What's new

GT-AX11000, VPN and Plex

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Maya

Occasional Visitor
Hi All,

I'm struggling with how to enable remote access to Plex while using a VPN. Wondering if anyone has any experience with this.

I've got an Asus GT-AX11000 running the latest firmware (3.0.0.4.384_8011-gf86f4e8).

I've got my Plex server running on a Synology DS918+. Everything worked fine before using a VPN. I just had to add manual port forwarding on the router (i.e. manually specified Plex public port routed to internal port 32400) and that worked fine to ensure remote access to Plex.

I then signed up for Surfshark VPN and got it set up in the VPN Fusion tab on the router. Using OpenVPN, I've got a couple of servers set up (diff locations) and my NAS is going through one. It works as expected and is great but, obviously, when using the VPN, Plex is no longer reachable from outside my network.

To make Plex reachable, I understand that I have to edit the ovpn config file to ensure that Plex connections do not to go through the VPN.

I've looked at lots of forums. They generally seem to be getting at the same thing - the most comprehensive I could find is here: https://www.reddit.com/r/PleX/comments/3ymh65/a_guide_on_using_plex_with_openvpn/. I followed that to edit the .ovpn config file. I added three lines, as I got three different Plex IP addresses when I followed Step 2 in that guide; they looked like this:
route [plexaddresses] 255.255.255.255 [mygateway].
I saw that some people had luck with a different subnet mask so I also tried a variation that looked like this:
route [plexaddresses] 255.255.255.0 [mygateway].
I kept the previous port forwarding, as that should have done the job (or so I thought). However, no matter what I tried, it just won't work for me.

Has anyone had any luck doing this? Is there some other way of achieving it?

This is not something I'm particularly familiar with so apologies if my language isn't perfect. Any help would be greatly appreciated! TIA
 
Are you using vpn fusion and want to keep your plex server from going through the vpn? If so you just edit the exception list.
 
Last edited:
Are you using vpn fusion and want to keep your plex server from going through the vpn? If so you just edit the exception list.

Thanks for your response.
I'm not sure that'll work. The Plex server is on my Synology NAS, which has lots of other things going on too - all the rest of those connections, I want through the VPN. The Plex server is the only thing that I don't. The exception list is based on the device IP, not specific ports/connections, i.e. the NAS as a whole is either on or off. The exception list doesn't seem to allow me to separate out the Plex server that way, I don't think.
 
The Synology has its own VPN client I believe so you can set individual apps on it to go through the VPN as needed rather than using VPN fusion
 
The Synology has its own VPN client I believe so you can set individual apps on it to go through the VPN as needed rather than using VPN fusion

It's an option but definitely not my preference. Before I had this router, I had the VPN set up on the Synology itself but it was buggy. If I had to reboot my router for any reason, it wouldn't automatically reconnect through the VPN and a key app I use would stop entirely. I would have to go in and muck around every time. Wasn't great for management when I was away from home. It was actually the reason that I bought this new router - so I could put the VPN on there and manage it more easily!

Back when I did that, I don't remember being able to split apps between connections (although it wasn't a big priority for me back then so it might be possible).

It's a good suggestion, for sure, but I really would prefer to do it through the router if it's at all possible.

EDIT: Doesn't seem like it's possible. I've set it up again on the Synology but same issue - either all connections through the VPN or none. Doesn't look like I can pick and choose based on what I can see and what info there is at: https://www.synology.com/en-global/.../DSM/AdminCenter/connection_network_vpnclient
 
Last edited:
Your Synology have dual lan ports? Have one port going out on VPN fusion and the other port with your regular port forwards pointing to it.
 
Your Synology have dual lan ports? Have one port going out on VPN fusion and the other port with your regular port forwards pointing to it.

That's thinking outside the box! I bond them (link aggregation) to increase/support transfer speeds... But, even if not, you can't define what runs through which - i.e. I couldn't set run Plex through one and the rest of the activity through another....

I mucked around for a few hours with the Synology again just to be sure...but I can't seem to do anything more with the NAS itself.

I think the answer lies on the router...seems to be the conclusion on the Synology forums too. I don't necessarily know whether editing the certificate is the only way though. This router seems to be able to do so much...I just don't know what I'm doing! Surely in amongst all those settings, there's a way.... Something like port-based routing through the VPN...because that would be perfect.
 
Last edited:
Ah fair enough, I'm used to using qnaps which let you define services and apps to individual ports.

I presume download station is the app being put through the VPN?
 
Ah fair enough, I'm used to using qnaps which let you define services and apps to individual ports.

I presume download station is the app being put through the VPN?

Aah, lucky you!

You presume correctly!!! :)
 
Ah in that case, I always just set download station to use the socks5 proxy and didn't bother with the VPN when I had my Synology. Still do the same on my qnap.
 
Aah, lucky you!

You presume correctly!!! :)

As long as your not concerned about your ratio (aka. not using a private tracker) then SurfShark will be fine.

I have a similar requirement and use a container with a vpn client as well as the torrent client. But I also use
an alternate ethernet port on the NAS.

The bonding will not increase the top speed of the connection only throughput so if you don't have multiple
concurrent clients using the link requiring greater than Gigabit throughput you have the option of using the
ethernet port for the container instead.
 
I have a similar requirement and use a container with a vpn client as well as the torrent client. But I also use
an alternate ethernet port on the NAS.

The bonding will not increase the top speed of the connection only throughput so if you don't have multiple
concurrent clients using the link requiring greater than Gigabit throughput you have the option of using the
ethernet port for the container instead.

But you should also be fine using the existing ethernet setup with a VPN within the container.
 
As long as your not concerned about your ratio (aka. not using a private tracker) then SurfShark will be fine.

I have a similar requirement and use a container with a vpn client as well as the torrent client. But I also use
an alternate ethernet port on the NAS.

The bonding will not increase the top speed of the connection only throughput so if you don't have multiple
concurrent clients using the link requiring greater than Gigabit throughput you have the option of using the
ethernet port for the container instead.

Sorry, I should have given a little more info on what else I do via the Synology. Here's a run down....

So, I do use a private tracker so ratio is important for me. I have an unlimited internet plan but I recently got a little email from my ISP about 'excessive usage'.... Umm...woops. Don't really want anyone to be looking too much into that, so VPN.

For Plex, I may have up to 3 users accessing my server and streaming media at any one time (usually fewer but that's a possible scenario). I have movies, TV series and music. For movies, I only procure full Bluray remuxes and have a lot of 4K in there. Plex tells me that the movie Gemini Man has the highest average bitrate in my collection at 97.5Mbps (but I understand that's just an average). Using link aggregation solved a problem I had when multiple people were streaming movies.

In addition to media, I often hold a lot of documents on my Synology NAS. This part is ad hoc and only when I'm working on something that's collaborative...but, when that's happening, I give people access and we tend to use my NAS as a place to work from. It's just for convenience, really.

I have a continuous backup to CrashPlan and use Docker for that. Also use Docker for the usual stuff like CouchPotato, Sonarr, etc.

With the exception of remote access to Plex, which I'm trying to solve here, this is all working really well for me right now. It's that rare sweet spot! As much as I'm open to improving things, as you can imagine, when thinks are working flawlessly, you don't really want to mess with it.

I didn't think any of the above was particularly relevant because I thought that surely this kick butt, super expensive router would be able to do what I want!!!
 
I didn't think any of the above was particularly relevant because I thought that surely this kick butt, super expensive router would be able to do what I want!!!

That's not really a fair statement.

If you choose a VPN provider that doesn't allow incoming connections over the VPN then you won't be able to maintain your ratio or allow incoming Plex connections using the VPN.

So, IIUC what you want to do, it's not really a router limitation.

As far as allowing a particular application to bypass the VPN, that's not at all a simple request.

I don't know of any way to do that unless you use a different IP address for communication and are able to configure the application to use that interface (or address) so you can route traffic for that application (address) to the WAN instead of the VPN.

Using the Merlin firmware you can route traffic for certain streaming services (but not arbitrary applications) via one of the VPN clients or the WAN but you can't do that for an "application" unless you have something to identify it by. In this case an IP address is probably the only choice you have and the Merlin firmware isn't available for the AX11000 anyway.

That IP address could be virtual on the NAS I guess, so you could do that.
As you've probably already seen the slit-tunnel VPN capability on the AX11000 is based on client IP address.

It also wasn't clear to me if you can specify a listening network interface in Plex because the setup option says "Preferred network interface" and the description says "The network interface local clients will use to connect" which implies not-remote to me but who knows what the Plex developers meant.

Ian
 
That IP address could be virtual on the NAS I guess, so you could do that.
As you've probably already seen the slit-tunnel VPN capability on the AX11000 is based on client IP address.

Thanks for your input.

It's my fault. I should have looked into this more before choosing a VPN... I just found a deal for Surfshark for ~$20 for 2 years so I kind of jumped at it, as I was in a rush. I honestly thought it would be straightforward to do this but I've never used a VPN before so that'll learn me.

If I could find a way of getting a virtual IP for Plex, that would be the way. I'll look into seeing if I can do that...

Is there any way of doing anything based on port (i.e. is there such a thing as port-based routing) on the AX11000...or a way of achieving that in some way? Attached are screen shots of what I see in Plex through the VPN and without if it helps at all.

I'm going to ask the same on the Plex forum if there's no way of doing it through the router and see how people get around this - I've noted in the original post what seems to be out there in terms of advice but no harm checking again. I might also check with Surfshark - their chat folks are super helpful.
 

Attachments

  • VPN issue.jpg
    VPN issue.jpg
    59.8 KB · Views: 217
It's my fault. I should have looked into this more before choosing a VPN... I just found a deal for Surfshark for ~$20 for 2 years so I kind of jumped at it, as I was in a rush. I honestly thought it would be straightforward to do this but I've never used a VPN before so that'll learn me.

Ha, me too, I asked the SurfShark folks (and, I agree, they are very helpfull) and they confirmed forwarded ports aren't available.

I ended up subscribing to another VPN service (as well) that does allow port forwarding.
Even then it's not straight forward since different providers (that do offer it) offer it do it in different ways, the one I subscribed to (inexpensive) opens all ports when you connect in the way they require for it, hence the single function, locked down container.

If I could find a way of getting a virtual IP for Plex, that would be the way. I'll look into seeing if I can do that...

Hopefully you can.
Not sure I can create additional virtual interfaces on the QNAP either (other than via applications that do this) but it should be possible so I'd expect the Synology to as well.

Is there any way of doing anything based on port (i.e. is there such a thing as port-based routing) on the AX11000...or a way of achieving that in some way? Attached are screen shots of what I see in Plex through the VPN and without if it helps at all.

Not that I can see and it did occur to me too.

I'm going to ask the same on the Plex forum if there's no way of doing it through the router and see how people get around this - I've noted in the original post what seems to be out there in terms of advice but no harm checking again. I might also check with Surfshark - their chat folks are super helpful.

Can't hurt, I'd be interested hearing in how you go with this.
 
Can't hurt, I'd be interested hearing in how you go with this.

I knew smarter people than me would have already dealt with this issue!

I can create a VM on the Synology easy enough - that should do it. Still, I'd like to figure it out without doing so...so I'll keep plugging away. I'll keep this thread updated as I go :)
 
Can't hurt, I'd be interested hearing in how you go with this.

I haven't given this as much attention as I wanted to; it kind of fell by the wayside... Still I thought I'd give an update since I have it working now.

I checked with Surfshark but they couldn't help and, while I played around with the ovpn config file some more, I couldn't crack it that way either.

Just so I could get it working as I wanted quickly, I ended up creating a virtual machine on the Synology (a virtual DSM) with its own IP. It was shockingly easy to do.
Honestly, I had originally not wanted to create a virtual machine because, when I'd done it in the past, they were quite slow and buggy, but that was when I was running Windows (probably with poor settings) and this is definitely not like that. A virtual DSM on the Synology runs as smoothly as the normal DSM, set up is intuitive, mounting folders is a breeze and it all works incredibly well.

I had two options:
1. Move the Plex Media Server to the virtual DSM and then put that through the normal internet, with the main NAS and all its installed apps behind the VPN.
2. Run Download Station on the virtual DSM instead, put that behind the VPN and have the main NAS with the Plex Media Server on it through normal internet.

Option 2 seemed like far less mucking around at least in the short term, as moving Download Station over took no time at all. I also read a post on the Plex forum which indicated that, when the Plex Media Server is running on a virtual machine, the hardware acceleration option may not work and CPU usage could end up higher. Don't know if that would have happened but I figured, since Plex is working nicely for me now, best not tinker if it can be avoided.

So, really, it's all working as I wanted, noting that my NAS is no longer sitting behind the VPN right now. When I get time, I might try out Option 1 to compare. Also, I'm still going to try to figure out if there's any way to split tunnel via port whether it's by editing the .ovpn config file or some other way. If I ever figure it out, I'll keep this thread updated.
 
Honestly, I had originally not wanted to create a virtual machine because, when I'd done it in the past, they were quite slow and buggy, but that was when I was running Windows (probably with poor settings) and this is definitely not like that. A virtual DSM on the Synology runs as smoothly as the normal DSM, set up is intuitive, mounting folders is a breeze and it all works incredibly well.

Right, is that similar similar to the QNAP QTS VM (QTS being the QNAP OS, I'm guessing DSM is the Synology equivalent)?

I had two options:
1. Move the Plex Media Server to the virtual DSM and then put that through the normal internet, with the main NAS and all its installed apps behind the VPN.
2. Run Download Station on the virtual DSM instead, put that behind the VPN and have the main NAS with the Plex Media Server on it through normal internet.

Option 2 seemed like far less mucking around at least in the short term, as moving Download Station over took no time at all. I also read a post on the Plex forum which indicated that, when the Plex Media Server is running on a virtual machine, the hardware acceleration option may not work and CPU usage could end up higher. Don't know if that would have happened but I figured, since Plex is working nicely for me now, best not tinker if it can be avoided.

That's right, hardware acceleration will only work if the VM system provides GPU passthrough. Don't know what the situation is on the Synology with that but on QTS VMs don't see the host GPU and GPU passthrough is only available on some QNAP models that have a PCIE GPU slot (yes, that's right, some models that "support" a graphics card don't allow passthrough for VMs).

So, really, it's all working as I wanted, noting that my NAS is no longer sitting behind the VPN right now. When I get time, I might try out Option 1 to compare. Also, I'm still going to try to figure out if there's any way to split tunnel via port whether it's by editing the .ovpn config file or some other way. If I ever figure it out, I'll keep this thread updated.

Often it is easier to divide and conquer, for example, I run my torrent client in a QNAP container that includes an OpenVPN client.
It's just so much easier, and being pre-packaged means all I needed to do was work out the options to pass to it.

AFAICS all you can do with split tunneling is to use ipset sets of IP addresses that services connect to and direct local clients to those addresses which can be set to be directed to a vpn client or the WAN.

So, if you can setup a service (say Plex) to use a specific internal address (not the NAS host address) you don't need to use the port, just the address. But that's probably too much trouble when a container or VM will do much the same in a simple manner.

Ian
 
Right, is that similar similar to the QNAP QTS VM (QTS being the QNAP OS, I'm guessing DSM is the Synology equivalent)?

That's exactly right - the Synology DiskStation Manager (DSM) is the OS for Synology DiskStation and RackStation products, just like QTS is for QNAP products.

Thank you for all your advice - what a wealth of knowledge! Based on the above, I think what I've done (i.e. torrent client through the VM) is probably the best solution for how I use my system. Everything's working well. Really appreciate your help :)
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top