Anyone have DD-WRT, PIA openvpn, and port forwarding working

Chryses
DD-WRT User


Joined: 27 Jun 2018
Posts: 99

PostPosted: Fri Jun 28, 2019 7:14    Post subject: Reply with quote
So, after a lot of reboots, I changed the server to Germany and let it go overnight
Code:
root@DD-WRT:~# iptables -t nat -vnL PREROUTING && iptables -vnL FORWARD | head -n20
Chain PREROUTING (policy ACCEPT 93436 packets, 7420K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  tun1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:43876 to:10.0.0.100:54321
    0     0 DNAT       udp  --  tun1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:43876 to:10.0.0.100:54321
    1    40 DNAT       tcp  --  tun1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:45993 to:10.0.0.100:54321
    0     0 DNAT       udp  --  tun1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:45993 to:10.0.0.100:54321
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            192.168.1.50        to:10.0.0.1
 2286  185K TRIGGER    0    --  *      *       0.0.0.0/0            192.168.1.50        TRIGGER type:dnat match:0 relate:0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  tun1   *       0.0.0.0/0            10.0.0.100          tcp dpt:54321
6740K 5124M ACCEPT     udp  --  tun1   *       0.0.0.0/0            10.0.0.100          udp dpt:54321
2498K  215M ACCEPT     0    --  *      tun1    0.0.0.0/0            0.0.0.0/0
 690K  680M ACCEPT     0    --  tun1   *       0.0.0.0/0            0.0.0.0/0
    2    84 ACCEPT     tcp  --  tun1   *       0.0.0.0/0            10.0.0.100          tcp dpt:54321
 194K  153M ACCEPT     udp  --  tun1   *       0.0.0.0/0            10.0.0.100          udp dpt:54321
  517 44613 REJECT     0    --  *      eth0    10.0.0.100           0.0.0.0/0           state NEW reject-with icmp-port-unreachable
2298K 3212M ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     47   --  *      eth0    10.0.0.0/24          0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      eth0    10.0.0.0/24          0.0.0.0/0           tcp dpt:1723
  451  110K ACCEPT     0    --  tun2   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  *      tun2    0.0.0.0/0            0.0.0.0/0
37373 5892K lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0
16667 3405K ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 TRIGGER    0    --  eth0   br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
20706 2487K trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 TRIGGER    0    --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  0    --  eth1   *       0.0.0.0/0            0.0.0.0/0


There are packets going through UDP this time, but when I do a port check it's always closed
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6154
Location: Netherlands

PostPosted: Fri Jun 28, 2019 8:27    Post subject: Reply with quote
Just a thought:
(disclaimer: I do not use Transmission)
Could it be that Transmission advertises the port you entered? That port is not open; it is the external PIA port which is open.

If you get the same PIA port after connecting (when using the same hash) maybe you should enter that in Transmission (and in the script) so that the port number is not changed but only forwarded?

BTW the duplicate entries are strange, although it indicates the script reran (unfortunately with a different external port).
I know @eibgrad always takes great care in removing earlier entries if the script reruns.
Not a big problem, the script will work, but it is not up to @eibgrad's usual standard :)

For port scanning use: https://www.ipfingerprints.com/portscan.php

Edit: when I have some more time later this week I will set up port forwarding from PIA, I have an account, but at the moment I am in the summer residence, so busy doing nothing :D

EDIT 2:
Once the option is set, please connect to one of the following port forwarding enabled gateways:

CA Toronto
CA Montreal
CA Vancouver
Czech Republic
DE Berlin
DE Frankfurt
France
Israel
Romania
Spain
Switzerland
Sweden

_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Server setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Wireguard Client setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624
Wireguard Advanced setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Chryses
DD-WRT User


Joined: 27 Jun 2018
Posts: 99

PostPosted: Fri Jun 28, 2019 9:44    Post subject: Reply with quote
All is possible. With https://www.ipfingerprints.com/portscan.php I have to check the PIA address, right?

See here, the port is 43876 (from ipfingerprints)

Code:
Host is up (0.015s latency).

PORT      STATE         SERVICE
43876/tcp open          unknown
43876/udp open|filtered unknown


Yep, I'm under DE right now!

These are my next tests, let me know if they make sense:

1. No port or IP inside the startup, so if I point to the PIA VPN address I should land on the router main page. Right?

2. I want to use my laptop IP inside the startup, so I want to try to install Transmission on the laptop to see if something changes
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6154
Location: Netherlands

PostPosted: Fri Jun 28, 2019 10:26    Post subject: Reply with quote
Chryses wrote:
All is possible. With https://www.ipfingerprints.com/portscan.php I have to check the PIA address, right?

See here, the port is 43876 (from ipfingerprints)

Code:
Host is up (0.015s latency).

PORT      STATE         SERVICE
43876/tcp open          unknown
43876/udp open|filtered unknown


Yep, I'm under DE right now!

These are my next tests, let me know if they make sense:

1. No port or IP inside the startup, so if I point to the PIA VPN address I should land on the router main page. Right?

2. I want to use my laptop IP inside the startup, so I want to try to install Transmission on the laptop to see if something changes


Port appears open.
If you do not enter anything the external port is forwarded to 192.168.1.1:80, so you should get to your router's GUI.

One more thing: disable SFE on the setup page, there have been problems with forwarding UDP

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6154
Location: Netherlands

PostPosted: Fri Jun 28, 2019 11:57    Post subject: Reply with quote
I just tested with PIA Romania.

Used the script without anything, so basically forwarding the external port to 192.168.1.1:80

AND: ..... got my login page and could enter the router's GUI from PIA IP Romania:80.

I am at the moment behind a residential gateway without any means for port forwarding and was going to use this to get to my VPN server and to the cameras on my network.

Next step is to get DDNS working

I did disable SFE. There are problems with SFE forwarding UDP traffic, I have run some tests for @quarkysg and @BS and it should work in the last BS build, I am still on a Kong build which does not have the commit yet

Chryses
DD-WRT User


Joined: 27 Jun 2018
Posts: 99

PostPosted: Fri Jun 28, 2019 13:02    Post subject: Reply with quote
Later I'll make more tests but for now I only did this

PIA client on my PC, then connected to a Swiss server with port forward enabled, then I installed Transmission on the PC and configured the port that PIA says, checked the status and the port is open!

Like I said, later I'll do some more tests.

Btw, I disabled SFE even if in the PIA guide it is enabled, I'm on the latest Kong for R7800
These are my DNS settings


And this is the basic setup


And the additional config for the OpenVPN client
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6154
Location: Netherlands

PostPosted: Fri Jun 28, 2019 13:55    Post subject: Reply with quote
As this router is in gateway mode you'd better keep the gateway and local DNS on the setup page empty (0.0.0.0).
Chryses
DD-WRT User


Joined: 27 Jun 2018
Posts: 99

PostPosted: Fri Jun 28, 2019 15:35    Post subject: Reply with quote
I'm on the latest Transmission, I can compile the old one, not a problem. What do you suggest for a client? I use Radarr and Sonarr so not all clients are good, with Transmission I can set seeding time and ratio from Radarr or Sonarr.
I can try another client and see what happens.

BTW Transmission uses the port I indicate like other P2P clients, if it's opened it's better
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6154
Location: Netherlands

PostPosted: Fri Jun 28, 2019 16:15    Post subject: Reply with quote
What you can try:
Look at the external port number you get from PIA.
Set that port number in the script.
Set that port number in Transmission.

So you are using the same external and internal port number.

I am counting on the fact that you get the same external port every time you connect.

Transmission is in this case advertising and using the external port.

Maybe it will work then?

Normally Transmission is running on the router and you can in that case start Transmission with the external port number.
Chryses
DD-WRT User


Joined: 27 Jun 2018
Posts: 99

PostPosted: Fri Jun 28, 2019 19:48    Post subject: Reply with quote
eibgrad wrote:
Is Transmission itself on the VPN? IOW, is it configured to use the VPN for initiating outbound connections? If not, then perhaps it's using the WAN, then advertising its remote access as WAN_IP + PIA external port, which would be incorrect.


The NAS is at 10.0.0.100 and all connections go only over the VPN with these firewall rules on DD-WRT:
Code:
iptables -I FORWARD -s 10.0.0.100/32 -o $(nvram get wan_iface) -m state --state NEW -j REJECT
iptables -t nat -A POSTROUTING -o $(nvram get wan_iface) -j MASQUERADE

So from the NAS over ssh:
Code:
$ curl ipinfo.io/ip
185.220.70.134

This is the actual ext_port_forward.html
Code:
Fri Jun 28 20:32:18 CEST 2019: PIA external port forward: 185.220.70.134 : 43876


After this I have to say that
egc wrote:
What you can try:
Look at the external port number you get from PIA.
Set that port number in the script.
Set that port number in Transmission.
does the trick, see now:
Code:
root@DD-WRT:~# iptables -t nat -vnL PREROUTING && iptables -vnL FORWARD | head -n20
Chain PREROUTING (policy ACCEPT 7261 packets, 592K bytes)
 pkts bytes target     prot opt in     out     source               destination
  194 11024 DNAT       tcp  --  tun1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:43876 to:10.0.0.100:43876
   89  9008 DNAT       udp  --  tun1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:43876 to:10.0.0.100:43876
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            192.168.1.50        to:10.0.0.1
  161 14185 TRIGGER    0    --  *      *       0.0.0.0/0            192.168.1.50        TRIGGER type:dnat match:0 relate:0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 768K  846M ACCEPT     tcp  --  tun1   *       0.0.0.0/0            10.0.0.100          tcp dpt:43876
  405 27636 ACCEPT     udp  --  tun1   *       0.0.0.0/0            10.0.0.100          udp dpt:43876
 467K  442M ACCEPT     0    --  *      tun1    0.0.0.0/0            0.0.0.0/0
 101K  131M ACCEPT     0    --  tun1   *       0.0.0.0/0            0.0.0.0/0
 1074 87045 REJECT     0    --  *      eth0    10.0.0.100           0.0.0.0/0           state NEW reject-with icmp-port-unreachable
 462K  574M ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     47   --  *      eth0    10.0.0.0/24          0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      eth0    10.0.0.0/24          0.0.0.0/0           tcp dpt:1723
    0     0 ACCEPT     0    --  tun2   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  *      tun2    0.0.0.0/0            0.0.0.0/0
 4795  789K lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0
 2750  550K ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 TRIGGER    0    --  eth0   br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
 2045  239K trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 TRIGGER    0    --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  0    --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  eth1   *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 TRIGGER    0    --  eth0   ath0    0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0

I'm not an expert at all, to me it seems that now the 2 "same" ports are in communication and before, even if the port was the same, it was like they were in 2 different "universes" :P
The only thing I can add is that on my NAS I have this rule inside /etc/network/interfaces
Code:
## static ip config START ##
        up /sbin/ip route add 10.8.0.0/24 via 10.0.0.1 dev bond0
        down /sbin/ip route delete 10.8.0.0/24 via 10.0.0.1 dev bond0
## static ip config END ##


Any idea about this?
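A consistency check for the two states shown in this thread (stale duplicate DNAT rules left by a script rerun, and a client whose peer-port differs from the port PIA actually opened), written as an added example that is not part of the thread or of @eibgrad's script. The iptables listings and the ext_port_forward.html content are constructed samples shaped like the output quoted above; the 54321 peer-port is taken from the "before" listing.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the thread's "before" output of
# `iptables -t nat -vnL PREROUTING`: a second script run added forwards for a new
# external port without removing the old ones, and everything lands on 10.0.0.100:54321.
SAMPLE_BEFORE = """\
Chain PREROUTING (policy ACCEPT 93436 packets, 7420K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  tun1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:43876 to:10.0.0.100:54321
    0     0 DNAT       udp  --  tun1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:43876 to:10.0.0.100:54321
    1    40 DNAT       tcp  --  tun1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:45993 to:10.0.0.100:54321
    0     0 DNAT       udp  --  tun1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:45993 to:10.0.0.100:54321
"""
# Constructed sample in the shape of the "after" output: one external port, same port inside.
SAMPLE_AFTER = """\
Chain PREROUTING (policy ACCEPT 7261 packets, 592K bytes)
 pkts bytes target     prot opt in     out     source               destination
  194 11024 DNAT       tcp  --  tun1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:43876 to:10.0.0.100:43876
   89  9008 DNAT       udp  --  tun1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:43876 to:10.0.0.100:43876
"""
# Constructed copy of the one-line page the router serves as ext_port_forward.html.
SAMPLE_PAGE = "Fri Jun 28 20:32:18 CEST 2019: PIA external port forward: 185.220.70.134 : 43876"

# One tcp/udp DNAT line of `iptables -t nat -vnL`: pkts bytes DNAT proto opt in out src dst match
DNAT_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+\S+\s+DNAT\s+(?P<proto>tcp|udp)\s+--\s+(?P<iface>\S+)"
    r"\s+\S+\s+\S+\s+\S+\s+(?:tcp|udp) dpt:(?P<ext>\d+) to:(?P<ip>[\d.]+):(?P<int>\d+)"
)


def parse_dnat(output):
    """Return the tcp/udp DNAT rules of a PREROUTING listing as dicts."""
    rules = []
    for line in output.splitlines():
        m = DNAT_RE.match(line)
        if m:
            rules.append({"pkts": int(m["pkts"]), "proto": m["proto"], "iface": m["iface"],
                          "ext": int(m["ext"]), "ip": m["ip"], "int": int(m["int"])})
    return rules


def pia_port(page):
    """The page ends with '<ip> : <port>', so the last run of digits is the PIA port."""
    nums = re.findall(r"\d+", page)
    return int(nums[-1]) if nums else None


def check_forward(output, page, peer_port, vpn_iface="tun1"):
    """Compare the router's DNAT rules with the PIA port and the client's peer-port.

    Returns human-readable findings; an empty list means the forward is consistent:
    one external port only, tcp and udp, entering on the VPN interface, and the
    client listening on (and therefore advertising) that same port.
    """
    ext = pia_port(page)
    if ext is None:
        return ["no port found in ext_port_forward.html; is the PIA client connected?"]
    findings = []
    by_ext = defaultdict(list)
    for r in parse_dnat(output):
        by_ext[r["ext"]].append(r)
    for port, rules in sorted(by_ext.items()):
        if port != ext:  # leftover from an earlier run that got a different port
            hits = sum(r["pkts"] for r in rules)
            findings.append(f"stale DNAT for external port {port} ({hits} pkts); PIA now gives "
                            f"{ext}, the script reran without removing the old rules")
    current = by_ext.get(ext, [])
    for proto in ("tcp", "udp"):
        if not any(r["proto"] == proto for r in current):
            findings.append(f"missing {proto} DNAT for current PIA port {ext}")
    for r in current:
        if r["iface"] != vpn_iface:
            findings.append(f"{r['proto']} DNAT for {ext} matches on {r['iface']}, not {vpn_iface}")
    if peer_port != ext:  # the mismatch egc diagnosed: the client tells peers an unreachable port
        findings.append(f"client peer-port is {peer_port} but only {ext} is open at PIA: "
                        f"peers are told a port nobody can reach; set peer-port to {ext}")
    return findings
```

Feed it the real `iptables -t nat -vnL PREROUTING` output, the router page and the `peer-port` from settings.json to get the same verdicts for a live setup.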
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6154
Location: Netherlands

PostPosted: Sat Jun 29, 2019 16:37    Post subject: Reply with quote
It looks like there is activity on the PIA external port, is Transmission working?

About the static route on your NAS, I am not sure what that could be for.
Just a theory:
You have a VPN server running on your router with 10.8.0.0/24 and if you want to reach your NAS via the VPN server and you have a VPN client running on your NAS, you might need that static route, otherwise the packets coming from the VPN server on your router will be routed out via the VPN client on the NAS and that will not work, hence the necessary static route.

Just a theory, are you not running a VPN client on your NAS?

The firewall rules on your router are the kill switch for the NAS and the routing of the VPN server connections out via the internet. Looks good to me :)
Chryses
DD-WRT User


Joined: 27 Jun 2018
Posts: 99

PostPosted: Sat Jun 29, 2019 20:05    Post subject: Reply with quote
egc wrote:
It looks like there is activity on the PIA external port, is Transmission working?

About the static route on your NAS, I am not sure what that could be for.
Just a theory:
You have a VPN server running on your router with 10.8.0.0/24 and if you want to reach your NAS via the VPN server and you have a VPN client running on your NAS, you might need that static route, otherwise the packets coming from the VPN server on your router will be routed out via the VPN client on the NAS and that will not work, hence the necessary static route.

Just a theory, are you not running a VPN client on your NAS?

The firewall rules on your router are the kill switch for the NAS and the routing of the VPN server connections out via the internet. Looks good to me :)


All correct! I have a client and a server on the router, and when I connect from outside to the server I want to access the NAS, which is the only one under the PIA VPN.

Glad to hear that the rules are right, in part thanks to you!

Any idea why I have to put the same port for forwarding?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6154
Location: Netherlands

PostPosted: Sun Jun 30, 2019 11:53    Post subject: Reply with quote
I do not use Transmission but I guess it is advertising its port to the internet, but this is a different port from what PIA gives you and hence it will not work because the port Transmission advertises is not open.

Luckily PIA gives you the same port when using the same client id, so once you know it you enter that port in Transmission.

But not a foolproof solution.

What you can do is, on your NAS which is Linux based (judging by your static route), make a script which queries the html page on the router with the port PIA has opened for you (as defined by the script from @eibgrad) and then start Transmission from the CLI of your router with this port.

Make a loop to check every 60 seconds or so and if altered kill Transmission and start it again with the new port.

Can be done with a few lines of code.

If you get it working please publish it for further use :)
(state your NAS)

I am not at home so cannot test anything but I have a QNAP 453 Pro which can use scripts like this without a problem
Chryses
DD-WRT User


Joined: 27 Jun 2018
Posts: 99

PostPosted: Sun Jun 30, 2019 16:52    Post subject: Reply with quote
egc wrote:
I do not use Transmission but I guess it is advertising its port to the internet, but this is a different port from what PIA gives you and hence it will not work because the port Transmission advertises is not open.

Luckily PIA gives you the same port when using the same client id, so once you know it you enter that port in Transmission.

But not a foolproof solution.

What you can do is, on your NAS which is Linux based (judging by your static route), make a script which queries the html page on the router with the port PIA has opened for you (as defined by the script from @eibgrad) and then start Transmission from the CLI of your router with this port.

Make a loop to check every 60 seconds or so and if altered kill Transmission and start it again with the new port.

Can be done with a few lines of code.

If you get it working please publish it for further use :)
(state your NAS)

I am not at home so cannot test anything but I have a QNAP 453 Pro which can use scripts like this without a problem


You're right! I also have a Qnap 269L, but I removed the Qnap system and installed Debian 8)

So for now, till @eibgrad finds a better solution (if one exists), when Transmission is on another machine one extra step is needed, so I made this little sh script to check and change the actual Transmission port according to the PIA one.

WHAT DOES THIS SCRIPT DO?
The purpose of this script is to run on a remote machine that holds transmission-daemon; it simply checks if Transmission is active, then checks the PIA port from the router and, if different, stops Transmission, changes the port, then restarts Transmission

REQUISITES:
jq (apt install jq)
transmission start/stop with systemd
some basic Linux skills

SCRIPT:
Code:
#!/bin/bash
# Keep transmission-daemon's peer-port in sync with the PIA forwarded port that
# the router publishes in ext_port_forward.html (written by @eibgrad's script).

SERVICE="transmission-daemon.service"
PIA_EXT_PORT="http://10.0.0.1/user/pia/ext_port_forward.html"
TRANSMISSION_SETTINGS="/home/muletto/.config/transmission-daemon/settings.json"

TMP_PATH="/tmp"
TMP_LOCK_FILE="$TMP_PATH/${0##*/}.lock"

LOG_PATH="/var/log/nas-script"
LOG_ENABLE=0
LOG_FILE="$LOG_PATH/${0##*/}.log"

log() { # append a line to the log file, only when logging is enabled
   [[ "$LOG_ENABLE" == "1" ]] && echo "$*" >> "$LOG_FILE"
}

if [[ "$LOG_ENABLE" == "1" ]]; then
   mkdir -p "$LOG_PATH"
   [[ -w "$LOG_FILE" ]] || touch "$LOG_FILE"
fi

log "########## $(date) ##########"

if [[ -e "$TMP_LOCK_FILE" ]]; then # a previous run is still restarting the service
   log "lock file $TMP_LOCK_FILE exists, another run is in progress"
   exit 0
fi

if ! systemctl is-active --quiet "$SERVICE"; then
   log "service is not active"
   exit 0
fi
log "service is active ..."

# the page ends with "<ip> : <port>", so the last run of digits is the PIA port
PIA_PORT=$(curl -sf "$PIA_EXT_PORT" | grep -o '[0-9]*' | tail -n1)

if [[ -z "$PIA_PORT" ]]; then
   log "I can't find the PIA port from $PIA_EXT_PORT, make sure that it exists and is reachable"
   exit 1
fi

# -r prints the bare number; peer-port is stored in settings.json as a JSON number
ACTUAL_TRANSMISSION_PORT=$(jq -r '."peer-port"' "$TRANSMISSION_SETTINGS")

if [[ "$ACTUAL_TRANSMISSION_PORT" == "$PIA_PORT" ]]; then # nothing to do
   log "Transmission port is already the good one, nothing to do, see you later!"
   exit 0
fi

log "Transmission port is $ACTUAL_TRANSMISSION_PORT, PIA port is $PIA_PORT, I'll change it"
touch "$TMP_LOCK_FILE"
trap 'rm -f "$TMP_LOCK_FILE"' EXIT # the lock goes away however the script ends

# stop first: transmission-daemon rewrites settings.json on shutdown and would
# overwrite an edit made while it is running
systemctl stop "$SERVICE"
sleep 1

# --argjson keeps the port a number; --arg would write the string "43876", which
# Transmission does not read back and which would never compare equal above
TMP_JSON="$TMP_PATH/settings.$$.json"
if jq --argjson NEW_PORT "$PIA_PORT" '."peer-port" = $NEW_PORT' "$TRANSMISSION_SETTINGS" > "$TMP_JSON"; then
   mv "$TMP_JSON" "$TRANSMISSION_SETTINGS"
else
   log "jq failed, settings.json left untouched"
   rm -f "$TMP_JSON"
fi

systemctl start "$SERVICE"
sleep 1


Before starting this script please:
1. Specify the correct SERVICE, in my case it is "transmission-daemon.service"
2. Set the right PIA_EXT_PORT, in my case the DD-WRT router is at 10.0.0.1
3. Set the right TRANSMISSION_SETTINGS, where is the settings.json of Transmission?
4. If you need a log, set LOG_ENABLE to 1 and adjust LOG_PATH to your desired path
5. Then download the script, make it executable and place it wherever you prefer
6. Cronize this script in order to execute it every minute or so

This is a very basic script, I'm not a programmer so maybe it can be improved! Any suggestion is appreciated
Chryses
DD-WRT User


Joined: 27 Jun 2018
Posts: 99

PostPosted: Sun Jun 30, 2019 20:18    Post subject: Reply with quote
Like I always said I'm not so expert, maybe what I'm going to say makes no sense, so tell me if my thoughts are wrong.

1. Can it be a simple Kong firmware bug?

2. To me it seems that there's a missing connection from the PIA port to the Transmission port. But it seems quite strange even to me, who am not an expert, because I see this situation:
Router -> open all connections from this ip:port piapublicip:piaport to this internal PC nasip:port
Sounds good to me, and maybe there's a problem here! Can it be?
Maybe if I disable the kill switch? But if I disable it how can I be sure that all traffic goes over the VPN?
But one thing I can't understand:
If I need to forward a port to use a service like Transmission:
a. I use UPnP (never had a problem with it). I disabled it (egc's suggestion)
b. I manually go to port forwarding and add a rule (I already tried in the past)

I can try another client for testing purposes, like Deluge or qBittorrent or others, just to see if the problem is my machine or whatever. Do you want me to try another client on the NAS?
Do you think that I can try to:
Modify your script and bypass all this:
Code:
    # create internal ports forwards (udp and tcp)
    _ipt -t nat -I PREROUTING -i tun1 -p udp --dport $ext_port \
        -j DNAT --to $INTERNAL_IP:$INTERNAL_PORT
    _ipt -I FORWARD -i tun1 -p udp -d $INTERNAL_IP \
        --dport $INTERNAL_PORT -j ACCEPT
    _ipt -t nat -I PREROUTING -i tun1 -p tcp --dport $ext_port \
        -j DNAT --to $INTERNAL_IP:$INTERNAL_PORT
    _ipt -I FORWARD -i tun1 -p tcp -d $INTERNAL_IP \
        --dport $INTERNAL_PORT -j ACCEPT

Then I take the PIA port and manually add a port-forward rule from the PIA port to nas:port?

But in this way, how can I force the "tun1"???

Any other ideas?