
VPN's (PIA) and Emby


b0dyr0ck2006
Solved by b0dyr0ck2006

Recommended Posts

Hi guys,

So I'm attempting to do the same thing, only using PIA through a Synology NAS - PIA set up using the Netherlands VPN (using the ovpn file and certificate). I'm trying to access remotely, but since the VPN is running as a gateway on the NAS, I obviously don't have access to the GUI that PIA uses like I would if I were running the VPN via my PC, and therefore cannot see the port in order to forward it.

Anyone have any luck getting remote access working in this situation? I've searched as best I can, and so far all I can find are guides with iptables that assume I'm a networking guru (I'm not). Any thoughts?


siddhartha

This solution is for Linux only, but the concept covers all platforms.
 
It is possible to operate both an externally accessible server and a VPN client on the same box. It requires a little bit of iptables magic though. What happens without the magic is that when a client sends WAN traffic to your router and your router forwards the appropriate packets to your NAS/media server running the VPN client, the return packets never reach the original client. This is because the VPN client sends return packets back out over the VPN to the WAN using a different IP and a different router (the external VPN router), so those return packets never actually reach the original client. It looks like this:
 

                                 INTERNET
                                  ^   |
                                  |   V
                                 [VPN IP]
                                  |   |
      CLIENT                    VPN ROUTER
        |                         ^   |
        |                         |   |
    [WAN IP]                      |   V
        |                        [WAN IP]
        |                         |   |
        V                         |   V
      ==============ROUTER==============     
        |                         ^   |
        |                         |   |
  [LOCAL IP eth0]                 |   V
        |                 [LOCAL VPN IP tun0]
        |                         |   |
        V                         |   V
    MEDIA BOX <------------> VPN SOFTWARE

 

What you need is some traffic bypassing the VPN and getting back to the original client. It should look like this:
 

                                 INTERNET
                                  ^   |
                                  |   V
                                 [VPN IP]
                                  |   |
        CLIENT                  VPN ROUTER
        |  ^                      ^   |
        |  |                      |   |
      [WAN IP]                    |   V
        |  |                     [WAN IP]
        |  |                      |   |
        V  |                      |   V
      ==============ROUTER==============     
        |  ^                      ^   |
        |  |                      |   |
  [LOCAL IP eth0]                 |   V
        |  |              [LOCAL VPN IP tun0]
        |  |                      |   |
        V  |                      |   V
    MEDIA BOX <------------> VPN SOFTWARE

 

There are two interfaces on the NAS/media server, eth0 and tun0. The interface eth0 is LAN traffic, and tun0 is VPN traffic. In a normal VPN setup, only packets originating from within your LAN, behind your router, will go back out over eth0. ALL other packets (even if they're for a client connecting to your MEDIA BOX via your router) are returned via tun0. We need to get some WAN traffic to go back out over eth0, but which traffic?
 
For this all to work, you set up port forwarding on your router, which you probably already have done. External clients enter the WAN IP of your router and a specific port, and your router directs that port traffic to your MEDIA BOX. So, a client connecting to a WAN IP of 24.113.7.113:52196 would hit your router, and the router would see in its port forwarding rules that port 52196 should be forwarded to 192.168.1.10:8096 (MEDIA BOX). Note that when this happens, the router uses your [LOCAL IP eth0] and not your [LOCAL VPN IP tun0]! Bingo! We can safely reroute traffic coming in from eth0 back out over eth0 because it is assumed to be a client connection to your server!

 
I've read about a bunch of different ways to do this, but what I find to be the most elegant is actually really cool. We mark the incoming connection packets on eth0 using iptables and then send any marked packets on that same connection back out on eth0 using ip route. We can do this with the following:

# Filter port forwarded packets from the local router on eth0 and mark them
/sbin/iptables -A PREROUTING -t mangle -m conntrack --ctstate NEW -i eth0 -j CONNMARK --set-mark 0x1
/sbin/iptables -A OUTPUT -t mangle -m connmark --mark 0x1 -j CONNMARK --restore-mark

# Route all marked packets back through the local router on eth0
/sbin/ip route add default via 192.168.1.1 table 100
/sbin/ip rule add fwmark 0x1 table 100

This will all get reverted when you reboot, however. For these rules to persist, you modify the script that runs when your VPN client starts up. For example, OpenVPN uses update-resolv-conf. I added references to two scripts (up and down) in the file, each executed on the up and down calls respectively. My /etc/openvpn/update-resolv-conf with the updated lines noted near the bottom:

#!/bin/bash
# 
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood and Chris Hanson.
# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL. 
# 
# Example envs set from openvpn:
#
#     foreign_option_1='dhcp-option DNS 193.43.27.132'
#     foreign_option_2='dhcp-option DNS 193.43.27.133'
#     foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
#

[ -x /sbin/resolvconf ] || exit 0
[ "$script_type" ] || exit 0
[ "$dev" ] || exit 0

split_into_parts()
{
	part1="$1"
	part2="$2"
	part3="$3"
}

case "$script_type" in
  up)
	NMSRVRS=""
	SRCHS=""
	for optionvarname in ${!foreign_option_*} ; do
		option="${!optionvarname}"
		echo "$option"
		split_into_parts $option
		if [ "$part1" = "dhcp-option" ] ; then
			if [ "$part2" = "DNS" ] ; then
				NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
			elif [ "$part2" = "DOMAIN" ] ; then
				SRCHS="${SRCHS:+$SRCHS }$part3"
			fi
		fi
	done
	R=""
	[ "$SRCHS" ] && R="search $SRCHS
"
	for NS in $NMSRVRS ; do
		R="${R}nameserver $NS
"
	done
	echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"

	###### Execute up script ######
	[ -x /etc/openvpn/up ] && /etc/openvpn/up

	;;
  down)
	/sbin/resolvconf -d "${dev}.openvpn"

	###### Execute down script ######
	[ -x /etc/openvpn/down ] && /etc/openvpn/down

	;;
esac


The contents of /etc/openvpn/up (assuming your router is 192.168.1.1):

#!/bin/bash

# Add customized routes to bypass the VPN for external server requests

# Filter port forwarded packets from the local router on eth0 and mark them
/sbin/iptables -A PREROUTING -t mangle -m conntrack --ctstate NEW -i eth0 -j CONNMARK --set-mark 0x1
/sbin/iptables -A OUTPUT -t mangle -m connmark --mark 0x1 -j CONNMARK --restore-mark

# Route all marked packets back through the local router on eth0
/sbin/ip route add default via 192.168.1.1 table 100
/sbin/ip rule add fwmark 0x1 table 100

# Route SSDP broadcasting to the LAN and not the VPN so local media devices (like smart DLNA TVs) can be found
/sbin/ip route add 239.255.255.250 dev eth0

The contents of /etc/openvpn/down:

#!/bin/bash

# Remove all customized routes

/sbin/iptables -D PREROUTING -t mangle -m conntrack --ctstate NEW -i eth0 -j CONNMARK --set-mark 0x1
/sbin/iptables -D OUTPUT -t mangle -m connmark --mark 0x1 -j CONNMARK --restore-mark

/sbin/ip route del default via 192.168.1.1 table 100
/sbin/ip rule del fwmark 0x1 table 100
/sbin/ip route del 239.255.255.250 dev eth0

I hope this helps anyone reading. I'm sorry for the detailed and complicated explanation, but I think it's important to really understand anything that concerns the security of your network. I've been poring over this stuff all week, and typing this out alone helps me understand it better.

Edited by siddhartha
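As an added example (not siddhartha's scripts, and not Emby or PIA code), here is the same CONNMARK plus ip rule setup as one idempotent script that can serve as both the up and the down hook. It assumes the post's addresses as placeholders (router 192.168.1.1, LAN 192.168.1.0/24 on eth0, mark 0x1, table 100), checks with `iptables -C` before appending so repeated VPN reconnects do not stack duplicate rules, and adds the LAN subnet to table 100 so replies to LAN clients reach them directly instead of via the router.

```shell
#!/bin/bash
# Idempotent, reversible version of the up/down scripts in the post above.
# Assumptions (placeholders, adjust to your LAN): router 192.168.1.1,
# LAN 192.168.1.0/24 on eth0, mark 0x1 and routing table 100 as in the post.
set -u
IPT=${IPT:-/sbin/iptables}
IP=${IP:-/sbin/ip}
ROUTER=${ROUTER:-192.168.1.1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
LAN_IF=${LAN_IF:-eth0}
MARK=0x1
TABLE=100
# Rule specs without the -A/-C/-D action so one string serves all three.
MARK_NEW="PREROUTING -t mangle -m conntrack --ctstate NEW -i $LAN_IF -j CONNMARK --set-mark $MARK"
RESTORE="OUTPUT -t mangle -m connmark --mark $MARK -j CONNMARK --restore-mark"

# Append a rule only when 'iptables -C' says it is not there yet.
ensure_rule() { $IPT -C $1 2>/dev/null || $IPT -A $1; }
# Delete every copy of a rule (duplicates accumulate if 'up' ran twice).
drop_rule() { while $IPT -C $1 2>/dev/null; do $IPT -D $1; done; }

vpn_up() {
    ensure_rule "$MARK_NEW"
    ensure_rule "$RESTORE"
    # Replies on marked connections use table 100: LAN hosts directly on
    # eth0, everything else via the home router instead of the VPN default.
    $IP route replace "$LAN_NET" dev "$LAN_IF" table "$TABLE"
    $IP route replace default via "$ROUTER" dev "$LAN_IF" table "$TABLE"
    $IP rule show | grep -q "fwmark $MARK lookup $TABLE" \
        || $IP rule add fwmark "$MARK" table "$TABLE"
    # Keep SSDP discovery on the LAN so DLNA devices still find the server.
    $IP route replace 239.255.255.250 dev "$LAN_IF"
}

vpn_down() {
    drop_rule "$MARK_NEW"
    drop_rule "$RESTORE"
    $IP rule del fwmark "$MARK" table "$TABLE" 2>/dev/null || true
    $IP route flush table "$TABLE" 2>/dev/null || true
    $IP route del 239.255.255.250 dev "$LAN_IF" 2>/dev/null || true
}

# Mode comes from the first argument, or from $script_type when OpenVPN
# runs this file directly as its 'up'/'down' script (script-security 2).
case "${1:-${script_type:-}}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

Point OpenVPN at it with `up`/`down` lines and `script-security 2`, or call it as `/etc/openvpn/up` and `/etc/openvpn/down` from the wrapper above, where it picks the mode up from the inherited `script_type` variable. If port-forwarded connections still fail, check `sysctl net.ipv4.conf.eth0.rp_filter`: in strict mode (1) the kernel drops packets from WAN sources arriving on eth0 because their reverse path is tun0, so loose mode (2) is needed.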

b0dyr0ck2006

Hi guys,

So I'm attempting to do the same thing, only using PIA through a Synology NAS - PIA set up using the Netherlands VPN (using the ovpn file and certificate). I'm trying to access remotely, but since the VPN is running as a gateway on the NAS, I obviously don't have access to the GUI that PIA uses like I would if I were running the VPN via my PC, and therefore cannot see the port in order to forward it.

Anyone have any luck getting remote access working in this situation? I've searched as best I can, and so far all I can find are guides with iptables that assume I'm a networking guru (I'm not). Any thoughts?

I don't have a NAS setup here but can you not access the NAS via a web address?


I can log into the NAS using Synology's QuickConnect - however the Emby app cannot be opened via QuickConnect (I tried). It seems like this would be the easiest, or at least most elegant, solution since everything else can be accessed via QuickConnect.

Thanks for the detailed notes @siddhartha - I'll give it a shot and see what I can come up with.


  • 8 months later...

My server's been messed up in a bind now after trying port forwarding. I removed stupid PIA, wiped it all out, even REG reinstall; somewhere it is keeping that data, throwing my login off, and I cannot even access through Roku until I close the VPN and then reboot.

Been 3 days now; fixing to wipe this install, I guess.

I don't have access to the router and am not allowed to run my own router via company policy; if it's ping they ding my net. (I could gain it, I'm sure, but I like my net lol)

I run my server off my main PC, not a web host. I really hate PIA; they have been super shady lately. Fixing to move to NORD.

I can access the admin panel though from the PC; that is it, nothing connects when the VPN goes active. Just wiped the junk out again.

Note I'm using the firewall port forward method, but still this is ridiculous. I noticed Plex has nailed it; they wrote bash scripts it seems and it worked fine. I searched Emby PIA but get these threads unsolved.

One method should be shoved in its own post: Linux / Windows / Selfhost + OS / NAS

Barf, think I'm gonna wipe the OS and start over; this is just ridiculous to figure out, and what time I've got free has been on this the past week.

Edited by tyr_88

@Luke @Happy2Play

Hey guys, would this have any effect to bypass the block on the VPN to Media Server?

I just ran across it and it is free, Win10 Creators tested also. I have no idea, I am stupefied on these matters :)

BTW finally got PIA flushed, working normal again

 

Marcs Updater

Advanced network filtering based upon DHCP server

Advanced network filtering based upon wireless SSID.

 

Your router does not support the service providers DNS-O-Matic, DynDNS, No-IP, OpenDNS, selfhost.de, spDNS (medical-it-services.de) or STRATO by default, or is limited in the number of dynamic DNS providers?

You can use this simple client to send IP changes to your dynamic DNS account automatically.

 

https://updater.marc-hoersken.de/

Marcs Updater is built for Windows and runs under Windows XP SP3 or newer.


lifespeed

I didn't read the whole thread.  I have a VPN from PIA that is on much of the time, it has no effect on incoming connections including Emby, a VoIP PBX as well as my FTP server.  I bind the local IP address as well as the external IP address, which is actually a hostname from DNSExit to static-ize my dynamic IP.  It is my understanding these are just the basic steps to enable access to Emby server from outside your network, with or without a VPN.

 

I don't see that the VPN has anything to do with incoming connections, and the outgoing traffic in response does not utilize the VPN socket either.  I did not configure any port forwarding in the VPN because it is not used for the aforementioned servers.  Just port forwarded the router and allowed Emby through the windows Firewall, again, just like a typical setup to accept connections from the internet.


lifespeed

I run my server off main PC not web host I really hate PIA they have been super shady lately fixing to move to NORD

 

What don't you like about PIA?


b0dyr0ck2006

I didn't read the whole thread. I have a VPN from PIA that is on much of the time, it has no effect on incoming connections including Emby, a VoIP PBX as well as my FTP server. I bind the local IP address as well as the external IP address, which is actually a hostname from DNSExit to static-ize my dynamic IP. It is my understanding these are just the basic steps to enable access to Emby server from outside your network, with or without a VPN.

 

I don't see that the VPN has anything to do with incoming connections, and the outgoing traffic in response does not utilize the VPN socket either. I did not configure any port forwarding in the VPN because it is not used for the aforementioned servers. Just port forwarded the router and allowed Emby through the windows Firewall, again, just like a typical setup to accept connections from the internet.

I don't have a static IP, so that is where I was hitting issues. People trying to access the server without edits were encountering problems because the VPN address changes as well. The only way I could make this work was with binding the ports.

 

I shall look into this DNSExit and see if it will help.


lifespeed

I don't have a static IP so there is where I was hitting issues.

This is the issue you need to solve, I don't think VPN has anything to do with it.  Here is the free service, you can run the IP update client on the Emby server PC, or even in a router that supports dynamic IP updating.  Emby is not accessed using the VPN, it does not matter if your VPN IP changes.  You need a static hostname for your dynamic IP facing the outside world at the modem.


  • 5 months later...

I'm not sure if I'm doing this right and would appreciate some insight. On a Mac, if that matters.

 

In home address: http://192.xxx.x.xx:8096/

Remote: http://99.xxx.xxx.xxx:8096/

 

Do I put the Remote or the in home address in the bind to local network field in advanced settings? I've set up port forwarding for the port that the VPN connects to (23428)

 

I've tried putting both in the bind to local network address field, but the server doesn't load remotely.
