NAS Synology VPN Bypass Plex

Hi guys,

After several attempts, I finally got my dream setup to work – and the solution is quite simple!

What this guide will do:

  • All traffic from Synology Download Station will be through VPN.
  • Direct connections, like Synology WEB GUI, SSH, Plex etc. will go through your regular WAN.
  • All traffic will be Let’s Encrypt SSL certified HTTPS

Make sure you have access to your NAS locally before switching on your VPN.
Also, make sure these ports are forwarded from your home Router to your NAS:

  • 5001 (Synology Web GUI, HTTPS)
  • 32400 (Plex)
  • 80 (for Let’s Encrypt verification)

Let’s go

  1. Connect your VPN connection from Network > Network Interface > i.e. “VPN - VyprVPN”
  2. Check ON this bad ass mf option: Network > General > Advanced Settings (Gateway): Enable Multiple Gateways
  3. Confirm that your Download Station is downloading with the correct VPN IP using this tool

Cool, eh?

Now, like me, you probably already have a domain set up to your dedicated ISP IP, say example.com.
So, heading over to https://example.com:5000 should be available to you, even if the NAS is connected to VPN.

Plex on the other hand is trying to AutoDiscover your VPN IP, which is why your Plex Media server won’t be available through the Plex services. Though, you could access your Plex directly through https://example.com:32400

If you don’t have SSL activated for your domain yet, let’s do that first!

On your NAS:

  1. Security > Certificate > Add
  2. Next (Add a new certificate)
  3. Next (Get a certificate from Let’s Encrypt)
  4. Download your certificate files.
  5. Now, press Configure (within Security > Certificate) and set your fresh Let’s Encrypt certificate as Default.

To make Plex available by autodiscover and all your friends, do the following.

  1. At your Plex Server settings, make sure you’ve specified your public port manually (Server > Remote Access) to i.e. 32400.
  2. Don’t worry about Plex not reaching your server at this page. It never will as long as it tries to autodiscover your VPN IP.
  3. Now, go to Server > Network. We’re going to fill example.com into the “Custom certificate domain”.

You also need to specify a value for “Custom certificate location”.

  1. Connect to your NAS via SSH
  2. Open i.e. /volume1/Plex (wherever you’ve installed Plex)
  3. Create a folder i.e. certificate
  4. Using your File Station app at your NAS GUI, upload the certificate files you downloaded earlier directly to this folder.
  5. Back into your shell, generate the pfx by writing the following:
    openssl pkcs12 -export -out domain.pfx -in cert.pem -inkey privkey.pem -certfile chain.pem -name "domain"
  6. Head back over to your Plex > Server > Network and type in your complete pfx path
    ie. /volume1/Plex/certificate/domain.pfx
  7. If you typed in any keyphrase, enter this into the “Custom certificate encryption key” field.
  8. Further down on the same page, you’ll see “Custom server access URLs”. Add your domain https://example.com
  9. Save changes.

Now, this should do the trick.

UPDATE

Even though the server is visible and accessible externally via app.plex.tv, streaming videos gets interrupted.
I suspect the “Custom server access URLs” are not working as intended.

I found this Plex forums thread: (Feature Request) Manually Enter Public IP Address

~~There is one small fix to this. I’ll test it out for a couple of days and if it works I’ll make an automatic script for it.

  1. Using dig, you could dig A plex.tv
  2. We’re going to use all the IP addresses in the ;; ANSWER SECTION
  3. SSH to your NAS and make a script.sh in your home directory.
  4. Type route
  5. Find your local network, i.e. 192.168.1.x and locate its Interface, i.e. ovs_eth1
  6. Go into your script file vi script.sh (press i to start typing) and add a line for each IP from the ANSWER SECTION
  7. ip route add X.X.X.0/24 via 192.168.1.1 dev ovs_eth1 (see example below)
  8. Save your file (press esc, then : then wq then enter)
  9. Confirm that traffic goes through correct interface traceroute -n -m 1 plex.tv
  10. Double confirm that Plex discovers the correct IP in Plex Server > Remote Access
  11. Next to the manually specified port, press Retry to re-index your public IP.

Example of script.sh
ip route add 52.19.30.0/24 via 192.168.1.1 dev ovs_eth1
ip route add 34.253.32.0/24 via 192.168.1.1 dev ovs_eth1
ip route add 52.212.88.0/24 via 192.168.1.1 dev ovs_eth1
ip route add 34.241.247.0/24 via 192.168.1.1 dev ovs_eth1
ip route add 52.30.224.0/24 via 192.168.1.1 dev ovs_eth1
ip route add 54.171.211.0/24 via 192.168.1.1 dev ovs_eth1~~

UPDATE

I’ve made a simple script doing all the above for you.

  1. Copy link of “Download Repository” for the bitbucket.org/shrty/plex-vpn-bypass/downloads/
  2. wget the link to your NAS via SSH
  3. Use 7z x file.zip to extract the repository
  4. sh plex.sh inside the directory to generate routes. Follow the instructions. Feel free to check out the source

Run script at startup
Just place the generated routes.sh file in the following directory.

cp routes.sh /usr/local/etc/rc.d/

If you have remarks to this tutorial, please let me know in the comments so I can update it.

6 Likes
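The route-generation steps from the first post, as an added example that is not part of the original post or of the linked plex-vpn-bypass repository: it validates each resolver answer before turning it into an `ip route add` line, since the result ends up in a script that runs as root at boot. The function names (`is_ipv4`, `gen_routes`, `sample_answers`) and the host addresses in the sample are constructed for illustration; the gateway and interface are the post's example values.

```shell
#!/bin/sh
# Added example: build the tutorial's "ip route add" lines from A-record answers.
# GATEWAY and IFACE are the post's example values; change them for your LAN.
GATEWAY="192.168.1.1"
IFACE="ovs_eth1"

# is_ipv4 ADDR: succeed only for a plain dotted quad, each octet 0..255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac      # no leading zeros
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_routes: read one address per line on stdin, print one route per /24.
# Anything that is not a plain IPv4 address is dropped, because the output
# is meant for a script that runs as root at boot.
gen_routes() {
    seen=""
    while IFS= read -r addr; do
        is_ipv4 "$addr" || continue
        net="${addr%.*}.0/24"
        case " $seen " in *" $net "*) continue ;; esac   # one route per /24
        seen="$seen $net"
        printf 'ip route add %s via %s dev %s\n' "$net" "$GATEWAY" "$IFACE"
    done
}

# Constructed sample input: hosts inside three of the post's example networks,
# a duplicate /24, and two lines that must be rejected.
sample_answers() {
    printf '%s\n' 52.19.30.17 52.19.30.200 34.253.32.5 \
        '52.212.88.9;id' 300.1.2.3 54.171.211.41
}

# Real use (needs network): dig +short A plex.tv | gen_routes > routes.sh
sample_answers | gen_routes
```

Review the generated routes.sh before copying it to /usr/local/etc/rc.d/, and regenerate it when the published addresses change.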

Does this work with my dyndns address? ex. my ISP IP —> dyndns address

@Tommy-Cederlund said:
Does this work with my dyndns address? ex. my ISP IP —> dyndns address

Yes, it will!

Just wanted to say thanks for this post! This has been a huge help!

Any chance you have the steps for setting this to run at startup? I’m learning, but still a novice at linux.

1 Like

Many thanks for this!

I would like to have a short tutorial in how to use the script at startup. Could you provide this to us too?

Many thanks!

Thanks so much for posting this! Is there any chance this would work using NZBget in a docker container?

Worked like a charm! thanks!!

What if I do not have a domain set up to a dedicated ISP IP? I have Verizon FiOS and my IP is dynamic not static. I also do not use Let’s Encrypt verification

Then you can use your IP. If you have dynamic IP you should consider setting up dyndns.org for dynamic DNS.

You don’t have to use letsencrypt, but it’s kinda included in your Synology and it’s free to use.

I have a DDNS setup with Synology.me that I used to use. Can I use that?

Yeah, updated the op @apocalyps3 @merdian.dennis_gmail.com

1 Like

Hi, sorry to bother you but I receive this error when I launch the command wget

Resolving bitbucket.org… failed: Temporary failure in name resolution.

wget: unable to resolve host address ‘bitbucket.org

Can you please help me? Thank you

thanks for the guide as I had the same issue.

but most of the steps were not even needed

  1. Use Multiple Gateways

  2. lookup DNS

https://www.dnswatch.info/dns/dnslookup?la=en&host=plex.tv&type=A&submit=Resolve

  3. add routes on gui

And all fine


7 Likes

WOW! This seems to have done the trick! That DNSWatch site worked like magic. I should point out to others that I had my VPN turned on the Synology when I first tried. I had to delete those entries out and try again with the VPN turned off and those IP entries worked. Tested it with VPN off and on and it works both ways now!

1 Like

Excellent. This is the solution.

Hi!
Thank you for this thread, I managed to get Plex to work externally while downloading on VPN.
However, I caused other issues, e.g. I cannot access my Synology using its private IP, I need to use the domain name, and the other issue is that I cannot access any other services like CouchP or SickR, meaning I will have to open their ports on my Firewall, which is not my favourite security practice.
How can I log in to my Synology using its private IP? Am I missing something?
thanks
Chris

EDIT: I solved this by delegating all routing responsibility to my firewall, my Synology remains as usual with all services working, and remote access for Plex. :)

Update: Works great. Thanks

Hi, can I just clarify that with your solution of adding in the static routes you still needed to configure the custom certificate in Plex network configuration as the original poster did?

Cheers,

Jays

Be careful when messing with your Network setting in Synology. I connected another ethernet-cable and created a Bond between the two, unknowingly destroying the routes-script it seems. After going back to the situation without the Bond the Remote Access remained broken. Now that I ran the script again it seems back to normal.

Excellent tips in this thread.
I got it working in no time.

Just wondering if the domain.pfx survives Let’s Encrypt updates?

Thanks, works great for me.