Ok, I have spent several hours trying about everything I can think of with no success. But I have learned some about jffs and opt.
Are there any variables in either of the two methods that need changed for my specific setup?
I have tried jffs and opt, I have changed internal ip and internal port to about all possible combinations.
I tried the scripts in /opt/etc/init.d as something I read says it will look there anyway.
I tried the sha256sum method @egc was suggesting.
I probably did not understand that well enough.
I am able to get the new pia port forward api to return a port# although I am guessing these scripts make this unnecessary.
I quit screwing around in jffs after it became unwriteable and I got that fixed.
I have enabled and disabled port forwarding in nat>port forwarding and dmz. (enabling kills internet connection with vpn client enabled until router is rebooted. Not sure if this is a bug.)
As a side note I have come to the conclusion that vpn providers probably don't want this setup to work as it enables all clients to use the vpn and bypasses their device limits thereby reducing income. Can't say that I blame them.
Joined: 18 Mar 2014 Posts: 5920 Location: Netherlands
Posted: Mon Feb 12, 2018 17:14 Post subject:
Just wait till @Eibgrad finished his updated script. For that you do not need sha256sum.
You also do not need /jffs or /opt.
The script has to be placed in Administration/Commands Save as startup.
When the router starts everything is created.
I think that the description in the first lines is referring to an older build?
When I read the script I assumed it had to be placed in Administration/Commands and Saved as Startup and that is what I did and it worked
Joined: 18 Mar 2014 Posts: 5920 Location: Netherlands
Posted: Tue Feb 13, 2018 13:45 Post subject:
Many thanks, It is working.
One question, what exactly is the sed doing at the end of the script?
One remark, I used notepad++ for windows but that introduced <CR> and that played havoc to the script. That was probably the reason I could not call it from the startup command, just pasting it in the startup command worked because that seemded to strip the <CR>
Joined: 18 Mar 2014 Posts: 5920 Location: Netherlands
Posted: Tue Feb 13, 2018 14:49 Post subject:
As you've probably already noted, the script is actually two scripts. An outer script that creates the inner script. IOW, a script within a script. When executed, the outer script configures the inner script before placing it in /tmp/pia. The outer script then just falls away.
Notice the variables INTERNAL_IP and INTERNAL_PORT are defined in the outer script, when in fact they are used by the inner script. I do that so I can place those variables near the top, where the end-user would expect them, thus making them obvious and easy to modify. But that means I have to use sed at the end of the outer script to modified the inner script where those variables are actually used.
If I didn't do it this way, INTERNAL_IP and INTERNAL_PORT would be buried deep into the inner script, and the end-user would have to search for them.
It's just a design choice on my part to permit me to keep all end-user configuration changes in one place, near the top.
As far as notepad++, being a Windows app, I assume it default to Windows EOL chars. But that's incompatible w/ Linux. You need to make sure the current format in notepad++ is Unix/Linux before uploading the file.
Pasting to the startup script doesn't have this problem because the router is taking care of this for you.
FWIW, you can achieve similar results using Putty. Open a shell (telnet/ssh), then type "cat > /jffs/ddwrt-pia-port-forward.sh" (no quotes). The cursor will move to the far left, waiting for you to either type into the file, or paste. If you copy the file contents locally into the clipboard, you can either right-click or Shift-Insert to paste into the file. Then type Ctrl-C to close the file. Finally, mark it executable (chmod +x /jffs/ddwrt-pia-port-forward.sh). If you need to make minor changes on the router, use the vi editor (it pays to learn a few basic vi commands).
Got it going today after struggling yesterday with intermittent results. Think it had to do with entware on usb. I unplugged that and learned some vi and it took off here on my home setup (Kubuntu).
Tried it at the shop (which is where port forwarding is actually going to be needed on Ubuntu pc) this evening using Windows pc with no luck. I struggle with Windows. I had vnc connection for a few minutes then it quit and would not reconnect no matter what.I will switch to Ubuntu tomorrow and see what happens.
eibgrad: You have gone above and beyond with this. Be glad to send some dollars for your efforts. (I may not be done)
This post relates to PIA privateinternetaccess, DDWRT, transmission , portwoarding and OPENVPN
I am fairly new to this level of linux. It has taken me a while to work this all out from various snippets around the net. Interestingly the PIA forum was quite helpful and I was going to reply there but it's closed ! wow just one more hurdle. Linux and open source now seem immensely complicated but also immensely powerful. It seems you could do just about anything with it, and there is an infinite amount of ways to do things... anyway here is what I did and solved.
First the problems I solved.
-Simple Kill Switch
-Grabbing a forwarded port from PIA
-Insert the port into Transmission
-Limiting just Transmission to VPN while using PBR in OPENVPN, and get rest of net openwithout VPN.
Some problems I had to deal with.
-non persistent parts of DDWRT file system.
-OPENVPN not allowing traffic over the tunnel from directly run scripts from the OPENVPN binary
-peculiarities about the use of Captials in some things.
-stupid 2 minute limit to get a port with PIA
-complexity of Linux
-outdated documentation for some linux commands.
Overall, it was quite a nightmare to deal with. Anyway here is what I did hopefully it helps someone else.
I will add comments inside ## #as i go along#
#you should delete them when making scripts#
#if any of the /paths are different you will need to change them also, any missing binaries you will need to install with opkg with the relevant packages#
#I entered an ip address in the 'policy based routing' or PBR section of /services/openvpn tab. This put the vpn setup into that mode. Which limits just the vpn to that IP but we can add to it later#
#I have both JFFS and OPT setup. For some reason running stuff from opt at openvpn launch seemed to not work, but from jffs on router flash was fine.#
#I made a copy of /tmp/openvpncl/ to /jffs/openvpncl/.
use the cmd#
cp -a /tmp/openvpncl/* /jffs/openvpncl/
#i made a script at /jffs/portforward.sh it contained#
cp -a /jffs/openvpncl/* /tmp/openvpncl/
# this copies back the files to tmp. I added#
#to an empty line in "additional config" in /services/vpn tab at openvpn. This will execute that script when openvpn starts and makes tun1 it's tunnel dev#
#I edit the scipts in /jffs/openvpncl/. First the route-up.sh script. It ends up containing this#
# the particular lines I add to that are 'ip rule add from $ifconfig_local table 10' which makes the vpn local ip address routable via the vpn. Also 'sed -i 's/.*bind-address-ipv4.*/ "bind-address-ipv4": "'$ifconfig_local'",/' /tmp/mnt/sdb1/torrents/config/settings.json' which adds the local vpn ip to the bind address in transmissions config. Note transmission should be stopped for this. What this does is restrict transmission to the local vpn address, which is then restricted to the vpn. If the vpn goes down it has no where to go. If the vpn address changes and transmission remains confiqured to the wrong address it also has no where to go. There is a slight risk with this that somehow the address could be bound to nothing which would then allow transmission to traverse over the regular net. Adding an if statement or instead configuring for fix address could fix that. But I also use other things to killswitch transmission#
#lastly I add '/jffs/portforward1.sh' to execute the next script which somehow separates it from the openvn process allowing it to pass packets over the tunnel#
#I also add to route-down.sh which looks like this#
# the bottom 2 lines I added. The first 'killall transmission-daemon' kills transmission. The second 'sed -i 's/.*bind-address-ipv4.*/ "bind-address-ipv4": "192.168.168.168",/' /mnt/sdb1/torrents/config/settings.json' which writes a defunct address to transmission bind address. This all is kind of an extra killswitch, but you also need transmission stopped before the vpn restarts and runs all scripts again.#
#next script /jffs/portforward1.sh, simple I think this further separates from openvpn process. here it is.#
#next script /jffs/portforward2.sh, this is the business#
#line one loads transmission with -g for the config we have been editing and --paused so no torrents are going, extra safe if somehow script stuffs something and it can get to regular net. line 2 is a 15 second pause to allow open vpn to finish and pia servers to get ready to give a port.....Third line gets you a port and stores it in $port as just it's number. NOTE you will need to add your sha256sum where I say there you ain't getting mine or you could use a command as found elsewhere to generate one... I like it more simple well in my head it is.Forth(third) line is actual part of the third line ,posting edited it like that... Fifth(forth) line is just for testing the port is gotten by sending it to a text file because with the fifth line I had heaps of trouble. I tried using the sed command to alter the transmission setting file, but for some reason I just couldn't get it to work in the script, very weird. I had the transmission starting after it ran of course, with delays and I tried many different things.. none worked. in the end you have the fifth line which changes the port on a running transmission-daemon, hence it is started earlier. If you have an user pass set in transmission you will need to add that to line five.#
#Wow long and complicated but hopefully that helps someone#
#As said, this gives killswitch for transmission, just vpn to transmission and well actually any address you put in PBR but not sure about killswitch for them. Port is all working when transmission is bound on the local vpn ip, so port open test from remote will work fine. Torrents will seed and upload fine! Overall I am quite happy and most important it works. Enjoy!#
So, I'm new in PIA (just started, so I want to see if can works for me, I've 7days of try)
I'm trying to do this working (not yet reboot the router but I'll)
My actual configuration is:
Client running on router with suggested settings from pia
I redirect all vpn traffic only to one ip (NAS) I use egc's pbr script for this plus his dns leking prevenction
The NAS running transmission client and all others programs
Now I've some question about this script, because I think I not fully understand the script itself
I installed it like the pastebin say, run the command, but now I'm pretty confused
After a reboot, when the vpn connection is made, I'll find the port to the http://<router-ip>/user/pia/ext_port_forward.html, but I've to set this port inside transmission in my nas?
Reading the help seems that the port is used to make a forward from the pia port to the port I chose, so for example if I chose 12345 I "connect" the forward pia port to 12345, then I only need to set transmission to 12345 port. Am I right or I miss some?
I saw that pia use a more "intelligent" server selection, I only select the region. I think in this way if the server I'm connected go down, a new one from the same region came up, but what about the port? I've to do some?
And what about if the connection go down (a modem problem) then came up again, so the router have to make a new pia connection, I've to use a watchdog script or there's a constant check to see if the forward port is right?
Sorry for this questions, is pretty new for me this, I want to understand what I've to do.
Transmission is over another pc, and Transmission is set to use UPnP.
Tried with 54321 port inside transmission:
Then, without restart transmission, I only changed the port to 80
The image is not english but is pretty clear, with 54321 give error, and with 80 the port is open
Here some settings from the router gui
With suggestion of egc, I disabled the UPnP but same results
This's my actual firewall rules inside the dd-wrt gui:
iptables -I FORWARD -s 10.0.0.100/32 -o $(nvram get wan_iface) -m state --state NEW -j REJECT
iptables -t nat -A POSTROUTING -o $(nvram get wan_iface) -j MASQUERADE
Can be here the problem?
When you use the defaults for the local port forward (no --ip argument, no --port argument), can you access the router's GUI? If so, that means at least the port forward works, in general.
Do you mean to edit the ddwrt-pia-port-forward.startup and modify this
/jffs/etc/config/ddwrt-pia-port-forward.sh --ip 10.0.0.100 --port 54321 --debug
Sorry if I don't know much about iptables and routin.