
PrivateVPN native port forwarding

Open nigelluz opened this issue 2 years ago • 3 comments

I am sorry for my English level; maybe I can't express what I mean accurately. I hope that the app can support native port forwarding for PrivateVPN.

For this, I got the port forwarding API method and found it out by sending emails to the official support team.

Some openvpn config: https://ovpnstorage.privatevpn.com/

Port forwarding API: https://connect.pvdatanet.com/v3/Api/port?ip[]=<vpn_local_ip_here> which returns a JSON-format result.

When connecting to a Dedicated IP server, all ports will be forwarded; otherwise it will provide a random port.

nigelluz avatar Sep 12 '23 00:09 nigelluz

I was able to get the port open with the FIREWALL=off env setting, and set the port in Transmission using the port forwarding API URL provided above.

I am able to reach this port (from another device) via my ISP directly or while connected to another VPN service, but not when connected to PrivateVPN. Maybe this has something to do with PrivateVPN blocking access due to their ip-leak-vulnerability-when-using-port-forward, but I'm not certain.

Also, I'm not really sure if this brings any security concerns.

Edit 06-May-2024: FIREWALL=off does bring security concerns since it disables the firewall. This means your other containers in the same gluetun network will be able to access the internet or be reached directly, e.g. through the eth0 interface instead of tun0 (VPN).

To work around this issue you'll need to get your open port from the above-mentioned link https://connect.pvdatanet.com/v3/Api/port?ip[]=<vpn_local_ip_here> and set it in the gluetun container via iptables, e.g. if the port is 12345:

docker exec gluetun /sbin/iptables -A INPUT -i tun0 -p tcp --dport 12345 -j ACCEPT
docker exec gluetun /sbin/iptables -A INPUT -i tun0 -p udp --dport 12345 -j ACCEPT

To check if the port was added:

docker exec gluetun /sbin/iptables -L -v

sakaljurgis avatar Jan 05 '24 08:01 sakaljurgis

This can be automated (similarly to Private Internet Access and ProtonVPN port forwarding). Please try image qmcgaw/gluetun:pr-2285 😉 and set VPN_PORT_FORWARDING=on.

Also, what's the response you get when requesting from a "Dedicated IP server"? I'm especially curious about what the status gives, because for now Gluetun searches for the specific port in the status text, but I'm not sure how to handle "all ports" responses.

qdm12 avatar May 18 '24 12:05 qdm12

This is good news actually, thank you :) Here are the responses:

Dedicated IP response: {"status":"ALL","supported":true}

Standard response: {"status":"Port 61593 UDP\/TCP","supported":true}

Unfortunately, currently I don't have a chance to test this out.

sakaljurgis avatar May 22 '24 18:05 sakaljurgis
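As an added example (not Gluetun's own code), here is how a client written in Go, Gluetun's language, could distinguish the two response shapes quoted above, build the request URL with the `ip[]` key from the tunnel-side address, and refuse to act on an unsupported or malformed body rather than falling through to port 0. The function and type names are my own; the two sample bodies are constructed from the responses posted in this thread.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
	"strconv"
)
// Constructed sample bodies: the two response shapes quoted in this thread.
const dedicatedIPResponse = `{"status":"ALL","supported":true}`
const standardResponse = `{"status":"Port 61593 UDP\/TCP","supported":true}`
// apiResponse mirrors the JSON returned by the PrivateVPN port endpoint.
type apiResponse struct {
	Status    string `json:"status"`
	Supported bool   `json:"supported"`
}
var portRe = regexp.MustCompile(`^Port ([0-9]{1,5}) `) // e.g. "Port 61593 UDP/TCP"
// PortAPIURL builds the query URL from the tun0 address (not the public IP); url.Values encodes "ip[]" as ip%5B%5D.
func PortAPIURL(tunAddr string) string {
	q := url.Values{}
	q.Set("ip[]", tunAddr)
	return "https://connect.pvdatanet.com/v3/Api/port?" + q.Encode()
}
// ParsePortResponse returns (port, allPorts, err): handles "ALL" and "Port N ...", rejects unsupported/malformed bodies.
func ParsePortResponse(body []byte) (uint16, bool, error) {
	var r apiResponse
	if err := json.Unmarshal(body, &r); err != nil {
		return 0, false, fmt.Errorf("decoding response: %w", err)
	}
	if !r.Supported {
		return 0, false, fmt.Errorf("port forwarding not supported (status %q)", r.Status)
	}
	if r.Status == "ALL" {
		return 0, true, nil
	}
	m := portRe.FindStringSubmatch(r.Status)
	if m == nil {
		return 0, false, fmt.Errorf("unrecognised status %q", r.Status)
	}
	n, err := strconv.ParseUint(m[1], 10, 16)
	if err != nil || n == 0 {
		return 0, false, fmt.Errorf("invalid port in status %q", r.Status)
	}
	return uint16(n), false, nil
}
func main() {
	fmt.Println(PortAPIURL("10.8.0.2"))
	fmt.Println(ParsePortResponse([]byte(standardResponse)))
}
```

For a dedicated-IP server the caller gets allPorts=true and must decide for itself which port to open in the firewall, since no single port is handed out.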

This can be automated (similarly to Private Internet Access and ProtonVPN port forwarding). Please try image qmcgaw/gluetun:pr-2285 😉 and set VPN_PORT_FORWARDING=on.

I just tried this, but unfortunately it doesn't work. I get this error:

ERROR [vpn] port forwarding for the first time: port forwarding not supported: for server IP X.X.X.X

X.X.X.X being the public IP I get on the VPN. I'm assuming that this is the IP sent to the pvdatanet.com API endpoint. The IP that needs to be used in that URL however is the internal address assigned to the tun0 interface, not the public address.

Anyway, in case it may be helpful, I'm sharing how I've made this sort of work using a cronjob that runs a script every 5 minutes. The script just checks if the port has changed since last time it was run, and adds the firewall rules as well as updates the forwarded port in Transmission. Method shamelessly nicked from here: https://github.com/haugene/vpn-configs-contrib/blob/main/openvpn/privatevpn/update-port.sh

#!/bin/bash
# Only necessary for Transmission if using authentication; the env file must
# contain the variable TR_AUTH=username:password (or just change $TR_AUTH to
# username:password in the docker exec command below if you're comfortable
# with putting auth info in a script)
source /path/to/envfile
PORTFILE=/path/to/portfile.txt # A text file to store the forwarded port

if [ ! -f "$PORTFILE" ]; then
    echo 0 > "$PORTFILE"
fi

LAST_PORT=$(cat "$PORTFILE")
# The API expects the tunnel-side address of tun0, not the public VPN IP
TUN_ADDR=$(docker exec gluetun ip address show dev tun0 | grep 'inet\b' | awk '{print $2}' | cut -d/ -f1)
PORT_RESPONSE=$(curl -s -f "https://connect.pvdatanet.com/v3/Api/port?ip%5B%5D=$TUN_ADDR")
CURRENT_PORT=$(echo "$PORT_RESPONSE" | grep -oe 'Port [0-9]*' | awk '{print $2}' | cut -d/ -f1)

# Stop here if the request failed or the status carried no "Port N" (e.g. the
# "ALL" response of a Dedicated IP server), so an empty port is never stored
# and the existing rules are left untouched
if [ -z "$CURRENT_PORT" ]; then
    echo "Could not determine forwarded port (response: $PORT_RESPONSE)" >&2
    exit 1
fi

if [ "$LAST_PORT" != "$CURRENT_PORT" ]; then
    # Store the new port
    echo "$CURRENT_PORT" > "$PORTFILE"

    # Remove the old port firewall rules (if they exist, otherwise this will print errors, but I don't care)
    docker exec gluetun /sbin/iptables-legacy -D INPUT -i tun0 -p tcp --dport "$LAST_PORT" -j ACCEPT
    docker exec gluetun /sbin/iptables-legacy -D INPUT -i tun0 -p udp --dport "$LAST_PORT" -j ACCEPT

    # Add the new port to the firewall
    docker exec gluetun /sbin/iptables-legacy -A INPUT -i tun0 -p tcp --dport "$CURRENT_PORT" -j ACCEPT
    docker exec gluetun /sbin/iptables-legacy -A INPUT -i tun0 -p udp --dport "$CURRENT_PORT" -j ACCEPT

    # Update the port in Transmission (just remove "-n $TR_AUTH" if not using authentication)
    docker exec transmission transmission-remote localhost:9091 -n "$TR_AUTH" -p "$CURRENT_PORT"
fi

It's not pretty, but it gets the job done until a more streamlined solution is possible ;)

NorseJedi avatar Jun 21 '24 14:06 NorseJedi

I'm assuming that this is the IP sent to the pvdatanet.com API endpoint. The IP that needs to be used in that URL however is the internal address assigned to the tun0 interface, not the public address.

Correct, and yes that was the mistake! Changed in 5cc29a7fe04a6c023a94a8e21ee59ce8c6f71cc4 to use the internal vpn ip address. Can you please re-pull the image and see if it works now?

as well as updates the forwarded port in Transmission

That is definitely something I'm starting to think would be a great addition for torrent clients built into Gluetun, to update their port: Deluge, Transmission, qBittorrent to name a few.

qdm12 avatar Jul 29 '24 14:07 qdm12

I'm using this via Docker; is there a build I can help test with? I'm really keen to get this up and running.

Silversurfer79 avatar Aug 11 '24 15:08 Silversurfer79