Hi,
have been watching Wendell's videos for a while and have been waiting for years for his video on "How to use a server behind NAT for Mail, Plex and other content". He recently mentioned it again on the Linux channel so I thought I should just try to do it. Since my provider cannot give me a public IP I have had this struggle for about 2 years. This is what I came up with:
I purchased a cheap VPS (with the ancient 2.6 Kernel unfortunately) with Debian 8 minimal and did the standard procedure (Harden SSH, Iptables, limited user account etc.). The Linode Tutorial on "Securing Your Server" was a good starting point. I then configured it to be an OpenVPN Server (Had to wait a few days for support to enable TUN/TAP for the OpenVZ contaiener). I set up an OpenVPN client on the PfSense in the lab (Yea I know running it on a virtual machine is bad practice) connecting to the VPS Server. Surely enough, this seemed to work fine.
After having the network infrastructure set up, I installed apache and configured different virtual hosts for each subdomain. I set up a letsencrypt certificate on all subdomains so everything is encrypted on the front end of things. For the plex subdomain I used a reverse proxy to point to the PfSense box. On the PfSense it is then port forwarded to the appropriate Plex container on port 32400. While doing it I kept thinking that this couldn't possibly be best practice to use a reverse proxy AND port forwarding. On the other hand I didn't want the VPN tunnel to terminate in my plex container since it would bypass my pfSense firewall and jeopardize the whole container as well as needing to install openvpn on it. I would appreciate any input on this.
Anyways I tested it going to plex.mydomain.com and luckily enough it work (I won't mention an hour of troubleshooting with firewall rules here). Unfortunately it still shows the Plex login page. I will try to put the VPN network in the noauth configuration for plex so it won't show up and bypasses the whole myplex thing. I further want to put an authentication on plex.mydomain.com either through apache or some simple web page so I have some sort of authentication. Next step is to do something similar with the mail.mydomain.com subdomain to connect to my Exchange server (Yes I have a licence). This should enable the webmail. Don't know what I am going to do with the smtp part and reverse DNS and all the other mail nonsense.
If you have any questions or input let me know I am open for suggestions. I hacked this together in roughly one day so give me a break ;)
Edit: Ascii was totally messed up so replaced with screenshot