
port_forwarding.sh curl gives "Unauthorized client" error #162

Open
jvs3 opened this issue Aug 15, 2022 · 15 comments

@jvs3

jvs3 commented Aug 15, 2022

I'm running the scripts in this order:

get_region.sh
```sh
PIA_USER=(user removed) PIA_PASS=(password removed) ./get_region.sh
```

This gives a list of latencies and the following output:

A list of servers and connection details, ordered by latency can be
found in at : /opt/piavpn-manual/latencyList

The lowest latency region is Netherlands.

The script found the best servers from the region you selected.
When connecting to an IP (no matter which protocol), please verify
the SSL/TLS certificate actually contains the hostname so that you
are sure you are connecting to a secure server, validated by the
PIA authority. Please find below the list of best IPs and matching
hostnames for each protocol:
Meta Services 195.78.54.5 - amsterdam429
WireGuard 195.78.54.168 - amsterdam429
OpenVPN TCP 195.78.54.161 - amsterdam429
OpenVPN UDP 195.78.54.209 - amsterdam429

Checking login credentials...OK!

PIA_TOKEN=(token removed)

This token will expire in 24 hours, on Wed Aug 17 01:05:53 2022.

port_forwarding.sh
I then execute port_forwarding.sh using the output from get_region.sh

```sh
PF_GATEWAY=195.78.54.209 PF_HOSTNAME=amsterdam429 PIA_TOKEN=(token removed) ./port_forwarding.sh
```

This gives the output:

```text
Getting new signature... The payload_and_signature variable does not contain an OK status.
```

If I remove the 'payload_and_signature="$(' and ')"' on lines 86 and 90 and change -s to -v on line 86, I get two possible outputs depending on the PF_GATEWAY and PF_HOSTNAME used. Some servers give output 1 and some servers give output 2; a given server always gives the same output.

Output 1

```text
* Connecting to hostname: 195.78.54.161
*   Trying 195.78.54.161:19999...
* Connected to 195.78.54.161 (195.78.54.161) port 19999 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: ca.rsa.4096.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=CA; L=LosAngeles; O=Private Internet Access; OU=Private Internet Access; CN=amsterdam429; name=amsterdam429
*  start date: Jul 19 08:15:40 2022 GMT
*  expire date: Jan 15 08:15:40 2023 GMT
*  subjectAltName: host "amsterdam429" matched cert's "amsterdam429"
*  issuer: C=US; ST=CA; L=LosAngeles; O=Private Internet Access; OU=Private Internet Access; CN=Private Internet Access; name=Private Internet Access; emailAddress=secure@privateinternetaccess.com
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55776a7ea990)
> GET /getSignature?token=ahFmGZzJVcJTApdAj3CN%2BMiFTDzbB2iwzOuwxtpGYmyVmP8mAuPO4TJ%2BEHWgbD5xWqGT68hX4JUiAIfvepZCB2Bjcr19pQsXRmkfDbj1565vw06NoMhZw8SqSbw%3D HTTP/2
> Host: amsterdam429:19999
> user-agent: curl/7.74.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 401
< content-type: text/plain; charset=utf-8
< x-content-type-options: nosniff
< content-length: 64
< date: Mon, 15 Aug 2022 22:34:20 GMT
<
{
    "status": "ERROR",
    "message": "Unauthorized client"
}
```

Output 2

```text
* Connecting to hostname: 37.19.197.211
*   Trying 37.19.197.211:19999...
* connect to 37.19.197.211 port 19999 failed: Connection refused
* Failed to connect to 37.19.197.211 port 19999: Connection refused
* Closing connection 0
curl: (7) Failed to connect to 37.19.197.211 port 19999: Connection refused
```

@tcurdt

tcurdt commented Jan 14, 2023

I am seeing the same thing like this:

```sh
VPN_LOCALIP=$(ip addr show tun0 | grep -Po 'inet \K[\d.]+')

export PF_GATEWAY=$VPN_LOCALIP
export PF_HOSTNAME="stockholm406"
export PIA_TOKEN=38***
```

Getting new signature... The payload_and_signature variable does not contain an OK status.

But I am utterly confused by the docs on the parameters PF_GATEWAY and PF_HOSTNAME.
I also tried the listed IPs.

```text
PF_GATEWAY=46.246.3.245
PF_HOSTNAME=stockholm406
PIA_TOKEN=38***

Getting new signature... The payload_and_signature variable does not contain an OK status.
```

```text
PF_GATEWAY=46.246.3.225
PF_HOSTNAME=stockholm406
PIA_TOKEN=38***

Getting new signature... The payload_and_signature variable does not contain an OK status.
```

Did you find any way around this, @jvs3 ?

@tcurdt

tcurdt commented Jan 15, 2023

Where this

```sh
curl -s -m 5 --connect-to stockholm406::46.246.3.225: --cacert ca.rsa.4096.crt -G --data-urlencode token=e66*** https://stockholm406:19999/getSignature
```

then results in

```json
{
    "status": "ERROR",
    "message": "Unauthorized client"
}
```

@theflyingsquirrel88

I am still getting this unauthorized client error. Any update on how you fixed it?

@tcurdt

tcurdt commented Sep 7, 2023

@theflyingsquirrel88 using the scripts as is seems to work for some reason.
That does not help in my case though. And the support was utterly useless.
"These scripts are the only supported way, sorry!"

@tcurdt

tcurdt commented Sep 7, 2023

Holy smokes. I got it working now.

```text
    "status": "OK",
    "payload": "eyJ0b<...>",
    "signature": "ro56AWM/<...>"
}
* Connection #0 to host 10.32.112.1 left intact
OK!

Signature 3cyeDFjcVVOGYg0MmY9G9fA<...>
Payload   eyJ0b2tlbiI6IjUwMmE3M2Fj<..>

--> The port is 22219 and it will expire on 2023-11-08T14:20:08.551108225Z. <--

Trying to bind the port... OK!
Forwarded port	22319
Refreshed on	Thu  7 Sep 03:20:09 BST 2023
Expires on	Wed  8 Nov 14:20:08 GMT 2023

This script will need to remain active to use port forwarding, and will refresh every 15 minutes.
```

The trick was that the PF_HOSTNAME needs to match the PF_GATEWAY (which must be the gateway of the local route of the tun interface). For some reason "get_region" did not print the correct hostname. The correct hostname can be found in the TLS subjectAltName.

HTH

@fholzer

fholzer commented Dec 19, 2023

Seems like the port forwarding request needs to be sent to the internal IP of the servers, not the external one. You can get that IP from the payload of the call in the respective connect_*.sh. For WireGuard I created a PR to fix this: #185

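Putting the two observations above together (PF_HOSTNAME must be the name in the server certificate, PF_GATEWAY must be the internal address, not the public one), here is an added example; it is not code from the pia-foss/manual-connections scripts or from any commenter. It keeps port 19999, ca.rsa.4096.crt and the --connect-to form from the thread; the tun0 interface name and the jq-free JSON parsing are assumptions.

```shell
#!/bin/sh
# Added example, not part of pia-foss/manual-connections. It issues the same
# getSignature request port_forwarding.sh makes, with the two inputs the thread
# identifies: PF_GATEWAY = the server's internal address (tun route gateway for
# OpenVPN, server_vip for WireGuard) and PF_HOSTNAME = the name in the server
# certificate's CN/subjectAltName. Port 19999, ca.rsa.4096.crt and --connect-to
# are from the thread; tun0 and the jq-free parsing are assumptions.

# Pull one string field out of a single-object JSON reply without jq
# (assumes the value holds no escaped quotes; true for status/payload/signature).
pf_json_field() {
  printf '%s' "$2" | tr -d '\n' |
    sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Turn curl's exit code plus the reply body into one diagnosis line, so the
# outcomes seen in the thread are told apart instead of all collapsing into
# "does not contain an OK status".  Usage: pf_classify CURL_EXIT BODY
pf_classify() {
  case "$1" in
    0) ;;
    7) echo "UNREACHABLE: port 19999 refused at this address; PF_GATEWAY should be the internal gateway"; return 1 ;;
    51|60) echo "TLS: certificate check failed; PF_HOSTNAME must equal the certificate CN/subjectAltName"; return 1 ;;
    *) echo "CURL_ERROR: exit status $1"; return 1 ;;
  esac
  if [ "$(pf_json_field status "$2")" = "OK" ]; then
    echo "OK payload=$(pf_json_field payload "$2") signature=$(pf_json_field signature "$2")"
    return 0
  fi
  # HTTP 401 {"status":"ERROR","message":"Unauthorized client"} lands here
  echo "REJECTED: $(pf_json_field message "$2"); per the thread this is what the public IP answers, use the internal gateway"
  return 1
}

# OpenVPN: PF_GATEWAY is the gateway of the route over the tun interface
# (assumption: the tunnel is tun0 and its route is a "via" route).
pf_gateway_from_tun() {
  ip route show dev "${1:-tun0}" | awk '/via/ { print $3; exit }'
}

# Run the request exactly as the thread's curl line does: TLS name = PF_HOSTNAME,
# TCP endpoint = PF_GATEWAY.  Usage: pf_get_signature GATEWAY HOSTNAME TOKEN [CACERT]
pf_get_signature() {
  body=$(curl -s -m 5 --connect-to "$2::$1:" --cacert "${4:-ca.rsa.4096.crt}" \
         -G --data-urlencode "token=$3" "https://$2:19999/getSignature")
  pf_classify "$?" "$body"
}
```

For OpenVPN, `pf_get_signature "$(pf_gateway_from_tun)" "$PF_HOSTNAME" "$PIA_TOKEN"` reproduces the working combination tcurdt describes; for WireGuard pass the server_vip from the connect response as the first argument.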
@tcurdt

tcurdt commented Dec 19, 2023

@fholzer uh! you got this working with wireguard?

I was told wireguard is not supported for manual connections last time I tried.
Great there is support now.

@ericloyd

ericloyd commented Feb 5, 2024

Wait, help me out and give me something I can copy/paste, because I used to be using wireguard and the FOSS manual connect scripts with no problem until a month or two ago and now all I get is the "Unauthorized Client" message.

WireGuard isn't supported anymore? Or is it? I guess I can go back to OpenVPN, but WG is so much preferred.

@sirskills

@tcurdt and @fholzer Any chance you could share your enhanced scripts that we can use, please? I don't quite understand how to match the PF_HOSTNAME and PF_GATEWAY. I tried extracting the server_vip from the response payload in connect_to_wireguard_with_token.sh and passing it to port_forwarding.sh as PF_GATEWAY, but I still get an error with the signature.

Thanks in advance!!

@tcurdt

tcurdt commented Feb 10, 2024

@sirskills I am sorry but for me it's back to not working (with OpenVPN). So I don't think I can help.

```text
Getting new signature... * Expire in 0 ms for 6 (transfer 0xb1c960)
* Expire in 5000 ms for 8 (transfer 0xb1c960)
* Connecting to hostname: 10.12.112.17
*   Trying 10.12.112.17...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0xb1c960)
* connect to 10.12.112.17 port 19999 failed: Connection refused
* Failed to connect to 10.12.112.17 port 19999: Connection refused
* Closing connection 0
curl: (7) Failed to connect to 10.12.112.17 port 19999: Connection refused
The payload_and_signature variable does not contain an OK status.
```

I am really tired of PIA. Seems like they do not maintain any of this and give a flying f... about this repo.

Does anyone have a recommendation for a better VPN?
One where WireGuard and port forwarding also work from Linux, with the standard clients?

@sirskills

@tcurdt if you find one that supports WireGuard and port forwarding via script for Raspberry Pi, let me know and I'll do the same.

It works fine with OpenVPN, but they drop that connection on me pretty randomly after a couple of days.

@ericloyd

Somewhere along the lines, the IP had to be changed to VIP to get it to work with latest round of PIA for port forwarding. I'll see if I can find my notes.

@tcurdt

tcurdt commented Feb 10, 2024

> It works fine with openvpn, but they drop that connection on me pretty randomly after a couple of days.

The openvpn connection itself works fine for me.
It's just the support for the port forwarding that is giving troubles (for me).

@sirskills

The port forwarding for OpenVPN works for me. I'm using an older version of the script though, I believe.

@jboctor

jboctor commented Oct 5, 2024

Did anyone here manage to get this working with WireGuard? I'm attempting to set up port forwarding now and I am getting the "The payload_and_signature variable does not contain an OK status." error.
