Bash script to change the listen_ports
-
- Member
- Posts: 17
- Joined: Tue Jul 09, 2019 11:20 pm
Re: Bash script to change the listen_ports
Ok, I really appreciate the effort you have gone to. I will have a mess about at some point and report back!
Thanks again!
Re: Bash script to change the listen_ports
You're welcome. I just wanted to quickly add that in my last attempts I could see from the log that it tried to run deluge but exited because it couldn't find the profile folder. That makes sense since it's run as root, I believe, so I added a preceding '/usr/bin/sudo -u martin' and also added an '-E', as I read that helped, but still the same. Before that error it stated 'resource unavailable' when trying to run deluge. Anyway, just a quick update on progress, and good luck fixing this in the future.
Re: Bash script to change the listen_ports
Okay, several hours of testing and I now finally got it working, at least on my end.
The systemd service file, I don't know if supplied by upstream or specific to my distro (Arch Linux), but there were some options that interfered and needed amending, so instead of editing the unit file directly, I made a drop-in for it instead (so it will continue to work when updated also):
Make the dir and file: /etc/systemd/system/openvpn-client@.service.d/override.conf:
Code:
[Service]
PrivateTmp=
PrivateTmp=off
LimitNPROC=
LimitNPROC=infinity
ProtectSystem=
ProtectSystem=off
ProtectHome=
ProtectHome=off

To reinitialize the changes run:
Code:
sudo systemctl daemon-reload

Then in your 'up' script, you make sure there are full paths to everything, i.e. '/usr/bin/python /usr/bin/deluge-console' etc. Also, the script is run as root, so you need to precede the deluge-console command with the username you normally run deluge under and have your deluge profile dir under, i.e. in my case '/usr/bin/sudo -u martin /usr/bin/python /usr/bin/deluge-console xxxxxxxx'. I read that scripts run from 'up' didn't allow sending packets out from the VPN as a security measure, and that was also what I experienced when testing, so I followed the recommended solution of forking off to another script, as the next script does have access to traffic over the VPN, so if the first script you run under 'up' is e.g. named 'delu1', then in that you just add:
Code:
#!/usr/bin/bash
exec /etc/openvpn/client/delu2 &

And then you name the actual script 'delu2' and again remember the full path and use 'sudo -u' to change user of the deluge-console command and make the script executable etc.
Of course first check if there are any path differences between our setups also.
Good luck
Re: Bash script to change the listen_ports
Wow! I'm impressed how much work you have put into this! There's no way I would have been able to work this out for myself! I really appreciate it!
I will give it a go when I get home from work. Just a quick question though, I'm a bit wary about turning off things with protect in the name in the config override, what is the purpose of these?
Re: Bash script to change the listen_ports
You're welcome
I couldn't get it working without overriding those options, as they mask certain dirs including your /home partition (for added security), and so deluge-console wouldn't run as it couldn't connect with deluge. I understand your precautions, but it won't work without, I'm afraid, though these are also new options from systemd which people have run without for years in previous init systems (sysV etc.) and currently do in non-systemd distros like Slackware, Gentoo and Void Linux etc. They don't change openvpn security and are "only" added security added by the init system (systemd). I run openvpn directly from a script, without using systemd, so I have never used that extra protection either.
Re: Bash script to change the listen_ports
Hey, can you post the working version of your script please?
I'm not sure I understand about the deluge profile and paths I need to put in.
Thanks
Re: Bash script to change the listen_ports
We have different VPNs, so I cannot test your script, and you cannot test mine, but as I don't need this setup for myself and it was just a challenge to get working, then I tested with another simple script, but if that script works, which it does for me, then the port forwarding should also work if not having any errors in the script. Anyway, even my test script wouldn't run properly before making several changes, but these are described below, and of course switch username and paths accordingly and try my test script first also, instead of your own. Also, have deluged running.
/etc/openvpn/client/pia.conf:
Code:
[...]
script-security 2
up /etc/openvpn/client/delu1

/etc/openvpn/client/delu1:
Code:
#!/usr/bin/bash
# Fork the real work off into a second script, run in the background
/etc/openvpn/client/delu2 &

/etc/openvpn/client/delu2:
Code:
#!/usr/bin/bash
# Test only: write the public IP reported by ifconfig.co to a file
/usr/bin/curl ifconfig.co > /home/martin/iptest.txt
# Run deluge-console as the user who owns the deluge profile dir
/usr/bin/sudo -u martin /usr/bin/python /usr/bin/deluge-console "config -s listen_ports (10050,10050)"

/etc/systemd/system/openvpn-client@.service.d/override.conf: (You need to make both dir and file)
Code:
[Service]
LimitNPROC=
LimitNPROC=infinity
ProtectHome=
ProtectHome=off

Run:
Code:
sudo systemctl daemon-reload

Now, check if you can see those above lines (from override.conf) at the bottom when running:
Code:
sudo systemctl cat openvpn-client@.service

If you can, then the override is picked up correctly.
Then when testing, start your VPN with:
Code:
sudo systemctl start openvpn-client@pia

There should now after some secs be a file in your homedir named iptest.txt with the IP of your VPN in it, and deluge should now have been set to use port 10050. You can run this to check it went well:
Code:
sudo systemctl status openvpn-client@pia

Then stop the VPN again with:
Code:
sudo systemctl stop openvpn-client@pia

Delete iptest.txt, and now that you know the setup is working, you can add another working script instead as '/etc/openvpn/client/delu2'.
If not doing this test, then it's harder to know if it's the script or the "setup" that's still wrong.
Good luck
Edit: I deleted some lines from this post's '/etc/systemd/system/openvpn-client@.service.d/override.conf', as I found that some were redundant (won't hurt to include, just unneeded). Of the remaining two options I override, the first limits the amount of processes you can run, which your script would exhaust and hence fail. The second shields your /home partition, which won't work since that's where your profile dir is stored and hence makes deluge-console error out. There are also plenty of errors and issues posted on the net, where people get tripped up over these default settings in openvpn's systemd unit.
Last edited by mhertz on Fri Jul 12, 2019 12:43 am, edited 1 time in total.
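A way to see exactly which sandboxing and limit settings an override like the ones in this thread switches off, so the drop-in can be kept to the minimum that is needed. This is an added example, not code from any poster; the function name `weakened_directives` and the rule that only `Protect*`, `Private*` and `Limit*` keys are reported are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): report hardening directives that a
# systemd unit or drop-in explicitly switches off. Reads unit text on stdin.
weakened_directives() {
    awk '
        /^[ \t]*[#;]/ { next }                  # comment lines
        /^[ \t]*\[/   { in_service = ($0 ~ /^[ \t]*\[Service\][ \t]*$/); next }
        !in_service   { next }                  # only [Service] is audited
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            # Assumption: an empty assignment is skipped, so the audit stays
            # conservative and keeps the last explicit value for each key.
            if (val == "") next
            if (!(key in last)) order[++n] = key
            last[key] = val                     # later assignments win
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]; v = tolower(last[k])
                off = (v ~ /^(0|no|n|false|f|off)$/)
                if ((k ~ /^(Protect|Private)/ && off) ||
                    (k ~ /^Limit/ && v == "infinity"))
                    print k "=" last[k]
            }
        }
    '
}

# The two override.conf versions posted in this thread.
first_override() {
    printf '%s\n' '[Service]' 'PrivateTmp=' 'PrivateTmp=off' \
        'LimitNPROC=' 'LimitNPROC=infinity' 'ProtectSystem=' \
        'ProtectSystem=off' 'ProtectHome=' 'ProtectHome=off'
}
second_override() {
    printf '%s\n' '[Service]' 'LimitNPROC=' 'LimitNPROC=infinity' \
        'ProtectHome=' 'ProtectHome=off'
}

echo "first:";  first_override  | weakened_directives
echo "second:"; second_override | weakened_directives
```

On a live host, piping `sudo systemctl cat openvpn-client@.service` into `weakened_directives` audits the packaged unit together with its drop-ins, because the drop-in lines are printed after the unit's own.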
Re: Bash script to change the listen_ports
Thanks so much! This works great!
Although, to begin with it was hit and miss whether it did work. It appeared to be running the script, which was one step forward! However, sometimes it would refuse connection to the deluge daemon (127.0.0.1:58846) after running the script.
As it was working sometimes I could only assume it was down to how long it took to run the script? So I changed the 'up' to 'route-up' and set a delay of 10 seconds and it seems to have worked every time so far! Hopefully it will continue to do so!
I owe you a pint! xD
Re: Bash script to change the listen_ports
Lol, thanks mate, and well done finding a solution also
Btw, you probably already know, but just in case then remember 'random_port' also should be 'false' in deluge in addition to setting 'listen_ports' appropriately - this initially threw me off as deluge never respected 'listen_ports' with same number twice, without that setting also, which defaults to 'true'.
Lastly, it doesn't matter, but you can delete the 'exec ' in 'delu1'. (I checked it needs a '&' at the end for it to work, which would be redundant when using 'exec', but as it's needed, then the 'exec' is redundant) I edited the previous post to suit.