Plex media server remote access with server on VPN

I established a Plex media server on my home network. For reasons, I need this server to be always connected to a VPN. This VPN (ExpressVPN) has a feature called “network lock” which by default will allow connections from the local network (192.168.1.0/24, for example).

  • I set up a DDNS hostname for my home router, so my media server has a consistent address.
  • I configured Plex to advertise this hostname.
  • I set up a port forward in the home router to match the port advertised and the manual port configured in Remote Access.

This is not enough…

Problems:

  • The port forward still comes from an external IP address, so the VPN-protected host blocks the connection.
  • The Plex media server does a query to plex.tv to discover its external IP address. Since this query comes from the VPN-protected system, the IP address returned by the query to plex.tv will be the VPN endpoint address, not the external address of my home router.

Solution - I establish a set of relays on another local system such that the communication with the VPN-protected server is all “local” and therefore allowed.

I have a small Linux box which I use as a “jump” server in the house. I can SSH into it, or remote desktop, etc. from anywhere. I changed my port forward for the Plex media server to point to this jump server instead.

On the jump server, I set up several relays using socat:

  • To relay the port-forwarded traffic from the Internet to the Plex host: /usr/bin/socat tcp-listen:32400,fork,reuseaddr tcp:192.168.1.91:32400
  • To relay HTTP requests to plex.tv from the VPN host: /usr/bin/socat tcp-listen:80,fork,reuseaddr tcp:plex.tv:80
  • To relay HTTPS requests to plex.tv from the VPN host: /usr/bin/socat tcp-listen:443,fork,reuseaddr tcp:plex.tv:443

On the Plex media server/VPN’ed host, I made a hosts file entry for plex.tv, using the IP address of my jump server.

Now, the Plex media server picks up the correct external address, and I can access my server from anywhere, but the server remains always on the VPN. I put the socat executions into systemd template service thingies, so they start up automatically. I can also use this for other hosts which are also VPN’ed and I need special access to, for remote desktop, etc.

Technically, I think this would also be achievable using firewall rules on the jump server. If someone knows the magic involved, I’d be interested to hear the specifics.
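An added example, not code from the original post: a script that generates the three socat relays above as systemd units and the hosts override for the Plex host. The jump server address (192.168.1.50), the Plex host (192.168.1.91) and the LAN range (192.168.1.0/24) are assumptions. It goes one step beyond the post by restricting the plex.tv relays to LAN clients with socat's `range=` option, so the jump box does not become an open relay to plex.tv if a port forward is ever pointed at 80 or 443; the 32400 relay has no range restriction because it must accept clients from the Internet.

```bash
#!/bin/bash
# Added example (not from the original thread). Assumed addresses:
#   jump server 192.168.1.50, Plex/VPN host 192.168.1.91, LAN 192.168.1.0/24.
set -u

LAN_CIDR=${LAN_CIDR:-192.168.1.0/24}   # assumption: home LAN that may use the relays
PLEX_HOST=${PLEX_HOST:-192.168.1.91}   # assumption: the VPN'ed Plex host

# Validate a TCP port number (1-65535).
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the socat command line for one relay.
# $1 listen port, $2 destination host, $3 destination port,
# $4 optional CIDR: only clients inside it may connect (socat's range= option).
relay_cmd() {
    valid_port "$1" && valid_port "$3" || { echo "bad port: $1 -> $3" >&2; return 1; }
    local listen="tcp-listen:$1,fork,reuseaddr"
    [ -n "${4:-}" ] && listen="$listen,range=$4"
    printf '/usr/bin/socat %s tcp:%s:%s\n' "$listen" "$2" "$3"
}

# Write a systemd unit for one relay into directory $1, named socat-relay-<port>.service.
# DynamicUser + CAP_NET_BIND_SERVICE lets socat bind 80/443 without running as root.
write_relay_unit() {
    local dir=$1 listen=$2 host=$3 port=$4 cidr=${5:-}
    local cmd
    cmd=$(relay_cmd "$listen" "$host" "$port" "$cidr") || return 1
    cat > "$dir/socat-relay-$listen.service" <<EOF
[Unit]
Description=socat TCP relay :$listen -> $host:$port
After=network-online.target
Wants=network-online.target

[Service]
ExecStart=$cmd
Restart=always
RestartSec=2
DynamicUser=yes
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
EOF
    echo "$dir/socat-relay-$listen.service"
}

# The /etc/hosts line for the Plex host, so plex.tv resolves to the jump server ($1).
hosts_override() {
    printf '%s plex.tv\n' "$1"
}

# Generate all three relays into $1 (default /etc/systemd/system), then:
#   systemctl daemon-reload && systemctl enable --now socat-relay-{32400,80,443}
setup_relays() {
    local dir=${1:-/etc/systemd/system}
    write_relay_unit "$dir" 32400 "$PLEX_HOST" 32400      # Internet-facing: any source
    write_relay_unit "$dir" 80 plex.tv 80 "$LAN_CIDR"     # LAN clients only
    write_relay_unit "$dir" 443 plex.tv 443 "$LAN_CIDR"   # LAN clients only
}
```

Because socat only forwards TCP bytes, the HTTPS relay does not break certificate validation on the Plex host: the TLS session still terminates at plex.tv, with plex.tv's certificate and SNI, and the jump server sees only ciphertext on 443. The hosts override applies to every process on the Plex host that talks to plex.tv, not just the media server, so all of that traffic exits via the jump server rather than the VPN.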

I’m facing a kind of similar issue. My ISP has now put in a Carrier Grade NAT at its end, and this has destroyed my port forwarding capacity from the stock router. They say that now I have to pay for a static IP (money leecher). Is there any solution to overcome this? I love having access to my Plex media outside my house.

Not exactly your situation, but I have a VM in a subnet that only gets Internet access to VPN server IPs and allows local.

By default I can’t access the VM from mgmt subnet since it’s not the same subnet and thus not local. Instead, I have to reverse NAT all mgmt traffic to the VMs subnet gateway to make it seem as if it’s all local to the VM.

I do this with OPNsense -> Firewall -> NAT -> Outbound.

Is split-tunnel not an option?

That’s an interesting solution. I think I would have gone another way, and moved everything that needed to be on the VPN to another VM also mounting the same shared network storage that Plex uses (if required).

You could set up a tiny cloud VM somewhere and have something in your local network VPN or SSH to it. Then have that cloud machine forward ports over that tunnel to your internal machine, and it looks to the outside world like you have that static IP.

I had to do this for a while on an old ISP. It was cheaper than their static IP and I found it satisfying that I wasn’t giving those crooks more money.

Nothing I did will help you unfortunately, if you don’t have the ability to forward ports (or set one of your hosts “DMZ”, which would let you do what I have done). The relaying is still dependent upon receiving the traffic at your router and getting it to the relay server.

It sounds like you’d need to use a VPN which allows and supports port forwarding. Of course you have to pay for that, too.

Yeah that’s quite similar. I’m sure I will make a fw/nat based solution work, when I’m not remote. I don’t like messing with my home firewall from remote because generally speaking that’s just asking to lock myself out or, even worse, prevent my wife from watching television.

No, because it’s an inbound connection. I’d have to allow inbound connections from the Internet. Furthermore, I’d have to allow my VPN’ed host to answer these external IP addresses.

If it was a specific outside network that I wanted to talk to without going through the vpn, that would be a case for split tunnel.

I did start out with all my VPN-requiring services inside a VM (on the same host as the Plex media server). But the NIC on the host (alx) kept barfing under load when the VM was busy torrenting. This is with VirtualBox. The shared folder support in the Guest Additions has a problem with reporting inodes: it shows an invalid number of them, so some programs would sometimes fail to write files. I switched to using an NFS share on the VM host instead, and encountered the bug with alx. So I put everything natively on the host and it’s all happy now, but… everything is behind the VPN. So here I am =)

Something like Tailscale on an Amazon EC2 free tier could work. It and ZeroTier are both based on WireGuard but don’t require port forwarding. Then the EC2 could be u/Fisher745’s jump box.

even worse, prevent my wife from watching television.

I wish OPNsense had a function like FreeNAS, where it “tries” the config for 60 seconds and, if you don’t confirm, resets to the previous settings.