
Need help with openvpn-event script


Psykotik

I am having trouble getting a port forwarding script I am working on to run correctly. I have saved it as openvpn-event, done the chmod shown in the wiki to make it executable, and enabled JFFS in the UI. The system log does show the script being called when the VPN client connects.

Code:
Jan 17 15:36:46 custom_script: Running /jffs/scripts/openvpn-event (args: tun11 1500 1557 10.42.11.6 10.42.11.5)
Jan 17 15:36:46 user: setting path
Jan 17 15:36:46 user: Setting oldport
Jan 17 15:37:01 user: Got PIA Port 27068

As shown above, I have inserted some logger commands to make sure it is going through the commands.

When I run it from SSH using ./jffs/scripts/openvpn-event it works perfectly as expected. Gets a new port and sets the iptables rules. I have tried using a sleep 60 but that didn't change anything.

The script is as follows:

Code:
#!/bin/sh
logger "setting path"
PATH=${PATH}:/jffs/bin

logger "Setting oldport"
# Get old port and store value
oldport=$(grep -o '[0-9]*' /jffs/scripts/oldpiaport)
echo "oldport is $oldport"

port_forward_assignment()
{
  echo 'Loading port forward assignment information...'
  # Build a random client ID with the hash tool available on this platform
  if [ "$(uname)" = "Linux" ]; then
    client_id=$(head -n 100 /dev/urandom | sha256sum | tr -d " -")
  fi
  if [ "$(uname)" = "Darwin" ]; then
    client_id=$(head -n 100 /dev/urandom | shasum -a 256 | tr -d " -")
  fi

  # Ask the PIA API for a port; fall back to the stored port on an empty reply
  json=$(curl "http://209.222.18.222:2000/?client_id=$client_id" 2>/dev/null)
  if [ "$json" = "" ]; then
    json=$oldport
  fi

  logger "Got PIA Port $json"

  # Delete old rules if they exist
  iptables -D INPUT -i tun11 -p tcp --dport "$oldport" -j ACCEPT
  iptables -D INPUT -i tun11 -p udp --dport "$oldport" -j ACCEPT
  iptables -t nat -D PREROUTING -p tcp --dport "$oldport" -j DNAT --to-destination 192.168.0.20:45885
  iptables -t nat -D PREROUTING -p udp --dport "$oldport" -j DNAT --to-destination 192.168.0.20:45885

  # Write new port value and convert
  echo "$json" > /jffs/scripts/oldpiaport
  piaport=$(grep -o '[0-9]*' /jffs/scripts/oldpiaport)
  echo "piaport is $piaport"

  # Create new rules for forward
  iptables -I INPUT -i tun11 -p tcp --dport "$piaport" -j ACCEPT
  iptables -I INPUT -i tun11 -p udp --dport "$piaport" -j ACCEPT
  iptables -t nat -I PREROUTING -p tcp --dport "$piaport" -j DNAT --to-destination 192.168.0.20:45885
  iptables -t nat -I PREROUTING -p udp --dport "$piaport" -j DNAT --to-destination 192.168.0.20:45885
}

port_forward_assignment

exit 0

The PATH command is there as I used the following post so I could use the shasum command:

https://www.snbforums.com/threads/cryptographic-hash-script.59988/#post-524178

Can anyone assist with figuring out why this works manually but not when run automatically when the VPN client up/down event occurs?
 
So... I figured out why it didn't work. The curl command would never return a proper value because:
1) The PIA port forwarding API requires that the request go through the VPN tunnel.
2) The OpenVPN client won't allow traffic through the tunnel until fully connected.
3) The OpenVPN client won't complete the connection until any scripts that were called during the connection process complete.

So after many, many hours of googling and furiously trying to think outside the box, I found a very simple solution.

I changed the openvpn-event script to simply be:

Code:
#!/bin/sh

exec /jffs/scripts/port_forwarding.sh &

and put my script above in port_forwarding.sh while adding a sleep 30. The & causes openvpn-event to exit after calling port_forwarding.sh, allowing the openvpn client to complete the initialization. Then 30 seconds later it sets up the port forward and firewall rules. So far it is working like a charm.

I will write up a full walkthrough at some point as I have seen many people wanting to set up PIA automatic port forwarding on Merlin. But now to go have a beer in celebration :)
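
The fix described above, taken one step further as an added example (not the poster's script; function names are hypothetical): instead of a fixed `sleep 30`, it retries until the API answers through the tunnel, and it checks that the reply is a single port number in range before that value reaches `iptables`, since the reply arrives over plain HTTP. It assumes a good reply contains the port as its only number, for example `{"port":27068}`.

```shell
#!/bin/sh
# Added example, not the poster's script; function names are hypothetical.
# Assumption: a good reply holds the port as its only number, e.g. {"port":27068}.
API_URL="http://209.222.18.222:2000"      # endpoint from the post above
DEST="192.168.0.20:45885"                 # forward target from the post above

# Print the port only if $1 holds exactly one number in 1-65535.
parse_port() {
    nums=$(printf '%s' "$1" | grep -o '[0-9][0-9]*') || return 1
    case "$nums" in
        0* | *[!0-9]* | ??????*) return 1 ;;   # leading 0, >1 number, or too long
    esac
    [ "$nums" -le 65535 ] && printf '%s\n' "$nums"
}

# Query the API; this only succeeds once traffic can cross the tunnel.
fetch_reply() {
    client_id=$(head -n 100 /dev/urandom | sha256sum | tr -d ' -')
    curl -s --max-time 10 "$API_URL/?client_id=$client_id"
}

# Poll for a valid port instead of one fixed sleep. $1 = attempts, $2 = delay (s).
get_port() {
    tries=$1
    while [ "$tries" -gt 0 ]; do
        if port=$(parse_port "$(fetch_reply)"); then
            printf '%s\n' "$port"; return 0
        fi
        tries=$((tries - 1))
        [ "$tries" -eq 0 ] || sleep "$2"
    done
    return 1
}

# Apply action $1 (-I or -D) for port $2, for both protocols.
rules() {
    for proto in tcp udp; do
        iptables "$1" INPUT -i tun11 -p "$proto" --dport "$2" -j ACCEPT
        iptables -t nat "$1" PREROUTING -p "$proto" --dport "$2" -j DNAT --to-destination "$DEST"
    done
}

main() {
    old=$(parse_port "$(cat /jffs/scripts/oldpiaport 2>/dev/null)") || old=""
    new=$(get_port 12 5) || { logger "PIA: no valid port, rules unchanged"; return 1; }
    [ -z "$old" ] || rules -D "$old"
    rules -I "$new"
    echo "$new" > /jffs/scripts/oldpiaport
}
if [ "${1:-}" = "--apply" ]; then main; fi   # openvpn-event runs this with --apply &
```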
 