Using Plex Server with a VPN

@gadgeypop

I’d like to echo the appreciation for getting a solution for OS X. I’m currently encountering what seems to me to be a strange problem, and I was wondering if you might be able to help.

So if I turn on PMS with no VPN, remote access just works. Hurrah. If I run your bash script, remote access continues to work. If I then enable my VPN, thanks to your bash script, the public IP address in the server mapping remains unchanged (so it seems that your script is correctly routing traffic from plex to my server, bypassing the VPN). However, for whatever reason, I still get the “Not available outside your network” error.

This fix really seemed like it was going to work, sucks that I seem to be stuck so close to the end. Any ideas? You mentioned something earlier about port forwarding on your router; what does that rule look like?

I don’t get it. I’m on macOS. I edited my /etc/hosts like you mentioned to this:
184.169.173.31 my.plexapp.com

Then I added the following route to my OpenVPN config:
route 184.169.173.31 255.255.255.255 net_gateway

But Plex can’t connect to my server.

I tried the VPN route method with 208.64.38.55 for whatsmyip.org and that way I was able to confirm the routing works, because whatsmyip.org is now showing my real IP while behind a VPN.
Maybe 184.169.173.31 for my.plexapp.com doesn’t exist anymore? I can’t even ping it from anywhere.

I also tried

route my.plexapp.com 255.255.255.255 192.168.7.2 (My Server's IP)

and
route 184.169.0.0 255.255.0.0 192.168.7.2
route 50.18.105.0 255.255.255.0 192.168.7.2
route 50.18.254.0 255.255.255.0 192.168.7.2
route 50.18.178.0 255.255.255.0 192.168.7.2

and even this:

route 184.72.0.0 255.255.192.0 192.168.7.2
route 184.169.128.0 255.255.128.0 192.168.7.2
route 50.18.0.0 255.255.0.0 192.168.7.2
route 54.241.0.0 255.255.0.0 192.168.7.2

Edit: I sniffed my network traffic without the VPN running and came up with these routes Plex needs (I also added some IP checking tools for my DynDNS tool). Got it working now :slight_smile:

route my.plexapp.com 255.255.255.255 net_gateway
route pubsub.plex.bz 255.255.255.255 net_gateway
route plex.tv 255.255.255.255 net_gateway
route 54.194.0.0 255.255.0.0 net_gateway
route 54.229.0.0 255.255.0.0 net_gateway
route 82.94.0.0 255.255.0.0 net_gateway
route 109.45.0.0 255.255.0.0 net_gateway
route dynamicdns.park-your-domain.com 255.255.255.255 net_gateway
route echoip.gosmd.net 255.255.255.255 net_gateway

A current update. XFlak’s script will also work on Windows 7 for StrongVPN.

Does anyone have any experience with VersaVPN that would be willing to give a couple of pointers? I’ve read through this thread that a couple of you have it working flawlessly but I can’t seem to get my set up working correctly.

I currently have VersaVPN running as an OpenVPN Client on my Asus router which is working other than allowing port 32400 to open… I’ve turned off the firewalls on my plex server and manually forwarded port 32400 on my router. When I turn off the OpenVPN Client the port works but as soon as I turn the VPN back on it doesn’t.

I’ve opened a ticket at VersaVPN but they haven’t been much help other than suggesting to turn off firewalls…

Any help or suggestions that anyone can offer would be much appreciated! TBH on close to wits end :slight_smile:

Thanks,
Bruggy

@bruggy_37 said:

I currently have VersaVPN running as an OpenVPN Client on my Asus router

Considering you have your router running as a client, try this script (I forget, but ASUS-WRT should be able to…)

https://forums.plex.tv/discussion/comment/1156066/#Comment_1156066

@JasonMeudt said:
Considering you have your router running as a client, try this script (I forget, but ASUS-WRT should be able to…)

https://forums.plex.tv/discussion/comment/1156066/#Comment_1156066

It doesn’t look like ASUS-WRT has a section to add the above mentioned script. Could I just PUTTY into the router and run the script from there? I appreciate the help :slight_smile:

@bruggy_37 said:

@JasonMeudt said:
Considering you have your router running as a client, try this script (I forget, but ASUS-WRT should be able to…)

https://forums.plex.tv/discussion/comment/1156066/#Comment_1156066

It doesn’t look like ASUS-WRT has a section to add the above mentioned script. Could I just PUTTY into the router and run the script from there? I appreciate the help :slight_smile:

Then I would recommend flashing a different “OS” version to one that does…

If you want to keep the same basic functionality, then you could go with ASUSWRT-Merlin:

http://asuswrt.lostrealm.ca/

Scripts are the basis for truly making your router function…

I use Tomato by Shibby:

http://tomato.groov.pl/

but am going to switch to Toastman’s version here:

I’m familiar with Merlin and have flashed his latest onto my router. My question now is where do I place your script? (https://forums.plex.tv/discussion/comment/1156066/#Comment_1156066) I can likely append the dnsmasq.conf file via Putty for the updated dnsmasq config but unsure as to where to place the other.

@bruggy_37 said:
I’m familiar with Merlin and have flashed his latest onto my router. My question now is where do I place your script? (https://forums.plex.tv/discussion/comment/1156066/#Comment_1156066) I can likely append the dnsmasq.conf file via Putty for the updated dnsmasq config but unsure as to where to place the other.

For the Primary Script:
Admin → Scripts → Firewall…

For the DNS name routed entries (DNSMasq):
Advanced → DHCP/DNS → Dnsmasq (custom entries)

Hit ‘Save’ and reboot…

This is based on Tomato firmware, so DDWRT may be slightly different.

XFlak’s VPN Bypass script for Plex Media Server is working well with SlickVPN, but only after disabling IP/DNS leak protection, which would seem to defeat the purpose, so I tested with leak detection turned off @ https://ipleak.net/ and nothing was being leaked. Plex server is visible outside the network running a VPN, cheers

If anyone is interested this is how I got around the Plex/VPN issue

It’s not elegant, but is rock solid and works - especially after banging my head around for months trying to find an answer.

My Case/Requirements - Headless server that acts as 24/7 Plex and Torrent box - requiring VPN and Plex publishing
Attempted solutions:
1) Usual router attempts including tables
2) Virtual Machines - didn’t work and resource inefficient
3) Break out torrent machine/function and VPN to Raspberry Pi powered off server USB - worked but looked Borgish and had a lot of limitations and hassles

Solution - Parallel/cascaded (yes it’s oxymoron) router with dual NIC connections

Required 2nd (DD-WRT) router and 2nd NIC ($15 total spent on ebay)

The flow is -
Primary router connects directly to the server (connection 1)
The 2nd router (DD-WRT) stands between the main router and the server (connection 2)
-Make connections static and on different subnets -
DD-WRT is required to run the 2nd router and will be set up as an always-on VPN Client (anything running through this router is automatically VPN protected - instructions are basic and listed on the VPN provider’s install site).

From here you can go multiple routes - no pun intended but this is what I did for what I was trying to do.

Set NIC 1 (connection 1) adapters metrics below NIC 2 (connection 2 “DD-WRT”) - this drives all traffic onto the 1st connection by default including Plex - Not VPNed but for me blazingly fast - 225+ down 25+ up. (lookup how to change windows network adapter metrics)

Now comes the fun - In the torrent app (I use utorrent) settings you can “bind” the app to an IP. I bound it to the 2nd (VPN) NIC’s IP. You could also do browsers and/or just about anything else that looks for an internet connection (lookup IP Binding Tools).

Voilà! Raw dog beefy regular use internet speeds (Plex published for my brothers) and raincoated VPN/incognito “other” activity

Check online with sites like http://checkmytorrentip.net/ to see what IP you are showing to the torrent world. If it was setup correctly it should show the VPN issued IP in the torrent tracker. This is what the rest of the Torrent world sees.

I’m now working on setting up the VPN NIC as the lower metric default and pulling out the Plex Server to the 2nd NIC (inverse of what I just did). It’s proving to be a little bit of a square peg round hole.

See my attached pic

I’ve been attempting to utilise xflak but no matter what I do I can’t seem to access plex while PIA is running. I have the correct .exe tasked to run every hour in my task scheduler; I also have PIA port forward active as well as the port being manually specified. Are there any suggestions you could give me to do next to try and make it work? My level of knowledge with scripts and all that stuff is non-existent, so if there are any basic things I could do or am not doing I would have huge appreciation if you could tell me. Thanks

Back once more… so I have everything setup not sure why it randomly keeps failing. Right now this is the problem. I am checking my remote access tab it shows the following when the vpn is running

Private: 10.15.xx.xx: 32400 < Public: MY ACTUAL PUBLIC IP FROM MY ISP: 32400 X Internet

While my public IP is correct, it’s forwarding the traffic to an IP (where it says private) that correlates to the VPN (in my case PIA). But should it not be forwarding to 192.168.1.222, which is the local IP for my plex server?

I did the override in the .bat by removing the :: and adding my actual default gateway to ensure I was using the correct gateway. This is how the bat looks that I am using right now and it is failing again. Any help? Nothing has been changed on the computer. If needed I can provide the results of routeprint

  1. Remote access tab now reads Not available outside your network
  2. My connection on my plex app on my phone now shows (Indirect)
  3. My parents can no longer access the plex app at their house (I set up manual connections in their roku plex app to connect to my real ISP-provided public IP with the right port and forwarded the port in my own router to the local IP of the computer running my plex server)

@echo off
setlocal
set PATH=%SystemRoot%\system32;%SystemRoot%\system32\wbem;%SystemRoot%
chcp 437>nul

title VPN Bypass for Plex Media Server
chdir /d "%~dp0"
if not exist support cd..

echo VPN Bypass for Plex Media Server
echo by XFlak
echo.

::get Default Gateway
ipconfig|findstr /I /C:"Default Gateway"|findstr /I /C:"1">"%temp%\gateway.txt"
set /p gateway= <"%temp%\gateway.txt"
set gateway=%gateway:*: =%
::echo %gateway%
::If gateway is detected incorrectly, override it by uncommenting the below line (delete ::) and input your correct gateway
set gateway=192.168.1.1

echo Getting plex.tv's current IP addresses...
echo.
echo Note: Log of plex.tv's routed IP's saved here:
echo %userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt
echo.

::resolve plex.tv and drop the header lines of the nslookup output
nslookup "plex.tv"|findstr /I /V "Server: Address: Name: timeout" >"%temp%\temp.txt"
findstr /I /C:" " "%temp%\temp.txt" >"%temp%\plex.tv.txt"

echo.

cd /d "%temp%"
for /F "tokens=*" %%A in (plex.tv.txt) do call :list %%A
goto:donelist

:list

set PlexIP=%*
set PlexIP=%PlexIP:* =%
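::strip the first three octets so that %zero% holds the last octet
set zero=%PlexIP:*.=%
set zero=%zero:*.=%
set zero=%zero:*.=%
::replace that value with 0 in the address; the route below uses a /24 mask
echo set PlexIP=%%PlexIP:%zero%=0%%>"%temp%\plex.bat"
call "%temp%\plex.bat"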
echo %PlexIP%

if not exist "%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt" goto:skipcheck

findstr /I /C:"%PlexIP%" "%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt">nul
IF NOT ERRORLEVEL 1 (echo IP already routed, skipping...) & (goto:EOF)
:skipcheck

echo route -p add %PlexIP% mask 255.255.255.0 %gateway%
route -p add %PlexIP% mask 255.255.255.0 %gateway%
echo.

echo %PlexIP% >>"%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt"

goto:EOF

:donelist

::clean no longer used IPs

echo.
echo Removing routed IPs no longer used by plex.tv
echo.

if exist "%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs2.txt" del "%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs2.txt">nul
if not exist "%userprofile%\AppData\Local\Plex Media Server" goto:doneclean
if not exist "%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt" goto:doneclean

cd /d "%userprofile%\AppData\Local\Plex Media Server"

for /F "tokens=*" %%A in (PermittedPlexIPs.txt) do call :clean %%A
goto:doneclean

:clean

set PlexIP=%*

findstr /I /C:"%PlexIP:~0,-1%" "%temp%\plex.tv.txt" >nul
IF ERRORLEVEL 1 goto:remove

echo IP still used: %PlexIP%
echo %PlexIP% >>"%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs2.txt"

goto:EOF

:remove
echo IP no longer used: route delete %PlexIP%
route delete %PlexIP%

goto:EOF

:doneclean

if exist "%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt" del "%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt">nul

if exist "%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs2.txt" move /y "%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs2.txt" "%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt">nul

echo.
echo Finished, exiting...
@ping 127.0.0.1 -n 3 -w 1000> nul

route print

pause

exit

::Other route commands
::route print
::route -p add 54.241.0.0 mask 255.255.0.0 192.168.2.1
::route delete 54.241.0.0 mask 255.255.0.0
::route -f

@gadgeypop

Using NordVPN software (no port forwarding or routes allowed). I put the first static route you mention in hosts as well. I do have port 32400 set manually in PMS and have my router port forwarding traffic there. I tried your script but on the latest Sierra, no go. I manually run the script (app doesn’t seem to work on the latest Sierra) and see all the hosts added. PMS is showing my true ISP based IP address BUT still can’t publish. Any ideas?

I have made a launch daemon for Mac and thought I finally had it…sadly while it loads these routes, I still don’t have a published server. There must be one ingredient still missing…any help appreciated!

route my.plexapp.com 255.255.255.255 net_gateway
route pubsub.plex.bz 255.255.255.255 net_gateway
route plex.tv 255.255.255.255 net_gateway
route 54.194.0.0 255.255.0.0 net_gateway
route 54.229.0.0 255.255.0.0 net_gateway
route 82.94.0.0 255.255.0.0 net_gateway
route 109.45.0.0 255.255.0.0 net_gateway
route dynamicdns.park-your-domain.com 255.255.255.255 net_gateway
route echoip.gosmd.net 255.255.255.255 net_gateway

Has anyone had any issues with the bat file not working all of a sudden? Was working great til a few days ago.

bat no longer works. I’ll look into it later today and post my findings if I fix it.

EDIT: Change all references from “my.plexapp.com” to “plex.tv”

The problem is the findstr is looking for my.plexapp.com which isn’t used anymore so it finds nothing and fails to save the ip to the txt file.

EDIT: It may actually have to be app.plex.tv, I added them both just in case and works now.

Sorry, but I’m new to this and I’ve seen so many versions of this “bat” file I don’t know what’s what anymore. I have IPVanish running openvpn and I can’t get my Plex Server accessible. Where is the working script that I need (if one even exists)?

@Grimshad said:
bat no longer works. I’ll look into it later today and post my findings if I fix it.

EDIT: Change all references from “my.plexapp.com” to “plex.tv”

The problem is the findstr is looking for my.plexapp.com which isn’t used anymore so it finds nothing and fails to save the ip to the txt file.

EDIT: It may actually have to be app.plex.tv, I added them both just in case and works now.

Thanks Grimshad for finding a solution to this. I tried to add both “plex.tv” and “app.plex.tv” separately but still no go for me. I noticed you mentioned you added them both, but I’m not sure how to do this in the .bat file. Can you possibly share your .bat file for us noobs here? Thanks in advance.

I stumbled onto this thread because I’m trying to work around this issue as well. I’m not sure if this has been mentioned already, but you should be careful about having these huge IP blocks bypass the VPN. The subnet mask 255.255.0.0 includes ~16,000 IP addresses from the block in the route entry.

The blocks I’ve seen people using here belong to Amazon Web Services, Vodafone and XS4ALL - all cloud hosting providers where Plex most likely hosts their myplex servers. But do you know who else hosts at these same places? You can bet whoever you’re trying to avoid via VPN sometimes hosts there as well. You’re whitelisting over 64,000 addresses to your public IP (so if someone hosting a torrent is in one of those IP blocks, your torrent program is going to connect via your public route rather than the VPN route, giving away your identity).

Always make sure you know what the stuff you paste off the internet into your terminal actually does before you take the advice. This solution might work but it’s got side effects!

I’m going to try and see if it is possible to do routing based on process ID or something, that way you can just target plex traffic.
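
An added example (not part of any post above): a small Python audit of the `route ... net_gateway` directives posted earlier in the thread, reporting which entries are hostnames, which are wider than a chosen prefix, and how many addresses end up reachable outside the tunnel. The /24 threshold and the function names are assumptions of this sketch.

```python
import ipaddress

# Route directives copied from the OpenVPN config posted earlier in this thread.
CONFIG = """\
route my.plexapp.com 255.255.255.255 net_gateway
route pubsub.plex.bz 255.255.255.255 net_gateway
route plex.tv 255.255.255.255 net_gateway
route 54.194.0.0 255.255.0.0 net_gateway
route 54.229.0.0 255.255.0.0 net_gateway
route 82.94.0.0 255.255.0.0 net_gateway
route 109.45.0.0 255.255.0.0 net_gateway
route dynamicdns.park-your-domain.com 255.255.255.255 net_gateway
route echoip.gosmd.net 255.255.255.255 net_gateway
"""
MAX_PREFIX = 24  # assumed policy: flag any bypass wider than a /24


def parse_bypass_routes(text):
    """Return (target, network_or_None) for each route sent via net_gateway."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        args = parts[1:] if parts[:1] == ["route"] else []
        if "net_gateway" not in args[1:]:
            continue  # not a route that leaves via the pre-VPN gateway
        mask = args[1] if args[1] != "net_gateway" else "255.255.255.255"
        try:
            net = ipaddress.ip_network(f"{args[0]}/{mask}", strict=False)
        except ValueError:
            net = None  # hostname, not a literal network
        routes.append((args[0], net))
    return routes


def audit(text, max_prefix=MAX_PREFIX):
    """Summarise how much address space is reachable outside the tunnel."""
    routes = parse_bypass_routes(text)
    nets = [n for _, n in routes if n is not None]
    merged = ipaddress.collapse_addresses(nets)  # avoid double counting overlaps
    return {
        "hostnames": [t for t, n in routes if n is None],
        "too_wide": [str(n) for n in nets if n.prefixlen < max_prefix],
        "bypassed_addresses": sum(n.num_addresses for n in merged),
    }


if __name__ == "__main__":
    print(audit(CONFIG))
```

Hostname entries are listed separately because the addresses they cover are only known once the names are resolved.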