OpenVPN client port forwarding

So I’m working on my OpenVPN setup for college, which includes a way to continue hosting my Plex server while in the dorms. I know I won’t have the ability to port forward, so does anyone know how I would go about using a VPS hosted VPN (OpenVPN or otherwise) to port forward.


Client at 10.x.x.125:32400 <-> VPN <->

So for example, Plex should detect my server at but in all reality it’s detecting the VPN which is then sending the traffic back and forth.

I’m aware of the performance hit this may cause, but does anyone have any pointers, I can’t seem to get iptables to work.

Are you asking how to connect a plex client located at your dorm to a plex server located at your previous residence? If that’s the case, the role the vps and vpn plays is unclear to me. But you use the DNAT target of the PREROUTING chain in the nat table to port forward.

No, the Plex server will be located in my dorm, and needs to have a connection to the internet via port 32400. The dorm network is not direct connect, and I can’t forward a port for the server.

Ah so you want to use the vps as a reverse proxy. If you just have 2 points, the machine hosting plex and the vps, it’s easiest to use openvpn in point to point mode.

On the server you could run openvpn:

[email protected]:~# openvpn --ifconfig --dev tun  --secret /tmp/secret.key --daemon

where is the vps and is the plex machine. And then forward traffic to the plex machine:

[email protected]:~# iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination

And on your plex machine you can connect to the openvpn instance on the vps:

[email protected]:~# openvpn --ifconfig --dev tun  --secret /tmp/secret.key --remote (vps' address)  --daemon

And the secret key for openvpn:

[email protected]:~# openvpn --genkey --secret secret.key

That will direct traffic sent to the vps on tcp port 32400 to the plex machine.

The issue will be how to make sure the plex instance routes its traffic back through the vps (the client will almost surely drop return traffic if it does not come back throught the vps). You have two options: 1) route all traffic from the plex machine through the vps; or 2) route only plex traffic back through the vps.

In my opinion, routing only plex traffic back through the vps is best accomplished by SNATing all forwarded traffic so the plex machine thinks the traffic originally came from the VPS:

  [email protected]:~# iptables -t nat -A POSTROUTING -d -p tcp --dport -j SNAT --to-source

which probably let’s you leave the plex machine’s routing table alone.

Plex machine is windows, so I’ll most likely use point to point on a pfsense VM.

Second question, where are you defining the addresses? Should OpenVPN be assigning addresses in that range?

I just picked 2 addresses in the ipv4 non-routable range. So just pick whatever two addresses in the ; ; or range you like that doesn’t cause a local conflict for your network. I doubt the two address have to be consecutive or even in the same subnet for a point to point connection; but I have always just picked adjacent addresses.

I also don’t know if there are some BSD specifics that my suggestions above violate.

Edit: And if it’s just a plex client/server you are trying to hookup, you could probably improve performance by dropping encryption on the openvpn tunnel and just let plex handle the connection security.