Enumerating and excluding all of the IP addresses that Plex will contact doesn’t work. You can’t predict the IP addresses of any mobile or remote Plex clients.
There’s a “big hammer” way to get independent network namespaces -
- Run the VPN and any “special routing” apps in a Docker/Container/Jail/VM
- Run Plex in a different Docker/Container/Jail/VM (or computer)
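
One way to lay out that split with Docker Compose, as an added example that is not part of the original post. The `vpn` and `routed-app` image names, the network names and the host paths are placeholders assumed for illustration; only the Plex image and its default port 32400 are real.

```yaml
# Added example (hypothetical layout, not from the original post).
# Goal: the VPN's routes exist only inside the vpn container's network
# namespace, so Plex never sees them and needs no per-IP exclusions.
services:
  vpn:
    image: example/vpn-client:latest      # placeholder image name
    cap_add:
      - NET_ADMIN                         # needed to create the tunnel and edit routes
    devices:
      - /dev/net/tun:/dev/net/tun         # tunnel device for the VPN client
    networks:
      - vpn_net
    restart: unless-stopped

  routed-app:
    image: example/routed-app:latest      # placeholder for any "special routing" app
    # Join the vpn container's network namespace: this app has no interfaces
    # or routes of its own, so its traffic can only leave through the tunnel.
    network_mode: "service:vpn"
    depends_on:
      - vpn
    restart: unless-stopped

  plex:
    image: plexinc/pms-docker
    # Separate bridge network means a separate network namespace: Plex uses
    # the host's normal default route and is untouched by the VPN's routing.
    networks:
      - plex_net
    ports:
      - "32400:32400/tcp"                 # Plex default port, reachable by remote clients
    volumes:
      - ./plex/config:/config             # placeholder host paths
      - ./media:/data:ro                  # media mounted read-only
    restart: unless-stopped

networks:
  vpn_net: {}
  plex_net: {}
```

To check the separation, compare `docker exec <container> ip route` for the `vpn` and `plex` containers: the tunnel routes should appear only in the first.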