PIA Portforwarding

Status
Not open for further replies.

MrYoDa

Dabbler
Joined
Mar 7, 2016
Messages
12
Hello
JFYI, I am using FreeNAS 11.1 U5.

I did Transmission with PIA, OpenVPN, firewall rules and got it all working and running from boot.
It's great, but now I am moving onto the port forwarding part of the whole process and here is where I hit a problem lol
How do you get the portforwarding.sh script to run at boot?
If I run it manually from within my jail just after boot it works and the transmission port opens fine.

I have portforwarding.sh located in (Jail) /usr/local/etc/openvpn/
along with my openvpn.conf. Like I said, a manual ./portforwarding.sh works, but for the life of me I can't
figure out how to get it to run just after (within 2 mins, PIA specify this) openvpn.

Can anyone help, as I have been at this for 2 days and a total of about 16 hours.
Thanks.
 

MrYoDa

Dabbler
Joined
Mar 7, 2016
Messages
12
Thanks for that, I will go and take a look...
 

MrYoDa

Dabbler
Joined
Mar 7, 2016
Messages
12
That didn't work.
As soon as I modify the openvpn.conf with "up" I get this:
Starting openvpn.
/usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn

Oh well, back to the drawing board.
 

fracai

Guru
Joined
Aug 22, 2012
Messages
1,212
I didn't see it on the link I posted, but I think I remember seeing something about running the script with a delay and in the background. Basically, the script tries to open the port before the VPN connection is fully established, fails, returns a bad exit status to OpenVPN, and the VPN shuts down. This can be avoided by having your script call a second script in the background (&). The second script delays for 30 seconds to give the connection a chance to complete and then opens the port. That could lead to an issue where the connection still hasn't come up and the port fails, but you could put a retry loop in the port script.
 

MrYoDa

Dabbler
Joined
Mar 7, 2016
Messages
12
I have tried a delay in the port forwarding script and it works 100%.
It seems that any up command I add to my openvpn.conf stops openvpn running at all. Here is my .conf file:

client
dev tun
proto udp
remote sweden.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server

auth-user-pass pass.txt
comp-lzo no
verb 1
reneg-sec 0
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
disable-occ
script-security 2


Like I said, anything I add here after script-security 2
stops openvpn working.

It's not a massive issue to get this running automatically,
but it would be nice to finish the job.
Thanks for the reply.
 

MrYoDa

Dabbler
Joined
Mar 7, 2016
Messages
12
Yes, that's exactly how I tried it, as well as other ways.
But then openvpn won't start with any "up" command I add or any path added after it.
 

MrYoDa

Dabbler
Joined
Mar 7, 2016
Messages
12
I was wondering if openvpn would need permission to open
the portforwarding script that belongs to root?
 

fracai

Guru
Joined
Aug 22, 2012
Messages
1,212
I would think that the openvpn process is also running as root.
So at this point you have your config with "script-security 2" and "up /path/to/background.sh", background.sh calls "open-port.sh &", open-port.sh includes a 30 or so second delay before doing anything and then makes the request to open a port. The "*.sh" files are executable and readable.

If you remove the "up" call, openvpn starts fine.
If you then call "background.sh" or "open-port.sh" the port is indeed opened.
If you stop openvpn, add "up", and start openvpn, it fails to start with "WARNING: failed to start openvpn".

Is all that correct?

Try increasing the verbosity of openvpn (start with "--verb 4" and move up to 11)
 

MrYoDa

Dabbler
Joined
Mar 7, 2016
Messages
12
Yes everything happens as you wrote it.

OK will do and thanks again.
This will have to be done tomorrow now, busy tonight.
 

MrYoDa

Dabbler
Joined
Mar 7, 2016
Messages
12
It seems everything runs OK until it gets to the up command.

This is what it reports if run by hand (./port.sh):

Loading port forward assignment information...
server returned {"port":40255}
if successful, trimmed port is:40255
localhost:9091/transmission/rpc/ responded: "success"
remember to run no longer than 2 mins after reconnecting/connecting to vpn server.

=======================================


Aug 30 22:06:04 transmission_1 openvpn[93880]: Current Parameter Settings:
Aug 30 22:06:04 transmission_1 openvpn[93880]: config = '/usr/local/etc/openvpn/openvpn.conf'
Aug 30 22:06:04 transmission_1 openvpn[93880]: mode = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: show_ciphers = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: show_digests = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: show_engines = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: genkey = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: key_pass_file = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: show_tls_ciphers = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: connect_retry_max = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: Connection profiles [0]:
Aug 30 22:06:04 transmission_1 openvpn[93880]: proto = udp
Aug 30 22:06:04 transmission_1 openvpn[93880]: local = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: local_port = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: remote = 'sweden.privateinternetaccess.com'
Aug 30 22:06:04 transmission_1 openvpn[93880]: remote_port = '1198'
Aug 30 22:06:04 transmission_1 openvpn[93880]: remote_float = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: bind_defined = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: bind_local = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: bind_ipv6_only = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: connect_retry_seconds = 5
Aug 30 22:06:04 transmission_1 openvpn[93880]: connect_timeout = 120
Aug 30 22:06:04 transmission_1 openvpn[93880]: socks_proxy_server = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: socks_proxy_port = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: tun_mtu = 1500
Aug 30 22:06:04 transmission_1 openvpn[93880]: tun_mtu_defined = ENABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: link_mtu = 1500
Aug 30 22:06:04 transmission_1 openvpn[93880]: link_mtu_defined = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: tun_mtu_extra = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: tun_mtu_extra_defined = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: mtu_discover_type = -1
Aug 30 22:06:04 transmission_1 openvpn[93880]: fragment = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: mssfix = 1450
Aug 30 22:06:04 transmission_1 openvpn[93880]: explicit_exit_notification = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: Connection profiles END
Aug 30 22:06:04 transmission_1 openvpn[93880]: remote_random = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: ipchange = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: dev = 'tun'
Aug 30 22:06:04 transmission_1 openvpn[93880]: dev_type = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: dev_node = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: lladdr = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: topology = 1
Aug 30 22:06:04 transmission_1 openvpn[93880]: ifconfig_local = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: ifconfig_remote_netmask = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: ifconfig_noexec = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: ifconfig_nowarn = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: ifconfig_ipv6_local = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: ifconfig_ipv6_netbits = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: ifconfig_ipv6_remote = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: shaper = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: mtu_test = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: mlock = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: keepalive_ping = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: keepalive_timeout = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: inactivity_timeout = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: ping_send_timeout = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: ping_rec_timeout = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: ping_rec_timeout_action = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: ping_timer_remote = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: remap_sigusr1 = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: persist_tun = ENABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: persist_local_ip = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: persist_remote_ip = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: persist_key = ENABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: passtos = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: resolve_retry_seconds = 1000000000
Aug 30 22:06:04 transmission_1 openvpn[93880]: resolve_in_advance = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: username = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: groupname = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: chroot_dir = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: cd_dir = '/usr/local/etc/openvpn'
Aug 30 22:06:04 transmission_1 openvpn[93880]: writepid = '/var/run/openvpn.pid'
Aug 30 22:06:04 transmission_1 openvpn[93880]: up_script = '/usr/local/etc/openvpn/port.sh'
Aug 30 22:06:04 transmission_1 openvpn[93880]: down_script = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: down_pre = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: up_restart = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: up_delay = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: daemon = ENABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: inetd = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: log = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: suppress_timestamps = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: machine_readable_output = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: nice = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: verbosity = 4
Aug 30 22:06:04 transmission_1 openvpn[93880]: mute = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: gremlin = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: status_file = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: status_file_version = 1
Aug 30 22:06:04 transmission_1 openvpn[93880]: status_file_update_freq = 60
Aug 30 22:06:04 transmission_1 openvpn[93880]: occ = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: rcvbuf = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: sndbuf = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: sockflags = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: fast_io = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: comp.alg = 1
Aug 30 22:06:04 transmission_1 openvpn[93880]: comp.flags = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: route_script = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: route_default_gateway = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: route_default_metric = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: route_noexec = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: route_delay = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: route_delay_window = 30
Aug 30 22:06:04 transmission_1 openvpn[93880]: route_delay_defined = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: route_nopull = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: route_gateway_via_dhcp = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: allow_pull_fqdn = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: management_addr = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: management_port = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: management_user_pass = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: management_log_history_cache = 250
Aug 30 22:06:04 transmission_1 openvpn[93880]: management_echo_buffer_size = 100
Aug 30 22:06:04 transmission_1 openvpn[93880]: management_write_peer_info_file = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: management_client_user = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: management_client_group = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: management_flags = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: shared_secret_file = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: key_direction = not set
Aug 30 22:06:04 transmission_1 openvpn[93880]: ciphername = 'aes-128-cbc'
Aug 30 22:06:04 transmission_1 openvpn[93880]: ncp_enabled = ENABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Aug 30 22:06:04 transmission_1 openvpn[93880]: authname = 'sha1'
Aug 30 22:06:04 transmission_1 openvpn[93880]: prng_hash = 'SHA1'
Aug 30 22:06:04 transmission_1 openvpn[93880]: prng_nonce_secret_len = 16
Aug 30 22:06:04 transmission_1 openvpn[93880]: keysize = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: engine = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: replay = ENABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: mute_replay_warnings = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: replay_window = 64
Aug 30 22:06:04 transmission_1 openvpn[93880]: replay_time = 15
Aug 30 22:06:04 transmission_1 openvpn[93880]: packet_id_file = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: use_iv = ENABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: test_crypto = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: tls_server = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: tls_client = ENABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: key_method = 2
Aug 30 22:06:04 transmission_1 openvpn[93880]: ca_file = 'ca.rsa.2048.crt'
Aug 30 22:06:04 transmission_1 openvpn[93880]: ca_path = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: dh_file = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: cert_file = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: extra_certs_file = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: priv_key_file = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: pkcs12_file = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: cipher_list = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: tls_cert_profile = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: tls_verify = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: tls_export_cert = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: verify_x509_type = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: verify_x509_name = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: crl_file = 'crl.rsa.2048.pem'
Aug 30 22:06:04 transmission_1 openvpn[93880]: ns_cert_type = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: remote_cert_ku = 65535
Aug 30 22:06:04 transmission_1 openvpn[93880]: remote_cert_ku = 0
Aug 30 22:06:04 transmission_1 last message repeated 14 times
Aug 30 22:06:04 transmission_1 openvpn[93880]: remote_cert_eku = 'TLS Web Server Authentication'
Aug 30 22:06:04 transmission_1 openvpn[93880]: ssl_flags = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: tls_timeout = 2
Aug 30 22:06:04 transmission_1 openvpn[93880]: renegotiate_bytes = -1
Aug 30 22:06:04 transmission_1 openvpn[93880]: renegotiate_packets = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: renegotiate_seconds = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: handshake_window = 60
Aug 30 22:06:04 transmission_1 openvpn[93880]: transition_window = 3600
Aug 30 22:06:04 transmission_1 openvpn[93880]: single_session = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: push_peer_info = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: tls_exit = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: tls_auth_file = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: tls_crypt_file = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: server_network = 0.0.0.0
Aug 30 22:06:04 transmission_1 openvpn[93880]: server_netmask = 0.0.0.0
Aug 30 22:06:04 transmission_1 openvpn[93880]: server_network_ipv6 = ::
Aug 30 22:06:04 transmission_1 openvpn[93880]: server_netbits_ipv6 = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: server_bridge_ip = 0.0.0.0
Aug 30 22:06:04 transmission_1 openvpn[93880]: server_bridge_netmask = 0.0.0.0
Aug 30 22:06:04 transmission_1 openvpn[93880]: server_bridge_pool_start = 0.0.0.0
Aug 30 22:06:04 transmission_1 openvpn[93880]: server_bridge_pool_end = 0.0.0.0
Aug 30 22:06:04 transmission_1 openvpn[93880]: ifconfig_pool_defined = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: ifconfig_pool_start = 0.0.0.0
Aug 30 22:06:04 transmission_1 openvpn[93880]: ifconfig_pool_end = 0.0.0.0
Aug 30 22:06:04 transmission_1 openvpn[93880]: ifconfig_pool_netmask = 0.0.0.0
Aug 30 22:06:04 transmission_1 openvpn[93880]: ifconfig_pool_persist_filename = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: ifconfig_pool_persist_refresh_freq = 600
Aug 30 22:06:04 transmission_1 openvpn[93880]: ifconfig_ipv6_pool_defined = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: ifconfig_ipv6_pool_base = ::
Aug 30 22:06:04 transmission_1 openvpn[93880]: ifconfig_ipv6_pool_netbits = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: n_bcast_buf = 256
Aug 30 22:06:04 transmission_1 openvpn[93880]: tcp_queue_limit = 64
Aug 30 22:06:04 transmission_1 openvpn[93880]: real_hash_size = 256
Aug 30 22:06:04 transmission_1 openvpn[93880]: virtual_hash_size = 256
Aug 30 22:06:04 transmission_1 openvpn[93880]: client_connect_script = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: learn_address_script = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: client_disconnect_script = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: client_config_dir = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: ccd_exclusive = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: tmp_dir = '/tmp'
Aug 30 22:06:04 transmission_1 openvpn[93880]: push_ifconfig_defined = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: push_ifconfig_local = 0.0.0.0
Aug 30 22:06:04 transmission_1 openvpn[93880]: push_ifconfig_remote_netmask = 0.0.0.0
Aug 30 22:06:04 transmission_1 openvpn[93880]: push_ifconfig_ipv6_defined = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: push_ifconfig_ipv6_local = ::/0
Aug 30 22:06:04 transmission_1 openvpn[93880]: push_ifconfig_ipv6_remote = ::
Aug 30 22:06:04 transmission_1 openvpn[93880]: enable_c2c = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: duplicate_cn = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: cf_max = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: cf_per = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: max_clients = 1024
Aug 30 22:06:04 transmission_1 openvpn[93880]: max_routes_per_client = 256
Aug 30 22:06:04 transmission_1 openvpn[93880]: auth_user_pass_verify_script = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: auth_user_pass_verify_script_via_file = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: auth_token_generate = DISABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: auth_token_lifetime = 0
Aug 30 22:06:04 transmission_1 openvpn[93880]: port_share_host = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: port_share_port = '[UNDEF]'
Aug 30 22:06:04 transmission_1 openvpn[93880]: client = ENABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: pull = ENABLED
Aug 30 22:06:04 transmission_1 openvpn[93880]: auth_user_pass_file = 'pass.txt'
Aug 30 22:06:04 transmission_1 openvpn[93880]: OpenVPN 2.4.6 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Aug 16 2018
Aug 30 22:06:04 transmission_1 openvpn[93880]: library versions: OpenSSL 1.0.2j-freebsd 26 Sep 2016, LZO 2.10
Aug 30 22:06:04 transmission_1 openvpn[93881]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 30 22:06:04 transmission_1 openvpn[93881]: Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Aug 30 22:06:04 transmission_1 openvpn[93881]: Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Aug 30 22:06:04 transmission_1 openvpn[93881]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Aug 30 22:06:04 transmission_1 openvpn[93881]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Aug 30 22:06:04 transmission_1 openvpn[93881]: TCP/UDP: Preserving recently used remote address: [AF_INET]46.246.123.58:1198
Aug 30 22:06:04 transmission_1 openvpn[93881]: Socket Buffers: R=[42080->42080] S=[9216->9216]
Aug 30 22:06:04 transmission_1 openvpn[93881]: UDP link local: (not bound)
Aug 30 22:06:04 transmission_1 openvpn[93881]: UDP link remote: [AF_INET]46.246.123.58:1198
Aug 30 22:06:04 transmission_1 openvpn[93881]: TLS: Initial packet from [AF_INET]46.246.123.58:1198, sid=beec242a 653ba08d
Aug 30 22:06:04 transmission_1 openvpn[93881]: VERIFY OK: depth=1, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
Aug 30 22:06:04 transmission_1 openvpn[93881]: VERIFY KU OK
Aug 30 22:06:04 transmission_1 openvpn[93881]: Validating certificate extended key usage
Aug 30 22:06:04 transmission_1 openvpn[93881]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Aug 30 22:06:04 transmission_1 openvpn[93881]: VERIFY EKU OK
Aug 30 22:06:04 transmission_1 openvpn[93881]: VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=10cec587dfc4b6d251deb00c76e2e752, name=10cec587dfc4b6d251deb00c76e2e752
Aug 30 22:06:04 transmission_1 openvpn[93881]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Aug 30 22:06:04 transmission_1 openvpn[93881]: [10cec587dfc4b6d251deb00c76e2e752] Peer Connection Initiated with [AF_INET]46.246.123.58:1198
Aug 30 22:06:06 transmission_1 openvpn[93881]: SENT CONTROL [10cec587dfc4b6d251deb00c76e2e752]: 'PUSH_REQUEST' (status=1)
Aug 30 22:06:06 transmission_1 openvpn[93881]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.83.10.1,topology net30,ifconfig 10.83.10.10 10.83.10.9,auth-token'
Aug 30 22:06:06 transmission_1 openvpn[93881]: auth-token received, disabling auth-nocache for the authentication token
Aug 30 22:06:06 transmission_1 openvpn[93881]: OPTIONS IMPORT: timers and/or timeouts modified
Aug 30 22:06:06 transmission_1 openvpn[93881]: OPTIONS IMPORT: compression parms modified
Aug 30 22:06:06 transmission_1 openvpn[93881]: OPTIONS IMPORT: --ifconfig/up options modified
Aug 30 22:06:06 transmission_1 openvpn[93881]: OPTIONS IMPORT: route options modified
Aug 30 22:06:06 transmission_1 openvpn[93881]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Aug 30 22:06:06 transmission_1 openvpn[93881]: Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:406 ET:0 EL:3 ]
Aug 30 22:06:06 transmission_1 openvpn[93881]: Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Aug 30 22:06:06 transmission_1 openvpn[93881]: Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 30 22:06:06 transmission_1 openvpn[93881]: Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Aug 30 22:06:06 transmission_1 openvpn[93881]: Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 30 22:06:06 transmission_1 openvpn[93881]: ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=epair1b HWADDR=06:ed:6d:6f:c0:d2
Aug 30 22:06:06 transmission_1 openvpn[93881]: TUN/TAP device /dev/tun0 opened
Aug 30 22:06:06 transmission_1 openvpn[93881]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Aug 30 22:06:06 transmission_1 openvpn[93881]: /sbin/ifconfig tun0 10.83.10.10 10.83.10.9 mtu 1500 netmask 255.255.255.255 up
Aug 30 22:06:06 transmission_1 openvpn[93881]: /usr/local/etc/openvpn/port.sh tun0 1500 1558 10.83.10.10 10.83.10.9 init
Aug 30 22:06:26 transmission_1 openvpn[93881]: WARNING: Failed running command (--up/--down): external program exited with error status: 1
Aug 30 22:06:26 transmission_1 openvpn[93881]: Exiting due to fatal error
 

fracai

Guru
Joined
Aug 22, 2012
Messages
1,212
So the logs indicate that "port.sh" is exiting with an error status. That's not surprising if it tries to open the port too early. Can you post the contents of "port.sh" and the other scripts that it calls?

If "port.sh" just contains the one line that calls the other script in the background and that is somehow returning an error code, you could put a true call after the background call. But, calling a script in the background shouldn't return an error status. Even if that script isn't executable or has some error status the background call will still succeed and return 0.
 

MrYoDa

Dabbler
Joined
Mar 7, 2016
Messages
12
This is the port.sh script.
I have been calling it directly, as calling another script first gave the same error.
==================================================

#!/usr/local/bin/bash
#
# Enable port forwarding when using Private Internet Access
# install curl first (pkg install curl)
# Usage:
# ./port_forwarding.sh

# Give the tunnel a moment to come up before asking for a port.
sleep 20

TRANSHOST=localhost
# Note: TRANSUSER and TRANSPASS are not set anywhere in this script, so they
# must come from the environment (or transmission's RPC auth must be off).

error()
{
    echo "$@" 1>&2
    exit 1
}

error_and_usage()
{
    echo "$@" 1>&2
    usage_and_exit 1
}

usage()
{
    echo "Usage: `dirname $0`/$PROGRAM"
}

usage_and_exit()
{
    usage
    exit $1
}

version()
{
    echo "$PROGRAM version $VERSION"
}

port_forward_assignment()
{
    echo 'Loading port forward assignment information...'
    # Fresh random client_id for this request (sha256sum on Linux, shasum on FreeBSD).
    if [ "$(uname)" == "Linux" ]; then
        client_id=`head -n 100 /dev/urandom | sha256sum | tr -d " -"`
    fi
    if [ "$(uname)" == "FreeBSD" ]; then
        client_id=`head -n 100 /dev/urandom | shasum -a 256 | tr -d " -"`
    fi

    # Ask the PIA port-forward API; a successful reply looks like {"port":40255}.
    json=`curl "http://209.222.18.222:2000/?client_id=$client_id" 2>/dev/null`
    if [ "$json" == "" ]; then
        echo Port forwarding is already activated on this connection, has expired, or you are not connected to a PIA region that supports port forwarding
        exit 0
    fi

    echo server returned $json

    #trim VPN forwarded port from JSON
    PORT=$(echo $json | awk 'BEGIN{r=1;FS="[{}\":]+"} /port/{r=0; print $3} END{exit r}')
    echo if successful, trimmed port is:$PORT

    #change transmission port on the fly
    transmission-remote $TRANSHOST --auth $TRANSUSER:$TRANSPASS -p "$PORT"
    echo remember to run no longer than 2 mins after reconnecting/connecting to vpn server.
}

EXITCODE=0
PROGRAM=`basename $0`
VERSION=2.1

# Option parsing: only --help/--version are accepted. Any other argument
# (including the "tun0 1500 1558 ... init" arguments OpenVPN passes to an
# --up script) is rejected and the script exits with status 1.
while test $# -gt 0
do
    case $1 in
    --usage | --help | -h )
        usage_and_exit 0
        ;;
    --version | -v )
        version
        exit 0
        ;;
    *)
        error_and_usage "Unrecognized option: $1"
        ;;
    esac
    shift
done

port_forward_assignment

exit 0
 

MrYoDa

Dabbler
Joined
Mar 7, 2016
Messages
12
Although thinking about it, maybe I should have put the "sleep" in the other script
so it delays the calling of "port.sh", not calling it and then a delay?

"EDIT"
Using another script to start the port.sh runs with no errors,
BUT the port won't open at all, weird.

"start.sh"

#!/usr/local/bin/bash
sleep 30
/usr/local/etc/openvpn/port.sh &

"Message Log"

Aug 31 17:52:22 transmission_1 openvpn[48819]: /usr/local/etc/openvpn/start.sh tun0 1500 1558 10.36.10.10 10.36.10.9 init
Aug 31 17:52:52 transmission_1 openvpn[48819]: /sbin/route add -net 46.246.123.58 192.168.1.1 255.255.255.255
Aug 31 17:52:52 transmission_1 openvpn[48819]: /sbin/route add -net 0.0.0.0 10.36.10.9 128.0.0.0
Aug 31 17:52:52 transmission_1 openvpn[48819]: /sbin/route add -net 128.0.0.0 10.36.10.9 128.0.0.0
Aug 31 17:52:52 transmission_1 openvpn[48819]: /sbin/route add -net 10.36.10.1 10.36.10.9 255.255.255.255
Aug 31 17:52:52 transmission_1 openvpn[48819]: Initialization Sequence Completed
 

MrYoDa

Dabbler
Joined
Mar 7, 2016
Messages
12
OK, found this online and it works: starts openvpn,
connects to the PIA server and configures Transmission's port.

Although I have to say I have no idea why this works lol
I changed it slightly to fit my /paths/.
====================================

Script #1 is loaded by openvpn with the --up parameter:
----------------------------------------------------------------------

#!/usr/local/bin/bash
/usr/local/etc/openvpn/port_forwarding.sh &

Script #2 (port_forwarding.sh) opens the port and writes its number in port.txt
------------------------------------------------------------------------------------------------

#!/usr/local/bin/bash
#
# Enable port forwarding when using Private Internet Access
# install curl first (pkg install curl)
# Usage:
# ./port_forwarding.sh

# This script is started in the background ("&") by script #1, so the delay
# does not hold up OpenVPN; it just gives the tunnel time to come up.
sleep 60

port_forward_assignment()
{
    # Fresh random client_id for this request (absolute paths so the script
    # does not depend on PATH when run from OpenVPN).
    client_id=`/usr/bin/head -n 100 /dev/urandom | /usr/local/bin/shasum -a 256 | tr -d " -"`

    # Ask the PIA port-forward API; a successful reply looks like {"port":40255}.
    json=`/usr/local/bin/curl "http://209.222.18.222:2000/?client_id=$client_id" 2>/dev/null`
    echo $json>/tmp/json.txt #for debugging
    if [ "$json" == "" ]; then
        echo Port forwarding is already activated on this connection, has expired, or you are not connected to a PIA region that supports port forwarding
        exit 0
    fi

    echo server returned $json

    #trim VPN forwarded port from JSON
    PORT=$(echo $json | /usr/bin/awk 'BEGIN{r=1;FS="[{}\":]+"} /port/{r=0; print $3} END{exit r}')
    echo if successful, trimmed port is:$PORT
    # hand the port to script #3 through a file
    echo $PORT>/usr/local/etc/openvpn/port.txt
}

port_forward_assignment

# script #3 reads port.txt and pushes the port to transmission
su -l root -c /usr/local/etc/openvpn/port.sh &

exit 0

Script #3 (port.sh) reads the port number from port.txt and passes it to transmission.
---------------------------------------------------------------------------------------------------------

#!/usr/local/bin/bash

TRANSUSER=user
TRANSPASS=pass
TRANSHOST=localhost

file="/usr/local/etc/openvpn/port.txt" #the file where you keep your string name

# the content of $file is redirected to stdin and read into $PORT; the
# delimiter $'\x04' (EOT) makes read take the whole file rather than one line
read -d $'\x04' PORT < "$file"

echo $PORT>/usr/local/etc/openvpn/port2.txt #test

/usr/local/bin/transmission-remote $TRANSHOST --auth $TRANSUSER:$TRANSPASS -p "$PORT"

exit 0
 

fracai

Guru
Joined
Aug 22, 2012
Messages
1,212
So, what you found that works is what I was advocating for.

"up" calls "script 1"
"script 1" calls "port_forwarding.sh" in the background via "&" and exits with an exit status of zero.
"port_forwarding.sh" delays for some amount of time to allow the connection to complete and then opens the port. There shouldn't really be a need to separate the port_forwarding.sh and port.sh scripts, but there's no need to keep them linked either.

It looks like your previous attempts were directly calling the "port.sh" script. That script would delay, but the connection hasn't completed so the port can't be opened and the script returns an error status which causes the connection to fail.

Glad you got it worked out.
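The pattern fracai lays out (a one-line --up script that backgrounds a worker, which waits for the tunnel, retries the request, then sets the Transmission port) written as a single worker script. This is an added example, not one of the scripts posted in this thread; it assumes FreeBSD tools (netstat, shasum, logger), curl installed, TRANSUSER/TRANSPASS exported in the environment, and that the --up script is just the hypothetical `/usr/local/etc/openvpn/pia-portfwd.sh "$@" &`. Unlike the posted scripts it checks that the returned port is a plain integer in range before putting it on a command line.

```shell
#!/usr/local/bin/bash
# Added example (not a script from this thread): the background worker that a
# one-line --up script launches with "&". The --up script itself must return 0
# immediately, otherwise OpenVPN aborts as in the log above. Assumptions:
# FreeBSD netstat/shasum/logger, curl installed, TRANSUSER/TRANSPASS exported.

PIA_API="http://209.222.18.222:2000"    # the port-forward endpoint used in the thread
TRANSHOST=${TRANSHOST:-localhost}

# Retry "$@" up to $1 times, sleeping $2 seconds between attempts.
retry() {
    tries=$1; delay=$2; shift 2
    n=1
    while :; do
        if "$@"; then return 0; fi
        [ "$n" -ge "$tries" ] && return 1
        n=$((n + 1))
        sleep "$delay"
    done
}

# True once the routing table mentions the tunnel device OpenVPN handed us
# (assumes FreeBSD netstat layout, where the Netif column names the device).
tunnel_up() {
    netstat -rn 2>/dev/null | grep -qw "$1"
}

# One request to the PIA API with a fresh random client_id. Fails (so retry
# tries again) only when curl cannot reach the server; an empty reply means
# "already activated / expired / region unsupported" and is final.
request_port() {
    client_id=$(head -c 64 /dev/urandom | shasum -a 256 | tr -d ' -')
    reply=$(curl -s --max-time 10 "$PIA_API/?client_id=$client_id") || return 1
    printf '%s\n' "$reply"
}

# Pull the number out of a reply such as {"port":40255}. Prints it and
# returns 0, or returns 1 when there is no numeric "port" member.
extract_port() {
    port=$(printf '%s' "$1" |
        sed -n 's/.*"port"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    [ -n "$port" ] || return 1
    printf '%s\n' "$port"
}

# The reply comes from the network and ends up on a command line, so accept
# only a plain integer in the unprivileged range before using it.
valid_port() {
    case $1 in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# OpenVPN passes "tun0 1500 1558 <local> <remote> init" to the --up script,
# which forwards "$@" here; only the device name ($1) is used.
main() {
    dev=$1
    : "${TRANSUSER:?TRANSUSER must be set}" "${TRANSPASS:?TRANSPASS must be set}"

    # Up to 2 minutes waiting for the routes, then roughly a minute of API
    # attempts: PIA wants the request within 2 minutes of connecting.
    retry 24 5 tunnel_up "$dev" || { logger -t pia-portfwd "no route via $dev"; return 1; }
    reply=$(retry 6 10 request_port) || { logger -t pia-portfwd "PIA API unreachable"; return 1; }
    [ -n "$reply" ] || { logger -t pia-portfwd "empty reply: port forwarding not available"; return 0; }

    port=$(extract_port "$reply") && valid_port "$port" ||
        { logger -t pia-portfwd "rejected reply: $reply"; return 1; }

    transmission-remote "$TRANSHOST" --auth "$TRANSUSER:$TRANSPASS" -p "$port" &&
        logger -t pia-portfwd "transmission peer port set to $port"
}

# Only run when invoked with OpenVPN's arguments; with no arguments the file
# just defines the functions above.
if [ $# -gt 0 ]; then main "$@"; fi
```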
 

MrYoDa

Dabbler
Joined
Mar 7, 2016
Messages
12
Well, it was your advice that made me look at things differently and learn more about
some of the commands and what they actually do.
I had read that page a few times over the past week and didn't understand it,
so thanks Fracai for that :)
 

Binary Buddha

Contributor
Joined
Mar 6, 2016
Messages
126
MrYoDa said: (quoting the opening post above)

Yeah, I tried that too once. It was complicated. So I cheated. I have a CentOS system stood up and configured to connect to PIA via OpenVPN. Then I configured FirewallD to act like a router and started to use the CentOS as the default gateway for the jail. It's been working for over a year now with no real issues. And if I ever want to VPN anything else I just point it to the CentOS as the default gateway. All the ports and all the protocols are now VPN'd.

If you don't have the hardware, you could create a jail on the FreeNAS to do it. (Yeah, I never got around to it. Making FreeBSD jails is complicated.) Or you could put a minimal CentOS VM in VirtualBox.
 