Port 32400 Plex FreeNAS Issue | VPN Setup using pfSense
-
divsys….great news - I’ve got the Plex server working and the port opened correctly!! Thank you so much for all your help!
For anyone else experiencing a similar problem, here’s what I did:
I upgraded / changed router utilizing pfSense from a standard NetGear router. Doing so caused many problems within my FreeNAS server. I had to change the router ip address on the server and in each jail. I also (with the help and guidance of divsys ;D) successfully mapped the correct port to work for Plex.
I can’t point my finger on what exactly made it all work, but I’m sure it was a combination of things: settings in my router that needed to be corrected and I then removed each jail and plugin then REINSTALLED them all while checking to see if they work before I moved onto the next one. Hope this helps!
Now onto figuring out the VPN!!! (not really looking forward to that) :-\
Any advice on which post might be the most useful? I’m using the viscosity app on my mac and openVPN software on pfSense & iPhone.
-
Welcome to the ranks of successful pfsense implementors ;D
Glad it worked out ( I knew you could do it ;) )
Now as for OpenVPN < deep breath >…
Here's my Readers Digest version of implementing a Road Warrior ( laptops, iphones, etc) OpenVPN in pfsense:
(I) Create certificates
You'll need to create 2 pieces for the OpenVPN server plus 1 piece for every device you wish to have connect.
- The Certificate Authority - "master" certificate used to create all others.
"System->Cert Manager->CA click on '+' to add new certificate see 'Certificate_Authority_OVPN1.png'"
- The Server Certificate - OpenVPN server's certificate
"System->Cert Manager->Certificates click on '+' to add new certificate, see 'Certificate_Server_OVPN1.png'"
- The Device Certificate - Used by the device which connects (laptop, iphone, etc). One per each device.
"System->Cert Manager->Certificates click on '+' to add new certificate, see 'Certificate_Laptop_OVPN1.png'"
(II) Create the Road Warrior Server
- Make a new OpenVPN server in pfsense.
"VPN->OpenVPN->Server click on '+' to add new server, see 'OpenVPN_ Server_defn.png'"
(III) Setup the needed rules
- Allow access to the external OpenVPN port
"Firewall->Rules->WAN click on '+' to add new rule, see 'OpenVPN_ WAN_rule.png'"
- Allow OpenVPN traffic
"Firewall->Rules->OpenVPN click on '+' to add new rule, see 'OpenVPN_ VPN_rule.png'"
continued…..


-
-
….continued
At this point you should have a running Road Warrior server on pfsense. Now you need to connect to it.
(IV) Setup the export packages (iphone, etc)
- There's a great package that greatly simplifies the install process for devices called "OpenVPN Client Export Utility"
"System->Packages->Available Packages click on '+' at the end of the 'OpenVPN Client Export Utility' line"
(V) Setup the laptop (iphone, etc)
- The export utility makes it easy to install a device via a browser.
- On the laptop browse to "192.168.5.1" (or the LAN address of your pfsense box)
- Login
- Go to "VPN->OpenVPN->Client Export, see 'OpenVPN_ Client Export Utility1.png '"
- You should be able to click on the install package you need to import a configuration into your laptop.
Once you've setup the laptop you connect to pfsense via the OpenVPN client and your laptop will have full access to the LAN network from an outside connection.
It may look daunting, but if you go one step at a time you'll get it up and running.
Let us know how it goes for you ;D

-
divsys, all i can really say is THANK YOU! Your detailed explanation along with easy to follow instructions were invaluable - I got my VPN working!!!! ;D ;D ;D ;D ;D ;D
I was able to successfully log in from my iPad, iPhone and MacBook Pro! Keep in mind that I did the test within my own network but all of the settings gave me no errors. Furthermore, I was able to test out my iPhone away from my network and that did work too!
Questions:
1. While away from my LAN I attempted to connect using my iPhone and I was NOT able to connect to 192.168.5.200:32400/web - my Plex Media Server. It just dawned on me that maybe I didn’t need to specify the port because the port forwarding rule would have worked? I was able to connect to the VPN while I was away from my LAN however now that I’m home I can’t seem to connect - it keeps saying ’timed out'. Is this because I’m using dyndns.org while on my LAN because dyndns can only be used outside the LAN?
2. For my iPad and MBP I didn’t choose the dyndns.org - but my home IP is visible. Should I change these two certs so that I use only dyndns.org?
3. What’s the difference and more importantly if you know between dyndns.org, Private Tunnel & Tunnelblick? Do I need all of them? Should I pay for their individual services? My understanding of Private Tunnel is that it ‘spoofs’ your ip (or as they like to say ‘hides it’) from the world. But when I used Tunnelblick I was not able to tunnel into my LAN because the IP they gave me was nothing close to what I entered into dyndns.
Hopefully my madness makes sense….and again...and again...thank you sooooooo much for all your help and patience!!!
I really couldn’t have done this without your guidance and support! ;D
-
I was able to successfully log in from my iPad, iPhone and MacBook Pro! Keep in mind that I did the test within my own network but all of the settings gave me no errors. Furthermore, I was able to test out my iPhone away from my network and that did work too!
1. While away from my LAN I attempted to connect using my iPhone and I was NOT able to connect to 192.168.5.200:32400/web - my Plex Media Server. It just dawned on me that maybe I didn’t need to specify the port because the port forwarding rule would have worked? I was able to connect to the VPN while I was away from my LAN however now that I’m home I can’t seem to connect - it keeps saying ’timed out'. Is this because I’m using dyndns.org while on my LAN because dyndns can only be used outside the LAN?
The basic idea with OpenVPN is that it lets you work as if you were connected at home on your private network. That's what V.P.N. stands for - Virtual Private Network. As far as all your other programs are concerned, you're still at home once the connection is established. The only thing to keep in mind is that your connection to home is across the internet, and is only as good as the weakest link in your "chain" to home. If your wireless at the coffee shop is bad or, the internet is having a slow day, your connection will be affected. Just remember, when outside, you have to fire up Viscosity (or whatever VPN client you're using) first then do everything else on your home network.
In short, on your iPhone just connect to the Plex box the same way you would if you were at home without VPN. It should work.
2. For my iPad and MBP I didn’t choose the dyndns.org - but my home IP is visible. Should I change these two certs so that I use only dyndns.org?
In general I use DDNS for my connections. Depending on your ISP your WAN address may change hourly, weekly, or never. For now, you're probably OK but you should go back and download your configuration file from pfsense again. This time choose the Dynamic DNS option.
3. What’s the difference and more importantly if you know between dyndns.org, Private Tunnel & Tunnelblick? Do I need all of them? Should I pay for their individual services? My understanding of Private Tunnel is that it ‘spoofs’ your ip (or as they like to say ‘hides it’) from the world. But when I used Tunnelblick I was not able to tunnel into my LAN because the IP they gave me was nothing close to what I entered into dyndns.
- One's a dessert topping and one's a floor wax (sorry baaaaad joke) ::)
Tunnelblick and Viscosity are just two variants of OpenVPN clients. If I remember, Tunnelblick is free and Viscosity is pay but cheap ($9??) . Just pick one or the other, whichever works best for you. Both need a configuration file from pfsense's client export to work properly.
Private Tunnel is a pay for service that lets you "hide" your home WAN address when you surf the net. Useful if you're in a country that limits your access to web sites based on where it thinks your WAN address "comes from" - probably doesn't apply to you (??). Some use these services to hide their (nefarious) surfing history on the net, YMMV….
dyndns.org is the service that translates your current physical WAN IP address into a domain name (text you can remember). Dyndns is one of many services available to do this. They've recently dropped their free services and have gone to all pay. There's lots of others that work well, I use freedns.afraid.org. pfsense works with many of these services so that if your physical WAN address changes from your ISP, pfsense automatically updates the domain name to match.
Hopefully my madness makes sense….and again...and again...thank you sooooooo much for all your help and patience!!!
I really couldn’t have done this without your guidance and support! ;D
What's a little madness among friends.
I'm perfectly happy to take all the credit, seeing as you did all the work 8)
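
Added example, not part of the original thread and not code from any poster or from pfSense: a small check of an exported client profile against two points made above, the advice to re-export with the Dynamic DNS option and the certificate pieces from step (I). The sample profile and the function name audit_profile are constructed for illustration; remote, remote-cert-tls and verify-x509-name are standard OpenVPN directives.

```python
import ipaddress
import re

# Constructed sample profile (not from the thread); certificate bodies elided.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote 203.0.113.10 1194
<ca>
(constructed placeholder)
</ca>
<cert>
(constructed placeholder)
</cert>
<key>
(constructed placeholder)
</key>
"""

def audit_profile(text):
    """Return findings for an OpenVPN client profile given as a string."""
    directives, blocks, in_block = [], set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        tag = re.fullmatch(r"<(/?)([\w-]+)>", line)
        if tag:                                 # inline block start or end
            in_block = not tag.group(1)
            if in_block:
                blocks.add(tag.group(2))
        elif not in_block:                      # skip PEM data inside blocks
            directives.append(line.split())
    findings = []
    remotes = [d[1] for d in directives if d[0] == "remote" and len(d) > 1]
    if not remotes:
        findings.append("no-remote: profile has no server address")
    for host in remotes:
        try:
            ipaddress.ip_address(host)
            findings.append(f"literal-ip: remote {host} breaks when the WAN address changes")
        except ValueError:
            pass                                # a hostname, e.g. a DDNS name
    names = blocks | {d[0] for d in directives}
    for piece in ("ca", "cert", "key"):         # CA plus the device's cert/key pair
        if piece not in names:
            findings.append(f"missing-{piece}: no {piece} block or file reference")
    if not names & {"remote-cert-tls", "verify-x509-name"}:
        findings.append("no-server-check: server certificate usage is not verified")
    return findings
```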
-
I'd add: if you have your VPN working I see no need for DynDNS and an active Port Forwarding rule. Other than you want to let the world view your plex server (if there's no layer of authentication) ;)
When your VPN is up, you're "back inside your Home LAN" so no need for a port forwarding there.
-
I agree on the port forwarding in general, I don't like to open anything to the outside world in my firewall unless needed. That said, the Plex login service seems to have a central facility that needs to be able to talk to the local box to provide some features (I am not a Plex expert by any means).
The DynDNS is definitely needed if only to give the OVPN clients an address to "call home".
-
Thank you for all of your help and suggestions!
CURRENT SETUP:
MBP - OpenVPN - Works!
iPad - OpenVPN - Works!
iPhone - OpenVPN - Works!
I chose to pay $9 for Viscosity app over Tunnelblick for my MBP.
I like the idea of using PrivateTunnel - whereas it would ‘hide’ my ip while using VPN - really don’t like the idea of putting my ‘public’ ip out in the world - I don’t publish my home address on anything either - I’m just weird that way or cautious. Anyways, do any of you know how I can integrate PrivateTunnel into my current setup using OpenVPN & DynDNS work. As I understand it, PrivateTunnel will provide you a choice of ip address from all around the world. I use dyndns currently and have it set to use my home ip address. I’m not really sure why I even pay for the DynDNS account other than that was recommended to me sometime ago.
ISSUE:
I’m really confused. I feel like the more I research this the more confusing it becomes! I’m not sure what steps I need to take to integrate PrivateTunnel, DynDNS and OpenVPN to work together. Any advice would be helpful. Please keep in mind that this is my very first VPN setup - so remember that I’ve still got diapers on! ;D
-
Good to see things are up and running. :)
I'm definitely NOT an expert on setting up PrivateTunnel type connections, but I see they have a fairly basic How-To on their site for pfsense. From what I can see, this type of setup will effectively "hide" your true IP address for outgoing connections from your home LAN (ie. while you're at home, a web page would get PrivateTunnel's assigned IP address instead of your home IP).
As far as the RoadWarrior OpenVPN (connecting into home from the beach, shall we say) I don't see a particular advantage to the PrivateTunnel setup, whether you use DynDNS or simply an address given you by PrivateTunnel, your iPhone still needs to know what address to use for an OpenVPN connection. And by extension, if your iPhone knows, "someone else" can know too. In the end I don't see a huge benefit from trying to force the RoadWarrior side of your setup through PrivateTunnel.
The outgoing setup does look fairly straightforward.
Keep at it and let us know how it goes ;)
-
I made a quick blog post, any questions message me! Hope this helps some of you
https://s3tix.wordpress.com/2016/06/12/plex-remote-access-with-pfsense/