I have set PMS on a Raspberry Pi which is connected to the internet through ethernet (interface eth0 in Linux). Sometimes, I also run OpenVPN on it, which routes all the traffic through its new virtual interface. When connected to the VPN, I need to re-route the outgoing packets for some services in order to still be able to access them from outside (for example, ssh and deluge). To do so, I followed this post to set an iptable and specific routing rules that redirect the traffic of specific ports (the ones used by the services that i need) to the eth0 interface (instead of the VPN interface). This works perfectly with many services, including SSH and Deluge daemon: in fact, I am able to access them from remote even when using the VPN.
However, I cannot get PMS to be remotely accessible when using the VPN. The server is accessible when the VPN is down, but as soon as I start it, remote access breaks.
These are the set of rules that i set (thorugh a bash script) before starting the VPN:
ip rule add fwmark 65 table novpn
ip route add default via 192.168.1.1 dev eth0 table novpn
ip route flush cache
iptables -t mangle -A OUTPUT -p tcp --sport 22 -j MARK --set-mark 65 # ssh
iptables -t mangle -A OUTPUT -p tcp --sport 8112 -j MARK --set-mark 65 # deluge-web
iptables -t mangle -A OUTPUT -p tcp --sport 32400 -j MARK --set-mark 65 # pms
iptables -t mangle -A OUTPUT -p udp --sport 32400 -j MARK --set-mark 65 # pms
iptables -t mangle -A OUTPUT -p tcp --sport 3XXXX -j MARK --set-mark 65 # pms_out
iptables -t mangle -A OUTPUT -p udp --sport 3XXXX -j MARK --set-mark 65 # pms_out
iptables -t mangle -A OUTPUT -p udp --sport 1900 -j MARK --set-mark 65 # pms_dlna
iptables -t mangle -A OUTPUT -p udp --sport 5353 -j MARK --set-mark 65 # pms_netdisc
iptables -t mangle -A OUTPUT -p udp --sport 32410:32414 -j MARK --set-mark 65 #pms
iptables -t mangle -A OUTPUT -p tcp --sport 32469 -j MARK --set-mark 65 # pms_dlna
(all the commands are executed with sudo. Port 3XXXX is my public port for PMS, which was censored for privacy. Ofc, proper port forwarding has been set on the router.)
Plex doesnât bind() in the traditional sense to an adapter.
This having been said, you would need rules to take any traffic destined for Plex.tv or other locations. Itâs usually better handled by setting specific route table entries on the host itself so you have control.
If youâve noticed, you can start the VPN and then, with the tun0 as the default for all traffic, all traffic will run through the VPN and PMS will work. Split operation is where itâs problematic. (PMS registration with plex.tv done asyncronous to VPN up/down status).
I would like to avoid sending all PMS traffic through the VPN because it would slow down the communication.
With my current rules, if i try to restart PMS after connecting to the VPN (with systemctl restart plexmediaserver.service) I am still not remotely accessible. Sometimes, it shows that It is accessible for 2 seconds and then it becomes red again. Do you know through which ports does PMS perform the registration to plex.tv at startup?
I just helped set up a system to do this for a friend. Your method looks about like what we did. Instead of marking traffic based on the port, we marked it based on the user. In the reverse, the user of openvpn (we defined it as âvpnâ) was marked with a 0x01 then any traffic with that mark went through the vpn. Other traffic could go out eth0.
I canât remember the exact guide but these have a lot of the good info. The term they use to describe what I did is âsplit tunnelâ. That search will return lots of results.
