From 62f4cc56b43f746b7c850c7ecc0b55a42d8fec8e Mon Sep 17 00:00:00 2001
From: Quentin McGaw
Date: Wed, 26 Jun 2019 17:24:10 +0200
Subject: [PATCH] Added port forwarding, fixes #14
---
 Dockerfile | 4 ++--
 README.md | 14 +++++++++++++-
 portforward.sh | 11 +++++++++++
 3 files changed, 26 insertions(+), 3 deletions(-)
 create mode 100644 portforward.sh
diff --git a/Dockerfile b/Dockerfile
index adc451ef..28994dd0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -57,9 +57,9 @@ RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptab
 tar -cjf /etc/unbound/blocks-nsa.bz2 blocks-nsa.conf && \
 rm -f /tmp/*
 COPY unbound.conf /etc/unbound/unbound.conf
-COPY entrypoint.sh healthcheck.sh /
+COPY entrypoint.sh healthcheck.sh portforward.sh /
 RUN chown nonrootuser -R /etc/unbound && \
 chmod 700 /etc/unbound && \
 chmod 600 /etc/unbound/unbound.conf && \
- chmod 500 /entrypoint.sh /healthcheck.sh && \
+ chmod 500 /entrypoint.sh /healthcheck.sh /portforward.sh && \
 chmod 400 /etc/unbound/root.hints /etc/unbound/root.key /etc/unbound/*.bz2
diff --git a/README.md b/README.md
index 07829d7e..4cd9c025 100644
--- a/README.md
+++ b/README.md
@@ -54,6 +54,7 @@
 - Unbound DNS runs *without root*
 - OpenVPN can run *without root* but this disallows OpenVPN reconnecting, it can be set with `NONROOT=yes`
 - **ARM** compatible
+- Port forwarding
 ## Setup
@@ -332,6 +333,18 @@ There are various ways to achieve this, depending on your use case.

+## Port forwarding
+
+On a running PIA container, say `pia`, simply run:
+
+```sh
+docker exec -it pia /portforward.sh
+```
+
+And it will indicate you the port forwarded for your current public IP address.
+
+Note that not all regions support port forwarding.
+
 ## For the paranoids
 - You can review the code which essential consists in the [Dockerfile](https://github.com/qdm12/private-internet-access-docker/blob/master/Dockerfile) and [entrypoint.sh](https://github.com/qdm12/private-internet-access-docker/blob/master/entrypoint.sh)
@@ -349,7 +362,6 @@ There are various ways to achieve this, depending on your use case.
 ## TODOs
 - [ ] Tiny proxy for LAN devices to use the container
-- [ ] Port forwarding
 ## License
diff --git a/portforward.sh b/portforward.sh
new file mode 100644
index 00000000..ca723b41
--- /dev/null
+++ b/portforward.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+client_id=`head -n 100 /dev/urandom | sha256sum | tr -d " -"`
+json=`wget -qO- "http://209.222.18.222:2000/?client_id=$client_id" 2>/dev/null`
+if [ "$json" == "" ]; then
+ printf "Port forwarding is already activated on this connection, has expired, or you are not connected to a PIA region that supports port forwarding\n"
+ exit 1
+fi
+port=`echo $json | grep -Eo [0-9]{3,5}`
+ip=`wget -qO- https://diagnostic.opendns.com/myip`
+printf "Forwarded port for IP $ip is: $port\n"
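Review bot: The last `printf` in portforward.sh places `$ip`, the body of the response fetched from diagnostic.opendns.com, inside the format string, so any `%` or backslash sequence in that response is interpreted by printf rather than printed; pass the values as arguments instead, `printf 'Forwarded port for IP %s is: %s\n' "$ip" "$port"`. The `port=` line leaves both `$json` and the pattern unquoted, so the API response is word-split and globbed and `[0-9]{3,5}` is itself open to pathname expansion (and brace expansion in shells that have it); `port=$(printf '%s' "$json" | grep -Eo '[0-9]{3,5}')` avoids both. That pattern also accepts any 3–5 digit run in the response rather than the port field, and an empty `$port` or `$ip` still prints the success line and exits 0, so a guard such as `[ -n "$port" ] || exit 1` before the final line would keep a failed lookup from being reported as a forwarded port. Under `#!/bin/sh` the emptiness test should use `=` rather than `==`, which POSIX `[` does not define.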