Remote Access with DD-WRT OpenVPN Client

@kdecoster1 said:
Added the bypass, working now :slight_smile:

Good to hear!

@JasonMeudt said:
For our needs, ‘Plex’ resides in these ip #'s…

[Announcement] Amazon EC2 Public IP Ranges - Deprecated Thread | AWS re:Post

I have never had an address outside of here…

184.169.128.0/17
50.18.0.0/16
54.241.0.0/16
184.72.0.0/18
52.0.0.0/8
54.0.0.0/8

It’s a great game of “whack a mole”, isn’t it? Not sure if this was due to the outage recently, but quite a few of the Plex IPs are now outside those ranges. Doing some digs, here’s what I’m now seeing:

[root@NethServer shorewall]# dig +short www.plexapp.com
www.plexapp.com.cdn.cloudflare.net.
104.20.12.29
104.20.13.29
[root@NethServer shorewall]# dig +short plexapp.com
104.20.13.29
104.20.12.29
[root@NethServer shorewall]# dig +short plugins.plexapp.com
74.86.186.25
[root@NethServer shorewall]# dig +short plex.tv
52.18.19.203
52.48.79.17
52.17.56.75
52.48.191.121
54.76.59.172
52.31.137.240
[root@NethServer shorewall]# dig +short app.plex.tv
54.76.242.214
52.31.34.189
52.31.195.127
[root@NethServer shorewall]# dig +short pubsub.plex.tv
pubsub.plex.bz.
103.3.62.6
[root@NethServer shorewall]# dig +short metrics.plex.tv
metrics-1673044558.eu-west-1.elb.amazonaws.com.
52.17.176.169
54.171.244.252
52.49.76.59
[root@NethServer shorewall]# dig +short plexapp.tv
185.53.179.8
[root@NethServer shorewall]# dig +short plex.direct
82.94.168.7

From memory, when I last really checked on these, pubsub.plex.tv (pubsub.plex.bz) rotated through 3 different addresses based on a 60 second TTL.

Do you know any other locations that Plex goes looking for?

Cheers.
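A small checker for the whack-a-mole problem described above, added here as an example and not part of the thread: it parses `dig +short` answers (constructed from the output posted), reports which addresses a static CIDR bypass list would miss, and sizes that list. The only inputs are the thread's own CIDR list and a few of the answers shown.

```python
import ipaddress

# The CIDR list from the thread, plus constructed `dig +short` answers copied from
# the posted output (CNAME targets included, since dig prints those too).
AWS_RANGES = [ipaddress.ip_network(c) for c in (
    "184.169.128.0/17", "50.18.0.0/16", "54.241.0.0/16",
    "184.72.0.0/18", "52.0.0.0/8", "54.0.0.0/8",
)]
DIG_OUTPUT = {
    "plex.tv": "52.18.19.203\n54.76.59.172\n",
    "www.plexapp.com": "www.plexapp.com.cdn.cloudflare.net.\n104.20.12.29\n104.20.13.29\n",
    "pubsub.plex.tv": "pubsub.plex.bz.\n103.3.62.6\n",
}

def parse_dig_short(text):
    """Return the IP addresses in `dig +short` output, skipping CNAME target lines."""
    addrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            addrs.append(ipaddress.ip_address(line))
        except ValueError:
            continue  # a name such as "pubsub.plex.bz." rather than an address
    return addrs

def covered_by(addr, ranges):
    return any(addr in net for net in ranges)

def find_uncovered(dig_by_name, ranges):
    """Names whose current answers a static route list for `ranges` would miss."""
    missing = {}
    for name, text in dig_by_name.items():
        outside = [str(a) for a in parse_dig_short(text) if not covered_by(a, ranges)]
        if outside:
            missing[name] = outside
    return missing

def bypass_size(ranges):
    """How many addresses the list sends around the VPN (overlaps counted once)."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(ranges))
```

Re-run `find_uncovered` against fresh dig output whenever remote access breaks; `bypass_size` shows why two /8s are a wide hole for traffic you wanted inside the tunnel.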

@EddieA said:

It’s a great game of “whack a mole”, isn’t it? Not sure if this was due to the outage recently, but quite a few of the Plex IPs are now outside those ranges. Doing some digs, here’s what I’m now seeing:

metrics-1673044558.eu-west-1.elb.amazonaws.com.
52.17.176.169
54.171.244.252
52.49.76.59

Do you know any other locations that Plex goes looking for?

Cheers.

I think we are concerned with the AWS (Amazon Web…) IP’s more so than anything else…

If we stick with the one I listed you “SHOULD” still be connecting ok since AWS does not have anything outside of there for Plex’s purposes.

@JasonMeudt said:
I think we are concerned with the AWS (Amazon Web…) IP’s more so than anything else…

If we stick with the one I listed you “SHOULD” still be connecting ok since AWS does not have anything outside of there for Plex’s purposes.

Yeah, it was quite a while ago I researched all the outgoing connections from Plex to make my list and I don’t think I narrowed down exactly what function each of these affected when pushed down the VPN. It’s definitely the plex.tv ones that are used in the determination of your server being accessible outside your network.

My only “concern”, if that’s the right word, is the huge number of IPs that could be excluded from the VPN, which depending on your reasons for the VPN, could include some of the CDNs you specifically want VPN’d. :smiley:

Cheers.

Here is an updated script that does not rely on the actual IP’s address of Plex…

# http://www.linksysinfo.org/index.php?threads/routing-traffic-between-regular-i - Pastebin.com

#!/bin/sh
# Routing traffic between regular ISP and two VPN connections | LinksysInfo.org
# Put this in the Firewall portion of the script section in Administration

set -x # uncomment/comment to enable/disable debug mode

(
TID="200"
FW_MARK="0x88"
IPSET="myipset"

# cleanup from prior execution
(
# stop split tunnel
ip rule del fwmark $FW_MARK table $TID

# delete firewall rules
iptables -t mangle -F

# delete ipset hash table
ipset -F $IPSET
ipset -X $IPSET

# delete alternate routing table
ip route flush table $TID

# force routing system to recognize our changes
ip route flush cache

# enable reverse path filtering
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done

sleep 3
) > /dev/null 2>&1

# quit if neither OpenVPN client is active
! ip route show | egrep -qm1 'tun1[1-2]' && exit

# copy main routing table (exclude all default gateway routes,
# including the 0.0.0.0/1 and 128.0.0.0/1 halves OpenVPN installs)
ip route show | egrep -v '^default|^0.0.0.0/1|^128.0.0.0/1' |
while read route; do
  ip route add $route table $TID
done

# add WAN as default gateway
ip route add default via $(nvram get wan_gateway) table $TID

# force routing system to recognize our changes
ip route flush cache

# disable reverse path filtering
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $i; done

# load required netfilter modules
(modprobe xt_set || modprobe ipt_set) 2> /dev/null

# create ipset hash table
insmod ip_set_hash_ip
ipset -N $IPSET iphash -q
ipset -F $IPSET

# add firewall rules
# replies leaving the Plex server ports are marked so they go out the WAN, not the VPN
iptables -t mangle -A PREROUTING -p tcp -m multiport --sport 3000,8085,32400 -j MARK --set-mark $FW_MARK
# anything destined to an address dnsmasq placed in the ipset also bypasses the VPN
iptables -t mangle -A PREROUTING -m set --match-set $IPSET dst -j MARK --set-mark $FW_MARK

# OUTPUT for Admin page of router (Set port for your setting)
iptables -t mangle -A OUTPUT -p tcp -m multiport --sport 8080 -j MARK --set-mark $FW_MARK

# start split tunnel
ip rule add fwmark $FW_MARK table $TID

) 2>&1 | logger -t "ovpn_split[$$]"

In addition, put this in your DNSMasq custom configuration:

ipset=/netflix.com/google.com/plex.tv/my.plexapp.com/canyouseeme.org/myipset
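A model of what the script above sets up, added here as an example; it is not the script and does not run on the router. The constructed route table, ipset contents and WAN gateway stand in for `ip route show`, dnsmasq and `nvram`, and `egress()` reports which route a packet takes once the three mangle marks and the fwmark rule are applied.

```python
import ipaddress
# Constructed model of the posted firewall script's marking and routing logic.
FW_MARK = 0x88
PLEX_SRC_PORTS = {3000, 8085, 32400}   # PREROUTING: tcp --sport multiport
ADMIN_SRC_PORT = 8080                  # OUTPUT: replies from the router admin page
VPN_DEFAULT_PREFIXES = {"default", "0.0.0.0/1", "128.0.0.0/1"}  # the egrep -v filter

# Constructed `ip route show` lines while the OpenVPN client owns the default route.
MAIN_TABLE = [
    "0.0.0.0/1 via 10.8.0.1 dev tun11",
    "128.0.0.0/1 via 10.8.0.1 dev tun11",
    "default via 203.0.113.1 dev vlan2",
    "192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1",
]
WAN_GATEWAY = "203.0.113.1"            # stands in for `nvram get wan_gateway`
# What dnsmasq would have added from ipset=/plex.tv/.../myipset (constructed);
# dnsmasq matches subdomains of each listed name as well.
MYIPSET = {ipaddress.ip_address("52.18.19.203")}

def build_bypass_table(main_routes, wan_gw):
    """Copy main minus the default and the two VPN halves, then add the WAN default."""
    table = [r for r in main_routes if r.split()[0] not in VPN_DEFAULT_PREFIXES]
    table.append(f"default via {wan_gw} dev vlan2")
    return table

def fw_mark(chain, proto, sport, dst, ipset):
    """Evaluate the script's three MARK rules; return FW_MARK or 0."""
    tcp = proto == "tcp"
    if chain == "PREROUTING" and ((tcp and sport in PLEX_SRC_PORTS)
                                  or ipaddress.ip_address(dst) in ipset):
        return FW_MARK
    if chain == "OUTPUT" and tcp and sport == ADMIN_SRC_PORT:
        return FW_MARK
    return 0

def lookup(routes, dst):
    """Longest-prefix match over textual route lines; return the winning line."""
    best = None
    for line in routes:
        prefix = line.split()[0]
        net = ipaddress.ip_network("0.0.0.0/0" if prefix == "default" else prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, line)
    return best[1]

def egress(chain, proto, sport, dst, ipset=MYIPSET):
    """Route a packet follows: table 200 when marked (ip rule fwmark), else main."""
    if fw_mark(chain, proto, sport, dst, ipset) == FW_MARK:
        return lookup(build_bypass_table(MAIN_TABLE, WAN_GATEWAY), dst)
    return lookup(MAIN_TABLE, dst)
```

Unmarked traffic still hits the two /1 routes and goes through tun11; marked traffic uses the copied table, which keeps the LAN routes but has only the WAN as default.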

Jason,

Your updated script works perfectly and better than my old one, great job. It even passes the www.ipleak.net test. I did notice “netflix.com” in your DNSMasq config; I’m trying to get Netflix to work on my network but can’t seem to figure it out. I live in the USA, but Netflix is blocking me because of the VPN. I have the same router (Netgear R7000 w/ Tomato by Shibby) as you have. If you have figured it out can you post something? I know it doesn’t have anything to do with Plex, but I sure would appreciate some direction.

By the way, Tomato is by far much superior to Kong firmware. I was having major speed issues with Kong so I switched over to Tomato. Tomato is consistently fast, even through my VPN, I recommend it.

Thanks

@kdecoster1 said:
Jason,

I did notice “netflix.com” in your DNSMasq config; I’m trying to get Netflix to work on my network but can’t seem to figure it out. I live in the USA, but Netflix is blocking me because of the VPN.

Yeah… I am still having to work on that one… As with Plex, Netflix appears to use AWS for their service. In addition, I think that they use a prolific amount of subdomains as well… I am going to sniff around the packets (when I get a chance…) and see, exactly, what domains are involved.

As a side note, I attempted to engage a Netflix CS to have him tell me… Lol… That was almost comical. In the end, they could care less that you can’t connect to them with a VPN. In fact, their head echelon even said so recently.

In the end, I will get it, but when I get a chance…

All-

Just as an FYI, in regards to connecting to Netflix via an OpenVPN client… If you are using the script I listed before, you can change the DNSMasq option to:

ipset=/netflix.com/*.netflix.com/nflximg.net/nflxvideo.net/nflxext.com/google.com/plex.tv/my.plexapp.com/canyouseeme.org/myipset

Then, since Tomato allows you to bypass any/all DNS requests, simply check “Intercept DNS port (UDP 53)” under ADVANCED>DHCP/DNS and make sure that you entered your selected DNS servers in BASIC>NETWORK.

Now, unless you are using the Android client for Netflix, you should be able to stream from Netflix even with their Geo/VPN blocking. I say Android in that the Netflix Client is hardcoded to use specific DNS servers within the app…

@JasonMeudt said:
ipset=/netflix.com/*.netflix.com/nflximg.net/nflxvideo.net/nflxext.com/google.com/plex.tv/my.plexapp.com/canyouseeme.org/myipset

Then, since Tomato allows you to bypass any/all DNS requests, simply check “Intercept DNS port (UDP 53)” under ADVANCED>DHCP/DNS and make sure that you entered your selected DNS servers in BASIC>NETWORK.

Hi Jason, thanks for all of this great information!
I just got a Netgear R7000 with Shibby/Tomato installed.

I have PIA up and running, when I was checking my IP using various sites, it was coming up as the correct PIA servers. However if I asked google on my computer/phone it would show my true IP.

I removed “google.com” from the “DNSMasq custom configuration” and it now shows the correct PIA IP. Are there any negative consequences to removing this? I don’t want my google searches to be tied to my IP anyway, so I wasn’t sure why it was being excluded from the VPN tunnel.

Anyways, I have only done two things since getting PIA running.

  1. I added the script from your March 27th post to the Administration>script>firewall section in the Shibby/Tomato GUI.
  2. I added ipset=/netflix.com/*.netflix.com/nflximg.net/nflxvideo.net/nflxext.com/plex.tv/my.plexapp.com/canyouseeme.org/myipset to the Advanced>DHCP / DNS Server (LAN)>Dnsmasq Custom configuration section in the Shibby/Tomato GUI.

I have not been able to access plex remotely.

I have three questions:

  1. Where do I specify my plex server IP, ports, etc. or does the script figure all of this out and just plug-and-play?
  2. I’m not sure how to accomplish the manual specification of the PIA DNS servers you mentioned in the quoted post. In BASIC>NETWORK I see 3 areas with 0.0.0.0 under “static DNS (IP Port)” and 0.0.0.0 under “WINS (for DHCP)”. Do I change any of those?
  3. Under Basic Settings>DDNS>Dynamic DNS Service do I change anything or do I leave “Use WAN IP Address XXX.XXX.XXX.XXX (recommended)”? The Xs are my true IP address.

I apologize for the (probably) silly/obvious questions, but I’m a bit new and still learning. Thanks in advance!

@robert.j.erickson said:

I have not been able to access plex remotely.

I have three questions:

  1. Where do I specify my plex server IP, ports, etc. or does the script figure all of this out and just plug-and-play?
  2. I’m not sure how to accomplish the manual specification of the PIA DNS servers you mentioned in the quoted post. In BASIC>NETWORK I see 3 areas with 0.0.0.0 under “static DNS (IP Port)” and 0.0.0.0 under “WINS (for DHCP)”. Do I change any of those?
  3. Under Basic Settings>DDNS>Dynamic DNS Service do I change anything or do I leave “Use WAN IP Address XXX.XXX.XXX.XXX (recommended)”? The Xs are my true IP address.

I apologize for the (probably) silly/obvious questions, but I’m a bit new and still learning. Thanks in advance!

  1. Do you have your port forwarding set up? You must have the proper ports set up under the Port Forwarding section under Tomato.
  2. Under Basic>Network>WAN Settings, set your DNS Server to manual and then key in which ever DNS servers you wish.
  3. Yes… You want to access your ‘True’/Non-PIA IPs. That is the whole point of this exercise… You are routing ‘around’ PIA since they do not ‘do’ port forwarding that well…

Hope that helps…

@JasonMeudt said:

  1. Do you have your port forwarding set up? You must have the proper ports set up under the Port Forwarding section under Tomato.
  2. Under Basic>Network>WAN Settings, set your DNS Server to manual and then key in which ever DNS servers you wish.
  3. Yes… You want to access your ‘True’/Non-PIA IPs. That is the whole point of this exercise… You are routing ‘around’ PIA since they do not ‘do’ port forwarding that well…

1.1 I have a port forwarded to 32400 on the tomato GUI and have inputted that port on the plex server GUI. I tested and was able to gain remote access before I setup PIA using that port.
1.2~~ My question was more regarding the script posted on 2016-03-27. In the original script you specified your server IP @ 192.168.3.100, and I couldn’t find anywhere to input my server IP in newest script. ~~Are there any changes I need to make specific to my setup? EDIT: I have it working now. The answer to this question is “NO”, the script automatically finds the server.
2. I’m also on Shibby Tomato for the R7000 and under “Basic>Network>WAN Settings>LAN” I see the header “Static DNS” with three spaces to add IPs. I’m assuming that is where I should add the IPs for PIA’s DNS servers? Are there pros/cons to leaving this default vs. inputting PIA’s DNS servers?
3. Perfect, this is good to know!

P.S. I added 3 entries to the DNSMasq custom configuration section :slight_smile:

I have it up and working, for those who read through this guide. Do the following:

  1. In the Advanced Settings>DHCP/DNS>DHCP / DNS Server (LAN)>Dnsmasq Custom configuration section, add

ipset=/netflix.com/*.netflix.com/nflximg.net/*.craigslist.org/craigslist.org/nflxvideo.net/nflxext.com/plex.tv/my.plexapp.com/*.plex.tv/canyouseeme.org/myipset

rebind-domain-ok=/plex.direct/

  2. The sites following “ipset=/” are personal preference. I added craigslist and removed google
  3. In the Administration>Scripts>Firewall section, paste the text (script) from JasonMeudt’s comment posted on March 27th here
  4. Click save
  5. Reboot your router (optional)
  6. Big thanks to JasonMeudt for all his help

@robert.j.erickson said:
I have it up and working

Nice! Good to hear that you are all taken care of…

I just updated to the new pleX server today; it seems to have affected the remote access.

On the server, I get “Not available outside your network” and
Private 192.168.1.### : 32400 :arrow_left: Public 108.61.228.26 : ##### :heavy_multiplication_x:Internet

I am able to access pleX using ā€œindirect connectionā€ on a remote device that I tested, but the quality is very poor. Is this just a coincidence and perhaps a mistake on my end or are other people experiencing this after the newest update, as well?

@robert.j.erickson said:
I just updated to the new pleX server today; it seems to have affected the remote access.

On the server, I get “Not available outside your network” and
Private 192.168.1.### : 32400 :arrow_left: Public 108.61.228.26 : ##### :heavy_multiplication_x:Internet

I am able to access pleX using ā€œindirect connectionā€ on a remote device that I tested, but the quality is very poor. Is this just a coincidence and perhaps a mistake on my end or are other people experiencing this after the newest update, as well?

Just asking if you have tried to reboot both your system (plex server) and the router…

My system is working just fine… If 108.xx.xxx.xx is your TRUE IP, then everything is OK (outside of the fact that you posted it here…), but if it is not, then rebooting will probably help.

@JasonMeudt said:
Just asking if you have tried to reboot both your system (plex server) and the router…

My system is working just fine… If 108.xx.xxx.xx is your TRUE IP, then everything is OK (outside of the fact that you posted it here…), but if it is not, then rebooting will probably help.

I had rebooted the router right away, but not the server.

The 108.xx.xxx.xx is a PIA server :slight_smile:

I just rebooted both router and server. Now the pleX server GUI is now showing my TRUE IP and the server is now accessible by remote access (green icon). I feel silly as heck, as I am a frequent supplier of “reboot the system” advice.

Thanks for the reply, Jason!

@JasonMeudt 's script looks ideal - but it needs Tomato? DD-WRT doesn’t seem to have support for ipset [as far as I can find]
Any way to do this without going to Tomato?

@AdamSigel said:
DD-WRT doesn’t seem to have support for ipset [as far as I can find]
Any way to do this without going to Tomato?

While I have not researched it, try this out…

I got it sorted - thank you!
I used your script as a template and removed the ipset pieces, then I used something similar to the approach in the link you provided - but instead of adding routes, it creates the iptables rules.

I don’t know if one is better/more efficient than the other - but it works for me now.
Thanks again!

@AdamSigel said:
I got it sorted - thank you!
I used your script as a template and removed the ipset pieces, then I used something similar to the approach in the link you provided - but instead of adding routes, it creates the iptables rules.

I don’t know if one is better/more efficient than the other - but it works for me now.
Thanks again!

Share the script… Someone may use it in the future!