OpenVPN client port forwarding

So I’m working on my OpenVPN setup for college, which includes a way to continue hosting my Plex server while in the dorms. I know I won’t have the ability to port forward, so does anyone know how I would go about using a VPS-hosted VPN (OpenVPN or otherwise) to port forward?

E.g.:

Client at 10.x.x.125:32400 <-> VPN <-> internet.com:32400

So for example, Plex should detect my server at internet.com:32400 but in all reality it’s detecting the VPN which is then sending the traffic back and forth.

I’m aware of the performance hit this may cause, but does anyone have any pointers? I can’t seem to get iptables to work.

Are you asking how to connect a plex client located at your dorm to a plex server located at your previous residence? If that’s the case, the role the vps and vpn plays is unclear to me. But you use the DNAT target of the PREROUTING chain in the nat table to port forward.

No, the Plex server will be located in my dorm, and needs to have a connection to the internet via port 32400. The dorm network is not direct connect, and I can’t forward a port for the server.

Ah, so you want to use the vps as a reverse proxy. If you just have 2 points, the machine hosting plex and the vps, it’s easiest to use openvpn in point to point mode.

On the server you could run openvpn:

root@server:~# openvpn --ifconfig 10.200.0.1 10.200.0.2 --dev tun  --secret /tmp/secret.key --daemon

where 10.200.0.1 is the vps and 10.200.0.2 is the plex machine. And then forward traffic to the plex machine:

root@server:~# iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.200.0.2

And on your plex machine you can connect to the openvpn instance on the vps:

root@client:~# openvpn --ifconfig 10.200.0.2 10.200.0.1 --dev tun  --secret /tmp/secret.key --remote (vps' address)  --daemon

And the secret key for openvpn:

root@server:~# openvpn --genkey --secret secret.key

That will direct traffic sent to the vps on tcp port 32400 to the plex machine.

The issue will be how to make sure the plex instance routes its traffic back through the vps (the client will almost surely drop return traffic if it does not come back through the vps). You have two options: 1) route all traffic from the plex machine through the vps; or 2) route only plex traffic back through the vps.

In my opinion, routing only plex traffic back through the vps is best accomplished by SNATing all forwarded traffic so the plex machine thinks the traffic originally came from the VPS:

root@server:~# iptables -t nat -A POSTROUTING -d 10.200.0.2 -p tcp --dport 32400 -j SNAT --to-source 10.200.0.1

which probably lets you leave the plex machine’s routing table alone.
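Putting the whole VPS side of the above together, as an added example that is not part of the original reply: one script that starts the point-to-point openvpn instance, enables forwarding, and installs the DNAT/SNAT pair plus matching FORWARD rules. The public interface name eth0, the pinned tunnel device tun0, and the key path /etc/openvpn/p2p.key are assumptions; override them with environment variables.

```sh
#!/bin/sh
# Added example (not from the original thread): the VPS side of the
# point-to-point OpenVPN + DNAT/SNAT forward described above, as one script.
# Assumptions: the VPS's public interface is eth0, the tunnel device is pinned
# to tun0 so the firewall rules can name it, and the static key lives at
# /etc/openvpn/p2p.key. Override any of these via environment variables.

WAN_IF="${WAN_IF:-eth0}"                   # public interface (assumption)
TUN_IF="${TUN_IF:-tun0}"                   # pinned tunnel device (assumption)
VPS_TUN="${VPS_TUN:-10.200.0.1}"           # VPS end of the tunnel
PLEX_TUN="${PLEX_TUN:-10.200.0.2}"         # Plex end of the tunnel
PLEX_PORT="${PLEX_PORT:-32400}"            # Plex's TCP port
SECRET="${SECRET:-/etc/openvpn/p2p.key}"   # shared static key (assumption)

# Print the openvpn invocation for the VPS end: tun_if vps_tun plex_tun key.
# The VPS side needs no --remote; it listens for the Plex machine to connect.
openvpn_server_cmd() {
    printf 'openvpn --dev %s --ifconfig %s %s --secret %s --daemon\n' \
        "$1" "$2" "$3" "$4"
}

# Print the forwarding rule set for: wan_if tun_if vps_tun plex_tun port.
#  - DNAT is matched on the WAN interface only, so traffic arriving over the
#    tunnel itself is never rewritten.
#  - SNAT makes Plex see the VPS tunnel address as the client, so replies
#    ride back through the tunnel without touching Plex's routing table.
#  - FORWARD accepts only this one flow in each direction.
# Emitting the commands (rather than running them) lets the set be reviewed,
# piped into sh, or checked without root.
vps_rules() {
    wan=$1; tun=$2; vps_ip=$3; plex_ip=$4; port=$5
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $wan -p tcp --dport $port -j DNAT --to-destination $plex_ip:$port
iptables -t nat -A POSTROUTING -o $tun -d $plex_ip -p tcp --dport $port -j SNAT --to-source $vps_ip
iptables -A FORWARD -i $wan -o $tun -d $plex_ip -p tcp --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $tun -o $wan -s $plex_ip -p tcp --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

if [ "${1:-}" = "--apply" ]; then
    # Generate the shared key once; copy it to the Plex machine out of band.
    [ -f "$SECRET" ] || openvpn --genkey --secret "$SECRET"
    eval "$(openvpn_server_cmd "$TUN_IF" "$VPS_TUN" "$PLEX_TUN" "$SECRET")"
    vps_rules "$WAN_IF" "$TUN_IF" "$VPS_TUN" "$PLEX_TUN" "$PLEX_PORT" | sh -e
else
    # Dry run: show exactly what --apply would execute.
    openvpn_server_cmd "$TUN_IF" "$VPS_TUN" "$PLEX_TUN" "$SECRET"
    vps_rules "$WAN_IF" "$TUN_IF" "$VPS_TUN" "$PLEX_TUN" "$PLEX_PORT"
fi
```

Run it with no arguments to review the generated commands, then as root with `--apply` on the VPS. The Plex end (here a pfSense VM) still needs the mirror-image `--ifconfig 10.200.0.2 10.200.0.1 --remote <vps>` client from the reply above, using the same key file.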

Plex machine is windows, so I’ll most likely use point to point on a pfsense VM.

Second question, where are you defining the 10.200.0.1 addresses? Should OpenVPN be assigning addresses in that range?

I just picked 2 addresses in the ipv4 non-routable range. So just pick whatever two addresses in the 10.0.0.0/8 ; 192.168.0.0/16 ; or 172.16.0.0/12 range you like that don’t cause a local conflict for your network. I doubt the two addresses have to be consecutive or even in the same subnet for a point to point connection; but I have always just picked adjacent addresses.

I also don’t know if there are some BSD specifics that my suggestions above violate.

Edit: And if it’s just a plex client/server you are trying to hookup, you could probably improve performance by dropping encryption on the openvpn tunnel and just let plex handle the connection security.