pantz.org banner
OpenVPN with Private Internet Access and port forwarding
Posted on 11-11-2017 03:50:03 UTC | Updated on 11-11-2017 04:20:29 UTC
Section: /software/openvpn/ | Permanent Link

Intro

This post will show my setup using PIA (Private Internet Access) with OpenVPN on a Linux machine. Specifically, where only certain applications will utilize the VPN and the rest of the traffic will go out the normal ISP's default route. It will also show how to access the PIA API via a shell script, to open a forwarding port for inbound traffic. Lastly, I will show how to take all of the OpenVPN and PIA information and feed it to programs like aria2c or curl. The examples below were done on Ubuntu 16.04.

Packages and PIA Setup

Go signup for a PIA account.

# Install the packages you need, example uses apt-get
sudo apt-get install openvpn curl unzip

# make dir for PIA files and scripts
sudo mkdir -p /etc/openvpn/pia
cd /usr/local/etc/openvpn

# grab PIA openvpn files and unzip
url='https://www.privateinternetaccess.com/openvpn/openvpn.zip'
sudo curl -o openvpn.zip $url && sudo unzip openvpn.zip

OpenVPN password file

Now that we have PIA login info lets make password file so we don't have to put in a password every time we start OpenVPN. We just need to make a file with the PIA username on one line and the PIA password on the second line. So just use you favorite text editor and do this. The file should be called "pass" and put in the "/etc/openvpn/pia" directory. The scripts that are used later depend on this file being called "pass" and put in this specific directory. An example of what the file looks like is below.

piausername
piapassword123

Change permission on this file so only root can read it

sudo chmod 600 /etc/openvpn/pia/pass

OpenVPN config file

This is the OpenVPN config file that works with PIA, and that also utilizes the scripts that will be talked about further down in the page. Use your favorite editor and copy and paste this text to a file called "pia.conf" and put in the "/etc/openvpn/pia" directory.

# PIA OpenVPN client config file 
client
dev tun

# make sure the correct protocol is used
proto udp

# use the vpn server of your choice
# only use one server at a time
# the ip addresses can change, so use dns names not ip's
# find more server names in .ovpn files
# only certain gateways support port forwarding
#remote us-east.privateinternetaccess.com 1198
#remote us-newyorkcity.privateinternetaccess.com 1198
#remote aus.privateinternetaccess.com 1198
#remote us-west.privateinternetaccess.com 1198
remote ca-toronto.privateinternetaccess.com 1198

resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1

# ca.crt and pem files from openvpn.zip downloaded from pia
ca /etc/openvpn/pia/ca.rsa.2048.crt
crl-verify /etc/openvpn/pia/crl.rsa.2048.pem

tls-client
remote-cert-tls server

# path to password file so you don't have to input pass on startup
# file format is username on one line password on second line
# make it only readable by root with: chmod 600 pass
auth-user-pass /etc/openvpn/pia/pass

# this suppresses the caching of the password and user name
auth-nocache

comp-lzo
verb 1
reneg-sec 0
disable-occ

# allows the ability to run user-defined script
script-security 2

# Don't add or remove routes automatically, pass env vars to route-up
route-noexec

# run our script to make routes
route-up "/etc/openvpn/pia/openvpn-route.sh up"

OpenVPN route script

This is the script that the OpenVPN client will run at the end of startup. The magic happens in this script. Without this script OpenVPN will start the client and make the default route for the box the vpn connection. If you want that then go into the pia.conf file and comment out the "script-security 2", "route-noexec", and "route up ..." lines, and just fire up the client "sudo openvpn --config /etc/openvpn/pia/pia.conf" and your done.

If you don't want the vpn to take over your default route then let's keep going. Now that you have left those lines in the pia.conf file, the following script will be run when the client starts, and it will set up a route that does not take over the default gateway, but just adds secondary vpn gateway for programs to use. Open your favorite text editor and copy in the script below into the file "/etc/openvpn/pia/openvpn-route.sh".

#!/bin/sh
# script used by OpenVPN to setup a route on Linux.
# used in conjunction with OpenVPN config file options
# script-security 2, route-noexec, route-up 
# script also requires route table rt2
# sudo bash -c 'echo "1 rt2" >> /etc/iproute2/rt_tables

# openvpn variables passed in via env vars
rtname="rt2"
ovpnpia="/etc/openvpn/pia"
int=$dev
iplocal=$ifconfig_local
ipremote=$ifconfig_remote
gw=$route_vpn_gateway

if [ -z $int ] || [ -z $iplocal ] || [ -z $ipremote ] || [ -z $gw ]; then
  echo "No env vars found. Use this script with an OpenVPN config file "
  exit 1
fi

help() {
  echo "For setting OpenVPN routes on Linux."
  echo "Usage: $0 up or down"
}

down() {
  # delete vpn route if found
  ip route flush table $rtname
  if [ $? -eq 0 ]; then
    echo "Successfully flushed route table $rtname"
  else
    echo "Failed to flush route table $rtname"
  fi    
}

up() {
  # using OpenVPN env vars that get set when it starts, see man page
  echo "Tunnel on interface $int. File /tmp/vpnint"
  echo $int > /tmp/vpnint
  echo "Local IP is         $iplocal. File /tmp/vpnip"
  echo $iplocal > /tmp/vpnip
  echo "Remote IP is        $ipremote"
  echo "Gateway is          $gw"

  down # remove any old routes

  ip route add default via $gw dev $int table $rtname
  if [ $? -eq 0 ]; then
    echo "Successfully added default route $gw"
  else
    echo "Failed to add default route for gateway $gw"
  fi
  ip rule add from $iplocal/32 table $rtname
  if [ $? -eq 0 ]; then
    echo "Successfully added local interface 'from' rule for $iplocal"
  else
    echo "Failed to add local interface 'from' rule for $iplocal"
  fi
  ip rule add to $gw/32 table $rtname
  if [ $? -eq 0 ]; then
    echo "Successfully added local interface 'to' rule for $gw"
  else
    echo "Failed to add local interface 'to' rule for $gw"
  fi

  # PIA port forwarding, only works with certain gateways
  # No US locations, closest US is Toronto and Montreal
  # no network traffic works during exec of this script
  # things like curl hang if not backgrounded
  $ovpnpia/pia_port_fw.sh &
}

case $1 in
  "up") up;;
  "down") down;;
  *) help;;
esac

# always flush route cache 
ip route flush cache

Now run some final commands to get the script ready to work

# make the new script executable
sudo chmod 755 /etc/openvpn/pia/openvpn-route.sh

# make a new route table rt2 in linux for the script to use
# this only has to be run once before you connect the first time
sudo bash -c 'echo "1 rt2" >> /etc/iproute2/rt_tables'

PIA port forward script

The following script is run by the openvpn-route.sh script. It will contact a PIA server and tell it to open a port for incoming traffic on your vpn connection. This is so people on the internet can contact your machine through the vpn connection. Just a important note that currently only a certain list of PIA gateways support port forwarding. See the PIA support article on this for more info. Now, open your favorite text editor and copy in the script below into the file "/etc/openvpn/pia/pia_port_fw.sh".

#!/bin/bash
# Get forward port info from PIA server

client_id=$(head -n 100 /dev/urandom | sha256sum | tr -d " -")
url="http://209.222.18.222:2000/?client_id=$client_id"

echo "Making port forward request..."

curl --interface $(cat /tmp/vpnint) $url 2>/dev/null > /tmp/vpnportfwhttp

if [ $? -eq 0 ]; then
  port_fw=$(grep -o '[0-9]\+' /tmp/vpnportfwhttp)
  [ -f /tmp/vpnportfw ] && rm /tmp/vpnportfw
  echo $port_fw > /tmp/vpnportfw
  echo "Forwarded port is $port_fw"
  echo "Forwarded port is in file /tmp/vpnportfw"
else
  echo "Curl failed to get forwarded PIA port in some way"
fi
# make the new script executable
sudo chmod 755 /etc/openvpn/pia/pia_port_fw.sh

Starting OpenVPN

Finally we can start OpenVPN to connect with PIA. To do this run the the following command. It will keep the connection in the foreground so you can watch the output.

sudo openvpn --config /etc/openvpn/pia/pia.conf

During startup the OpenVPN client and both of the scripts we made will report on the screen data about the connection and if there were any errors. The output will look like the following example.

Fri Nov 10 19:40:50 2017 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
Fri Nov 10 19:40:50 2017 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Fri Nov 10 19:40:50 2017 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Nov 10 19:40:50 2017 UDPv4 link local: [undef]
Fri Nov 10 19:40:50 2017 UDPv4 link remote: [AF_INET]172.98.67.111:1198
Fri Nov 10 19:40:50 2017 [dbacd7b38d135021a698ed95e8fec612] Peer Connection Initiated with [AF_INET]172.98.67.111:1198
Fri Nov 10 19:40:53 2017 TUN/TAP device tun0 opened
Fri Nov 10 19:40:53 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Nov 10 19:40:53 2017 /sbin/ip link set dev tun0 up mtu 1500
Fri Nov 10 19:40:53 2017 /sbin/ip addr add dev tun0 local 10.24.10.10 peer 10.24.10.9
Tunnel on interface tun0. File /tmp/vpnint
Local IP is         10.24.10.10. File /tmp/vpnip
Remote IP is        10.24.10.9
Gateway is          10.24.10.9
Successfully flushed route table rt2
Successfully added default route 10.24.10.9
Successfully added local interface 'from' rule for 10.24.10.10
Successfully added local interface 'to' rule for 10.24.10.9
Fri Nov 10 19:40:53 2017 Initialization Sequence Completed
Making port forward request...
Forwarded port is 40074
Forwarded port is in file /tmp/vpnportfw

Using the vpn connection

When the vpn started it dropped some files in /tmp. These files have the ip and port info we need to give to different programs when the startup. The scripts created the following files.

Now you can use this info when you start certain programs. Here are some examples.

# get vpn incomming port
pt=$(cat /tmp/vpnportfw)

# get vpn ip
ip=$(cat /tmp/vpnip)

# get vpn interface
int=$(cat /tmp/vpnint)

# wget a file via vpn
wget --bind-address=$ip https://ipchicken.com

# curl a file via vpn
curl --interface $int https://ipchicken.com

# ssh to server via vpn
ssh -b $ip 

# rtorrent 
/usr/bin/rtorrent -b $ip -p $pt-$pt -d /tmp

# start aria2c and background. use aria2 WebUI to connect download files
aria2c --interface=$ip --listen-port=$pt --dht-listen-port=$pt > /dev/null 2>&1 &

Final notes and warnings

If you start any programs and don't specifically bind them to the vpn interface or its ip address their connection will go out the default interface for the machine. Please remember this setup only sends specific traffic through the vpn so things like DNS requests still go through the non-vpn default gateway.

Remember only certain PIA gateways support port forwarding so if it is not working, try another PIA gateway.

PIA has a Linux vpn client that you can download and use if you are into GUI's.

Del.icio.us! | Digg Me! | Reddit!

Related stories


RSS Feed RSS feed logo
About


3com
3ware
alsa
alsactl
alsamixer
amd
android
apache
areca
arm
ati
auditd
awk
badblocks
bash
bind
bios
bonnie
cable
carp
cat5
cdrom
cellphone
centos
chart
chrome
cifs
cisco
cloudera
comcast
commands
comodo
compiz-fusion
corsair
cpufreq
cpufrequtils
cpuspeed
cron
crontab
crossover
cu
cups
cvs
database
dbus
dd
dd_rescue
ddclient
debian
decimal
dhclient
dhcp
diagnostic
diskexplorer
disks
dkim
dns
dos
dovecot
drac
dsniff
dvdauthor
e-mail
echo
editor
emerald
ethernet
expect
ext3
ext4
fat32
fedora
fetchmail
fiber
filesystems
firefox
firewall
flac
flexlm
floppy
flowtools
fonts
format
freebsd
ftp
gdm
gmail
gnome
greasemonkey
greylisting
growisofs
grub
hacking
hadoop
harddrive
hba
hex
hfsc
html
html5
http
https
idl
ie
ilo
intel
ios
iperf
ipmi
iptables
ipv6
irix
javascript
kde
kernel
kickstart
kmail
kprinter
krecord
kubuntu
kvm
lame
ldap
linux
logfile
lp
lpq
lpr
maradns
matlab
memory
mencoder
mhdd
mkinitrd
mkisofs
moinmoin
motherboard
mouse
movemail
mplayer
multitail
mutt
myodbc
mysql
mythtv
nagios
nameserver
netflix
netflow
nginx
nic
ntfs
ntp
nvidia
odbc
openbsd
openntpd
openoffice
openssh
openssl
openvpn
opteron
parted
partimage
patch
perl
pf
pfflowd
pfsync
photorec
php
pop3
pop3s
ports
postfix
power
procmail
proftpd
proxy
pulseaudio
putty
pxe
python
qemu
r-studio
raid
recovery
redhat
router
rpc
rsync
ruby
saltstack
samba
schedule
screen
scsi
seagate
seatools
sed
sendmail
sgi
shell
siw
smtp
snort
solaris
soundcard
sox
spam
spamd
spf
sql
sqlite
squid
srs
ssh
ssh.com
ssl
su
subnet
subversion
sudo
sun
supermicro
switches
symbols
syslinux
syslog
systemrescuecd
t1
tcpip
tcpwrappers
telnet
terminal
testdisk
tftp
thttpd
thunderbird
timezone
ting
tls
tools
tr
trac
tuning
tunnel
ubuntu
unbound
vi
vpn
wget
wiki
windows
windowsxp
wireless
wpa_supplicant
x
xauth
xfree86
xfs
xinearama
xmms
youtube
zdump
zeromq
zic
zlib