Remote Access with DD-WRT OpenVPN Client


#1

Hello. I've had Plex up and running for a couple of years now, with remote access working like a charm. Recently, I bought a Netgear Nighthawk and installed DD-WRT, then configured OpenVPN client using PIA service. All devices connected to the router are now fully VPN'd.


Everything is working fine, with the exception of remote access to Plex. I'm a bit of a noob when it comes to command lines in the DD-WRT software, and I can't seem to get this working. Here is a summary of what I've tried so far.


- Enabled UPnP in DD-WRT

- Manually mapped remote port in Plex Server, also entered command line as per this post


Still doesn't seem to work... Can anyone help me get this fixed up? We are heading to the cottage on the weekend, and kinda need to access my Plex library up there.


Thanks.


#2

I have nothing directly to say about VPN, but Plex now requires a setting in the DNS server anyway. With or without VPN:

dd-wrt uses dnsmasq for DNS (or at least it can use it, so activate it if you haven't already)

ensure that you use a recent build of dd-wrt, open up its config, go to:
Services - Services - DNSMasq - Additional DNSMasq Options
and put in this into the field (on its own line):

rebind-domain-ok=/plex.direct/

https://support.plex.tv/hc/en-us/articles/206225077-How-to-Use-Secure-Server-Connections

(If you lose DNS after you add this line, your dd-wrt build is too old!)


#3

Thanks. I'll give this a shot tonight.


#4

I've given your recommendation a try. It turned my Remote Access section in PMS from the red X to the green check. I got pretty excited, but from there when I tested it on a device (iPhone app) it would not connect.... 

Any other ideas?


#5

Nope. Getting Plex to work with a VPN is hit & miss. Just do a search on VPN here in the forums. It is a major task and it only works with a few.


#6

I've given your recommendation a try. It turned my Remote Access section in PMS from the red X to the green check. I got pretty excited, but from there when I tested it on a device (iPhone app) it would not connect.... 

Any other ideas?

Plex routes itself outside of the 'regular' network interface since you cannot specify a 'specific' interface.  In the case of DD-WRT/Tomato firmwares, when you are running an OpenVPN client, you will need to route the specific IP addresses of Plex around your assigned IP from PIA...

For our needs, 'Plex' resides in these ip #'s...

https://forums.aws.amazon.com/ann.jspa?annID=1701

I have never had an address outside of here...

184.169.128.0/17
50.18.0.0/16
54.241.0.0/16
184.72.0.0/18
52.0.0.0/8
54.0.0.0/8

Now the good stuff... You can try this script in either the WanUp or Firewall portion of your router admin tabs...


EDIT: I would use this updated script instead of the one listed below... It includes DNS based resolution of the excluded sites...


https://forums.plex.tv/discussion/comment/1156066/#Comment_1156066


# This code goes in the FIREWALL section of the Tomato GUI.
# Make sure we leave enough time to enact our WAN and VPN routes
sleep 30
# Disable reverse path filtering as well, otherwise anything involving replies to remote access client won't work.
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done
# Delete table 100 and flush any existing rules/routes if they exist.
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING
# Create the new Table 100 NOTE: Here I assume the OpenVPN tunnel is named "tun11".
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
| while read ROUTE ; do
ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache
# OUTPUT for Admin page of router (Set port for your setting)
iptables -t mangle -A OUTPUT -p tcp -m multiport --sport 8080 -j MARK --set-mark 1
# Port based bypassing for specified internal IP
iptables -t mangle -A PREROUTING -i br0 -s 192.168.3.100 -p tcp -m multiport --sport 32400 -j MARK --set-mark 1
# Bypass Plex/AWS IP DESTINATION
iptables -t mangle -A PREROUTING -i br0 -d 184.169.128.0/17 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 50.18.0.0/16 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 54.241.0.0/16 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 184.72.0.0/18 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 52.0.0.0/8 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 54.0.0.0/8 -j MARK --set-mark 1
#Bypass CanYouSeeMe.org
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 107.20.89.142 -j MARK --set-mark 1
#Bypass LAN IP Computers/Systems
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.3.112 -j MARK --set-mark 1

In short, you can add a variety of route changes through this script.  As posted, it will route everything through your OpenVPN client (PIA) and then you must specify routes outside of that.  In my case, I routed Plex and CanYouSeeMe outside of the VPN.  I also specifically routed ports (top section) for Plex to my server.


#7

This is super fantastic! Thank you JasonMeudt. I'm a bit nOObish with this, but here goes a few questions. I'd like to play around with this tonight.

So, if I'm correct in understanding, what we've done here is create scripting to bypass the Plex traffic through regular ISP instead of PIA through OpenVPN, while all other traffic goes through OpenVPN.

Questions

  • How do I ensure OpenVPN tunnel is named "tun11". Likely a setting in my OpenVPN client section in dd-wrt?

  • In your script, what is the IP that I am changing to? For example, "192.168.3.100" is used twice before the bypass commands. Do I change this to the static IP I have assigned to my PMS machine? I'm assuming so, but am not sure.

  • Which of the Port commands in your script need to stay as part of bypassing VPN for Plex use?

  • There appears to be some extra in here. For my purposes, I just want Plex to be available remotely. I will delete the IPChicken and CanYouSeeMe sections (interested in why you have these bypassing?). The LAN section I can see being useful for devices on the network that you don't want going through the VPN.

  • What use is there for bypassing the ISP IP assigned address? (again, curiosity and I'm always looking for useful tips)

Thanks so much. Very appreciated.


#8

@russkajg1 said:
This is super fantastic! Thank you JasonMeudt. I'm a bit nOObish with this, but here goes a few questions. I'd like to play around with this tonight.

So, if I'm correct in understanding, what we've done here is create scripting to bypass the Plex traffic through regular ISP instead of PIA through OpenVPN, while all other traffic goes through OpenVPN.

Yep... All plex traffic would be routed outside of your VPN...

Questions

  • How do I ensure OpenVPN tunnel is named "tun11". Likely a setting in my OpenVPN client section in dd-wrt?

I use Tomato, but I can easily see my Tun adapter in a variety of my logs and settings.

  • In your script, what is the IP that I am changing to? For example, "192.168.3.100" is used twice before the bypass commands. Do I change this to the static IP I have assigned to my PMS machine? I'm assuming so, but am not sure.

Yes... This is my static IP intranet address...

  • Which of the Port commands in your script need to stay as part of bypassing VPN for Plex use?

  • There appears to be some extra in here. For my purposes, I just want Plex to be available remotely. I will delete the IPChicken and CanYouSeeMe sections (interested in why you have these bypassing?). The LAN section I can see being useful for devices on the network that you don't want going through the VPN.

I use ipchicken to verify the actual IP of my system (non-VPN...) and I use CanYouSeeMe for port checks

  • What use is there for bypassing the ISP IP assigned address? (again, curiosity and I'm always looking for useful tips)

Truthfully, if it comes in via the ISP assigned address, I want it to bypass my VPN...

Thanks so much. Very appreciated.
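As an added example that is not part of any post in this thread: a small POSIX sh helper (DD-WRT's busybox shell runs it) that builds the fwmark rules from the script above as a dry run, after validating every address. It catches exactly the kind of slip that silently breaks a firewall script, such as a five-octet LAN address or an octet above 255. The variable names (TUN_IF, LAN_IF, PLEX_HOST, PLEX_PORT, MARK, BYPASS_CIDRS) are assumptions of this example; the values are the ones from the thread.

```shell
#!/bin/sh
# Added example, not the thread's own script. Generates the mangle MARK rules
# for a bypass-the-VPN policy route and validates addresses first.

TUN_IF="tun11"            # OpenVPN client interface (assumed, as in the thread)
LAN_IF="br0"
PLEX_HOST="192.168.3.100" # LAN address of the Plex server
PLEX_PORT="32400"
MARK="1"                  # fwmark that selects routing table 100
BYPASS_CIDRS="184.169.128.0/17 50.18.0.0/16 54.241.0.0/16 184.72.0.0/18 52.0.0.0/8 54.0.0.0/8"

# Return 0 if $1 is a dotted quad with exactly four octets in 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(echo "$1" | tr '.' ' ')   # split into octets
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is "a.b.c.d/n" with a valid address and 0 <= n <= 32.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; plen=${1#*/}
    valid_ipv4 "$addr" || return 1
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ]
}

# Print the rules to stdout (dry run). Review the output before pasting it
# into the router's Firewall Commands box; nothing here touches the kernel.
gen_bypass_rules() {
    valid_ipv4 "$PLEX_HOST" || { echo "bad PLEX_HOST: $PLEX_HOST" >&2; return 1; }
    echo "ip rule add fwmark $MARK table 100   # traffic marked $MARK leaves via the WAN, not $TUN_IF"
    # Replies from the Plex server port bypass the tunnel.
    echo "iptables -t mangle -A PREROUTING -i $LAN_IF -s $PLEX_HOST -p tcp --sport $PLEX_PORT -j MARK --set-mark $MARK"
    for net in $BYPASS_CIDRS; do
        valid_cidr "$net" || { echo "bad CIDR: $net" >&2; return 1; }
        echo "iptables -t mangle -A PREROUTING -i $LAN_IF -d $net -j MARK --set-mark $MARK"
    done
}

gen_bypass_rules
```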


#9

I don't remember what it was exactly but I remember that OpenVPN server sometimes doesn't provide default gateway. There was some command in openvpn config file "push default-gateway ...." but I don't remember the syntax. When you connect to your vpn server check your ip/mask, dg, dns settings.


#10

Jason, huge props. This worked, from what I can initially tell.

One last thing I'm wondering. In the Firewall command section of dd-wrt where I input your commands, I'm interested in knowing if my commands above it are removed, altered or impacted anyway by your commands. I input these about a month ago to implement a kill switch on the PIA OpenVPN, and in my Firewall code they are located directly above your code.

iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I INPUT -i tun1 -j REJECT
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE

Thanks


#11

@russkajg1 said:
Jason, huge props. This worked, from what I can initially tell.

One last thing I'm wondering. In the Firewall command section of dd-wrt where I input your commands, I'm interested in knowing if my commands above it are removed, altered or impacted anyway by your commands. I input these about a month ago to implement a kill switch on the PIA OpenVPN, and in my Firewall code they are located directly above your code.

iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I INPUT -i tun1 -j REJECT
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE

Thanks

While I am in no way a firewall scripter, it looks like they would be fine. My script merely copies and uses a table for use with an interface. Your commands are interface driven, so they should be ok and not impact anything.

Like I said, I am not a firewall scripter, so take what I said above with a little mystery...


#12

Thanks a ton for all your effort on this, JasonMeudt....saved my bacon.


#13

JasonMeudt - your post has been extremely helpful. Plex is up and running! I'm actually interested in your other rules.

I have a wireless camera that resides on 192.168.1.111, port 11 on my LAN. I want to setup a port forwarding rule that allows me to come in via my ISP's WAN IP Address (say 64.56.334.12) on a specific port (say 11, to keep it consistent) and gain access to the wireless camera. I've searched, tried different combinations of your rules, but I simply can't seem to get this to work. Any suggestions would be very welcomed.

Thank you!


#14

@jfox00 said:
JasonMeudt - your post has been extremely helpful. Plex is up and running! I'm actually interested in your other rules.

I have a wireless camera that resides on 192.168.1.111, port 11 on my LAN. I want to setup a port forwarding rule that allows me to come in via my ISP's WAN IP Address (say 64.56.334.12) on a specific port (say 11, to keep it consistent) and gain access to the wireless camera. I've searched, tried different combinations of your rules, but I simply can't seem to get this to work. Any suggestions would be very welcomed.

Thank you!

Hmmm... If your internal ip is 192.168.3.100, then:

iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 11 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -s 192.168.3.100 -p tcp -m multiport --sport 11 -j MARK --set-mark 1

Having said that, have you also forwarded your port in the actual gui for your router? Once both aspects are forwarded, then you should be ok...


#15

Wow, thank you for the reply! So I still have to do the port forwarding in the GUI? I was under the impression that once I started using the firewall portion of the router I needed to do the port forwarding in there (not in the GUI). The rule you outlined above will basically tell the router not to VPN data that is coming in via the ISP IP address on port 11? I'll give this a try and let you know how it goes. Thanks again for the quick reply. You seem to know your stuff...


#16

I was using this script and it stopped working for me recently. I'm thinking Plex changed the IP ranges they use. Any help with making this work again? Thanks


#17

Bypass Plex/Amazon AWS IP DESTINATION

iptables -t mangle -A PREROUTING -i br0 -d 184.169.128.0/17 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 50.18.0.0/16 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 54.241.0.0/16 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 184.72.0.0/18 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 52.0.0.0/8 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 54.0.0.0/8 -j MARK --set-mark 1


#18

Jason,

Worked perfectly for me, although I made a few modifications by eliminating some stuff.

First: Updated to the newest DD-WRT (Kong Mod) (netgear R7000)

Entered this into Services - Services - DNSMasq - Additional DNSMasq Options
rebind-domain-ok=/plex.direct/

Added this code into Firewall Commands
sleep 30
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
| while read ROUTE ; do
ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache
iptables -t mangle -A OUTPUT -p tcp -m multiport --sport 8080 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -s 192.168.3.100 -p tcp -m multiport --sport 32400 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 184.169.128.0/17 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 50.18.0.0/16 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 54.241.0.0/16 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 184.72.0.0/18 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 52.0.0.0/8 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 54.0.0.0/8 -j MARK --set-mark 1

Note: I changed my local ip address, so I changed 192.168.128.3.100 to my server address that I use.

I use a Dell Poweredge Server for Plex, 3 Roku, Xbox One, many Iphones & Ipads. Everything seems to be working great.

Thanks Jason!


#19

Jason,

I do have one problem.....checked my VPN on www.ipleak.net and my ip is showing up :-(


#20

Added the bypass, working now :-)