This is from sbwoodside, so all credit goes to him. But I feel like he's easily solved this problem and not many people have noticed. 

Just a note to say thank you for cross-posting and with syntax corrections. I was one of the ones about to tear my eyes out with the iptables stuff... what finally worked for me was using a Parallels VM connected to the VPN and running just the programs I wanted to use the VPN. Also pretty easy to do, but glad there are other, more elegant ways.

I know how you feel, I think I had pulled most of my hair out (eyes were next) before I ran across a solution. I've been looking for one for literally months. Just so happy that smart people such as yourselves have led the rest of us to the proverbial water. lol :)

The more solutions, the better. Keep them coming. :)

Upgraded to Yosemite, now it doesn't work. :(

Just tried the instructions again from scratch on Yosemite and it's working again. But if you upgrade to Yosemite, you will need to do them all over again. Makes sense. Just glad it still works!

I'm back in business again. :)

XFlac:  Works like a charm, thank you!

PS - I use IPVanish if it matters to anyone.

I wrote a windows batch file to route my.plexapp.com's current IP address (with mask 255.255.0.0) to your machine's default gateway (e.g. 192.168.2.1). I promise the bat file is safe, just google me and my reputation will speak for itself.

The code is below but I also uploaded a zip containing the bat file and an exe version of the bat file (same as the bat file except runs invisibly). For best results, use windows task scheduler to launch the exe (with highest privileges) as often as you'd like.

This will ensure that even if the IP for my.plexapp.com changes, your setup will automatically route it past your VPN. A list of routed IPs will be saved here:

"%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt

I'm using PIA and this works perfectly.

Enjoy!

XFlak

@echo off
setlocal
set PATH=%SystemRoot%\system32;%SystemRoot%\system32\wbem;%SystemRoot%
chcp 437>nul
echo my.plexapp.com VPN Route Exception Builder

echo by XFlak

echo.
::get Default Gateway

ipconfig|findstr /I /C:“Default Gateway”|findstr /I /C:“1” >“%temp%\gateway.txt”

set /p gateway= <“%temp%\gateway.txt”

set gateway=%gateway:*: =%

::echo %gateway%
::set gateway=192.168.2.1
echo Getting my.plexapp.com’s current IP address

echo.
ping “my.plexapp.com”|findstr /I /C:“my.plexapp.com” >“%temp%\my.plexapp.com.txt”
set /p PlexIP= <“%temp%\my.plexapp.com.txt”

set PlexIP=%PlexIP:*[=%

set PlexIP=%PlexIP:~0,-24%

echo %PlexIP%

echo.
set zero=%PlexIP:.=%

set zero=%zero:.=%

echo set PlexIP=%%PlexIP:%zero%=0.0%%>“%temp%\plex.bat”

call “%temp%\plex.bat”
::echo %PlexIP%
if not exist “%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt” goto:skipcheck
findstr /I /C:“%PlexIP%” “%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt”>nul

IF NOT ERRORLEVEL 1 (echo IP already routed, exiting…) & (goto:fin)

:skipcheck
echo route -p add %PlexIP% mask 255.255.0.0 %gateway%

route -p add %PlexIP% mask 255.255.0.0 %gateway%

echo.
echo Adding IP to %userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt

echo.

echo %PlexIP% >>“%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt”
:fin
::echo fin

::pause
exit

edit: code was missing a ">", old version still worked but log only retained latest IP, the 4 people who downloaded the last version may want to redownload the new one

This worked for me using PIA. Awesome job, and thanks!

I wrote a windows batch file to route my.plexapp.com's current IP address (with mask 255.255.0.0) to your machine's default gateway (e.g. 192.168.2.1). I promise the bat file is safe, just google me and my reputation will speak for itself.

The code is below but I also uploaded a zip containing the bat file and an exe version of the bat file (same as the bat file except runs invisibly). For best results, use windows task scheduler to launch the exe (with highest privileges) as often as you'd like.

This will ensure that even if the IP for my.plexapp.com changes, your setup will automatically route it past your VPN. A list of routed IPs will be saved here:

"%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt

I'm using PIA and this works perfectly.

Enjoy!

XFlak

edit: code was missing a ">", old version still worked but log only retained latest IP, the 4 people who downloaded the last version may want to redownload the new one

Thanks - that worked great!

Now I just need to figure out a way to get uTorrent to not use my VPN for torrent downloads... any ideas?

Thanks shpankey for posting my solution here (with the corrections).

The reason I created that workaround was this this was supposed to work but didn't:

1. Go to AirVPN, get a random port forwarded. For example, 18445.
2. Go into Plex Media Server > Settings > Connect.
3. Check Manually Specify Port, put in 18445. Click Update

Well, now it seems that this does work. So thank you devs for fixing that.

So now all of you with a VPN that supports port forwarding, you can use that simple 3 step solution above, no more need for all the complexity.

Thanks shpankey for posting my solution here (with the corrections).

The reason I created that workaround was this this was supposed to work but didn't:

1. Go to AirVPN, get a random port forwarded. For example, 18445.
2. Go into Plex Media Server > Settings > Connect.
3. Check Manually Specify Port, put in 18445. Click Update

Well, now it seems that this does work. So thank you devs for fixing that.

So now all of you with a VPN that supports port forwarding, you can use that simple 3 step solution above, no more need for all the complexity.

You've gotten this to work with out the need for any special configuration? I'm unable to. Actually, at the moment it seems that I'm also unable to get your other configuration working (that was cross posted) working either... Seemed to have been working fine last week as well.

Can't see where anyone specifically solved/fixed the PIA + Plex issues so thought I'd add what I've done that seems to have fixed it. I've been having problems running both PIA and publishing Plex at the same time. Was always a one or the other deal for past month or so.

I will also add that before now Plex always required port 10343 when publishing for some reason. So tonight I added 32400 into windows firewall and Plex published to 32400 for the first time. (Inbound rules in Win firewall settings)

PIA is pretty much stock settings short of DNS and IPV6 protection. Remote port is auto, local port blank, and port forwarding unused. 

Everything's working no issue. Hope this helps someone.

**Edit

spoke to soon. About 5 minutes later it dropped the connection. Monkeying with it a little more by adding 32400 to port fowards in router and specifying that as the local port in PIA. If I publish Plex first and start VPN second it seems to work, but not the other way around. Testing by streaming with phone on cell not wifi and it does indeed work externally.

I wrote a windows batch file to route my.plexapp.com's current IP address (with mask 255.255.0.0) to your machine's default gateway (e.g. 192.168.2.1). I promise the bat file is safe, just google me and my reputation will speak for itself.

The code is below but I also uploaded a zip containing the bat file and an exe version of the bat file (same as the bat file except runs invisibly). For best results, use windows task scheduler to launch the exe (with highest privileges) as often as you'd like.

This will ensure that even if the IP for my.plexapp.com changes, your setup will automatically route it past your VPN. A list of routed IPs will be saved here:

"%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt

I'm using PIA and this works perfectly.

Enjoy!

XFlak

@echo off
setlocal
set PATH=%SystemRoot%\system32;%SystemRoot%\system32\wbem;%SystemRoot%
chcp 437>nul
echo my.plexapp.com VPN Route Exception Builder

echo by XFlak

echo.
::get Default Gateway

ipconfig|findstr /I /C:“Default Gateway”|findstr /I /C:“1” >“%temp%\gateway.txt”

set /p gateway= <“%temp%\gateway.txt”

set gateway=%gateway:*: =%

::echo %gateway%
::set gateway=192.168.2.1
echo Getting my.plexapp.com’s current IP address

echo.
ping “my.plexapp.com”|findstr /I /C:“my.plexapp.com” >“%temp%\my.plexapp.com.txt”
set /p PlexIP= <“%temp%\my.plexapp.com.txt”

set PlexIP=%PlexIP:*[=%

set PlexIP=%PlexIP:~0,-24%

echo %PlexIP%

echo.
set zero=%PlexIP:.=%

set zero=%zero:.=%

echo set PlexIP=%%PlexIP:%zero%=0.0%%>“%temp%\plex.bat”

call “%temp%\plex.bat”
::echo %PlexIP%
if not exist “%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt” goto:skipcheck
findstr /I /C:“%PlexIP%” “%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt”>nul

IF NOT ERRORLEVEL 1 (echo IP already routed, exiting…) & (goto:fin)

:skipcheck
echo route -p add %PlexIP% mask 255.255.0.0 %gateway%

route -p add %PlexIP% mask 255.255.0.0 %gateway%

echo.
echo Adding IP to %userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt

echo.

echo %PlexIP% >>“%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt”
:fin
::echo fin

::pause
exit

edit: code was missing a ">", old version still worked but log only retained latest IP, the 4 people who downloaded the last version may want to redownload the new one

Hi.

I have tried to run this script - .exe file.

This does not seem to do anything for me. How can I verify that it works ?

PS! I have mask on my network 255.255.255.0 - NOT 255.255.0.0. (Could this be the problem?)

Thx for any help.

Has anyone found a simple fix? I want to keep my VPN on all the time without dropping my server. Is there any VPN provider that supports port forwarding with an easy setup?

adamfox, I'm using AirVPN, Mac OS X Mavericks, and Viscosity.

My PMS worked flawlessly locally and via cellular prior to messing around with PIA.  Unfortunately I signed up for a year so I'm stuck....which leads me to a couple questions....please forgive me because I'm not a network guru so my questions may sound completely stupid.

1)  Has anyone successfully got PIA and Plex to work with the VPN setup on the router?  I have an Asus RT-AC68 flashed with Merlin.  I setup the VPN on the router so all my devices at home are behind the VPN.  PMS works on any device inside my home but no longer over Cellular.  I read all the previous posts about connecting to the PIA servers that allow port forwarding, such as Canada, and then figure out the port they forward and add that to PMS.  I've tried this from the router with no success.  I've read that PIA's portforwarding isn't to reliable, not to mention the connection to Canada is super slow.  When I enter the forwarding port into PMS and click connect, I'm able to login but the server doesn't connect.

2)  I read about others using a lower port number, so just for the sake of trying it, I changed the PMS port to POP3 port 110 and tried to connect.  PSM successfully logged in and the server connected.  When I tried to connect via cellular it would not connect to the server.  Via cellular using the browser I logged in and hit launch and I was able to see the server, but I was unable to connect to it.  I assumed it was a portforwarding issue.  I logged into my router and tried to forward port 110 to 32400 and saved the settings.  I went to canyouseeme and port 110 was open.  I tried to connect to again via cellular and I was unable to see the server.  Can you successfully forward port 110 to 32400?  or would I be better off trying what others did....load a torrent app to open up some random port?

I guess if I have to I could disable the VPN in the router and try using just PIA's app and go through all the steps to try to get it to work.....eg. use their port forwarding, run the static route script, or run a dual tunnel (which I'm not tech savvy enough to setup.

Any feedback would be greatly appreciated!!

I', curious as I almost purchased PIA today but need plex remotely

why does the port forward not work?

maybe I should use the pia vpn on a separate pc for torrenting only? but don't want to waste more hydro

Hey guys,
 
Just went through the trouble of getting PIA and canceling it because their port forwarding did not work. Tried kidamnesiac's suggestion and boom! online in 5 mins! Worth giving VersaVPN a try. They don't have as many servers as some of the other providers but it still works well. :)
 
Sorry kidamesiac. Don't think the referral link is working anymore. It redirects to the regular homepage. Appreciate your recommendation though!

My PMS worked flawlessly locally and via cellular prior to messing around with PIA.  Unfortunately I signed up for a year so I'm stuck....which leads me to a couple questions....please forgive me because I'm not a network guru so my questions may sound completely stupid.

1)  Has anyone successfully got PIA and Plex to work with the VPN setup on the router?  I have an Asus RT-AC68 flashed with Merlin.  I setup the VPN on the router so all my devices at home are behind the VPN.  PMS works on any device inside my home but no longer over Cellular.  I read all the previous posts about connecting to the PIA servers that allow port forwarding, such as Canada, and then figure out the port they forward and add that to PMS.  I've tried this from the router with no success.  I've read that PIA's portforwarding isn't to reliable, not to mention the connection to Canada is super slow.  When I enter the forwarding port into PMS and click connect, I'm able to login but the server doesn't connect.

Have you utilized the Selective Routing script to define your needs? I have used it successfully on Merlin builds as well as, most recently, Tomato builds.  I just switched from as Asus router to a Netgear R7000 and have this as my SR Script... I added the Plex AWS IP addresses along with the IPChicken IP to verify...

#!/bin/bash
# This code goes in the WAN UP section.
# This code based on the contributions from this thread:
# http://www.linksysinfo.org/index.php?threads/route-only-specific-ports-through-vpn-openvpn.37240/
#
# And from material in these articles:
# http://linux-ip.net/html/adv-multi-internet.html
# http://fedorasolved.org/Members/kanarip/iptables-howto
#
# This script configures "selective" VPN routing. Normally, OpenVPN will route ALL traffic out
# the OpenVPN tunnel. These changes to iptables allow some outbound traffic to use the VPN, and some
# traffic to bypass the VPN and use the regular Internet instead.
#
# To list the current rules on the router, issue the command:
# iptables -t mangle -L PREROUTING
#
# Flush/reset all the rules to default by issuing the command:
# iptables -t mangle -F PREROUTING
#
#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done
#
# Delete and table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING
#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
#
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
| while read ROUTE ; do
ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache
#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#
# EXAMPLES:
#
# All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)
# iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
# Ports 80 and 443 will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
# All traffic from a particular computer on the LAN will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
# All traffic to a specific Internet IP address will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
# All UDP and ICMP traffic will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
# iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1
# All traffic from a specific Internet IP address range USING CIDR NOTATION will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -s 74.125.229.0/24 -j MARK --set-mark 0
# All traffic to a specific Internet IP address range USING CIDR NOTATION will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -d 98.207.0.0/16 -j MARK --set-mark 0
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 32400 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -s 192.168.2.100 -p tcp -m multiport --sport 32400 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 8888 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -s 192.168.2.100 -p tcp -m multiport --sport 8888 -j MARK --set-mark 1
# Bypass Plex IP Ranges https://forums.aws.amazon.com/ann.jspa?annID=1701
# FROM/SOURCE
iptables -t mangle -A PREROUTING -i br0 -s 184.169.128.0/17 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -s 50.18.0.0/16 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -s 54.241.0.0/16 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -s 184.72.0.0/18 -j MARK --set-mark 1
# TO/DESTINATION
iptables -t mangle -A PREROUTING -i br0 -d 184.169.128.0/17 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 50.18.0.0/16 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 54.241.0.0/16 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 184.72.0.0/18 -j MARK --set-mark 1
#Bypass IPChicken
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 209.68.27.16 -j MARK --set-mark 1

You can't create the folder with the name ":" ? Let me try on my mac.

Just tried with my mac, You'll have to use Terminal to create the folder. "mkdir :"

You have to use Terminal. Open up terminal. type "open /etc"

EDIT:

Okay. I've been thinking about this for days but don't have an alternative solution to the one that i had proposed above. It works but I found it to be quite unstable also.

So all in all, i went around trying to find a complicated solution when static routes were the original solution.

I found that adding static routes seemed to fix the issue and i wrote up a shell script whilst borrowing code from JB90 to automatically add the routes.

Here's the script

#!/bin/sh
#Fetch Current Server Address for plex.tv

DNS=“$(dig plex.tv +short) $(dig @8.8.8.8 plex.tv +short) $(dig @209.244.0.3 plex.tv +short)”

UNIQ_IP=$(echo “$DNS” | tr ’ ’ ’

’ | sort -u | tr ’

’ ’ ')
for IP in $UNIQ_IP

do

        #Create localroute variable to see if route exists

        localroute=route | grep $IP

        #Check if route exists

        if [[ -z “$localroute” ]]; then

                #route doesn’t exist, add route

                route add -net “$IP” netmask 255.255.255.255 gw yourgatewayiphere

        else

                #route exists, hurray

                echo “yay”

        fi

done

EDIT 2:

Apparently the script above wasn't enough so I had to use this script below. Thanks to buhman on archlinux channel for helping and Grdnkln from linksysinfo.

You can place the script below in WAN UP or run it as a .sh

#!/bin/sh
This code goes in the WAN UP section of the Tomato GUI.
This code based on the contributions from this thread:
Route only specific ports through VPN (openvpn) | LinksysInfo.org

And from material in these articles:
10.4. Multiple Connections to the Internet
fedorasolved.org - fedorasolved Resources and Information.

This script configures “selective” VPN routing. Normally Tomato will route ALL traffic out
the OpenVPN tunnel. These changes to iptables allow some outbound traffic to use the VPN, and some
traffic to bypass the VPN and use the regular Internet instead.

To list the current rules on the router, issue the command:
iptables -t mangle -L PREROUTING

Flush/reset all the rules to default by issuing the command:
iptables -t mangle -F PREROUTING


First it is necessary to disable Reverse Path Filtering on all
current and future network interfaces:

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do

echo 0 > $i

done

Delete and table 100 and flush any existing rules if they exist.

ip route flush table 100

ip route del default table 100

ip rule del fwmark 1 table 100

ip route flush cache

iptables -t mangle -F PREROUTING

Copy all non-default and non-VPN related routes from the main table into table 100.
Then configure table 100 to route all traffic out the WAN gateway and assign it mark “1”

NOTE: Here I assume the OpenVPN tunnel is named “tun11”.


ip route show table main | grep -Ev ^default | grep -Ev tun11 

| while read ROUTE ; do

ip route add table 100 $ROUTE

done

ip route add default table 100 via $(nvram get wan_gateway)

ip rule add fwmark 1 table 100

ip route flush cache

Define the routing policies for the traffic. The rules will be applied in the order that they
are listed. In the end, packets with MARK set to “0” will pass through the VPN. If MARK is set
to “1” it will bypass the VPN.

EXAMPLES:

All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
Ports 80 and 443 will bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
All traffic from a particular computer on the LAN will use the VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
All traffic to a specific Internet IP address will use the VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
All UDP and ICMP traffic will bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1
#iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 32400 -j MARK --set-mark 1

iptables -t mangle -A PREROUTING -i br0 -s 192.168.5.2 -p tcp -m multiport --sport 32400 -j MARK --set-mark 1

THANK YOU!!!!!!!!! For anyone running tomato with open vpn client on it use this script. Just change the ip to the static ip of your server and port on the last line.

I have PIA, and on their website it says that port forwarding reduces security, and to keep it disabled.  Before I mess with my settings, I'm just wondering if anyone can shed some light on this.  I'd love to be able to use both Plex and PIA at the same time, but if it'll likely open me up to security risks, I'd rather figure something else out, other than port forwarding.

Here is a link to a very user friendly Windows tutorial using XFlak's Bat file:

http://www.cuttingcords.com/home/2014/11/8/protecting-your-privacy-with-vpn

Works perfectly with Windows 7.