qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

Help: Is port forwarding still working on PIA? I have it configured to do so, but it's not returning a port-forward #236

Closed cloud-aware closed 4 years ago

cloud-aware commented 4 years ago

PORT-FORWARDING and PORT_FORWARDING_STATUS_FILE do not seem to be working since latest PIA update?

  1. Is this urgent?

    • [ ] Yes
    • [x] No
  2. What VPN service provider are you using?

    • [x] PIA
    • [ ] Mullvad
    • [ ] Windscribe
    • [ ] Surfshark
    • [ ] Cyberghost
  3. What's the version of the program?

    Running latest as of September 8, 2020 - I did a docker-compose build yesterday

Running version unknown built on an unknown date (commit unknown)
📣 Persistent server IP addresses at /gluetun/servers.json, please BIND MOUNT
🔧 Need help? https://github.com/qdm12/gluetun/issues/new
💻 Email? quentin.mcgaw@gmail.com
☕ Slack? Join from the Slack button on Github
💸 Help me? https://github.com/sponsors/qdm12
2020-09-09T09:32:09.687-0400 INFO OpenVPN version: 2.4.9
2020-09-09T09:32:09.698-0400 INFO Unbound version: 1.10.1
2020-09-09T09:32:09.704-0400 INFO IPtables version: v1.8.4
2020-09-09T09:32:09.746-0400 INFO TinyProxy version: 1.10.0
2020-09-09T09:32:09.750-0400 INFO Settings summary below:
OpenVPN settings:
|--User: [redacted]
|--Password: [redacted]
|--Verbosity level: 1
|--Run as root: no
|--Private Internet Access settings:
   |--Network protocol: udp
   |--Region: ca toronto
   |--Encryption preset: strong
System settings:
|--User ID: 1000
|--Group ID: 1000
|--Timezone: america/new_york
|--IP Status filepath: /tmp/gluetun/ip
DNS over TLS disabled, using plaintext DNS 1.1.1.1
Firewall settings: disabled
TinyProxy settings: disabled
ShadowSocks settings: disabled
Public IP check period: 12h0m0s
Version information: enabled

  1. What are you using to run the container?

    • [ ] Docker run
    • [x] Docker Compose
    • [ ] Kubernetes
    • [ ] Docker stack
    • [ ] Docker swarm
    • [ ] Podman
    • [ ] Other:
  2. Extra information

PIA connects fine, but does not port-forward or create the port-forward status file

Host OS:

Ubuntu 20.04

qdm12 commented 4 years ago

You need to use VPNSP=private internet access old to use older servers, as port forwarding on the new PIA servers is not supported so far. The code simply ignores port forwarding variables you set if you use the default new PIA servers. Sorry for the breaking change 😉

cloud-aware commented 4 years ago

@qdm12 Thank you sir, that worked brilliantly.

willhowlett commented 4 years ago

@qdm12 just to bring to your attention if of use - this user appears to have written a port forwarding script for the new PIA servers. I won't pretend I understand what it's doing https://www.reddit.com/r/PrivateInternetAccess/comments/iqt5aq/screw_you_pia/g4u4e1m/?utm_source=reddit&utm_medium=web2x&context=3

https://gist.github.com/triffid/da48f3c99f1ff334571ae49be80d591b#file-pia-portforward-sh

qdm12 commented 4 years ago

@willhowlett wow thanks a ton. I know what my Saturday morning is going to look like now 😄 👍

qdm12 commented 4 years ago

Sorry it's taking longer than expected. I'm 1/3 done, I'll continue during the week. Thanks for your patience 👍

ZerNico commented 4 years ago

VPNSP=private internet access old is not working for me.

I am using the latest build:

Running version latest built on 2020-08-08T16:28:15Z (commit 78323f0)

ERROR environment variable "VPNSP" value is "private internet access old" and can only be one of: pia, private internet access, mullvad, windscribe, surfshark, cyberghost, vyprvpn, nordvpn, purevpn

If it's too much of a hassle I can definitely wait for the PIA next-gen implementation of port forwarding.

qdm12 commented 4 years ago

@ZerNico you need to repull latest with docker pull qmcgaw/private-internet-access, your version is from 8 August, there is one from yesterday I think 😉 I'll make a v3.3.0 release soon as well to simplify all that versioning.

ZerNico commented 4 years ago

@qdm12 ohhh yea that makes sense, if only I could read... Unraid didn't want to pull the latest image for some reason, thanks a lot :D

ZerNico commented 4 years ago

https://github.com/fm407/PIA-NextGen-PortForwarding/blob/master/pia-nextgen-pf.sh

I found another script with next gen port forwarding, maybe that could be useful for you :)

qdm12 commented 4 years ago

Thanks I was already using that one too actually 😄 Will try to get this done this weekend.

SebastianBoyd commented 4 years ago

Since you are so close to next gen port forwarding this isn't worth your time to debug, but I thought I would mention it in case it is at all helpful. I'm connected to ca toronto on the old network and it can't bind to a port. The following error repeats continuously.

ERROR openvpn: Get "http://209.222.18.222:2000/?client_id=[my client id]": read tcp 10.80.12.6:50746->209.222.18.222:2000: read: connection reset by peer
2020-09-19T19:05:39.184Z INFO openvpn: retrying in 30 seconds

qdm12 commented 4 years ago

@SebastianBoyd I would ideally like to maintain both PIA servers (v3 and v4) so good to know. However, the error you show is most likely just PIA unplugging port forwarding on v3 for some regions, I've seen similar complaints on Reddit.

raph521 commented 4 years ago

Not sure if you need even more references, but PIA has just made a WIP solution available for port forwarding on their next-gen network:

https://www.reddit.com/r/PrivateInternetAccess/comments/itafwx/pias_nextgen_vpn_network_is_a_huge_deal_update_to/g64673l/

https://www.privateinternetaccess.com/helpdesk/kb/articles/next-generation-port-forwarding

qdm12 commented 4 years ago

Thank you all for the links, that's definitely useful. I figured out how it works more or less but have been procrastinating on doing it as it requires not so easy changes to the codebase. But I'll get to it quite soon, especially since they just announced:

For the last few months, both the PIA Legacy and the PIA NextGen VPN networks have been running side by side but that will no longer be the case by the end of October 2020

So it will definitely be done before that 😉

qdm12 commented 4 years ago

Another update, I tried to kill that beast the last - ehm - 4 hours 😄 PIA really pulled something over-complicated this time!

I should have something testable this week, although, because it is so complex (300 code lines vs 20 lines before) and because I'm no longer subscribed with them, I'll probably need some help testing and debugging 😅

Good news is you should more or less have the same port forwarded across container restarts.

What's done (a way to self-motivate too haha):

ZerNico commented 4 years ago

@qdm12 I am ready to test when you need it. Great job so far, keep that motivation up 👍 😄

nviraj commented 4 years ago

@qdm12

Happy to help test as well. Just getting started with this but I can run any changes you suggest on docker compose. Thank you for this great project.

dolhop commented 4 years ago

I can also test....would be nice to have port forwarding again....

qdm12 commented 4 years ago

Hello all!

I just finished up a version that... well.... at least it compiles 😄

You can test it out with VPNSP="private internet access". You can also try with older servers VPNSP="private internet access old" as I had to modify that one too to fit the changes for v4. Although not a priority as they're going out of service in 3 weeks 😕

Note that I had a long day and it's 9PM so expect a high error rate 🤣 But I need the loooooggsss still 👍

Image is:

qmcgaw/private-internet-access:pia-nextgen-portforward

Fabricio20 commented 4 years ago

Hey @qdm12,

Testing here it seems like it can connect to Next-Gen servers fine but didn't attempt to port-forward at all.

Log: https://pastebin.com/L4GyncVY Compose: https://pastebin.com/5qfhSE3v

I tried on Sweden and Switzerland, both of which are listed as Next-Gen on PIA's website.

qdm12 commented 4 years ago

Hello @Fabricio20 Thanks for testing! I just pushed a fix, it was just not reading the parameter when using the new PIA servers 😕 Feel free to try the 'second alpha version' by repulling the image docker pull qmcgaw/private-internet-access:pia-nextgen-portforward.

Also you can follow up on latest commits (code changes) and Docker build status at the pull request page.

Fabricio20 commented 4 years ago

Thanks for the quick update!

Looks like it now attempted to port-forward but received a connection refused.

gateway     | 2020-10-08T01:35:48.368Z  ERROR   port forwarding: Get "http://209.222.18.222:2000/?client_id=936ca<redacted>1e96fb": dial tcp 209.222.18.222:2000: connect: connection refused

This was during boot, right after dns over tls: DNS over TLS is ready, I'm assuming it doesn't try again?

I'm also following the pull-request, sadly I'm not that well-versed in Go 😅

coreshift commented 4 years ago

I'm getting this:

pia    | 2020-10-08T01:43:04.386Z       INFO    ip getter: Public IP address is 66.115.142.81
pia    | 2020-10-08T01:43:16.638Z       ERROR   port forwarding: Get "http://209.222.18.222:2000/?client_id=xx": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

qdm12 commented 4 years ago

Hmm isn't that using the old PIA servers? New ones should use the VPN gateway with port 19999.

sadly I'm not that well-versed in Go

Yes don't worry, even if you're familiar with Go it's quite a bit of asynchronous gymnastics that you might not want to tackle 😄

I'll check tomorrow morning, maybe I'm mixing up v3 and v4 port forwarding somewhere. Thanks for your tests and patience!

coreshift commented 4 years ago

    environment:
      - VPNSP=private internet access

Isn't that right for the new servers?

qdm12 commented 4 years ago

So silly tired me, I flipped around V3 and V4 in my code, it's now fixed; so using the VPNSP=private internet access should give you brand new port forwarding or brand new errors.

Anyway, from your findings, it seems like port forwarding on v3 servers doesn't work anymore 😢 Good to know as well.

coreshift commented 4 years ago

pia    | 2020-10-08T02:05:38.224Z       ERROR   port forwarding: VPN gateway IP address was not found, cannot do anything

You can fix it tomorrow. You need to get some sleep. Thank you for all the hard work.

qdm12 commented 4 years ago

Alright the VPN gateway obtention is fixed 🎉 Onto the next error 😄 Also that's the only error where it doesn't retry, all the other errors will infinitely retry every 10 seconds.

Fabricio20 commented 4 years ago

Awesome 😄

So that issue is fixed by now, however now we have a 401 in loop 🤣

gateway     | 2020-10-08T12:28:18.624Z  ERROR   port forwarding: 401 Unauthorized
gateway     | 2020-10-08T12:28:18.624Z  INFO    port forwarding: Trying again in 10s
gateway     | 2020-10-08T12:28:29.193Z  ERROR   port forwarding: 401 Unauthorized
gateway     | 2020-10-08T12:28:29.193Z  INFO    port forwarding: Trying again in 10s
gateway     | 2020-10-08T12:28:39.768Z  ERROR   port forwarding: 401 Unauthorized
gateway     | 2020-10-08T12:28:39.768Z  INFO    port forwarding: Trying again in 10s
gateway     | 2020-10-08T12:28:50.337Z  ERROR   port forwarding: 401 Unauthorized
gateway     | 2020-10-08T12:28:50.337Z  INFO    port forwarding: Trying again in 10s

coreshift commented 4 years ago

Yup. Same here.

pia    | 2020-10-08T16:47:24.450Z       ERROR   port forwarding: 401 Unauthorized
pia    | 2020-10-08T16:47:24.450Z       INFO    port forwarding: Trying again in 10s
pia    | 2020-10-08T16:47:34.608Z       ERROR   port forwarding: 401 Unauthorized
pia    | 2020-10-08T16:47:34.608Z       INFO    port forwarding: Trying again in 10s

raph521 commented 4 years ago

I did some digging in the closed issues of pia-foss/manual-connections and found this one that had some useful information: https://github.com/pia-foss/manual-connections/issues/7

I tried what was mentioned in one of the comments - using the IP of 10.0.0.1 when the session has already been established, and got back a token from within the container:

/ # curl -ks -u "$USER:$PASSWORD" https://10.0.0.1/authv3/generateToken
{
    "status": "OK",
    "token": "<long-string-of-chars>"
}

I was connected to the CA Toronto region, which I confirmed to support port forwarding on the nextgen network by getting a port via the desktop app.

raph521 commented 4 years ago

Continuing along with what I found in that comment, I was able to get a payload and signature using the next curl command:

/ # export PIA_TOKEN="<long-string-of-chars-from-earlier>"
/ # curl -ks -m 5 -G --data-urlencode "token=${PIA_TOKEN}" "https://$(ip route | head -1 | grep tun | awk '{ print $3 }'):19999/getSignature"
{
    "status": "OK",
    "payload": "<another-long-string-of-chars>",
    "signature": "<slightly-shorter-long-string-of-chars>"
}

One thing I noticed, not sure if it's an issue, is that the Gateway VPN IP Address from the container log is NOT the same as the IP returned by ip route | head -1 | grep tun | awk '{ print $3 }'

Container log:

2020-10-09T09:54:57.835-0400    INFO    dns configurator: downloading root key from https://raw.githubusercontent.com/qdm12/files/master/root.key.updated,
2020-10-09T09:54:57.644-0400    INFO    Gateway VPN IP address: 66.X.X.X,
2020-10-09T09:54:57.644-0400    INFO    routing: default route found: interface eth0, gateway X.X.X.X
/ # ip route | head -1 | grep tun
0.0.0.0/1 via 10.X.X.X dev tun0

raph521 commented 4 years ago

And lastly, I was able to "bind" the port, and refresh the timer from within the container:

"bind"

/ # export payload="<payload-from-earlier>"
/ # export signature="<signature-from-earlier>"
/ # curl -sGk --data-urlencode "payload=${payload}" --data-urlencode "signature=${signature}" https://$(ip route | head -1 | grep tun | awk '{ print $3 }'):19999/bindPort
{
    "status": "OK",
    "message": "port scheduled for add"
}

refresh

/ # curl -sGk --data-urlencode "payload=${payload}" --data-urlencode "signature=${signature}" https://$(ip route | head -1 | grep tun | awk '{ print $3 }'):19999/bindPort
{
    "status": "OK",
    "message": "timer refreshed"
}

Couldn't do more than that as I don't know how to expose this port through the container's firewall, or even find out what the port is because I can't figure out how to install jq in the container 😳

According to pia-foss/manual-connections/README.md, it would be the following (copying their example):

$ echo eyJ0b2tlbiI6Inh4eHh4eHh4eCIsInBvcnQiOjQ3MDQ3LCJjcmVhdGVkX2F0IjoiMjAyMC0wNC0zMFQyMjozMzo0NC4xMTQzNjk5MDZaIn0= | base64 -d | jq 
{
  "token": "xxxxxxxxx",
  "port": 47047,
  "expires_at": "2020-06-30T22:33:44.114369906Z"
}

Edit: figured out how to install jq, and tried decoding the payload - it worked:

/ # echo $payload | base64 -d | jq
{
  "token": "<long-string-of-chars>",
  "port": <port-num>,
  "expires_at": "2020-12-11T03:11:50.12628496Z"
}
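
The next-gen exchange raph521 works through above (token, getSignature payload, bindPort and its refresh, decoding the base64 payload), plus the expiry-driven renewal the maintainer describes further down, as an added Go example; this is not gluetun's code. The sample payload is constructed from values quoted in this thread, the gateway IP and server name in the usage are placeholders, and NewVerifyingClient expects a real PIA CA PEM to be supplied in place of the `curl -k` used in the manual steps.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"time"
)

// Payload is the JSON that getSignature returns base64-encoded in its "payload" field.
type Payload struct {
	Token     string    `json:"token"`
	Port      uint16    `json:"port"`
	ExpiresAt time.Time `json:"expires_at"`
}

// SamplePayloadB64 is a constructed sample using values quoted in this thread; not a real PIA payload.
var SamplePayloadB64 = base64.StdEncoding.EncodeToString([]byte(
	`{"token":"xxxxxxxxx","port":47047,"expires_at":"2020-12-11T03:11:50.12628496Z"}`))

// DecodePayload parses the payload and rejects one lacking the fields needed to open and refresh the port.
func DecodePayload(b64 string) (Payload, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return Payload{}, fmt.Errorf("payload is not valid base64: %w", err)
	}
	var p Payload
	if err := json.Unmarshal(raw, &p); err != nil {
		return Payload{}, fmt.Errorf("payload is not valid JSON: %w", err)
	}
	if p.Token == "" || p.Port == 0 || p.ExpiresAt.IsZero() {
		return Payload{}, fmt.Errorf("payload missing token, port or expires_at")
	}
	return p, nil
}

// NeedsRenewal reports whether a stored payload is expired or expires within margin, so getSignature must be called again.
func NeedsRenewal(p Payload, now time.Time, margin time.Duration) bool {
	return !now.Add(margin).Before(p.ExpiresAt)
}

// BindPortURL builds the bindPort request; the same request repeated before expiry refreshes the timer.
func BindPortURL(gatewayIP, payloadB64, signature string) string {
	q := url.Values{"payload": {payloadB64}, "signature": {signature}}
	return "https://" + gatewayIP + ":19999/bindPort?" + q.Encode()
}

// NewVerifyingClient replaces curl -k: it trusts only the supplied CA and checks the certificate against serverName.
func NewVerifyingClient(caPEM []byte, serverName string) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("no CA certificate found in PEM")
	}
	cfg := &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}, nil
}
```

Because the gateway is reached by a private IP (10.x) rather than a DNS name, the ServerName override is what makes certificate verification possible without disabling it.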

qdm12 commented 4 years ago

@Raph521 you're my savior!! Thank you so much for digging even further than I did :smile: I will patch up the code tonight and we should have everything working really soon!

qdm12 commented 4 years ago

That image is now obtaining the port forward successfully, feel free to try it, please check

Also if you bind mount /gluetun it stores the port forwarding data there so that you get the same port forwarded on a container restart. It will automagically renew a port to another port at start if not found in the file or if it's expired or when it expires during the container run time (after 60 days).

I have one last tiny bit to do: specify a custom TLS certificate using PIA's certificate to reach its local IP addresses over https (like https://10.0.0.1/v3/auth). For now it goes over https so it's encrypted but it doesn't check the host authenticity (which should be fine pretty much, but still).

Thanks for your patience!

ZerNico commented 4 years ago

@qdm12 I just pulled the latest port forwarding image. Port forwarding seems to work just fine, I tested it with transmission and the port gets through the firewall and works as expected. When bind mounting /gluetun it picks up the old port again on restarts so that seems to work fine too!

I will keep the container running and report back if it works long-term.

Thanks a ton for your work, well done 😄

coreshift commented 4 years ago

Yup, it works.

It gives an error when you try to use a non-port forward PIA server and that might be confusing to some. Maybe a note if there's an error saying "Are you sure you're trying to connect to a port-forward capable server?" or something. I can imagine some people spending hours trying to figure out why it's not working. LOL It's a minor thing, though.

pia    | 2020-10-11T00:12:19.839Z       ERROR   port forwarding: cannot obtain port forwarding data: cannot obtain signature: Get "https://10.8.110.1:19999/getSignature?token=<redacted>": dial tcp 10.8.110.1:19999: connect: connection refused
pia    | 2020-10-11T00:12:19.839Z       INFO    port forwarding: Trying again in 10s

Great job. Thank you.

qdm12 commented 4 years ago

Glad it's working correctly. I'll finish up that TLS thing tomorrow and merge it then.

It's a minor thing, though.

Yes but great idea! Minor things are usually quick to implement and can save an hour to possibly hundreds of people 😄 let's do it!

qdm12 commented 4 years ago
raph521 commented 4 years ago

Thanks @qdm12!

Port forwarding is working on the new image for me, on both armhf and x86_64.

I'll also keep an eye on my containers and report back if they're unstable, but it looks like you've nailed it! Thanks for all the hard work!

coreshift commented 4 years ago

Working for me as well.

cloud-aware commented 4 years ago

Confirmed it is working for me as well on the nextgen servers. Thank you all for the great work!

coreshift commented 4 years ago

Just pulled the "latest" tag and it's still working. Seems good. Is there still a reason/plan to merge in static port forwarding?

qdm12 commented 4 years ago

Yep it's merged in master. I also just merged #257 in order to obtain the port forwarding status (on or off) and server name for TLS verification for each of the PIA v4 servers. I'll now finish up the https verification and add a port forwarding enabled check to finally close this issue 😉

For the static port forwarding, it could still be useful as your port changes every 60 days and some other providers may not support a static port forwarded.

coreshift commented 4 years ago

Uhmm, how do we set the static port? I thought I read it was 9000 but that doesn't seem to be working. I did update my docker-compose to expose that port. Should there be some log message indicating that the static port was set?

EDIT: Just realized I'm probably getting ahead of you and the docker image isn't updated yet. No hurry. I'll wait for the announcement. :)

dolhop commented 4 years ago

https://www.privateinternetaccess.com/helpdesk/news/posts/the-full-release-of-port-forwarding-and-manual-connection-scripts

qdm12 commented 4 years ago

Just realized I'm probably getting ahead of you and the docker image isn't updated yet.

Indeed 😄 Actually I updated my branch for that (didn't test it though), use the image with tag :static-port-forward to see if it works on port 9000.

@dolhop thanks for sharing. Although port forwarding is ready with the default docker image now. I just need a tiny fix for the TLS certificate validation when exchanging tokens/port forwarding data with PIA's servers. Although it's not really a big deal, it's encrypted already. That final pull request should close this issue (finally).

coreshift commented 4 years ago

Well, I tried static-port-forward and...

pia    | 2020-10-13T01:26:22.565Z       INFO    firewall: setting VPN port redirection from port 49254 to port 9000...

nc -zvw10 returns...

nc: connect to 172.98.71.x port 9000 (tcp) failed: Connection refused
nc: connect to 172.98.71.x port 49254 (tcp) timed out: Operation now in progress

qdm12 commented 4 years ago

@coreshift thanks for trying it! Let's continue the conversation for that on #203 I have a question waiting for you 😉

qdm12 commented 4 years ago

Finally done 🎉 I figured out how to do the TLS verification, and it's now merged in :latest.

For the curious: