Using Plex Server with a VPN

To answer the question a few posts back, I can confirm Astrill VPN definitely works, provided you get their port forwarding add-on.

I've tried to read through the thread but it's gotten very convoluted. 

I'm using PIA and plex doesn't work with my server (OSX yosemite). Do I need to switch VPN service? I don't want to use any special hacks, is there a service that I can just buy and set the port and be done with? 

Thank you!

Here is a link to a very user friendly Windows tutorial using XFlak's Bat file:

http://www.cuttingcords.com/home/2014/11/8/protecting-your-privacy-with-vpn

Works perfectly with Windows 7.

I ran into the issue of bypassing my VPN for Plex server and worked on it for a few days, and read through most of this thread.

What I realized last night was that my.plexapp.com is hosted on Amazon Web Services cloud, and the servers are load-balanced with distributed DNS.  The static route to my.plexapp.com was only half of the solution, because it doesn't work when Plex's IP address changes on you.  As a result, as some have realized, you see it resolving to many different IP addresses, and I see some very interesting and elaborate solutions devised to address this.

However, I think I've managed to solve it very simply.

1) Add a persistent static route to ONE of the IP addresses, say for example, 184.169.173.31, with your gateway being the IP address of your router (ex: 192.168.1.1)

2) Add an entry in your hosts file to resolve my.plexapp.com to that IP address.

For Windows:

1) Open your Command Prompt with "Run As Administrator" (right-click the Command Prompt icon in Accessories)

2) Add persistent static route:  route add 184.169.173.31 192.168.1.1 -p

3) Open Notepad with "Run As Administrator" (see above)

4) In Notepad, open "c:\Windows\system32\drivers\etc\hosts"

5) Add a new line, "184.169.173.31    my.plexapp.com"

For Mac, you can basically follow the same idea.

The reason why this works is simple:  you basically only need one of the my.plexapp.com IPs, because while AWS is presenting you with different IPs, *all* of the IP addresses actually work, so you just need to force your PC to pick just one.  Instead of relying on DNS, with the hosts file entry present, Plex Media Server will only talk to my.plexapp.com on that one IP.  Since that IP is statically routed to go out your non-VPN interface, Plex will see your public IP address, and your friends will come through the public IP (you still need your Plex port open, e.g., 32400).

Again, this is to have PMS bypass the VPN and go through your public interface.  This is a different solution than those of you who are trying to (or want to) have your PMS go through the VPN.

My friends say my server is now available again, so as far as I know, this fixed the issue.

Hope this helps.

Thank you so much yooniverse, it works perfectly :)

Hullo peeps!

Let's see if anyone easily can point out my mistake. I run PMS on a dedicated NAS on Debian 7.

If I have VPN off then everything works as expected. However, if i start VPN (running OpenVPN) then naturally Plex won't connect to my PMS server remotely. It does however work locally.

So this is what I have done. In steps.

1. In PMS I set a port manually, for this test I did actually use 32400.

2. I open this port in my router.

3. I add the below lines to my client.conf OpenVPN config file on the NAS, before starting OpenVPN:

    3.1 route 184.72.0.0 255.255.0.0 my.gateway.ip

Hi all,

The HOWTO on how to use Plex Server with a VPN without modifying your router is now updated for Mac Yosemite and verified that it works:

https://forums.plex.tv/topic/117451-myplex-with-a-vpn-that-supports-port-forwarding/?p=703644

Is this for you?:

• Your VPN client is on your Mac
• Your VPN server supports Port Forwarding (most do)
• You want an easier solution that works

If you have Plex Pass, please vote on this Bug Fix request: https://forums.plex.tv/topic/145989-bug-listen-to-manually-specified-port-on-vpn-interface/that will allow people with port forwarding VPNs to avoid all this complex work around.

I wrote a windows batch file to route my.plexapp.com's current IP address (with mask 255.255.0.0) to your machine's default gateway (e.g. 192.168.2.1). I promise the bat file is safe, just google me and my reputation will speak for itself.

The code is below but I also uploaded a zip containing the bat file and an exe version of the bat file (same as the bat file except runs invisibly). For best results, use windows task scheduler to launch the exe (with highest privileges) as often as you'd like.

This will ensure that even if the IP for my.plexapp.com changes, your setup will automatically route it past your VPN. A list of routed IPs will be saved here:

"%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt

I'm using PIA and this works perfectly.

Enjoy!

XFlak

@echo off
setlocal
set PATH=%SystemRoot%\system32;%SystemRoot%\system32\wbem;%SystemRoot%
chcp 437>nul
echo my.plexapp.com VPN Route Exception Builder

echo by XFlak

echo.
::get Default Gateway

ipconfig|findstr /I /C:“Default Gateway”|findstr /I /C:“1” >“%temp%\gateway.txt”

set /p gateway= <“%temp%\gateway.txt”

set gateway=%gateway:*: =%

::echo %gateway%
::set gateway=192.168.2.1
echo Getting my.plexapp.com’s current IP address

echo.
ping “my.plexapp.com”|findstr /I /C:“my.plexapp.com” >“%temp%\my.plexapp.com.txt”
set /p PlexIP= <“%temp%\my.plexapp.com.txt”

set PlexIP=%PlexIP:*[=%

set PlexIP=%PlexIP:~0,-24%

echo %PlexIP%

echo.
set zero=%PlexIP:.=%

set zero=%zero:.=%

echo set PlexIP=%%PlexIP:%zero%=0.0%%>“%temp%\plex.bat”

call “%temp%\plex.bat”
::echo %PlexIP%
if not exist “%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt” goto:skipcheck
findstr /I /C:“%PlexIP%” “%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt”>nul

IF NOT ERRORLEVEL 1 (echo IP already routed, exiting…) & (goto:fin)

:skipcheck
echo route -p add %PlexIP% mask 255.255.0.0 %gateway%

route -p add %PlexIP% mask 255.255.0.0 %gateway%

echo.
echo Adding IP to %userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt

echo.

echo %PlexIP% >>“%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt”
:fin
::echo fin

::pause
exit

edit: code was missing a ">", old version still worked but log only retained latest IP, the 4 people who downloaded the last version may want to redownload the new one

Ive been trying to use this to work but i am having trouble.  I tried the batch file by itself and i modified it to use 255.255.255.0 subnet.  I can get it to work for a while if i restart plex but it always stops working within a few minutes.

Have you utilized the Selective Routing script to define your needs? I have used it successfully on Merlin builds as well as, most recently, Tomato builds.  I just switched from as Asus router to a Netgear R7000 and have this as my SR Script... I added the Plex AWS IP addresses along with the IPChicken IP to verify...

#!/bin/bash
# This code goes in the WAN UP section.
# This code based on the contributions from this thread:
# http://www.linksysinfo.org/index.php?threads/route-only-specific-ports-through-vpn-openvpn.37240/
#
# And from material in these articles:
# http://linux-ip.net/html/adv-multi-internet.html
# http://fedorasolved.org/Members/kanarip/iptables-howto
#
# This script configures "selective" VPN routing. Normally, OpenVPN will route ALL traffic out
# the OpenVPN tunnel. These changes to iptables allow some outbound traffic to use the VPN, and some
# traffic to bypass the VPN and use the regular Internet instead.
#
# To list the current rules on the router, issue the command:
# iptables -t mangle -L PREROUTING
#
# Flush/reset all the rules to default by issuing the command:
# iptables -t mangle -F PREROUTING
#
#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done
#
# Delete and table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING
#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
#
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
| while read ROUTE ; do
ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache
#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#
# EXAMPLES:
#
# All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)
# iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
# Ports 80 and 443 will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
# All traffic from a particular computer on the LAN will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
# All traffic to a specific Internet IP address will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
# All UDP and ICMP traffic will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
# iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1
# All traffic from a specific Internet IP address range USING CIDR NOTATION will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -s 74.125.229.0/24 -j MARK --set-mark 0
# All traffic to a specific Internet IP address range USING CIDR NOTATION will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -d 98.207.0.0/16 -j MARK --set-mark 0
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 32400 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -s 192.168.2.100 -p tcp -m multiport --sport 32400 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 8888 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -s 192.168.2.100 -p tcp -m multiport --sport 8888 -j MARK --set-mark 1
# Bypass Plex IP Ranges https://forums.aws.amazon.com/ann.jspa?annID=1701
# FROM/SOURCE
iptables -t mangle -A PREROUTING -i br0 -s 184.169.128.0/17 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -s 50.18.0.0/16 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -s 54.241.0.0/16 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -s 184.72.0.0/18 -j MARK --set-mark 1
# TO/DESTINATION
iptables -t mangle -A PREROUTING -i br0 -d 184.169.128.0/17 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 50.18.0.0/16 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 54.241.0.0/16 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 184.72.0.0/18 -j MARK --set-mark 1
#Bypass IPChicken
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 209.68.27.16 -j MARK --set-mark 1

I have modified the SR script for my own needs and copied into Administration/Scripts/WAN Up, then I rebooted my R7000 router (AdvancedTomato 2.6-128). I use IPVanish for my VPN connection and OpenVPN Client is configured as per their instructions.

I believe that the WAN Up script is running before the OpenVPN client is connected, therefore the script is incomplete. Any thoughts?

Brian

I have modified the SR script for my own needs and copied into Administration/Scripts/WAN Up, then I rebooted my R7000 router (AdvancedTomato 2.6-128). I use IPVanish for my VPN connection and OpenVPN Client is configured as per their instructions.

I believe that the WAN Up script is running before the OpenVPN client is connected, therefore the script is incomplete. Any thoughts?

Brian

Try it in in the Firewall tab vs the Wan UP section... 

Thanks Jason, having issues with my VPN provider. Just tried the script in the Firewall tab no luck :-(

Could it have something to do with Custom Configuration of the VPN provider?

I have a R700 with the latest Advanced Tomato firmware.

Thanks in advance

Brian 

Thanks Jason, having issues with my VPN provider. Just tried the script in the Firewall tab no luck :-(

Could it have something to do with Custom Configuration of the VPN provider?

I have a R700 with the latest Advanced Tomato firmware.

Thanks in advance

Brian 

Brian-

Are you connected to your provider in general or are you saying your routing Plex outside the VPN in general is not working?  The script works... 

-Jason

Jason

Yes I am connected to my provider and yes its the routing of Plex outside the VPN that is not working.

My script below, have I made a mistake???

#!/bin/bash

# This code goes in the WAN UP section.

#

# This script configures "selective" VPN routing. Normally, OpenVPN will route ALL traffic out

# the OpenVPN tunnel. These changes to iptables allow some outbound traffic to use the VPN, and some

# traffic to bypass the VPN and use the regular Internet instead.

#

# To list the current rules on the router, issue the command:

# iptables -t mangle -L PREROUTING

#

# Flush/reset all the rules to default by issuing the command:

# iptables -t mangle -F PREROUTING

#

#

# First it is necessary to disable Reverse Path Filtering on all

# current and future network interfaces:

#

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do

echo 0 > $i

done

#

# Delete and table 100 and flush any existing rules if they exist.

#

ip route flush table 100

ip route del default table 100

ip rule del fwmark 1 table 100

ip route flush cache

iptables -t mangle -F PREROUTING

#

# Copy all non-default and non-VPN related routes from the main table into table 100.

# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"

#

# NOTE: Here I assume the OpenVPN tunnel is named "tun11".

#

#

ip route show table main | grep -Ev ^default | grep -Ev tun11 \

| while read ROUTE ; do

ip route add table 100 $ROUTE

done

ip route add default table 100 via $(nvram get wan_gateway)

ip rule add fwmark 1 table 100

ip route flush cache

#

# Define the routing policies for the traffic. The rules will be applied in the order that they

# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set

# to "1" it will bypass the VPN.

#

# EXAMPLES:

#

# All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)

iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

# Ports 80 and 443 will bypass the VPN

# iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1

# All traffic from a particular computer on the LAN will use the VPN

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 10.0.77.211 -j MARK --set-mark 0

# All traffic to a specific Internet IP address will use the VPN

# iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0

# All UDP and ICMP traffic will bypass the VPN

iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1

iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1

# All traffic from a specific Internet IP address range USING CIDR NOTATION will bypass the VPN

# iptables -t mangle -A PREROUTING -i br0 -s 74.125.229.0/24 -j MARK --set-mark 0

# All traffic to a specific Internet IP address range USING CIDR NOTATION will use the VPN

# iptables -t mangle -A PREROUTING -i br0 -d 98.207.0.0/16 -j MARK --set-mark 0

iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 32400 -j MARK --set-mark 1

iptables -t mangle -A PREROUTING -i br0 -s 10.0.77.211 -p tcp -m multiport --sport 32400 -j MARK --set-mark 1

iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 8888 -j MARK --set-mark 1

iptables -t mangle -A PREROUTING -i br0 -s 10.0.77.211 -p tcp -m multiport --sport 8888 -j MARK --set-mark 1

# Bypass Plex IP Ranges https://forums.aws.amazon.com/ann.jspa?annID=1701

# FROM/SOURCE

iptables -t mangle -A PREROUTING -i br0 -s 184.169.128.0/17 -j MARK --set-mark 1

iptables -t mangle -A PREROUTING -i br0 -s 50.18.0.0/16 -j MARK --set-mark 1

iptables -t mangle -A PREROUTING -i br0 -s 54.241.0.0/16 -j MARK --set-mark 1

iptables -t mangle -A PREROUTING -i br0 -s 184.72.0.0/18 -j MARK --set-mark 1

# TO/DESTINATION

iptables -t mangle -A PREROUTING -i br0 -d 184.169.128.0/17 -j MARK --set-mark 1

iptables -t mangle -A PREROUTING -i br0 -d 50.18.0.0/16 -j MARK -set--mark 1

iptables -t mangle -A PREROUTING -i br0 -d 54.241.0.0/16 -j MARK -set--mark 1

iptables -t mangle -A PREROUTING -i br0 -d 184.72.0.0/18 -j MARK -set--mark 1

#Bypass IPChicken

iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 209.68.27.16 -j MARK --set-mark 1

Brian

Hi all,

The HOWTO on how to use Plex Server with a VPN without modifying your router is now updated for Mac Yosemite and verified that it works:

https://forums.plex.tv/topic/117451-myplex-with-a-vpn-that-supports-port-forwarding/?p=703644

Is this for you?:

• Your VPN client is on your Mac
• Your VPN server supports Port Forwarding (most do)
• You want an easier solution that works

Thank you so much!  Worked like a charm.  I'm on a mac running yosemite.

.........

......

.........

Everything is working great at the moment. I followed the instructions posted on the link Mattammie posted, which used XFlak's script. I also applied yoouniverse's latest method of editing the hosts file. I DID NOTICE, that the zip file and the exe inside the archive posted by XFlak's tested positive for malware when scanned against various databses. These may be false positives, but I just want to inform our users of the potential risk. The bat file was fine however. Still, thank you all for the good work.

Virus Total Results:

Zip file: results

Exe file: results

Bat file: results

--------------------

OS: Windows 7

VPN: PIA

Dynamic DNS: NO-IP

Plex Port Forwarded on Modem/Router

Appreciated - thank you.  Used XFlak's file. 

I did make a mistake, and found an oddity.  I pointed the scheduled task at the bat file, didn't work.  When I pointed it at the exe it worked.

The oddity is I have two VPN services (and I use openvpn for each if that matters).  Worked with one, not the other.  Simple solution - use the one it worked with. 

A nice benefit is I use subsonic for streaming my music from home to my phone, and it wouldn't work if I had the VPN running, but now it does to.  Now - it's been up for all of 10 minutes so hopefully I'm not declaring success too soon, but appreciate all the tips in the thread!  I've set up my torrent client to only operate when the VPN is on, and I was getting complaints about my Plex being blocked when obtaining torrents - hopefully now that's all good!

I wrote a windows batch file to route my.plexapp.com's current IP address (with mask 255.255.0.0) to your machine's default gateway (e.g. 192.168.2.1). I promise the bat file is safe, just google me and my reputation will speak for itself.

The code is below but I also uploaded a zip containing the bat file and an exe version of the bat file (same as the bat file except runs invisibly). For best results, use windows task scheduler to launch the exe (with highest privileges) as often as you'd like.

This will ensure that even if the IP for my.plexapp.com changes, your setup will automatically route it past your VPN. A list of routed IPs will be saved here:

"%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt

I'm using PIA and this works perfectly.

Enjoy!

XFlak

@echo off
setlocal
set PATH=%SystemRoot%\system32;%SystemRoot%\system32\wbem;%SystemRoot%
chcp 437>nul
echo my.plexapp.com VPN Route Exception Builder

echo by XFlak

echo.
::get Default Gateway

ipconfig|findstr /I /C:“Default Gateway”|findstr /I /C:“1” >“%temp%\gateway.txt”

set /p gateway= <“%temp%\gateway.txt”

set gateway=%gateway:*: =%

::echo %gateway%
::set gateway=192.168.2.1
echo Getting my.plexapp.com’s current IP address

echo.
ping “my.plexapp.com”|findstr /I /C:“my.plexapp.com” >“%temp%\my.plexapp.com.txt”
set /p PlexIP= <“%temp%\my.plexapp.com.txt”

set PlexIP=%PlexIP:*[=%

set PlexIP=%PlexIP:~0,-24%

echo %PlexIP%

echo.
set zero=%PlexIP:.=%

set zero=%zero:.=%

echo set PlexIP=%%PlexIP:%zero%=0.0%%>“%temp%\plex.bat”

call “%temp%\plex.bat”
::echo %PlexIP%
if not exist “%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt” goto:skipcheck
findstr /I /C:“%PlexIP%” “%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt”>nul

IF NOT ERRORLEVEL 1 (echo IP already routed, exiting…) & (goto:fin)

:skipcheck
echo route -p add %PlexIP% mask 255.255.0.0 %gateway%

route -p add %PlexIP% mask 255.255.0.0 %gateway%

echo.
echo Adding IP to %userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt

echo.

echo %PlexIP% >>“%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt”
:fin
::echo fin

::pause
exit

edit: code was missing a ">", old version still worked but log only retained latest IP, the 4 people who downloaded the last version may want to redownload the new one

Nice script... BUT YOU HAVE SOME  MAJOR MAJOR  MAJOR FLAWS!!!!

You should NOT be using the subnet mask you are using. Class B routes like you have could send bit torrent and other traffic people want BEHIND the VPN out their ISP IP. You are routing a TON of internet IP's out the ISP route and not the VPN! Your script should be modified in the following way:

1. Don't ping my.plexapp.com! Use "nslookup my.plexapp.com" and grab the IP's Plex is currently using that way.

2. Once using the NSLOOKUP IP's, route to them with 255.255.255.255 subnet mask so you are only routing Plex traffic to my.plexapp.com out the ISP gateway, everything else still stays behind the VPN.

Let me know if that makes sense, or if you need a better explanation. 

For those looking for VPN services that allow Plex to work behind it, LiquidVPN's Dynamic IP service works just fine... No configuration needed in Plex, or on the VPN side, port mapping is done auto-magicly. 

Nice script... BUT YOU HAVE SOME MAJOR MAJOR MAJOR FLAWS!!!!

You should NOT be using the subnet mask you are using. Class B routes like you have could send bit torrent and other traffic people want BEHIND the VPN out their ISP IP. You are routing a TON of internet IP's out the ISP route and not the VPN! Your script should be modified in the following way:

1. Don't ping my.plexapp.com! Use "nslookup my.plexapp.com" and grab the IP's Plex is currently using that way.
2. Once using the NSLOOKUP IP's, route to them with 255.255.255.255 subnet mask so you are only routing Plex traffic to my.plexapp.com out the ISP gateway, everything else still stays behind the VPN.

Let me know if that makes sense, or if you need a better explanation.

For those looking for VPN services that allow Plex to work behind it, LiquidVPN's Dynamic IP service works just fine... No configuration needed in Plex, or on the VPN side, port mapping is done auto-magicly.

If what you're saying holds, I've been torrenting openly for the past 2 weeks [emoji35]
6890, would you mind updating the existing script? I would do it myself if knew how to program. Or, is there a way to undo the changes made by XFlaks script??

I believe what 6890 was/is saying is that there are some *potential* issues with XFlak's approach. The biggest being the subnet mask. By applying a 255.255.0.0 netmask, you are only matching on the "network" part of the IP - and routing all hosts on that particular network through your default gatway. Since Plex is hosted on Amazon cloud, you could potentially be routing other Amazon-related IPs out your default gateway. Agreed, that could be no bueno.

However, with that said, this *should* not impact your torrenting as it's unlikely that would be using Amazon.

You can test what IP you are reporting via your torrent client with a method such as this. 

Updating XFlak's script to use a different netmask should be relatively simple.

To remove the routes that have been added by the process, just open an administrator command prompt and run "route print" to see the routes then use "route delete IP_ADDRESS" to remove the ones you don't want (they should be under the IPv4 Persistent Routes.

NOTE: XFlak's script maintains a physical file (%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt) with these IPs that have been added to the route table. If you remove them from the table, the script will not add them back until you remove the file (because it thinks it has already added them).

I started down the road of updating XFlak's script and quickly realized making significant changes to a Windows batch script is a pain (unless you've got some experience in batch scripting I suppose). 

My use case was that I wanted to address the shortcomings (use nslookup and variable netmasks) and also be able to add additional hosts to route through my default gateway. For example, I use a service to update my IP for my domain name. I don't want my domain name mapped to my VPN address. I also might not want to download usenet via the VPN.)

For simplicity, I created a PHP CLI script that does what I need. It doesn't require a full PHP install (with a web server). It's similar to XFlak's script but a bit more robust. It can handle multiple hosts with individual netmask definitions and will both add and remove entries (if an IP changes, it will remove the no longer needed ones).