qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

Help: Is port forwarding still working on PIA? I have it configured to do so, but it's not returning a port-forward #236

Closed cloud-aware closed 4 years ago

cloud-aware commented 4 years ago

PORT_FORWARDING and PORT_FORWARDING_STATUS_FILE do not seem to be working since the latest PIA update?

  1. Is this urgent?

    • [ ] Yes
    • [x] No
  2. What VPN service provider are you using?

    • [x] PIA
    • [ ] Mullvad
    • [ ] Windscribe
    • [ ] Surfshark
    • [ ] Cyberghost
  3. What's the version of the program?

    Running latest as of September 8, 2020 - I did a docker-compose build yesterday

Running version unknown built on an unknown date (commit unknown)
📣 Persistent server IP addresses at /gluetun/servers.json, please BIND MOUNT
🔧 Need help? https://github.com/qdm12/gluetun/issues/new
💻 Email? quentin.mcgaw@gmail.com
☕ Slack? Join from the Slack button on Github
💸 Help me? https://github.com/sponsors/qdm12
2020-09-09T09:32:09.687-0400 INFO OpenVPN version: 2.4.9
2020-09-09T09:32:09.698-0400 INFO Unbound version: 1.10.1
2020-09-09T09:32:09.704-0400 INFO IPtables version: v1.8.4
2020-09-09T09:32:09.746-0400 INFO TinyProxy version: 1.10.0
2020-09-09T09:32:09.750-0400 INFO Settings summary below:
OpenVPN settings:
|--User: [redacted]
|--Password: [redacted]
|--Verbosity level: 1
|--Run as root: no
|--Private Internet Access settings:
   |--Network protocol: udp
   |--Region: ca toronto
   |--Encryption preset: strong
System settings:
|--User ID: 1000
|--Group ID: 1000
|--Timezone: america/new_york
|--IP Status filepath: /tmp/gluetun/ip
DNS over TLS disabled, using plaintext DNS 1.1.1.1
Firewall settings: disabled
TinyProxy settings: disabled
ShadowSocks settings: disabled
Public IP check period: 12h0m0s
Version information: enabled

  4. What are you using to run the container?

    • [ ] Docker run
    • [x] Docker Compose
    • [ ] Kubernetes
    • [ ] Docker stack
    • [ ] Docker swarm
    • [ ] Podman
    • [ ] Other:
  5. Extra information

PIA connects fine, but does not port-forward or create the port-forward status file

Host OS:

Ubuntu 20.04

qdm12 commented 4 years ago

thank you for confirming the modifications on SAN. I will push this modification on the master branch for the VPN servers at the end of this week, so rollout will start next month most probably. All servers should support SAN in February

From a PIA engineer who upgraded the certificate to contain SAN on a test server, helped him test it out 😉 So that added TLS security for port forwarding will start to get live in the coming months.

Have a good week!

qdm12 commented 4 years ago

Hello everyone, thanks to @L11R (here), there might be an alternative to do TLS verification properly. I've implemented it in the container, on the Docker image with tag :pia-san-alternative. Can someone please try it with PORT_FORWARDING=on and see if it gives any error? Thanks!

coreshift commented 4 years ago

I'm not quite sure what part of the logs are relevant, but this seemed important:

pia    | 2020-10-21T02:30:03.515Z       INFO    dns configurator: downloading root key from https://raw.githubusercontent.com/qdm12/files/master/root.key.updated
pia    | 2020-10-21T02:30:03.749Z       INFO    dns configurator: generating Unbound configuration
pia    | 2020-10-21T02:30:05.489Z       INFO    dns configurator: 61358 hostnames blocked overall
pia    | 2020-10-21T02:30:05.489Z       INFO    dns configurator: 2581 IP addresses blocked overall
pia    | 2020-10-21T02:30:05.515Z       INFO    dns configurator: starting unbound
pia    | 2020-10-21T02:30:05.515Z       INFO    dns configurator: using DNS address 127.0.0.1 internally
pia    | 2020-10-21T02:30:05.515Z       INFO    dns configurator: using DNS address 127.0.0.1 system wide
pia    | 2020-10-21T02:30:05.658Z       INFO    unbound: init module 0: validator
pia    | 2020-10-21T02:30:05.658Z       INFO    unbound: init module 1: iterator
pia    | 2020-10-21T02:30:05.683Z       INFO    unbound: start of service (unbound 1.10.1).
pia    | 2020-10-21T02:30:06.631Z       INFO    unbound: generate keytag query _ta-4a5c-4f66. NULL IN
pia    | 2020-10-21T02:30:07.622Z       INFO    VPN gateway IP address: 10.60.110.1
pia    | panic: runtime error: invalid memory address or nil pointer dereference
pia    | [signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x593935]
pia    | 
pia    | goroutine 114 [running]:
pia    | crypto/x509.(*CertPool).AddCert(0x0, 0xc0003f3700)
pia    |        crypto/x509/cert_pool.go:115 +0x55
pia    | github.com/qdm12/gluetun/internal/provider.newPIAv4HTTPClient(0xc0003c0080, 0xc0003c0080, 0xc0003c0080)
pia    |        github.com/qdm12/gluetun/internal/provider/piav4.go:287 +0x314
pia    | github.com/qdm12/gluetun/internal/provider.(*piaV4).PortForward(0xc000116630, 0xb5c3e0, 0xc00040c380, 0xc000172600, 0xb60e40, 0xc00017f490, 0xb5e680, 0xc0004a7500, 0xc0003820d0, 0x4, ...)
pia    |        github.com/qdm12/gluetun/internal/provider/piav4.go:132 +0xa5
pia    | github.com/qdm12/gluetun/internal/openvpn.(*looper).portForward(0xc00013a800, 0xb5c3e0, 0xc00040c380, 0xc000314550, 0xb5b1e0, 0xc000116630, 0xc000172600, 0xc0003820d0, 0x4, 0x4)
pia    |        github.com/qdm12/gluetun/internal/openvpn/loop.go:232 +0x1b3
pia    | created by github.com/qdm12/gluetun/internal/openvpn.(*looper).Run.func1
pia    |        github.com/qdm12/gluetun/internal/openvpn/loop.go:171 +0x105

qdm12 commented 4 years ago

Thanks for trying, can you please re-pull & re-try? I should have fixed that bug

docker pull qmcgaw/private-internet-access

Thanks!

coreshift commented 4 years ago

The :latest tag works fine. At least I don't see any error messages or failures. The :pia-san-alternative tag gives:

pia    | 2020-10-21T17:00:48.549Z       ERROR   port forwarding: cannot bind port: Get "https://montreal403:19999/bindPort?payload=<redacted>&signature=<redacted>: dial tcp: address 10.60.110.1: missing port in address

qdm12 commented 4 years ago

Let's continue the conversation on #266

@coreshift I have pushed another commit which should address this error, we're definitely close 😉 Thanks again for the testing!