Plex outside of the OpenVPN tunnel

I’ve spent hours on this, thinking I was doing something wrong, but it looks like I’m just missing some info.

I use the OpenVPN connection on my router (OpenWrt) and I have the routes set up in the OpenVPN config for:
route my.plexapp.com 255.255.255.255 [wan-ip]
route plexapp.com 255.255.255.255 [wan-ip]
route plex.tv 255.255.255.255 [wan-ip]
route app.plex.tv 255.255.255.255 [wan-ip]
route canyouseeme.org 255.255.255.255 [wan-ip]

I also have a static port forward set up which takes a port from my router and brings it to 32400 on my Plex Server. The static port forwarding works just fine until I start the openvpn service.

Now after I start the openvpn service, Plex is no longer “accessible outside my network”. My Plex connects to the Plex infrastructure correctly through my ISP and not the VPN, and canyouseeme.org still sees the port open, which leads me to believe that I’m missing another route – maybe the check for the open port happens from a different IP/domain.

If I add the whole Amazon AWS IP range into routes (~550 entries), plex works, but I do not want:

  1. so many extra routes in the config file
  2. so many extra routes in the system
  3. so many extra IP addresses which will bypass VPN

Can you guys find out from the developers (or maybe you already know) the CIDR or IP address ranges, better yet – domain names, which the Plex infrastructure checks for open ports from, to make the server “accessible from outside the network”?

Thanks!

By trial and error I figured the below is enough:
route 52.0.0.0 255.0.0.0 [wan-ip]
route 54.0.0.0 255.0.0.0 [wan-ip]
route 50.18.0.0 255.255.0.0 [wan-ip]

Ideally I’d like to shorten the ranges. Can devs please comment?

Here is a script that will allow you to do just that…

Jason, thanks for your reply. I’ve modified your DD-WRT script slightly and here’s what I ended up doing on OpenWrt:

uci add_list dhcp.@dnsmasq[-1].ipset='/plex.tv/my.plexapp.com/google.com/maps.google.com/youtube.com/vpnbypass'
# (dnsmasq adds the resolved addresses of these domains to the 'vpnbypass' ipset;
#  run 'uci commit dhcp' and restart dnsmasq for the list to take effect)
cat << 'EOF' > /etc/hotplug.d/iface/95-wanipupdate
#!/bin/sh
# runs from hotplug whenever the wan interface comes up
[ "$ACTION" = "ifup" -a "$INTERFACE" = "wan" ] || exit 0
[ -f /etc/config/openvpn -a -d /etc/openvpn ] || exit 0
. /lib/functions/network.sh; network_get_ipaddr wanip wan
( TID="200"; FW_MARK="0x88"; IPSET="vpnbypass"
# tear down any previous bypass rule, marks, set and routing table
( ip rule del fwmark $FW_MARK table $TID; iptables -t mangle -F; ipset -F $IPSET; ipset -X $IPSET
ip route flush table $TID; ip route flush cache
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done
sleep 3 ) > /dev/null 2>&1
# nothing to do unless a tunnel route exists
! ip route show | egrep -qm1 'tun[0-9]' && exit 0
# copy all routes except the VPN default/halves into table 200, with the WAN gateway as default
ip route show | egrep -v '^default|^0.0.0.0/1|^128.0.0.0/1' | while read route; do ip route add $route table $TID; done
ip route add default via $wanip table $TID; ip route flush cache
# rp_filter is disabled so replies leaving via wan for traffic that arrived on the tunnel are not dropped
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $i; done
(modprobe xt_set || modprobe ip_set) 2> /dev/null
insmod ip_set_hash_ip; ipset -N $IPSET iphash -q; ipset -F $IPSET
# mark replies from the Plex server ports and anything destined to an ipset member
iptables -t mangle -A PREROUTING -p tcp -m multiport --sport 3000,8085,32400 -j MARK --set-mark $FW_MARK
iptables -t mangle -A PREROUTING -m set --match-set $IPSET dst -j MARK --set-mark $FW_MARK
# marked packets are routed through table 200, i.e. out the WAN instead of the tunnel
ip rule add fwmark $FW_MARK table $TID ) 2>&1 | logger -t "vpnbypass[$$]"
exit 0
EOF

@stangri said:
Jason, thanks for your reply. I’ve modified your DD-WRT script slightly and here’s what I ended up doing on OpenWrt:

Hope it works for you!

As a side note, and TOTALLY unrelated to the script at hand, it appears that routing netflix.com is still not ‘enough’ to utilize the service, as it still complains about being behind a proxy. It would seem that the netflix.com IPs are not enough to route around the VPN, as the ‘check’ for proxies/VPNs still complains.

Lucky for me I don’t use netflix. :wink: