Fix/improve port forwarding handling

Dockerfile

@@ -30,6 +30,7 @@ ENV USER= \
     BLOCK_NSA=off \
     UNBLOCK= \
     EXTRA_SUBNETS= \
+    PORT_FORWARDING=false \
     PROXY=on \
     PROXY_LOG_LEVEL=Critical \
     PROXY_PORT=8888 \
@@ -38,7 +39,7 @@ ENV USER= \
 ENTRYPOINT /entrypoint.sh
 EXPOSE 8888
 HEALTHCHECK --interval=3m --timeout=3s --start-period=20s --retries=1 CMD /healthcheck.sh
-RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip tinyproxy && \
+RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip tinyproxy jq && \
     wget -q https://www.privateinternetaccess.com/openvpn/openvpn.zip \
     https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip \
     https://www.privateinternetaccess.com/openvpn/openvpn-tcp.zip \

README.md

@@ -154,6 +154,7 @@ docker run --rm --network=container:pia alpine:3.10 wget -qO- https://ipinfo.io
 | `BLOCK_NSA` | `off` | `on` or `off`, blocks NSA hostnames |
 | `UNBLOCK` | | comma separated string (i.e. `web.com,web2.ca`) to unblock hostnames |
 | `EXTRA_SUBNETS` | | comma separated subnets allowed in the container firewall (i.e. `192.168.1.0/24,192.168.10.121,10.0.0.5/28`) |
+| `PORT_FORWARDING` | | Set to `true` to read the forwarded port |
 | `PROXY` | `on` | `on` or `off`, to switch the internal HTTP proxy |
 | `PROXY_LOG_LEVEL` | `Critical` | `Info`, `Warning`, `Error` or `Critical` |
 | `PROXY_PORT` | `8888` | `1024` to `65535` internal port for HTTP proxy |
@@ -236,7 +237,11 @@ There are various ways to achieve this, depending on your use case.
 
 ## Port forwarding
 
-On a running PIA container, say `pia`, simply run:
+By setting `PORT_FORWARDING` environment variable to `true`, the forwarded port will be read and written to `/forwarded_port`.
+
+You can mount this file as a volume to read it from other containers.
+
+On a running PIA container, say `pia`, you can also run the script manually:
 
 ```sh
 docker exec -it pia /portforward.sh

entrypoint.sh

@@ -266,8 +266,6 @@ fi
 # Note: TUN device re-opening will restart the container due to permissions
 printf "DONE\n"
 
-
-
 ############################################
 # NETWORKING
 ############################################
@@ -395,6 +393,14 @@ if [ "$PROXY" == "on" ]; then
   printf "DONE\n"
 fi
 
+############################################
+# READ FORWARDED PORT
+############################################
+
+if [ "$PORT_FORWARDING" == "true" ]; then
+  sleep 10 && /portforward.sh &
+fi
+
 ############################################
 # OPENVPN LAUNCH
 ############################################

portforward.sh

@@ -11,6 +11,7 @@ exitOnError(){
   fi
 }
 
+printf "[INFO] Reading forwarded port\n"
 client_id=`head -n 100 /dev/urandom | sha256sum | tr -d " -"`
 exitOnError $?
 json=`wget -qO- "http://209.222.18.222:2000/?client_id=$client_id" 2>/dev/null`
@@ -19,16 +20,20 @@ if [ "$json" == "" ]; then
     printf "Port forwarding is already activated on this connection, has expired, or you are not connected to a PIA region that supports port forwarding\n"
     exit 1
 fi
-port=`echo $json | grep -Eo [0-9]{3,5}`
+port=`echo $json | jq .port`
+port_file="/forwarded_port"
+echo "$port" > $port_file
+printf " * Written forwarded port to $port_file\n"
 ip=`wget -qO- https://diagnostic.opendns.com/myip`
 exitOnError $?
-printf "Forwarded port for IP $ip is: $port\n"
-printf "Detecting target VPN interface..."
+printf " * Forwarded port for IP $ip is: $port\n"
+printf " * Detecting target VPN interface..."
 TARGET_PATH="/openvpn/target"
 vpn_device=$(cat $TARGET_PATH/config.ovpn | grep 'dev ' | cut -d" " -f 2)0
 exitOnError $?
 printf "$vpn_device\n"
-printf "Accepting input traffic through $vpn_device to port $port..."
-iptables -A INPUT -i $vpn_device --dport $PORT -j ACCEPT
+printf " * Accepting input traffic through $vpn_device to port $port..."
+iptables -A INPUT -i $vpn_device -p tcp --dport $port -j ACCEPT
+iptables -A INPUT -i $vpn_device -p udp --dport $port -j ACCEPT
 exitOnError $?
 printf "DONE\n"