How to use Openvpn & ipfw in a jail so it only connects to the VPN

Status
Not open for further replies.

Maq

Dabbler
Joined
Mar 27, 2014
Messages
15
Why not let it check for the exact address connected and just allow that one instead of the whole wide subnet?

Just seemed simpler to leave the whole subnet in (don't see a downside for it). For rule 1006, you have to, unless you want two rules.
 

denist

Contributor
Joined
Jan 28, 2013
Messages
188
These rules are over my head. I have tried various ones, but this PIA keeps changing its IP address,

as it uses a server.

Now, is there a way to write a script to start OpenVPN, then do, say, a

wget http://smart-ip.net/myip -O - -q ; echo

copy this value, which is the IP address of OpenVPN,

then it creates a rule for ipfw_rules,

then, once saved, starts the ipfw service,

and for this to start at startup or boot?

I would love to write a script like this. Maybe I could, but it will take time and copying and pasting other scripts...

Maybe someone can give me a basis on how to create the start service that then runs the above command, copies the IP address that PIA gives, and can use it as a reference point.

Then I can add all the rules into the script.

Denis
 
Joined
Mar 6, 2014
Messages
686
There are a lot of people in this forum(thread) using PIA, there must be something missing in your setup I guess, since others got it to work obviously. I'm not on PIA, but using NordVPN. But as far as I can see, it's the same procedure. Why is it not working? Do you get any error messages on startup? Can you post the output of "tail /var/log/messages" (inside the jail) after a restart of the jail here (put it in a CODE tag)?
 

denist

Contributor
Joined
Jan 28, 2013
Messages
188
The PIA rules work, but when OpenVPN reconnects I get a new IP address, and I do not have that address in the rules; that's the issue I have. And I have added 11 addresses already. I just thought there. The Python script above does not work; it says it's missing the first 3 items.

I'll keep working at it.


Sent from my iPhone using Tapatalk
 
Joined
Mar 6, 2014
Messages
686
I don't see the problem. You don't need to do anything with the external IP address you are given by PIA. I told you this on the other thread too. You only need to allow the IP address of THEIR server which OpenVPN is connecting with. You do also need to allow the internal/local VPN IP addresses, which can indeed change. These are the addresses in the 10.x range from the tun interface, which you can allow by allowing the whole 10. subnet in your rules.
 

Maq

Dabbler
Joined
Mar 27, 2014
Messages
15
I'm using the script I posted in #123 with PIA.

The script also checks for a connection to the specified hostname and regenerates the rules and restarts the services if it can't connect (if the IP has changed). I have this script running every 5 minutes using a cron.
 

denist

Contributor
Joined
Jan 28, 2013
Messages
188
Yeah, I tried it, but the first 3 lines say it can't find

import sys, subprocess and socket, so the script stops. How did you get it to run? Also, how did you set it up to run from boot?


Sent from my iPhone using Tapatalk
 

Maq

Dabbler
Joined
Mar 27, 2014
Messages
15
Make sure that
Code:
#!/usr/local/bin/python2.7
is the first line in the file.

Also, paste the error here if you're still having problems.
 

denist

Contributor
Joined
Jan 28, 2013
Messages
188
I think my issue is the path of Python. I need to check if it's there when I get home; then I'll check, and I think I will have no issue, but I'll keep you guys posted.


Sent from my iPhone using Tapatalk
 

denist

Contributor
Joined
Jan 28, 2013
Messages
188
This is the error when I try and run it:

pia.sh: import: not found
pia.sh: import: not found
pia.sh: import: not found
pia.sh: url: not found
pia.sh: try:: not found
pia.sh: 11: Syntax error: word unexpected (expecting ")")
 

denist

Contributor
Joined
Jan 28, 2013
Messages
188
Sorry, wrong above.

I created the script and named it pia.py.

Then when I want to run it, I typed

python pia.py

It says bash command not found.
 

denist

Contributor
Joined
Jan 28, 2013
Messages
188
OK, got it to run, but it's not working. Don't know the error now.

I used python2.7 pia.sh to run it,
and nothing.
 

denist

Contributor
Joined
Jan 28, 2013
Messages
188
This is the .py script I have set:

Code:
#!/usr/local/bin/python2.7
import sys
import socket
import subprocess


url = 'Sweden.privateinternetaccess.com'

try:
    # Raise if it can't ping the server or openvpn isn't running
    subprocess.check_output(['service', 'openvpn', 'status'])
    subprocess.check_output(['ping', '-c', '1', url])
except subprocess.CalledProcessError:
    pass
else:
    # Both checks passed: the tunnel is up, nothing to regenerate
    sys.exit()


# Resolve the VPN endpoint; PIA hostnames resolve to several addresses
hostname, aliaslist, ipaddrlist = socket.gethostbyname_ex(url)

content = '''
add 01006 allow ip from 192.168.2.0/24 to 192.168.2.0/24 keep-state
'''

rule_number = 2001

# One pair of rules (LAN -> server, server -> LAN) per resolved address
for ip in ipaddrlist:
    content += '''
add {} allow ip from 192.168.2.0/24 to {} keep-state
add {} allow ip from {} to 192.168.2.0/24 keep-state
'''.format(rule_number, ip, rule_number + 1, ip)
    rule_number += 2

# Loopback, the tun subnet handed out by the VPN, then deny everything else
content += '''
add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from 10.0.0.0/8 to any
add 05002 allow ip from any to 10.0.0.0/8
add 65534 deny ip from any to any
'''

# Stop openvpn and ipfw before rewriting the rules file
subprocess.call(['service', 'openvpn', 'stop'])
subprocess.call(['service', 'ipfw', 'stop'])

f = open('/sabnzbd/scripts/ipfw_rules', 'w')
f.write(content)
f.close()

# Start ipfw
subprocess.call(['service', 'ipfw', 'start'])

# Only bring openvpn back up once ipfw is confirmed running
if 'ipfw' in subprocess.check_output(['service', '-e']):
    subprocess.call(['service', 'openvpn', 'start'])

sys.exit()
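As an added example (not the script from this thread, nor PIA's or FreeNAS's code), the generator below separates building the ruleset from the service calls, so the "regenerate if the IP has changed" check described in #123 can be tested offline. The LAN subnet, tun range and hostname are the values used in the script above; the 2001-3999 rule range for per-server rules and the stand-alone print at the bottom are assumptions.

```python
import re
import socket

LAN_NET = '192.168.2.0/24'  # assumed jail LAN subnet (value used in the thread)
TUN_NET = '10.0.0.0/8'      # tun addresses handed out by the VPN change, so allow the range
VPN_HOST = 'Sweden.privateinternetaccess.com'  # hostname from the thread's script

# Matches the LAN -> VPN-server rules build_rules() writes: (rule number, server IP).
VPN_RULE = re.compile(r'^add (\d+) allow ip from ' + re.escape(LAN_NET) +
                      r' to (\d+\.\d+\.\d+\.\d+)(?=\s|$)')


def build_rules(vpn_ips, lan_net=LAN_NET, tun_net=TUN_NET):
    """Return an ipfw ruleset allowing only LAN<->VPN server, loopback and the tun range."""
    lines = ['add 01006 allow ip from {0} to {0} keep-state'.format(lan_net)]
    rule = 2001
    for ip in sorted(set(vpn_ips)):
        if rule + 1 >= 4000:  # keep per-server rules below the loopback/tun rules
            raise ValueError('too many VPN addresses for the 2001-3999 rule range')
        lines.append('add {} allow ip from {} to {} keep-state'.format(rule, lan_net, ip))
        lines.append('add {} allow ip from {} to {} keep-state'.format(rule + 1, ip, lan_net))
        rule += 2
    lines += ['add 04000 allow ip from 127.0.0.1 to any',
              'add 05000 allow ip from {} to any'.format(tun_net),
              'add 05002 allow ip from any to {}'.format(tun_net),
              'add 65534 deny ip from any to any']  # default deny: nothing else leaves the jail
    return '\n'.join(lines) + '\n'


def allowed_vpn_ips(rules_text):
    """Set of VPN server IPs a ruleset (as written by build_rules) currently allows."""
    ips = set()
    for line in rules_text.splitlines():
        m = VPN_RULE.match(line.strip())
        if m and 2001 <= int(m.group(1)) < 4000:
            ips.add(m.group(2))
    return ips


def needs_regeneration(rules_text, resolved_ips):
    """True when the VPN hostname resolves to an address the current rules do not allow."""
    return not set(resolved_ips) <= allowed_vpn_ips(rules_text)


if __name__ == '__main__':
    # Stand-alone use: resolve the VPN host and print a fresh ruleset (no services touched).
    print(build_rules(socket.gethostbyname_ex(VPN_HOST)[2]))
```

Feeding the existing rules file and the current DNS answer to needs_regeneration() lets a cron job rewrite the file and restart the services only when PIA's addresses have actually changed.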
 

denist

Contributor
Joined
Jan 28, 2013
Messages
188
It's not writing the ipfw_rules file either.

Is there an error log for Python once run?
 

Maq

Dabbler
Joined
Mar 27, 2014
Messages
15
If there are errors, they should be printed out.

Also, "/sabnzbd/scripts/ipfw_rules", you have the sabnzbd folder in the root directory? If you used the plugin to install it, then this isn't correct. It's best to use full paths.
 

denist

Contributor
Joined
Jan 28, 2013
Messages
188
The sabnzbd is in the root directory of the transmission jail; I created that there.

It reads the rules file with no problems, but it's not writing the file?

I'll try writing it under etc like you did and see if there are any changes.

But when I run the script it does not say anything; it waits, then the cursor comes back like it has completed.


Sent from my iPhone using Tapatalk
 

Maq

Dabbler
Joined
Mar 27, 2014
Messages
15
Try creating the file once yourself and fix the permissions.
 

denist

Contributor
Joined
Jan 28, 2013
Messages
188
Yeah, I'll give it a go and see what happens.


Sent from my iPhone using Tapatalk
 
Joined
Mar 6, 2014
Messages
686
I wouldn't put them in a sabnzbd folder anyway. It has nothing to do with sab, it's a file for ipfw. Also, you might want to put it in a mounted/shared folder that you have access to with your own pc or laptop to make things easier to edit. This also avoids trouble (i.e. with permissions) when updating/upgrading or when something goes wrong with the jail.
 