No server access via VPN

Server Version#: 1.40.2.8395 (FreeBSD)
Player Version#: Android 10.14.0.541

Player doesn’t play via OpenVPN running on same box as Plex server. Plays fine on local network.

I have read and performed relevant actions in “https://support.plex.tv/articles/204604227-why-can-t-the-plex-app-find-or-connect-to-my-plex-media-server/” and am as sure as I can be that my router/port forwarding/firewall settings are correct. Remote access is enabled.

I have monkeyed with all of the player and server “secure connection” settings, and played with
the manual connections knob.

I think the player is connecting, but the server log contains “CERT: incomplete TLS handshake from 10.7.0.3:38370: stream truncated” messages (10.7.0.3 is the VPN address of the client). I have enabled the 10.7.0.0/24 network in ‘List of IP addresses and networks that are allowed without auth’. I also put 127.0.0.1 here since I sometimes see the TLS handshake error with this address as well.

I’m going a bit nuts trying to figure this out.

TIA
D


[OP here]
Well, plug my cornhole; I got it working by disabling remote access in the server settings. This seems a bit counter-intuitive, but is actually preferable for my desired setup.

D

Plex does not play well with VPNs because:

  1. PMS looks at the IP address AT THE MODEM/ROUTER.
  2. When you have the VPN active, it’s captive and no traffic can enter via the modem/router:Plex_port to work.

You would need a split-VPN configuration.

@ChuckPA:
This (IP address at ROUTER) does not appear to be what I’m seeing in the PMS log; I can see the Plex player/VPN client connect:
DEBUG - Auth: authenticated user 1 as Dirk Bonebrake
DEBUG - Request: [10.7.0.3:40614 (Allowed Network (Subnet))] GET /media/providers?includePreferences=1 (6 live) #50b GZIP Signed-in Token (Dirk Bonebrake) (Q-1045G)
and a bunch of other stuff in the log, and then
DEBUG - CERT: incomplete TLS handshake from 10.7.0.3:48926: stream truncated

And it did work ONCE after I disabled remote access (and yes, I’m sure that the test was in fact going through the VPN).

Thanks for your feedback,
D

To clarify the VPN setup:
The VPN is on the same machine as PMS (not the router). The client connects to the VPN server, which knows how to route to the PMS.

Assuming the routing is correct, what is the source of the TLS handshake error and how do I eliminate it?

Thanks,
D

Let’s try to look at the TLS first.

  1. Clocks in NTP time sync?
  2. Proxy involved anywhere?
  3. Do you have your own cert anywhere?
  4. All machines involved are SSLv3-capable? SSL 1.1.1 is obsolete (meaning many Centos boxes aren’t compliant)

Did you really mean SSLv3?

Running ‘openssl s_client -connect PMS_IP:32400’ outputs, amongst other things:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_128_GCM_SHA256

NTP client runs every night, time usually within 1 second.
No proxies.
No certs, except within VPN subsystem.

Thanks,
D

Sorry OpenSSL v3.

Here’s my writeup at the time.

The message is direct. It’s telling you the handshake info (so it could setup the encryption) provided in the message was cut off (truncated) somehow. It was expecting more than it got.

What’s between the server IP and client IP? Follow the equipment path.
If just a switch, then there must be a software / config compatibility in the host which is off.

Thank you for the clarification; I interpreted the message to mean that since the handshake was incomplete then PMS truncated the stream.

I’ll look into what could be causing the truncation.

Thanks,
D

Yes. It couldn’t complete the handshake. The message was therefore truncated which is obviously detrimental.

I think the VPN has an MTU problem/mismatch. I reconfigured it to use TCP and the connection seems stable (i.e., Android Plex player is (reliably?) connecting through VPN and streaming TV). I may revisit this in the future and reinstitute UDP (or not, if it continues to stream well). I have some remote Rokus w/Plex that I yet need to test.

In summary, this VPN/Plex configuration appears to work. Whatever communication is necessary with plex.tv occurs outside of the VPN (gatewayed by the PM/VPN server on my local network <=> my router). I have disabled remote access on the PMS, so all remote access needs to go through the VPN, which is what I ultimately desired.

@ChuckPa, thanks for your help.

Cheers,
D
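As an added example (not code from this thread or from Plex), here is a small Python check that correlates the two kinds of PMS log lines quoted above: “Request: [ip:port …]” entries, which show a client reaching the server, and “CERT: incomplete TLS handshake from ip:port: stream truncated” entries. A client inside the VPN subnet that reaches PMS but whose TLS handshakes keep truncating points at the tunnel transport (the MTU/fragmentation problem the OP found) rather than at auth or routing. It assumes the 10.7.0.0/24 subnet from the OP’s allow-list, and the sample lines are constructed, modelled on the quoted excerpts with a placeholder user name.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines modelled on the PMS log excerpts quoted in this thread
# (timestamps omitted, as in the quoted excerpts; user name is a placeholder).
SAMPLE_LOG = """\
DEBUG - Auth: authenticated user 1 as example_user
DEBUG - Request: [10.7.0.3:40614 (Allowed Network (Subnet))] GET /media/providers?includePreferences=1 (6 live) #50b GZIP Signed-in Token (example_user) (Q-1045G)
DEBUG - CERT: incomplete TLS handshake from 10.7.0.3:48926: stream truncated
DEBUG - CERT: incomplete TLS handshake from 10.7.0.3:48930: stream truncated
DEBUG - CERT: incomplete TLS handshake from 127.0.0.1:51002: stream truncated
DEBUG - Request: [192.168.1.20:50211] GET /identity (1 live) #51 GZIP
"""

REQUEST_RE = re.compile(r"Request: \[(?P<ip>[\d.]+):\d+")
TRUNC_RE = re.compile(r"incomplete TLS handshake from (?P<ip>[\d.]+):\d+: stream truncated")


def summarize(log_text, vpn_net="10.7.0.0/24"):
    """Per client IP: how many requests reached PMS, how many TLS handshakes were
    truncated, whether the client is in the VPN subnet, and a flag for the
    'reaches PMS but handshakes keep truncating' pattern seen in this thread."""
    net = ip_network(vpn_net)  # assumption: the OP's allowed VPN subnet
    requests, truncated = Counter(), Counter()
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            requests[m.group("ip")] += 1
            continue
        m = TRUNC_RE.search(line)
        if m:
            truncated[m.group("ip")] += 1
    report = {}
    for ip in set(requests) | set(truncated):
        in_vpn = ip_address(ip) in net
        report[ip] = {
            "requests": requests[ip],
            "truncated": truncated[ip],
            "in_vpn_subnet": in_vpn,
            # Client traffic does arrive, yet its TLS handshakes are cut short:
            # consistent with a tunnel transport problem (e.g. MTU), not auth/routing.
            "suspect_tunnel_mtu": in_vpn and requests[ip] > 0 and truncated[ip] > 0,
        }
    return report


if __name__ == "__main__":
    for ip, info in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, info)
```

Point it at a real “Plex Media Server.log” by reading the file into `summarize()`; a flagged VPN client is a cue to check the tunnel MTU/fragmentation before touching auth or allow-list settings.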
