@GamerGun
Created January 2, 2018 21:18
#!/usr/bin/env bash
#
# Enable port forwarding when using Private Internet Access
#
# Usage:
# ./port_forwarding.sh
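# Print a message on stderr and terminate the script with status 1.
# Arguments: $@ - words of the message (joined with single spaces)
# Outputs:   the message, on stderr
# Returns:   never returns; exits 1
error() {
  # printf instead of echo: echo would parse a message such as "-n" or "-e"
  # as one of its own options and print nothing.
  printf '%s\n' "$*" >&2
  exit 1
}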
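# Print a message on stderr, then show the usage line and exit with status 1.
# Arguments: $@ - words of the message (joined with single spaces)
# Outputs:   the message on stderr; the usage line via usage_and_exit
# Returns:   never returns; usage_and_exit is called with status 1
error_and_usage() {
  # printf instead of echo so a message that looks like an echo option
  # ("-n", "-e") is still printed verbatim.
  printf '%s\n' "$*" >&2
  usage_and_exit 1
}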
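# Print the one-line usage text.
# Globals: PROGRAM (read) - script name shown after the directory of $0
# Outputs: "Usage: <dir of $0>/<PROGRAM>" on stdout
usage() {
  # $0 is quoted so an install path containing spaces or glob characters
  # reaches dirname as a single argument instead of being split.
  printf 'Usage: %s/%s\n' "$(dirname "$0")" "$PROGRAM"
}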
# Show the usage line, then leave the script.
# Arguments: $1 - exit status to terminate with
# Returns:   never returns
usage_and_exit() {
  # $1 is expanded unquoted, exactly as before, so the status word is handed
  # to exit unchanged.
  usage; exit $1
}
# Report the script name and version on stdout.
# Globals: PROGRAM (read), VERSION (read)
version() {
  printf '%s version %s\n' "$PROGRAM" "$VERSION"
}
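# Write one message to the Synology system log and repeat it on stdout.
# Arguments: $1 - synologset1 level (info | err)
#            $2 - message text, without the "pia-port: " prefix
_pia_port_log() {
  /usr/syno/bin/synologset1 sys "$1" 0x11100000 "pia-port: $2"
  printf '%s\n' "pia-port: $2"
}

# Ask the PIA endpoint for a forwarded port and, when it differs from the port
# Download Station is configured with, rewrite the setting and restart the
# package.
# Outputs: progress and error messages on stdout and in the Synology log
# Returns: exits 0 on the error and "port unchanged" paths (failures are only
#          visible in the log, as before); otherwise returns the status of the
#          final start command
port_forward_assignment() {
  local conffile=/usr/syno/etc/packages/DownloadStation/settings.conf
  local client_id json port curport

  # NOTE(review): presumably gives the VPN connection time to come up before
  # the request is made - confirm.
  sleep 30
  echo 'Loading port forward assignment information...'

  # Random client id: SHA-256 of urandom data, hex encoded. The tool is chosen
  # by availability rather than by `uname`, so the id is never left empty on a
  # platform that is neither Linux nor Darwin.
  if command -v sha256sum >/dev/null 2>&1; then
    client_id=$(head -n 100 /dev/urandom | sha256sum | tr -d " -")
  else
    client_id=$(head -n 100 /dev/urandom | shasum -a 256 | tr -d " -")
  fi

  # NOTE(review): the request goes over plain HTTP to a fixed address, so the
  # reply is unauthenticated. Everything derived from it is treated as
  # untrusted until it has passed the port check below.
  json=$(curl "http://209.222.18.222:2000/?client_id=$client_id" 2>/dev/null)
  if [[ -z "$json" ]]; then
    json='Port forwarding is already activated on this connection, has expired, or you are not connected to a PIA region that supports port forwarding'
  fi

  # Pull the forwarded port out of the JSON reply. The reply is fed to awk
  # quoted, so the shell neither word-splits it nor expands globs in it.
  port=$(awk 'BEGIN{r=1;FS="[{}\":]+"} /port/{r=0; print $3} END{exit r}' <<<"$json")
  port=${port//[[:space:]]/}

  # Accept nothing but a decimal port in 1-65535. The value ends up inside a
  # sed expression and the Download Station config, so an error message, an
  # empty result or any other text must stop here. The regex runs first so the
  # arithmetic test only ever sees digits.
  if ! [[ "$port" =~ ^[0-9]{1,5}$ ]] || (( 10#$port < 1 || 10#$port > 65535 )); then
    _pia_port_log err "$json"
    exit 0
  fi
  port=$((10#$port)) # drop leading zeros before comparing and writing

  _pia_port_log info "Port number acquired: $port"

  # Current Download Station port: the quoted value on the
  # download_start_port line of the config file.
  curport=$(grep download_start_port "$conffile" | cut -d\" -f2)

  # The mapping does not always change; avoid forcing Download Station to
  # re-read its config when the port is the same.
  if [[ "$curport" == "$port" ]]; then
    _pia_port_log info "Current Port: $curport, PIA Port: $port - Download Station Port not changed. Exiting"
    exit 0
  fi

  # Port forward has changed: update the setting (sed keeps a .bak copy).
  sed -i.bak "s/^\(download_start_port=\).*/\1\"${port}\"/" "$conffile"

  # Restart Download Station so it picks up the new port.
  /var/packages/DownloadStation/scripts/start-stop-status stop
  sleep 5
  /var/packages/DownloadStation/scripts/start-stop-status start
}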
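# NOTE(review): EXITCODE is not read anywhere in this file.
EXITCODE=0
# $0 is quoted so a script path containing spaces is passed to basename as one
# argument.
PROGRAM=$(basename "$0")
VERSION=2.1

# Option handling: every recognised option prints its text and exits; any
# other argument is rejected with the usage line and status 1.
while [[ $# -gt 0 ]]; do
  case "$1" in
    --usage | --help | -h)
      usage_and_exit 0
      ;;
    --version | -v)
      version
      exit 0
      ;;
    *)
      error_and_usage "Unrecognized option: $1"
      ;;
  esac
  shift
done

# No arguments given: do the actual work.
port_forward_assignment
exit 0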

maxju commented Jan 17, 2019

Thanks for posting this! Are you running the script? Does it still work?
Also, this is built on the default DSM OpenVPN interface, right?
How does the script know which port to forward?

A lot of questions at once, I know. I'm new to VPN on Synology and everything..


GamerGun commented Oct 8, 2019

Thanks for posting this! Are you running the script? Does it still work?
Also, this is built on the default DSM OpenVPN interface, right?
How does the script know which port to forward?

A lot of questions at once, I know. I'm new to VPN on Synology and everything..

Sorry, did not see your comment before... not sure if you still have issues or questions, but just let me know if you do.

Also have a look at https://community.synology.com/enu/forum/17/post/53791?reply=202011
