New PIA pfSense (Private Internet Access) port forwarding API script for next gen servers. Tested on pfSense 2.5.2-RELEASE (amd64) and qBittorrent v4.3.6.
Before starting make sure to have configured PIA on your pfSense according to this guide: https://blog.networkprofile.org/private-internet-access-vpn-on-pfsense/
For a list of nextgen servers supporting port forwarding: https://github.com/SeaMonkey82/PIA-NextGen-PortForwarding/blob/master/nextgen-portforward-servers.txt
The scripts have variables that you must change in order for the script to work, make sure to read the scripts before running them.
Your pfSense needs the following packages: xmlstarlet jq
Now you can follow this guide:
1.Enable SSH on pfSense
System -> Advanced => tick "Enable Secure Shell"
2.Create custom user
-Go to System -> User manager -> Add
-Fill Username, password
-Add "admins" group
-Grant "WebCfg - All pages" and "User - System: Shell account access" priviledges
-(Optional) generate SSH keys for your custom user
3.Install SUDO package
-Go to System -> Package Manager => install SUDO package
-Go to System -> sudo => create user permissions as bellow
4.Create Alias for port forward
-Go to Firewall -> Aliases -> Ports
-Create new port with name "PIAPort"
-Give it the current port (if you have it) or non-zero value
5.Create NAT rule for port-forward using the ALIAS instead of specific port
-Go to Firewall -> NAT
-Create new rule like bellow (some values could be different depending on your current VPN configuration)
6.Create custom devd config file
-Still under root user from previous step do
mkdir /usr/local/etc/devd
cd /usr/local/etc/devd
vi piaport.conf
-paste following code and save ( :wq )- This will start the service when the PIA interface is up and stop it when down
notify 0 {
match "system" "IFNET";
match "subsystem" "(ovpnc1)";
match "type" "LINK_UP";
action "logger $subsystem is UP";
action "service piaportforwarding start";
};
notify 0 {
match "system" "IFNET";
match "subsystem" "(ovpnc1)";
match "type" "LINK_DOWN";
action "logger $subsystem is DOWN";
action "service piaportforwarding stop";
};
-Restart devd to properly parse the new definition
service devd restart
Note: The "ovpnc1" is a technical name of the OpenVPN interface from within the pfSense UI
9.Create the custom port-update script
-Still under root user from previous step do
mkdir -p /home/custom/piaportforward
cd /home/custom/piaportforward
touch pia-pfSense.sh
chmod u+x pia-pfSense.sh
vi pia-pfSense.sh
-Paste the code from https://github.com/SeaMonkey82/PIA-NextGen-PortForwarding/blob/master/pia-pfSense.sh OR just download it and chmod +x it.
!!! Some customization is necessary. Please read the script. It will need at minimum your PIA credentials and the qBittorrent WebUI host details and credentials !!!
Put https://github.com/SeaMonkey82/PIA-NextGen-PortForwarding/blob/master/pia-portforwarding-rc in /usr/local/etc/rc.d (rename to piaportforwarding) and chmod +x it or just:
touch /usr/local/etc/rc.d/piaportforwarding
chmod +x /usr/local/etc/rc.d/piaportforwarding
vi /usr/local/etc/rc.d/piaportforwarding
And paste the following in it:
#!/bin/sh
# REQUIRE: LOGIN
. /etc/rc.subr
name="piaportforwarding"
rcvar="${name}_enable"
command="/home/custom/piaportforward/pia-pfSense.sh"
command_interpreter="/bin/sh"
pf_user=root
start_cmd="/usr/sbin/daemon -f -u $pf_user $command"
load_rc_config $name
run_rc_command "$1"
Then:
touch /etc/rc.conf.local
vi /etc/rc.conf.local
And paste the following: piaportforwarding_enable="YES"
-Disconnect form pfSense
-(Optional) Disable SSH via WebUI under System -> Advanced => un-tick "Enable Secure Shell"
Configure Tools:Options:WebUI to your liking. As the pia-pfSense.sh script states, using ssl certificates generated by a local certificate authority will require you to add the contents of the CA certificate to /etc/ssl/cert.pem on your pfSense config to work. Even if the CA being used exists on pfSense, it is not trusted by default when running commands from the shell.
2.Restart OpenVPN in pfSense
-Wait for ~15secs and check Status -> System logs to see results
