Hello!
For the past week I have been searching forums, getting myself familiarized with Linux (Ubuntu 16.04).
I built a server out of my old PC after a recent upgrade, and moved all my media streaming off my Synology NAS (couldn't handle transcoding all my files) to this new server.
My main problem is that I cannot access Plex from outside my LAN when I am using OpenVPN; it works fine when the VPN is disabled.
I'm trying to build an iptables rule set, or anything, that lets me route Plex traffic outside the VPN I'm on, in order to hopefully get remote access working like it does when I turn off the VPN.
When I go to my settings and "Remote Server" I can see a green check after my private IP, another after my public IP, and it says at the top that Plex is fully accessible outside of my network. For some reason, this is inaccurate.
For a breakdown:
- Server running Ubuntu 16.04
- Plex is Version 0.9.16.6
- Server is set up for OpenVPN (tun0)
- Server connects to router which then connects to modem and outside world
- Would love to set up an iptables rule set that guides Plex traffic to not use the tun0 VPN connection
- All other connections use the VPN (tun0)
- Port for Plex that says it has access is 8888 (Port opened by VPN)
The command to even load this file into iptables won't work; I keep getting errors around line 24 [for i in /proc/].
I would love any help, it will greatly reduce my sleepless nights and stress with this issue!
Here are my useless attempts so far (file called iptables.rules):
#!/bin/bash
# This code goes in the WAN UP section.
# This code is based on the contributions from this thread:
# http://www.linksysinfo.org/index.php?threads/route-only-specific-ports-through-vpn-openvpn.37240/
#
# And from material in these articles:
# http://linux-ip.net/html/adv-multi-internet.html
# http://fedorasolved.org/Members/kanarip/iptables-howto
#
# This script configures "selective" VPN routing. Normally, OpenVPN will route ALL traffic out
# the OpenVPN tunnel. These changes to iptables allow some outbound traffic to use the VPN, and some
# traffic to bypass the VPN and use the regular Internet instead.
#
# To list the current rules on the router, issue the command:
# iptables -t mangle -L PREROUTING
#
# Flush/reset all the rules to default by issuing the command:
# iptables -t mangle -F PREROUTING
#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces (the glob covers every interface
# directory, not just "all"):
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > "$i"
done
#
# Delete table 100 and flush any existing rules if they exist.
# The del commands fail harmlessly on a fresh boot, so their errors are silenced.
#
ip route flush table 100
ip route del default table 100 2>/dev/null
ip rule del fwmark 1 table 100 2>/dev/null
ip route flush cache
iptables -t mangle -F PREROUTING
#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun0".
# NOTE: The rules further down match on "br0", the LAN bridge of the router firmware this
# script was written for; on a plain Ubuntu host the LAN-side NIC name goes there instead.
#
# Determine the WAN (non-VPN) gateway from the main table. The original router script used
# `nvram get wan_gateway`, which only exists on router firmware, not on Ubuntu.
WAN_GW=$(ip route show table main | awk '$1 == "default" && $0 !~ /tun0/ {print $3; exit}')
if [ -z "$WAN_GW" ]; then
    echo "No non-VPN default route found in the main table" >&2
    exit 1
fi
ip route show table main | grep -Ev ^default | grep -Ev tun0 \
| while read ROUTE ; do
    ip route add table 100 $ROUTE
done
ip route add default table 100 via "$WAN_GW"
ip rule add fwmark 1 table 100
ip route flush cache
#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#
# EXAMPLES:
#
# All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)
# iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
# Ports 80 and 443 will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
# All traffic from a particular computer on the LAN will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
# All traffic to a specific Internet IP address will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
# All UDP and ICMP traffic will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
# iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1
# All traffic from a specific Internet IP address range USING CIDR NOTATION will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -s 74.125.229.0/24 -j MARK --set-mark 0
# All traffic to a specific Internet IP address range USING CIDR NOTATION will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -d 98.207.0.0/16 -j MARK --set-mark 0
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 58846 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.34 -p tcp -m multiport --sport 58846 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 8112 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.34 -p tcp -m multiport --sport 8112 -j MARK --set-mark 1
# Bypass Plex IP Ranges https://forums.aws.amazon.com/ann.jspa?annID=1701
# FROM/SOURCE
iptables -t mangle -A PREROUTING -i br0 -s 184.169.128.0/17 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -s 50.18.0.0/16 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -s 54.241.0.0/16 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -s 184.72.0.0/18 -j MARK --set-mark 1
# TO/DESTINATION
iptables -t mangle -A PREROUTING -i br0 -d 184.169.128.0/17 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 50.18.0.0/16 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 54.241.0.0/16 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 184.72.0.0/18 -j MARK --set-mark 1
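The script above marks traffic in the mangle PREROUTING chain, which only sees packets arriving on an interface; traffic that the Plex server process itself generates passes through mangle OUTPUT instead. Here is an added example (not the poster's script) that marks the server's own Plex replies in OUTPUT and sends them to a policy-routing table whose default gateway is the non-VPN one, generating the commands for review rather than running them. It assumes a LAN NIC named eth0, Plex listening on its default TCP port 32400, the tunnel tun0, and table 100 / fwmark 1 as in the post.

```bash
#!/bin/bash
# Added example, not the original poster's script. Assumed values (not from
# the post): LAN NIC eth0, Plex default TCP port 32400, VPN tunnel tun0.
set -u
LAN_IF="${LAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
PLEX_PORT="${PLEX_PORT:-32400}"
TABLE=100
MARK=1

# Pick the default gateway that is NOT via the VPN from `ip route show` text
# read on stdin, so the logic can be checked against a captured route table.
wan_gateway_from_routes() {
    awk -v vpn="$VPN_IF" \
        '$1 == "default" && $0 !~ ("dev " vpn "( |$)") { print $3; exit }'
}

# Emit the configuration commands, one per line, instead of executing them.
# rp_filter=2 (loose mode) tolerates the asymmetric path without turning the
# reverse-path check off entirely, as the original script's "echo 0" does.
# Each rule is deleted before being added so re-running stays idempotent.
build_commands() {
    local gw="$1"
    cat <<EOF
sysctl -q -w net.ipv4.conf.all.rp_filter=2 net.ipv4.conf.${LAN_IF}.rp_filter=2
ip route flush table ${TABLE}
ip route add default via ${gw} dev ${LAN_IF} table ${TABLE}
ip rule del fwmark ${MARK} table ${TABLE} 2>/dev/null
ip rule add fwmark ${MARK} table ${TABLE}
iptables -t mangle -D OUTPUT -p tcp --sport ${PLEX_PORT} -j MARK --set-mark ${MARK} 2>/dev/null
iptables -t mangle -A OUTPUT -p tcp --sport ${PLEX_PORT} -j MARK --set-mark ${MARK}
ip route flush cache
EOF
}

# Verification: show the rule/table and ask the kernel which path a marked
# packet to an arbitrary Internet address (TEST-NET-3 here) would take.
verify_commands() {
    echo "ip rule show"
    echo "ip route show table ${TABLE}"
    echo "ip route get 203.0.113.10 mark ${MARK}"
}

# Print the commands for the live system when invoked with --print:
#   sudo ./plex-bypass.sh --print | sudo sh
if [ "${1:-}" = "--print" ]; then
    build_commands "$(ip route show table main | wan_gateway_from_routes)"
    verify_commands
fi
```

Run the `ip route get ... mark 1` line from the output both before and after applying the rules; the `dev` it reports should change from tun0 to the LAN NIC.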