Messages - BondiBlueBalls

#1
Quote from: Bob.Dig on January 16, 2025, 10:32:31 AM
Quote from: bartjsmit on January 16, 2025, 10:26:59 AM
That is not likely to happen
Proton does allow opening a randomized port but it is very difficult to set up and the port can change any time.

I have a tool that will manage the port from Proton and sync it to OPNsense. It will optionally manage the forwarded port in qBittorrent, too. I've been running various iterations of it for two years without issue. https://github.com/clajiness/qbop
#2
Hey, all. I'm not sure if this meets your needs, but I wrote a little script that grabs the forwarded port from ProtonVPN and syncs it with OPNsense and qBittorrent. It's been keeping everything running perfectly for me for over a year. Hope it helps! https://github.com/clajiness/qbop
#3
What are you trying to modify, specifically? If you're trying to update the forwarded port (which seems the likely case), set an alias and update that.

Here's some Ruby code I wrote a while back to get the job done. This class can grab the UUID of the alias, find the value, set it to whatever you like, and then apply it.

Good luck!


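require "json"
require "logger"
require "net/http"
require "openssl"
require "uri"

module Service
  class Opnsense
    # The rescue handlers below log through @logger. The constructor was not
    # part of the posted snippet, so this default is an assumption.
    def initialize(logger = Logger.new($stdout))
      @logger = logger
    end
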
    def get_alias_uuid(config)
      uri = URI("#{config['opnsense_interface_addr']}/api/firewall/alias/getAliasUUID/#{config['opnsense_alias_name']}")

      # Create client
      http = Net::HTTP.new(uri.host, uri.port)
      http.use_ssl = true
      http.verify_mode = OpenSSL::SSL::VERIFY_NONE

      # Create Request
      req = Net::HTTP::Get.new(uri)
      req.basic_auth config["opnsense_api_key"], config["opnsense_api_secret"]

      # Fetch Request
      res = http.request(req)
      JSON.parse(res.body)["uuid"]
    rescue StandardError => e
      @logger.error("get_alias_uuid - HTTP Request failed - (#{e.message})")
    end

    def get_alias_value(config, uuid)
      uri = URI("#{config['opnsense_interface_addr']}/api/firewall/alias/get")

      # Create client
      http = Net::HTTP.new(uri.host, uri.port)
      http.use_ssl = true
      http.verify_mode = OpenSSL::SSL::VERIFY_NONE

      # Create Request
      req = Net::HTTP::Get.new(uri)
      req.basic_auth config["opnsense_api_key"], config["opnsense_api_secret"]

      # Fetch Request
      res = http.request(req)

      alias_content = JSON.parse(res.body).dig("alias", "aliases", "alias", uuid, "content")
      alias_content.values[0]["value"].to_i
    rescue StandardError => e
      @logger.error("get_alias_value - HTTP Request failed - (#{e.message})")
    end

    def set_alias_value(config, forwarded_port, uuid)
      uri = URI("#{config['opnsense_interface_addr']}/api/firewall/alias/setItem/#{uuid}")

      # Create client
      http = Net::HTTP.new(uri.host, uri.port)
      http.use_ssl = true
      http.verify_mode = OpenSSL::SSL::VERIFY_NONE
      body = {"alias": {"content": forwarded_port}}.to_json

      # Create Request
      req = Net::HTTP::Post.new(uri)
      # Add basic auth credentials (API key and secret)
      req.basic_auth config["opnsense_api_key"], config["opnsense_api_secret"]
      # Add headers
      req.add_field "Content-Type", "application/json; charset=utf-8"
      # Set body
      req.body = body

      # Fetch Request
      http.request(req)
    rescue StandardError => e
      @logger.error("set_alias_value - HTTP Request failed - (#{e.message})")
    end

    def apply_changes(config)
      uri = URI("#{config['opnsense_interface_addr']}/api/firewall/alias/reconfigure")

      # Create client
      http = Net::HTTP.new(uri.host, uri.port)
      http.use_ssl = true
      http.verify_mode = OpenSSL::SSL::VERIFY_NONE

      # Create Request
      req = Net::HTTP::Post.new(uri)
      # Add basic auth credentials (API key and secret)
      req.basic_auth config["opnsense_api_key"], config["opnsense_api_secret"]

      # Fetch Request
      http.request(req)
    rescue StandardError => e
      @logger.error("apply_changes - HTTP Request failed - (#{e.message})")
    end
  end
end
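
The class above sets `VERIFY_NONE` on every client while sending the API key and secret with basic auth, so the credentials go to whichever host answers the TLS handshake. The following is an added example, not part of the original post or of qbop: it builds one verified client, validates the port and UUID before they reach the firewall alias, and treats non-2xx responses as failures. The module name, method names and the `ca_file` setting are assumptions.

```ruby
require "json"
require "net/http"
require "openssl"
require "uri"

# Added example; module and method names are hypothetical.
module OpnsenseClient
  module_function

  # One verified HTTPS client instead of four VERIFY_NONE copies.
  # ca_file (assumed config value) is the PEM of the CA or self-signed
  # certificate that the OPNsense web GUI presents.
  def build_http(base_url, ca_file: nil)
    uri = URI(base_url)
    raise ArgumentError, "https required: #{base_url}" unless uri.is_a?(URI::HTTPS)

    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    http.ca_file = ca_file if ca_file
    http
  end

  # Accept exactly one port number; anything else never reaches the alias.
  def validate_port(value)
    port = Integer(value.to_s, 10)
    raise ArgumentError, "port out of range: #{port}" unless (1..65_535).cover?(port)

    port
  end

  # A failed UUID lookup (nil, or a logger return value) must not end up
  # interpolated into the setItem URL.
  def set_alias_request(base_url, uuid, port, key, secret)
    raise ArgumentError, "bad uuid: #{uuid.inspect}" unless uuid.to_s.match?(/\A[0-9a-f-]{36}\z/i)

    req = Net::HTTP::Post.new(URI("#{base_url}/api/firewall/alias/setItem/#{uuid}"))
    req.basic_auth key, secret
    req["Content-Type"] = "application/json; charset=utf-8"
    req.body = { alias: { content: validate_port(port) } }.to_json
    req
  end

  # Net::HTTP does not raise on 401/403/500, so check the status explicitly.
  def ensure_success!(res)
    raise "OPNsense API returned HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)

    res
  end
end
```

Export the web GUI certificate (or its issuing CA) from OPNsense once and point `ca_file` at it; a self-signed certificate then verifies without falling back to `VERIFY_NONE`.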
#4
For the sake of having another data point, I figured I'd report back. I ran the opnsense-revert command, restarted the service, and everything works perfectly.

Thanks much for everything! It's much appreciated.
#5
Will the updated code be included in 24.1.9? Also, thank you!
#6
Disregard. A user on Reddit showed me this issue: https://github.com/opnsense/plugins/issues/3831.

Thanks much!
#7
I've confirmed that this is the case for both my Xbox and PS5. The PS5 definitely used to clear its entry when it shut down. Now both devices' entries pile up and require manual removal.

No big deal, I assume, but it'd be nice if the table reflected the actual state of UPnP.
#8
I've scanned the port, and it doesn't seem to be open. Then again, it doesn't seem to be open even when the Xbox is on. I guess I'm more curious as to why the rows aren't removed anymore when the port is closed.
#9
Hi, all. I noticed that in the UPnP status table, my previous sessions are not being cleared. I know this used to happen, but I haven't checked in a while, so I'm not sure when this current behavior began.

Could this possibly mean that the port is not being closed when the Xbox is turned off?

Anyone else seeing the same or similar behavior?

For reference, I'm on 24.1.5_3.

Thanks much!
#10
+1, I noticed the same issue.
#11
Add me to the list, too. Preemptive thanks to whoever figures out a fix!
#12
23.7 Legacy Series / Re: [solved] PIA Wireguard Tunnel
November 28, 2023, 12:17:06 AM
Glad you're up and running. The fact that you're using a 3rd party script would be useful info next time. :)
#13
23.7 Legacy Series / Re: PIA Wireguard Tunnel
November 27, 2023, 11:46:59 PM
Did you use the FingerlessGlov3s script to set up your tunnel? If so, it looks like the maintainer released an update to support a change made in 23.7.8.

https://github.com/FingerlessGlov3s/OPNsensePIAWireguard/releases/tag/23.7.8-1
#14
PIA absolutely supports port forwarding outside of the app. https://helpdesk.privateinternetaccess.com/kb/articles/manual-connection-and-port-forwarding-scripts-for-linux

If you want a better alternative (imo), I'm currently using ProtonVPN via WireGuard, and port forwarding works perfectly. I wrote a little script to handle natpmpc, but it's really straightforward otherwise. https://protonvpn.com/support/port-forwarding-manual-setup/

So ya, I used this (https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html) with the info above, and my proton connection has been rock solid.

Good luck!
#15
23.7 Legacy Series / Re: Question about enabling RSS
August 09, 2023, 09:40:35 PM
I think this best explains why we still see "direct" under Configuration -> Dispatch policy: https://forum.opnsense.org/index.php?topic=24409.msg118244#msg118244