
PIA: Port forwarding obtaining signature payload timeout #2048

Open
MillsyBot opened this issue Jan 16, 2024 · 10 comments · May be fixed by #2254

Comments

@MillsyBot

Hello!

First off: thanks for making such a cool product!

Now to business: I have been using PIA (sans port forwarding) for some time and have really enjoyed it. I am attempting now to add the port forwarding feature for a current use case that I have. I believe that I have configured things properly, however it is quite possible that I missed something. Here are the relevant environment variables:

VPN_PORT_FORWARDING=on
FIREWALL_VPN_INPUT_PORTS=
VPN_ENDPOINT_PORT=
VPN_PORT_FORWARDING_PROVIDER=private internet access
FIREWALL_INPUT_PORTS=
VPN_PORT_FORWARDING_STATUS_FILE=/gluetun/forwarded_port
VPN_PORT_FORWARDING_LISTENING_PORT=0

And here are the logs that I am getting.

2024-01-15T21:18:34-07:00 INFO [vpn] You are running on the bleeding edge of latest!
2024-01-15T21:18:34-07:00 INFO [port forwarding] starting
2024-01-15T21:19:04-07:00 ERROR [vpn] port forwarding for the first time: refreshing port forward data: fetching port forwarding data: obtaining signature payload: Get "https://10.31.110.1:19999/getSignature?token=<token>": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

I have verified on a few locations that claim they support port forwarding, however the results are the same. I attempted to reach the 10.31.110.1 port 19999 from inside the gluetun container, and that was also a bust.

Thanks in advance for any help. Sorry if this one is too obvious!

@qdm12 qdm12 changed the title PIA Port Forwarding Woes PIA: Port forwarding obtaining signature payload timeout Jan 19, 2024
@qdm12 (Owner) commented Jan 19, 2024

Hi there! I am not sure, I was going to say this VPN server probably doesn't support port forwarding... What server hostname/ip are you using, just to double check? If anyone else has the same issue, please chime in as well, thanks!

@MillsyBot (Author)

Hey! Thanks for the response.

SERVER_NAMES=vancouver433
SERVER_HOSTNAMES=ca-vancouver.privacy.network
SERVER_REGIONS=CA Vancouver

I have been using Vancouver to make the attempts, however I have cycled a few different servers in various regions (Venezuela, Mexico, Norway).

Is there a preferred or recommended order of preference for these variables? Like, only use SERVER_NAMES, or use all three, or use only one?

@ZulliB commented Jan 29, 2024

I have been dealing with the same issue for a while and here is the error I get:

gluetun-public  | 2024-01-29T12:14:05-08:00 WARN [port forwarding] Forwarded port data expired on Wed, 10 Jan 2024 16:56:07 UTC, getting another one
gluetun-public  | 2024-01-29T12:14:06-08:00 ERROR [vpn] port forwarding for the first time: refreshing port forward data: fetching port forwarding data: obtaining signature payload: Get "https://10.27.110.1:19999/getSignature?token=<token>": dial tcp 10.27.110.1:19999: connect: connection refused

I assume the token is actually being passed and the token isn't literal. Here are my relevant options (running the latest version):

      - VPN_TYPE=openvpn
      - OPENVPN_PROCESS_USER=root
      - VPN_SERVICE_PROVIDER=private internet access
      - SERVER_REGIONS=CA Vancouver
      - VPN_PORT_FORWARDING=on
      - VPN_PORT_FORWARDING_PROVIDER=private internet access
      - PRIVATE_INTERNET_ACCESS_OPENVPN_ENCRYPTION_PRESET=strong
      - FIREWALL=on

Hope some of this helps. Thank you for a great application.

@anorth2 commented Jan 30, 2024

+1 with connection refused. I confirmed I am using a server with port forwarding by manually testing in the PIA UI and receiving a forwarded port.

@ZulliB commented Jan 30, 2024

This could be related @qdm12 :

https://www.reddit.com/r/PrivateInternetAccess/comments/p0n7ge/cant_get_signature_for_port_forwarding_connection/ https://github.com/triffid/pia-wg/blob/master/pia-portforward.sh#L70-L72

Nice find. One thing I noticed is that gluetun is trying to get the signature from the gateway, which makes sense according to PIA's comments here.
Although, in the actual request they use PF_HOSTNAME and not PF_GATEWAY here.
Even the scripts you linked to appear to be using the domain name of the region server, i.e. ca-vancouver.privacy.network.

Hopefully it's not a red herring.

@qdm12 (Owner) commented May 2, 2024

@MillsyBot your error was "Client.Timeout exceeded while awaiting headers", so not connection refused; is this resolved now?

@anorth2 @ZulliB Your issue (connection refused) might be different from the original issue. If PIA port forwarding were broken in Gluetun, I would expect more people to ask about it 🤔 Plus it was working before.
Since the gateway is 10.27.110.1, would you be using 10.0.0.0/8 as your local Docker bridge network, for example? These can conflict with the gateway.

@ZulliB The curl command they have

curl -s -m 5 \
    --connect-to "$PF_HOSTNAME::$PF_GATEWAY:" \
    --cacert "ca.rsa.4096.crt" \
    -G --data-urlencode "token=${PIA_TOKEN}" \
    "https://${PF_HOSTNAME}:19999/getSignature"

actually connects to PF_GATEWAY (see --connect-to); PF_HOSTNAME is just used as an alias and to validate the TLS name.

Anyway, I also changed code so it communicates with the public VPN server IP address instead of the local gateway for PIA, in image qmcgaw/gluetun:pr-2254 can you try it? Thanks!
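The `--connect-to` plus `--cacert` behaviour described in the comment above, reproduced as an added Go example (not gluetun's own code): TCP is dialled to the gateway address while TLS is still verified against the region hostname and a pinned CA bundle. The hostname, gateway, CA bytes and token are assumptions supplied by the caller; the values in main are constructed from this thread.

```go
package main

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"time"
)

// rewriteDialAddr mirrors curl's --connect-to "HOST::GATEWAY:": HOST:port becomes GATEWAY:port.
func rewriteDialAddr(addr, hostname, gateway string) string {
	host, port, err := net.SplitHostPort(addr)
	if err != nil || host != hostname {
		return addr // any other address is dialled unchanged
	}
	return net.JoinHostPort(gateway, port)
}

// signatureURL builds the PIA /getSignature URL on port 19999 with the token URL-encoded.
func signatureURL(hostname, token string) string {
	u := url.URL{Scheme: "https", Host: net.JoinHostPort(hostname, "19999"), Path: "/getSignature"}
	u.RawQuery = url.Values{"token": {token}}.Encode()
	return u.String()
}

// newPinnedClient dials gateway for hostname but verifies the server certificate
// against hostname using only caPEM (the equivalent of --connect-to and --cacert).
func newPinnedClient(hostname, gateway string, caPEM []byte, timeout time.Duration) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("no CA certificate could be parsed from caPEM")
	}
	dialer := &net.Dialer{Timeout: timeout}
	transport := &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool, ServerName: hostname},
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			return dialer.DialContext(ctx, network, rewriteDialAddr(addr, hostname, gateway))
		},
	}
	return &http.Client{Transport: transport, Timeout: timeout}, nil
}

func main() {
	// Constructed values from this thread; the token is a placeholder.
	fmt.Println(signatureURL("ca-vancouver.privacy.network", "PLACEHOLDER_TOKEN"))
	fmt.Println(rewriteDialAddr("ca-vancouver.privacy.network:19999", "ca-vancouver.privacy.network", "10.27.110.1"))
}
```

Pass the client a request for signatureURL(hostname, token); the ServerName in the TLS config is what the certificate is checked against, not the gateway IP.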

@MillsyBot (Author) commented May 7, 2024

I pulled the image with the changes and it looks like it is getting "further" than before.

2024-05-07T11:21:40-06:00 ERROR [vpn] port forwarding for the first time: refreshing port forward data: fetching port forwarding data: obtaining signature payload: Get "https://208.78.42.180:19999/getSignature?token=<token>": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

root@doctor-ddos:/home/amills/htpc# docker exec -it gluetun sh
/ # wget https://208.78.42.180:19999/
--2024-05-07 11:24:29--  https://208.78.42.180:19999/
Connecting to 208.78.42.180:19999... ^C
/ # wget https://ca-vancouver.privacy.network:19999
--2024-05-07 11:24:59--  https://ca-vancouver.privacy.network:19999/
Resolving ca-vancouver.privacy.network (ca-vancouver.privacy.network)... 208.78.42.215, 89.149.52.23, 208.78.42.213
Connecting to ca-vancouver.privacy.network (ca-vancouver.privacy.network)|208.78.42.215|:19999... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-05-07 11:25:00 ERROR 404: Not Found.

/ # wget https://208.78.42.180:19999/
--2024-05-07 11:25:07--  https://208.78.42.180:19999/
Connecting to 208.78.42.180:19999... ^C
/ # wget https://ca-vancouver.privacy.network:19999/getSignature?token=
--2024-05-07 11:25:27--  https://ca-vancouver.privacy.network:19999/getSignature?token=
Resolving ca-vancouver.privacy.network (ca-vancouver.privacy.network)... 208.78.42.213, 208.78.42.215, 89.149.52.23
Connecting to ca-vancouver.privacy.network (ca-vancouver.privacy.network)|208.78.42.213|:19999... connected.
HTTP request sent, awaiting response... 401 Unauthorized

Username/Password Authentication Failed.
/ #

From inside the container I attempted to use the host name and the original IP. Seems like the host name properly resolves the endpoint.

Am I passing the wrong variables as env settings?

@qdm12 (Owner) commented May 18, 2024

Can you try pulling qmcgaw/gluetun:pr-2254 and check if it works now? It's now using the server hostname to get the signature and bind the port. I'm not sure why resolving ca-vancouver.privacy.network gives IP addresses different than the ones given by PIA's API https://serverlist.piaservers.net/vpninfo/servers/v5 but using the hostname should fix at least the /getSignature part I think.

@MillsyBot (Author)

2024-05-23T21:06:15-06:00 INFO [ip getter] Public IP address is 208.78.42.180 (Canada, British Columbia, Coquitlam)
2024-05-23T21:06:15-06:00 INFO [vpn] There is a new release v3.38.0 (v3.38.0) created 59 days ago
2024-05-23T21:06:15-06:00 INFO [port forwarding] starting
2024-05-23T21:06:16-06:00 ERROR [vpn] port forwarding for the first time: refreshing port forward data: fetching port forwarding data: HTTP status code is not OK: https://ca-vancouver.privacy.network:19999/getSignature?token=<token>: 401 401 Unauthorized: response received: { "status": "ERROR", "message": "Unauthorized client"}

Almost there. I literally posted the log line, so that is literally what is being output. Does the logging agent obfuscate the token?
