How to selectively route traffic on macOS 14.5 for VPN and Plex?

A Mac makes a comparatively expensive and awkward IP router, if that is where you’re headed.

As for some of the available mechanisms for controlling activities and routing, options, Apple builds pf into macOS, and (separately) Apple also uses eBPF for some tasks. pf is pretty handy for adjusting what foes where.

Static routes also work. More info:

networksetup -help
networksetup -printcommands
sudo route -n add 198.51.100.0/24 203.0.113.1

I’m skeptical around VPNs generally, save for connecting into the internal network of an affiliated organization, and for geoshifting for CDN testing and such. If you’re not interested in having your metadata harvested as I’d expect happens with too many of the (over-hyped) commercial VPN providers, have a look at running your own Algo server.

If you don’t want to roll your own local network infrastructure, have a look at Ubiquiti gear. Not cheap, but is very flexible and capable and well-integrated. I’d generally look to offload routing activities to a (the) local IP router (firewall, router, gateway, NAT), with the (incoming) VPN server embedded with the same box serving NAT, and (if needed) the local Layer 3 (-ish) switch, rather than trying to manage that locally.

Offloading IP routing activities to a switch or gateway / router / firewall / NAT box means you also don’t risk clobbering all connectivity to or from your Mac, if some rule is “wrong”. At least your Mac still works, and you can (potentially) (more easily) reset the box with the “creative” routing.

You might want to check with the folks running the Plex servers as well, as I’m less familiar with configuring the IP traffic associated with those servers.

rothnd wrote:

I’m sure I’m barely touching the capabilities of my router (again lack of knowledge) but could I somehow take care of routes per IP all from there? Even though it’s 2 IPs to the same machine?

If the IP packet traffic is destined for different IP ports, most routers, firewalls, and packet filters with layer 3 access can adjust the path used for traffic, either through static routes, or more generally through quality of service settings, or otherwise.

rothnd wrote:

It seems like maybe I can add the VPN config to my router (Netgear Nighthawk XR500) and say which interface to use it or not (maybe), but then the question is how do I tell the Mac to use this interface for this and that interface for that? Trying to generalize a little.

I’m unfamiliar with that router.

IP works per the packet, and each packet is its own decisions, both from the client to the server, and the completely separate routing decisions that arise from the remote server back to the client. Echpacket can potentially take a different path.

rothnd wrote:

Sorry for more but reading up on the router and I wonder if it would be better/more feasible to use the router to VPN but exclude the one port (Plex port) from that instead of worrying over IP/interface?

I’m not entirely sure what network configuration you’re headed for here.

Whether your particular router can initiate a VPN connection to a remote server, I don’t know. Mid- and upper-end routers can have that feature. Or you might end up establishing that VPN from the client device.

I’d suggest discussing customized routing with the folks that know connectivity what Plex and the other apps involved might require, if that’s your central goal here.