Tutorial: Remotely connect to PlexConnect over VPN using 2 Tomato Routers

Below is how to configure an ATV on a network without a Plex Server or PlexConnect to remotely connect to a Plex/PlexConnect Server.

 

Here is my setup:

Location #1

- Netgear R7000 running Tomato 1.28.0000 -124 K26ARM USB AIO-64K (10.0.100.1)
     - unRAID Server running PMS and PlexConnect Dockers (10.0.100.50)

Location #2

- Linksys WRT310N v1 (no USB) running Tomato 1.28.0005 124 ND VPN (192.168.1.1)
     - ATV3 (192.168.1.12)

 

Basic step outline:

- setup location #1 router as OpenVPN server

- setup location #2 router as OpenVPN client

- only use the VPN for the ATV

- configure location #1 router to handle the redirection of trailers.apple.com so no changes are needed on the ATV

- configure PlexConnect to use non standard (80/443) ports

- allow Plex artwork to show on the remote ATV

 

 

1.)  Setup Location #1 to use a Dynamic DNS.  This will keep the ATV connected even after your ISP changes your public IP.  Directions can be found in the link from step #2

 

 

2.)  To configure Location #1's router to act as the OpenVPN server, we first must create the proper keys.  I found this link to be quite helpful in acquiring the necessary keys:

http://www.howtogeek.com/60774/connect-to-your-home-network-from-anywhere-with-openvpn-and-tomato/

This should provide you with ca.crt, dh1024.pem, SERVERNAME.crt, SERVERNAME.key, CLIENT.crt, and CLIENT.key

 

 

3.)  Setup OpenVPN server on Location #1 router.

VPN Tunneling -> OpenVPN: Server -> Basic

Start with WAN - checked

Interface Type - TUN

Protocol - UDP

Port - 1194

Firewall - Automatic

Authorization Mode - TLS

Extra HMAC - Disabled

VPN subnet/netmask - 10.8.0.0  255.255.255.0

 

VPN Tunneling -> OpenVPN: Server -> Advanced

Poll Interval - 0

Push LAN to clients - checked

Direct clients to redirect internet traffic - unchecked

Respond to DNS - checked

Advertise DNS to clients - checked

Encryption cipher - AES-128-CBC

Compression - Adaptive

TLS renegotiation time - -1

Manage Client Specific options - unchecked

Allow user/pass auth - unchecked

 

VPN Tunneling -> OpenVPN: Server -> Keys

enter each key as appropriate in the following format:

-----BEGIN PRIVATE KEY-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END PRIVATE KEY-----
 
Certificate Authority -> ca.key
Server Certificate -> SERVERNAME.crt
Server Key -> SERVERNAME.key
Diffie Hellman parameters -> dh1024.pem
 
Save your settings and start the server
 
 
4.)  Setup OpenVPN server on Location #2 router.

VPN Tunneling -> OpenVPN: Client -> Basic

Interface Type - TUN

Protocol - UDP

Server Address/Port - your.ddns.address 1194

Firewall - Automatic

Authorization Mode - TLS

Extra HMAC - Disabled

Create NAT on tunnel - unchecked

 

VPN Tunneling -> OpenVPN: Client -> Advanced

Poll Interval - 0

redirect internet traffic - unchecked

accept DNS configuration - Strict

Encryption cipher - AES-128-CBC

Compression - Adaptive

TLS renegotiation time - -1

verify server certificate - unchecked

custom configuration - route-nopull

 

VPN Tunneling -> OpenVPN: Client -> Keys

Certificate Authority -> ca.key

Client Certificate -> CLIENT.crt
Client Key -> CLIENT.key
 

Save your settings

 

 

5)  Configure Location #2 router to have all devices bypass the VPN except for the ATV

Administration -> Scripts -> WAN Up (192.168.1.12 is the local IP of the ATV)

# give the OpenVPN client time to bring up tun11 before its address is read below
sleep 60
ip route flush table 200
ip route flush cache
# only the ATV's traffic is sent to table 200; drop any rule left by a previous
# WAN-up event first so duplicate rules do not accumulate
ip rule del from 192.168.1.12 lookup 200 2>/dev/null
ip rule add from 192.168.1.12 lookup 200
# the tunnel's local address becomes the default gateway of table 200
VPN_GW=`ifconfig tun11 | awk '/inet addr/ {split ($2,A,":"); print A[2]}'`
ip route add table 200 default via $VPN_GW dev tun11

6)  Configure Location #2 router to route trailers.apple.com to the ATV without assigning a static DNS server on the ATV itself.  In other words, absolutely no configuration is necessary on the ATV.

Administration -> Scripts -> Firewall (IPs correspond to the designations at the top of this post)

REMOTE_PLEXCONNECT=10.0.100.50
REMOTE_PLEXCONNECT_PORT=8081
REMOTE_PLEXCONNECT_SSL_PORT=8082
APPLETV=192.168.1.12
REMOTE_ROUTER=10.0.100.1

# resolve a name to a dotted quad; if the lookup returns nothing (e.g. the value is already an address) the value is used as-is
resolve_addr() {
    addr=$(expr "$(nslookup 2>/dev/null "$1" | grep '^Address')" : 'Address.* \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)')
    echo "${addr:-$1}"
}
plexconnect_addr=$(resolve_addr "$REMOTE_PLEXCONNECT")
appletv_addr=$(resolve_addr "$APPLETV")
router_addr=$(resolve_addr "$REMOTE_ROUTER")

# forward LAN <-> tunnel, keep tunnel traffic off the router itself, NAT what leaves through the tunnel
iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
iptables -I INPUT -i tun11 -j REJECT
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE

# dnsmasq (below) answers trailers.apple.com with the remote router's address; rewrite only the ATV's connections to it onto PlexConnect's ports
iptables -t nat -A PREROUTING -p tcp -s $appletv_addr -d $router_addr --dport 80 -j DNAT --to-destination $plexconnect_addr:$REMOTE_PLEXCONNECT_PORT
iptables -t nat -A PREROUTING -p tcp -s $appletv_addr -d $router_addr --dport 443 -j DNAT --to-destination $plexconnect_addr:$REMOTE_PLEXCONNECT_SSL_PORT

Advanced -> DHCP/DNS -> Dnsmasq

address=/trailers.apple.com/10.0.100.1
address=/atv.plexconnect/10.0.100.1

7.)  The PlexConnect Settings.cfg file that corresponds with the above routing rules:

# addresses match the Location #1 designations at the top of this post
[PlexConnect]
enable_plexgdm = True
ip_pms = 10.0.100.50
port_pms = 32400
enable_dnsserver = True
port_dnsserver = 53
ip_dnsmaster = 8.8.8.8
prevent_atv_update = True
enable_plexconnect_autodetect = True
ip_plexconnect = 10.0.100.50
hosttointercept = trailers.apple.com
port_webserver = 8081
enable_webserver_ssl = True
port_ssl = 8082
certfile = ./assets/certificates/trailers.pem
loglevel = Normal
logpath = .

8.)  If you were to start PlexConnect at this point, it would not give your remote location cover art, as it is currently not authorized to do so without credentials.  To solve this, open up your PMS to

Settings -> Network and Show Advanced

Change "List of networks that are allowed without auth" to your two networks.  For me the following worked:

192.168.1.0/255.0.0.0,10.0.100.0/255.0.0.0

 

 

9.)  Reboot both routers and the ATV.  The WAN Up script at Location #2 has a 60 second delay, so you may have to wait a few minutes for your ATV to join the VPN.

 

 

10.)  Install the certificate on your ATV as described here:

https://github.com/iBaa/PlexConnect/wiki/Install-Guide-Certificate-via-Ethernet

 

 

11.)  On your ATV, open the trailers app and you should be in business.
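An added check that is not part of the original post: the step 8 value uses 255.0.0.0 masks, which are /8s, so it waives Plex authentication for every 10.x and 192.x source that can reach the server rather than just the two /24 LANs listed at the top of the post. The script below (function names are my own) converts each ip/netmask entry of that setting to a prefix length and flags anything wider than /24.

```shell
#!/bin/sh
# Sanity-check a PMS "List of networks that are allowed without auth" value.
# Entries are comma-separated ip/netmask pairs; a 255.0.0.0 mask is a /8.

# Dotted-quad netmask -> prefix length (255.255.255.0 -> 24).
# Fails on a mask that is not four octets or not contiguous (255.0.255.0).
mask_to_prefix() {
    bits=0; ended=0; n=0
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        n=$((n + 1))
        if [ "$ended" = 1 ] && [ "$octet" != 0 ]; then return 1; fi
        case "$octet" in
            255) bits=$((bits + 8)) ;;
            254) bits=$((bits + 7)); ended=1 ;;
            252) bits=$((bits + 6)); ended=1 ;;
            248) bits=$((bits + 5)); ended=1 ;;
            240) bits=$((bits + 4)); ended=1 ;;
            224) bits=$((bits + 3)); ended=1 ;;
            192) bits=$((bits + 2)); ended=1 ;;
            128) bits=$((bits + 1)); ended=1 ;;
            0)   ended=1 ;;
            *)   return 1 ;;
        esac
    done
    [ "$n" -eq 4 ] || return 1
    echo "$bits"
}

# One line per entry: "<net>/<mask> /<prefix> OK|TOO-BROAD" or "<net>/<mask> invalid".
# Anything wider than the limit (default /24, the size of both LANs here) is flagged.
check_allowed_networks() {
    limit=${2:-24}
    printf '%s\n' "$1" | tr ',' '\n' | while IFS=/ read -r net mask; do
        if prefix=$(mask_to_prefix "$mask"); then
            [ "$prefix" -lt "$limit" ] && verdict=TOO-BROAD || verdict=OK
            echo "$net/$mask /$prefix $verdict"
        else
            echo "$net/$mask invalid"
        fi
    done
}

# Exit status 0 only when every entry is acceptable.
allowed_networks_ok() {
    ! check_allowed_networks "$1" "$2" | grep -q -e TOO-BROAD -e invalid
}

# The value from step 8 (constructed input): both masks are /8, so this prints the warning.
allowed_networks_ok "192.168.1.0/255.0.0.0,10.0.100.0/255.0.0.0" || echo "step 8 value is too broad; use 255.255.255.0 masks"
```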

Can this also be accomplished with 2 DD-WRT, Sveasoft or alternative flashed routers? How secure is this method? I assume you can't get fanart working using this method. Not trying to knock your method by any means, which is a very nice find btw; I just want to point out what does work and what does not using this method so users know what to expect using this method. Feel free to correct me on the fanart stuff if I'm wrong ;)

This method should be fairly secure as it uses OpenVPN to connect the server and ATV. Quite different than exposing potentially vulnerable ports to the world, specifically DNS.


I used the dnsmasq based Tomato firmware along with OpenVPN, but DD-WRT should work as well as it too is dnsmasq based and can run OpenVPN. Additionally, many of the iptables entries above could be eliminated if the user chose to manually change the ATV DNS. The above solution allows PlexConnect to be used with an untouched ATV. In theory, other router firmware and VPN solutions should work as well. The basics are connecting multiple locations securely via VPN and routing the ATV through the VPN so it sees the PlexConnect client as existing on the same network.


Fanart is working, but only after properly setting the IP/Netmask of the ATV on the PMS "List of networks that are allowed without auth" as shown in step #8 above. Obviously the PlexConnect client must have PIL installed. I am using needo's PMS unRAID docker alongside Pducharme's PlexConnect unRAID docker with PIL installed.

I have nearly the same setup working between two locations, also with Tomato routers. However, instead of doing all the routing via scripts and iptables rules and changes to your plex connect config (steps 5, 6, and 7), with "Push LAN to clients" checked as you recommend in step 3


you should be able to just use the fixed LAN IP address for your PMS connected to router 1 as the manual DNS server on your ATV connected to router 2.

That's how I have it set up.

My LAN on router 1 is 192.168.0.0 and my PMS + PlexConnect box is at 192.168.0.46.

The LAN on router 2 is 192.168.5.0. Once router 2 was connected to router 1 over the VPN link, router 1's LAN is set up as a routable destination on router 2. So I just went into the ATV config and put in 192.168.0.46 - exactly the same config that I have for my other ATV which is physically on the same LAN as router 1 (and the PMS + PlexConnect box).

Works great, though be ready for some extended buffering time over the WAN interface... I only stream SD content over the WAN.

Because you are not checking the "Direct clients to redirect Internet traffic" box, only the traffic that is meant to go between the two LANs will travel over the VPN. All other normal internet traffic on both LANs goes directly to the internet - router 2 does NOT send all of its traffic through router 1.

As a bonus, if you also push a route for the remote LAN in the VPN server config for router 1 like this:

[common name is the same as whatever you use when generating the client cert]

... then you can also reach all the hosts on the LAN attached to router 2 from those on the LAN on router 1. 

For instance, I can look at the video from my LAN attached surveillance cams at my remote location (router 2) by using their IP addresses on the 192.168.5.0 network when my laptop is connected to router 1.

This should be the most secure way to set up remote access since none of these services are available outside of the VPN. 

EDIT: one more crucial thing. Make sure you do NOT have Tomato intercepting DNS traffic (Advanced: DHCP/DNS), otherwise your DNS requests will never make it to PlexConnect :^O
