Anyone have DD-WRT, PIA openvpn, and port forwarding working

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3988
Location: Netherlands

Posted: Mon Feb 12, 2018 17:14
Just wait till @Eibgrad has finished his updated script. For that you do not need sha256sum.
You also do not need /jffs or /opt.
The script has to be placed in Administration/Commands and saved as Startup.
When the router starts everything is created.
I think that the description in the first lines is referring to an older build?
When I read the script I assumed it had to be placed in Administration/Commands and saved as Startup, and that is what I did and it worked.

Be sure to enable syslog

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Mon Feb 12, 2018 18:26
Changes w/ v0.2.0:

https://pastebin.com/P9nmpyxh

- You no longer need sha256sum, therefore optware/entware is NOT required if only for the reason of obtaining access to the sha256sum executable.

- Once a 256 bit hash is created for the client_id, it's made persistent using nvram. So unless you manually delete it for some reason, you'll use the same hash/token indefinitely. And that may make things easier because so far the same hash/token seems to make the external port persistent as well. But so far I've been getting the same VPN public IP. Not sure if it will be the same port should I get a different VPN public IP. That's why I publish the external public IP and port to the webserver.

- By default, w/ no script changes at all, just executed as-is, it will port forward to your router over ssl/tls (port 443). That's only going to work, of course, if you enable HTTPS on the LAN side of the router. But as always, you can change it to anything you like.

The script should normally be *saved* to /jffs, then *called* from /jffs by adding the following to the startup script.

Code:
/jffs/ddwrt-pia-port-forward.sh


If you *want* to place the entire script into the startup script, you can, provided there's enough nvram. As a rule, however, because I'm leery about putting large amounts of code into nvram, I recommend you don't. If you should exceed available nvram space, it either won't save it, may truncate it, or in the worst case, reset your router to factory defaults and reboot the router (rare, but I have seen it happen, to me).

If you're the experimental type, you can compress the script before adding to /jffs or directly to the startup script using the following script.

https://pastebin.com/vXfWLnPe

While it does cut down the size of the script dramatically, it's also very difficult to read at that point, and therefore to edit. So always maintain a copy of the UNcompressed version.

As always, make sure to read the instructions in the script. I place them there to avoid not so obvious problems if you do things incorrectly. For example, the port forward can't be accessed from the same public IP as the public IP that established the OpenVPN client connection to PIA in the first place. You have to be outside your WAN, perhaps on the cellular network w/ a smartphone, a neighbor's wifi, etc.
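An added example, not eibgrad's script from the pastebin: the two pieces of his v0.2.0 design that matter most for safety, a client_id token that is generated once and kept in nvram, and strict parsing of the port reply so that an error message from PIA is never turned into a firewall rule. Assumed for this example: busybox sh on DD-WRT, the nvram variable name pia_client_id, tun1 as the tunnel interface, the 1024 lower bound on an acceptable port, and the PIA endpoint address that portsup posts later in this thread.

```shell
#!/bin/sh
# Added example (not eibgrad's script): persistent PIA client_id in nvram plus
# strict parsing of the port-assignment reply.
# Assumptions: busybox sh on DD-WRT, "nvram get/set/commit" available, the
# OpenVPN client interface is tun1, and the PIA port endpoint address is the
# one quoted elsewhere in this thread.

NVRAM_KEY="pia_client_id"              # assumed name for the nvram variable
PIA_PF_URL="http://209.222.18.222:2000/"
VPN_IF="tun1"

# 64 hex chars = 256 bits from the kernel RNG; od is part of busybox.
new_client_id() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Return the stored token, creating and committing one on first use so the
# same token (and, per the thread, the same external port) is reused across
# reboots.
get_client_id() {
    id="$(nvram get "$NVRAM_KEY" 2>/dev/null)"
    if [ -z "$id" ]; then
        id="$(new_client_id)"
        nvram set "$NVRAM_KEY=$id" && nvram commit
    fi
    printf '%s\n' "$id"
}

# Extract the port from a reply such as {"port":45993}. Prints nothing and
# returns 1 unless the value is a plausible forwarded port (1024..65535 is an
# assumed bound), so a reply like {"error":"..."} never reaches iptables.
parse_port() {
    p="$(printf '%s' "$1" | sed -n 's/.*"port"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')"
    case "$p" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$p" -ge 1024 ] && [ "$p" -le 65535 ] || return 1
    printf '%s\n' "$p"
}

# Ask PIA for the port over the tunnel only (never over the WAN) and log the
# result to syslog, which is what the thread tells you to keep enabled.
request_port() {
    reply="$(curl -s --max-time 10 --interface "$VPN_IF" \
        "${PIA_PF_URL}?client_id=$(get_client_id)")"
    port="$(parse_port "$reply")" || { logger -t pia-pf "bad reply: $reply"; return 1; }
    logger -t pia-pf "external port $port on $VPN_IF"
    printf '%s\n' "$port"
}

# request_port    # uncomment on the router
```

Because the token is read back from nvram on every boot, deleting the variable (nvram unset and commit) is the only way to get a new identity, which matches the "same hash/token indefinitely" behaviour described above.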
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Tue Feb 13, 2018 3:03
P.S. I opened a PIA account just to get this working, but plan to close it on Friday to get my money back. If you have any issues, concerns, enhancement requests, whatever, NOW is the time to ask!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3988
Location: Netherlands

Posted: Tue Feb 13, 2018 13:45
Many thanks, It is working.
One question, what exactly is the sed doing at the end of the script?

One remark, I used notepad++ for Windows but that introduced <CR> and that played havoc with the script. That was probably the reason I could not call it from the startup command; just pasting it in the startup command worked because that seemed to strip the <CR>.

Again many thanks, I learned a lot from it.

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Tue Feb 13, 2018 14:18
As you've probably already noted, the script is actually two scripts. An outer script that creates the inner script. IOW, a script within a script. When executed, the outer script configures the inner script before placing it in /tmp/pia. The outer script then just falls away.

Notice the variables INTERNAL_IP and INTERNAL_PORT are defined in the outer script, when in fact they are used by the inner script. I do that so I can place those variables near the top, where the end-user would expect them, thus making them obvious and easy to modify. But that means I have to use sed at the end of the outer script to modify the inner script where those variables are actually used.

If I didn't do it this way, INTERNAL_IP and INTERNAL_PORT would be buried deep into the inner script, and the end-user would have to search for them.

It's just a design choice on my part to permit me to keep all end-user configuration changes in one place, near the top.

As far as notepad++, being a Windows app, I assume it defaults to Windows EOL chars. But that's incompatible w/ Linux. You need to make sure the current format in notepad++ is Unix/Linux before uploading the file.

Pasting to the startup script doesn't have this problem because the router is taking care of this for you.

FWIW, you can achieve similar results using Putty. Open a shell (telnet/ssh), then type "cat > /jffs/ddwrt-pia-port-forward.sh" (no quotes). The cursor will move to the far left, waiting for you to either type into the file, or paste. If you copy the file contents locally into the clipboard, you can either right-click or Shift-Insert to paste into the file. Then type Ctrl-C to close the file. Finally, mark it executable (chmod +x /jffs/ddwrt-pia-port-forward.sh). If you need to make minor changes on the router, use the vi editor (it pays to learn a few basic vi commands).
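The outer/inner layout and the CRLF problem from this post, as an added example that is not eibgrad's script: user settings stay at the top, an inner script is generated from a template and patched with sed, and a check refuses a file with Windows line endings instead of letting it fail silently at boot. The paths and function names (INNER, make_inner, has_crlf, strip_crlf, install_inner) and the placeholder tokens are assumptions for the example.

```shell
#!/bin/sh
# Added example, not eibgrad's script: the "script within a script" layout
# (settings at the top, inner script generated and patched with sed) plus a
# check for the Windows line endings that broke egc's copy.
# Names, paths and the @IP@/@PORT@ placeholders are assumptions.

# --- end-user settings, kept together at the top -------------------------
INTERNAL_IP="192.168.1.1"             # where the forwarded port should land
INTERNAL_PORT="443"                   # HTTPS on the router's LAN side, as in v0.2.0
INNER="${INNER:-/tmp/pia/inner.sh}"   # assumed location for the inner script

# Write the inner script with placeholders, then substitute the real values
# with sed so the user never has to hunt for them inside the inner script.
make_inner() {
    out="$1"; ip="$2"; port="$3"
    mkdir -p "$(dirname "$out")"
    cat > "$out" <<'EOF'
#!/bin/sh
# generated file: edit the settings in the outer script instead
TARGET_IP="@IP@"
TARGET_PORT="@PORT@"
echo "would forward the PIA external port to $TARGET_IP:$TARGET_PORT"
EOF
    sed "s/@IP@/$ip/; s/@PORT@/$port/" "$out" > "$out.tmp" && mv "$out.tmp" "$out"
    chmod +x "$out"
}

# True if the file contains carriage returns (CRLF line endings). Such a
# file does not run from startup because "#!/bin/sh<CR>" names an
# interpreter that does not exist; pasting into the GUI strips the CRs.
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# Convert a file to Unix line endings in place.
strip_crlf() {
    tmp="$1.tmp"
    tr -d '\r' < "$1" > "$tmp" && mv "$tmp" "$1"
}

# Boot-time install step: refuse a CRLF copy of this very file with a clear
# message rather than failing silently, then generate the inner script.
install_inner() {
    if has_crlf "$0"; then
        echo "$0 has CRLF line endings; fix it with: tr -d '\\r' < $0 > fixed.sh" >&2
        return 1
    fi
    make_inner "$INNER" "$INTERNAL_IP" "$INTERNAL_PORT"
}
```

The same has_crlf check is a useful first step whenever a script copied from a Windows machine "does nothing" on the router: the error from a bad shebang is rarely visible in the startup path.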
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3988
Location: Netherlands

Posted: Tue Feb 13, 2018 14:49
eibgrad wrote:
As you've probably already noted, the script is actually two scripts. An outer script that creates the inner script. IOW, a script within a script. When executed, the outer script configures the inner script before placing it in /tmp/pia. The outer script then just falls away.

Notice the variables INTERNAL_IP and INTERNAL_PORT are defined in the outer script, when in fact they are used by the inner script. I do that so I can place those variables near the top, where the end-user would expect them, thus making them obvious and easy to modify. But that means I have to use sed at the end of the outer script to modify the inner script where those variables are actually used.

If I didn't do it this way, INTERNAL_IP and INTERNAL_PORT would be buried deep into the inner script, and the end-user would have to search for them.

It's just a design choice on my part to permit me to keep all end-user configuration changes in one place, near the top.

As far as notepad++, being a Windows app, I assume it defaults to Windows EOL chars. But that's incompatible w/ Linux. You need to make sure the current format in notepad++ is Unix/Linux before uploading the file.

Pasting to the startup script doesn't have this problem because the router is taking care of this for you.

FWIW, you can achieve similar results using Putty. Open a shell (telnet/ssh), then type "cat > /jffs/ddwrt-pia-port-forward.sh" (no quotes). The cursor will move to the far left, waiting for you to either type into the file, or paste. If you copy the file contents locally into the clipboard, you can either right-click or Shift-Insert to paste into the file. Then type Ctrl-C to close the file. Finally, mark it executable (chmod +x /jffs/ddwrt-pia-port-forward.sh). If you need to make minor changes on the router, use the vi editor (it pays to learn a few basic vi commands).


Thanks, that clears it up. Great job.

I found out that WinSCP can also be used to make a file and edit it without the Windows trouble; it can also be used to make it executable.

bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 1182
Location: Indiana

Posted: Wed Feb 14, 2018 1:42
Give a monkey a crayon and he will eventually draw a picture!
Regarding:
Got it going today after struggling yesterday with intermittent results. Think it had to do with entware on USB. I unplugged that and learned some vi and it took off here on my home setup (Kubuntu).
Tried it at the shop (which is where port forwarding is actually going to be needed, on an Ubuntu PC) this evening using a Windows PC, with no luck. I struggle with Windows. I had a VNC connection for a few minutes, then it quit and would not reconnect no matter what. I will switch to Ubuntu tomorrow and see what happens.

eibgrad: You have gone above and beyond with this. Be glad to send some dollars for your efforts. (I may not be done)

_________________
SUPPORTED DEVICES -- DON'T USE ROUTER DATABASE!
--IMPORTANT UPGRADE INFORMATION--Stubby DoT thread STUBBY install guide
Qualcomm-Atheros:
R7800 x2 kongat & BS WDS AP & Sta- R7500V2 BS std WDS STA- WNDR3700v4 BS std WDS STA- Nanostation M2 AirOS- LocoM2 AirOS
Broadcom:
R6200v2 kongac WLAN Repeater Archer C9 v1 OEM WAP

DDWRT Policy Based Routing guide by egc
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Wed Feb 14, 2018 2:00
Knowing I only had a limited time to access PIA, I decided to create a Tomato version as well.

https://pastebin.com/zkDfbTEJ

The two environments are similar enough that it wasn't too tough. Biggest difference is that Tomato supports *two* OpenVPN clients, so I had to add extra code to detect which client was PIA, and make some adjustments.

I figure eventually someone over in the Tomato forum ( http://linksysinfo.org/index.php?forums/tomato-firmware.33/ ) will ask for it. So now is the time.

I may fiddle a bit here and there w/ both scripts until Friday when I close the PIA account.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Wed Feb 14, 2018 4:03
bushant wrote:
Give a monkey a crayon and he will eventually draw a picture!
Regarding:
Got it going today after struggling yesterday with intermittent results. Think it had to do with entware on USB. I unplugged that and learned some vi and it took off here on my home setup (Kubuntu).
Tried it at the shop (which is where port forwarding is actually going to be needed, on an Ubuntu PC) this evening using a Windows PC, with no luck. I struggle with Windows. I had a VNC connection for a few minutes, then it quit and would not reconnect no matter what. I will switch to Ubuntu tomorrow and see what happens.

eibgrad: You have gone above and beyond with this. Be glad to send some dollars for your efforts. (I may not be done)


I don't understand why you're having so much trouble. All the action takes place on the router. As long as it's running w/o errors, it should just work, irrespective of the particular client.

Now it may be that PIA's end of the tunnel isn't very stable, or perhaps bandwidth limited. When I tested my RealVNC client, the best I saw was a measly 188Kbps! Often much less. At least as measured by RealVNC. So even if it works, I'm not sure it's a good long-term solution. The WAN may prove to be more realistic.
portsup
DD-WRT User


Joined: 20 Oct 2018
Posts: 59

Posted: Sat Oct 20, 2018 15:20
This post relates to PIA (privateinternetaccess), DD-WRT, Transmission, port forwarding and OpenVPN.

I am fairly new to this level of linux. It has taken me a while to work this all out from various snippets around the net. Interestingly the PIA forum was quite helpful and I was going to reply there but it's closed ! wow just one more hurdle. Linux and open source now seem immensely complicated but also immensely powerful. It seems you could do just about anything with it, and there is an infinite amount of ways to do things... anyway here is what I did and solved.

First the problems I solved.

- Simple kill switch
- Grabbing a forwarded port from PIA
- Inserting the port into Transmission
- Limiting just Transmission to the VPN while using PBR in OpenVPN, and keeping the rest of the net open without VPN.

Some problems I had to deal with.
- non-persistent parts of the DD-WRT file system.
- OpenVPN not allowing traffic over the tunnel from scripts run directly by the OpenVPN binary
- peculiarities about the use of capitals in some things.
- stupid 2 minute limit to get a port with PIA
- complexity of Linux
- missing binaries
- outdated documentation for some Linux commands.

Overall, it was quite a nightmare to deal with. Anyway here is what I did hopefully it helps someone else.

I will add comments inside ## #as I go along#
#you should delete them when making scripts#
#if any of the /paths are different you will need to change them also; any missing binaries you will need to install with opkg with the relevant packages#

#I entered an ip address in the 'policy based routing' or PBR section of /services/openvpn tab. This put the vpn setup into that mode. Which limits just the vpn to that IP but we can add to it later#

#I have both JFFS and OPT setup. For some reason running stuff from opt at openvpn launch seemed to not work, but from jffs on router flash was fine.#

#I made a copy of /tmp/openvpncl/ to /jffs/openvpncl/.
use the cmd#

Code:
mkdir -p /jffs/openvpncl
cp -a  /tmp/openvpncl/* /jffs/openvpncl/


#i made a script at /jffs/portforward.sh it contained#

Code:

#!/bin/sh
cp -a  /jffs/openvpncl/* /tmp/openvpncl/


# this copies back the files to tmp. I added#

Code:

up /jffs/portforward.sh


#to an empty line in "additional config" in the /services/vpn tab at openvpn. This will execute that script when openvpn starts and makes tun1 its tunnel dev#

#I edit the scripts in /jffs/openvpncl/. First the route-up.sh script. It ends up containing this#

Code:
#!/bin/sh
iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE
iptables -I POSTROUTING -t nat -o tun1 -j MASQUERADE
iptables -D INPUT -i tun1 -j ACCEPT
iptables -D FORWARD -i tun1 -j ACCEPT
iptables -D FORWARD -o tun1 -j ACCEPT
iptables -I INPUT -i tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -j ACCEPT
iptables -I FORWARD -o tun1 -j ACCEPT
for IP in `cat /tmp/openvpncl/policy_ips` ; do
    ip rule add from $IP table 10
done
# added: make the VPN-side local address itself routable through the tunnel
ip rule add from $ifconfig_local table 10
ip route add default via $route_vpn_gateway table 10
ip route flush cache
echo $ifconfig_remote >>/tmp/gateway.txt
echo $route_vpn_gateway >>/tmp/gateway.txt
echo $ifconfig_local >>/tmp/gateway.txt
# added: bind Transmission to the VPN local address (transmission-daemon must be stopped first)
sed -i 's/.*bind-address-ipv4.*/    "bind-address-ipv4": "'$ifconfig_local'",/' /tmp/mnt/sdb1/torrents/config/settings.json
stopservice dnsmasq -f
startservice dnsmasq -f
cat /tmp/resolv.dnsmasq > /tmp/resolv.dnsmasq_isp
env | grep 'dhcp-option DNS' | awk '{ print "nameserver " $3 }' > /tmp/resolv.dnsmasq
cat /tmp/resolv.dnsmasq_isp >> /tmp/resolv.dnsmasq
sleep 2
touch /tmp/resolv.dnsmasq
# added: hand off to a separate script so its traffic can use the tunnel
/jffs/portforward1.sh


# the particular lines I add to that are 'ip rule add from $ifconfig_local table 10' which makes the vpn local ip address routable via the vpn. Also 'sed -i 's/.*bind-address-ipv4.*/ "bind-address-ipv4": "'$ifconfig_local'",/' /tmp/mnt/sdb1/torrents/config/settings.json' which adds the local vpn ip to the bind address in transmission's config. Note transmission should be stopped for this. What this does is restrict transmission to the local vpn address, which is then restricted to the vpn. If the vpn goes down it has nowhere to go. If the vpn address changes and transmission remains configured to the wrong address it also has nowhere to go. There is a slight risk with this that somehow the address could be bound to nothing, which would then allow transmission to traverse over the regular net. Adding an if statement or instead configuring for a fixed address could fix that. But I also use other things to killswitch transmission#

#lastly I add '/jffs/portforward1.sh' to execute the next script, which somehow separates it from the openvpn process allowing it to pass packets over the tunnel#

#I also add to route-down.sh which looks like this#

Code:
#!/bin/sh
iptables -D INPUT -i tun1 -j ACCEPT
iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE
ip route flush table 10
# added: stop Transmission and point its bind address at an address nothing answers on
killall transmission-daemon
sed -i 's/.*bind-address-ipv4.*/    "bind-address-ipv4": "192.168.168.168",/' /mnt/sdb1/torrents/config/settings.json


# the bottom 2 lines I added. The first 'killall transmission-daemon' kills transmission. The second 'sed -i 's/.*bind-address-ipv4.*/ "bind-address-ipv4": "192.168.168.168",/' /mnt/sdb1/torrents/config/settings.json' which writes a defunct address to transmission bind address. This all is kind of an extra killswitch, but you also need transmission stopped before the vpn restarts and runs all scripts again.#

#next script /jffs/portforward1.sh, simple I think this further separates from openvpn process. here it is.#

Code:
#!/bin/sh

/jffs/portforward2.sh &

exit 0



#next script /jffs/portforward2.sh, this is the business#

Code:
#!/bin/sh
# start Transmission paused, using the config edited by route-up.sh
/opt/bin/transmission-daemon --paused -g /tmp/mnt/sdb1/torrents/config
# give OpenVPN and the PIA servers time to settle before asking for a port
sleep 15
# ask PIA for the forwarded port over the tunnel and keep just the number
port=$(curl --interface tun1 "http://209.222.18.222:2000/?client_id=#insertyour sha256sum from calc here#" 2>/dev/null | awk -F ':' '{ print $2 }'| awk -F '}' '{ print $1 }')
echo "$port" > /tmp/port.txt
# set the peer port on the running daemon (add -n user:pass if RPC auth is enabled)
/opt/bin/transmission-remote 192.168.3.1 -p "$port"


#https://pastebin.com/zaiv6Fks careful, the port= line is very long and my post splits it into 2, so use pastebin#

#line one loads transmission with -g for the config we have been editing and --paused so no torrents are going, extra safe if somehow the script stuffs something up and it can get to the regular net. Line 2 is a 15 second pause to allow openvpn to finish and the PIA servers to get ready to give a port..... Third line gets you a port and stores it in $port as just its number. NOTE you will need to add your sha256sum where I say there, you ain't getting mine, or you could use a command as found elsewhere to generate one... I like it more simple, well in my head it is. Fourth (third) line is actually part of the third line, posting edited it like that... Fifth (fourth) line is just for testing that the port is gotten, by sending it to a text file, because with the fifth line I had heaps of trouble. I tried using the sed command to alter the transmission settings file, but for some reason I just couldn't get it to work in the script, very weird. I had transmission starting after it ran of course, with delays, and I tried many different things.. none worked. In the end you have the fifth line which changes the port on a running transmission-daemon, hence it is started earlier. If you have a user/pass set in transmission you will need to add that to line five.#


#Wow, long and complicated, but hopefully that helps someone#

#As said, this gives a killswitch for transmission, just VPN to transmission and, well, actually any address you put in PBR, but not sure about a killswitch for them. The port is all working when transmission is bound on the local vpn ip, so a port open test from remote will work fine. Torrents will seed and upload fine! Overall I am quite happy and most important it works. Enjoy!#

Sorry for so long.
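The "if statement" portsup mentions as a fix for the bind-address risk, as an added example that is not part of his scripts: the VPN local address is validated before it is written into settings.json, and on any unexpected value Transmission is pointed at the unroutable sink address from his route-down.sh instead of being left bound to nothing. The settings path, the function names and the route_up_hook wrapper are assumptions for the example.

```shell
#!/bin/sh
# Added example, not portsup's scripts: validate $ifconfig_local before
# writing it into Transmission's settings.json; on anything unexpected fall
# back to the sink address from route-down.sh so the daemon cannot listen
# on every interface. Paths and function names are assumptions.

SETTINGS="${SETTINGS:-/tmp/mnt/sdb1/torrents/config/settings.json}"
SINK_IP="192.168.168.168"     # address nothing answers on, as in the thread

# Accept only a dotted-quad IPv4 address with each octet in 0..255 and
# reject 0.0.0.0, which would make Transmission listen on all interfaces
# and defeat the point of binding it to the tunnel.
valid_bind_ip() {
    ip="$1"
    case "$ip" in
        0.0.0.0) return 1 ;;
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Rewrite the bind-address-ipv4 line (same sed as in the thread) but only
# after validation. Returns 1 and leaves the file untouched on a bad address.
set_bind_ip() {
    file="$1"; ip="$2"
    valid_bind_ip "$ip" || return 1
    sed "s/.*\"bind-address-ipv4\".*/    \"bind-address-ipv4\": \"$ip\",/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Prints "bound" when the VPN address was accepted, "sink" when the file was
# pointed at the dead address instead (the caller should then not start the
# daemon, exactly as route-down.sh stops it).
apply_vpn_bind() {
    file="$1"; ip="$2"
    if set_bind_ip "$file" "$ip"; then
        echo "bound"
    else
        set_bind_ip "$file" "$SINK_IP"
        echo "sink"
    fi
}

# Read back the configured address for a post-start sanity check.
current_bind_ip() {
    sed -n 's/.*"bind-address-ipv4": *"\([^"]*\)".*/\1/p' "$1"
}

# What route-up.sh would call; $ifconfig_local is exported by OpenVPN.
route_up_hook() {
    apply_vpn_bind "$SETTINGS" "$ifconfig_local"
}
```

Checking current_bind_ip after the daemon starts, and refusing to start it at all when apply_vpn_bind prints "sink", turns the "slight risk" above into a hard stop rather than a silent leak.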
Chryses
DD-WRT User


Joined: 27 Jun 2018
Posts: 99

Posted: Wed Jun 26, 2019 21:01
Hi, I discovered this thanks to egc!

So, I'm new to PIA (just started, so I want to see if it can work for me; I've 7 days of trial)

I'm trying to get this working (I haven't rebooted the router yet, but I will)

My current configuration is:
Client running on the router with the settings suggested by PIA
I redirect all VPN traffic only to one IP (NAS); I use egc's PBR script for this plus his DNS leak prevention
The NAS runs the Transmission client and all other programs

Now I have some questions about this script, because I think I don't fully understand the script itself

I installed it like the pastebin says and ran the command, but now I'm pretty confused

After a reboot, when the VPN connection is made, I'll find the port at http://<router-ip>/user/pia/ext_port_forward.html, but do I have to set this port inside Transmission on my NAS?
Reading the help, it seems that the port is used to make a forward from the PIA port to the port I chose, so for example if I chose 12345 I "connect" the forwarded PIA port to 12345, and then I only need to set Transmission to port 12345. Am I right or am I missing something?

I saw that PIA uses a more "intelligent" server selection, I only select the region. I think this way if the server I'm connected to goes down, a new one from the same region comes up, but what about the port? Do I have to do something?

And what if the connection goes down (a modem problem) and then comes up again, so the router has to make a new PIA connection? Do I have to use a watchdog script, or is there a constant check to see if the forwarded port is right?

Sorry for these questions, this is pretty new for me and I want to understand what I have to do.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Wed Jun 26, 2019 22:57
Chryses wrote:
I installed it like the pastebin says and ran the command, but now I'm pretty confused

After a reboot, when the VPN connection is made, I'll find the port at http://<router-ip>/user/pia/ext_port_forward.html, but do I have to set this port inside Transmission on my NAS?
Reading the help, it seems that the port is used to make a forward from the PIA port to the port I chose, so for example if I chose 12345 I "connect" the forwarded PIA port to 12345, and then I only need to set Transmission to port 12345. Am I right or am I missing something?


Yes. Just like establishing a port forward on the WAN using the GUI, you have to tell it what's the local IP and local port to which the port forward (via the external port over the VPN provided by PIA) needs to be directed. That's completely up to you and the needs of your application. By default, and mostly for demonstration purposes, the script defaults to the router and the GUI (port 80).

Quote:
I saw that PIA uses a more "intelligent" server selection, I only select the region. I think this way if the server I'm connected to goes down, a new one from the same region comes up, but what about the port? Do I have to do something?

And what if the connection goes down (a modem problem) and then comes up again, so the router has to make a new PIA connection? Do I have to use a watchdog script, or is there a constant check to see if the forwarded port is right?

Sorry for these questions, this is pretty new for me and I want to understand what I have to do.


PIA has made this ridiculously complex. And even *I* can't tell you the answer to all these *good* questions. They limit the port forward to specific servers, and don't tell you if you will consistently get the same external port number, esp. if you change servers. Again, all good questions, but PIA doesn't provide any information in this regard, as far as I know.

All I can tell you is anecdotal. During testing, as long as I used the same token (and the script saves the token it generates on your behalf to nvram), I always got the same external port. However, I don't recall what happens if the server changes, and you use the same token. That's something you'll just have to try and find out.

Again, the whole thing is ridiculous and needlessly complex, which then creates all these good questions, which only PIA can answer. As the script developer, I can't test every scenario, and every what-if. Esp. when I don't even have a PIA account (I only opened up a trial version for 30 days during development). But if you find any problems, let me know, and if I can change the script to make it work better, I will.

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh
Chryses
DD-WRT User


Joined: 27 Jun 2018
Posts: 99

Posted: Thu Jun 27, 2019 13:32
Ok thanks. I tried but I think I did some bad configuration.

My router is 10.0.0.1 and my NAS is 10.0.0.100
Transmission is configured with port 54321

So I configured ddwrt-pia-port-forward.startup to have
/jffs/etc/config/ddwrt-pia-port-forward.sh --ip 10.0.0.100 --port 54321 --debug

But if I test the port from Transmission, I get an error, port closed

I've made no change to ddwrt-pia-port-forward.sh
to any BEGIN OPTIONS available, so the internal port is
INTERNAL_PORT="80"

The funny thing is that if I put port 80 inside Transmission (without rebooting anything) I get the port open

PS, I don't have to put the script in the Startup field on the router, right?

What am I missing?
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Thu Jun 27, 2019 14:08
Chryses wrote:
Ok thanks. I tried but I think I did some bad configuration.

My router is 10.0.0.1 and my NAS is 10.0.0.100
Transmission is configured with port 54321

So I configured ddwrt-pia-port-forward.startup to have
/jffs/etc/config/ddwrt-pia-port-forward.sh --ip 10.0.0.100 --port 54321 --debug

But if I test the port from Transmission, I get an error, port closed

I've made no change to ddwrt-pia-port-forward.sh
to any BEGIN OPTIONS available, so the internal port is
INTERNAL_PORT="80"

The funny thing is that if I put port 80 inside Transmission (without rebooting anything) I get the port open


Sounds correct. The settings in the Options section are just defaults that get overridden by anything on the command line passed as arguments.

Quote:
PS, I don't have to put the script in the Startup field on the router, right?


Correct. The whole point of providing the outside/wrapper script w/ the extension .startup is to have the router automatically start the script upon reboot, which then calls the inner/wrapped script (.sh) w/ your preferred arguments.

What you can do is enable debugging mode (--debug), which it seems you've already done, reboot, then post the syslog (filtered by grep to keep it manageable) to pastebin so I can see what happened.

Code:
cat /var/log/messages | grep ddwrt-pia

Chryses
DD-WRT User


Joined: 27 Jun 2018
Posts: 99

Posted: Thu Jun 27, 2019 16:32
Yep, all clear.

So to me it seems all OK, but take a look yourself.
The log is here https://pastebin.com/jwJ8FWPh

Consider that:
Transmission is on another PC, and Transmission is set to use UPnP.
Tried with port 54321 inside Transmission:

Then, without restarting Transmission, I only changed the port to 80

The image is not in English but it is pretty clear: with 54321 it gives an error, and with 80 the port is open

Here are some settings from the router GUI

Thanks, Jo

UPDATE:
On egc's suggestion, I disabled UPnP but got the same results

These are my current firewall rules inside the dd-wrt GUI:
Code:
iptables -I FORWARD -s 10.0.0.100/32 -o $(nvram get wan_iface) -m state --state NEW -j REJECT
iptables -t nat -A POSTROUTING -o $(nvram get wan_iface) -j MASQUERADE

Can the problem be here?

Code:
root@DD-WRT:~# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 7172 packets, 702K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  tun1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:45993 to:10.0.0.100:54321
    0     0 DNAT       udp  --  tun1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:45993 to:10.0.0.100:54321
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            192.168.1.50        to:10.0.0.1
  608 49300 TRIGGER    0    --  *      *       0.0.0.0/0            192.168.1.50        TRIGGER type:dnat match:0 relate:0

Chain INPUT (policy ACCEPT 989 packets, 66203 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 634 packets, 44852 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 191 packets, 31340 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3588  262K MASQUERADE  0    --  *      tun1    0.0.0.0/0            0.0.0.0/0
 1018  202K SNAT       0    --  *      eth0    10.0.0.0/24          0.0.0.0/0           to:192.168.1.50
    0     0 MASQUERADE  0    --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x80000000/0x80000000
  603 40241 MASQUERADE  0    --  *      eth0    0.0.0.0/0            0.0.0.0/0
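As an added example, not something posted in the thread: a check that reads the same kind of iptables -t nat -vnL listing shown above (a trimmed copy of the PREROUTING chain is embedded as sample input) and reports each DNAT rule on the tunnel interface with its target and packet count. Two DNAT rules with zero packets, as in the listing, mean the forward is installed but nothing has reached it, which is the first thing to confirm before looking elsewhere. The function names and the VPN_IF setting are assumptions; the column positions come from the header row of -vnL output.

```shell
#!/bin/sh
# Added example, not from the thread: read "iptables -t nat -vnL" output and
# report DNAT rules on the tunnel interface together with their hit counts.
# Function names are assumptions; the sample listing is a trimmed copy of the
# PREROUTING chain posted above.

VPN_IF="tun1"

# Sample listing (constructed from the post) used by check_sample.
SAMPLE='Chain PREROUTING (policy ACCEPT 7172 packets, 702K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  tun1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:45993 to:10.0.0.100:54321
    0     0 DNAT       udp  --  tun1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:45993 to:10.0.0.100:54321
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            192.168.1.50        to:10.0.0.1'

# Reads a -vnL listing on stdin and prints "proto ext_port target pkts" for
# every DNAT rule whose "in" column is the given interface.
# Columns: pkts bytes target prot opt in out source destination [extras...]
dnat_rules_on() {
    awk -v ifc="$1" '
        $3 == "DNAT" && $6 == ifc {
            port = ""; to = ""
            for (i = 10; i <= NF; i++) {
                if ($i ~ /^dpt:/) port = substr($i, 5)
                if ($i ~ /^to:/)  to   = substr($i, 4)
            }
            print $4, port, to, $1
        }'
}

# Reads a listing on stdin; prints one line per forward on the interface
# that has matched no packets at all and returns 1 if there were any.
unhit_forwards() {
    dnat_rules_on "$1" | awk '
        $4 == 0 { found = 1; print "no traffic yet:", $1, "port", $2, "->", $3 }
        END { exit found ? 1 : 0 }'
}

# Run the check over the embedded sample; on a router you would pipe
# "iptables -t nat -vnL" into unhit_forwards instead.
check_sample() {
    printf '%s\n' "$SAMPLE" | unhit_forwards "$VPN_IF"
}
```

Read the counters twice a minute or so apart while testing from outside the WAN: a rule whose count stays at zero during a test means the packets are not arriving on the tunnel, so the question is on the PIA side or in the test itself, not in the LAN-side forward.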