I updated my script posted here:
https://forums.plex.tv/topic/64600-using-plex-server-with-a-vpn/page-3#entry602919
Specifically, I updated the script\attachment, it’s now more efficient\secure by using nslookup instead of ping and using subnet mask 255.255.255.255 instead of 255.255.0.0. Thanks to 6890 (aka John Doe at cutting cords) for the suggestions.
edit: for a clean slate, use the command “route -f” or follow the instructions posted above to manually remove each entry
If anyone has any other suggestions on how to enhance the script, I’m all ears. Feedback is always welcomed and appreciated
Thank you for creating this. I am having some issues getting this to work. I have the script set to auto run on logon and at 1hr intervals thereafter. The permitted Plex IPs have about 5 IPs logged in; however, I am unable to connect to Plex from outside my network when my VPN (in my case PIA) is activated. I have forwarded port 32400 in my router and have manually specified port 32400 in the server; however, I cannot get it to work. The settings page shows the public IP along with the specified port 32400; however, it says private IP unknown. Any help would be greatly appreciated.
I am having the same exact problem as ms1760 in the post above. I'm also on PIA and have the correct port forwarding. The previous script used to work but no longer does, and I cannot get the new one by XFlak to work.
The only thing of substance to change is the subnet. I think some people were reporting this issue which is why I used 255.255.0.0 in the first place.
To test if the subnet is the problem, add the IP’s saved here (%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt) to your route table using the following cmd line as a guide. Be sure to update your gateway.
route -p add 54.241.0.0 mask 255.255.0.0 192.168.2.1
I don’t understand why a subnet of 255.255.255.255 works for some (including me) but not others. If someone else can provide an explanation I’m willing to incorporate a solution into the script.
Also check to make sure entries are being properly added to your routing table with the “route print” command
If it turns out a subnet of 255.255.0.0 solves the problem, those impacted can find the first draft of the script at the cuttingscords webpage.
Ok so I tried this method. I disabled the original bat from auto running at startup by disabling the task and deleting the batch. I cleared routes using route -f, then I manually routed the following masks:
255.255.255.255
255.255.255.0
255.255.0.0
255.0.0.0
None worked.
I did an ipconfig and noticed the VPN uses 255.255.255.252
I routed this mask and then I decided to uncheck the VPN kill switch. The internet wouldn't connect so I restarted the PC and magically I was able to access Plex remotely from my phone while not on the network. Can the internet kill switch be causing issues in this regard? My configuration for PIA is killswitch, DNS leak protect, IPv6 protect. If so, how can you protect yourself as far as being able to prevent certain services which need killswitch active for protection (I want certain apps like my torrent client to stop functioning if the traffic is not relayed through the VPN)?
In your example u say u got it working using a different subnet and disabling the kill switch. Try one at a time to determine which actually made a difference. If your vpn was enabled then the kill switch shouldn’t make a difference.
If I had to guess, try disabling only dns leak protection and see if the new script works. If that doesn’t fix it, try each of the other options one at a time until u figure out the culprit.
I don’t have ip v6 protection, dns leak or kill switch enabled.
K so I was able to confirm it working with killswitch, IPv6 and DNS leak enabled on the PIA side. So it probably has to do with the subnet, at least for me. I am not sure if there is a way to automate this in a batch, as manually doing this can be a hassle. Someone asked me to give them a step by step on what I did so I sent them this. I apologize in advance for the capslock.
I managed to get it to work by changing the subnet as discussed in the thread. Try this:
OPEN START MENU
IN SEARCH TYPE CMD
RIGHT CLICK ON IT CLICK RUN AS ADMINISTRATOR
TYPE IN:
route -f
HIT ENTER
TYPE IN:
route print
THIS WILL CONFIRM THERE IS NOTHING IN YOUR ROUTING TABLE
TYPE
ipconfig
THIS WILL GIVE YOU
THE DETAILS OF YOUR CONNECTION:
NOTATE YOUR SUBNET MASK WHEN VPN IS ACTIVE AND WHEN VPN IS DISABLED. FOR ME IT WAS 255.255.255.252. LEAVE COMMAND PROMPT OPEN
THEN OPEN YOUR PERMITTED PLEX IP LOCATION BY GOING BACK INTO THE START MENU CLICKING IN THE SEARCH BAR AND PASTING THIS:
%userprofile%\AppData\Local\Plex Media Server\PermittedPlexIPs.txt
RIGHT CLICK ON THE DOCUMENT THAT COMES UP AND CHOOSE OPEN FILE LOCATION. SHOULD TAKE YOU TO YOUR PROFILE LOCATION OF THE TXT FILE. (THIS PART IS OPTIONAL) YOU CAN IF YOU WOULD LIKE NOW RIGHT CLICK ON THE TEXT DOCUMENT AND CREATE A SHORTCUT TO YOUR DESKTOP SO YOU DON'T HAVE TO TRY TO TRACK IT DOWN EVERY 5 SECONDS WHILE TESTING.
OPEN THE DOCUMENT AND NOTATE ALL THOSE IPS (SHOULD BE ABOUT FIVE IPS, MAYBE MORE, MAYBE LESS). DON'T MAKE CHANGES TO THE DOCUMENT.
INSTEAD ROUTE ALL OF THEM MANUALLY IN COMMAND PROMPT. TO DO THIS OPEN A NEW NOTEPAD DOCUMENT AND PASTE THE IPS IN THE NEW DOCUMENT FOLLOWED BY YOUR SUBNET MASK FOR YOUR CONNECTION WITHOUT VPN ACTIVE FOLLOWED BY YOUR DEFAULT GATEWAY (YOU CAN JUST COPY AND PASTE THE BELOW, REPLACING THE X'S WITH THE IPS IN YOUR PLEX PERMITTED IPS). YOU DON'T HAVE TO DO THIS INDIVIDUALLY. I HAVE A NOTEPAD DOCUMENT SET UP WITH ALL THE IPS ADDED IN UNDER THE DIFFERENT MASKS. IF IT FAILS WHEN I REBOOT I JUST START OVER, COPY THE COMMAND BELOW AND PASTE THE WHOLE THING INTO CMD. IT WORKS FLAWLESSLY. FOR ME THE SETUP LOOKS LIKE THIS:
route -p add xxx.xxx.x.x mask 255.255.255.252 192.168.1.1
route -p add xxx.xxx.xxx.xxx mask 255.255.255.252 192.168.1.1
route -p add xxx.xxx.xxx.xxx mask 255.255.255.252 192.168.1.1
route -p add xxx.xxx.xxx.xxx mask 255.255.255.252 192.168.1.1
route -p add xxx.xxx.xxx.xxx mask 255.255.255.252 192.168.1.1
route -p add xxx.xxx.xxx.xxx mask 255.255.255.252 192.168.1.1
route -p add xxx.xxx.xxx.xxx mask 255.255.255.252 192.168.1.1
route -p add xxx.xxx.xxx.xxx mask 255.255.255.252 192.168.1.1
ONCE YOU DO THIS GO AHEAD AND TYPE:
route print
THIS WILL CHECK IF IT WORKED. IF YOU SEE YOUR IPS FROM THE PLEX PERMITTED IPS DOCUMENT IN YOUR IPV4 TABLE ROUTED TO THE GATEWAY YOU SELECTED GREAT. OPEN UP YOUR WEB BROWSER (WITH YOUR VPN CONNECTED) AND GO TO YOUR PLEX > SETTINGS > SERVER > REMOTE ACCESS > MANUALLY SPECIFY PORT > 32400 (MAKE SURE YOUR ROUTER IS SET UP TO FORWARD THIS PORT) ONCE YOU DO ALL THAT HIT RETRY. IF IT FAILS GO BACK TO COMMAND PROMPT AND TYPE:
route -f
THEN CONFIRM ITS CLEAR WITH:
route print
THEN DO IT ALL OVER AGAIN. YOU AT THIS POINT ARE JUST CHANGING THE MASK
route -p add xxx.xxx.xxx.xxx mask 255.255.0.0 192.168.1.1
route -p add xxx.xxx.xxx.xxx mask 255.255.0.0 192.168.1.1
route -p add xxx.xxx.xxx.xxx mask 255.255.0.0 192.168.1.1
route -p add xxx.xxx.xxx.xxx mask 255.255.0.0 192.168.1.1
route -p add xxx.xxx.xxx.xxx mask 255.255.0.0 192.168.1.1
route -p add xxx.xxx.xxx.xxx mask 255.255.0.0 192.168.1.1
route -p add xxx.xxx.xxx.xxx mask 255.255.0.0 192.168.1.1
route -p add xxx.xxx.xxx.xxx mask 255.255.0.0 192.168.1.1
THIS WILL CHECK IF IT WORKED. IF YOU SEE YOUR IPS FROM THE PLEX PERMITTED IPS DOCUMENT IN YOUR IPV4 TABLE ROUTED TO THE GATEWAY YOU SELECTED GREAT. OPEN UP YOUR WEB BROWSER (WITH YOUR VPN CONNECTED) AND GO TO YOUR PLEX > SETTINGS > SERVER > REMOTE ACCESS > MANUALLY SPECIFY PORT > 32400 ONCE YOU DO ALL THAT HIT RETRY. IF IT FAILS GO BACK TO COMMAND PROMPT AND TYPE:
route -f
THEN CONFIRM ITS CLEAR WITH:
route print
THEN DO IT ALL OVER AGAIN.
route -p add xxx.xxx.xxx.xxx mask 255.255.255.0 192.168.1.1
route -p add xxx.xxx.xxx.xxx mask 255.255.255.0 192.168.1.1
route -p add xxx.xxx.xxx.xxx mask 255.255.255.0 192.168.1.1
route -p add xxx.xxx.xxx.xxx mask 255.255.255.0 192.168.1.1
route -p add xxx.xxx.xxx.xxx mask 255.255.255.0 192.168.1.1
route -p add xxx.xxx.xxx.xxx mask 255.255.255.0 192.168.1.1
route -p add xxx.xxx.xxx.xxx mask 255.255.255.0 192.168.1.1
route -p add xxx.xxx.xxx.xxx mask 255.255.255.0 192.168.1.1
THIS WILL CHECK IF IT WORKED. IF YOU SEE YOUR IPS FROM THE PLEX PERMITTED IPS DOCUMENT IN YOUR IPV4 TABLE ROUTED TO THE GATEWAY YOU SELECTED GREAT. OPEN UP YOUR WEB BROWSER (WITH YOUR VPN CONNECTED) AND GO TO YOUR PLEX > SETTINGS > SERVER > REMOTE ACCESS > MANUALLY SPECIFY PORT > 32400 ONCE YOU DO ALL THAT HIT RETRY. IF IT FAILS GO BACK TO COMMAND PROMPT AND TYPE:
route -f
THEN CONFIRM ITS CLEAR WITH:
route print
THEN DO IT ALL OVER AGAIN.
route -p add xxx.xxx.xxx.xxx mask 255.0.0.0 192.168.1.1
route -p add xxx.xxx.xxx.xxx mask 255.0.0.0 192.168.1.1
route -p add xxx.xxx.xxx.xxx mask 255.0.0.0 192.168.1.1
route -p add xxx.xxx.xxx.xxx mask 255.0.0.0 192.168.1.1
route -p add xxx.xxx.xxx.xxx mask 255.0.0.0 192.168.1.1
route -p add xxx.xxx.xxx.xxx mask 255.0.0.0 192.168.1.1
route -p add xxx.xxx.xxx.xxx mask 255.0.0.0 192.168.1.1
route -p add xxx.xxx.xxx.xxx mask 255.0.0.0 192.168.1.1
KEEP TRYING THE DIFFERENT MASKS IN YOUR IPCONFIG. IF IT WORKS: PROFIT
IF IT DOESNT: IDK THIS IS JUST WHAT DID IT FOR ME.
So what subnet worked for you at the end of the day? I could easily create a few different versions of the bat with file different subnets if there’s a demand
I just updated my script... again, find it here:
https://forums.plex.tv/topic/64600-using-plex-server-with-a-vpn/page-3#entry602919
Now it includes a read me, an uninstaller, and multiple versions of the script for different subnets. Try them in the following order until you find one that works for you. Warning, the further you get to the bottom of the list the more IPs will bypass your VPN.
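The trade-off behind that warning, worked through as an added example (this is not XFlak's script): for each mask tried in this thread it builds the `route -p add` lines and counts how many addresses would leave through the gateway instead of the VPN. Windows `route add` rejects a destination that has host bits set under the mask, so the destination is cleared to the network address first. The IP list is constructed (two addresses quoted in this thread plus one made-up address) and the gateway is the thread's example value.

```python
import ipaddress

# Constructed stand-in for PermittedPlexIPs.txt: two addresses quoted in this
# thread plus one made-up address in the same /16. Gateway is the thread's example.
SAMPLE_IPS = ["184.169.173.31", "184.169.20.7", "54.241.0.0"]
GATEWAY = "192.168.1.1"
MASKS = ["255.255.255.255", "255.255.255.252", "255.255.255.0",
         "255.255.0.0", "255.0.0.0"]

def aligned_network(ip, mask):
    """Return the network `ip` falls in under `mask`, with host bits cleared."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def route_commands(ips, mask, gateway):
    """Build deduplicated `route -p add` lines whose destination matches the mask."""
    nets = sorted({aligned_network(ip, mask) for ip in ips})
    return [f"route -p add {n.network_address} mask {n.netmask} {gateway}"
            for n in nets]

def bypass_count(ips, mask):
    """Count distinct addresses that would use the gateway instead of the VPN."""
    nets = ipaddress.collapse_addresses(aligned_network(ip, mask) for ip in ips)
    return sum(n.num_addresses for n in nets)

def report(ips=SAMPLE_IPS, gateway=GATEWAY):
    """Map each mask to (route commands, number of addresses outside the VPN)."""
    return {m: (route_commands(ips, m, gateway), bypass_count(ips, m))
            for m in MASKS}

if __name__ == "__main__":
    for mask, (commands, count) in report().items():
        print(f"mask {mask}: {count} address(es) bypass the VPN")
        for command in commands:
            print("  " + command)
```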
I ran into the issue of bypassing my VPN for Plex server and worked on it for a few days, and read through most of this thread.
What I realized last night was that my.plexapp.com is hosted on Amazon Web Services cloud, and the servers are load-balanced with distributed DNS. The static route to my.plexapp.com was only half of the solution, because it doesn't work when Plex's IP address changes on you. As a result, as some have realized, you see it resolving to many different IP addresses, and I see some very interesting and elaborate solutions devised to address this.
However, I think I've managed to solve it very simply.
1) Add a persistent static route to ONE of the IP addresses, say for example, 184.169.173.31, with your gateway being the IP address of your router (ex: 192.168.1.1)
2) Add an entry in your hosts file to resolve my.plexapp.com to that IP address.
For Windows:
1) Open your Command Prompt with "Run As Administrator" (right-click the Command Prompt icon in Accessories)
2) Add persistent static route: route add 184.169.173.31 192.168.1.1 -p
3) Open Notepad with "Run As Administrator" (see above)
4) In Notepad, open "c:\Windows\system32\drivers\etc\hosts"
5) Add a new line, "184.169.173.31 my.plexapp.com"
For Mac, you can basically follow the same idea.
The reason why this works is simple: you basically only need one of the my.plexapp.com IPs, because while AWS is presenting you with different IPs, *all* of the IP addresses actually work, so you just need to force your PC to pick just one. Instead of relying on DNS, with the hosts file entry present, Plex Media Server will only talk to my.plexapp.com on that one IP. Since that IP is statically routed to go out your non-VPN interface, Plex will see your public IP address, and your friends will come through the public IP (you still need your Plex port open, e.g., 32400).
Again, this is to have PMS bypass the VPN and go through your public interface. This is a different solution than those of you who are trying to (or want to) have your PMS go through the VPN.
My friends say my server is now available again, so as far as I know, this fixed the issue.
Hope this helps.
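A consistency check for the two-part setup in the post above, as an added example that is not from the original poster: it reads the hosts file text and the Persistent Routes section of `route print`, then reports when the pinned address has no static route, goes through a different gateway, or is covered by a route wider than a single host. Both sample inputs are constructed from the values in the post.

```python
import ipaddress

# Constructed sample inputs that mirror the steps in the post above.
HOSTS_TEXT = """\
# constructed hosts file
127.0.0.1       localhost
184.169.173.31  my.plexapp.com   # pinned so Plex always uses the routed IP
"""
PERSISTENT_ROUTES = """\
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
   184.169.173.31  255.255.255.255      192.168.1.1       1
"""

def pinned_ips(hosts_text, name):
    """Return every address the hosts file maps `name` to."""
    found = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) >= 2 and name.lower() in (f.lower() for f in fields[1:]):
            try:
                found.append(ipaddress.ip_address(fields[0]))
            except ValueError:
                continue                         # malformed entry, ignore it
    return found

def parse_routes(route_text):
    """Extract (network, gateway) pairs from lines shaped `dest mask gateway ...`."""
    routes = []
    for line in route_text.splitlines():
        fields = line.split()
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}")
            gateway = ipaddress.ip_address(fields[2])
        except (IndexError, ValueError):
            continue                             # headers, separators, On-link rows
        routes.append((net, gateway))
    return routes

def check_pin(hosts_text, route_text, name, gateway):
    """Return a list of problems; an empty list means pin and route agree."""
    problems = []
    ips = pinned_ips(hosts_text, name)
    if not ips:
        problems.append(f"{name} is not pinned in hosts; DNS may return an unrouted IP")
    for ip in ips:
        matches = [r for r in parse_routes(route_text) if ip in r[0]]
        if not matches:
            problems.append(f"{ip} has no static route and will follow the VPN")
            continue
        net, via = max(matches, key=lambda r: r[0].prefixlen)  # longest prefix wins
        if str(via) != gateway:
            problems.append(f"{ip} is routed via {via}, not {gateway}")
        if net.prefixlen < 32:
            problems.append(f"{net} sends {net.num_addresses} addresses outside the VPN")
    return problems
```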
Thank you! I've been looking for a solution to circumvent the VPN entirely. I don't care about PLEX bypassing the VPN but I found no mention of it anywhere else. I simply added the route command into a batch file and have it run on startup. Works like a charm.
FYI, if you’ve set a static IP address in the hosts file you just need to run the route command once, not set up on a task scheduler.
The problem with this method however is that it won’t work if the IP address changes entirely.
The best solution would be to replace Plex.tv in my script with whatever web address you want to bypass and set it up to run on a schedule. This way it will work even if the IP changes.
While I think that I posted the EC2 IP's at some point, I figured I should re-post them anyway...
Amazon regularly assigns and re-allocates IP addresses to Plex based on a number of issues that are not even related to this software... Here is the link to the most current EC2 allocations:
https://forums.aws.amazon.com/ann.jspa?annID=1701
For me, I have never seen an IP for Plex that falls outside of these IP ranges...
184.169.128.0/17
50.18.0.0/16
54.241.0.0/16
184.72.0.0/18
-Jason
Good work XFlak
I know this is for if you have PIA running on the same VM that has Plex server running. Currently I have two VMs to isolate this issue, but I like your idea to just exclude Plex from the VPN traffic. However, I guess there isn't a real way to encrypt Plex traffic when streaming to others, is there? If there isn't, then how safe is streaming to others? Can't your ISP actually see the stuff you're streaming? My only concern is that your ISP is able to see what you're streaming and I don't think it's good.
If u want to encrypt your Plex streaming, u need to investigate port forwarding with your vpn service which may raise a whole whack of other security concerns.
There is another potential solution. Set up your own open vpn server on your local network and connect to it when you're away from home. Then the Plex stream will be unencrypted over the LAN (but who cares, not monitored by ISPs) and encrypted once it leaves the LAN. Only issue with this method is the additional resources it takes, which is why it may be good to use yourself, but not to share with friends (i.e. you don’t want lots of people connecting to your personal open vpn, especially at the same time).
That being said, having Plex bypass your VPN isn’t something I’m personally concerned about. Unless you are sharing with tons of people it’s doubtful anyone would investigate/care what you’re doing.
Any idea why this would work with some VPNs and not others? I have two different services/providers - and link to either through OPEN VPN. On one service, I can still connect to Plex and on the other (UnoVPN from Unotelly) I cannot. Thx!
No idea sorry. Other than an online computer networking course, all I know about this stuff I learned from this thread. I just wrote a batch script based on the info others had already provided
Standing up your own VPN is an option but then I really don't want them to have access to my internal LAN. I haven't read this whole forum, but will your batch work if the Plex servers change their IP?
Yes it works if Plex IP changes. U dont need to read the whole thread but you should try to at least read my post/read-me.
Hey all, so I got a new router and it had features to add my VPN through it. Question is, does anyone know how to open the port for Plex to see my real IP? Since it's going through the router, I cannot just route the Plex IP addresses anymore. I was hoping there is a way to open the port so the router allows that port to show my real IP.