
STARLINK, CGNat and Remote Streaming



Lukeyson

Hi All

 

I'm in Regional Australia, and am just about to move from an 'NBN Fixed Wireless' service to Starlink from SpaceX. Previously, in order to get Emby remote streaming of my on-prem content to work, I had to have my carrier disable CGNat so I could get a proper registered dynamic IP address, and was able to port forward and get it working. It worked, technically, it was just that the Carrier 'Fixed Wireless' upstream bitrate is so diabolically terrible it made it nearly useless anyway.

The Starlink service I see is currently IPv4 CGNat only - with non-nat IPv6 on the roadmap. (yeah yeah, it's been on everyone's roadmap for nearly 20 years).

Since it's been quite a few years since I've found my previous CGNat fix, does EMBY yet have a streaming solution that supports CGNat? Even a paid online proxy/hub? Sorry if this is answered elsewhere - a search on CGNat returns an overwhelming number of hits as to make finding an answer to my specific question somewhat obfuscated.....

 

 

Lukeyson


There are ways to do this but basically you need to create a tunnel or use a VPN type connection to bypass the CGNAT. There are different ways to go about this but one of the best ways is to set up your own remote proxy/tunnel on a hosting site. You don't need much in the way of CPU or storage but want something with "unlimited" bandwidth.

That keeps you in total control and allows you to set up the remote host to cache your images making things load faster for users. This is more of an advanced setup but can be done for $5 or so a month or a low end hosting plan.

For non-technical technical types a hosting provider as mentioned above running a VPN server is the ticket. Often this can be done installing and setting up with a web GUI.

You can try public VPN services but you'll likely find they aren't great for Emby use.  The problem with them is that a lot of people use these services to hack from, run port scans and other questionable things.  So many of the meta-data providers block those addresses making it difficult to get meta-data for your libraries. You then have to set up specific routes to certain places to bypass the VPN.

Why don't you wait until you get the service to see if it's even worth doing or how well it will work? I could then set you up a tunnel through my system to use for a couple days to play a bit and see if it's worthwhile to set up for remote use.


GrimReaper

Following @cayars' excellent advice, just one thing to add re: public VPN: if you do find one that suits your needs, make sure it allows port-forwarding, as a lot of them don't.


CBers

My son has just had StarLink installed and is facing the same issues as you, but not just with Emby.

Let us know how you get on @Lukeyson.
 


  • 2 weeks later...

Hi

I would like to add that I have started to work on getting past my Starlink's CGNAT. I have been successful so far in using ZeroTier and a cheap VPS from OVH.
I have managed to access a basic webpage so far from external to my internal network. Next step is for me to set up some reverse proxy stuff and see if I can access my basic services, and then onto seeing if I can do emby and cctv.

I will keep you informed once I have gotten something to share.


If you have a domain name or can get one, the way to go is using a Cloudflare account and Argo Tunnel.  No need for open router ports as it's essentially a tunnel from you to them.

PS if you like ZeroTier check out Tailscale as well. I find it easier to use, more flexible (point to point) and faster as well.
It's free for personal use on up to 20 devices.  You can give access to other nodes that don't belong to you, setting access restrictions as well.

What's nice about that is, for example, if we wanted to use this to create a network between our systems it would be directly between us without them in the middle. The "headend" is only used to establish the connection but then gets out of the way unlike traditional VPN solutions where the server is always in the middle.

 


  • 2 weeks later...

So I now have external access to my local stuff including emby, which is great.

Here is a rough routing:
external -> ovh vps -> external nginx reverse proxy -> zerotier tunnel -> internal nginx reverse proxy -> local server.

All seems to work well and I have full access to the services I need.

If you would like more information please let me know.


@scalda what's the latency and ping times like?

Are you doing this so you can run an Emby Server from behind the sat link for others to access?

If not ignore everything else :)
If so you can remove a lot of those steps as they shouldn't be needed.

You could go from:
external -> ovh vps -> external nginx reverse proxy -> zerotier tunnel -> internal nginx reverse proxy -> local server.

to
Argo tunnel->local server

It would work with a local reverse proxy if you had other needs for it but it really wouldn't be helping otherwise. The Argo tunnel would provide image caching at the "edge" closer to people using your server so once graphics are pulled from your server they are delivered to clients quickly. That would make scrolling through your media a lot quicker as the sat link is eliminated once cached.


  • 4 weeks later...
On 12/12/2021 at 2:11 PM, cayars said:


Argo tunnel->local server

It would work with a local reverse proxy if you had other needs for it but it really wouldn't be helping otherwise. The Argo tunnel would provide image caching at the "edge" closer to people using your server so once graphics are pulled from your server they are delivered to clients quickly. That would make scrolling through your media a lot quicker as the sat link is eliminated once cached.

 

Hi Cayars - do you have any links to guides on setting this up? I also find myself now behind a CGNAT on 5G mobile network


Right now it's just my notes and sample command lines that work.  Just need to change domain name, tunnel, name, etc

What OS are you running Emby Server on?


I have not got this to work in docker yet and haven't tried recently.

It's a bit tricky.  Here's a high level overview in general.
You have a single executable to use (Windows or Linux) that you load up with command line switches/options to tell it what to do.

The first step is authorization.  So you pass in the commands and the executable opens a browser window for you to log in to your account and authorize its use.  It also gives you the URL in case you need to copy/paste it and authorize on a machine without a browser. This step downloads certificate information (PEM files) and credentials.

Next you create a tunnel name which is pretty easy.

After this you create a config.yml file and set this up with the tunnel, the credentials and your cert information.  Everything has to be pointed to the proper location it expects to find these files which isn't the easiest thing to do in docker.

Next you create a DNS entry in Cloudflare for the tunnel to use.  "emby" most likely in this case.

Now you modify the config.yml file setting up the ingress rules and how to route the packets.  Not hard and has this format:
ingress:
  # service is http://IP:Port (ie http://192.168.1.20:8096)
  - service: http://IP:Port
    originRequest:
      # originServerName is <hostname>.Your-Domain.Ext (ie emby.carlo.tech)
      originServerName: <hostname>.Your-Domain.Ext

Next we run a command to link the tunnel to the special dns record we created (ie emby)

Now we configure Emby networking to match the settings used above.  In this case no https (we'll let Cloudflare handle it for us) and just 8096 for external access.
We'll tell Emby to use a proxy and (so it can handle https but allow Cloudflare to do the work).

At this point a user would use https://emby.domain.ext:443 (basically a secured url).
The traffic received through the tunnel is 443 but our ingress rule allows Emby to answer on 8096, making it simpler as you don't have to set up any certs.

So up to this point is all setup and really should only need to be done one time.

In general use we run one command which starts up the tunnel. On Windows it can be made into a service so it's always active. Same on Linux.
In Docker it could fire off on launch.

So you can see how this would likely be problematic in docker as your network stack can get in the way. You might have some type of automatic proxy setup for docker which breaks things.  Then of course is the setup/config in docker which basically requires having an empty docker shell you can SSH into to do the config.

I've never really used Unraid so I'm not going to be a big help unless it's like standard Linux.  In that case it might be much simpler as you could set this up outside of docker on the host machine and just use the ingress rule to forward to the docker IP.  As long as the network is bridged that would work.

I've wanted to help a few people set this up on Synology, Qnap and other NAS boxes but there isn't a compatible executable for those platforms yet so that only leaves docker or setting this up on a Linux or Windows PC that's on 24/7.  It can route across your network so the tunnel does not need to be set up/installed directly in docker.

 

 

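The setup steps described in the post above, as an added example that is not part of the original thread or the poster's own notes. It assumes the executable is Cloudflare's `cloudflared`; the tunnel name, hostname, credentials path and origin address are placeholders, and it goes slightly beyond the post by matching the public hostname explicitly and ending with a catch-all 404 rule.

```shell
#!/bin/sh
# Added example: writes a cloudflared config.yml for the steps described above.
# Tunnel name, hostname, origin URL and file paths are placeholders (assumptions).

# write_tunnel_config <out> <tunnel> <credentials.json> <hostname> <origin-url>
write_tunnel_config() {
    out=$1 tunnel=$2 creds=$3 host=$4 origin=$5
    # The origin needs a scheme and an explicit port, as in http://IP:Port.
    case $origin in
        http://*:[0-9]*|https://*:[0-9]*) ;;
        *) echo "origin must look like http://IP:Port" >&2; return 1 ;;
    esac
    # The hostname is the public DNS name only: no scheme, path or wildcard.
    case $host in
        *[!A-Za-z0-9.-]*|"") echo "bad hostname: $host" >&2; return 1 ;;
    esac
    ( umask 077   # the config names the credentials file; keep it owner-only
      cat > "$out" <<EOF
tunnel: $tunnel
credentials-file: $creds
ingress:
  - hostname: $host
    service: $origin
    originRequest:
      originServerName: $host
  # Catch-all: requests for any other hostname never reach the LAN.
  - service: http_status:404
EOF
    )
}

# last_ingress_service <config>: prints the service of the final ingress rule.
last_ingress_service() {
    sed -n 's/^ *-\{0,1\} *service: *//p' "$1" | tail -n 1
}

# tunnel_commands <tunnel> <hostname> <config>: dry run that prints the
# one-time setup commands followed by the everyday run command.
tunnel_commands() {
    cat <<EOF
cloudflared tunnel login
cloudflared tunnel create $1
cloudflared tunnel route dns $1 $2
cloudflared tunnel --config $3 run $1
EOF
}
```

Calling `write_tunnel_config ./config.yml emby-tunnel ./emby-tunnel.json emby.example.com http://192.168.1.20:8096` produces the file; `cloudflared tunnel ingress validate` can then check it before the tunnel is started.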

Iangbarton

I have just installed the Tailscale Docker on my UNRAID server and Android phone. I can now open emby using the ip address provided by Tailscale on my phone. This seems to be about the simplest method to get remote access.

Also it works with CGNAT. My emby server is behind a starlink dish.


RanmaCanada

I know this appears to be about having servers behind a starlink, but what about clients.  I have some friends who have starlink, and they find it totally unusable when it comes to browsing my server, which is on fibre.  Should I make another post in regards to this, or should we keep all the starlink stuff in one place?  I have no problem with whatever the powers that be decide.  I just would like to get some answers, as would my friends.
