Not to brag but they are wonderful!
Yep, I’ve seen it go both ways. Some VPN clients allow inbound traffic to the naked interface to flow through normally, some do not. I agree with @Volts’ statement down-thread that this likely isn’t worth fighting with. Getting your VPN client to accept Plex’s traffic is probably your best path forward, if you’d like to continue using your NAS for the server and keep your VPN on.
Yeah, I think we figured this out on another thread some time back. It was with regard to another remote access issue with a VPN involved. And in that case, I’m almost positive the VPN client did allow traffic to the naked IP/interface to pass unmolested.
Maybe you figured it out earlier! I might be dumb, but at least I’m also slow. I don’t think I realized Plex/myPlex was massaging the Custom server access URLs until I saw the list of URLs back from myPlex just now.
I don’t think there was a VPN in the other thread, at least not the one I’m thinking of. There were multiple public IP addresses, and the inbound port forwarding was on a different address from outbound traffic, so Plex’s Public Address detection and myPlex’s reachability test were failing. But no VPN, and just one router, so traffic wasn’t taking an asymmetrical path.
And in that case I would also have sworn that we tried a bare IP address in the Custom server access URL first, and it didn’t work. But I’ve been wrong several times already today, and it shows no sign of slowing down.

Oh, it’s quite possible I’m mis-remembering. My memory is not what it used to be.
I remember having better memory, but how can I trust that? After all, I’m pretty sure my memory is worse now.
OK, Synology responds to my ticket:
Support ticket #2668618 has been updated by Synology Technical Support. Please go to your Synology Account to respond to this ticket or receive further assistance. A preview of the updated ticket is shown below:
Hi Andrew,
For configuring split tunneling, that would be a specific guideline on the VPN protocol rather than DSM for it to configure. We don’t have a specific guide on setting it up, but there are some unofficial guides that may help, one of which we have posted below.
OpenVPN Split Tunnel on Synology Diskstation | Trinkets, Odds, and Ends
If you are using OpenVPN this link below may help. Because split tunneling on DSM is handled purely through the VPN protocol configuration, the OpenVPN support team or community will likely have more information on how to configure and set up split tunneling.
Here’s where I can use your help. Could you read through that and explain it to me? Because I get confused with a VPN server and a VPN client. It seems to me that installing the VPN Server app on Synology and setting it up should allow me to connect to Synology from outside my house. I mean even the stated purpose of that link above says “Remote access to home network supporting choice of split/full tunnel”. And AFAICT that’s not what I’m trying to accomplish. I want it set up such that processes running on Synology that reach out to the Internet do so using the PIA VPN and to split tunnel that so that processes named “Plex” running on the Synology don’t use the PIA VPN at all.
Another statement there says " VPN Server on Synology Diskstation: Supports PPTP, L2TP, and OpenVPN, with various user authentication options - Radius, LDAP, internal user base (which uses Radius as a backend anyway, as a plugin)" which I think again implies that I’m a user outside the home LAN trying to get in.
Yet another statement says “OpenVPN seems like the obvious choice – the only downside being Synology can either be VPN Server or VPN Client but not both”. This seems to imply that the Synology can act as a VPN Client. Does that mean that processes running on the Synology can use the VPN? Further, it describes VPN clients in terms of macOS, iOS, and Windows but not Linux. Correct me if I’m wrong but the Synology is running Linux, right?
It then describes how to make changes to the config files that you export from the VPN Server App on Synology and says “Deploy both profiles” but doesn’t tell me exactly how to deploy them.
Yes, the article referenced does appear to be specific to setting up the OpenVPN server and is not relevant in your case. Unfortunately I have no specific experience here to share. This may be a topic better addressed to the PIA forums as I believe they do officially support OpenVPN clients.
Sorry I couldn’t be of more help.
Thanks for confirming my suspicions. So what you are really saying is that the response from Synology is totally off base. I just can’t get them to understand that I’m not trying to get into my Synology from the outside world through a VPN; rather, I’m trying to ensure the processes running on my Synology are using the VPN (’cept Plex). Everybody’s trying to get into their house from outside by using a VPN… It’s popular. But it’s not what I’m asking for, so it’s back to Synology to explain they didn’t answer the question and to try to get them to answer it correctly.
So far PIA has not answered the support question I asked them. The PIA forums is a good suggestion. I will pursue that too.
FYI On Synology, there are two different things relating to the VPN. One is to install the app called VPN Server and configure it to run. AFAICT you install and use this if you want to get into your Synology from the outside world.
Then there’s a VPN configuration that’s under their Control Panel > Network > Network Interface. You create a VPN Connection Method. There are 3 options - PPTP, OpenVPN (via importing a .ovpn file) and L2TP/IPSec. I’ve created several connection methods for various access points from PIA. Then you simply connect one of those connections methods. I’ve been using this since I got the Synology and as we have tested, all traffic seems to be going through the VPN. When I asked Synology if this config ensures that traffic is going through the VPN they said
Exactly, when you are creating the VPN profile, or editing the already created VPN profile, one of the options listed will force traffic to go through the VPN gateway. It will be the (use default gateway on remote network) option. This will force all traffic from the NAS through the VPN.
Seeing as how this is using OpenVPN and how there seem to be configuration settings that you can tweak to do split tunneling, I have hope that I might be able to split off Plex traffic.
I don’t think OpenVPN itself can do this.
OpenVPN can configure normal destination-based routes, such as “send traffic destined for 192.168.8.0/24 to the VPN”.
You want to exclude the traffic coming from your Plex server. That needs a different routing policy.
If this was a normal Linux box, I’d consider one of these approaches, depending on the age of the system and available tools.
- Use a uidrange `ip rule ...` to associate Plex traffic with a second routing table
- Use `iptables` to mark traffic from the plex user for a second routing table
- Create a virtual network interface for Plex with a different `ip netns` namespace.

(Actually I would fight to move my VPN client into the Docker container that needs it, instead of running it at the system level.)
But I’m not familiar enough with Syno. I wouldn’t expect any of that to be available in the GUI of a NAS.
Is Synology not a normal Linux box? I say that to mean “Let’s assume it is normal Linux” until we are proven otherwise…
Secondly, I don’t think that asking to “exclude traffic coming from my Plex server” is rational; my PMS server asked for none of this, rather random Internet users (AKA my friends) have asked for a connection to my Plex server. So there is no traffic from my Plex server to my friends; rather, my users are asking my Plex server for service.
I don’t understand “use uidrange ip rule” as when I type uidrange it says “command not found”.
Also, I have no idea how to “Create a virtual network interface for Plex with a different ip netns namespace”.
I’m all for moving my VPN clients into the Docker container… I just had problems in the past getting that configured and working. And I also want to worry about the process. Is it best to run under a VPN or do I not have to worry about? I’m just saying run everything under the VPN unless it can’t be run under the VPN.
No?
The distinction I’m making is that it’s built on Linux, but it’s an appliance. You are expected to interact with it through the provided GUI and configuration tools.
A Chromebook or Kindle Fire aren’t “normal Linux” either. On all of these, instead of the normal Linux toolset, there’s a minimal collection of just what’s necessary for the appliance’s functionality.
If you want to do “Linux Stuff” (whatever that is) on the Synology you’re expected to use a VM or a container. That’s a good thing, and the trade-off is that you have a more reliable appliance.
It’s also possible that Synology has the necessary support built in and that there’s a graceful way to configure it without interfering with anything else. I dunno.
At an IP level, your friends send some packets to your server, and your server sends some packets to your friends, and those are unrelated things. The packets don’t know about each other or have any memory. The packets from your server to your friends don’t go “backwards” to retrace the route, they figure out their own path.
A good analogy is letters in the mail. The people writing the letters know that it is an established, back-and-forth conversation. But the envelopes don’t know what’s in the letters, nor the mailman, and the mailman doesn’t retrace his steps.
Higher layers have “connections” and “order” and “requests” and “responses”. But down lower, at the IP layer, the packets themselves are completely ignorant of all that.
Most routing is performed at the IP packet layer, based on destination address. This includes the default route for the VPN.
To exclude Plex from the VPN, you need to route the IP packets based on additional information. (This is frequently called policy routing)
Individual packets aren’t aware of their purpose, but the server’s Linux kernel knows which application sent them. It can look at each packet and apply a rule based on the userID of the sending application. That’s how #1 or #2 would work.
#3 would work a bit differently, kinda like moving Plex into a different checkout lane.
Your suggestion to route based on “the response to a request” hints at another approach. Packets belonging to an established TCP connection, where the local port is :32400, could be routed differently. The connection establishment packets would need to be matched too.
That approach has a big advantage - it’s at the TCP layer, and doesn’t require information from the Linux kernel. If your Plex server and the VPN server and router were on different systems that would still be a viable approach.
But I think you also want to exclude packets from Plex to the myPlex cloud, and that’s easier to do with one of the methods I suggested.
I’ll find a couple good recipes for how #1 and #2 would look to implement, if you’re going to try them.
Here’s a clear example of a uidrange-based approach. It’s certainly more legible than the iptables way, below.
Here’s a reasonably simple example with iptables matching a userid.
In both of those examples they’re filtering the traffic to pass to the VPN. You’re trying to do the opposite, and would only need one route in the alternate routing table: a default route to your current LAN gateway/router address.
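An added example, not code from the thread or from the linked recipes, of what methods #1 and #2 look like as commands, with the alternate table holding only the LAN-gateway default route described in the post above. The uid (1001), gateway, interface and NAS address are constructed assumptions; many Synology models ship kernels older than the 4.10 that `uidrange` needs, in which case only the `iptables` variant applies.

```shell
#!/bin/sh
# Added example, not from the thread: keep one user's packets off a system-wide
# VPN default route (policy routing). Constructed assumptions: Plex runs as
# uid 1001, LAN gateway 192.168.1.1 via eth0, the NAS's LAN address is
# 192.168.1.20, and the VPN already owns the default route in table main.
LAN_GW="${LAN_GW:-192.168.1.1}"
LAN_IF="${LAN_IF:-eth0}"
LAN_ADDR="${LAN_ADDR:-192.168.1.20}"
TABLE=100                # alternate table: the pre-VPN way out of the house
DRY_RUN="${DRY_RUN:-1}"  # 1 = print the commands, 0 = execute them (as root)

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Shared part: table 100 holds exactly one route, the LAN router. Rule 999
# consults main first but suppresses its default routes (prefix length <= 1,
# which also catches OpenVPN redirect-gateway def1's 0.0.0.0/1 and
# 128.0.0.0/1 halves), so LAN-local destinations still route directly while
# Internet-bound packets fall through to the next rule.
bypass_table() {
    run ip route replace default via "$LAN_GW" dev "$LAN_IF" table "$TABLE"
    run ip rule add table main suppress_prefixlength 1 priority 999
}

# Method 1 ("uidrange ip rule"): the kernel matches the sending socket's uid
# during route lookup, so the LAN source address is chosen correctly as well.
bypass_vpn_uidrange() {
    uid="$1"
    bypass_table
    run ip rule add uidrange "$uid-$uid" table "$TABLE" priority 1000
    # Replies to forwarded inbound sessions (e.g. :32400) carry the LAN
    # address as source; route those the same way whatever uid sends them.
    run ip rule add from "$LAN_ADDR" table "$TABLE" priority 1001
}

# Method 2 ("iptables mark"): netfilter tags the user's packets and the rule
# matches the tag. The mark is applied after the first route lookup, so the
# packet already carries the VPN source address; MASQUERADE on eth0 fixes it.
bypass_vpn_fwmark() {
    uid="$1"; mark=1
    bypass_table
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$uid" -j MARK --set-mark "$mark"
    run ip rule add fwmark "$mark" table "$TABLE" priority 1000
    run ip rule add from "$LAN_ADDR" table "$TABLE" priority 1001
    run iptables -t nat -A POSTROUTING -o "$LAN_IF" -m mark --mark "$mark" -j MASQUERADE
}

# Usage: DRY_RUN=1 sh bypass.sh 1001 to review, then DRY_RUN=0 as root.
if [ "$#" -gt 0 ]; then bypass_vpn_uidrange "$1"; fi
```

`ip rule show` and `ip route show table 100` afterwards confirm the rules took; `ip route get 8.8.8.8 uid 1001` (iproute2 4.10+) shows the path a Plex-owned packet would take.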
When I read all that stuff it seems excessively complicated and I get lost as to what I need to do. Hopefully, PIA support will respond with how I can accomplish what I want to accomplish. Based on the articles I’ve read it is possible to do split tunneling on Synology using OpenVPN, I just need to somehow limit it to just Plex traffic. And while I understand just a little bit about networking, packets, and the like I do know that initially packets and the “request” for service from my Plex server start from the outside going in. I just need to somehow separate Plex traffic outside of the VPN.
As for normal Linux and doing Linux stuff, all I know is that Linux is just a kernel and it’s more properly termed GNU/Linux as the shells and most of the userland is provided by GNU, and when I can ssh to a machine, type uname -a and it reports back that it’s a Linux kernel then to me, this is Linux.
The following response was made to my Synology ticket:
Looking into your last message I can see that you meant this inquiry is regarding redirecting services such as PLEX from NOT going into the VPN gateway while everything else not specified stays within the VPN.
In that case that is not a supported feature on the NAS products. Some third party routers, as well as our Synology routers, support this kind of setup, but the NAS does not have a feature to split these services to a specified gateway; this is why there wasn’t a guide on addressing splitting services going out of the Synology NAS itself. It is currently not supported on DSM at this time.
If you have a Synology router, let us know and we can help specify, but if it’s third party, you will want to look with the router’s manufacturer on doing so (if they support it).
To this I questioned:
Question: If “Use gateway on remote network” is toggled on then all traffic flows through the VPN. OK. But what happens if that’s toggled off? What traffic then flows through the VPN? If no traffic will flow through then it seems to me that this setting is useless and should by default always be turned on. If you really want no traffic flowing through the VPN then you could simply disconnect the VPN profile, right?
Or, if with this setting toggled off then some of the traffic flows through the VPN, how do you determine which traffic uses the VPN and which traffic doesn’t?
If it’s on then the VPN replaces your gateway, and all traffic flows through the VPN.
If it’s off then it doesn’t replace your gateway, and only specified routes are pointed to the VPN. This is what OpenVPN does support and what most of the OpenVPN Split Tunneling documentation covers.
If it was a corporate VPN, they could specify the corporate networks. Traffic going to corporate would use the VPN, other traffic wouldn’t.
Your use case is just different.
That’s true for streaming sessions from remote users. (You might also want to exclude the requests that originate from Plex itself.)
And many firewalls DO work at those higher layers, looking at ports and sessions and the end-to-end application conversation. They watch the session (open the envelopes, read the letters, from my analogy). In a firewall it’s normal to say “allow connections from the Internet to my service, and then allow the responses to go out, and watch the conversation to make sure it follows the rules”.
Routing usually happens at a lower level and isn’t aware of sessions, connections, etc. - just packets. OpenVPN and simple “route” statements are examples of this.
So, if it’s off and OpenVPN supports split tunneling, then how do I point specified routes to use the VPN? Is that what the uidrange IP rule (or IP tables and/or IP netns) is for? If so, can you give me baby-step instructions on how to do this?
I mean let’s take Deluge as an example. I have it running in a Docker container. Assuming I toggle off that use gateway on the remote network, what do I need to do to get Deluge to flow through the VPN?
Sorry if I’m being dense here. I was never good at networking/routing and that kind of stuff and you’ve been so helpful and patient with me.
That’s not a bad idea at all. That might be a really good idea!
- Turn off the system-wide VPN Default gateway
- Configure each Docker to use the VPN interface as gateway
When you look at the Docker settings, what are the networking and routing options?
You might not be able to specify an interface; a lot of software requires you to specify an IP address. That might ruin this.
If you connect and disconnect from the VPN a couple of times, does your VPN IP address, and the VPN gateway IP address, change?
I had seen some Docker images that had VPN built in. This was early on and I wasn’t able to get the VPN in them working, so I gave up and instead used the Docker images without VPN built in and then got the PIA VPN configured at what I guess we could call the gateway level. Looking at the Docker images again I see several Deluge Docker images with VPN:
I’m currently using all “linuxserver” stuff well because I’m a Linux guy. The idea of using Docker images is dual purpose as I wanted to gain more experience with Docker for my professional career.
I should spend some time trying to take out the linuxserver/deluge and installing one of the other ones that have OpenVPN included.
