I am trying to set up NAT on a LinuxMint box, but failing at it. Need some help. Sorry for the verbosity of this post, but I wanted to give all relavent details I could think of.

The problem I am trying to solve is access to my Plex Media Server from outside my LAN. I do not want to use Plex's official solution, which is to set up an account with them and then use their servers as a middleman for connection to my media server. I want to keep this totally under my control, with no third-party middleman that could potentially cause privacy/security concerns.

So my proposed solution is to VPN from my remote client into my home LAN, and then access Plex from inside my LAN. This knocks the Plex companies account and middleman server out of the picture. The issue is that the Plex Media Server (the application running on my home Linux box) accepts connections without authentication from the home LAN, but requires authentication (again, through the Plex company middleman servers) for connection attempts from outside the LAN. Now, even though my client computer is VPN'ed into my home LAN, Plex Media Server still sees this as a connection attempt from *outside* the LAN. Why? Because my VPN is using TUN and not TAP. TUN requires that the VPN clients are on a seperate subnet from the home LAN, and then their communications are routed to the LAN's subnet. Contrastingly, TAP actually puts the VPN clients on the home LAN's subnet, so no routing is required. So why am I using TUN? Because one of my remote clients is an iPad, and iPads ONLY support TUN, they do not support TAP. OK, enough background.

So my situation is that my home LAN is 10.192.168.0/24 And my VPN clients are on 10.192.169.0/24 (note: 168 vs 169 in that third octet). Plex sees that incoming connection from a VPN client and says, "Hey, different subnet, therefore remote, therefore mandate that they authenticate through the Plex company servers". That's the whole third-party thing I am trying to avoid.

So my proposed solution is to NAT the incoming connections from the VPN clients, so that they appear to be originating from the home LAN subnet, not the VPN subnet. To fool Plex Media Server.

And that's where I'm failing - what I'm doing is not working. I'm sure it's some user error on my part - setting up the NAT'ing incorrectly.

My Linux server on my home LAN that is hosting the Plex Media Server is 10.192.168.2 and Plex Media Server runs on tcp port 32400. My VPN client is 10.192.169.20 (specific IP can vary, but always on the "169" subnet). I am running the iptables script on the Plex Media Server host, 10.192.168.2 My intent is to have these VPN clients come into port 32401 and have iptables change that destination to port 32400 and at the same time replace the incoming source IP address (on the VPN subnet) to be the same as the Plex Media Server IP address. So, in theory, Plex Media Server would see the incoming connection as originating from localhost, so therefore it wouldn't require authentication.

The problem is that NAT does not appear to be doing what I intend. If I try to connect incoming to port 32401, things just hang, the browser just spins on "Connecting..." (I should have mentioned, the Plex Media Server interface is http, so you access it with a web browser). My testing thus far has been done from computers inside my LAN. If a LAN computer tries to connect to port 32401, it should be NAT'ed just the same as a VPN client coming in to that same port. So I'm testing totally from the LAN for now, once that works, I'll move on the testing from the VPN.

Here's the script I'm using to set up NAT:
Here's the results after running the script:
The above output looks like exactly what I'm wanting. But it doesn't work when I attempt to come in to port 32401. Anybody know why?

Thanks in advance!

This looks promising, change my DNAT rule to a REDIRECT rule. It appears to have worked in my first test. More testing to follow...

New way of doing it:

... instead of the original way I was trying to do it:

Well, I can successfuly NAT the incoming port to a different port. But I cannot NAT the incoming source address to a new source address. I am wondering if this is because this iptables stuff is running on the same server that is to be the ultimate target of the packets. And maybe iptables is smart enough to know that the packet has already reached its final destination (the current server), therefore iptables is skipping the ROUTING and the POSTROUTING steps (and POSTROUTING is where you alter the source address). If this theory is indeed what is happening, does anyone know a way to force iptables to apply the POSTROUTING chain, even if iptables thinks that's a useless thing to do? Another alternative for me would be to try running the iptables NAT'ing on a totally different server than the Plex Media Server. And I would use that separate server as my own middleman in the connection. Luckily, I have lots of servers on my home LAN, and could use one of the others for this purpose. But that does add a bit of complexity to the setup.)

In order to see what's happening with my NAT'ing attempts, I stopped the Plex server running on port 32400 and replaced that with a simple PERL script LISTEN'er that logs the incoming connection specifics. The incoming IP address and the source port (the source port is meaningless, but it logs it anyway. This actually helps a little, because the source port is incrementing by one every time I make a new connection, so I can see that happening and know that my PERL script is working and not logging "stale" data from a previous connection).

Here's the script in its current form (you can see in the commented-out lines the others things I have tried, that didn't work either):

I was finally able to get all of this working, using a separate "middleman" computer on my LAN to do the NAT'ing.

On that middleman computer, 10.192.168.4, I run this script:

So when I VPN into my home LAN, I point my client's web browser to the middleman computer (not the real Plex Media Server computer, and that middleman redirects the traffic to the real Plex Media Server computer, doing all necessary NAT'ing.

This accomplishes my original goal - to be able to access my home LAN's Plex Media Server without having to go through a Plex company account, on Plex company middleman servers, using Plex company authentication.

Nobody else replied to this thread, but I decided to update it with my ongoing findings anyway, in case some time in the future somebody else may want to do what I have done, and runs into this thread via a search.

SOLVED!