
@unex
Created August 1, 2018 03:16
#!/usr/local/bin/bash
# Pause before doing anything else: the request made further down is only
# attempted once the tunnel has had 15 seconds to settle.
printf '%s\n' "Wait for tunnel to be fully initialized and PIA is ready to give us a port"
sleep 15

# State files, both relative to the directory this script is started from:
#   pia_port_file      - receives the forwarded port number
#   pia_client_id_file - holds the client id sent with every port request
pia_port_file=./pia_port
pia_client_id_file=./pia_client_id
#
# First get a port from PIA
#
new_client_id() {
head -n 100 /dev/urandom | shasum -a 256 | tr -d " -" | tee $pia_client_id_file
}
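# Reuse the stored client id when there is one; otherwise create and store a
# new one. A missing or unreadable file simply yields an empty string here.
pia_client_id="$(cat "$pia_client_id_file" 2>/dev/null)"
if [ -z "${pia_client_id}" ]; then
  echo "Generating new client id for PIA"
  pia_client_id=$(new_client_id)
fi

# Get the port.
# NOTE(review): the request goes over plain HTTP to a fixed address, so the
# reply is unauthenticated. It is treated as untrusted below and only a single
# well-formed port number is ever written to the port file, because that file
# is later fed to firewall and Transmission commands.
port_assignment_url="http://209.222.18.222:2000/?client_id=$pia_client_id"
# --max-time keeps a stalled request from leaving this helper running forever.
pia_response=$(curl -s -f --max-time 30 "$port_assignment_url")
pia_curl_exit_code=$?

# Check for curl error first (curl will fail on HTTP errors with -f flag), so
# a transport failure is not also reported as "port forwarding unavailable".
if [ "$pia_curl_exit_code" -ne 0 ]; then
  echo "curl encountered an error looking up new port: $pia_curl_exit_code"
  exit 1
fi

if [ -z "$pia_response" ]; then
  echo "Port forwarding is already activated on this connection, has expired, or you are
not connected to a PIA region that supports port forwarding"
  exit 1
fi

# Check for errors in PIA response
error=$(echo "$pia_response" | grep -oE "\"error\".*\"")
if [ -n "$error" ]; then
  echo "PIA returned an error: $error"
  exit 1
fi

# Get new port, check if empty
new_port=$(echo "$pia_response" | grep -oE "[0-9]+")
if [ -z "$new_port" ]; then
  echo "Could not find new port from PIA"
  exit 1
fi

# grep prints one match per line, so a reply holding several numbers would
# produce a multi-line value; accept exactly one decimal number in 1-65535.
case "$new_port" in
  *[!0-9]*)
    echo "PIA response did not contain a single port number"
    exit 1
    ;;
esac
if [ "${#new_port}" -gt 5 ] || [ "$new_port" -lt 1 ] || [ "$new_port" -gt 65535 ]; then
  echo "PIA returned an out-of-range port: $new_port"
  exit 1
fi

echo "Got new port $new_port from PIA"
printf '%s\n' "$new_port" > "$pia_port_file"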
# OpenVPN client profile: UDP tunnel to the remote below; once the tunnel is
# up, the "up" script at the end of this file is run.
client
dev tun
proto udp
remote ca-toronto.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
# Data-channel cipher and HMAC digest.
# NOTE(review): AES-128-CBC with SHA1 is a legacy pairing; presumably it has
# to match what this server port offers - confirm before changing either line.
cipher aes-128-cbc
auth sha1
tls-client
# Only accept a peer certificate that is marked for server use.
remote-cert-tls server
# NOTE(review): dhcp-option normally takes a type keyword before the value
# (for example "DNS <address>"); as written these two lines may not set a
# resolver at all - confirm.
dhcp-option 8.8.8.8
dhcp-option 8.8.4.4
# Username and password are read from pass.txt; keep that file readable only
# by the account that runs OpenVPN.
auth-user-pass pass.txt
# LZO compression.
# NOTE(review): compressing tunnel traffic is a known side channel
# (compression-oracle attacks) and the setting must match the server -
# confirm it is still required.
comp-lzo
verb 1
# 0 turns off this side's time-based renegotiation of the data-channel key.
reneg-sec 0
# The server certificate is checked against this CA and refused if it is
# listed in the CRL file.
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
disable-occ
mute-replay-warnings
# Exit after 3600 s without traffic on the tunnel device, or after 60 s
# without hearing from the peer (pings are sent every 10 s).
# NOTE(review): nothing in this profile blocks traffic outside the tunnel
# after such an exit - presumably a firewall rule has to cover that; confirm.
inactive 3600
ping 10
ping-exit 60
# Level 2 is what permits the user-defined "up" script below to be called.
script-security 2
# Hold the up script back until the connection to the peer is established.
up-delay
# The script runs with OpenVPN's own privileges, so start.sh and everything
# it launches should not be writable by other users.
up "start.sh"
#!/usr/local/bin/bash
# Hook script: launches get_port.sh as a background job and returns at once,
# so the caller is not held up while that script runs.
# The relative path is resolved against the caller's working directory, and
# the child inherits the caller's privileges - presumably those of the VPN
# daemon; keep get_port.sh writable only by a trusted account.
bash ./get_port.sh &
#!/usr/local/bin/bash
# Where Transmission keeps its settings, and the RPC login used when the
# settings file says authentication is required.
# NOTE: the RPC password is stored in this script in clear text, so the
# script file itself needs restrictive permissions.
transmission_settings_file=/var/db/transmission/settings.json
transmission_username="transmission"
transmission_passwd="<REDACTED>"

# Port number left behind in the port file; stays empty when the file is
# missing or unreadable (cat's error output is discarded).
pia_port_file=./pia_port
new_port=$(cat "$pia_port_file" 2>/dev/null)
#
# Now, set port in Transmission
#
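# Check if transmission remote is set up with authentication.
# -F matches the JSON key literally, surrounding quotes included.
auth_enabled=$(grep -F '"rpc-authentication-required"' "$transmission_settings_file" \
  | grep -oE 'true|false')
if [ "true" = "$auth_enabled" ]; then
  echo "transmission auth required"
else
  echo "transmission auth not required"
fi

#######################################
# Run transmission-remote, adding host and credentials when RPC auth is on.
# The login is handed over through the TR_AUTH environment variable
# (--authenv) for that one command only, so the password does not appear in
# the process argument list and is not split on whitespace.
# Globals:   auth_enabled, transmission_username, transmission_passwd (read)
# Arguments: options passed through to transmission-remote
#######################################
tr_remote() {
  if [ "true" = "$auth_enabled" ]; then
    TR_AUTH="${transmission_username}:${transmission_passwd}" \
      transmission-remote 127.0.0.1:9091 --authenv "$@"
  else
    transmission-remote "$@"
  fi
}

#######################################
# Succeed only for a plain decimal port number in the range 1-65535.
# Arguments: $1 - candidate value
#######################################
is_port() {
  case "$1" in
    '' | *[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# The port file is written by another script from a network reply; refuse to
# hand anything but a well-formed port to the firewall or to Transmission.
# This also covers a missing port file, which leaves new_port empty.
if ! is_port "$new_port"; then
  echo "No valid port found in $pia_port_file, leaving Transmission and firewall untouched"
  exit 1
fi

# get current listening port
transmission_peer_port=$(tr_remote -si | grep Listenport | grep -oE '[0-9]+')
echo "Current port: $transmission_peer_port"
# Stop before any firewall change if Transmission did not report a port;
# otherwise a port would be opened for a daemon that cannot be reached.
if ! is_port "$transmission_peer_port"; then
  echo "Could not read the current port from Transmission"
  exit 1
fi

if [ "$new_port" != "$transmission_peer_port" ]; then
  if [ "true" = "$ENABLE_UFW" ]; then
    echo "Update UFW rules before changing port in Transmission"
    echo "denying access to $transmission_peer_port"
    ufw deny "$transmission_peer_port"
    echo "allowing $new_port through the firewall"
    ufw allow "$new_port"
  fi
  tr_remote -p "$new_port"
  echo "Checking port..."
  # Give Transmission a moment to rebind before asking for the port test.
  sleep 10
  tr_remote -pt
else
  echo "No action needed, port hasn't changed"
fi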