Bringing out the big guns - PLEX, VPN and portforwarding

Wolf666

Here pfSense rules.
The key is now to map 32400 on VPN servers, for example port 45000.
In plex settings then change default to 45000… and you are done!
Remember Plex uses TCP on 32400, UDP is not necessary.
In your associated firewall rule use default gateway not VPN WAN.

IMG_0244.PNG_thumb

IMG_0245.PNG_thumb

Xerial

Thanks!

I copied your rules but it did not work. PLEX shows the VPN provider's IP but clearly states that the machine is not available from the outside (ports 32400).
I've screenshotted both my rules, merged them into one picture and attached it here.

EDIT: Just to clarify the VPN service I use offers a public IP without any firewall at all so there's no need to open anything up there.

![2017-01-29 14-58-35.jpg](/public/imported_attachments/1/2017-01-29 14-58-35.jpg)
![2017-01-29 14-58-35.jpg_thumb](/public/imported_attachments/1/2017-01-29 14-58-35.jpg_thumb)

Wolf666

It is not a matter of firewall in VPN servers sides….you need to forward exactly port 32400, your provider must set this (other providers offer this service).

Because Plex Media Server registers itself as VPN_Public_IP:portX (that port MUST be set in plex settings) but since that port is not solely assigned to you and changes....from Plex Clouds is lost communication back to you....this trigger the condition "server not reacheable".
Again you really need your provider assign to you and only to you a port to be mapped to 32400, in order to establish the correct routing from Plex Clouds:

Plex Clouds->VPN_Public_IP:portX->VPN_Tunnel_IP:32400->PlexMediaServer:32400
PortX is that assigned in VPN servers and set in Plex Media Server settings.

Which is your VPN provider...I will check their services.

Xerial

It's a Swedish provider at http://ovpn.se/en/

Just seems weird that they didn't tell me this when we were trying to solve the issue..

Wolf666

They don't offer port forwarding but this: https://www.ovpn.se/en/faq/functionality/does-plex-work-while-using-ovpn….
I don't like the fixed public IP assignment... frankly speaking you should change provider.
My provider offers several ips but I have assigned always the same ports, better solution for security.

Xerial

And I have the public address service configured on my plex machine, which brings me here :)

Wolf666

Try to set outbound rule with static port for your Plex Media Server, using your vpn gareway. this solution will open a comunication with plex clouds and they will be able to reach you without any port forarding since you have a state alive.

Xerial

As much as I think that sounds like a great idea I am really not sure as to what to put where here. Could you please help me understand that?

I yellowmarked the areas where I am not sure. I am guessing the interface should be OPT1 (my VPN client running with the public id). Also the address under translation should be QA (which is my test machine for this). But when it comes to source destination and pool options I'm not sure.

![2017-01-29 18-13-43.jpg](/public/imported_attachments/1/2017-01-29 18-13-43.jpg)
![2017-01-29 18-13-43.jpg_thumb](/public/imported_attachments/1/2017-01-29 18-13-43.jpg_thumb)

Wolf666

Interface: the one assigned to VPN
Source: ip of media plex server

Translation
Address "network" and thick "static port"

As a first step use the defaults and see the behavior.

Xerial

Something like this? I can't select network under Translation Address. At the moment it is not working.

Also I should probably mention that you can't select a single client as source. Only an entire network. So if I input 10.20.30.40 (which is my PLEX client's ip) I get 10.20.30.0/24.

1.jpg_thumb

Wolf666

In source don't put any port…if Plex ask to go with 32400 the static port preserve natting the port.
In the transaltion section, in address you should be able to select "network address".... do you have other options?

Xerial

I can only choose from my host aliases and "other subnet".

2.jpg_thumb

Wolf666

Use exactly "interface address"

Xerial

Still the same results.. Reposting my rules in the attached picture. Does it matter that I have rules to forward traffic coming in on 32400 via the WAN activated the same time as I have the corresponding rule but for traffic coming in from OPT1 (VPN)?

3.jpg_thumb

Wolf666

Can you post the gareway screenshot and interface assignement…
Opt1 is the VPN gateway? Or the interface assigned to plex subnet?

Xerial

Here you go!

Opt1 is the vpn gateway yes.

4.jpg_thumb

Wolf666

I don't have any other idea…sorry.

Xerial

No problem you really did make an effort so thank you very much friend!

Xerial

@Wolf666:

I don't have any other idea…sorry.

Hey Wolf I just wanted to tell you (and anyone else with this weird problem) that I solved it. After spending an hour or so googling yet another time I found a thread where a guy had issues not very different from mine. He received the advise to remove all rules under the OpenVPN tab under rules. After I did that it worked. The rule I had there was automatically created from the OpenVPN server wizard that I had run a while back. Really weird but it did the trick!

Wolf666

Great! Thank you for feedback.