PIA with port forwarding and auto firewall rules

This is a work in progress – OPNsense doesn't provide CLI access, or I haven't found the way to do it. Perhaps by calling those PHP files from bash and passing arguments to them?

Original pfSense script.
Help to configure OpenVPN on pfSense, for reference.

This is my work log for configuring OPNsense with PIA and enabling port forwarding.

Requirements:
SSH access to OPNsense

Install packages:

pkg install xmlstarlet bash curl

"There is one other requirement, which is that you must have already configured a port forward that points at your internal target system. You do this under Firewall -> NAT -> Port forward." From Bagpuss

Current script:

#!/usr/local/bin/bash
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin"

# The VPN interface (e.g. ovpnc1) must be passed as the first argument
if [ "$1" == "" ]; then
    logger -i -t openvpn "PIA : No interface specified, aborting."
    exit 0
else
    logger -i -t openvpn "PIA : Interface UP for openvpn device $1"
fi
VPN_IF="$1"

###############################################################################
# Get port forwarding from PIA
###############################################################################
# Gateway of the tunnel, used to route the request to the PIA API through the VPN
PIA_GW=$(ifconfig "$VPN_IF" | grep "inet " | awk '{print $4}')

route add -host 209.222.18.222 "$PIA_GW"
logger -i -t openvpn "PIA : Route to 209.222.18.222 set to $PIA_GW"

# Random client id required by the PIA port forwarding API
client_id=$(head -n 100 /dev/urandom | sha256 | tr -d " -")
json=$(curl "http://209.222.18.222:2000/?client_id=$client_id" 2>/dev/null)

# The API has been queried, the temporary route is no longer needed
logger -i -t openvpn "PIA : Route to 209.222.18.222 will be removed."
route del -host 209.222.18.222 "$PIA_GW"
logger -i -t openvpn "PIA : Route to 209.222.18.222 removed."

if [ "$json" == "" ]; then
    logger -i -t openvpn "PIA : Port forwarding couldn't be initialised."
    exit 0
fi

PORTNUM=$(echo "$json" | grep -oE '[0-9]+')
len=${#PORTNUM}
# Check if length is ok (a port number has at most 5 digits)
if [ "$len" -gt 5 ]; then
    logger -i -t openvpn "PIA : Got invalid port from PIA $PORTNUM"
    exit 0
else
    logger -i -t openvpn "PIA : Port forwarding is set to $PORTNUM"
fi

# Put this on a webpage to update destination host if needed.
# Note: this file lives in the web GUI document root, so it is readable by anyone who can reach the GUI.
echo "$PORTNUM" > "/usr/local/www/pia_${VPN_IF}_forward.txt"

###############################################################################
# Configuring the firewall
###############################################################################
# Must have a NAT rule created before! Go Firewall->NAT->Port Forward
# Description must be "ovpnc1 port forward rule"
# Create a rule for every openvpn client (ovpnc2...)

# Get the port the existing NAT rule currently forwards
CUR_PORTNUM=$(xml sel -t -v '//rule[descr="'"$VPN_IF"' port forward rule"]/destination/port' /conf/config.xml)

# Check if firewall rule was created
if [ "$CUR_PORTNUM" == "" ]; then
    logger -i -t openvpn "PIA : Firewall rule doesn't exist, aborting."
    exit 0
fi

if [ "$CUR_PORTNUM" != "$PORTNUM" ]; then
    # Update
    # TODO - FIXME: no CLI found yet to edit the rule in config.xml
    # Run ssh cmd ?
    logger -i -t openvpn "PIA : Firewall rule needs to be updated to new port $PORTNUM (not implemented yet)"
else
    logger -i -t openvpn "PIA : Firewall rule was already in place."
fi

logger -i -t openvpn "PIA : Finished configuration"
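The script only checks that the API reply contains at most five digits, so an error message that happens to contain a number, or a value such as 0 or 70000, would still be written out and compared against the firewall rule. The function below is an added example, not part of the original script: it extracts the value of the "port" key from the reply and accepts it only when it is a real port number. The reply shape {"port":NNNNN} is assumed from the grep in the script above, and the sample replies are constructed.

```shell
#!/bin/sh
# Added example: parse and validate the port returned by the PIA port-forward API.
# Assumption: the API answers with one-line JSON such as {"port":41123}; on
# failure the reply is empty or carries another key (e.g. "error").

# pia_parse_port REPLY
# Prints the port and returns 0 when REPLY carries a valid port number.
# Prints nothing and returns 1 when REPLY is empty, has no "port" key,
# or the value is outside 1-65535.
pia_parse_port() {
    reply=$1
    [ -n "$reply" ] || return 1
    # Only digits that directly follow the "port" key count, so numbers
    # inside an error text are not mistaken for a port.
    port=$(printf '%s' "$reply" |
        sed -n 's/.*"port"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    [ -n "$port" ] || return 1
    # More than five digits cannot be a port; checked before the numeric compare
    [ "${#port}" -le 5 ] || return 1
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf '%s\n' "$port"
}

# Constructed sample replies, in the form the script would receive from curl.
for reply in '{"port":41123}' \
             '{ "port" : 65535 }' \
             '{"port":0}' \
             '{"port":70000}' \
             '{"error":"port forwarding not available for this region"}' \
             ''; do
    if port=$(pia_parse_port "$reply"); then
        echo "reply '$reply' -> usable port $port"
    else
        echo "reply '$reply' -> rejected, the script would log and exit here"
    fi
done
```

In the script this replaces the grep/length check: call pia_parse_port on $json, log and exit when it returns non-zero, and only then write the port to the web directory and compare it with the NAT rule.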
