So if I am using a VPN on my server, should I be able to play files on my LAN through the router? It currently seems to work this way, but is it normal, or is there something wrong with my VPN? Basically I want to run my server with the VPN always on and play files on my Roku, and I want all the data to stay local.
TL;DR: If you’re using a commercial VPN provider, like Private Internet Access, then you don’t really have anything to worry about, especially if you keep “Remote Access” turned off in Plex. If you’re using a work or home VPN (and if they record your internet history, and/or have more open ports), then things are a little different, but you should be fine for the most part as long as you turn off “Remote Access” and “auto check for updates”, and uncheck every metadata agent.
If you want a more thorough explanation, you can read on below.
Access to LAN and VPN networks at the same time:
Being able to access your local network and VPN at the same time is normal with many VPN technologies. OpenVPN (which is probably what your commercial VPN provider uses) works in either routed or bridged mode, and on Windows devices (for example) it defaults to routed mode and sets up a virtual network interface. Windows will still see your home network and devices via your normal network interface, while the virtual network interface is seen as having the only working internet connection (meaning all your internet traffic gets routed through it, instead of your home network). This gives you the best of both worlds: LAN access and an encrypted VPN tunnel to external networks.
Some business VPN clients work in bridged mode, which would put your Plex server on the VPN server’s subnet, instead of keeping them both separate. Given your request, this isn’t what you want and should be avoided.
When Plex connects to external networks:
Not including Plex extras (like channels/plugins, etc.), there are only a few reasons that the Plex app would access an external network (the internet): to check for updates, to get movie/TV information, and if you enable “Remote Access”. If you’re connected to a commercial VPN provider, it’s likely they will block most non-standard ports, meaning Remote Access will not work (some providers will open ports for you after you contact their support staff). Either way, I don’t think any of these things are worth worrying about, unless you’re using a work or home VPN. If you’re using a work VPN, it might be inappropriate to have a Plex update server, or TheTVDB, or things like that in your internet history.
Concerns about data leakage between networks:
Your VPN network and your local home network aren’t on the same subnet, which means you don’t have anything to worry about when it comes to accidental data leakage regarding your Plex library, what you’re streaming, or anything like that. Plex uses GDM (Plex’s custom broadcast protocol) as its broadcast method, which means it’s the client (your Roku) that asks your home network if there’s a Plex server on it. If there is a Plex server on the same network as the Roku, the server will respond. Anything you stream to your Roku will stay on the subnet that has both your server and Roku on it (your home network). The server itself doesn’t send out any kind of broadcast in this sense, so if your server is connected to a VPN, you have nothing to worry about in that regard.
How to further lock down your server if you still have concerns:
If you’re connected to a workplace VPN, and they use devices with Plex apps at your job (for some reason), then there’s a good chance that they’ll see your Plex server (since technically your server is connected to 2 LANs at the same time; your home and your work intranet). In this case, there’s a setting within Plex itself to let you specify which network Plex treats as the local network, and then it will consider all other networks to be external networks. After you fill that out, disable automatic updates, uncheck every metadata agent, and make sure Remote Access is turned off and you should be golden to use your work network and stream with Plex to your home network.
And as always, you can use your firewall to limit Plex, and all the ports associated with it. You can make it only use a certain interface, or only allow it to access local networks, or trusted/private networks. There’s a wide variety of ways to do this depending on what OS you have and what firewall you’re using.
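The answer above leans on two things: the host’s routing table deciding which interface a packet leaves on (the routed/TUN setup), and Plex’s “LAN Networks” setting deciding which peers count as local. The following is an added example, not code from this thread, from Plex or from OpenVPN: a small model of both decisions using the same longest-prefix-match rule a host’s kernel applies. The interface names, addresses and routing-table contents are assumptions, chosen to look like a Linux box on a home LAN running an OpenVPN client in routed (TUN) mode with “redirect-gateway def1”.

```python
"""Added example (not from the thread): model the split-tunnel routing decision
and Plex's "LAN Networks" check with longest-prefix matching.

Interface names, addresses and the table below are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: Optional[str] = None  # None means directly connected (on-link)


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Constructed routing table (assumption). OpenVPN's "redirect-gateway def1"
# adds two /1 routes via the tunnel; together they cover every address, and
# because /1 is more specific than /0 they beat the LAN's original default
# route without it having to be deleted. The LAN's own /24 is more specific
# still, so LAN traffic keeps leaving on eth0.
ROUTES: List[Route] = [
    Route(net("192.168.1.0/24"), "eth0"),               # home LAN, on-link
    Route(net("10.8.0.0/24"), "tun0"),                  # VPN tunnel subnet
    Route(net("0.0.0.0/1"), "tun0", "10.8.0.1"),        # def1, lower half
    Route(net("128.0.0.0/1"), "tun0", "10.8.0.1"),      # def1, upper half
    Route(net("0.0.0.0/0"), "eth0", "192.168.1.1"),     # original LAN default
]


def lookup(dst: str, routes: List[Route] = ROUTES) -> Route:
    """Return the matching route with the longest prefix, as the kernel does."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r.prefix.prefixlen)


def egress_interface(dst: str, routes: List[Route] = ROUTES) -> str:
    return lookup(dst, routes).iface


# Plex's "LAN Networks" setting takes a comma-separated list of CIDRs; when it
# is set, only peers inside those networks are treated as local. This models
# that membership test; it is not Plex's own code.
def is_local_client(client_ip: str, lan_networks: str) -> bool:
    addr = ipaddress.ip_address(client_ip)
    cidrs = [c.strip() for c in lan_networks.split(",") if c.strip()]
    return any(addr in net(c) for c in cidrs)


def summarize(lan_networks: str = "192.168.1.0/24") -> dict:
    """For a few destinations: which interface carries the traffic, via which
    gateway, and whether Plex would treat that peer as local."""
    out = {}
    for dst in ("192.168.1.50", "10.8.0.1", "8.8.8.8", "104.16.0.1"):
        r = lookup(dst)
        out[dst] = {
            "iface": r.iface,
            "via": r.gateway or "on-link",
            "plex_local": is_local_client(dst, lan_networks),
        }
    return out


if __name__ == "__main__":
    for dst, info in summarize().items():
        print(f"{dst:>14} -> {info['iface']:5} via {info['via']:12} "
              f"plex_local={info['plex_local']}")
```

The Roku at 192.168.1.50 resolves to eth0 on-link, while 8.8.8.8 and 104.16.0.1 resolve to tun0 via the VPN gateway, which is the split the answer describes. To compare the model with a real machine, `ip route show` (Linux) or `route print` (Windows) prints the live table, and `ip route get 8.8.8.8` on Linux shows the kernel’s actual choice for one destination.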
Depends. Do you have firewall rules set up so that local traffic doesn’t route through the firewall? If not, then all your streams are going over the internet and terminating at your VPN provider.
Why do you want your server to always have a VPN? Does it do other things like a personal PC? Or are you just wanting it for security? Plex provides HTTPS out of the box so no one can tell what you’re streaming if that’s what concerns you.
Your post is very unclear. What are you connecting to via VPN from where/what?
You’re absolutely right about Plex not going outside the home network. Plex accesses external networks for only a few reasons, and Remote Access is probably the only one that OP cares about.
Otherwise, Plex will only deliver streams to devices on its own subnet. In OP’s case that’s the VPN network and OP’s home LAN. Since the VPN network has no devices or clients on it, the only real option for Plex to stream to is OP’s home network.
No streaming data leaves OP’s local network.
I am just concerned about grabbing metadata and the Plex login. I would rather VPN that stuff. The computer is just an old computer I use as a server.
I’m not sure I understand what you’re trying to say in regards to firewalls and the streams going over the internet.
Even if OP had no firewalls at all (ignoring the obvious security implications), the VPN network and his home network are on different subnets (unless OP is using an obscure VPN provider who uses server-side bridges for some reason; but then they wouldn’t be able to see their home network). Plex, by default, will only route streams to the subnets that it’s connected to, and it even says this in the Plex Server network settings. In OP’s case, the Plex Server is connected to 2 subnets, the VPN’s network and OP’s home LAN. Given the way that Plex’s broadcasting/network discovery works (GDM), it can’t route any streams onto a subnet that has no devices on it. This means it can’t send streams to the VPN’s network, nor can it send streams to the internet as if it’s a local network, because the internet doesn’t work that way. Only subnets with devices that actively broadcast will be acknowledged by the Plex Server; so OP’s home LAN, with their Roku device, is the only subnet that can receive streams from the Plex server.
If you’re saying that OP can force Plex to only use the subnet of their choice by adjusting the rules in their firewall, you’re totally right. But the lack of firewalls or lack of proper rules in a firewall doesn’t mean Plex streams will be routed outside the subnet that it’s on, much less onto the general internet or to the VPN.
Why are you concerned about the metadata grabbing?
A firewall rule would determine which NIC (as the VPN connection will be a TUN interface) the Plex server communicates over. A VPN connection by default will normally prevent communication over anything other than the TUN.
You could force Plex to work over one interface or another, and it’s not a bad idea if you’re unsure or have doubts about what interface it’s using.
I guess I haven’t seen any setups like the one you mention in a while, at least not on desktop OSes by commercial VPNs. As I understand it, a lot of the major VPN providers (at least NordVPN, PIA, and PureVPN) are using the TAP interface on PCs, which makes life easier by allowing the virtual interface to create, capture and parse the headers in the frames it receives/sends (because it’s a layer 2 device which handles frames, unlike TUN, which is layer 3). This means keeping local and external networks separate should be easier to achieve without manual intervention (like firewall rules).
Any frames populated with headers that contain MAC addresses of local devices (or of the physical network interface) will be ignored by the TAP interface; meaning those frames will be handled by the physical device and routed normally onto the local network. All externally bound, and received, frames will be handled by the TAP interface, and would therefore be routed towards the TAP’s subnet (because the header would point to the MAC of the VPN provider’s device which is only available on the TAP’s subnet).
Edit: Just talking about destination MAC addresses, not the source. And since OP can see and interact with this local network, it’s likely he has the setup described above.
It has nothing to do with your VPN provider or MAC addresses. Routing tables are local and at layer 3.
I’m not really sure what’s happening here, but I feel like we’re talking about entirely different things. I don’t know how you can say that MAC addresses don’t matter, especially considering my entire comment, hell, this entire post (given that it’s about LAN and Plex) is about the LAN level; not hops between multiple networks, which happens later. But I guess I’ll try to explain what I wrote in a different way and include links on the concepts I’m talking about.
How does user data get transmitted over a physical medium? It has to travel down the OSI model by a process called encapsulation, because you can’t stick high level user data directly onto a physical medium, right? This means that user data → segments → packets and all of that is eventually encapsulated into frames (layer 2). Frames are what ensures the packet reaches its destination WITHIN the local network (if it’s intended for another physical network, the old data link layer (aka frame) is discarded once it reaches the router and a new one is applied once it enters another physical network). See Network layer interaction with the Data Link layer.
This travel through the local network is possible because the frame has a header which contains the destination and source MAC addresses, and this is assisted by the fact that devices on the network have an ARP table and can properly forward the frame to the correct destination (WITHIN the local network). Running an ARP table request (`arp` on Linux, or `arp -a` on Windows) on the device connected to the VPN will show you the hosts on both subnets, which means you can see the VPN provider’s device that receives the frames from your TAP interface. Don’t take my word for it: connect to your VPN and run a traceroute. You’ll see the very first device will be the gateway address on your VPN’s subnet (well, it’d have to be, or else your VPN wouldn’t be working at all).
So can you see how it would be advantageous to emulate a layer 2 device which can write and read all frames received by the physical layer 2 device? Any packet bound for an external network will be captured and handled by the TAP driver, written to a frame that is designated to travel within the subnet that connects your TAP virtual interface to the VPN’s network. Any packet that isn’t bound for an external network can be processed normally and put into a frame that is bound for the local network (or the home subnet); unmodified by the TAP driver.