Port forwarding request during "up" script

[lumps]

My VPN provider requires an HTTP call to retrieve a port for port forwarding. This request needs to be done during the first 2 minutes after connecting. I am running a clear linux server and have been attempting to add this to the up.sh script (via my openvpn.conf file).

The script itself seems to work correctly if I call it manually after starting the openvpn service. but when the script runs as the UP script, the HTTP call seems to happen before the vpn connection is established. I have confirmed this by adding a call to ifconfig.co/city and always see my city and not my VPN's city.

I have attempted to use ipchange and up with the same results. when I try route-up, it seems to never actually connect to VPN.

is there an event I can use that triggers after the VPN is really connected? Am I using this incorrectly?

Thanks!
David

[TinCanTech]

As a security measure, openvpn will not pass data over the VPN during script execution.
I don't know for sure but this may also effect "outside" connections ...

Use tcpdump or something to find out if your script sends data when run by openvpn.

[lumps]

Thanks you for your help!

Here is the code. this started as code from PIA's forum that I modified to update my qbittorent config. The Curl statement was added to check to see if I was connected to VPN when this script runs. so far I have not received anything other than my home city in response.

Maybe that's why it works "runs" during UP and IPCHANGE but hangs during route-up?

Code: Select all

#!/usr/bin/env bash
#
# Enable port forwarding when using Private Internet Access
#
# Usage:
#  ./port_forwarding.sh

# set -x

port_forward_assignment( )
{
        client_id=`head -n 100 /dev/urandom | sha256sum | tr -d " -"`

        port=`curl -s "http://209.222.18.222:2000/?client_id=$client_id" | jq -r '.port' 2>/dev/null`
	curl -s "http://ifconfig.co/city" > /etc/openvpn/client/nope

        if [ "$port" == "" ]; then
                port='Port forwarding is already activated on this connection, has expired, or you are not connected to a PIA region that supports port forwarding'
        else
                sed -i "s/\(PortRangeMin *= *\).*/\1$port/" /home/user/.config/qBittorrent/qBittorrent.conf
        fi
}


port_forward_assignment
systemctl start qbittorrent-nox@user

[TinCanTech]

I don't support 3rd party scripts for free.

But for a fee I'll take a look ..

[lumps]

HA! i get your point. let me change my question a little to remove reference to other's

up.sh:

Code: Select all

#!/usr/bin/env bash

curl -s "http://ifconfig.co/city" > /etc/openvpn/client/nope

Is there a way to make this script run within 2 minutes of openVPN actually connecting? right now in UP its running before the vpn connection is really active. or can you think of a different mechanism then during openvpn's events?

thanks!

[TinCanTech]

As ever, try the documentation first .........

https://community.openvpn.net/openvpn/w ... nPage#lbAT

[lumps]

thank you for the link. I had previously reviewed this and tried all of them until they start being part of the shut down process:

UP, tls-verify and ipchange give me the wrong city (ie before I am actually routing through vpn). I thought route-up looked most promising but when I use this, VPN won't connect and the server can no longer access the network (tested via ping and curl). maybe this is the security constraints you previously referenced? not sure

[TinCanTech]

My VPN provider requires an HTTP call to retrieve a port for port forwarding. This request needs to be done during the first 2 minutes after connecting.

You need to report this issue to the provider.

[lumps]

This behavior is by design. IS there a way to call a script after the VPN connection is fully established?

[TinCanTech]

This behavior is by design.

Not designed by OpenVPN, which is why I suggest you report it to the admins who expect it.

IS there a way to call a script after the VPN connection is fully established?

Yes, manually, which is obviously what the admins above expect.

[plasticassius]

Take a look at my script at viewtopic.php?f=15&t=30114#p91647 . Specifically, I set a "flag" in route-up:

Code: Select all

echo '#up' >>$serv_start

which I then test for in the separate start process. This avoids sending traffic through the tunnel during the call back, and it makes the other process wait until the tunnel is up.

[davi1td]

Hi, here's my 2 cents ...
You must use --route-up, not --up or whatever else.
So in your config use:

Code: Select all

--route-up "/usr/local/whatever/somescript.sh"

in "/usr/local/whatever/somescript.sh" :

Code: Select all

#!/bin/sh
#You won't ever get access from here, give up and spawn a background process for that ...
/usr/local/whatever/ovpn-up.sh &
exit 0

in "/usr/local/whatever/ovpn-up.sh" you have 2 options, sleep 15 or more, or ping till ya get out! like below:

Code: Select all

#!/bin/sh
#So here we are in a loop waiting for 2 things, ovpnc3(or whatever interface) to have an IP, and succesful ping out to the inet!
#sleep 15 or .... :

VPNIP=`ifconfig ovpnc3 |awk '$1 == "inet" { print $2 }'`
while ! ping -S "$VPNIP" -c 1 8.8.8.8; do
    #echo "Waiting for VPNIP : "$VPNIP" - network interface might be down..."
    sleep 2
	VPNIP=`ifconfig ovpnc3 |awk '$1 == "inet" { print $2 }'`
done
#any code after here should work

exit 0

Good luck !
-TD