Anyone have DD-WRT, PIA openvpn, and port forwarding working

DD-WRT Forum -> Advanced Networking
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 1144
Location: Indiana

Posted: Sat Feb 03, 2018 15:37    Post subject: Anyone have DD-WRT, PIA openvpn, and port forwarding working
I have PIA VPN and port forwarding working on a Windows PC. I would rather have it on the router. PIA support gave me a script to try and said it probably wouldn't work. They were right. There is a pretty confusing, mixed-up bunch of posts on the PIA forums. I tried a bunch of things to no avail. Searching here has not helped me yet. The question is, has anyone been able to get port forwarding working on an OpenVPN client DD-WRT router using PIA OpenVPN?
_________________
SUPPORTED DEVICES -- DON'T USE ROUTER DATABASE!
--IMPORTANT UPGRADE INFORMATION--Stubby DoT
Qualcomm-Atheros:
R7800 x2 kongat & BS WDS AP & Sta- R7500V2 kongat WDS STA- WNDR3700v4 BS std WDS STA- Nanostation M2 AirOS- LocoM2 AirOS
Broadcom:
R6200v2 kongac WLAN Repeater Archer C9 v1 OEM WAP
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Sat Feb 03, 2018 17:09
You might want to read the following thread.

https://www.dd-wrt.com/forum/viewtopic.php?t=313210

The OP's problem in that thread is that he can't access his local devices remotely (over the WAN) whenever the OpenVPN client back home is active. And one way to correct the problem is to remotely access those devices over the VPN instead. So the mid to later posts of that thread describe how to port forward dd-wrt's end of the tunnel. And it should be the same technique regardless of VPN provider.

However, you'll have to follow the VPN provider's instructions when it comes to their end of the tunnel. For those few that do offer port forwarding, they all tend to handle it a bit differently. Some are wide open, while others provide a user interface on the VPN provider's website to manage the port forwarding.

If you still can't get it to work, then post exactly what they told you to do, what you did, etc.
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 1144
Location: Indiana

Posted: Sat Feb 03, 2018 21:08
In a nutshell, getting which port to forward is the first problem. PIA says to:
Code:
How to use it:
1. wget https://www.privateinternetaccess.com/installer/port_forward.sh
2. chmod +x port_forward.sh
3. Make sure you are connected in one of the gateways that supports port forwarding
4. ./port_forward.sh <user> <password>

It should return something like: { "port": 23423 }

You can then enter this port into your software.



This returns
Code:
root@DD-WRT:~#  wget https://www.privateinternetaccess.com/installer/port_forward.sh

wget: not an http or ftp url: https://www.privateinternetaccess.com/installer/port_forward.sh


Entering the script alone
Code:
root@DD-WRT:~# #! /bin/bash
#
# Enable port forwarding
#
# Requirements:
#   your Private Internet Access user and password as arguments
#
# Usage:
#  ./port_forward.sh <user> <password>

error( )
{
  echo "$@" 1>&2
  exit 1
}

error_and_usage( )
{
  echo "$@" 1>&2
  usage_and_exit 1
}

usage( )
{
  echo "Usage: `dirname $0`/$PROGRAM <user> <password>

>"
}

usage_and_exit( )
{
  usage
  exit $1
}

version( )
{
  echo "$PROGRAM version $VERSION"
}


port_forward_assignment( )
{
  echo 'Loading port forward assignment information..'
  if [ "$(uname)" == "Linux" ]; then
    local_ip=`ifconfig tun0|grep -oE "inet addr: *10\.[0-9]+\.[0-9]+\.[0-9]+"|tr -d "a-z :"|tee /tmp/vpn_ip`
    client_id=`head -n 100 /dev/urandom | md5sum | tr -d " -"`
  fi
  if [ "$(uname)" == "Darwin" ]; then
    local_ip=`ifconfig tun0 | grep "inet " | cut -d\  -f2|tee /tmp/vpn_ip`
    client_id=`head -n 100 /dev/urandom | md5 -r | tr -d " -"`
  fi
  json=`wget -q --post-data="user=$???????&pass=$??????????&client_id=$client_id&local_ip=$local_ip" -O - 'https://www.privateinternetaccess.com/vpninfo/port_forward_assignment' | head -1`
  echo $json
}

EXITCODE=0
PROGRAM=`basename $0`
VERSION=1.0
USER=$1
PASSWORD=$2

while test $# -lt 2
do
  case $1 in
  --usage | --help | -h )
    usage_and_exit 0
    ;;
  --version | -v )
    version
    exit 0
    ;;
  *)
    error_and_usage "Unrecognized option: $1"
    ;;
  esac
  shift
done

port_forward_assignment

exit 0


returns
Code:
root@DD-WRT:~# #! /bin/bash
root@DD-WRT:~# #
root@DD-WRT:~# # Enable port forwarding
root@DD-WRT:~# #
root@DD-WRT:~# # Requirements:
root@DD-WRT:~# #   your Private Internet Access user and password as arguments
root@DD-WRT:~# #
root@DD-WRT:~# # Usage:
root@DD-WRT:~# #  ./port_forward.sh <user> <password>
root@DD-WRT:~#
root@DD-WRT:~# error( )
> {
>   echo "$@" 1>&2
>   exit 1
> }
root@DD-WRT:~#
root@DD-WRT:~# error_and_usage( )
> {
>   echo "$@" 1>&2
>   usage_and_exit 1
> }
root@DD-WRT:~#
root@DD-WRT:~# usage( )
> {
>   echo "Usage: `dirname $0`/$PROGRAM <user> <password>
>
> >"
> }
root@DD-WRT:~#
root@DD-WRT:~# usage_and_exit( )
> {
>   usage
>   exit $1
> }
root@DD-WRT:~#
root@DD-WRT:~# version( )
> {
>   echo "$PROGRAM version $VERSION"
> }
root@DD-WRT:~#
root@DD-WRT:~#
root@DD-WRT:~# port_forward_assignment( )
> {
>   echo 'Loading port forward assignment information..'
>   if [ "$(uname)" == "Linux" ]; then
>     local_ip=`ifconfig tun0|grep -oE "inet addr: *10\.[0-9]+\.[0-9]+\.[0-9]+"|tr
-d "a-z :"|tee /tmp/vpn_ip`
>     client_id=`head -n 100 /dev/urandom | md5sum | tr -d " -"`
>   fi
>   if [ "$(uname)" == "Darwin" ]; then
>     local_ip=`ifconfig tun0 | grep "inet " | cut -d\  -f2|tee /tmp/vpn_ip`
>     client_id=`head -n 100 /dev/urandom | md5 -r | tr -d " -"`
>   fi
>   json=`wget -q --post-data="user=$???????&pass=$??????????&client_id=$client_id&
local_ip=$local_ip" -O - 'https://www.privateinternetaccess.com/vpninfo/port_forwar
d_assignment' | head -1`
>   echo $json
> }
root@DD-WRT:~#
root@DD-WRT:~# EXITCODE=0
root@DD-WRT:~# PROGRAM=`basename $0`
root@DD-WRT:~# VERSION=1.0
root@DD-WRT:~# USER=$1
root@DD-WRT:~# PASSWORD=$2
root@DD-WRT:~#
root@DD-WRT:~# while test $# -lt 2
> do
>   case $1 in
>   --usage | --help | -h )
>     usage_and_exit 0
>     ;;
>   --version | -v )
>     version
>     exit 0
>     ;;
>   *)
>     error_and_usage "Unrecognized option: $1"
>     ;;
>   esac
>   shift
> done
Unrecognized option:
Usage: ./-sh <user> <password>

>
Connection closed by foreign host.

Just running those instructions on an Ubuntu PC:

Code:
pw@pw-MP8708:~$ wget https://www.privateinternetaccess.com/installer/port_forward.sh
--2018-02-03 14:08:22--  https://www.privateinternetaccess.com/installer/port_forward.sh
Resolving www.privateinternetaccess.com (www.privateinternetaccess.com)... 23.208.44.232
Connecting to www.privateinternetaccess.com (www.privateinternetaccess.com)|23.208.44.232|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1431 (1.4K) [text/x-sh]
Saving to: ‘port_forward.sh.4’

port_forward.sh.4    100%[=====================>]   1.40K  --.-KB/s    in 0s     

2018-02-03 14:08:22 (163 MB/s) - ‘port_forward.sh.4’ saved [1431/1431]

pw@pw-MP8708:~$ chmod +x port_forward.sh
pw@pw-MP8708:~$ ./port_forward.sh ????????? ????????
Loading port forward assignment information..
tun0: error fetching interface information: Device not found
{"error":"Invalid parameter: local_ip "}

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Sat Feb 03, 2018 21:56
OMG, forget all the crapola from them. I got lost after just a few lines. All you should need on the dd-wrt side is a couple of firewall rules for the port forward, as illustrated in that link I provided. In fact, if you're only trying to reach router services (e.g., the GUI), you don't need any at all! That's one of the dangers I found in using PureVPN, and discussed in the following thread.

https://www.dd-wrt.com/phpBB2/viewtopic.php?t=307445
d0ug
DD-WRT Guru


Joined: 31 Jul 2015
Posts: 759

Posted: Sat Feb 03, 2018 23:26
Personally, here is what I do in this situation, since I also use PIA and I run my own email and web server at home.

The IP of my host running the email and web server is excluded from the policy based routing. These services are still accessible at my real WAN IP. And I just have port forwards set up like you would do for any typical server setup without the VPN.

This seemed like the most logical solution for me, since my real WAN IP barely changes, and when it does change the DDNS updater in DD-WRT can still handle updating my DNS records at DynDNS. AFAIK the DDNS client will not auto-update your Dynamic DNS provider every time the VPN re-establishes its connection and your IP changes. The DDNS client only does updates on router bootup and at whatever manual interval you specify, which can be as small as once per day. Also, some dynamic DNS services like DynDNS limit the number of updates per day, so if your VPN disconnects several times per day for some reason, you could find your DynDNS account being locked out for updating too frequently.
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 1144
Location: Indiana

Posted: Sun Feb 04, 2018 0:53
    eibgrad wrote:

Quote:
That's one of the dangers I found in using PureVPN, and discussed in the following thread.

https://www.dd-wrt.com/phpBB2/viewtopic.php?t=307445


After reading your reply (4th post down here: https://www.dd-wrt.com/phpBB2/viewtopic.php?t=313501&highlight=) I scrapped PureVPN and went with PIA.


d0ug wrote:

The IP of my host running the email and web server is excluded from the policy based routing.


So this means all traffic to and from that machine is over the WAN? If so, that is what I was trying to avoid. The script from PIA support is meant to give the port to forward (or not). I am not able to get that to happen, and what I have going on the Windows machine is working. I just do not like using Windows.

So, thanks for the help guys / gals and I will continue as I am.

d0ug
DD-WRT Guru


Joined: 31 Jul 2015
Posts: 759

Posted: Sun Feb 04, 2018 2:52
bushant wrote:
    eibgrad wrote:

Quote:
That's one of the dangers I found in using PureVPN, and discussed in the following thread.

https://www.dd-wrt.com/phpBB2/viewtopic.php?t=307445


After reading your reply (4th post down here: https://www.dd-wrt.com/phpBB2/viewtopic.php?t=313501&highlight=) I scrapped PureVPN and went with PIA.


d0ug wrote:

The IP of my host running the email and web server is excluded from the policy based routing.


So this means all traffic to and from that machine is over the WAN? If so, that is what I was trying to avoid. The script from PIA support is meant to give the port to forward (or not). I am not able to get that to happen, and what I have going on the Windows machine is working. I just do not like using Windows.

So, thanks for the help guys / gals and I will continue as I am.


I guess it all depends on your use case. If you are just setting up services that you access privately, it shouldn't be an issue. But if you are running services for the public to access, like web and email, each reconnection to your VPN is going to result in a new IP, an update needing to be done to your DNS, and minutes to hours of outage while that DNS change propagates across the internet.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3795
Location: Netherlands

Posted: Wed Feb 07, 2018 14:01
PIA has a new port forwarding API: https://www.privateinternetaccess.com/forum/discussion/23431/new-pia-port-forwarding-api

However, you need sha256sum for it to work. I just installed it via Entware-ng: opkg install coreutils-sha256sum
and lo and behold, it actually works. Mind you, if you are using PBR you have to route their server address, http://209.222.18.222, through the VPN.
Also, it only works the first 2 minutes the VPN is up!

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
Simple PBR (Policy Based Routing) script: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN server setup guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Wed Feb 07, 2018 16:40
egc wrote:
PIA has a new port forwarding API: https://www.privateinternetaccess.com/forum/discussion/23431/new-pia-port-forwarding-api

However, you need sha256sum for it to work. I just installed it via Entware-ng: opkg install coreutils-sha256sum
and lo and behold, it actually works. Mind you, if you are using PBR you have to route their server address, http://209.222.18.222, through the VPN.
Also, it only works the first 2 minutes the VPN is up!


Thanx, that's very helpful. And news to me.

This is the new, simplified API? Never had any experience with the old one. Must have been a mess. Now I understand the complexity of the script.

It's going to be a major hassle for users if you now need Entware to implement it. It might be simple for you and me, but it complicates matters considerably for the average user. Any explanation from our end will contain a lot of ifs, ands, and buts.

This might benefit from a wiki or tutorial. In fact, the whole "port forwarding a VPN" issue could use a wiki tutorial given all the differences and issues. Maybe I can put something together.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3795
Location: Netherlands

Posted: Wed Feb 07, 2018 16:48
Yes, I agree it is not for the faint of heart.

Besides, the new API will get you the port number, but from there on you have to write a script for port forwarding that particular port to your destination port, I guess.
(If I ever need such a script, I know where to find you.)

bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 1144
Location: Indiana

Posted: Wed Feb 07, 2018 19:14
Count me among the faint-of-heart average users, but I am willing to try anything. I had tried the new API and knew about the 2 minute thing, without success. Must have missed the part about sha256sum. Time for me to get to googling that and Entware. I installed Entware a few days ago on a flash drive, I think, but really didn't know what I was doing.
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 1144
Location: Indiana

Posted: Wed Feb 07, 2018 23:02
egc wrote:
Quote:
PIA has a new port forwarding API: https://www.privateinternetaccess.com/forum/discussion/23431/new-pia-port-forwarding-api

However, you need sha256sum for it to work. I just installed it via Entware-ng: opkg install coreutils-sha256sum
and lo and behold, it actually works. Mind you, if you are using PBR you have to route their server address, http://209.222.18.222, through the VPN.
Also, it only works the first 2 minutes the VPN is up!


I installed Entware on USB. I believe I installed sha256sum; not sure how to know that worked.
Ran the install script from PIA.
    https://www.privateinternetaccess.com/forum/discussion/23431/new-pia-port-forwarding-api
Code:
 pw@pw-MP8708:~$ ./port_forwarding.sh
Loading port forward assignment information...
Port forwarding is already activated on this connection, has expired, or you are not connected to a PIA region that supports port forwarding

I read on PIA comments on that page a lot of people were getting this message. Didn't read anything I understood about what to do about it. Any ideas?
BTW: not using PBR
BTW2: thanks egc for the help

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Thu Feb 08, 2018 0:27
Now that I've taken a closer look at it, there's not much to that script. All it really does is generate a random client id, pass it to their server via curl, and get returned a port #. So if it's not working, that doesn't speak well to its reliability.

And the fact you can only have one port forward is probably going to prove to be a significant limitation. It would just be easier to port forward over the WAN, as usual, using my own PBR scripts. No fuss, no muss.

I just think it's not practical to use the PIA approach. A lot of work for the sake of getting one port forward. And probably not reliable either.
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 1144
Location: Indiana

Posted: Thu Feb 08, 2018 0:46
I assume you are talking about the script found here:
    https://pastebin.com/EnscrGbH


Tried that before; I will give it another shot. Is there anything that needs changing for my individual settings? OpenVPN is set using port 502 TCP. IP of the PC is 192.168.1.145. Thanks

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Thu Feb 08, 2018 1:02
Before I end up sounding like just a naysayer on this project, let me explain something.

The whole reason for suggesting that users port forwarded over the VPN is because when a given local client is forced over the VPN (either because the default gateway on the router has been changed to the VPN, or due to PBR), any attempt to port forward to that same client via a GUI port forward (i.e., WAN) will fail, since the replies will be routed out over the VPN. That's a violation of the stateful firewall, which requires that for any given connection, packets in and out of the router must use the same network interface. So one way to deal with it is to port forward over the VPN instead.

IOW, for any client OFF the VPN, the port forward required is WAN in, WAN out. For any client ON the VPN, the port forward required is VPN in, VPN out. And of course since the GUI can't port forward over the VPN, we have to do it manually via iptables and scripting.

However, in most cases, configuring the VPN for port forwarding on the dd-wrt end of the tunnel is trivial. It's usually no more than a couple of lines of code, just firewall rules. And if you have multiple port forwards, you just repeat the process. No big deal. And easy to explain to an end-user.

But this approach by PIA, at least for me, is over the top. The idea that we're now going to get into optware/entware installation, making sure this script works, dealing w/ the constant complaints of only having one port available, etc., isn't worth it. The better approach is to use my advanced PBR script.

https://pastebin.com/nC27ETsp

What most ppl don't realize is that the script is much more than it appears to be at first glance. Besides implementing PBR (and at a much finer level of granularity than the GUI), and fixing various bugs the developers refuse to fix, the script *automatically* fixes the above port forwarding problem. Any packets that enter via the WAN or VPN (makes no difference) are marked such that the reply packets are forced back out over the same network interface. I designed it that way on purpose.

IOW, simply installing my advanced PBR script (you don't even have to use it for PBR purposes) fixes the problem. So why bother w/ all this other nonsense? And you don't have silly limitations like a single port forward. And you can use the GUI exclusively for your port forwards.

The only reason I don't tout this capability is because I would prefer NOT to force users to use a script, esp. one as large as mine, when we have alternatives. And normally port forwarding over the VPN is straightforward. But PIA has made this far too complicated. At least for the typical user. There's no way I'm going to recommend port forwarding over the VPN using the PIA script. Not when it's just so much easier to use my advanced PBR script.

Now if someone still wants to use the PIA approach, more power to them. But just understand, you don't need it. And using my own script provides a lot more flexibility. It's brain-dead simple compared to PIA. You just disable the PBR features, install the script, and it works.

(at least it was working last time I tested it)


Last edited by eibgrad on Thu Feb 08, 2018 2:26; edited 6 times in total
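The two pieces the last few posts describe, as one added shell example that is neither PIA's script nor eibgrad's PBR script: egc's note that the new API hands back a port number (and must be called within the first two minutes the tunnel is up), and eibgrad's point that a client already routed over the VPN needs a "VPN in, VPN out" forward written as iptables rules, because the GUI's port forwards are WAN-bound and replies leaving on a different interface than the request arrived on break the stateful firewall. The interface name tun1, the endpoint path (a placeholder built on the 209.222.18.222 address egc gives), the PF_APPLY switch and all function names are my assumptions; the JSON reply at the bottom is constructed from the format PIA's instructions show, and the 192.168.1.145:502 target is the one bushant mentions.

```shell
#!/bin/sh
# Added example (not PIA's script, not eibgrad's PBR script): parse a
# port-forward assignment such as PIA's {"port": NNNN} reply, validate it,
# and emit the dd-wrt firewall rules for a "VPN in, VPN out" port forward.
# Assumptions, not facts from the thread: the OpenVPN client interface is
# tun1 (dd-wrt's usual name), the API endpoint path is a placeholder, and
# rules are only printed unless PF_APPLY=1 is set.

PIA_PF_URL="${PIA_PF_URL:-http://209.222.18.222/PLACEHOLDER_PATH}"  # path is a placeholder
VPN_IF="${VPN_IF:-tun1}"

# Random client id for the assignment request (needs sha256sum, e.g. from
# Entware's coreutils-sha256sum on dd-wrt). Prints 64 hex characters.
pf_client_id() {
    head -c 100 /dev/urandom | sha256sum | cut -d' ' -f1
}

# Accept only a sane port number: digits only, 1..65535.
pf_valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Extract the numeric "port" field from a JSON reply. Prints the port and
# returns 0, or prints nothing and returns 1 when the reply is an error
# such as {"error":"Invalid parameter: local_ip "} or an out-of-range value.
pf_port_from_json() {
    port=$(printf '%s' "$1" | sed -n 's/.*"port"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    [ -n "$port" ] || return 1
    pf_valid_port "$port" || return 1
    printf '%s\n' "$port"
}

# Print the two rules dd-wrt needs on its end of the tunnel:
#  - DNAT packets arriving on the VPN interface for the assigned port to the
#    LAN host and service port;
#  - let that forwarded traffic through the FORWARD chain.
# Because the LAN host's default route (or PBR) already sends its traffic
# out over the VPN, replies leave on the same interface they arrived on,
# which is what the stateful firewall requires.
pf_rules() {
    vpn_if=$1; proto=$2; ext_port=$3; dst_ip=$4; dst_port=$5
    pf_valid_port "$ext_port" && pf_valid_port "$dst_port" || return 1
    printf 'iptables -t nat -I PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$vpn_if" "$proto" "$ext_port" "$dst_ip" "$dst_port"
    printf 'iptables -I FORWARD -i %s -p %s -d %s --dport %s -j ACCEPT\n' \
        "$vpn_if" "$proto" "$dst_ip" "$dst_port"
}

# Fetch an assignment with curl (the tool eibgrad says the new script uses);
# only succeeds within the first two minutes after the tunnel comes up.
pf_fetch_port() {
    reply=$(curl -s -m 10 "${PIA_PF_URL}?client_id=$(pf_client_id)") || return 1
    pf_port_from_json "$reply"
}

# Top level: dry run on a constructed reply, so the script is safe to run anywhere.
SAMPLE_REPLY='{ "port": 23423 }'   # constructed; mirrors the format PIA documents
if port=$(pf_port_from_json "$SAMPLE_REPLY"); then
    pf_rules "$VPN_IF" tcp "$port" 192.168.1.145 502 | while IFS= read -r rule; do
        if [ "${PF_APPLY:-0}" = 1 ]; then
            eval "$rule"      # apply on the router (firewall script), only when asked
        else
            echo "$rule"      # otherwise just show what would be installed
        fi
    done
fi
```

Run as-is it only prints the two rules for the 192.168.1.145:502 host; from a dd-wrt firewall script with PF_APPLY=1 it executes them, and swapping the constructed SAMPLE_REPLY for `pf_fetch_port` turns it into the live flow. The range check matters because the port is used unescaped inside an iptables command, so nothing but digits should ever reach it. The mark-and-route trick eibgrad describes, which makes ordinary WAN port forwards work for VPN-routed clients, is a separate mechanism and is not shown here.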
All times are GMT