Anyone have DD-WRT, PIA openvpn, and port forwarding working

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5920
Location: Netherlands

PostPosted: Mon Jul 01, 2019 10:54    Post subject:
Just my take:

With a normal port forward you know what port is open because you set it yourself.

So for transmission you set a port forward in your router i.e. 54321, then that port is open and in transmission you set this port.

Transmission advertises this port to the outside world and it is working because that is the port which is open.

But with PIA you do not know the port which is opened for you that is the problem IMHO.

Luckily @eibgrads script publishes the external port to the routers webpage and @Chryses can retrieve it from there.

I am struggling with more or less the same problem: I want to connect to my VPN server via my PIA VPN client (I have to, because I am behind a residential gateway).

To connect to my VPN server via the PIA VPN I have to know the port which PIA has opened for me. The script translates the open port to my VPN server's 1194, but if I do not know the open port (and the external IP address, of course) I cannot reach the VPN server.

So as far as I know I must have the external IP address (that is already done by DDNS) and I have to know the external port which is opened for me.

I am contemplating using two DDNS accounts, one for the external IP and one for the external port.

I have created two accounts on no-ip.com, one to update the external IP and one to update the external PIA port.

Unfortunately it will only accept IP addresses, so I must update no-ip.com by disguising the PIA port as an IP address (PIA always sets a 5-digit port number) with:
Code:
# split the 5-digit port ABCDE into AB.CD.E.0 (the last group is one character)
PIAPORT_IP="${PIAPORT:0:2}.${PIAPORT:2:2}.${PIAPORT:4:1}.0"


and extract the port number from the IP with:
Code:
# strip the dots and keep the first five characters (awk positions start at 1, not 0)
PIAPORT2=$(echo "${PIAPORT_IP//.}" | awk '{print substr($0, 1, 5)}')


Question to you:
Am I on the right track?
Is this feasible?
Any other suggestions, is no-ip.com a good DDNS provider?

At home I use afraid.org, is this better?

@eibgrad, before I start ruining your script with my feeble coding attempt, can you (will you) make this a more general solution (advertising the external port)?
Or perhaps you can come up with a better plan?

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard server setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Wireguard client setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624
Wireguard Advanced setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
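The port-as-IP-address trick above, as an added example (mine, not egc's code or eibgrad's script): two POSIX sh functions, `port_to_ip` and `ip_to_port`, that validate the value in both directions. Compared with the one-liners, the decoder reads the octets as numbers, so it still recovers the port if the DDNS provider stores 10.03.4.0 as 10.3.4.0, and neither direction accepts something that is not a port. Function names and the sample port are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: encode a 5-digit PIA port as a dotted
# quad that a DDNS provider will accept, and decode it again. Function names are
# my own; PIAPORT / PIAPORT_IP in the post correspond to the arguments here.

# port_to_ip PORT -> "AB.CD.E.0" for the 5-digit port ABCDE; fails on anything
# that is not a port in 10000..65535 (PIA's assignments are five digits).
port_to_ip() {
    printf '%s\n' "$1" | awk '
        /^[1-9][0-9][0-9][0-9][0-9]$/ && $0 <= 65535 {
            printf "%s.%s.%s.0\n", substr($0, 1, 2), substr($0, 3, 2), substr($0, 5, 1)
            exit 0
        }
        { exit 1 }'
}

# ip_to_port A.B.C.D -> the port A*1000 + B*10 + C. Reading the octets as
# numbers means a provider that stores "10.03.4.0" as "10.3.4.0" still decodes
# to 10034; a real address such as 192.168.1.50 is rejected instead of being
# turned into a nonsense port.
ip_to_port() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
            p = $1 * 1000 + $2 * 10 + $3
            if (p >= 10000 && p <= 65535 && $2 < 100 && $3 < 10) { print p; exit 0 }
        }
        { exit 1 }'
}

# roundtrip_ok PORT: sanity check worth running before trusting a DDNS record.
roundtrip_ok() {
    [ "$(ip_to_port "$(port_to_ip "$1")")" = "$1" ]
}

# Usage on the router (constructed value; PIAPORT would normally come from the
# PIA port-forward script):
#   PIAPORT=43876
#   PIAPORT_IP=$(port_to_ip "$PIAPORT") && roundtrip_ok "$PIAPORT" && echo "$PIAPORT_IP"
```

Whoever reads the port back from DNS should run it through `ip_to_port` rather than trusting the raw record: a stale or tampered DDNS entry then fails closed instead of pointing the client at a random port.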
Chryses
DD-WRT User


Joined: 27 Jun 2018
Posts: 99

PostPosted: Mon Jul 01, 2019 11:26    Post subject:
My question is:
Why won't the script's port forwarding work if the client is on another device?
It has to work! Directly connect the PIA port to an ip:port over the LAN.

Later I'll try to bypass all the iptables rules from the script and make a manual port forward from the GUI; I want to see if it works.

For now the solution to get the port from the router page is quite good, maybe not the best or most elegant one, but for now it does the trick!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5920
Location: Netherlands

PostPosted: Mon Jul 01, 2019 16:58    Post subject:
@eibgrad thanks for your excellent assessment of this situation.

I will have a look at the PIA website again; a quick search only gives these links:

https://www.privateinternetaccess.com/helpdesk/kb/articles/can-i-use-port-forwarding-without-using-the-pia-client

https://www.htpcguides.com/configure-auto-port-forward-pia-vpn-for-transmission/

The first one just covers how to retrieve the port number and the second article how to start Transmission with this retrieved external port number, exactly as @Chryses is doing now.

I am using PIA and there is no mention of the forwarded port if I login to my account, but I will look further and report.

Thanks for all your work, but if someone is up to the challenge it is you :)

Chryses
DD-WRT User


Joined: 27 Jun 2018
Posts: 99

PostPosted: Mon Jul 01, 2019 17:04    Post subject:
I made some tests!
The configuration is always the same:
Router -> 10.0.0.1
Nas -> 10.0.0.100
PIA port -> 43876

1.
UPnP -> Enabled
eibgrad script -> Disabled
Transmission port 43876 -> Closed
Results:
Code:
root@DD-WRT:~# iptables -t nat -vnL PREROUTING && iptables -vnL FORWARD | head -n20
Chain PREROUTING (policy ACCEPT 3365 packets, 312K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            192.168.1.50        udp dpt:51413 to:10.0.0.100:51413
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.1.50        tcp dpt:51413 to:10.0.0.100:51413
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            192.168.1.50        udp dpt:43876 to:10.0.0.100:43876
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.1.50        tcp dpt:43876 to:10.0.0.100:43876
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            192.168.1.50        to:10.0.0.1
  102 13625 TRIGGER    0    --  *      *       0.0.0.0/0            192.168.1.50        TRIGGER type:dnat match:0 relate:0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10  2927 ACCEPT     udp  --  *      *       0.0.0.0/0            10.0.0.100          udp dpt:51413
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.100          tcp dpt:51413
26515   33M ACCEPT     udp  --  *      *       0.0.0.0/0            10.0.0.100          udp dpt:43876
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.100          tcp dpt:43876
23446 1941K ACCEPT     0    --  *      tun1    0.0.0.0/0            0.0.0.0/0
 8850 5910K ACCEPT     0    --  tun1   *       0.0.0.0/0            0.0.0.0/0
  123  8562 REJECT     0    --  *      eth0    10.0.0.100           0.0.0.0/0           state NEW reject-with icmp-port-unreachable
82072  105M ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     47   --  *      eth0    10.0.0.0/24          0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      eth0    10.0.0.0/24          0.0.0.0/0           tcp dpt:1723
    0     0 ACCEPT     0    --  tun2   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  *      tun2    0.0.0.0/0            0.0.0.0/0
 1536  366K lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0
  832  213K ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 TRIGGER    0    --  eth0   br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
  704  153K trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 TRIGGER    0    --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  0    --  eth1   *       0.0.0.0/0            0.0.0.0/0


Notes:
Port 51413 always comes from Transmission; I don't know why, but via UPnP Transmission also asks for this port, at least in this test.

2.
UPnP -> Enabled
eibgrad script -> Disabled
Transmission port 6666 -> Timeout, no connection, it seems that the kill-switch blocks it
Results:
Code:
root@DD-WRT:~# iptables -t nat -vnL PREROUTING && iptables -vnL FORWARD | head -n20
Chain PREROUTING (policy ACCEPT 4077 packets, 287K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            192.168.1.50        udp dpt:6666 to:10.0.0.100:6666
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.1.50        tcp dpt:6666 to:10.0.0.100:6666
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            192.168.1.50        to:10.0.0.1
   41  1894 TRIGGER    0    --  *      *       0.0.0.0/0            192.168.1.50        TRIGGER type:dnat match:0 relate:0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.0.0.100          udp dpt:6666
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.100          tcp dpt:6666
    0     0 REJECT     0    --  *      eth0    10.0.0.100           0.0.0.0/0           state NEW reject-with icmp-port-unreachable
93733  123M ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     47   --  *      eth0    10.0.0.0/24          0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      eth0    10.0.0.0/24          0.0.0.0/0           tcp dpt:1723
    0     0 ACCEPT     0    --  tun2   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  *      tun2    0.0.0.0/0            0.0.0.0/0
 8870  741K lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0
  556  162K ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 TRIGGER    0    --  eth0   br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
 8314  579K trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 TRIGGER    0    --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  0    --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  eth1   *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 TRIGGER    0    --  eth0   ath0    0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  0    --  ath0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  ath0   *       0.0.0.0/0            0.0.0.0/0           state NEW


3.
UPnP -> Disabled
eibgrad script -> Enabled on 54321
Transmission port 54321 -> Closed
Results:
Code:
root@DD-WRT:~# iptables -t nat -vnL PREROUTING && iptables -vnL FORWARD | head -n20
Chain PREROUTING (policy ACCEPT 3236 packets, 272K bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   572 DNAT       tcp  --  tun1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:43876 to:10.0.0.100:54321
   13  1286 DNAT       udp  --  tun1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:43876 to:10.0.0.100:54321
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            192.168.1.50        to:10.0.0.1
   87 16609 TRIGGER    0    --  *      *       0.0.0.0/0            192.168.1.50        TRIGGER type:dnat match:0 relate:0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   26  2258 ACCEPT     tcp  --  tun1   *       0.0.0.0/0            10.0.0.100          tcp dpt:54321
12992   17M ACCEPT     udp  --  tun1   *       0.0.0.0/0            10.0.0.100          udp dpt:54321
16186 1314K ACCEPT     0    --  *      tun1    0.0.0.0/0            0.0.0.0/0
 8439 5553K ACCEPT     0    --  tun1   *       0.0.0.0/0            0.0.0.0/0
  150 10328 REJECT     0    --  *      eth0    10.0.0.100           0.0.0.0/0           state NEW reject-with icmp-port-unreachable
51547   63M ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     47   --  *      eth0    10.0.0.0/24          0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      eth0    10.0.0.0/24          0.0.0.0/0           tcp dpt:1723
    0     0 ACCEPT     0    --  tun2   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  *      tun2    0.0.0.0/0            0.0.0.0/0
 1628  323K lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0
  986  243K ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 TRIGGER    0    --  eth0   br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
  642 79787 trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 TRIGGER    0    --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  0    --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  eth1   *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 TRIGGER    0    --  eth0   ath0    0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0


4.
I only stopped Transmission, then changed the Transmission port to 43876, but it is always closed because the default iptables rule is set to 54321; it is basically the same test as 3.

5.
This is a strange test!
I just realized that my actual script can't work if PIA changes the port during a reboot, because of
Code:
/jffs/etc/config/ddwrt-pia-port-forward.sh --ip 10.0.0.100 --port 43876 --debug

the port at startup will always be 43876, so I modified the eibgrad script, from:
Code:
    # create internal ports forwards (udp and tcp)
    _ipt -t nat -I PREROUTING -i tun1 -p udp --dport $ext_port \
        -j DNAT --to $INTERNAL_IP:$INTERNAL_PORT
    _ipt -I FORWARD -i tun1 -p udp -d $INTERNAL_IP \
        --dport $INTERNAL_PORT -j ACCEPT
    _ipt -t nat -I PREROUTING -i tun1 -p tcp --dport $ext_port \
        -j DNAT --to $INTERNAL_IP:$INTERNAL_PORT
    _ipt -I FORWARD -i tun1 -p tcp -d $INTERNAL_IP \
        --dport $INTERNAL_PORT -j ACCEPT

to:
Code:
    # create internal ports forwards (udp and tcp)
    _ipt -t nat -I PREROUTING -i tun1 -p udp --dport $ext_port \
        -j DNAT --to $INTERNAL_IP:$ext_port
    _ipt -I FORWARD -i tun1 -p udp -d $INTERNAL_IP \
        --dport $ext_port -j ACCEPT
    _ipt -t nat -I PREROUTING -i tun1 -p tcp --dport $ext_port \
        -j DNAT --to $INTERNAL_IP:$ext_port
    _ipt -I FORWARD -i tun1 -p tcp -d $INTERNAL_IP \
        --dport $ext_port -j ACCEPT

In this way I always redirect to the same port.
I think for now, in conjunction with the script that scrapes the HTML from the router (waiting for JSON data), this is a not very elegant solution to have Transmission outside the router.

Am I doing something wrong, or can it work?
Chryses
DD-WRT User


Joined: 27 Jun 2018
Posts: 99

PostPosted: Mon Jul 01, 2019 17:27    Post subject:
egc wrote:
@eibgrad thanks for your excellent assessment of this situation.

I will have a look at the PIA website again; a quick search only gives these links:

https://www.privateinternetaccess.com/helpdesk/kb/articles/can-i-use-port-forwarding-without-using-the-pia-client

https://www.htpcguides.com/configure-auto-port-forward-pia-vpn-for-transmission/

The first one just covers how to retrieve the port number and the second article how to start Transmission with this retrieved external port number, exactly as @Chryses is doing now.

I am using PIA and there is no mention of the forwarded port if I login to my account, but I will look further and report.

Thanks for all your work, but if someone is up to the challenge it is you :)

Just saw your comment!
I love the fact that in the second script the port can be changed on the fly, without restarting Transmission!
But I think it is always the same situation: the PIA VPN must be on the same device as Transmission.
I haven't tried yet with qBittorrent or Deluge; I will, maybe the problem is Transmission. I'll make a test with the original @eibgrad script.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5920
Location: Netherlands

PostPosted: Mon Jul 01, 2019 19:08    Post subject:
@Chryses, as far as I can tell you are on the right track: the external and internal port should be the same, and that is the port Transmission has to use.

Take note that $ext_port is defined as local, but the iptables rules are in the same function so it should work; @eibgrad knows more about this
(I could be talking rubbish, as the wife frequently tells me :) )

Chryses
DD-WRT User


Joined: 27 Jun 2018
Posts: 99

PostPosted: Mon Jul 01, 2019 21:52    Post subject:
Mmm, I really don't know anything about split-tunneling, I have to learn this!

So:
If the script and the client are on the same device, no adjustments are needed.
If the script and the client are on different devices, the same port must be opened and the client on the remote machine has to grab the correct port from the router.

Like you said there's a big problem: what if the port changes without any re-connection? The only good solution is to constantly check the port from PIA every minute, so it can be done on the router (actually your script only checks if the PID of the VPN client changes, not the port itself (am I right?)), but this must be done on the remote machine too, right? The port must be changed because otherwise the client doesn't use the same port that is configured on the router. The PIA script can work too, without scraping the router page; it gives null results if 2 min have passed, so I think it can be managed in a way similar to my rough script.

I like your idea
Code:
ddwrt-pia-port-forward.sh --ip 192.168.1.100 --port *


Other VPN? Maybe it can be a solution for future decisions/people, but I think it is too late for me :D

Am I missing something?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5920
Location: Netherlands

PostPosted: Tue Jul 02, 2019 14:41    Post subject:
eibgrad wrote:
If having VPN port forwarding support ends up w/ all these limitations and unpredictable behavior, including an ever changing external port, it's just not worth it (imo). You'd at least think they'd publish the external port somewhere on their website, once you've logged into your account. Otherwise, it's impractical to use.

There are still VPN providers offering a more sane approach to port forwarding, but they make you pay for it too (e.g., PureVPN).

https://www.purevpn.com/port-forwarding?utm_source=wipf_blog&utm_medium=cta&utm_campaign=PF

These are the same guys I reported on a couple years ago who used to leave their end of the VPN tunnel wide-open, then charged you to secure it w/ a firewall.

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=307445

They've since reversed course, installed a firewall, and now charge you to port forward. Looks to me you get both a fixed public and your own port management, so none of this other nonsense you see from PIA.


Fortunately PIA's forwarded port does not change randomly, but it can change on reconnection, although it tends to be the same.
And yes, there are VPN providers where you can get a fixed port (when you pay) and also a lot that do not do any port forwarding, so PIA is not that bad.

And the script you provided is working great; I just tested with a VPN server running on my router with a DDNS to no-ip and that is working without problems.

Of course I still have to know the port number :(

Unfortunately I have no other options, I think, here in my summer residence I am behind a residential gateway which does not port forward.

One question to @eibgrad: when updating DDNS I cannot use curl, it gives:
root@EA6900:~#
Code:
curl -Lk "https://$DDNS_USER:$DDNS_PASS@dynupdate.no-ip.com/nic/update?hostname=$DDNS_HOST&myip=${vpn_public_ip}"

curl: (3) Port number ended with 'p'
root@EA6900:~#

while wget does work:
root@EA6900:~#
Code:
wget -qO - "http://$DDNS_USER:$DDNS_PASS@dynupdate.no-ip.com/nic/update?hostname=$DDNS_HOST&myip=${vpn_public_ip}"

good 1.3.5.2
root@EA6900:~#

Not a big problem, but frustrating that I cannot get curl to work. @eibgrad, any thoughts or quick fix for this?

Next step is that I will make a second DDNS where I update my external port number so that I can grab it from there.

To be continued and open to any suggestion :)

oudebelle
DD-WRT Novice


Joined: 05 Apr 2019
Posts: 1

PostPosted: Tue Jul 02, 2019 14:46    Post subject:
TunnelBear used to save my ass when I was having troubles with using a paid VPN. https://cooltechzone.com/sitemap here are many services available.
Chryses
DD-WRT User


Joined: 27 Jun 2018
Posts: 99

PostPosted: Tue Jul 02, 2019 16:35    Post subject:
I just got a reply from PIA Support:
Quote:
Thank you for contacting PIA Support.

It is a two minute window because that is when it quits the request to open the port, if it is not used at that time, it will not assign you it.

The port will not be changed during a connection, but you may not get the same port on a reconnect.

Please don't hesitate to let me know if you have any questions or concerns.

Regards

Thomas W.
Customer Support Agent

So, good to know that the port won't change during a connection!

At this point, to me, the best option is:
1. Modify the eibgrad script in order to execute one custom command/script after a connection (for example I can ssh to my NAS and change the port on the fly (I only have to find out how)). The second modification is to distinguish whether the device that needs the port opened is on the same router or on a remote machine.
2. Modify my systemctl in order to execute a scrape of the router one time only during a start, so I'll first scrape the URL, then I start Transmission with the port that I find (I don't know yet if it is better to call a script or to do all the work inside the systemctl)

In this way I can avoid continuously scraping the router!

Any better idea?
Chryses
DD-WRT User


Joined: 27 Jun 2018
Posts: 99

PostPosted: Tue Jul 02, 2019 19:22    Post subject:
Thanks eibgrad.

I think that is the way; good idea to make a callback script!

Why do I need to scrape the port? Simple: what about if the remote device starts after the PIA connection, or if it reboots?
But it can be easily done with a remote call, so when the program runs on a remote machine it tells your script on the router to execute the callback script; sounds simple to me. Maybe you need an extra argument to only call the callback.

Can it work?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5920
Location: Netherlands

PostPosted: Tue Jul 02, 2019 19:59    Post subject:
eibgrad wrote:
So given all the feedback and good suggestions, here's what I'm thinking.

1. Add the ability to specify "--port *" to signal that the internal port assignment should equal the external port assignment by PIA.

2. Add code to execute a callback script (ddwrt-pia-port-forward.callback ??) if present in the same directory as the ddwrt-pia-port-forward.sh script. I'll pass the VPN public IP and external port as arguments.

I'm thinking you could then use the opportunity to reconfigure either a local process, or remote process on the LAN w/ ssh. You could also use it to publish the information wherever you like, be it your own website, pastebin, send yourself an email or text message, etc. Then perhaps you guys can publish your own callback scripts on pastebin so that others can benefit. It gets me out of the business of having to make special code for every possible new situation that could arise. I call the callback, you then take responsibility to do whatever you need/want.

Btw, I don't think it makes sense to scrape the ip/port off the webpage if you can avoid it. While I don't anticipate any changes to the webpage, like anything based on parsing a string, if it does change, it will likely break your code. And I don't want to be hindered from making changes down the road because someone is scraping the webpage. You do so at your own risk!

I'll probably make a few other minor unrelated changes while I'm at it.

I await your feedback before proceeding.


Excellent plan

I just finished hacking your script to update one of my no-ip hostnames with the external IP address and another hostname with the external port; it works quite well, but it is always difficult to hack another one's script.

So with a callback script we can do a better job.

Have been considering SNMP but I read somewhere BS has removed it, so I did not research it any further.

Anyway with a callback script we could do all sorts of things and publish it for further use.

Looking forward to it.

Will also check why curl is not working; I have an @ in my username, will try replacing it with %40.

But also saw a commit by Kong regarding curl

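The two-part plan quoted above ("--port *" meaning the internal port equals PIA's external port, plus a callback script that receives the public IP and the external port), as an added example written for this thread rather than taken from eibgrad's script. The function names, the `IPT` and `CALLBACK` variables and the `DEMO` switch are mine; the rule shape (DNAT on tun1 and a FORWARD accept to the one internal host, for udp and tcp) follows Chryses' modified excerpt above. `IPT` defaults to `echo iptables`, so the functions print the rules instead of installing them until `IPT=iptables` is set on the router.

```shell
#!/bin/sh
# Added example, not eibgrad's script: the "--port *" resolution, the rule
# generation and the callback hand-off discussed in this thread, written so they
# can be exercised without touching a live firewall. Names are my own.

IPT=${IPT:-"echo iptables"}      # dry run by default; IPT=iptables on the router

# resolve_port INTERNAL_ARG EXT_PORT: "--port *" means "use PIA's external port".
resolve_port() {
    if [ "$1" = "*" ]; then printf '%s\n' "$2"; else printf '%s\n' "$1"; fi
}

# add_forward EXT_PORT INTERNAL_IP INTERNAL_PORT: DNAT on the tunnel interface
# plus the matching FORWARD accept, for udp and tcp. Binding the rules to tun1
# and to one destination host keeps the forward confined to the VPN; nothing
# is opened towards the WAN interface (eth0).
add_forward() {
    ext=$1; ip=$2; port=$3; ifc=${TUN_IF:-tun1}
    for proto in udp tcp; do
        $IPT -t nat -I PREROUTING -i "$ifc" -p "$proto" --dport "$ext" \
            -j DNAT --to "$ip:$port"
        $IPT -I FORWARD -i "$ifc" -p "$proto" -d "$ip" --dport "$port" -j ACCEPT
    done
}

# run_callback PUBLIC_IP EXT_PORT: hand the assignment to a sibling script if one
# exists and is executable, so publishing it (DDNS update, ssh to the NAS, ...)
# lives outside this file. The default path is the one suggested in the thread.
run_callback() {
    cb=${CALLBACK:-/jffs/etc/config/ddwrt-pia-port-forward.callback}
    [ -x "$cb" ] || return 0
    "$cb" "$1" "$2"
}

# Demo (constructed values): what "--ip 10.0.0.100 --port *" would install after
# PIA handed out port 43876, and the callback call that follows. Run with
# DEMO=1 to see the dry-run output.
if [ -n "${DEMO:-}" ]; then
    add_forward 43876 10.0.0.100 "$(resolve_port '*' 43876)"
    run_callback 203.0.113.7 43876
fi
```

The callback receives only the two values it needs, so a script that, say, runs `ssh` to the NAS or updates a DDNS record does not have to know anything about the router's firewall state, and the port-forward script never has to be edited for a new use.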
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5920
Location: Netherlands

PostPosted: Wed Jul 03, 2019 10:12    Post subject:
eibgrad wrote:
egc wrote:
One question to @eibgrad when updating DDNS I can not use curl it gives :
root@EA6900:~#
Code:
curl -Lk "https://$DDNS_USER:$DDNS_PASS@dynupdate.no-ip.com/nic/update?hostname=$DDNS_HOST&myip=${vpn_public_ip}"

curl: (3) Port number ended with 'p'
root@EA6900:~#


Just a guess, but do you perhaps have any special chars in your username, password, or host (esp. single and double quotes)? Because it sounds like a parsing error, and special chars can cause it w/ some utilities.


My username is my email address, so it has an @ in it.
curl does not encode that correctly; if I replace @ with %40, it does work.

Strangely, further on this line there is another @ which is not causing trouble.

Weird.

Now looking for a grep or sed command to change @ into %40 :)

Chryses
DD-WRT User


Joined: 27 Jun 2018
Posts: 99

PostPosted: Wed Jul 03, 2019 11:18    Post subject:
egc wrote:
eibgrad wrote:
egc wrote:
One question to @eibgrad when updating DDNS I can not use curl it gives :
root@EA6900:~#
Code:
curl -Lk "https://$DDNS_USER:$DDNS_PASS@dynupdate.no-ip.com/nic/update?hostname=$DDNS_HOST&myip=${vpn_public_ip}"

curl: (3) Port number ended with 'p'
root@EA6900:~#


Just a guess, but do you perhaps have any special chars in your username, password, or host (esp. single and double quotes)? Because it sounds like a parsing error, and special chars can cause it w/ some utilities.


My username is my email address, so it has an @ in it.
curl does not encode that correctly; if I replace @ with %40, it does work.

Strangely, further on this line there is another @ which is not causing trouble.

Weird.

Now looking for a grep or sed command to change @ into %40 :)


Tried with
Code:
curl -Lk 'https://"$DDNS_USER":"$DDNS_PASS"@dynupdate.no-ip.com/nic/update?hostname="$DDNS_HOST"&myip="${vpn_public_ip}"'

?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5920
Location: Netherlands

PostPosted: Thu Jul 04, 2019 10:18    Post subject:
Excellent plan

There must be a magic combination of single and double quotes which maybe works, in the meantime this works:
Code:
DDNS_USER="${DDNS_USER/@/%40}"

This replaces the @ with %40, which is the URL encoding of @.

But looking forward to using the callback script

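The '@'-in-username problem and the `${DDNS_USER/@/%40}` fix above, as an added example (mine, not egc's or eibgrad's code) that generalises the replacement to any reserved character and also shows the form that sidesteps URL parsing altogether by handing curl the credentials with `-u`. Function names and the hostname and credential values are constructed. `CURL` defaults to `echo curl`, so `ddns_update` prints the command instead of running it until `CURL=curl` is set.

```shell
#!/bin/sh
# Added example, not code from the thread: two ways to keep an '@' (or any other
# reserved character) in a DDNS username from breaking the update call.
# Hostnames and credentials used in comments and tests are constructed.

# urlencode STRING: percent-encode everything except the RFC 3986 unreserved
# characters (ASCII input assumed). Generalises ${DDNS_USER/@/%40} to a
# password containing '&', ':' or '/', which would break the URL just as badly.
urlencode() {
    s=$1
    out=""
    while [ -n "$s" ]; do
        rest=${s#?}              # everything after the first character
        c=${s%"$rest"}           # the first character itself
        s=$rest
        case "$c" in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;   # byte value as %XX
        esac
    done
    printf '%s\n' "$out"
}

# ddns_url USER PASS HOST IP: the thread's URL form, with every credential and
# the hostname encoded so the parser sees exactly one '@' (the real separator).
ddns_url() {
    printf 'https://%s:%s@dynupdate.no-ip.com/nic/update?hostname=%s&myip=%s\n' \
        "$(urlencode "$1")" "$(urlencode "$2")" "$(urlencode "$3")" "$4"
}

# ddns_update USER PASS HOST IP: the form I would actually use. `-u` gives the
# credentials to curl directly, so the '@' never goes through the URL parser,
# and -G with --data-urlencode builds the query string. Always https: the wget
# line in the post used http://, which sends the no-ip password in the clear.
ddns_update() {
    ${CURL:-echo curl} -sS -G -u "$1:$2" \
        --data-urlencode "hostname=$3" --data-urlencode "myip=$4" \
        https://dynupdate.no-ip.com/nic/update
}
```

Whichever form is used, the credentials still end up in the router's process list while curl runs; if that matters, put them in a file readable only by root and pass it with curl's `--netrc-file` instead of on the command line.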