Remote Access not avail when behind VPN

Hello -
I’ve read through many threads on issues folks have had with Remote Access behind a VPN. I’m using NordVPN and Plex Media Server on Win10. I’ve created the section below within one of the OpenVPN configuration files and am not having any luck with remote access functioning. Any help is appreciated.

PLEX over WAN routes

route 67.55.92.183 255.255.255.0 192.168.0.1
route 50.63.202.0 255.255.255.0 192.168.0.1

Log File:

Sat Dec 09 22:20:38 2017 OpenVPN 2.4.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jan 31 2017
Sat Dec 09 22:20:38 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Sat Dec 09 22:20:38 2017 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
Enter Management Password:
Sat Dec 09 22:20:38 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25368
Sat Dec 09 22:20:38 2017 Need hold release from management interface, waiting…
Sat Dec 09 22:20:39 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25368
Sat Dec 09 22:20:39 2017 MANAGEMENT: CMD ‘state on’
Sat Dec 09 22:20:39 2017 MANAGEMENT: CMD ‘log all on’
Sat Dec 09 22:20:39 2017 MANAGEMENT: CMD ‘hold off’
Sat Dec 09 22:20:39 2017 MANAGEMENT: CMD ‘hold release’
Sat Dec 09 22:20:40 2017 MANAGEMENT: CMD ‘username “Auth” "jason.boehm@me.com"’
Sat Dec 09 22:20:40 2017 MANAGEMENT: CMD ‘password […]’
Sat Dec 09 22:20:40 2017 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sat Dec 09 22:20:40 2017 NOTE: --fast-io is disabled since we are running on Windows
Sat Dec 09 22:20:40 2017 Outgoing Control Channel Authentication: Using 512 bit message hash ‘SHA512’ for HMAC authentication
Sat Dec 09 22:20:40 2017 Incoming Control Channel Authentication: Using 512 bit message hash ‘SHA512’ for HMAC authentication
Sat Dec 09 22:20:40 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]173.254.255.139:443
Sat Dec 09 22:20:40 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sat Dec 09 22:20:40 2017 Attempting to establish TCP connection with [AF_INET]173.254.255.139:443 [nonblock]
Sat Dec 09 22:20:40 2017 MANAGEMENT: >STATE:1512879640,TCP_CONNECT,
Sat Dec 09 22:20:41 2017 TCP connection established with [AF_INET]173.254.255.139:443
Sat Dec 09 22:20:41 2017 TCP_CLIENT link local: (not bound)
Sat Dec 09 22:20:41 2017 TCP_CLIENT link remote: [AF_INET]173.254.255.139:443
Sat Dec 09 22:20:41 2017 MANAGEMENT: >STATE:1512879641,WAIT,
Sat Dec 09 22:20:41 2017 MANAGEMENT: >STATE:1512879641,AUTH,
Sat Dec 09 22:20:41 2017 TLS: Initial packet from [AF_INET]173.254.255.139:443, sid=8f019e60 62594d67
Sat Dec 09 22:20:41 2017 WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
Sat Dec 09 22:20:41 2017 VERIFY OK: depth=1, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=us641.nordvpn.com, name=NordVPN, emailAddress=cert@nordvpn.com
Sat Dec 09 22:20:41 2017 Validating certificate key usage
Sat Dec 09 22:20:41 2017 ++ Certificate has key usage 00a0, expects 00a0
Sat Dec 09 22:20:41 2017 VERIFY KU OK
Sat Dec 09 22:20:41 2017 Validating certificate extended key usage
Sat Dec 09 22:20:41 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Dec 09 22:20:41 2017 VERIFY EKU OK
Sat Dec 09 22:20:41 2017 VERIFY OK: depth=0, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=us641.nordvpn.com, name=NordVPN, emailAddress=cert@nordvpn.com
Sat Dec 09 22:20:41 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sat Dec 09 22:20:41 2017 [us641.nordvpn.com] Peer Connection Initiated with [AF_INET]173.254.255.139:443
Sat Dec 09 22:20:42 2017 MANAGEMENT: >STATE:1512879642,GET_CONFIG,
Sat Dec 09 22:20:42 2017 SENT CONTROL [us641.nordvpn.com]: ‘PUSH_REQUEST’ (status=1)
Sat Dec 09 22:20:42 2017 PUSH: Received control message: ‘PUSH_REPLY,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,dhcp-option DNS 78.46.223.24,dhcp-option DNS 162.242.211.137,route-gateway 10.7.7.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.7.147 255.255.255.0,peer-id 0,cipher AES-256-GCM’
Sat Dec 09 22:20:42 2017 OPTIONS IMPORT: timers and/or timeouts modified
Sat Dec 09 22:20:42 2017 OPTIONS IMPORT: --sndbuf/–rcvbuf options modified
Sat Dec 09 22:20:42 2017 Socket Buffers: R=[65536->524288] S=[65536->524288]
Sat Dec 09 22:20:42 2017 OPTIONS IMPORT: --ifconfig/up options modified
Sat Dec 09 22:20:42 2017 OPTIONS IMPORT: route options modified
Sat Dec 09 22:20:42 2017 OPTIONS IMPORT: route-related options modified
Sat Dec 09 22:20:42 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Dec 09 22:20:42 2017 OPTIONS IMPORT: peer-id set
Sat Dec 09 22:20:42 2017 OPTIONS IMPORT: adjusting link_mtu to 1659
Sat Dec 09 22:20:42 2017 OPTIONS IMPORT: data channel crypto options modified
Sat Dec 09 22:20:42 2017 Data Channel Encrypt: Cipher ‘AES-256-GCM’ initialized with 256 bit key
Sat Dec 09 22:20:42 2017 Data Channel Decrypt: Cipher ‘AES-256-GCM’ initialized with 256 bit key
Sat Dec 09 22:20:42 2017 interactive service msg_channel=960
Sat Dec 09 22:20:42 2017 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 I=12 HWADDR=38:d5:47:7d:27:2a
Sat Dec 09 22:20:42 2017 open_tun
Sat Dec 09 22:20:42 2017 TAP-WIN32 device [Ethernet 2] opened: \.\Global{5A3FAD7C-5FCE-4216-B0C7-4DC8EC63FA9D}.tap
Sat Dec 09 22:20:42 2017 TAP-Windows Driver Version 9.21
Sat Dec 09 22:20:42 2017 Set TAP-Windows TUN subnet mode network/local/netmask = 10.7.7.0/10.7.7.147/255.255.255.0 [SUCCEEDED]
Sat Dec 09 22:20:42 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.7.7.147/255.255.255.0 on interface {5A3FAD7C-5FCE-4216-B0C7-4DC8EC63FA9D} [DHCP-serv: 10.7.7.254, lease-time: 31536000]
Sat Dec 09 22:20:42 2017 Successful ARP Flush on interface [11] {5A3FAD7C-5FCE-4216-B0C7-4DC8EC63FA9D}
Sat Dec 09 22:20:42 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Dec 09 22:20:42 2017 MANAGEMENT: >STATE:1512879642,ASSIGN_IP,10.7.7.147,
Sat Dec 09 22:20:47 2017 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=2 u/d=up
Sat Dec 09 22:20:47 2017 C:\WINDOWS\system32\route.exe ADD 173.254.255.139 MASK 255.255.255.255 192.168.0.1
Sat Dec 09 22:20:47 2017 Warning: route gateway is ambiguous: 192.168.0.1 (3 matches)
Sat Dec 09 22:20:47 2017 Route addition via service failed
Sat Dec 09 22:20:47 2017 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.7.7.1
Sat Dec 09 22:20:47 2017 Route addition via service succeeded
Sat Dec 09 22:20:47 2017 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.7.7.1
Sat Dec 09 22:20:47 2017 Route addition via service succeeded
Sat Dec 09 22:20:47 2017 MANAGEMENT: >STATE:1512879647,ADD_ROUTES,
Sat Dec 09 22:20:47 2017 C:\WINDOWS\system32\route.exe ADD 67.55.92.183 MASK 255.255.255.0 192.168.0.1
Sat Dec 09 22:20:47 2017 Warning: route gateway is ambiguous: 192.168.0.1 (3 matches)
Sat Dec 09 22:20:47 2017 Route addition via service failed
Sat Dec 09 22:20:47 2017 C:\WINDOWS\system32\route.exe ADD 50.63.202.0 MASK 255.255.255.0 192.168.0.1
Sat Dec 09 22:20:47 2017 Warning: route gateway is ambiguous: 192.168.0.1 (3 matches)
Sat Dec 09 22:20:47 2017 Route addition via service failed
Sat Dec 09 22:20:47 2017 Initialization Sequence Completed
Sat Dec 09 22:20:47 2017 MANAGEMENT: >STATE:1512879647,CONNECTED,SUCCESS,10.7.7.147,173.254.255.139,443,192.168.0.153,65019
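The log above shows every custom `route.exe ADD ... 192.168.0.1` ending in "Route addition via service failed" after the "route gateway is ambiguous" warning, so the bypass routes never existed. The script below is an added example (not from this thread or from OpenVPN) that pairs each route command in a Windows OpenVPN client log with its outcome; the sample log lines are constructed to mirror the shape of the post's log.

```shell
#!/bin/sh
# Added example: summarise route additions in an OpenVPN (Windows) client log.
# Not part of the original thread; the sample log below is constructed.

SAMPLE_LOG="$(cat <<'EOF'
Sat Dec 09 22:20:47 2017 C:\WINDOWS\system32\route.exe ADD 173.254.255.139 MASK 255.255.255.255 192.168.0.1
Sat Dec 09 22:20:47 2017 Warning: route gateway is ambiguous: 192.168.0.1 (3 matches)
Sat Dec 09 22:20:47 2017 Route addition via service failed
Sat Dec 09 22:20:47 2017 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.7.7.1
Sat Dec 09 22:20:47 2017 Route addition via service succeeded
Sat Dec 09 22:20:47 2017 C:\WINDOWS\system32\route.exe ADD 67.55.92.183 MASK 255.255.255.0 192.168.0.1
Sat Dec 09 22:20:47 2017 Warning: route gateway is ambiguous: 192.168.0.1 (3 matches)
Sat Dec 09 22:20:47 2017 Route addition via service failed
Sat Dec 09 22:20:47 2017 Initialization Sequence Completed
EOF
)"

# route_report: read a log on stdin and print one line per "route.exe ADD":
#   <OK|FAIL> <tab> <dest>/<mask> via <gateway> <tab> <warning that preceded the result>
# A route command is matched with the next "Route addition via service ..." line;
# any "Warning:" line seen in between is kept as the reason.
route_report() {
    awk '
        /route\.exe ADD / {
            # fields after the timestamp: <path>\route.exe ADD <dest> MASK <mask> <gw>
            for (i = 1; i <= NF; i++) if ($i == "ADD") {
                dest = $(i + 1); mask = $(i + 3); gw = $(i + 4)
            }
            pending = 1; reason = ""
            next
        }
        pending && /Warning: / {
            sub(/^.*Warning: /, ""); reason = $0
            next
        }
        pending && /Route addition via service (succeeded|failed)/ {
            status = /succeeded/ ? "OK" : "FAIL"
            printf "%s\t%s/%s via %s\t%s\n", status, dest, mask, gw, reason
            pending = 0
            next
        }
    '
}

# failed_routes: number of route additions that failed in the log on stdin
failed_routes() {
    route_report | grep -c '^FAIL'
}

# Stand-alone usage: show the report and the failure count for the sample log
printf '%s\n' "$SAMPLE_LOG" | route_report
printf 'failed route additions: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | failed_routes)"
```

Run it against a real client log with `route_report < openvpn.log`; a FAIL line for a route you added by hand means that destination is still going through the tunnel.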

No solution here but I’m also using Plex and Nord; it was previously working and just seemed to stop several days ago, coinciding with an update to the Nord software (possibly related?). Previously I was using Xflaks’ routing solution but since Plex won’t work through the VPN regardless of what I try. Really odd.

The trick is to Forward a Port - then tell your VPN Client what that port is.
This feat can be:
Easy
Hard
Damned Impossible
Depending on what VPN you’re using and how you’re using it.

I’m using PIA and it was so easy my dumbest Cat did it for me in 10 seconds…
(I’ve got the smart one working on Warp Drive)


@Emerica4u said:
No solution here but I’m also using Plex and Nord; it was previously working and just seemed to stop several days ago, coinciding with an update to the Nord software (possibly related?). Previously I was using Xflaks’ routing solution but since Plex won’t work through the VPN regardless of what I try. Really odd.

Exactly - Shortly after the recent NordVPN update is when remote access stopped working for PMS.

I’ve been combing through everything on the forums and trying different things. No luck yet.

@JuiceWSA said:
The trick is to Forward a Port - then tell your VPN Client what that port is.
This feat can be:
Easy
Hard
Damned Impossible
Depending on what VPN you’re using and how you’re using it.

I’m using PIA and it was so easy my dumbest Cat did it for me in 10 seconds…
(I’ve got the smart one working on Warp Drive)

Thanks for your input. However, Nord doesn’t support port forwarding.


@tobiemack said:
Thanks for your input. However, Nord doesn’t support port forwarding.

Well, then… that’s gonna slow things down (to a screeching halt).

I went round and round with port forwarding and finally gave up. Put the PLEX server on a stand-alone box and didn’t run it through the VPN. Worked great and no VPN bandwidth issues.

Will I still be safe and hide all my activity if you port forward? Or will my activity leak?

Hello,
I’ve been having the same issue since two Plex updates ago; up till then it was all running sweet and I had no issues at all.
I’m currently with NordVPN and contacted them for a solution. They recommended using OpenVPN and sent me the details to set it up using their servers, but that didn’t work. I then tried ExpressVPN and again I couldn’t get Plex to enable remote access.
It’s very frustrating and I’m hoping the amazing team at Plex will sort this in an update? …Please!! Driving me nuts.

Same problem here with NordVPN. An update to NordVPN seems to be the culprit. I un-installed the latest NordVPN and reinstalled an older version of the NordVPN client, 6.1.6.0.

Now I can reach my Plex server again over NordVPN (granted indirectly, but it works). How long this will last until the client updates again, I’m not sure.


Anyone have any solutions to this yet? I just ordered my NordVPN as it seems to be pretty much the best one rated on the NON paid sites… Quite a few personal recommendations for it as well from friends of mine that are in the internet security field… it’s the one they have all switched to for their own private use… Thus, hoping there will be a fix or workaround for this soon… Hate to be paying for PLEX and NordVPN and not be able to use PLEX outside my network… Totally defeats the purpose… I have obtained a private dedicated IP in NordVPN (as they recommended) but it still doesn’t work getting PLEX to register with the server.

Watching this as well, I HATE the thought of moving Plex to my FreeNAS box (slower processor to transcode)… so I am in for the fix as well

I have the same problem. If I knew the IP address(es) that the Plex server has to communicate with, I could write routes to forward that traffic through another NIC. But, it may be that this is easier said than done.

@tornadotj said:
I have the same problem. If I knew the IP address(es) that the Plex server has to communicate with, I could write routes to forward that traffic through another NIC. But, it may be that this is easier said than done.

It is much easier said than done. The IPs assigned to plex dot tv, which I believe are the only ones used to determine remote access change often. Sometimes every minute. I know because I wrote a script that would compare the current set of IPs with the previous, and if different, reload my firewall to keep routing them outside my VPN. Watching how often that happened made me re-think my approach. Now I use the Linux ip routing tables instead.

Cheers.

Split Tunnel routing is what you are looking for… Accessing specific sites over the WAN IP and others over your VPN IP.

Assuming you are accessing your VPN server through a client at a router level (the entire subnet would be protected…) you can use this script… The script is designed for the ‘tomato’ firmware (but can be altered…) and uses the ipset cmd to use DNS queries for the IP associated with Plex (and others…) to route around the VPN.

The older topic was here

#!/bin/sh
export DEBUG= # uncomment/comment to enable/disable debug mode
 
#         name: tomato-ovpn-split-advanced.sh
#      version: 0.1.8 (beta), 27-feb-2018, by eibgrad
#      purpose: redirect specific traffic over the WAN|VPN
#  script type: openvpn (route-up, route-pre-down)
# instructions:
#   1. add/modify rules to/in script for rerouting purposes; alternatively,
#      rules may be imported from filesystem using extension .rule:
#        /jffs/myrules.rule
#        /jffs/myrules2.rule
#   2. copy modified script to /jffs (or external storage, e.g., usb)
#   3. make script executable:
#        chmod +x /jffs/tomato-ovpn-split-advanced.sh
#   4. create symbolic links:
#        ln -sf /jffs/tomato-ovpn-split-advanced.sh /jffs/route-up
#        ln -sf /jffs/tomato-ovpn-split-advanced.sh /jffs/route-pre-down
#   5. add the following to openvpn client custom configuration:
#        script-security 2
#        route-up /jffs/route-up
#        route-pre-down /jffs/route-pre-down
#   6. optional: to set/lockdown the default gateway to WAN/ISP and use
#      rules to reroute to VPN, add the following to openvpn client custom
#      configuration:
#        route-noexec
#   7. optional: add ipset directive(s) w/ your domains to dnsmasq custom
#      configuration:
#        ipset=/ipchicken.com/netflix.com/ovpn_split
#        ipset=/google.com/cnet.com/gov/ovpn_split
#   8. optional: add import files to /jffs (w/ extension .net); these files
#      contain hosts and networks (in cidr notation), one per line, you want
#      preloaded into ipset (ovpn_split):
#        /jffs/amazon.net
#        /jffs/netflix.net
#   9. disable policy based routing (vpn tunneling->openvpn client->
#      routing policy tab)
#  10. disable qos
#  11. enable syslog (status->logs->logging configuration->syslog)
#  12. (re)start openvpn client
#  limitations:
#    - due to a known bug ( http://bit.ly/2nXMSjx ), this script *might*
#      NOT be compatible w/ all versions of tomato
#    - this script is NOT compatible w/ the routing policy tab of the openvpn
#      client gui
#    - this script is NOT compatible w/ qos
#    - only one openvpn client can be active while using this script
 
(
[ ${DEBUG+x} ] && set -x
 
add_rules() {
 
# ----------------------------------- FYI ------------------------------------ #
# * the order of rules doesn't matter (there is no order of precedence)
# * if any rule matches, those packets bypass the current default gateway
# * remote access is already enabled; no additional rules are necessary
# ---------------------------------------------------------------------------- #
 
# ------------------------------- BEGIN RULES -------------------------------- #
add_rule -s 192.168.1.10
add_rule -p tcp -s 192.168.1.112 --dport 80
add_rule -p tcp -s 192.168.1.122 --dport 3000:3100
add_rule -i br1 # guest network
add_rule -i br2 # iot network
#add_rule -d amazon.com # domain names NOT recommended; use ipset in dnsmasq
# -------------------------------- END RULES --------------------------------- #
:;}
# ------------------------------ BEGIN OPTIONS ------------------------------- #
 
# include user-defined rules
INCLUDE_USER_DEFINED_RULES= # uncomment/comment to enable/disable
 
# route openvpn dns server(s) through tunnel
ROUTE_DNS_THRU_VPN= # uncomment/comment to enable/disable
 
# import additional hosts/networks (into ipset hash tables)
IMPORT_HOSTS_AND_NETWORKS= # uncomment/comment to enable/disable
 
# ------------------------------- END OPTIONS -------------------------------- #
 
# ---------------------- DO NOT CHANGE BELOW THIS LINE ----------------------- #
 
WORK_DIR="tomato_ovpn_split_advanced"
mkdir -p $WORK_DIR
 
IMPORT_DIR="$(dirname $0)"
IMPORT_RULE_FILESPEC="$IMPORT_DIR/*.rule"
IMPORT_NET_FILESPEC="$IMPORT_DIR/*.net"
 
CID="${dev:4:1}"
OVPN_CONF="/tmp/etc/openvpn/client${CID}/config.ovpn"
 
ENV_VARS="$WORK_DIR/env_vars"
RPF_VARS="$WORK_DIR/rpf_vars"
ADDED_ROUTES="$WORK_DIR/added_routes"
 
# initialize work files
if [ "$script_type" == "route-up" ]; then
    # make environment variables persistent across openvpn events
    env > $ENV_VARS
 
    > $RPF_VARS
    > $ADDED_ROUTES
fi
 
env_get() { echo $(grep -Em1 "^$1=" $ENV_VARS | cut -d = -f2); }
 
TID="200" # valid values: 1-255
WAN_GW="$(env_get route_net_gateway)"
WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
VPN_GW="$(env_get route_vpn_gateway)"
VPN_IF="$(env_get dev)"
 
FW_CHAIN="ovpn_split"
FW_MARK=1
 
IPSET_HOST="ovpn_split" # must match ipset directive in dnsmasq
IPSET_NET="ovpn_split_net"
 
IPT_MAN="iptables -t mangle"
IPT_MARK_MATCHED="-j MARK --set-mark $FW_MARK"
IPT_MARK_NOMATCH="-j MARK --set-mark $((FW_MARK + 1))"
 
add_rule() {
    $IPT_MAN -D $FW_CHAIN "$@" $IPT_MARK_MATCHED 2> /dev/null
    $IPT_MAN -A $FW_CHAIN "$@" $IPT_MARK_MATCHED
}
 
verify_prerequisites() {
    local err_found=false
 
    # policy based routing must be disabled (ip rules conflict)
    if [ "$(nvram get vpn_client${CID}_route)" == "1" ]; then
        echo "fatal error: policy based routing must be disabled"
        err_found=true
    fi
 
    # qos must be disabled (packet marking conflict)
    if [ "$(nvram get qos_enable)" == "1" ]; then
        echo "fatal error: qos must be disabled"
        err_found=true
    fi
 
    # only one active openvpn client allowed (firewall conflict)
    if pidof vpnclient1 > /dev/null && pidof vpnclient2 > /dev/null; then
        echo "fatal error: only one active openvpn client allowed"
        err_found=true
    fi
 
    [[ $err_found == false ]] && return 0 || return 1
}
 
configure_ipset() {
    # verify DNSMasq supports ipset
    if ! dnsmasq -v | grep -Eq '^.*(^|[[:space:]]+)ipset([[:space:]]+|$)'; then
        echo "warning: installed version of DNSMasq does not support ipset"
        return 1
    fi
 
    # load ipset module
    modprobe ip_set 2> /dev/null || return 1
 
    # ipset sub-modules vary depending on ipset version; adjust accordingly
    if  modprobe ip_set_hash_ip  2> /dev/null; then
        # ipset protocol 6
        modprobe ip_set_hash_net
    else
        # ipset protocol 4
        modprobe ip_set_iphash
        modprobe ip_set_nethash
    fi
 
    # iptables "set" module varies depending on version; adjust accordingly
    modprobe ipt_set 2> /dev/null || modprobe xt_set
 
    # parse the iptables version # into subversions
    # _subver( index ): print the index-th dot-separated component of $v
    _subver() { awk -v v="$v" -v i="$1" 'BEGIN {split(v,a,"."); print a[i]}'; }
    local v="$(iptables --version | grep -o '[0-9\.]*')"
    local v1=$(_subver 1)
    local v2=$(_subver 2)
    local v3=$(_subver 3)
 
    # iptables v1.4.4 and above has deprecated --set in favor of --match-set
    if [[ $v1 -gt 1 || $v2 -gt 4 ]] || [[ $v2 -eq 4 && $v3 -ge 4 ]]; then
       MATCH_SET="--match-set"
    else
       MATCH_SET="--set"
    fi
 
    return 0
}
 
import_hosts_and_networks() {
    # import file naming format:
    #   *.net
    # example import files:
    #   /jffs/amazon.net
    #   /jffs/netflix.net
    # import file format (one per line):
    #   ip | network(cidr)
    # example import file contents:
    #   122.122.122.122
    #   212.212.212.0/24
 
    local MASK_COMMENT='^[[:space:]]*(#|$)'
    local MASK_HOST='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
    local MASK_HOST_32='^([0-9]{1,3}\.){3}[0-9]{1,3}/32$'
    local MASK_NET='^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
 
    local ERR_MSG="$WORK_DIR/tmp.$$.err_msg"
 
    # ipset( set host|network )
    _ipset_add() {
        if ipset -A $1 $2 2> $ERR_MSG; then
            return
        elif grep -Eq 'already (added|in set)' $ERR_MSG; then
            echo "info: duplicate host|network; ignored: $2"
        else
            cat $ERR_MSG
            echo "error: cannot add host|network: $2"
        fi
    }
 
    # _add_hosts_and_networks( file )
    _add_hosts_and_networks() {
        local line
 
        while read line; do
            # skip comments and blank lines
            echo $line | grep -Eq $MASK_COMMENT && continue
 
            # isolate host|network (the rest is treated as comments)
            line="$(echo $line | awk '{print $1}')"
 
            # line may contain host/network; add to appropriate ipset hash table
            if echo $line | grep -Eq $MASK_HOST; then
                _ipset_add $IPSET_HOST $line
            elif echo $line | grep -Eq $MASK_HOST_32; then
                _ipset_add $IPSET_HOST $(echo $line | sed 's:/32::')
            elif echo $line | grep -Eq $MASK_NET; then
                _ipset_add $IPSET_NET $line
            else
                echo "error: unknown host|network: $line"
            fi
 
        done < $1
    }
 
    local files="$(echo $IMPORT_NET_FILESPEC)"
 
    if [ "$files" != "$IMPORT_NET_FILESPEC" ]; then
        local file
 
        # add hosts and networks from each host/network file to ipset
        for file in $files; do
            _add_hosts_and_networks $file
        done
    fi
 
    # cleanup
    rm -f $ERR_MSG
}
 
up() {
    [ ${DEBUG+x} ] && cat $ENV_VARS
 
    # add chain for user-defined rules
    $IPT_MAN -N $FW_CHAIN
    $IPT_MAN -A PREROUTING -j $FW_CHAIN
 
    # initialize chain for user-defined rules
    $IPT_MAN -A $FW_CHAIN -j CONNMARK --restore-mark
    $IPT_MAN -A $FW_CHAIN -m mark ! --mark 0 -j RETURN
 
    # add rule for remote access over WAN or VPN
    if [ "$(env_get redirect_gateway)" == "1" ]; then
        # enable all remote access over the WAN
        add_rule -i $WAN_IF
    else
        # enable all remote access over the VPN
        add_rule -i $VPN_IF
    fi
 
    # add user-defined rules to chain
    if [ ${INCLUDE_USER_DEFINED_RULES+x} ]; then
        local files="$(echo $IMPORT_RULE_FILESPEC)"
 
        if [ "$files" != "$IMPORT_RULE_FILESPEC" ]; then
            # import (source) rules from filesystem
            for file in $files; do . $file; done
        else
            # use embedded rules
            add_rules
        fi
    fi
 
    # create ipset hash tables
    if [ ${IPSET_SUPPORTED+x} ]; then
        ipset -N $IPSET_HOST iphash -q
        ipset -F $IPSET_HOST
        ipset -N $IPSET_NET nethash -q
        ipset -F $IPSET_NET
    fi
 
    # import additional hosts and networks into ipset hash tables
    if [[ ${IMPORT_HOSTS_AND_NETWORKS+x} && ${IPSET_SUPPORTED+x} ]]; then
        import_hosts_and_networks
    fi
 
    # add rules for ipset hash tables
    if [ ${IPSET_SUPPORTED+x} ]; then
        add_rule -m set $MATCH_SET $IPSET_HOST dst
        add_rule -m set $MATCH_SET $IPSET_NET  dst
    fi
 
    # finalize chain for user-defined rules
    $IPT_MAN -A $FW_CHAIN -m mark ! --mark $FW_MARK $IPT_MARK_NOMATCH
    $IPT_MAN -A $FW_CHAIN -j CONNMARK --save-mark
 
    # add rules (router only)
    $IPT_MAN -A OUTPUT -j CONNMARK --restore-mark
    if [ ${IPSET_SUPPORTED+x} ]; then
        $IPT_MAN -A OUTPUT -m mark --mark 0 \
            -m set $MATCH_SET $IPSET_HOST dst $IPT_MARK_MATCHED
        $IPT_MAN -A OUTPUT -m mark --mark 0 \
            -m set $MATCH_SET $IPSET_NET  dst $IPT_MARK_MATCHED
    fi
 
    # clear marks (not available on all builds)
    [ -e /proc/net/clear_marks ] && echo 1 > /proc/net/clear_marks
 
    # route-noexec directive requires client to handle routes
    if grep -Eq '^[[:space:]]*route-noexec' $OVPN_CONF; then
        local i=1
 
        # search for openvpn routes
        while :; do
            local network="$(env_get route_network_$i)"
 
            [ "$network" ] || break
 
            local netmask="$(env_get route_netmask_$i)"
            local gateway="$(env_get route_gateway_$i)"
 
            [ "$netmask" ] || netmask="255.255.255.255"
 
            # add host/network route
            if route add -net $network netmask $netmask gw $gateway; then
                echo "route del -net $network netmask $netmask gw $gateway" \
                    >> $ADDED_ROUTES
            fi
 
            i=$((i + 1))
        done
    fi
 
    # route openvpn dns servers through the tunnel
    if [ ${ROUTE_DNS_THRU_VPN+x} ]; then
        awk '/dhcp-option DNS/{print $3}' $ENV_VARS \
          | while read ip; do
                if ip route add $ip via $VPN_GW; then
                    echo "ip route del $ip via $VPN_GW" >> $ADDED_ROUTES
                fi
            done
    fi
 
    # copy main routing table to alternate (exclude all default gateways)
    ip route show | grep -Ev '^default |^0.0.0.0/1 |^128.0.0.0/1 ' \
      | while read route; do
            ip route add $route table $TID
        done
 
    if [ "$(env_get redirect_gateway)" == "1" ]; then
        # add WAN as default gateway to alternate routing table
        ip route add default via $WAN_GW table $TID
    else
        # add VPN as default gateway to alternate routing table
        ip route add default via $VPN_GW table $TID
    fi
 
    # force routing system to recognize changes
    ip route flush cache
 
    # disable reverse path filtering
    for rpf in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo "echo $(cat $rpf) > $rpf" >> $RPF_VARS
        echo 0 > $rpf
    done
 
    # start split tunnel
    ip rule add fwmark $FW_MARK table $TID
}
 
down() {
    # stop split tunnel
    while ip rule del fwmark $FW_MARK table $TID 2> /dev/null
        do :; done
 
    # enable reverse path filtering
    while read rpf; do eval $rpf; done < $RPF_VARS
 
    # remove added routes
    while read route; do $route; done < $ADDED_ROUTES
 
    # remove rules
    while $IPT_MAN -D PREROUTING -j $FW_CHAIN 2> /dev/null
        do :; done
    $IPT_MAN -F $FW_CHAIN
    $IPT_MAN -X $FW_CHAIN
    $IPT_MAN -D OUTPUT -j CONNMARK --restore-mark
    if [ ${IPSET_SUPPORTED+x} ]; then
        $IPT_MAN -D OUTPUT -m mark --mark 0 \
            -m set $MATCH_SET $IPSET_HOST dst $IPT_MARK_MATCHED
        $IPT_MAN -D OUTPUT -m mark --mark 0 \
            -m set $MATCH_SET $IPSET_NET  dst $IPT_MARK_MATCHED
    fi
 
    # clear marks (not available on all builds)
    [ -e /proc/net/clear_marks ] && echo 1 > /proc/net/clear_marks
 
    # remove ipset hash tables
    if [ ${IPSET_SUPPORTED+x} ]; then
        ipset -F $IPSET_HOST
        ipset -X $IPSET_HOST
        ipset -F $IPSET_NET
        ipset -X $IPSET_NET
    fi
 
    # delete alternate routing table
    ip route flush table $TID
 
    # force routing system to recognize changes
    ip route flush cache
 
    # cleanup
    rm -f $ENV_VARS $RPF_VARS $ADDED_ROUTES
}
 
main() {
    # reject cli invocation; script only applicable to routed (tun) tunnels
    [[ -t 0 || "$(env_get dev_type)" != "tun" ]] && return 1
 
    # quit if we fail to meet any prerequisites
    verify_prerequisites || { echo "exiting on fatal error(s)"; return 1; }
 
    # configure ipset modules and adjust iptables "set" syntax according to version
    configure_ipset && IPSET_SUPPORTED= || { echo "warning: ipset not supported"; }
 
    # trap event-driven callbacks by openvpn and take appropriate action(s)
    case "$script_type" in
              "route-up")   up;;
        "route-pre-down") down;;
                       *) echo "WARNING: unexpected invocation: $script_type";;
    esac
 
    return 0
}
 
main
 
) 2>&1 | logger -p user.$([ ${DEBUG+x} ] && echo debug || echo notice) \
    -t $(echo $(basename $0) | grep -Eo '^.{0,23}')[$$]

Try using UDP instead of TCP in your VPN client.

I had a similar problem with my Android client. Just couldn’t connect to the PMS. I use Freedome VPN on both my PMS machine and my Android phone. All used to work just fine, but unfortunately I happened to reset my phone on Wednesday night and at the same time Windows had installed new updates. So I’m not sure which one is the culprit.

I solved this by bypassing VPN with the Plex app. This could be done from Freedome VPN app settings. It’s a simple solution, but works for my needs as I use PMS mostly when at home, but not always on my computer or another machine with a player.

Hi,
you can use OpenVPN for Android and configure it not to work with PMS.
See this thread: https://forum.xda-developers.com/shield-tv/help/vpn-apps-t3752497


I had the same problem. I’m using the NordVPN IKE version now and that seems to work just fine for me, so I’ll hope for you too :) https://itunes.apple.com/nl/app/nordvpn-ike-unlimited-vpn/id1116599239?mt=12

Did anyone get this going? This thread is a year old and curious if anyone has VPN working while using Plex.