Bash script to change the listen_ports

[Ouroboruss]

Ok, I really appreciate the effort you have gone to. I will have a mess about at some point and report back!

Thanks again!

[mhertz]

You're welcome just wanted quickly to add that my last attempts then I could see from the log that it tried to run deluge but exited because it couldn't find profile folder. That makes sense since it's run as root I believe, so I added preceding '/usr/bin/sudo -u martin' and also added an '-E' as read that helped but still the same. Before that error it stated ''resource unavailable' when trying run deluge. Anyway just a quick update on progress and good luck fixing this in the future

[mhertz]

Okay, several hours of testing and I now finally got it working, atleast on my end

The systemd service file, I don't know if supplied by upstream, or specific to my distro(arch-linux), but there where some options that interfered and needing amending, so instead of editing the unit-file directly, I made a drop-in for it instead(so it will continue work when updated also):

Make the dir and file: /etc/systemd/system/openvpn-client@.service.d/override.conf:

Code: Select all

[Service]
PrivateTmp=
PrivateTmp=off
LimitNPROC=
LimitNPROC=infinity
ProtectSystem=
ProtectSystem=off
ProtectHome=
ProtectHome=off

To reinitialize the changes run:

Code: Select all

sudo systemctl daemon-reload

Then in your 'up' script, you make sure there are full path's to everything i.e. '/usr/bin/python /usr/bin/deluge-console' etc. Also, the script is run as root, so you need to precede the deluge-console command with the username you normally run deluge under and have your deluge profile-dir under i.e in my case '/usr/bin/sudo -u martin /usr/bin/python /usr/bin/deluge-console xxxxxxxx'. I read that scripts run from 'up' didn't allow sending packets out from the VPN as a security-meassure, and that was also what I experienced when testing, so I followed the recommended solution of forking off to another script, as the next script does have access to traffic over the VPN, so if your first script you run under 'up' is e.g. named 'delu1', then in that you just add:

Code: Select all

#!/usr/bin/bash

exec /etc/openvpn/client/delu2 &

And then you name the actual script 'delu2' and again remember full path and use 'sudo -u' to change user of the deluge-console command and make script executable etc.

Of course first check if there are any path differences between our setups also.

Good luck

[Ouroboruss]

Wow! I'm impressed how much work you have put into this! There's no way I would have been able to work this out for myself! I really appreciate it!

I will give it a go when I get home from work. Just a quick question though, I'm a bit wary about turning of things with protect in the name in the config override, what is the purpose of these?

[mhertz]

You're welcome

I couldn't get it working without overriding those options as they mask certain dirs including your /home partition(for added security) and so deluge-console wouldn't run as couldn't connect with deluge. I understand your precautions but it won't work without i'm afraid, though this is also new options from systemd which people have run without for years in previous init-systems(sysV etc.) and currently do in non-systemd distros like Slackware, gentoo and void-Linux etc. They don't change openvpn security and is "only" added security added by the init-system(systemd). I run openvpn directly from a script, without using systemd, so I have never used that extra protection either.

[Ouroboruss]

Hey Can you post the working version of your script please?

Im not sure I understand about the deluge profile and paths i need to put in.

Thanks

[mhertz]

We have different VPNs, so I cannot test your script, and you cannot test mine, but as I don't need this setup for myself and it was just a challenge to get working, then I tested with another simple script, but if that script works, which it does for me, then the portforwarding should also work if not having any errors in the script. Anyway, even my test script wouldn't run properly before making several changes, but these are described below, and of course switch username and paths accordingly and try my test-script first also, instead of your own. Also, have deluged running.

/etc/openvpn/client/pia.conf:

Code: Select all

[...]
script-security 2
up /etc/openvpn/client/delu1

/etc/openvpn/client/delu1:

Code: Select all

#!/usr/bin/bash

/etc/openvpn/client/delu2 &

/etc/openvpn/client/delu2:

Code: Select all

#!/usr/bin/bash

/usr/bin/curl ifconfig.co > /home/martin/iptest.txt
/usr/bin/sudo -u martin /usr/bin/python /usr/bin/deluge-console "config -s listen_ports (10050,10050)"

/etc/systemd/system/openvpn-client@.service.d/override.conf: (You need to make both dir and file)

Code: Select all

[Service]
LimitNPROC=
LimitNPROC=infinity
ProtectHome=
ProtectHome=off

Run:

Code: Select all

sudo systemctl daemon-reload

Now, check if you can see those above lines(from override.conf) at the bottom when running:

Code: Select all

sudo systemctl cat openvpn-client@.service

If you can, then the override is picked up correctly.

Then when testing, then start your vpn with:

Code: Select all

sudo systemctl start openvpn-client@pia

There should now after some secs be a file in your homedir named iptest.txt with the IP in it of your VPN and deluge should now been set to use port 10050. You can run this, to check it went well:

Code: Select all

sudo systemctl status openvpn-client@pia

Then stop the VPN again with:

Code: Select all

sudo systemctl stop openvpn-client@pia

Delete iptest.txt, and now that you know the setup is working, then you can add another working script instead as '/etc/openvpn/client/delu2'.

If not doing this test, then it's harder to know if it's the script or the "setup" that's still wrong.

Good luck

Edit: I deleted some lines from this posts '/etc/systemd/system/openvpn-client@.service.d/override.conf', as I found that some was redundant(won't hurt to include, just unneeded). Of the remaining two options I override, then the first limits the amount of processes you can run which your script would exhaust and hence fail. The second shields your /home partition, which won't work since that's where your profile dir is stored and hence makes deluge-console error out. There's also full of errors and issues posted on the net, where people get tripped up over these default settings in openvpn's systemd-unit.

[Ouroboruss]

Thanks so much! this works great!

Although, to begin with it was hit and miss wether it did work. It appeared to be running the script which was one step forward! however, sometimes it would refuse connection to the deluge daemon (127.0.0.1:58846) after running the script.

As it was working sometimes I could only assume it was down to how long it took to run the script? so I changed the 'up' to 'route-up' and set a delay of 10 seconds and it seems to have worked every time so far! hope fully it will continue to do so!

I owe you a pint! xD

[mhertz]

Lol, thanks mate, and well done finding a solution also

Btw, you probably already know, but just in case then remember 'random_port' also should be 'false' in deluge in addition to setting 'listen_ports' appropriately - this initially threw me off as deluge never respected 'listen_ports' with same number twice, without that setting also, which defaults to 'true'.

Lastly, it doesn't matter, but you can delete the 'exec ' in 'delu1'. (I checked it needs a '&' at the end for it to work, which would be redundant when using 'exec', but as it's needed, then the 'exec' is redundant) I edited the previous post to suit.