[Tutorial] Plex VPN Bypass

CODYQX4

Occasional Visitor
Just thought I'd post my config because I've seen this several different ways, some of which involved several ports or whitelisting massive chunks of Amazon IP Addresses.

I'll assume you have Plex setup as well as your OpenVPN on your router, and you will need to use a static IP for the Plex server or this will break on IP change.

Step 1. Setup Remote Access in Plex
I used a manual port for this, but as it stands this won't work over VPN (unless you have some VPN that handles port forwarding). As most people are bypassing the VPN, we'll use this.

Choose whatever manual port you want and take note of it. At this point the Remote Access is not going to work.

Step 2. Forward this port to your Plex Server.
Use the port from step one as both the Port Range and Local Port. Enable Forwarding for "BOTH". Call your service Plex (doesn't really matter about the name).

Step 3. Easy VPN Domain Bypass
OpenVPN can look up the IP addresses via domain. I simply added "route plex.tv 255.255.255.255 net_gateway" (no quotes) to the custom configuration on the OpenVPN client page. This makes that domain bypass the VPN. We need this because the Remote Access check will otherwise get your VPN IP, which most likely will reject your port. This makes it see your real IP.

Step 4. Make traffic over the Plex port bypass the VPN.
This uses a method that let me use SSH over VPN, something I struggled to get working with an OpenVPN Desktop client (actually never did get working. VPN dead = no SSH). It works the same way for Plex.

I use this script for my OpenVPN event handler (openvpn-event).
Code:
#!/bin/sh

# Setup FWMarks
WAN0=200
WAN1=201
VPN1=211
VPN2=212
VPN3=213
VPN4=214
VPN5=215

# Disable Reverse Path Filtering
sleep 10
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > $i
done

# Reset Primary WAN Routing Table
ip route flush table wan0
ip route del default table wan0
ip rule del fwmark $WAN0 table wan0
ip rule del fwmark $VPN1 table ovpnc1
ip rule del fwmark $VPN2 table ovpnc2
ip rule del fwmark $VPN3 table ovpnc3
ip rule del fwmark $VPN4 table ovpnc4
ip rule del fwmark $VPN5 table ovpnc5
ip route flush cache
iptables -t mangle -F PREROUTING

# Reset Primary WAN Routing Table Rules
#VPN_LIST="1 2 3 4 5"
VPN_LIST="1"
for VPNID in $VPN_LIST
do
    # Copy IP Routing Rules
    ip route show table main | grep -Ev ^default | grep -Ev tun1$VPNID | while read ROUTE;
    do
        ip route add table wan0 $ROUTE
    done
   
    # Set Active VPN State
    VPN_STATE=$(nvram get "vpn_client"$VPNID"_state")
    if [ $VPN_STATE -eq -1 ]
    then
        nvram set "vpn_client"$VPNID"_state"=2
    fi
done

ip route add default table wan0 via $(nvram get wan0_gateway)
ip rule add fwmark $WAN0 table wan0
ip rule add fwmark $VPN1 table ovpnc1
ip rule add fwmark $VPN2 table ovpnc2
ip rule add fwmark $VPN3 table ovpnc3
ip rule add fwmark $VPN4 table ovpnc4
ip rule add fwmark $VPN5 table ovpnc5
ip route flush cache

# Plex Traffic: Bypass VPN
iptables -t mangle -C PREROUTING -i br0 -p tcp --sport 32400 -j MARK --set-mark $WAN0
if [ $? -eq 1 ]
then
    iptables -t mangle -A PREROUTING -i br0 -p tcp --sport 32400 -j MARK --set-mark $WAN0
fi
iptables -t mangle -C PREROUTING -i br0 -p udp --sport 32400 -j MARK --set-mark $WAN0
if [ $? -eq 1 ]
then
    iptables -t mangle -A PREROUTING -i br0 -p udp --sport 32400 -j MARK --set-mark $WAN0
fi
iptables -t mangle -C PREROUTING -i br0 -p tcp --dport 32400 -j MARK --set-mark $WAN0
if [ $? -eq 1 ]
then
    iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 32400 -j MARK --set-mark $WAN0
fi
iptables -t mangle -C PREROUTING -i br0 -p udp --dport 32400 -j MARK --set-mark $WAN0
if [ $? -eq 1 ]
then
    iptables -t mangle -A PREROUTING -i br0 -p udp --dport 32400 -j MARK --set-mark $WAN0
fi

# SSH Traffic: Bypass VPN
iptables -t mangle -C PREROUTING -i br0 -p tcp --sport 22 -j MARK --set-mark $WAN0
if [ $? -eq 1 ]
then
    iptables -t mangle -A PREROUTING -i br0 -p tcp --sport 22 -j MARK --set-mark $WAN0
fi
iptables -t mangle -C PREROUTING -i br0 -p udp --sport 22 -j MARK --set-mark $WAN0
if [ $? -eq 1 ]
then
    iptables -t mangle -A PREROUTING -i br0 -p udp --sport 22 -j MARK --set-mark $WAN0
fi
iptables -t mangle -C PREROUTING -i br0 -p tcp --dport 22 -j MARK --set-mark $WAN0
if [ $? -eq 1 ]
then
    iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 22 -j MARK --set-mark $WAN0
fi
iptables -t mangle -C PREROUTING -i br0 -p udp --dport 22 -j MARK --set-mark $WAN0
if [ $? -eq 1 ]
then
    iptables -t mangle -A PREROUTING -i br0 -p udp --dport 22 -j MARK --set-mark $WAN0
fi

That script works for me with 1 VPN (probably more than 1 as well). This will make all the Plex traffic going in and out of the port we chose not use the VPN. I only needed one port, and I didn't have to whitelist half of Amazon to make this work.

I tested this and I was able to access my Plex server via my iPhone on a different network, 25 miles away.
 
This is a very interesting and helpful tutorial. Thanks for that!

While I haven't looked into it in detail, I was wondering if the same scheme could be applied to my scenario: I am trying to exclude the transmission daemon from the VPN.
Could this work with just minor changes, or does it require a completely different approach?
 
I'm not familiar with how you'd do that on the router (perhaps the router IP gets the port forward, if even necessary, and you exclude that port like I did SSH and Plex), but if you're referring to the Web UI you should be able to exclude that port like I did SSH and Plex, and then port forward it. You'd then be able to access it over your WAN IP or DDNS name. If you mean actual torrent traffic, I've never tried that at all, since that's probably one of the biggest things I want VPN only.

I did have a Web UI setup as I described at one point though.
 
I do mean the actual torrent traffic since my VPN only has a handful of P2P servers and I hardly use them due to speed issues. I guess it depends on the country you are in if you want torrents to go through VPN or ISP...
 
Hi

I am very new to this, but do have a Plex server and have been struggling with how I can have both VPN up and Plex remote access. Looking at the 4 points above I am stuck on Step 4. Make traffic over the Plex port bypass the VPN.

Where do I create the 'openvpn-event' script (/jffs/scripts or somewhere else)?
Do I name it openvpn-event, or does it need a suffix (e.g. openvpn-event.sh)?
How is it called / run?

I am assuming that once I know this I can install with winscp.

UPDATE: Found some installation notes at https://github.com/RMerl/asuswrt-me...ver-VPN-and-Drop-connections-if-VPN-goes-down and installed - works perfectly.
 
Hi,
Thanks for the excellent bit of script as it was exactly what I was looking for. I thought I had this working for a short time, however my PLEX seems to either throw an issue and not be accessible outside of my LAN or most recently I get an IP routing conflict error on my Asus router.

Any suggestions on why this might be?

Just to confirm I have my router to port forward my 32400 ports to the static IP address which has my PLEX server running and added the plex.tv info in the custom config section.

What can I check for in the asus log file to help diagnose the issue?

Any advice is appreciated.
 
burrellbloke, yes it does work and I have confirmed my torrent clients are routed through my VPN while my Plex is accessible over my ISP WAN IP address. I do still get the issues of IP Routing conflict message within the Merlin firmware on my Asus router and occasionally my Plex server does become difficult to access and will only allow a Direct connection from outside of my LAN.

Just to clarify that my Plex server is running on a Synology diskstation which has a static IP address within my LAN and Plex uses ports 32400. My Asus router handles the VPN connection and is flashed with the latest Merlin firmware. I have the port 32400 forwarded on my Asus router to my static Diskstation IP address and the diskstation IP address is added to the VPN routing configuration.

I am not sure why the routing conflict is happening and will continue to look to solve the issue, as there seem to be lots of people successfully using IP routing tables to specify ports which are excluded from the VPN tunnel.
 
I set this up as my openvpn-event but Plex is still showing the VPN IP. Won't work.

Mind you, I have policy rules set up and am only pointing this VPN to one IP. Could that be why?
 
Here are the settings I have below; it doesn't work. I set up openvpn-event in the jffs scripts folder as well, using your script.

My Plex uses port 32400; I have it set up in Merlin to port forward from local 32400 to port 32400 on the server IP.

In my OpenVPN client settings page I have it policy-based, only routing VPN traffic to 192.168.1.4.

And when I check Plex it still shows the public VPN IP.
 
Okay, so I got it to work using this, but now I can't access Amazon outside that Plex server. Any idea? Doesn't make sense.

Code:
#!/bin/bash
# This code goes in the WAN UP section.
# This code based on the contributions from this thread:
# http://www.linksysinfo.org/index.php?threads/route-only-specific-ports-through-vpn-openvpn.37240/
#
# And from material in these articles:
# http://linux-ip.net/html/adv-multi-internet.html
# http://fedorasolved.org/Members/kanarip/iptables-howto
#
# This script configures "selective" VPN routing. Normally, OpenVPN will route ALL traffic out
# the OpenVPN tunnel. These changes to iptables allow some outbound traffic to use the VPN, and some
# traffic to bypass the VPN and use the regular Internet instead.
#
# To list the current rules on the router, issue the command:
# iptables -t mangle -L PREROUTING
#
# Flush/reset all the rules to default by issuing the command:
# iptables -t mangle -F PREROUTING
#
#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > $i
done
#
# Delete table 100's default route and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING
#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
#
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
| while read ROUTE ; do
ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache
#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#
# EXAMPLES:
#
# All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)
 iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
# Ports 80 and 443 will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
# All traffic from a particular computer on the LAN will use the VPN
 iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.4 -j MARK --set-mark 0
# All traffic to a specific Internet IP address will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
# All UDP and ICMP traffic will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
# iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1
# All traffic from a specific Internet IP address range USING CIDR NOTATION will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -s 74.125.229.0/24 -j MARK --set-mark 0
# All traffic to a specific Internet IP address range USING CIDR NOTATION will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -d 98.207.0.0/16 -j MARK --set-mark 0

#new
#iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --sport 32400,32443 -j MARK --set-mark 2
#iptables -t mangle -A OUTPUT -p udp -m multiport --dport 17827,32400,32443,32410,32412,32413,32414,32469 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.4 -d plex.tv -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.4 -p tcp -m multiport --sport 32400,32443 -j MARK --set-mark 1
#old
#iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 32400 -j MARK --set-mark 1
#iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.4 -p tcp -m multiport --sport 32400 -j MARK --set-mark 1
#iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 8888 -j MARK --set-mark 1
#iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.4 -p tcp -m multiport --sport 8888 -j MARK --set-mark 1


# Bypass Plex IP Ranges https://forums.aws.amazon.com/ann.jspa?annID=1701
# FROM/SOURCE
iptables -t mangle -A PREROUTING -i br0 -s 184.169.128.0/17 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -s 50.18.0.0/16 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -s 54.241.0.0/16 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -s 184.72.0.0/18 -j MARK --set-mark 1

#new
iptables -t mangle -A PREROUTING -i br0 -s 54.176.0.0/16 -j MARK --set-mark 1
# TO/DESTINATION
iptables -t mangle -A PREROUTING -i br0 -d 184.169.128.0/17 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 50.18.0.0/16 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 54.241.0.0/16 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 184.72.0.0/18 -j MARK --set-mark 1

#new
iptables -t mangle -A PREROUTING -i br0 -d 54.176.0.0/16 -j MARK --set-mark 1
#Bypass IPChicken
#iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 209.68.27.16 -j MARK --set-mark 1
 
I am using an ASUS RT-AC5300 with Merlin firmware...

This is how I got mine to work. I think these are all the steps:
Step 1. Setup Remote Access in Plex
used port 3400

Step 2. Forward this port to your Plex Server.

Use the port from step one as both the Port Range and Local Port. Enable Forwarding for "BOTH". Call your service Plex (doesn't really matter about the name).

Login to router administration

WAN -> Virtual Server / Port Forwarding

I added PLEX:32400:192.168.1.110:32400:BOTH


Step 3. SSH into router

Terminal : SSH login@192.168.1.100

CD /

CD / jffs

CD / scripts

touch openvpn-event

nano openvpn-event

Copy the following TXT into the terminal window

Code:
#!/bin/sh

sleep 2
 
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > $i
done

ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

ip route show table main | grep -Ev ^default | grep -Ev tun11 \
  | while read ROUTE ; do
      ip route add table 100 $ROUTE
    done

ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range x.x.x.x -j MARK --set-mark 0

# Plex Traffic: Bypass VPN
iptables -t mangle -C PREROUTING -i br0 -p tcp --sport 32400 -j MARK --set-mark 1
if [ $? -eq 1 ]
then
    iptables -t mangle -A PREROUTING -i br0 -p tcp --sport 32400 -j MARK --set-mark 1
fi
iptables -t mangle -C PREROUTING -i br0 -p udp --sport 32400 -j MARK --set-mark 1
if [ $? -eq 1 ]
then
    iptables -t mangle -A PREROUTING -i br0 -p udp --sport 32400 -j MARK --set-mark 1
fi
iptables -t mangle -C PREROUTING -i br0 -p tcp --dport 32400 -j MARK --set-mark 1
if [ $? -eq 1 ]
then
    iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 32400 -j MARK --set-mark 1
fi
iptables -t mangle -C PREROUTING -i br0 -p udp --dport 32400 -j MARK --set-mark 1
if [ $? -eq 1 ]
then
    iptables -t mangle -A PREROUTING -i br0 -p udp --dport 32400 -j MARK --set-mark 1
fi
# Exit cleanly so the caller does not treat the event handler as having failed
exit 0

CTRL+X
Y
ENTER


Step 4. Restart OpenVPN Client

Login to router administration

VPN -> OpenVPN Clients

Service state (Turn OFF)

Service state (Turn ON)

VPN -> VPN Status (OpenVPN Client 1 should say connected)


From my MBP I did a "what's my IP" and it gave me my ISP IP. This is correct, as I used this piece of code to specify that all devices not use the VPN.

Code:
 iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

From my Mac-mini running PLEX Server I did a "what's my IP" and it gave me the IP of the VPN service. This is correct, as I used this piece of code to specify that this device use the VPN.

Code:
 iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 10.2.50.110 -j MARK --set-mark 0

When I ran PLEX and checked the Remote Access, it was connected successfully and had my ISP IP listed. This is correct, as I used this piece of code to specify that port 32400 not use the VPN.

Code:
# Plex Traffic: Bypass VPN
iptables -t mangle -C PREROUTING -i br0 -p tcp --sport 32400 -j MARK --set-mark 1
if [ $? -eq 1 ]
then
    iptables -t mangle -A PREROUTING -i br0 -p tcp --sport 32400 -j MARK --set-mark 1
fi
iptables -t mangle -C PREROUTING -i br0 -p udp --sport 32400 -j MARK --set-mark 1
if [ $? -eq 1 ]
then
    iptables -t mangle -A PREROUTING -i br0 -p udp --sport 32400 -j MARK --set-mark 1
fi
iptables -t mangle -C PREROUTING -i br0 -p tcp --dport 32400 -j MARK --set-mark 1
if [ $? -eq 1 ]
then
    iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 32400 -j MARK --set-mark 1
fi
iptables -t mangle -C PREROUTING -i br0 -p udp --dport 32400 -j MARK --set-mark 1
if [ $? -eq 1 ]
then
    iptables -t mangle -A PREROUTING -i br0 -p udp --dport 32400 -j MARK --set-mark 1
fi


I also did a speedtest from both of the devices. From my MBP it connected to a local server of my ISP for the speed test and gave me 300MB which is my service. When I did the same thing from my Mac-mini it connected to a server with my VPN service and the speed was not as good which I expected.

My question is what is the best way to make sure all other traffic from the Mac-mini is going through my VPN while only the Plex traffic is going through my ISP. I am a bit of a NOOB when it comes to this stuff.
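The rule chain in this post decides each LAN packet's path by its final fwmark, and since the iptables MARK target does not stop chain traversal, the last matching rule wins. The Python model below is an added example, not code from the thread: it replays the PREROUTING rules above (assuming the Plex host 10.2.50.110 from this post and constructed remote addresses) to show which routing table each packet lands in, and what changes if the per-host rule is appended after the port rules. The same logic applies to the first post's script, which uses mark 200 and table wan0 instead of mark 1 and table 100.

```python
# Model of the mangle PREROUTING chain from the openvpn-event script above (added example).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    in_if: str            # interface the packet arrived on (iptables -i)
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    """One 'iptables -t mangle -A PREROUTING ... -j MARK --set-mark N' line."""
    mark: int
    in_if: Optional[str] = None    # -i
    src: Optional[str] = None      # -s or --src-range: an address or CIDR
    dst: Optional[str] = None      # -d
    proto: Optional[str] = None    # -p
    sport: Optional[int] = None    # --sport
    dport: Optional[int] = None    # --dport

    def matches(self, p: Packet) -> bool:
        return (
            (self.in_if is None or self.in_if == p.in_if)
            and (self.src is None or ip_address(p.src) in ip_network(self.src, strict=False))
            and (self.dst is None or ip_address(p.dst) in ip_network(self.dst, strict=False))
            and (self.proto is None or self.proto == p.proto)
            and (self.sport is None or self.sport == p.sport)
            and (self.dport is None or self.dport == p.dport)
        )


def final_mark(p: Packet, chain: List[Rule]) -> int:
    """MARK is a non-terminating target: the packet keeps walking the chain, so
    the LAST matching rule decides the mark. Unmatched packets keep mark 0."""
    mark = 0
    for rule in chain:
        if rule.matches(p):
            mark = rule.mark
    return mark


def table_for(mark: int) -> str:
    """'ip rule add fwmark 1 table 100': mark 1 uses the WAN copy of the main table;
    everything else uses main, whose default route OpenVPN has pointed at the tunnel."""
    return "table 100 (WAN)" if mark == 1 else "main (VPN tunnel)"


PLEX_HOST = "10.2.50.110"   # Plex server address from this post (assumed for the model)
# The rules in the order the script appends them.
CHAIN = [
    Rule(mark=1, in_if="br0"),                            # all LAN traffic bypasses VPN
    Rule(mark=0, in_if="br0", src=PLEX_HOST),             # ...except the Plex host
    Rule(mark=1, in_if="br0", proto="tcp", sport=32400),  # Plex port bypasses VPN again
    Rule(mark=1, in_if="br0", proto="udp", sport=32400),
    Rule(mark=1, in_if="br0", proto="tcp", dport=32400),
    Rule(mark=1, in_if="br0", proto="udp", dport=32400),
]


def route_packet(p: Packet, chain: List[Rule] = CHAIN) -> str:
    return table_for(final_mark(p, chain))


# Constructed sample packets; remote addresses are documentation ranges, not real hosts.
PLEX_STREAM = Packet("br0", PLEX_HOST, "198.51.100.7", "tcp", sport=32400, dport=51515)
PLEX_TO_PLEX_TV = Packet("br0", PLEX_HOST, "203.0.113.10", "tcp", sport=49152, dport=443)
LAPTOP_WEB = Packet("br0", "10.2.50.20", "203.0.113.10", "tcp", sport=49153, dport=443)

if __name__ == "__main__":
    for name, pkt in [("Plex stream to a remote client", PLEX_STREAM),
                      ("Plex server registering with plex.tv", PLEX_TO_PLEX_TV),
                      ("Laptop browsing the web", LAPTOP_WEB)]:
        print(f"{name:38} mark={final_mark(pkt, CHAIN)} -> {route_packet(pkt)}")
    # Same rules with the per-host rule appended last: it now overrides the port
    # rules and the Plex stream would leave through the VPN instead of the WAN.
    reordered = CHAIN[:1] + CHAIN[2:] + CHAIN[1:2]
    print("Host rule appended last:", route_packet(PLEX_STREAM, reordered))
```

The second packet is why step 3 of the original post adds a plex.tv route via net_gateway: the server's own connection to plex.tv leaves on an ephemeral source port, so the port rules never match it and it reaches plex.tv through the tunnel, which is the "Plex still shows the VPN IP" symptom reported earlier in the thread.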
 
Hi guys, I'm new here and trying to do the same thing and bypass my VPN.

I have an ASUS RT_AC68U with current Merlin firmware and I'm also running a Plex server on one of my PCs.

Problem: I have followed all the instructions in this thread and can SSH into the modem using PuTTY but can't change anything. Below is the text I used:

ASUSWRT-Merlin RT-AC68U 380.69-0 Mon Dec 11 23:14:53 UTC 2017
admin@RT-AC68U-ED40:/tmp/home/root# cd /
admin@RT-AC68U-ED40:/# cd / jffs
admin@RT-AC68U-ED40:/# cd / scripts
admin@RT-AC68U-ED40:/# touch openvpn-event
touch: openvpn-event: Read-only file system
admin@RT-AC68U-ED40:/#

How do I get permission to create the event? Am I missing something?

My goal is to have the VPN running for everything but Plex, as I would like to be able to access it remotely.

If it helps, I have an ISP-assigned static IP address and my internal Plex server IP is 192.168.1.32.


Any help would be appreciated.

Edit: I have figured out how to add the script. There's no / between cd and the directory, i.e. not cd / jffs, just cd jffs.

The problem is the script doesn't do anything other than stop me accessing the Plex website.

I can see my Plex server externally when the VPN isn't running, so I know the ports are being forwarded correctly. As soon as I connect to the VPN I can no longer see my Plex server.
 
This worked FLAWLESSLY.

Amazing thanks, and I will be pointing the threads that were attempting the same thing this way.
 
