Posted: Mon Mar 13, 2017 0:24 Post subject: PureVPN, Netgear ReadyNAS and Plex Media Server
I'm hoping someone can help me out here, as I think I'm now out of my depth. I have the following:
1) A Netgear router with DD-WRT v24-sp2 (10/06/14) kongac
2) A Netgear NAS with OS 6.6.1, running a Plex Media Server
3) A PureVPN subscription + NAS Firewall option
4) A Smart TV with a Plex app
5) A Roku with a Plex app
6) Various other devices in my house, only some of which I want to use the VPN
So far I have, with the help of various people here:
managed to get my router set up with OpenVPN reasonably securely and only directed to those devices that I want it to. I've even managed to add in some ad-blocking too (I don't like some of the adverts that pop up on YouTube when my kids are watching).
What I'm struggling with, is getting my Plex Media Server to work as it used to before I tried experimenting with a VPN.
That is, I *think* the way it used to work is that the PMS was able to detect when other devices were on the same LAN and stream directly through that, as well as have a direct connection to devices outside of the LAN to stream through the internet.
At the moment, I can't get either of those two things working. I have tried:
1) opening the port that seems relevant (whatever I set it to in my server Plex settings) using the PureVPN NAT add-on
2) forwarding said port in my router settings
3) Using the code listed in the first link I posted above to forward the port
but whatever I do, the Plex app says that my server is not visible to the outside world and gives suggestions to do with "Double NAT".
On top of that, it did seem to be working on the devices in my house for a few days (albeit sometimes saying it was using Plex's relay service) but at the moment none of them even detect a server at all.
I would greatly appreciate any help that anyone can provide. I'm happy to share further information if needed, but I wasn't too sure what to include.
I have a very similar situation -
By modifying the firewall script I'm now able to:
- Run openVPN client to PureVPN on my router
- Route select devices through the VPN, while others go direct to the ISP
- Plex is running on one of the devices that's being routed to the VPN, but the Plex port is excluded.
- Added a "VPN kill-switch", but still allow Plex to work.
My problem is speed, and I assume there is something in my config that's not quite right, but i have no idea how to troubleshoot or find it. And to be frank, PureVPN tech support is not helpful - at least not yet.
I have a 100Mb down / 50Mb up connection, but running the VPN to the closest server speedtest.net drops to ~5-10Mb down - and that's just not ok.
Tech support immediately blamed my hardware as being "not powerful enough to handle the encryption at full speed" - which is fine if its true, but they haven't asked for or collected any logs or anything to prove it. Didn't even ask what model I'm running [DIR-868L Rev.A]. I believe it's powerful enough because I ran with HMA with much higher speeds.
Anyway - I don't want to hijack this thread - I'd be happy to share scripts I use if @SisyphusBond would find it useful... But if anyone can help on troubleshooting.. much appreciated, just need some guidance.
I believe this is the part of the script that is missing from what you already have:
# add firewall rule
iptables -t mangle -A PREROUTING -i br0 -s $INTERNAL_ADDR_PLEXSERVER -p tcp -m multiport --sport 32400 -j MARK --set-mark $FW_MARK
# Bypass VPN for Plex.TV
DNS_LIST="`nvram get wan_get_dns` 8.8.8.8 8.8.4.4 209.244.0.3"
URL_LIST="plex.tv canyouseeme.org"
for DNS_SVR in $DNS_LIST; do
for URL in $URL_LIST; do
for IP in `nslookup $URL $DNS_SVR | awk -F " " '{print $3}' | grep -Ev "(^$|$DNS_SVR)"`; do
if `iptables -L PREROUTING -t mangle -n --line-numbers | grep -q $IP`; then
echo "Already created iptable rule for $IP/32"
else
echo "Creating iptable rule for $IP/32"
iptables -t mangle -A PREROUTING -i br0 -s $INTERNAL_ADDR_PLEXSERVER -d $IP/32 -j MARK --set-mark $FW_MARK
fi
done
done
done
That will get all the addresses that plex.tv and canyouseeme.org use and add the fwmark to it. I'm making the assumption that the rest of your script is already ok.
You can check if its working properly by going to this url: http://plex.tv/pms/:/ip
If you see the IP addr from the ISP, it worked.
I believe this is the part of the script that is missing from what you already have:
Thanks! I'll give that a try this evening. If I still have problems, I'll revert to the other suggestion above. I'm hopeful your solution works though, as shutting down Netflix and iPlayer for a few days will not go down well with my family...
I should perhaps add that I had to reboot both the router and NAS last night for other reasons, and it was working closer to what I wanted this morning, but it seems to be fluctuating a bit throughout the day and sometimes the server is inaccessible. Sometimes it says it has a remote connection with no problems.
does indeed now give me the IP for my ISP connection, and the PMS now works just fine on my LG Smart TV.
It is still only giving me relayed connections on my Roku, but given that it is working everywhere else I'm starting to suspect now that this isn't necessarily to do with DD-WRT or the VPN...
It is still only giving me relayed connections on my Roku,
What are relayed connections?
The code you added should allow the plex server to go out to register itself on plex.tv, and make wan connections available to it.
I'm assuming your Roku and TV are on your LAN, so the code shouldn't have affected that.
Maybe share your full firewall script?
and also do a "ip rule show" ?
I should perhaps also add that in my Plex server settings it now says that the server is remotely accessible. It wobbles occasionally and disappears, but most of the time is giving no further error messages that I can see.
Bunsen wrote:
The code you added should allow the plex server to go out to register itself on plex.tv, and make wan connections available to it.
I'm assuming your Roku and TV are on your LAN, so the code shouldn't have affected that.
They are both on the LAN, yes. If it's relevant, I believe that the Roku app requires a secure connection whereas the official LG TV app does not. I have also tried using XPlay, a 3rd party app that somehow works as though it were accessing Plex through a web browser (I believe) and that actually shows me when it is starting up that it is connecting to the LAN IP address for my NAS. It also runs much, much faster than the other two options.
Bunsen wrote:
Maybe share your full firewall script?
What's the etiquette for doing so if it's fairly long? Post it here, or some other place and include a link?
Basically I've just taken two bits of code from the second link in my first post (labelled as "allow only outbound connections to the VPN (no inbound)" and "port forward from the VPN and into the LAN"), as well as the ad-blocking script that's listed in the DD-WRT Wiki. Oh, and the code you posted higher up this thread.
Bunsen wrote:
and also do a "ip rule show" ?
Is that something I run through the DD-WRT command console? Or from the NAS?
I should perhaps also add that in my Plex server settings it now says that the server is remotely accessible. It wobbles occasionally and disappears, but most of the time is giving no further error messages that I can see.
So the relayed connection says "Indirect", or "Remote", or "Nearby"... or something else? I've only ever seen those three. Mine is now stable at "Remote" when I'm outside my network, and "Nearby" when I'm home, but it took some tuning of scripts.
SisyphusBond wrote:
Bunsen wrote:
The code you added should allow the plex server to go out to register itself on plex.tv, and make wan connections available to it.
I'm assuming your Roku and TV are on your LAN, so the code shouldn't have affected that.
They are both on the LAN, yes. If it's relevant, I believe that the Roku app requires a secure connection whereas the official LG TV app does not. I have also tried using XPlay, a 3rd party app that somehow works as though it were accessing Plex through a web browser (I believe) and that actually shows me when it is starting up that it is connecting to the LAN IP address for my NAS. It also runs much, much faster than the other two options.
Still sounds to me like somethings not being routed correctly...
SisyphusBond wrote:
Bunsen wrote:
Maybe share your full firewall script?
What's the etiquette for doing so if it's fairly long? Post it here, or some other place and include a link?
Basically I've just taken two bits of code from the second link in my first post (labelled as "allow only outbound connections to the VPN (no inbound)" and "port forward from the VPN and into the LAN"), as well as the ad-blocking script that's listed in the DD-WRT Wiki. Oh, and the code you posted higher up this thread.
Does your firewall script add the iptables, or ip rules? If the adblocking script keeps running those, it might be putting things in the wrong order if its not cleaning up [I'll explain that at the end of this reply].
I'm not sure the accepted etiquette, I'm new too - I was thinking just save it in a txt file, and upload here.
SisyphusBond wrote:
Bunsen wrote:
and also do a "ip rule show" ?
Is that something I run through the DD-WRT command console? Or from the NAS?
Its a CLI command - you can telnet/ssh to run it, or run it in the web GUI under Administration-->Commands: put it in the top box, and hit the button at the bottom that says "Run Commands"
The reason I mention this command is that it was the source of [one of] my issues. The list is parsed top to bottom, so the rule that sends the "marked" traffic through the wan link needs to be on top of a rule that sends the traffic from that IP through the VPN tunnel. The firewall script should be adding the rules in the correct order, but i found that if the route-up.sh ran again, it would put the IP rules on top of the fwmark rule. So, I'm advising you check that - in whatever way is easiest for you.
I'll start this reply by saying that I found another way around my issues, but I'm not sure it's perfect so I'll continue investigating in case it helps anyone else.
Basically (I think) my only remaining problem was through my Roku, and I discovered that if I set it to "Always" allow insecure connections, instead of "Only on Same Network", then it suddenly detects my PMS on the LAN and plays everything quickly and directly.
With that in mind...
Bunsen wrote:
So the relayed connection says "Indirect", or "Remote", or "Nearby"... or something else? I've only ever seen those three. Mine is now stable at "Remote" when I'm outside my network, and "Nearby" when I'm home, but it took some tuning of scripts.
It depended on the device. On my TV it says "Nearby". On the Roku I would get a text box pop up when selecting a server saying that it was a relayed connection, with the link I posted above underneath for explanation.
Bunsen wrote:
Does your firewall script add the iptables, or ip rules? If the adblocking script keeps running those, it might be putting things in the wrong order if its not cleaning up [I'll explain that at the end of this reply].
I'm not sure the accepted etiquette, I'm new too - I was thinking just save it in a txt file, and upload here.
I've tried attaching it here as a txt file.
Bunsen wrote:
Its a CLI command - you can telnet/ssh to run it, or run it in the web GUI under Administration-->Commands: put it in the top box, and hit the button at the bottom that says "Run Commands"
I tried running this through the web GUI and I got a brief window saying it was doing something, and then nothing appeared or happened. I haven't had a chance to try it with Telnet/SSH yet.
Bunsen wrote:
The reason I mention this command is that it was the source of [one of] my issues. The list is parsed top to bottom, so the rule that sends the "marked" traffic through the wan link needs to be on top of a rule that sends the traffic from that IP through the VPN tunnel. The firewall script should be adding the rules in the correct order, but i found that if the route-up.sh ran again, it would put the IP rules on top of the fwmark rule. So, I'm advising you check that - in whatever way is easiest for you.
I'm hoping this makes more sense to me if I can get the above bit to work properly.
OR
[This is if you are trying to do split tunneling by FWmarking the Plex traffic, which I don't see you trying to do - except in the code i asked you to add before]
Code:
#FORWARD PLEX OUT THE WAN CONNECTION
# firewall rule to stop Plex from going through VPN
iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.2 -p tcp -m multiport --sport 32400 -j MARK --set-mark $FW_MARK
# Bypass VPN for Plex.TV
DNS_LIST="`nvram get wan_get_dns` 8.8.8.8 8.8.4.4 209.244.0.3"
URL_LIST="plex.tv canyouseeme.org"
for DNS_SVR in $DNS_LIST; do
for URL in $URL_LIST; do
for IP in `nslookup $URL $DNS_SVR | awk -F " " '{print $3}' | grep -Ev "(^$|$DNS_SVR)"`; do
if `iptables -L PREROUTING -t mangle -n --line-numbers | grep -q $IP`; then
echo "Already created iptable rule for $IP/32"
else
echo "Creating iptable rule for $IP/32"
iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.2 -d $IP/32 -j MARK --set-mark $FW_MARK
fi
done
done
done
If you do decide to go the split tunnel route.... let me know because this would require a little more work, but the top option is MUCH easier - with the drawback[?] of not being able to use plex if the tunnel goes down.
I too have a similar situation and would prefer the split tunnel. Would you mind elaborating as to the additional steps needed for this to work? Also can it function with a killswitch, or will the killswitch shut down the wan in your setup?
I ask because I have a setup working that has plex using the wan, but can't seem to implement a killswitch that won't shut down the wan when the vpn tunnel goes down.
@Bunsen
I ask because I have a setup working that has plex using the wan, but can't seem to implement a killswitch that won't shut down the wan when the vpn tunnel goes down.
I can elaborate - but before I continue, please explain your statement above.
You say you want a killswitch, but dont want to kill the wan connection when the tunnel goes down... isnt that the point of the killswitch?
Or are you saying you want to kill all wan traffic... with the exception of the plex traffic? can you attach your firewall script as well so i can take a look at what rules you're already adding - and what's messing it up?
But it sounds like you're close - If you're marking the plex traffic already, all you need to do is write an ALLOW rule in the killswitch for anything marching the mark.
Here is where i'm going to assume that you have been trying to integrate scripts from @eibgrad - I'm going to continue to use variables already defined by them, if not, you'll need to substitute your own:
Code:
iptables -A $FW_CHAIN -s $ip -m mark --mark $FW_MARK -j ACCEPT
That would add the rule to the chain that is already created in their script - but if you don't use PBR, you should change "$ip" to the lan IP of your Plex server
I think I need to ask how you want your Plex server to talk to users outside local network.
Either you have the traffic going through the VPN tunnel, or you want it to bypass the VPN tunnel and go right out the wan connection.
It looks like the firewall script is trying to do both.
Yeah, that's pretty obvious once you say it. I'm not sure how I missed that, to be honest.
If I had the traffic going through the VPN tunnel then would Plex have difficulties in identifying when devices not using the VPN tunnel were on the same LAN?
If I had the traffic going through the VPN tunnel then would Plex have difficulties in identifying when devices not using the VPN tunnel were on the same LAN?
I've used both "methodologies" - when plex was going over the VPN, or split tunnel - in neither case did my lan devices have any problem finding the server.
The only issue i had with the "plex over vpn option" was that i had a cron job to reset the vpn connection every hour in order to get a new IP address - when this happened plex would take some time to "advertise itself" to plex.tv, and let wan clients know the new address.
Okay, I feel to some extent that I've come full circle and most of it appears to be working but there are a couple of bits I'm not sure about. I don't know if I've missed something.
I've gone back to just trying the code to forward it through the VPN:
# port forward from the VPN and into the LAN
iptables -t nat -I PREROUTING -i tun0 -p tcp --dport 32400 -j DNAT --to 192.168.1.2:32400
iptables -I FORWARD -i tun0 -p tcp -d 192.168.1.2 --dport 32400 -j ACCEPT
Plex is playing nicely on my LAN (as long as I leave the Roku set to always allow insecure connections). The settings page of the PMS says I have remote access, and the external IP address it shows there matches the VPN server I'm using.
However, I can still only get indirect access from outside of my LAN and the link you gave above:
