05, 2019 17:37 Post subject:
Yes I have seen the script running, I will do the test and can always kill with the PID.
I have had the client run for several hours and it did not restart and everything keeps working, but I will test with killing the process maybe tomorow.
Sleep 20 is perhaps a little bit on the fast side I have made it sleep 40.
Furthermore, now I am nitpicking, your installation instructions, in the first step, are to enable JFFS2. I am personally not a big fan of using jffs2, once bricked a router when updating and jffs2 enabled, and although the script is not writing much to the flash ram, I am not comfortable with it so I use a USB stick with automount jffs.
Granted if you can not do that jffs2 is invaluable, but my first choice would be to use a USB stick, consider adding something like that in the installation instructions?
This callback script is intended to use with transmission installed on a device inside the intranet. Use an HTTP connection, so make sure that your router have access to the remote transmission-daemon
This callback do:
-> Save the port to a /tmp so can be taken from the remote machine
-> Try to set the pia port to the remote transmission
What you have to do?
You've to configure the remote url the username and the password.
The script:
Code:
#!/bin/sh
#DEBUG=; set -x # comment/uncomment to disable/enable debug mode
# name: ddwrt-pia-port-forward.callback
# version: 1.2.0, 05-jul-2019, by chryses
# purpose: change the transmission port in order to open it
#
# argument $1 : vpn public ip (0.0.0.0 if unknown)
# argument $2 : pia assigned external port
{
############ CONFIGURATION ############
TRANSMISSION_REMOTE_HOST="10.0.0.100" # Where's transmission?
TRANSMISSION_USERNAME="admin" # Username for transmission remote
TRANSMISSION_PASSWORD="admin" # Password for transmission remote
TRANSMISSION_PORT="9091" # Port for transmission remote
############ CONFIGURATION ############
# verify pia port
if [ $2 -le 0 ] || [ -z $2 ]; then
echo "No valid port forwarded, maybe your're connected to one server that not offer port-forward or some goes wrong, please check!"
rm -rf /tmp/pia-port-forward
exit
fi
# Take the pia port
PIA_PORT="$2"
# Save the opened port to a file, this's needed to another script that have to be called on remote machine when transmission start in order to set the open port
echo "$PIA_PORT" > /tmp/pia-port-forward
# Change transmission port on the fly
CURLOUT=$(curl -u $TRANSMISSION_USERNAME:$TRANSMISSION_PASSWORD http://${TRANSMISSION_REMOTE_HOST}:$TRANSMISSION_PORT/transmission/rpc 2>/dev/null)
TRANSMISSION_SESSION_ID=$(echo $CURLOUT | sed -n "s/^.*X-Transmission-Session-Id\:\s*\(\w*\).*$/\1/p")
if [ -z $TRANSMISSION_SESSION_ID ]; then
echo "No transmission session id found, exiting"
exit 1
else
DATA='{"method": "session-set", "arguments": { "peer-port" :'$PIA_PORT' } }'
curl -u $TRANSMISSION_USERNAME:$TRANSMISSION_PASSWORD http://${TRANSMISSION_REMOTE_HOST}:$TRANSMISSION_PORT/transmission/rpc -d "$DATA" -H "X-Transmission-Session-Id: $TRANSMISSION_SESSION_ID"
fi
What you have to do?
You've to configure the remote url the username and the password, then you've to set the right position for the local settings.json of transmission
The script:
Code:
#!/bin/bash
############ CONFIGURATION ############
UNAME="root" # username to access to dd-wrt router
PWORD="admin" # password to access to dd-wrt router
IP_Addr="192.168.2.1" # dd-wrt router address
TRANSMISSION_SETTINGS="/home/muletto/.config/transmission-daemon/settings.json" # local transmission settings.json
if [[ ! -z $REMOTE_PIA_PORT ]]; then # I get the pia port
ACTUAL_TRANSMISSION_PORT=$(cat $TRANSMISSION_SETTINGS | jq '."peer-port"') # get the actual transmission port
if [[ $ACTUAL_TRANSMISSION_PORT == $REMOTE_PIA_PORT ]]; then # pia port is the same that that the transmission port
[[ "$LOG_ENABLE" == "1" ]] && echo "Transmission port is already the good one, nothing to do, see you later!" >> "$LOG_PATH/${0##*/}.log"
else # transmission use a different port
[[ "$LOG_ENABLE" == "1" ]] && echo "Transmission port is not the right one, I'll change it" >> "$LOG_PATH/${0##*/}.log"
sleep 1
jq --argjson NEW_PORT $REMOTE_PIA_PORT '."peer-port" = $NEW_PORT' "$TRANSMISSION_SETTINGS" > /tmp/tmp.$$.json && mv /tmp/tmp.$$.json "$TRANSMISSION_SETTINGS" # change the port inside the settings.json file
sleep 1
fi
else # I can't find the pia port
[[ "$LOG_ENABLE" == "1" ]] && echo "I can't find the PIA port from $PIA_EXT_PORT make sure that exist and is reachable" >> "$LOG_PATH/${0##*/}.log"
fi
J
Last edited by Chryses on Fri Jul 12, 2019 18:38; edited 6 times in total
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Sat Jul 06, 2019 9:37 Post subject:
First draft of a working updater for NOIP.com
Will polish and check if update succeed, also have a retrieval script ready will publish later.
Updated with check for valid entriies
#!/bin/sh
#
# name: ddwrt-pia-port-forward.callback
# This must be used together with the PIA port forward scripts from @eibgrad:
# https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=313661&postdays=0&postorder=asc&start=30
# https://pastebin.com/P9nmpyxh
# version: 1.0.3, 10-jul-2019, by egc
# purpose: update hostnames of DDNS service from noip.com with external vpn ip address and opened up port number
#
# argument $1 : vpn public ip (0.0.0.0 if unknown)
# argument $2 : pia assigned external port (always 5 digit port number, 0 if unknown)
#
# place file in same directory as ddwrt-pia-port-forward.sh and make executable with:
# chmod +x /jffs/etc/config/ddwrt-pia-port-forward.callback
# modify the settings in the SETTINGS section, make sure not to use Windows style line endings
# ------------------------------- BEGIN SETTINGS -------------------------------- #
DDNS_USER="put in your user name"
DDNS_PASS="put in your password"
DDNS_HOST_IP="put in hostname of host for vpn public ip address"
DDNS_HOST_PN="put in hostname of host for vpn port number"
# ------------------------------- END SETTINGS -------------------------------- #
DDNS_USER_C="${DDNS_USER/@/%40}" # Replace @ with URL encoding %40 otherwise parse error with curl
vpn_public_ip=$1
ext_port=$2
#Disguise external port as IP number
EXT_PORT_IP="${ext_port:0:2}.${ext_port:2:1}.${ext_port:3:1}.${ext_port:4:1}"
# try curl, fallback to wget
which curl > /dev/null 2>&1 && GET_URL="curl -sLk https://" || GET_URL="wget -qO - http://"
[ $vpn_public_ip != "0.0.0.0" ] && \
$GET_URL"$DDNS_USER_C:$DDNS_PASS@dynupdate.no-ip.com/nic/update?hostname=$DDNS_HOST_IP&myip=${vpn_public_ip}" || \
logger "$(basename $0) No valid external IP, No update done"
[ $ext_port -ne 0 ] && \
$GET_URL"$DDNS_USER_C:$DDNS_PASS@dynupdate.no-ip.com/nic/update?hostname=$DDNS_HOST_PN&myip=${EXT_PORT_IP}" || \
logger "$(basename $0) No valid port address, No update done"
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Tue Jul 09, 2019 19:17 Post subject:
Thanks will take a look tomorrow.
I have a new version of my call back script which is checking a valid IP address (0.0.0.0) and handle that.
But it is a clumsy if statement and I was looking for a more concise test option. I am slowly learning (ba)sh and admiring the [] && ||, the possibilities of the parameter expansion and the intricacies of regex
Long story short, I favor that the callback script will be passed two variables, the first the IP address, 0.0.0.0 when not valid and the second the 5 digit port address, 00000 when no port address can be obtained.
On a side note I have been trying to test:
kill -SIGUSR1 <process-id>
My VPN client is going down but does not reconnect at all I am stuck at TCP reconnecting.
Not sure what is going wrong, I am behind a residential gateway.
Will test it when I am home again but that is the end of July.
Have been using this setup for about 2 days, I have a watchdog because internet is crappy, in those two days the watch dog kicked in twice and your script and my callback script worked great got different port numbers on one occasion but that was updated correctly to my noip.com hostname.
Thanks for the update.
On my side I don't have any real check, the only check I can do is:
If the port is not a valid one (what I've to check? I know that have to be 5 digits long. What if a user chose a server that don't have a port-forwarding service? What number is returned? 0 or nothing?) I can skip the script execution and remove the pia file, then on remote device I can simply skip the port set-up inside transmission.
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Wed Jul 10, 2019 9:17 Post subject:
I have updated my script with checks for 0.0.0.0 and 00000, could also perhaps send just 0 as invalid port number?
Edit:
Just checked your new script and you are returning a 0 if port can not be obtained. Excellent
Also did a quick test run with your new script and my own callback script updating my 2 hosts with noip.com with IP address and port number and that worked perfectly
I also update both script, the local and remote one, in order to not set the port if some go wrong.
Btw, I just found a "problem". Like @eibgrad said, if a soft-reset or some happen, the port is "lose" because is not used and/or requested within 2 minutes. So, is some that is just happen to me, maybe not the same situation but ... see here, from html page from script:
Quote:
Tue Jul 9 19:41:38 CEST 2019: PIA external port forward: 185.220.70.132 : 43876
# root @ Qnap in ~ [7:54:44]
$ transmission-remote -pt
Port is open: No
So in meantime, the ip is changed (without a real re-connection?) so the port was not requested and then the port is closed.
Am I correct?
What about add a control like that?:
if pid is the same ok, but is the ip is different, request again the port, all executed every 20 sec like always. I don't think a curl to ipinfo.io is necessary, I hope/think the ip is stored to some log file
But what about a log? Is not possible to log the openvpn process with some code to add to Additional Config field and extract the ip from it? Like grep with regex and take only the last found, if different from the one that I used to know my vpn ip, request the port-forward
Code:
Clientlog:
20190712 07:52:58 MANAGEMENT: Client disconnected
20190712 07:52:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190712 07:52:58 D MANAGEMENT: CMD 'state'
20190712 07:52:58 MANAGEMENT: Client disconnected
20190712 07:52:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190712 07:52:58 D MANAGEMENT: CMD 'status 2'
20190712 07:52:58 MANAGEMENT: Client disconnected
20190712 07:52:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190712 07:52:58 D MANAGEMENT: CMD 'log 500'
20190712 07:52:58 MANAGEMENT: Client disconnected
20190712 08:01:46 I [71ee5bec21c0b7819644079ff6c1acd9] Inactivity timeout (--ping-restart) restarting
20190712 08:01:46 I SIGUSR1[soft ping-restart] received process restarting
20190712 08:01:46 Restart pause 5 second(s)
20190712 08:01:51 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20190712 08:01:51 I TCP/UDP: Preserving recently used remote address: [AF_INET]185.220.70.138:1198
20190712 08:01:51 Socket Buffers: R=[180224->180224] S=[180224->180224]
20190712 08:01:51 I UDPv4 link local: (not bound)
20190712 08:01:51 I UDPv4 link remote: [AF_INET]185.220.70.138:1198
20190712 08:01:51 TLS: Initial packet from [AF_INET]185.220.70.138:1198 sid=4479f27a 9394c979
20190712 08:01:51 VERIFY OK: depth=1 C=US ST=CA L=LosAngeles O=Private Internet Access OU=Private Internet Access CN=Private Internet Access name=Private Internet Access emailAddress=secure@privateinternetaccess.com
20190712 08:01:51 VERIFY KU OK
20190712 08:01:51 NOTE: --mute triggered...
20190712 08:01:51 4 variation(s) on previous 3 message(s) suppressed by --mute
20190712 08:01:51 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1558' remote='link-mtu 1542'
20190712 08:01:51 W WARNING: 'cipher' is used inconsistently local='cipher AES-128-CBC' remote='cipher BF-CBC'
20190712 08:01:51 Control Channel: TLSv1.2 cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384 2048 bit RSA
20190712 08:01:51 I [71ee5bec21c0b7819644079ff6c1acd9] Peer Connection Initiated with [AF_INET]185.220.70.138:1198
20190712 08:01:52 SENT CONTROL [71ee5bec21c0b7819644079ff6c1acd9]: 'PUSH_REQUEST' (status=1)
20190712 08:01:57 SENT CONTROL [71ee5bec21c0b7819644079ff6c1acd9]: 'PUSH_REQUEST' (status=1)
20190712 08:01:57 AUTH: Received control message: AUTH_FAILED
20190712 08:01:57 I SIGUSR1[soft auth-failure (auth-token)] received process restarting
20190712 08:01:57 Restart pause 5 second(s)
20190712 08:02:02 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20190712 08:02:02 I TCP/UDP: Preserving recently used remote address: [AF_INET]185.220.70.138:1198
20190712 08:02:02 Socket Buffers: R=[180224->180224] S=[180224->180224]
20190712 08:02:02 I UDPv4 link local: (not bound)
20190712 08:02:02 I UDPv4 link remote: [AF_INET]185.220.70.138:1198
20190712 08:02:02 TLS: Initial packet from [AF_INET]185.220.70.138:1198 sid=eb8a65f7 f7e7c0fa
20190712 08:02:02 VERIFY OK: depth=1 C=US ST=CA L=LosAngeles O=Private Internet Access OU=Private Internet Access CN=Private Internet Access name=Private Internet Access emailAddress=secure@privateinternetaccess.com
20190712 08:02:02 VERIFY KU OK
20190712 08:02:02 NOTE: --mute triggered...
20190712 08:02:02 4 variation(s) on previous 3 message(s) suppressed by --mute
20190712 08:02:02 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1558' remote='link-mtu 1542'
20190712 08:02:02 W WARNING: 'cipher' is used inconsistently local='cipher AES-128-CBC' remote='cipher BF-CBC'
20190712 08:02:02 Control Channel: TLSv1.2 cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384 2048 bit RSA
20190712 08:02:02 I [71ee5bec21c0b7819644079ff6c1acd9] Peer Connection Initiated with [AF_INET]185.220.70.138:1198
20190712 08:02:03 SENT CONTROL [71ee5bec21c0b7819644079ff6c1acd9]: 'PUSH_REQUEST' (status=1)
20190712 08:02:08 SENT CONTROL [71ee5bec21c0b7819644079ff6c1acd9]: 'PUSH_REQUEST' (status=1)
20190712 08:02:08 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 dhcp-option DNS 209.222.18.222 dhcp-option DNS 209.222.18.218 ping 10 comp-lzo no route 10.57.10.1 topology net30 ifconfig 10.57.10.6 10.57.10.5 auth-token'
20190712 08:02:08 NOTE: --mute triggered...
20190712 08:02:08 7 variation(s) on previous 3 message(s) suppressed by --mute
20190712 08:02:08 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
20190712 08:02:08 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
20190712 08:02:08 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
20190712 08:02:08 NOTE: --mute triggered...
20190712 08:02:08 1 variation(s) on previous 3 message(s) suppressed by --mute
20190712 08:02:08 I Preserving previous TUN/TAP instance: tun1
20190712 08:02:08 I NOTE: Pulled options changed on restart will need to close and reopen TUN/TAP device.
20190712 08:02:08 I /tmp/openvpncl/route-down.sh tun1 1500 1558 10.25.10.6 10.25.10.5 init
20190712 08:02:08 /sbin/route del -net 10.25.10.1 netmask 255.255.255.255
20190712 08:02:08 Closing TUN/TAP interface
20190712 08:02:08 I /sbin/ifconfig tun1 0.0.0.0
20190712 08:02:09 I TUN/TAP device tun1 opened
20190712 08:02:09 TUN/TAP TX queue length set to 100
20190712 08:02:09 I /sbin/ifconfig tun1 10.57.10.6 pointopoint 10.57.10.5 mtu 1500
20190712 08:02:09 /sbin/route add -net 10.57.10.1 netmask 255.255.255.255 gw 10.57.10.5
20190712 08:02:09 I Initialization Sequence Completed
20190712 09:02:02 TLS: soft reset sec=0 bytes=17496705/-1 pkts=36445/0
20190712 09:02:02 VERIFY OK: depth=1 C=US ST=CA L=LosAngeles O=Private Internet Access OU=Private Internet Access CN=Private Internet Access name=Private Internet Access emailAddress=secure@privateinternetaccess.com
20190712 09:02:02 VERIFY KU OK
20190712 09:02:02 NOTE: --mute triggered...
20190712 09:02:02 4 variation(s) on previous 3 message(s) suppressed by --mute
20190712 09:02:02 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1558' remote='link-mtu 1542'
20190712 09:02:02 W WARNING: 'cipher' is used inconsistently local='cipher AES-128-CBC' remote='cipher BF-CBC'
20190712 09:02:02 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
20190712 09:02:02 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
20190712 09:02:02 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
20190712 09:02:02 NOTE: --mute triggered...
20190712 10:02:03 9 variation(s) on previous 3 message(s) suppressed by --mute
20190712 10:02:03 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1558' remote='link-mtu 1542'
20190712 10:02:03 W WARNING: 'cipher' is used inconsistently local='cipher AES-128-CBC' remote='cipher BF-CBC'
20190712 10:02:03 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
20190712 10:02:03 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
20190712 10:02:03 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
20190712 10:02:03 NOTE: --mute triggered...
20190712 10:14:15 2 variation(s) on previous 3 message(s) suppressed by --mute
20190712 10:14:15 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190712 10:14:15 D MANAGEMENT: CMD 'state'
20190712 10:14:15 MANAGEMENT: Client disconnected
20190712 10:14:15 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190712 10:14:15 D MANAGEMENT: CMD 'state'
20190712 10:14:15 MANAGEMENT: Client disconnected
20190712 10:14:15 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190712 10:14:15 D MANAGEMENT: CMD 'state'
20190712 10:14:15 MANAGEMENT: Client disconnected
20190712 10:14:15 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190712 10:14:15 D MANAGEMENT: CMD 'status 2'
20190712 10:14:15 MANAGEMENT: Client disconnected
20190712 10:14:15 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190712 10:14:15 D MANAGEMENT: CMD 'log 500'
19700101 01:00:00
