Feature request -- IP address blocklist #56

Open
rkershenbaum opened this issue Feb 4, 2024 · 9 comments

@rkershenbaum

I may be the only one in the world who needs this, but:

When my router reboots, or the cron job runs with "changeserver", I sometimes lose access to my IPTV streams. Apparently, the IPTV provider is blocking several PIA server IP addresses within the region I'm using. I can fix it by running the script manually with "changeserver", so that it selects a different PIA server within the same region.

However, it would be nice if the script would accept a blocklist of specific server IP addresses to bypass, perhaps in the json file.

Or...is there a way to accomplish this with the existing script?

@FingerlessGlov3s
Owner

Interesting idea, but PIA's API doesn't give you a big list of servers to connect to; they give you "the best" server to connect to at that point in time for each region. It can return the same servers for concurrent requests.

I feel a better way to resolve your problem would be to create your own script that pings or curls a URL that you need to work, then asks my script to change server. This would also remove the problem of needing to update the blacklisted IPs as well. You can either delete the /tmp/wg{instancenumber}_router file, which will then get my script to do a changeserver, or call changeserver directly on the script.

You could run the script on a server or directly on the firewall if coded correctly.

@rkershenbaum
Author

Thanks for the quick reply! My coding skills are pretty rusty, but I may give that a shot.

(Or, if someone reading this feels energetic, and would prepare a sample script, that would be great.)

@EeroV

EeroV commented Feb 4, 2024 via email

@rkershenbaum
Author

These are some of the IPs that aren't working with my IPTV provider:

212.102.52.2
212.102.52.6
212.102.53.86
212.102.53.83

Probably anything in the 212.102.x.x range. The ones in the 138.199.30.x range seem to work.
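
One way to get the requested blocklist behaviour without changing the script, as an added example that is not part of the thread or the project: read the tunnel's current endpoint with `wg show <interface> endpoints` and call `--changeserver` while that endpoint falls in a blocked range. The interface name `wg0`, the `instancename` placeholder and the /16 written from the reporter's guess are assumptions; the script path and flag are the ones used elsewhere in this thread.

```python
import ipaddress
import subprocess

# From the thread: "probably anything in the 212.102.x.x range", written here
# as a /16 (assumption). Add further ranges as they are found.
BLOCKED = [ipaddress.ip_network("212.102.0.0/16")]
WG_IFACE = "wg0"  # assumption: name of the PIA tunnel interface
# Script path and flag as used in the thread; "instancename" is a placeholder.
CHANGE_CMD = ["/conf/PIAWireguard.py", "--changeserver", "instancename"]

def parse_endpoint(wg_output):
    """Peer IP from `wg show <iface> endpoints` output, or None if not set."""
    for line in wg_output.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[1] != "(none)":
            host = fields[1].rsplit(":", 1)[0].strip("[]")  # also [v6]:port
            return ipaddress.ip_address(host)
    return None

def is_blocked(ip, blocked=BLOCKED):
    return any(ip in net for net in blocked)

def current_endpoint():
    result = subprocess.run(["wg", "show", WG_IFACE, "endpoints"],
                            capture_output=True, text=True, check=True)
    return parse_endpoint(result.stdout)

def change_server():
    subprocess.run(CHANGE_CMD, check=True)

def ensure_allowed(get_ip=current_endpoint, change=change_server, max_changes=5):
    """Change server until the endpoint is allowed; returns (ip or None, changes)."""
    # Bounded, because the API can hand back the same server again.
    changes = 0
    while True:
        ip = get_ip()
        if ip is not None and not is_blocked(ip):
            return ip, changes
        if changes == max_changes:
            return None, changes
        change()
        changes += 1

if __name__ == "__main__":
    ip, changes = ensure_allowed()
    print(f"endpoint={ip} after {changes} server change(s)")
    raise SystemExit(0 if ip is not None else 1)
```

Run as root after the router boots and after the cron job; a non-zero exit means every attempt landed in a blocked range.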

@bedub1
Contributor

bedub1 commented Feb 4, 2024

Bing Copilot wrote this for me. No idea if it'll work.

import subprocess
import time

import requests

def check_google_url():
    """Return True if the test URL answers 200 OK, False otherwise."""
    url = "https://www.google.com"
    try:
        # Timeout so a dead tunnel cannot hang the check forever
        response = requests.get(url, timeout=10)
    except requests.RequestException:
        print("Connection error.")
        return False
    if response.status_code == 200:
        print("Google is accessible (200 OK).")
        return True
    print(f"Received status code {response.status_code}.")
    return False

def run_command():
    # Ask PIAWireguard.py to select a different server for this instance
    command = "/conf/PIAWireguard.py --debug --changeserver instancename"
    subprocess.run(command, shell=True)
    print("Command executed. Waiting for 30 seconds...")

if __name__ == "__main__":
    while True:
        # Change server only when the check fails, then re-test after 30 seconds
        if not check_google_url():
            run_command()
        time.sleep(30)

@rkershenbaum
Author

Wow, thanks, bedub1! That looks like what I need. I'll give it a try later today and report back.

@rkershenbaum
Author

Ok...thinking about this... If I run this script on the OPNsense router, it would need to send the http request out on a specific Wireguard tunnel in order to test if the url works thru that tunnel. Maybe that could be done with a firewall rule. Short of that, I guess the request would go out on the normal WAN interface.

And if I ran it on a client machine, it wouldn't have access to the PIAWireguard script, in order to issue the "changeserver".

@FingerlessGlov3s
Owner

Yeah you'd need a firewall rule or add a static route to the destination network to use the PIA gateway.

If the IPTV is using their own ASN, you can probably just add the main IP range as a static route.

@rkershenbaum
Author

I'm probably getting in a bit over my head here. Can someone describe how to create a firewall rule to route only the request from this script through a specific gateway (without affecting anything else)?
