HELP! Plex showing Public IP address through VPN

Server Version#: Version 1.18.5.2309
Player Version#:

I have a Synology DS1821. I have configured an OpenVPN connection through PIA using a self-made config file that works just fine through DSM 6.2.4.

At this point, REMOTE ACCESS in PLEX shows my VPN for my public address, however, the connection is not accessible because I haven’t routed PLEX DNS over WAN Routes.

When I attempt to route, Plex is fully accessible outside my network, however, it now lists my IP address (and no longer VPN) for my public address.

I have all ports properly routed including Plex on 32400 and a separate VPN port with an external port of 32322, which I manually specify as my public port in Plex.

I want to have Plex accessible outside my network but running through my VPN. I successfully had this setup for years, until a few weeks ago.

Any suggestions?

Can you draw a picture?

If Plex Remote Access is detecting the public/WAN address, that means outbound packets from Plex aren’t taking the VPN connection.

What does “routed PLEX DNS over WAN Routes” mean? And where are “all ports properly routed”? Can you show these configurations?

If the goal is for Plex traffic to (only) use the VPN, it shouldn’t be necessary to configure port forwarding at the LAN/WAN router.

Thanks for your response.
In order for Plex to work through a VPN in Synology, you must static route the Plex domain DNS’s.
By doing so, it allows for Plex to be “fully accessible outside your network.”

My issue is, this alone used to be enough for Plex to recognize my Public address as my VPN IP. For some reason, last month, that changed and now it only recognizes my actual IP.

Ahh, I understand.

That sounds like a recipe for inconsistency and breakage, which I guess is what’s happening. 🙂

Plex uses multiple cloud services with changing IP addresses.

How do you know which hostnames Plex needs to communicate with? How do you keep the routes for those changing IP addresses up to date?

I wrote my OPENVPN config to reflect the DNS domain rather than the IP addresses:

route plex.tv 255.255.255.255 192.168.1.1

route app.plex.tv 255.255.255.255 192.168.1.1

route my.plexapp.com 255.255.255.255 192.168.1.1

route myplex.tv 255.255.255.255 192.168.1.1

You were right in the sense that it was a recipe for inconsistency, but only about 2x per year. I’m hoping by writing the DNS domains directly into the config, it eliminates the need to keep up with Plex’s changing IPs.

But … OK, hold on. Step back, walk me through this.

You want remote clients to be able to connect to your Plex server.

You’ve got a VPN provider that allows you to configure port forwarding. You want to advertise the Plex server through the VPN provider.

From the perspective of a remote client, they’re connecting to an IP address:port that belongs to the VPN provider.

Then that comes to your Plex server over the VPN connection.

And responses from the Plex server to the client should go back out through the VPN connection?

Actually, that’s 100% accurate.

I guess the question is, in Plex when it lists your Public IP, is that the IP that the remote clients are connecting to?
If that is the case, then I can only assume that Plex is not connecting through VPN at all.

If that is not the case, and the remote client is connecting to an IP address:port that belongs to the VPN provider, then I should be ok because that would mean my IP is only going out to the VPN provider?


OK, thanks! It just won’t work.

If a Plex client with address 198.18.17.16 connects to you, you won’t have a “via the VPN” route for 198.18.17.16. Response packets from Plex will take the default route via the LAN/WAN router, where they won’t match a firewall table entry, and they’ll be dropped.

It’s important for ALL Plex traffic, or none of it, to be routed through the VPN.

I’m not a Syno expert, but I doubt it’s possible to route “all Plex traffic, but just Plex traffic” through the VPN.

> I guess the question is, in Plex when it lists your Public IP, is that the IP that the remote clients are connecting to?
> If that is the case, then I can only assume that Plex is not connecting through VPN at all.
>
> If that is not the case, and the remote client is connecting to an IP address:port that belongs to the VPN provider, then I should be ok because that would mean my IP is only going out to the VPN provider?

I’m just confused as to why this worked for me for about 2 years, before it now doesn’t.

I thank you for your time BTW

That’s the address that the Plex Cloud detects when connections come FROM the Plex server.

Most of the time that’s also the IP address that clients can connect to for Remote Access. So it’s a clever way for Plex to figure out what address to publish for Remote Access.

Trying to add selective routing makes this hard.

It’s easy enough to publish the address you want clients to connect to, and they’ll connect to it.

But with the VPN and selective routing, you need to be able to send packets back to them over the VPN too.

And there’s no way to do that. What IP addresses will remote clients have, that should route through the VPN?

An easy solution is to run Plex & the VPN on a standalone system, or in a container or VM, so that ALL traffic can be routed through the VPN.

I believe this is what I am doing, as my Synology is my standalone server constantly running through a VPN. Plex Server is also running through the Synology.

You are way more advanced in this stuff than I am, so forgive me if I am incorrect.

The problem happens when some Plex traffic is sent out the VPN, but some Plex traffic isn’t. That asymmetric routing breaks things.

I’m not familiar with the Synology, but I’m pretty sure there’s no way to say “send all Plex traffic (but only Plex traffic) out the VPN.”

If “send ALL traffic out the VPN” (for the whole Syno) is an option, perhaps that will work.
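
The asymmetric-routing failure described in the replies above, worked through as an added example (not code from the thread, Plex or Synology): a longest-prefix-match lookup over two constructed routing tables shows which interface a reply to the client 198.18.17.16 leaves on. The interface names `eth0`/`tun0`, the 203.0.113.10 host route and both tables are assumptions made for illustration.

```python
import ipaddress

# Constructed routing tables, not read from any real Synology.
# Each entry is (destination prefix, egress interface).
SELECTIVE = [
    ("0.0.0.0/0", "eth0"),         # default route via the LAN/WAN router
    ("192.168.1.0/24", "eth0"),    # local LAN
    ("203.0.113.10/32", "tun0"),   # hypothetical host route for one Plex cloud address
]
FULL_TUNNEL = [
    ("0.0.0.0/1", "tun0"),         # two half-defaults that together cover every
    ("128.0.0.0/1", "tun0"),       # address and override the plain default route
    ("192.168.1.0/24", "eth0"),    # local LAN stays on the LAN interface
    ("0.0.0.0/0", "eth0"),         # original default, now shadowed by the /1 routes
]


def egress(table, dst):
    """Return the interface a packet to dst leaves on (longest prefix wins)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def check_flow(table, client, ingress_if):
    """Compare the interface a connection arrived on with the reply's egress."""
    out = egress(table, client)
    return {"client": client, "in": ingress_if, "out": out,
            "symmetric": out == ingress_if}


if __name__ == "__main__":
    # A remote client reaches the server through the VPN's forwarded port (tun0).
    for name, table in (("selective", SELECTIVE), ("full tunnel", FULL_TUNNEL)):
        flow = check_flow(table, "198.18.17.16", "tun0")
        verdict = "ok" if flow["symmetric"] else "ASYMMETRIC: reply leaves the VPN"
        print(f"{name:12} in={flow['in']} out={flow['out']} -> {verdict}")
```

On a Linux host the same question can be asked of the live table with `ip route get 198.18.17.16`.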
