How to add VPN port forwarding with Merlin?

patrick sullivan

Regular Contributor
I know that PIA offers port forwarding now with their desktop client, but how would I do that with my Asus 68U running Merlin?
 
AFAIK, you have to do it manually. And, last time I used PIA port forwarding, it required a special API, which only supported a single port, and other limitations. So even if the GUI supported it natively (which would be a cool feature), port forwarding w/ various VPN providers may come w/ other limitations that make it more complex than port forwarding over the WAN.

FWIW, I wrote a script some time ago for tomato (specifically, Shibby) that handles this PIA API for the user. I suspect it would work just as well w/ Merlin or most any other tomato variant.

https://pastebin.com/zkDfbTEJ

Yeah, PIA made it a bit complicated. And again, I don't know if this is still the case w/ PIA. I haven't dealt with them since I wrote it back in June of 2018.
 
Okay. Not sure where I would place this script in the 68U settings. Don't want to screw up my PIA VPN<>68U relationship that has worked perfectly for years. :) I just need one port (transmission bit client) opened.

Sent from my SM-G965U using Tapatalk
 
Since it's a startup/init script, and Merlin has his own event handling, you'll need to use his event handler to trigger the script.

https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts

So probably as a services-start script.

I'd happily experiment w/ the script on my own Merlin router and see if there are any Merlin-specific changes required. However, I don't have a PIA account at the moment. So I would try to see how far you get on your own and report any issues back here.

P.S. And if you do find it needs some changes, and you report them back, I'll post a Merlin version (along w/ my current tomato and dd-wrt versions) on PasteBin.
 
Okay, I'll see what I can do when I get home. I am not an IT dude. It took me a couple weeks to get my setup up and running by simply copying what others have done on this site (Yorgi). Thanks for the reply and help. Very much appreciated.
 

LOL, yeah, I hear ya, been there myself. But the script should at least be close to what you need. If you have questions, just ask.
 
P.S. What I may do is look over the script again (been a long time since I've even looked at it) and see if I can at least identify any Merlin-specific changes required. However, as I said, I can't test it since I don't have a PIA account anymore. So you'll have to be my tester. :)

I'd like to have a permanent version posted on PasteBin for Merlin users anyway.
 
Made some progress, although limited. Added a pastebin for the Merlin version of my script.

https://pastebin.com/DrwquEeT

Just beware, I reserve the right to update it w/o notice. It's still a WIP (work in progress).

I'm currently stuck at the point where the VPN is established, and I need to access the PIA server to obtain the allocated port. I first try to ping it, but it doesn't respond. And I assume that's because that particular server is only listening over the PIA tunnel provided by their service (I'm presently testing w/ a free VPN service called SecurityKISS).

But most of the code that executes after a successful ping of the PIA server is rather generic and not specific to any particular firmware. So I'm reasonably confident it would work as is. I'm mostly now just trying to update the instructions, deal w/ some finer details that could lead to failure, etc.

One of the complexities of dealing w/ the PIA port forwarding API is that it's NOT considered part of the OpenVPN connection/configuration process. It happens *outside* of this. IOW, once the OpenVPN client is connected to the OpenVPN server, my script has to access the tunnel as if it was any other client on the local network. I'm just another user of that tunnel and have no special privileges. You could, in fact, just like PIA's own app, create your own app on some Windows or Linux client and have a port allocated for port forwarding purposes, then configure the router manually w/ that information. My script is really nothing more than a convenience. I've also added a few other conveniences (which are optional), such as the ability to associate the public IP on the VPN to a DDNS domain name, and the addition of a webpage on the router so you can be informed of that public IP and the allocated port.

Frankly, we shouldn't have to go through all these machinations just to get a port forward established. And take heed of all the limitations I describe in the documentation. Those are all PIA limitations, NOT the router or my script! Again, I find it all rather ridiculous and unnecessarily complex. But I don't think PIA cares because they assume 99.44% of their customers will use their PIA app, which transparently adds this capability.
 
Btw, just a funny aside. When I started to make the modifications for Merlin, I noticed I had made a serious error in the tomato version (which I've since corrected, so I suppose it was worth the effort), that for all intents and purposes, made it useless. It didn't work. The dd-wrt version works (which is where I started), but not the tomato version. Yet, having been out there for nearly a year, I haven't heard a peep out of anyone about it not working! And ppl contact me all the time about my scripts for one reason or another. It gives you an idea just how few ppl are even using this PIA port forwarding feature, at least when it comes to the router.
 
Thank you both...this is quite a bit over my head, but I'm trying to work through it....
 
Spent quite a bit of time making sure it works, at least up to the point it tries to query the PIA port forwarding server. By default, it will port forward to the router's IP on the LAN side and port 80, giving you remote access to the router's GUI.

For testing purposes, I would just get it installed and run it, just to prove it works. Then deal w/ specifying your preferred port forward settings later. I suspect getting it installed will prove the more difficult task, esp. if you've never worked w/ Merlin before. Having to manage both my script and the services-start script can be tricky for a Merlin newb.
 
Wondering if I could just specify a different port on my Transmission GUI? Is there a port that is already open via default within Merlin's VPN settings?
 

Don't confuse the issue of port forwarding w/ Merlin (which only works over the WAN) vs. port forwarding over the VPN. AFAIK, there is nothing in the Merlin GUI that supports port forwarding over the VPN. You have to do that manually.

Now in this case, because PIA makes it so complicated to open a port on their end of the tunnel, my script has to do two things.

1. Once the OpenVPN client connection is made, I request a port allocation from the PIA port forwarding server.

2. With that port in hand, and knowing the public IP on the VPN, the ***script*** automatically creates a port forward on the OpenVPN client's network interface (e.g., tun11, if you're using client #1). It then publishes the public IP and port to the GUI's webserver at:

http://<router-ip>/user/pia/ext_port_forward.html

So the script does all the heavy lifting for you. All you have to do is get it installed and wait for that page to appear in the GUI.
 
P.S. By default, the script port forwards to the router's LAN ip and port 80, so make sure you have a strong password on the GUI!!!

Just quickly verify it works by seeing if you can access the GUI over the port forward, then shut the VPN down and work on changing the port forward to whatever you want.
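
An added example (not part of the original posts or of the pastebin script): a shell check that lists DNAT port forwards on VPN tunnel interfaces and flags any that point at the router's own LAN IP, the default the post above warns about. The PREROUTING/DNAT rule layout, the sample `iptables-save` text and the addresses are constructed assumptions.

```shell
#!/bin/sh
# Audit NAT rules for port forwards that arrive over a VPN tunnel (tunN)
# and report which of them expose the router itself.
# Assumption: forwards are DNAT rules in PREROUTING, as printed by
# `iptables-save -t nat`; the thread's script may lay them out differently.

# find_vpn_forwards ROUTER_LAN_IP   (reads iptables-save output on stdin)
# Prints: <iface> <proto> <ext_port> -> <dest>[ ROUTER-EXPOSED]
find_vpn_forwards() {
    awk -v rip="$1" '
    $1 == "-A" && $2 == "PREROUTING" {
        iface = ""; proto = ""; dport = ""; dest = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-i") iface = $(i + 1)
            else if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
            else if ($i == "--to-destination") dest = $(i + 1)
        }
        # Only DNAT rules bound to an OpenVPN tunnel interface matter here.
        if (iface !~ /^tun[0-9]+$/ || dest == "") next
        split(dest, d, ":")
        # A destination equal to the router LAN IP exposes a router service
        # (for example the GUI on port 80) to the VPN-side public IP.
        flag = (d[1] == rip) ? " ROUTER-EXPOSED" : ""
        printf "%s %s %s -> %s%s\n", iface, proto, dport, dest, flag
    }'
}

# Constructed sample input (not captured from a real router).
sample_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i tun11 -p tcp -m tcp --dport 23451 -j DNAT --to-destination 192.168.1.1:80
-A PREROUTING -i tun11 -p tcp -m tcp --dport 51413 -j DNAT --to-destination 192.168.1.50:51413
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.10:443
COMMIT
EOF
}

# Demo on the constructed sample; on the router itself, pipe in
# `iptables-save -t nat` and pass the router's LAN IP instead.
sample_rules | find_vpn_forwards 192.168.1.1
```

A line tagged `ROUTER-EXPOSED` means the forwarded port lands on the router's own address, so the GUI password is the only thing between the VPN's public IP and the admin interface.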
 
I've been playing with the script and it appears to be up and running, going to
http://<router-ip>/user/pia/ext_port_forward.html
presents me with a page that lists an ip : port as the external port forward (the ip is the ip of my vpn connection). But when I try and access that ip : port (from a connection outside of the vpn) it can't be reached.

I've left it as the default options so it should be presenting my router page. Is there something else I should be checking that would be refusing the connection/blocking it?
 

Did you ever resolve this? It always gives me port 23451, so I'm starting to suspect that there's been an API change that is breaking the script and giving the wrong forwarded port.
 
