Emby Connect, Express VPN, Remote User Access...

[ihayes916 0]

Greetings - 

I am observing odd behavior.  I've read that remote user access via Emby Connect won't work if there is a VPN running on the machine that is the Emby Server.  However, I am noticing that it IS working for 2 users, but not working for others.

Can anyone speak to why this might be happening?  Ideally, I would love it to work for all users - but I can't figure out this behavior.

Other details....
Emby 4.6.7.0
Express VPN
Windows 10

Thanks for any clues...
Isaac

[Luke 37253]

Quote

I've read that remote user access via Emby Connect won't work if there is a VPN running on the machine that is the Emby Server.

Hi, this isn't exactly true, it's just that the VPN may make it a little more difficult to setup and this can cause some to think that it can't be used.

[Luke 37253]

Quote

Can anyone speak to why this might be happening? 

What exactly is happening?

[ihayes916 0]

Thanks Luke!

Before I started using VPN, all users could access server and stream remotely using their EMBY connect account.  Since I've been using VPN, 2 users can still connect, but the third cannot.  

"User1" EMBY connect, Roku client app, is able to connect/stream.

"User2" EMBY connect, Roku client app, is able to connect/stream.

"User3" EMBY connect, XBOX client app, is NOT able to connect.  Reports "connection failure" when trying to connect to my server, after entering thier EMBY connect credentials.

I had "User3" create a new EMBY connect account.  Same error.  "User3" also tried from phone, same error.

 

Again, User1, User2, and User3 all had access prior to VPN usage.  Now, only User3 has issues.  The inconsistency of this behavior makes it hard for me to wrap my brain around the issue.

[Luke 37253]

Are they able to do a manual connection by entering your server address into the app?

[Carlo 4331]

A VPN to Emby is actually pretty transparent and not an issue at all.  Emby (client or server) runs fine over them.

The issue you may read about with the server is not being able to use meta-provider or other services.  The reason is simple.  People use public VPNs for all kinds of reasons including hacking, probing systems and other annoying things.  So many web sites and meta-providers ban those IP addresses.

Like any other network adapter put in a computer it will have it's own IP address and very well will have a different gateway address. The device or computer running the VPN now has potentially 2 starting paths to get to any place on the Internet. Some VPNs force use of the VPN by changing the routing table so the only way to get outbound is by the VPN connection. It may or may not allow you to still access local IP addresses.

Other VPN services offer slightly more advanced control over this routing by what they call "Split Routing" but it's nothing you can't control from the command line yourself. Split routing makes it nice for noobs to routing as you can pick services, programs or destinations (depends on service how they do this) and specify if they use the VPN connection or not.

On windows you can view how the routing is setup with a "route print" from the command line.  You can modify this yourself with the route command as well. "Route --help"

You can easily see what path the is used by doing a "tracert domain" or "tracert x.x.x.x" using the IP address.

So that's kind of how it works behind the scenes.

What I'd ask first about the xbox client is where do they have the VPN setup?  Is it running on the xbox itself or on the home router?
You would also want to ask them if the VPN support split tunneling or a way to bypass the VPN for certain services or destinations.
If they don't know, ask them what VPN service they are using.

[ihayes916 0]

@Luke still waiting to get back with the user to test this.  I'll update once i have this answer.

 

@cayars thanks for this explanation!!  I might not have been super clear on this. It is not the XBOX client (remote user3) that is running the VPN (nor the other two users) but rather MY host machine/server (Win10) that is running the VPN (express VPN).

[Carlo 4331]

I guess I'd ask why you're running a VPN on the server machine?
Do you at least have it split tunneled so nothing Emby Server does runs through it?

[ihayes916 0]

@cayars VPN on "server" machine bc it's my only machine.

re: split tunneled...just learning about this so for now, no.  But I will definitely work towards this.

All this being said, what still confuses me is the face that 2 out of 3 users can still access/stream content.  If it is a VPN issues, why would it not cause issues for ALL the users?

[Carlo 4331]

It could be because they were setup prior to the VPN being in place so they got your true external IP. If they can connect to it they likely don't have to query the Emby Connect backend to see if you have a new IP for the server.  The 3rd person likely is trying to connect when you had the VPN is place which is never going to work as the VPN isn't set to forward incoming packet to your Emby Server.

The only thing you can do right now to fix this is remove the VPN and restart your server.

What VPN provider are you presently using?  Depending on the provider I may be able to give you some advise to allow you to keep it in place but not have Emby use it.

An alternative setup if you are using other software that you want to run behind a VPN is to go virtual for that software. Hyper-V & Virtual Box on windows will both work for this. You could then install Windows or other OS in the VM with your VPN.

[Luke 37253]

@ihayes916 has this helped? Are you still running into this?

[ihayes916 0]

On 11/28/2021 at 8:48 AM, cayars said:

It could be because they were setup prior to the VPN being in place so they got your true external IP. If they can connect to it they likely don't have to query the Emby Connect backend to see if you have a new IP for the server.  The 3rd person likely is trying to connect when you had the VPN is place which is never going to work as the VPN isn't set to forward incoming packet to your Emby Server.

The only thing you can do right now to fix this is remove the VPN and restart your server.

What VPN provider are you presently using?  Depending on the provider I may be able to give you some advise to allow you to keep it in place but not have Emby use it.

An alternative setup if you are using other software that you want to run behind a VPN is to go virtual for that software. Hyper-V & Virtual Box on windows will both work for this. You could then install Windows or other OS in the VM with your VPN.

Apologizes for the delay...busy  times.
Thanks for these notes!  So I was thinking along the same lines.  Maybe people who can still connect were connected bf the VPN...but now I can't even connect remotely.
In order to sort things out, here's what I've done and my observations.

1. VPN currently running (Express VPN)
2. Noted Remote (WAN) access IP address in Emby Dashboard (http://45.xxx.xxx.xx/)
3. Tried to connect remotely/manually using this IP address (given by Express VPN: http://45.xxx.xxx.xx/) - FAILED.
4. Tried to connect directly to this IP via browser IN NETWORK - FAILED.
5. Disabled Express VPN
6. Restarted Server
7. Noted Remote (WAN) access IP address in Emby Dashboard changed -  (http://71.xxx.xxx.xx/)
8. Tried to connect remotely/manually using this IP address (Real IP: http://71.xxx.xxx.xx/) - PASS.
9. Tried to connect directly to this IP via browser IN NETWORK - pass
10. Started VPN
11. Restarted server
12. Noted Remote (WAN) access IP (http://45.xxx.xxx.xx/)
13. repeat all above - same results.

Soooo....TLDR;
Can't connect remotely when Express VPN is running.

But...not even if I try to access directly via the WAN IP??  Shouldn't that work?
Thoughts?

[ihayes916 0]

On 12/7/2021 at 11:09 AM, Luke said:

@ihayes916 has this helped? Are you still running into this?

Hey Luke - thanks for the follow up.
Still having this issue.  Definitely the VPN...  :(

[ihayes916 0]

OH SNAP!  Express VPN does "split tunneling"
 

Quote

What is the split tunneling feature?
The split tunneling feature allows you to decide which apps use the VPN and which apps don’t when your device is connected to ExpressVPN.
https://www.expressvpn.com/support/troubleshooting/split-tunneling-desktop/#what-is-connection-per-app

So I just tried this...
1) added EMBY as an app to NOT use the VPN
2) restarted EMBY 
3) observed that the WAN IP has gone back to my "real IP" (http://71.xxx.xxx.xx/)
4) tried to connect remotely and locally to "real IP" - connection FAILS. 

This feels really close to a solution. 
I wonder if there is more I need to add to the "VPN Exclusion" other than the "EmbyServer.exe" file? 

Any thoughts?

[ihayes916 0]

FIXED! Huzzah!
So, in my trouble shooting, I removed the port forwarding in my router settings.  Added it back and now all is working.

Not sure this is the "BEST" solution, but remote users can now connect.

For those playing along...

Fix:
Used Express VPN split tunneling and "exclude" Emby.

[Luke 37253]

Thanks for the feedback.