internal/provider/piav3.go

package provider

import (
	"context"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io/ioutil"
	"math/rand"
	"net"
	"net/http"

	"github.com/qdm12/gluetun/internal/constants"
	"github.com/qdm12/gluetun/internal/firewall"
	"github.com/qdm12/gluetun/internal/models"
	"github.com/qdm12/golibs/files"
	"github.com/qdm12/golibs/logging"
	"golang.org/x/net/context/ctxhttp"
)

type piaV3 struct {
	servers    []models.PIAOldServer
	randSource rand.Source
}

func newPrivateInternetAccessV3(servers []models.PIAOldServer, timeNow timeNowFunc) *piaV3 {
	return &piaV3{
		servers:    servers,
		randSource: rand.NewSource(timeNow().UnixNano()),
	}
}

func (p *piaV3) GetOpenVPNConnection(selection models.ServerSelection) (connection models.OpenVPNConnection, err error) {
	var port uint16
	switch selection.Protocol {
	case constants.TCP:
		switch selection.EncryptionPreset {
		case constants.PIAEncryptionPresetNormal:
			port = 502
		case constants.PIAEncryptionPresetStrong:
			port = 501
		}
	case constants.UDP:
		switch selection.EncryptionPreset {
		case constants.PIAEncryptionPresetNormal:
			port = 1198
		case constants.PIAEncryptionPresetStrong:
			port = 1197
		}
	}
	if port == 0 {
		return connection, fmt.Errorf("combination of protocol %q and encryption %q does not yield any port number", selection.Protocol, selection.EncryptionPreset)
	}

	if selection.TargetIP != nil {
		return models.OpenVPNConnection{IP: selection.TargetIP, Port: port, Protocol: selection.Protocol}, nil
	}

	servers := filterPIAOldServers(p.servers, selection.Regions)
	if len(servers) == 0 {
		return connection, fmt.Errorf("no server found for regions %s", commaJoin(selection.Regions))
	}

	var connections []models.OpenVPNConnection
	for _, server := range servers {
		for _, IP := range server.IPs {
			connections = append(connections, models.OpenVPNConnection{IP: IP, Port: port, Protocol: selection.Protocol})
		}
	}

	return pickRandomConnection(connections, p.randSource), nil
}

func (p *piaV3) BuildConf(connection models.OpenVPNConnection, verbosity, uid, gid int, root bool, cipher, auth string, extras models.ExtraConfigOptions) (lines []string) {
	return buildPIAConf(connection, verbosity, root, cipher, auth, extras)
}

func (p *piaV3) PortForward(ctx context.Context, client *http.Client,
	fileManager files.FileManager, pfLogger logging.Logger, gateway net.IP, fw firewall.Configurator,
	syncState func(port uint16) (pfFilepath models.Filepath)) {
	b := make([]byte, 32)
	n, err := rand.New(p.randSource).Read(b) //nolint:gosec
	if err != nil {
		pfLogger.Error(err)
		return
	} else if n != 32 {
		pfLogger.Error("only read %d bytes instead of 32", n)
		return
	}
	clientID := hex.EncodeToString(b)
	url := fmt.Sprintf("%s/?client_id=%s", constants.PIAPortForwardURL, clientID)
	response, err := ctxhttp.Get(ctx, client, url)
	if err != nil {
		pfLogger.Error(err)
		return
	}
	defer response.Body.Close()
	if response.StatusCode != http.StatusOK {
		pfLogger.Error(fmt.Errorf("%s for %s; does your PIA server support port forwarding?", response.Status, url))
		return
	}
	b, err = ioutil.ReadAll(response.Body)
	if err != nil {
		pfLogger.Error(err)
		return
	} else if len(b) == 0 {
		pfLogger.Error(fmt.Errorf("port forwarding is already activated on this connection, has expired, or you are not connected to a PIA region that supports port forwarding"))
		return
	}
	body := struct {
		Port uint16 `json:"port"`
	}{}
	if err := json.Unmarshal(b, &body); err != nil {
		pfLogger.Error(fmt.Errorf("port forwarding response: %w", err))
		return
	}
	port := body.Port

	filepath := syncState(port)
	pfLogger.Info("Writing port to %s", filepath)
	if err := fileManager.WriteToFile(
		string(filepath), []byte(fmt.Sprintf("%d", port)),
		files.Permissions(0666),
	); err != nil {
		pfLogger.Error(err)
	}

	if err := fw.SetAllowedPort(ctx, port, string(constants.TUN)); err != nil {
		pfLogger.Error(err)
	}

	<-ctx.Done()
	if err := fw.RemoveAllowedPort(ctx, port); err != nil {
		pfLogger.Error(err)
	}
}

func filterPIAOldServers(servers []models.PIAOldServer, regions []string) (filtered []models.PIAOldServer) {
	for _, server := range servers {
		switch {
		case filterByPossibilities(server.Region, regions):
		default:
			filtered = append(filtered, server)
		}
	}
	return filtered
}
PIA nextgen portforward (#242) * Split provider/pia.go in piav3.go and piav4.go * Change port forwarding signature * Enable port forwarding parameter for PIA v4 * Fix VPN gateway IP obtention * Setup HTTP client for TLS with custom cert * Error message for regions not supporting pf 2020-10-12 10:55:08 -04:00			`package provider`

			`import (`
			`"context"`
			`"encoding/hex"`
			`"encoding/json"`
			`"fmt"`
			`"io/ioutil"`
Single connection written to openvpn configuration (#258) - From now only a single OpenVPN connection is written to the OpenVPN configuration file - If multiple connections are matched given the user parameters (i.e. city, region), it is picked at pseudo random using the current time as the pseudo random seed. - Not relying on Openvpn picking a random remote address, may refer to #229 - Program is aware of which connection is to be used, in order to use its matching CN for port forwarding TLS verification with PIA v4 servers, see #236 - Simplified firewall mechanisms 2020-10-12 15:29:58 -04:00			`"math/rand"`
PIA nextgen portforward (#242) * Split provider/pia.go in piav3.go and piav4.go * Change port forwarding signature * Enable port forwarding parameter for PIA v4 * Fix VPN gateway IP obtention * Setup HTTP client for TLS with custom cert * Error message for regions not supporting pf 2020-10-12 10:55:08 -04:00			`"net"`
			`"net/http"`

			`"github.com/qdm12/gluetun/internal/constants"`
			`"github.com/qdm12/gluetun/internal/firewall"`
			`"github.com/qdm12/gluetun/internal/models"`
			`"github.com/qdm12/golibs/files"`
			`"github.com/qdm12/golibs/logging"`
Using context for HTTP requests 2020-10-17 21:54:09 +00:00			`"golang.org/x/net/context/ctxhttp"`
PIA nextgen portforward (#242) * Split provider/pia.go in piav3.go and piav4.go * Change port forwarding signature * Enable port forwarding parameter for PIA v4 * Fix VPN gateway IP obtention * Setup HTTP client for TLS with custom cert * Error message for regions not supporting pf 2020-10-12 10:55:08 -04:00			`)`

			`type piaV3 struct {`
Single connection written to openvpn configuration (#258) - From now only a single OpenVPN connection is written to the OpenVPN configuration file - If multiple connections are matched given the user parameters (i.e. city, region), it is picked at pseudo random using the current time as the pseudo random seed. - Not relying on Openvpn picking a random remote address, may refer to #229 - Program is aware of which connection is to be used, in order to use its matching CN for port forwarding TLS verification with PIA v4 servers, see #236 - Simplified firewall mechanisms 2020-10-12 15:29:58 -04:00			`servers []models.PIAOldServer`
			`randSource rand.Source`
PIA nextgen portforward (#242) * Split provider/pia.go in piav3.go and piav4.go * Change port forwarding signature * Enable port forwarding parameter for PIA v4 * Fix VPN gateway IP obtention * Setup HTTP client for TLS with custom cert * Error message for regions not supporting pf 2020-10-12 10:55:08 -04:00			`}`

Single connection written to openvpn configuration (#258) - From now only a single OpenVPN connection is written to the OpenVPN configuration file - If multiple connections are matched given the user parameters (i.e. city, region), it is picked at pseudo random using the current time as the pseudo random seed. - Not relying on Openvpn picking a random remote address, may refer to #229 - Program is aware of which connection is to be used, in order to use its matching CN for port forwarding TLS verification with PIA v4 servers, see #236 - Simplified firewall mechanisms 2020-10-12 15:29:58 -04:00			`func newPrivateInternetAccessV3(servers []models.PIAOldServer, timeNow timeNowFunc) *piaV3 {`
PIA nextgen portforward (#242) * Split provider/pia.go in piav3.go and piav4.go * Change port forwarding signature * Enable port forwarding parameter for PIA v4 * Fix VPN gateway IP obtention * Setup HTTP client for TLS with custom cert * Error message for regions not supporting pf 2020-10-12 10:55:08 -04:00			`return &piaV3{`
Single connection written to openvpn configuration (#258) - From now only a single OpenVPN connection is written to the OpenVPN configuration file - If multiple connections are matched given the user parameters (i.e. city, region), it is picked at pseudo random using the current time as the pseudo random seed. - Not relying on Openvpn picking a random remote address, may refer to #229 - Program is aware of which connection is to be used, in order to use its matching CN for port forwarding TLS verification with PIA v4 servers, see #236 - Simplified firewall mechanisms 2020-10-12 15:29:58 -04:00			`servers: servers,`
			`randSource: rand.NewSource(timeNow().UnixNano()),`
PIA nextgen portforward (#242) * Split provider/pia.go in piav3.go and piav4.go * Change port forwarding signature * Enable port forwarding parameter for PIA v4 * Fix VPN gateway IP obtention * Setup HTTP client for TLS with custom cert * Error message for regions not supporting pf 2020-10-12 10:55:08 -04:00			`}`
			`}`

Single connection written to openvpn configuration (#258) - From now only a single OpenVPN connection is written to the OpenVPN configuration file - If multiple connections are matched given the user parameters (i.e. city, region), it is picked at pseudo random using the current time as the pseudo random seed. - Not relying on Openvpn picking a random remote address, may refer to #229 - Program is aware of which connection is to be used, in order to use its matching CN for port forwarding TLS verification with PIA v4 servers, see #236 - Simplified firewall mechanisms 2020-10-12 15:29:58 -04:00			`func (p *piaV3) GetOpenVPNConnection(selection models.ServerSelection) (connection models.OpenVPNConnection, err error) {`
			`var port uint16`
			`switch selection.Protocol {`
			`case constants.TCP:`
			`switch selection.EncryptionPreset {`
			`case constants.PIAEncryptionPresetNormal:`
			`port = 502`
			`case constants.PIAEncryptionPresetStrong:`
			`port = 501`
			`}`
			`case constants.UDP:`
			`switch selection.EncryptionPreset {`
			`case constants.PIAEncryptionPresetNormal:`
			`port = 1198`
			`case constants.PIAEncryptionPresetStrong:`
			`port = 1197`
			`}`
			`}`
			`if port == 0 {`
			`return connection, fmt.Errorf("combination of protocol %q and encryption %q does not yield any port number", selection.Protocol, selection.EncryptionPreset)`
			`}`

Repurpose OPENVPN_TARGET_IP for #229 2020-10-12 20:21:26 +00:00			`if selection.TargetIP != nil {`
			`return models.OpenVPNConnection{IP: selection.TargetIP, Port: port, Protocol: selection.Protocol}, nil`
			`}`

Multi options filters, fixes #231 (#262) * OWNED environment variable for Mullvad * CSV are now accepted for all servers filtering environment variables 2020-10-18 17:15:42 -04:00			`servers := filterPIAOldServers(p.servers, selection.Regions)`
Repurpose OPENVPN_TARGET_IP for #229 2020-10-12 20:21:26 +00:00			`if len(servers) == 0 {`
Multi options filters, fixes #231 (#262) * OWNED environment variable for Mullvad * CSV are now accepted for all servers filtering environment variables 2020-10-18 17:15:42 -04:00			`return connection, fmt.Errorf("no server found for regions %s", commaJoin(selection.Regions))`
Repurpose OPENVPN_TARGET_IP for #229 2020-10-12 20:21:26 +00:00			`}`

Single connection written to openvpn configuration (#258) - From now only a single OpenVPN connection is written to the OpenVPN configuration file - If multiple connections are matched given the user parameters (i.e. city, region), it is picked at pseudo random using the current time as the pseudo random seed. - Not relying on Openvpn picking a random remote address, may refer to #229 - Program is aware of which connection is to be used, in order to use its matching CN for port forwarding TLS verification with PIA v4 servers, see #236 - Simplified firewall mechanisms 2020-10-12 15:29:58 -04:00			`var connections []models.OpenVPNConnection`
			`for _, server := range servers {`
			`for _, IP := range server.IPs {`
Repurpose OPENVPN_TARGET_IP for #229 2020-10-12 20:21:26 +00:00			`connections = append(connections, models.OpenVPNConnection{IP: IP, Port: port, Protocol: selection.Protocol})`
Single connection written to openvpn configuration (#258) - From now only a single OpenVPN connection is written to the OpenVPN configuration file - If multiple connections are matched given the user parameters (i.e. city, region), it is picked at pseudo random using the current time as the pseudo random seed. - Not relying on Openvpn picking a random remote address, may refer to #229 - Program is aware of which connection is to be used, in order to use its matching CN for port forwarding TLS verification with PIA v4 servers, see #236 - Simplified firewall mechanisms 2020-10-12 15:29:58 -04:00			`}`
			`}`

			`return pickRandomConnection(connections, p.randSource), nil`
PIA nextgen portforward (#242) * Split provider/pia.go in piav3.go and piav4.go * Change port forwarding signature * Enable port forwarding parameter for PIA v4 * Fix VPN gateway IP obtention * Setup HTTP client for TLS with custom cert * Error message for regions not supporting pf 2020-10-12 10:55:08 -04:00			`}`

Single connection written to openvpn configuration (#258) - From now only a single OpenVPN connection is written to the OpenVPN configuration file - If multiple connections are matched given the user parameters (i.e. city, region), it is picked at pseudo random using the current time as the pseudo random seed. - Not relying on Openvpn picking a random remote address, may refer to #229 - Program is aware of which connection is to be used, in order to use its matching CN for port forwarding TLS verification with PIA v4 servers, see #236 - Simplified firewall mechanisms 2020-10-12 15:29:58 -04:00			`func (p *piaV3) BuildConf(connection models.OpenVPNConnection, verbosity, uid, gid int, root bool, cipher, auth string, extras models.ExtraConfigOptions) (lines []string) {`
			`return buildPIAConf(connection, verbosity, root, cipher, auth, extras)`
PIA nextgen portforward (#242) * Split provider/pia.go in piav3.go and piav4.go * Change port forwarding signature * Enable port forwarding parameter for PIA v4 * Fix VPN gateway IP obtention * Setup HTTP client for TLS with custom cert * Error message for regions not supporting pf 2020-10-12 10:55:08 -04:00			`}`

			`func (p piaV3) PortForward(ctx context.Context, client http.Client,`
			`fileManager files.FileManager, pfLogger logging.Logger, gateway net.IP, fw firewall.Configurator,`
			`syncState func(port uint16) (pfFilepath models.Filepath)) {`
Single connection written to openvpn configuration (#258) - From now only a single OpenVPN connection is written to the OpenVPN configuration file - If multiple connections are matched given the user parameters (i.e. city, region), it is picked at pseudo random using the current time as the pseudo random seed. - Not relying on Openvpn picking a random remote address, may refer to #229 - Program is aware of which connection is to be used, in order to use its matching CN for port forwarding TLS verification with PIA v4 servers, see #236 - Simplified firewall mechanisms 2020-10-12 15:29:58 -04:00			`b := make([]byte, 32)`
			`n, err := rand.New(p.randSource).Read(b) //nolint:gosec`
PIA nextgen portforward (#242) * Split provider/pia.go in piav3.go and piav4.go * Change port forwarding signature * Enable port forwarding parameter for PIA v4 * Fix VPN gateway IP obtention * Setup HTTP client for TLS with custom cert * Error message for regions not supporting pf 2020-10-12 10:55:08 -04:00			`if err != nil {`
			`pfLogger.Error(err)`
			`return`
Single connection written to openvpn configuration (#258) - From now only a single OpenVPN connection is written to the OpenVPN configuration file - If multiple connections are matched given the user parameters (i.e. city, region), it is picked at pseudo random using the current time as the pseudo random seed. - Not relying on Openvpn picking a random remote address, may refer to #229 - Program is aware of which connection is to be used, in order to use its matching CN for port forwarding TLS verification with PIA v4 servers, see #236 - Simplified firewall mechanisms 2020-10-12 15:29:58 -04:00			`} else if n != 32 {`
			`pfLogger.Error("only read %d bytes instead of 32", n)`
			`return`
PIA nextgen portforward (#242) * Split provider/pia.go in piav3.go and piav4.go * Change port forwarding signature * Enable port forwarding parameter for PIA v4 * Fix VPN gateway IP obtention * Setup HTTP client for TLS with custom cert * Error message for regions not supporting pf 2020-10-12 10:55:08 -04:00			`}`
			`clientID := hex.EncodeToString(b)`
			`url := fmt.Sprintf("%s/?client_id=%s", constants.PIAPortForwardURL, clientID)`
Using context for HTTP requests 2020-10-17 21:54:09 +00:00			`response, err := ctxhttp.Get(ctx, client, url)`
PIA nextgen portforward (#242) * Split provider/pia.go in piav3.go and piav4.go * Change port forwarding signature * Enable port forwarding parameter for PIA v4 * Fix VPN gateway IP obtention * Setup HTTP client for TLS with custom cert * Error message for regions not supporting pf 2020-10-12 10:55:08 -04:00			`if err != nil {`
			`pfLogger.Error(err)`
			`return`
			`}`
			`defer response.Body.Close()`
			`if response.StatusCode != http.StatusOK {`
			`pfLogger.Error(fmt.Errorf("%s for %s; does your PIA server support port forwarding?", response.Status, url))`
			`return`
			`}`
			`b, err = ioutil.ReadAll(response.Body)`
			`if err != nil {`
			`pfLogger.Error(err)`
			`return`
			`} else if len(b) == 0 {`
			`pfLogger.Error(fmt.Errorf("port forwarding is already activated on this connection, has expired, or you are not connected to a PIA region that supports port forwarding"))`
			`return`
			`}`
			`body := struct {`
			Port uint16 `json:"port"`
			`}{}`
			`if err := json.Unmarshal(b, &body); err != nil {`
			`pfLogger.Error(fmt.Errorf("port forwarding response: %w", err))`
			`return`
			`}`
			`port := body.Port`

			`filepath := syncState(port)`
			`pfLogger.Info("Writing port to %s", filepath)`
			`if err := fileManager.WriteToFile(`
			`string(filepath), []byte(fmt.Sprintf("%d", port)),`
			`files.Permissions(0666),`
			`); err != nil {`
			`pfLogger.Error(err)`
			`}`

			`if err := fw.SetAllowedPort(ctx, port, string(constants.TUN)); err != nil {`
			`pfLogger.Error(err)`
			`}`

			`<-ctx.Done()`
			`if err := fw.RemoveAllowedPort(ctx, port); err != nil {`
			`pfLogger.Error(err)`
			`}`
			`}`
Obtain PIA v4 server information from API (#257) - Obtain CN for port forwarding https verification - Obtain for each server if they support port forwarding - Obtain for each server their IP address for openvpn UDP and openvpn TCP (one for each) - Updater program updated to use API - Hardcoded values updated for PIA v3 and v4 servers - Clearer separation between pia v3 and v4 - Fixes #250 2020-10-12 13:57:45 -04:00
Multi options filters, fixes #231 (#262) * OWNED environment variable for Mullvad * CSV are now accepted for all servers filtering environment variables 2020-10-18 17:15:42 -04:00			`func filterPIAOldServers(servers []models.PIAOldServer, regions []string) (filtered []models.PIAOldServer) {`
Obtain PIA v4 server information from API (#257) - Obtain CN for port forwarding https verification - Obtain for each server if they support port forwarding - Obtain for each server their IP address for openvpn UDP and openvpn TCP (one for each) - Updater program updated to use API - Hardcoded values updated for PIA v3 and v4 servers - Clearer separation between pia v3 and v4 - Fixes #250 2020-10-12 13:57:45 -04:00			`for _, server := range servers {`
Multi options filters, fixes #231 (#262) * OWNED environment variable for Mullvad * CSV are now accepted for all servers filtering environment variables 2020-10-18 17:15:42 -04:00			`switch {`
			`case filterByPossibilities(server.Region, regions):`
			`default:`
Fix servers filtering for PIA 2020-10-18 23:44:16 +00:00			`filtered = append(filtered, server)`
Obtain PIA v4 server information from API (#257) - Obtain CN for port forwarding https verification - Obtain for each server if they support port forwarding - Obtain for each server their IP address for openvpn UDP and openvpn TCP (one for each) - Updater program updated to use API - Hardcoded values updated for PIA v3 and v4 servers - Clearer separation between pia v3 and v4 - Fixes #250 2020-10-12 13:57:45 -04:00			`}`
			`}`
Fix servers filtering for PIA 2020-10-18 23:44:16 +00:00			`return filtered`
Obtain PIA v4 server information from API (#257) - Obtain CN for port forwarding https verification - Obtain for each server if they support port forwarding - Obtain for each server their IP address for openvpn UDP and openvpn TCP (one for each) - Updater program updated to use API - Hardcoded values updated for PIA v3 and v4 servers - Clearer separation between pia v3 and v4 - Fixes #250 2020-10-12 13:57:45 -04:00			`}`