
Need help with openvpn-event script

Discussion in 'Asuswrt-Merlin' started by Psykotik, Jan 17, 2020.

  1. Psykotik

    Psykotik New Around Here

    Joined:
    Jan 17, 2020
    Messages:
    3
    I am having trouble getting a port forwarding script I am working on to run correctly. I have saved it as openvpn-event, done the chmod shown in the wiki to make it executable and enabled JFFS in the UI. System log does show the script being called when the VPN client connects.

    Code:
    Jan 17 15:36:46 custom_script: Running /jffs/scripts/openvpn-event (args: tun11 1500 1557 10.42.11.6 10.42.11.5)
    Jan 17 15:36:46 user: setting path
    Jan 17 15:36:46 user: Setting oldport
    Jan 17 15:37:01 user: Got PIA Port 27068

    Shown above, I have inserted some logger commands to make sure it is going through the commands.

    When I run it from SSH using ./jffs/scripts/openvpn-event it works perfectly as expected. Gets a new port and sets the iptables rules. I have tried using a sleep 60 but that didn't change anything.

    Script is as follows:

    Code:
    #!/bin/sh
    logger "setting path"
    PATH=${PATH}:/jffs/bin
    
    logger "Setting oldport"
    # Get old port and store value
    oldport=$(grep -o '[0-9]*' /jffs/scripts/oldpiaport)
    echo "oldport is $oldport"
    
    port_forward_assignment()
    {
      echo 'Loading port forward assignment information...'
      # Random client_id for the PIA API request (POSIX "=" instead of bash-only "==")
      if [ "$(uname)" = "Linux" ]; then
        client_id=$(head -n 100 /dev/urandom | sha256sum | tr -d " -")
      fi
      if [ "$(uname)" = "Darwin" ]; then
        client_id=$(head -n 100 /dev/urandom | shasum -a 256 | tr -d " -")
      fi
    
      json=$(curl "http://209.222.18.222:2000/?client_id=$client_id" 2>/dev/null)
      # Fall back to the previous port if the API returned nothing
      if [ "$json" = "" ]; then
        json=$oldport
      fi
    
      logger "Got PIA Port $json"
    
      # Delete old rules if they exist
      iptables -D INPUT -i tun11 -p tcp --dport "$oldport" -j ACCEPT
      iptables -D INPUT -i tun11 -p udp --dport "$oldport" -j ACCEPT
      iptables -t nat -D PREROUTING -p tcp --dport "$oldport" -j DNAT --to-destination 192.168.0.20:45885
      iptables -t nat -D PREROUTING -p udp --dport "$oldport" -j DNAT --to-destination 192.168.0.20:45885
    
      # Write new port value and convert
      echo "$json" > /jffs/scripts/oldpiaport
      piaport=$(grep -o '[0-9]*' /jffs/scripts/oldpiaport)
      echo "piaport is $piaport"
    
      # Create new rules for forward
      iptables -I INPUT -i tun11 -p tcp --dport "$piaport" -j ACCEPT
      iptables -I INPUT -i tun11 -p udp --dport "$piaport" -j ACCEPT
      iptables -t nat -I PREROUTING -p tcp --dport "$piaport" -j DNAT --to-destination 192.168.0.20:45885
      iptables -t nat -I PREROUTING -p udp --dport "$piaport" -j DNAT --to-destination 192.168.0.20:45885
    }
    
    port_forward_assignment
    
    exit 0
    
    
    The PATH command is there as I used the following post so I could use the shasum command:

    https://www.snbforums.com/threads/cryptographic-hash-script.59988/#post-524178

    Can anyone assist with figuring out why this works manually but not when run automatically when the VPN client up/down event occurs?
     
  2. Psykotik

    Psykotik New Around Here

    Joined:
    Jan 17, 2020
    Messages:
    3
    So... I figured out why it didn't work. The curl command would never return a proper value because:
    1) The PIA port forwarding API requires that the request go through the VPN tunnel
    2) The openvpn client won't allow traffic through the tunnel until fully connected
    3) The openvpn client won't complete the connection until any scripts that were called during the connection process complete.

    So after many many hours of googling and furiously trying to think outside the box, I found a very simple solution.

    I changed the openvpn-event script to simply be :

    Code:
    #!/bin/sh
    
    exec /jffs/scripts/port_forwarding.sh &
    
    and put my script above in port_forwarding.sh while adding a sleep 30. The & causes openvpn-event to exit after calling port_forwarding.sh, allowing the openvpn client to complete the initialization. Then 30 seconds later it sets up the port forward and firewall rules. So far it is working like a charm.

    I will write up a full walkthrough at some point as I have seen many people wanting to set up PIA automatic port forwarding on Merlin. But now to go have a beer in celebration :)
     
    Last edited: Jan 17, 2020
    L&LD likes this.
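An added example of the detached port_forwarding.sh the second post describes (not the poster's own script): it keeps the sleep-then-request flow, but checks that the API reply is a plausible port number before anything is handed to iptables, and binds the DNAT rule to the tunnel interface. It assumes the same API URL, state file and LAN target as the thread, and that the tunnel interface name is passed as the first argument (openvpn-event receives it as its own first argument, so "exec /jffs/scripts/port_forwarding.sh "$1" &" forwards it).

```shell
#!/bin/sh
# Added example, not the poster's script: the detached port_forwarding.sh that
# openvpn-event starts with "exec /jffs/scripts/port_forwarding.sh tun11 &".
# Assumes the thread's API URL, state file and LAN target; $1 is the tunnel
# interface openvpn-event itself receives as its first argument.
API_URL="http://209.222.18.222:2000"
STATE="/jffs/scripts/oldpiaport"
TARGET="192.168.0.20:45885"
IFACE="${1:-tun11}"
# 0 only for a decimal port in 1024..65535; anything else must never reach iptables
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# First run of up to five digits: handles a bare "27068" (as in the poster's log)
# as well as a JSON reply such as {"port":27068}
extract_port() {
    printf '%s' "$1" | grep -o '[0-9]\{1,5\}' | head -n 1
}

# Print the iptables commands for action $1 (-I add, -D delete) and port $2.
# Unlike the thread's rules, the DNAT is bound to $IFACE so a packet arriving on
# the WAN for the same port is not forwarded to the LAN host.
rules_for() {
    for proto in tcp udp; do
        echo "iptables $1 INPUT -i $IFACE -p $proto --dport $2 -j ACCEPT"
        echo "iptables -t nat $1 PREROUTING -i $IFACE -p $proto --dport $2 -j DNAT --to-destination $TARGET"
    done
}

apply_rules() {
    rules_for "$1" "$2" | while read -r cmd; do $cmd; done
}

main() {
    sleep 30                                 # let the OpenVPN client finish first
    oldport=$(cat "$STATE" 2>/dev/null)
    client_id=$(head -c 32 /dev/urandom | sha256sum | tr -d ' -')
    reply=$(curl -s --interface "$IFACE" --max-time 15 "$API_URL/?client_id=$client_id")
    newport=$(extract_port "$reply")
    if ! valid_port "$newport"; then
        logger "PIA port reply invalid: '$reply'; leaving rules for $oldport in place"
        exit 1
    fi
    valid_port "$oldport" && apply_rules -D "$oldport" 2>/dev/null
    apply_rules -I "$newport" && echo "$newport" > "$STATE"
    logger "PIA port $newport forwarded on $IFACE to $TARGET"
}
case "$0" in */port_forwarding.sh) main ;; esac
```

Rejecting a non-numeric reply matters here because an empty or malformed response would otherwise turn into iptables rules with a blank or garbage --dport.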