From 536f19bb6f204c737400b10c40c4ef4c36e5e297 Mon Sep 17 00:00:00 2001
From: binhex
Date: Mon, 26 Jun 2017 13:15:27 +0100
Subject: [PATCH] check for new env var for port fwd
---
run/root/getvpnport.sh | 67 ++++++++++++++++++++++++++----------------
run/root/openvpn.sh | 6 ++--
2 files changed, 43 insertions(+), 30 deletions(-)
diff --git a/run/root/getvpnport.sh b/run/root/getvpnport.sh
index baac6d5..263b553 100644
--- a/run/root/getvpnport.sh
+++ b/run/root/getvpnport.sh
@@ -11,49 +11,64 @@ rm -f /home/nobody/vpn_incoming_port.txt # check we are provider pia (note this env var is passed through to up script via openvpn --sentenv option) if [[ "${VPN_PROV}" == "pia" ]]; then - # remove temp file from previous run - rm -f /tmp/VPN_INCOMING_PORT + if [[ "${STRICT_PORT_FORWARD}" == "no" ]]; then - # create pia client id (randomly generated) - client_id=$(head -n 100 /dev/urandom | sha256sum | tr -d " -") + if [[ "${DEBUG}" == "true" ]]; then + echo "[debug] Port forwarding disabled, skipping incoming port detection" + fi - # get an assigned incoming port from pia's api using curl - curly.sh -rc 12 -rw 10 -of /tmp/VPN_INCOMING_PORT -url "${pia_api_url}/?client_id=${client_id}" - exit_code=$? + # create empty incoming port file (read by downloader script) + touch /home/nobody/vpn_incoming_port.txt - if [[ "${exit_code}" != 0 ]]; then + else - echo "[warn] Unable to assign incoming port (PIA API down or endpoint doesn't support incoming port?)" + # remove temp file from previous run + rm -f /tmp/VPN_INCOMING_PORT - echo "[info] Terminating OpenVPN process to force retry for incoming port..." - kill -2 $(cat /root/openvpn.pid) - exit 1 + # create pia client id (randomly generated) + client_id=$(head -n 100 /dev/urandom | sha256sum | tr -d " -") - else + # get an assigned incoming port from pia's api using curl + curly.sh -rc 12 -rw 10 -of /tmp/VPN_INCOMING_PORT -url "${pia_api_url}/?client_id=${client_id}" + exit_code=$? - VPN_INCOMING_PORT=$(cat /tmp/VPN_INCOMING_PORT | jq -r '.port') + if [[ "${exit_code}" != 0 ]]; then - if [[ "${VPN_INCOMING_PORT}" =~ ^-?[0-9]+$ ]]; then + echo "[warn] Unable to assign incoming port, PIA API down and/or endpoint doesn't support port forwarding" + echo "[info] Terminating OpenVPN process to force retry for incoming port..." 
- echo "[debug] Successfully assigned incoming port ${VPN_INCOMING_PORT}" - - # write port number to text file (read by downloader script) - echo "${VPN_INCOMING_PORT}" > /home/nobody/vpn_incoming_port.txt + kill -2 $(cat /root/openvpn.pid) + exit 1 else - echo "[warn] PIA incoming port malformed" + VPN_INCOMING_PORT=$(cat /tmp/VPN_INCOMING_PORT | jq -r '.port') - echo "[info] Terminating OpenVPN process to force retry for incoming port..." - kill -2 $(cat /root/openvpn.pid) - exit 1 + if [[ "${VPN_INCOMING_PORT}" =~ ^-?[0-9]+$ ]]; then - fi + if [[ "${DEBUG}" == "true" ]]; then + echo "[debug] Successfully assigned incoming port ${VPN_INCOMING_PORT}" + fi - fi + # write port number to text file (read by downloader script) + echo "${VPN_INCOMING_PORT}" > /home/nobody/vpn_incoming_port.txt + + else + + echo "[warn] PIA incoming port malformed" + echo "[info] Terminating OpenVPN process to force retry for incoming port..." + + kill -2 $(cat /root/openvpn.pid) + exit 1 + + fi + + fi else - echo "[debug] VPN provider ${VPN_PROV} is != pia, skipping incoming port detection" + if [[ "${DEBUG}" == "true" ]]; then + echo "[debug] VPN provider ${VPN_PROV} is != pia, skipping incoming port detection" + fi fi
diff --git a/run/root/openvpn.sh b/run/root/openvpn.sh
index 414aa76..4059fba 100644
--- a/run/root/openvpn.sh
+++ b/run/root/openvpn.sh
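Review bot: The re-indented check `if [[ "${VPN_INCOMING_PORT}" =~ ^-?[0-9]+$ ]]; then` still accepts a leading minus and any magnitude, so a value like `-1` or `99999` in the API reply would count as well-formed and be written to `/home/nobody/vpn_incoming_port.txt` for the downloader. Since the value comes from an external HTTP response, tighten it to `if [[ "${VPN_INCOMING_PORT}" =~ ^[0-9]+$ ]] && (( VPN_INCOMING_PORT >= 1 && VPN_INCOMING_PORT <= 65535 )); then` so anything outside the port range takes the existing malformed-port path instead. The retry branches also run `kill -2 $(cat /root/openvpn.pid)` unquoted; if the pid file is missing or empty this degrades to a bare `kill -2` that signals nothing and the script then exits without the intended restart, so quoting it as `kill -2 "$(cat /root/openvpn.pid)"` behind a `[[ -s /root/openvpn.pid ]]` test would make that failure explicit.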
@@ -1,12 +1,12 @@
#!/bin/bash
# define common command lne parameters for openvpn
-openvpn_cli="/usr/bin/openvpn --cd /config/openvpn --config ${VPN_CONFIG} --daemon --dev ${VPN_DEVICE_TYPE}0 --remote ${VPN_REMOTE} ${VPN_PORT} --proto ${VPN_PROTOCOL} --reneg-sec 0 --mute-replay-warnings --auth-nocache --keepalive 10 60 --setenv VPN_PROV ${VPN_PROV} --script-security 2 --up /root/openvpnup.sh --up-delay --up-restart --writepid /root/openvpn.pid"
+openvpn_cli="/usr/bin/openvpn --cd /config/openvpn --config ${VPN_CONFIG} --daemon --dev ${VPN_DEVICE_TYPE}0 --remote ${VPN_REMOTE} ${VPN_PORT} --proto ${VPN_PROTOCOL} --reneg-sec 0 --mute-replay-warnings --auth-nocache --keepalive 10 60 --setenv VPN_PROV ${VPN_PROV} --setenv DEBUG ${DEBUG} --script-security 2 --up /root/openvpnup.sh --up-delay --up-restart --writepid /root/openvpn.pid"
if [[ "${VPN_PROV}" == "pia" ]]; then
# add additional flags to pass credentials and ignore local-remote warnings
- openvpn_cli="${openvpn_cli} --auth-user-pass credentials.conf --disable-occ --remap-usr1 SIGHUP"
+ openvpn_cli="${openvpn_cli} --setenv STRICT_PORT_FORWARD ${STRICT_PORT_FORWARD} --auth-user-pass credentials.conf --disable-occ --remap-usr1 SIGHUP --log-append /config/supervisord.log"
fi
@@ -26,8 +26,6 @@ fi if [[ "${DEBUG}" == "true" ]]; then
- # add additional flag to append to log file stdout/stderr from up scripts
- openvpn_cli="${openvpn_cli} --log-append /config/supervisord.log"
echo "[debug] OpenVPN command line '${openvpn_cli}'"
fi
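Review bot: `--setenv STRICT_PORT_FORWARD ${STRICT_PORT_FORWARD}` on the new pia line (and `--setenv DEBUG ${DEBUG}` on the first new line) expands unquoted inside a string that is later word-split, so an unset or empty variable leaves `--setenv NAME` with no value token and the option that follows (`--auth-user-pass`, `--script-security`) is likely to be consumed or rejected by openvpn's option parser. Give each a default in the expansion, e.g. `--setenv STRICT_PORT_FORWARD ${STRICT_PORT_FORWARD:-yes}` and `--setenv DEBUG ${DEBUG:-false}` (getvpnport.sh in this commit treats any value other than `no` as strict and any value other than `true` as non-debug), or assert them with `: "${STRICT_PORT_FORWARD:?STRICT_PORT_FORWARD must be set}"` before the command line is built. Separately, `--log-append /config/supervisord.log` now applies to pia regardless of DEBUG and, per the second hunk, no longer applies to other providers even when DEBUG is true; if that is intended, a comment on the pia line saying so would stop the next reader from "fixing" it.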