
Leaderboard


Popular Content

Showing content with the highest reputation on 11/14/25 in Posts

  1. 1 point
    Nasdaq

    [ENDED] 2025 Black Friday Sale

    One more year for me! Thanks AirVPN and keep up the good work
  2. 1 point
    ## Plex Remote Access via AirVPN with Proxmox

    This guide explains how to run a Plex Media Server in a virtual machine that routes all its traffic through a separate, dedicated VPN gateway VM. This is ideal for users who want to expose Plex to the internet without revealing their home IP address.

    ## The "Double NAT" Problem

    The challenge is a "double NAT" scenario. A standard Plex setup assumes a simple path: Internet -> Your Router -> Plex. In this VPN setup, the path is more complex: Internet -> VPN Public IP -> VPN Server -> Your Alpine Gateway VM -> Your Plex VM

    This is somewhat of a guide for myself, to show you how to configure the firewall rules to correctly forward traffic through this chain. When you have more than 1 NIC on a Linux VM, make sure you only have 1 gateway. You can have a NIC with no gateway and it will connect to LAN clients.

    ## 1. System Overview

    This setup uses two virtual machines on a Proxmox host:

    - Alpine Linux Gateway VM: A minimal VM that connects to your VPN service (e.g., AirVPN using WireGuard) and acts as a router and firewall. Similar to Whonix.
    - Plex Server VM: A VM running your preferred OS (like MX Linux) that holds your Plex installation. Its internet traffic is routed exclusively through the Alpine Gateway. It connects to an NFS share for media.

    Network Layout:

    - Proxmox Host: Connected to your main LAN.
    - Internal Network: A private virtual bridge in Proxmox (e.g., vmbr1) using a subnet like 10.66.66.0/24. This network is for communication between VMs only; there is no WWW access until you connect to the Alpine gateway.
    - Alpine VM: Has two network cards: one on your LAN, which connects to AirVPN (192.168.1.x), and one on the internal network, which forwards packets to the VMs (e.g., 10.66.66.1).
    - Plex VM: Has one network card on the internal network with a static IP (e.g., 10.66.66.70) and its gateway set to the Alpine VM's IP (10.66.66.1).

    ## Step 1: Configure VPN Port Forwarding

    Get your forwarded port from AirVPN. This will be the first link in the chain.

    Log in to your VPN provider's control panel (the first image shows AirVPN's panel). Request a new port forward. Note the two ports it gives you (change the Local Port to be different from the main one):

    - External Public Port: The port the outside world will connect to (e.g., 40516).
    - Internal Forwarded Port: The port your gateway VM will receive traffic on (e.g., 6699).

    ## Step 2: Configure the Alpine Gateway VM

    This is the most critical part. The Alpine VM must be configured to forward traffic from the VPN tunnel to your Plex VM. Install WireGuard and set up AirVPN WireGuard with wg-quick to auto-start when booted up. This setup will use the following format:

    WWW 40516 --> AirVPN 6699 --> Alpine Gateway 40516 --> Plex VM 32400

    ### A. Enable IP Forwarding

    Edit /etc/sysctl.conf and make sure this line is uncommented:

    ```
    net.ipv4.ip_forward=1
    ```

    ### B. Create a Startup Script

    In Alpine, rc services are used for startup. Create a script to bring up your VPN and apply your firewall rules.

    Create the file:

    ```
    sudo nano /etc/local.d/vpn-firewall.start
    ```

    Paste the following script inside, adjusting interfaces and IPs as needed.

    ```
    #!/bin/bash
    sleep 5
    ip link set eth1 up
    sleep 2

    # Bring down the tunnel to ensure a clean state
    wg-quick down wg0 2>/dev/null
    sleep 2

    # Bring up the WireGuard tunnel
    wg-quick up wg0
    sleep 2
    echo "WireGuard tunnel activated." >> /var/log/wireguard-boot.log

    # Flush old rules for a clean slate
    iptables -t nat -F PREROUTING
    iptables -t nat -F POSTROUTING
    iptables -F FORWARD
    echo "Applying new iptables rules..." >> /var/log/wireguard-boot.log

    # Rule 1: Allow established connections to return
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Rule 2: Masquerade (NAT) all outgoing traffic from the internal network through the WireGuard tunnel
    iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE

    # Rule 3: DNAT - This is the Plex port forward.
    iptables -t nat -A PREROUTING -i wg0 -p tcp --dport 6699 -j DNAT --to-destination 10.66.66.70:32400

    # Rule 4: FORWARD - This allows the packet from the DNAT rule to be forwarded to the Plex VM.
    iptables -A FORWARD -i wg0 -o eth1 -p tcp -d 10.66.66.70 --dport 32400 -j ACCEPT
    echo "Firewall rules applied successfully." >> /var/log/wireguard-boot.log

    # Ping check
    host="10.128.0.1"
    count=1
    if ping -c "$count" "$host" > /dev/null 2>&1; then
        echo "$(date) Ping to $host successful." >> /var/log/wireguard-boot.log
    else
        echo "$(date) Failed to ping $host. Restarting WireGuard." >> /var/log/wireguard-boot.log
        wg-quick down wg0 2>/dev/null && wg-quick up wg0 && sleep 3
    fi
    echo "$(date) WireGuard setup complete." >> /var/log/wireguard-boot.log
    ```

    Make the script executable:

    ```
    sudo chmod +x /etc/local.d/vpn-firewall.start
    ```

    Now this script will run automatically on boot.

    ## Step 3: Configure Plex Remote Access ✅

    Finally, tell Plex about your custom setup.

    1. In Plex, go to Settings -> Remote Access.
    2. Check the box for "Manually specify public port".
    3. Enter the External Public Port AirVPN gave you (e.g., 40516).
    4. Click Apply.

    Plex should briefly check the connection and then show the green "Fully accessible" message. I wouldn't trust the Plex port checker; use the AirVPN one, as it is more robust and won't give false positives.

    Your Plex server is now fully accessible from outside your network through your secure VPN gateway. Once you confirm Alpine is set up properly, you can now set the drive to be read-only as good practice. Make sure you untick Enable Relay under Network in Plex to avoid using the unreliable and slow relay network. If you have issues, check that you have the right ports forwarded in Alpine with:

    ```
    iptables -t nat -L PREROUTING --line-numbers
    ```
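
The troubleshooting step that closes the guide above can be turned into a repeatable check. This is an added example, not part of the original post: it reads `iptables-save` output and confirms that every DNAT rule on the tunnel has a matching FORWARD ACCEPT rule and that MASQUERADE is present. The function names and the sample ruleset are constructed for illustration; the interface names, addresses and ports are the ones used in the guide.

```sh
#!/bin/sh
# Added example (not from the post): audit an iptables-save dump for the
# VPN -> gateway -> Plex forwarding chain. Function names are hypothetical.

# Constructed sample: roughly what iptables-save shows after the guide's script.
sample_ruleset() {
cat <<'EOF'
*nat
-A PREROUTING -i wg0 -p tcp -m tcp --dport 6699 -j DNAT --to-destination 10.66.66.70:32400
-A POSTROUTING -o wg0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.66.66.70/32 -i wg0 -o eth1 -p tcp -m tcp --dport 32400 -j ACCEPT
COMMIT
EOF
}

# Reads a ruleset on stdin; $1 is the tunnel interface. Exit status is 0 only
# if MASQUERADE exists on the tunnel and the DNAT targets and the tunnel-side
# FORWARD ACCEPT rules pair up one-to-one.
check_forward_chain() {
awk -v wan="$1" '
function arg(flag,    i) {   # value that follows a flag on this rule, or ""
    for (i = 1; i < NF; i++) if ($i == flag) return $(i + 1)
    return ""
}
$1 != "-A" { next }
$2 == "PREROUTING" && arg("-i") == wan && arg("-j") == "DNAT" {
    dnat[arg("--to-destination")] = arg("-p") " " arg("--dport")
}
$2 == "POSTROUTING" && arg("-o") == wan && arg("-j") == "MASQUERADE" { masq = 1 }
$2 == "FORWARD" && arg("-i") == wan && arg("-j") == "ACCEPT" {
    d = arg("-d"); sub(/\/32$/, "", d)
    fwd[d ":" arg("--dport")] = 1
}
END {
    if (!masq) { print "MISSING: MASQUERADE on " wan; bad = 1 }
    for (t in dnat) {
        n++
        if (t in fwd) print "OK: " dnat[t] " -> " t
        else { print "MISSING: FORWARD ACCEPT for " t; bad = 1 }
    }
    if (!n) { print "MISSING: DNAT rule on " wan; bad = 1 }
    # A tunnel-side FORWARD ACCEPT with no DNAT behind it is stale or a port mismatch.
    for (t in fwd) if (!(t in dnat)) { print "EXTRA: FORWARD ACCEPT to " t; bad = 1 }
    exit (bad ? 1 : 0)
}'
}

# On the gateway: iptables-save | check_forward_chain wg0
sample_ruleset | check_forward_chain wg0
```

The check does not cover `net.ipv4.ip_forward`, which step A sets; confirm that separately with `sysctl net.ipv4.ip_forward`.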