
Access Emby outside of LAN without any port forwarding


atoka93

adrianwi

Change your ISP!  As a minimum they should open 80/443, but I'd just find another.


1 hour ago, Luke said:

Hi, what about a VPN?

A VPN might work, didn't think of that. Thank you!
 

29 minutes ago, adrianwi said:

Change your ISP!  As a minimum they should open 80/443, but I'd just find another.

They should provide something, I agree, but it's a great provider otherwise, so I will try a VPN first.


Hi, is it just for you and your family or is it for others as well?
It gets more complicated trying to do this right if you want it open and shared.
But it can be rather simple if just for you or your family and their devices.

Carlo


  • Solution

I would check out both ZeroTier and TailScale which are very similar products.
They both have a free tier you would easily fit into with 50 and 20 devices on the free plan.

Essentially both allow you to set up your own private VPN service where you set up and control the clients and use of your VPN.
It's rather elegant in how they work. Your first node will be the Emby Server machine. Your Emby Server node machine opens a port to their server and basically lays dormant until a client you set up on a PC or phone wants to access it.  So if you were on your phone, you would turn on the ZeroTier client which logs you in.  As soon as you try to access your Emby Server a connection is established directly from your phone to the Emby Server.  The tunnel that was open and checking in now sees you want to use it.

It's a clever solution to this problem as your Emby server opens a connection to their server and says "I'm ready, let me know when one of my authorized devices needs me" and then just goes dormant until needed.  The key is that there is an active connection open, just not doing anything.  So your Emby Server has punched through the CGNAT and blocking that your ISP has in place.

The only semi-tricky part is installing the software on the devices.  It's not hard and well documented but might take reading a couple of times to sink in.  The way they both work is that you get your very own IP space with your own dedicated IPs for each device.  These are "reserved" and unroutable IPs on the public internet and meant just for this type of private use.

So the key takeaway is that your Emby Server will have one of these reserved IPs all to itself which you need to use.  It's this IP you will use in the clients you use remotely and not what is shown on the Emby Dashboard.  It does not matter if you always use this IP even when you're home on your own LAN as you'll just have a tunnel that never leaves your LAN.  This private tunnel should be left on for the Emby Server but you might want to manually turn it on/off on cell phones if you pay for data, as a precaution.

Try both ZeroTier and TailScale to see if one works better for you or if you like the setup/GUI better.

https://www.zerotier.com
https://tailscale.com

PS These have absolutely nothing to do with other common VPNs you hear people talking about like PIA, NordVPN, etc.  The only thing they have in common is the fact they both use encrypted tunnels.  Other than that they work fundamentally differently.  The only traffic that should ever pass through ZeroTier or TailScale in your use is to your Emby Server and not any other traffic, as that will not be any different than it is now.


I'm working on a set of guides to cover multiple ways to work around CGNAT that covers multiple use case to allow the Emby admin to pick the solution best for them or try a couple things to see what works best.

The guide will cover everything from these two services to creating/hosting your own tunnel in a cheap cloud instance for roughly $5/month. This gives you a public IP address that any client can use. The public IP in the cloud instance then uses a dedicated tunnel to the Emby Server.  Only the Emby Server uses it as all Emby clients and browsers use the public IP address from that point on. You could of course set up DDNS or a domain name pointing to that IP address instead of having to know/remember the IP. This would allow you to also cache images in the cloud (depends on storage space) to make it faster for the clients as well.  Sounds hard but really isn't, especially with step by step directions.

Other options include similar tunnel/VPN services you can purchase for $5/month but which have limits and require specific software (OpenVPN or SSH), which may be easier than the above but not with as many features. Might not be as fast either.

Then of course, using a typical VPN service like PIA, NordVPN, etc. you see advertised all over the net. The trick to this is using a provider that supports static IP and/or port forwarding. Lots of downsides to this one IMHO as many sites block VPN addresses, likely worse throughput than having your own tunnel (as above), possibly revolving public IPs requiring DDNS or similar.

Then there is the granddaddy solution which does take some time to set up but adds a nice level of security and makes your site faster if done correctly, which is setting your server up to run behind Cloudflare using their Argo tunnel service. This requires registering a domain name (all revolves around this), setting up certificates, walking through pages of options to make sure it's set exactly correctly, then creating a tunnel using their software which is a 5 part process and making it a service or system startup function so it's always running.  I've created step by step directions for the hard part (creating the tunnel) and it works great on Windows or Linux but can't run natively on most NAS and I've yet to get it to work in docker.  So this is a great solution if things fit but not universal yet.

There are 2 other methods as well but the above are the main ones.  Some easy and free, some free and complex with a couple easy to do but cost a few bucks a month.  Should be something to choose from for everyone with a CGNAT issue.

This could also allow for testing multiple options to see what's fastest or best for each person. The cloud instance tunnel is probably the best option of all if a couple bucks a month isn't prohibitive as it can also be set up to proxy all your graphics so the Emby Server doesn't have to send them over and over.

Once documented people should be able to follow step by step directions to set this up themselves or get help here in the community. It of course gives a few different options to try to see what's best for specific needs/environments.


adrianwi

Is it becoming common for ISPs to block ports so nothing can come in?  It's been a while since I switched (happy with Virgin Media speeds in UK) but I don't recall previous ISPs blocking how I use the service.


It is pretty common. If I were guessing I'd say 1 in 5 to 1 in 10 of all admins here in the forum have this issue.  The amount of people I help is far greater than that proportion-wise of course, or they may not need my help. So maybe it's not that bad (tarnished view) but it is pretty common.

I don't know the answer to that question. It seems like it comes and goes. Some ISPs seem to be tightening the network (usually in the "name" of security) while others are becoming more open to allow you to use what you're actually paying for. I've had that as well and can remember thinking for a period of 18 months to 2 years that it seemed like things were getting more restrictive.  But then the next wave is more people getting out from behind CGNATs.

A lot of this is likely tied to equipment upgrades in some manner.  For example a "small" ISP might upgrade a 40Gb backbone to 100Gb to find out they can't route much faster than they previously could because of implementations in place like CGNAT that hurt performance in some way, so they switch for no other reason than the change is "free" vs half a million in additional equipment.

For other ISPs it could be that a rollout of IPv6 is much easier when not using CGNAT, so to keep management and costs down CGNAT is removed.

An ISP might be over subscribed and use cable modems but switching 2 channels on the modem for more download gets them by while cutting down your ability to upload so they fix that problem by blocking much of the uploading with you guessed it CGNAT.

QOS and all kinds of other things come into play as well but it's almost always a management or $ reason they make changes. If it works in the customer's favor they likely make it seem like they're giving you more for your money or listening, but probably not, as it was in their best interest.

It's definitely common enough that I've been researching different solutions people can employ, looking for the best option to fit their needs. Yet it will be easy enough that they can set up and manage on their own. Maybe referring to a tutorial to help them get started.

Since I'm doing this I'm trying to come up with good solutions that cover different needs as well instead of trying to get everyone to use one method which might not be a good fit.


  • 1 month later...
mediaserver1

@cayars I look forward to your guides on this issue. I am also in a CGNAT situation. My ISP will roll out IPv6 soon but that will also be on a CGNAT mode. So no public facing option.

Static IP is an option in both IPv4 and IPv6 but I am trying to avoid it, as the ISP will not run any firewall or security protocol for my connection in that case. I use an Asus router with built-in Trend Micro firewall and I think that will not be enough to secure my network.

I am trying to set up my first media server on Raspberry Pi. So trying to keep a very low budget on the complete setup. Hence looking at the ngrok free plan tunnel.

Is there a way to update the dynamic ngrok tunnel name to a DDNS service provider ? Maybe through some scripts ? 

If you can cover a setup with the below in your articles, or point me to existing ones, it will be a big help.

NGROK (free) + script_or_some_automation (to update the NGROK tunnel name to a DDNS service as a CNAME to my own custom domain) + DDNS + NGINX (SSL against a paid domain name) + Emby (SSL Self Signed)

Except for the Emby Premier & buying a domain name, I am trying to keep all the other components on free tier plans only.


ISPs do very little for you security wise except not allow connections to make it to your WAN port if behind a CGNAT. :)

You don't need the service provider providing any security for you. People often make the job of a firewall overly complex, but at the heart of a firewall is the job of determining what packets shall pass and what shall not pass into the local LAN. For most home use this is as easy as setting up all incoming unsolicited traffic as blocked while manually port mapping ports like 8096 or 8920 to redirect to a specific IP address on your network (and only that IP) for a program like Emby. Things like IDS, QOS, VPN, etc. aren't really "firewall" jobs and actually are better off not being part of the firewall itself.

So depending on the cost of a static IP that would ideally be the way to go as it really simplifies your setup. Otherwise you need to do something like a setup behind Cloudflare which requires a domain name and then setting up a tunnel (think private VPN) between your server and Cloudflare.  This second option works well but is a much harder/complex setup. The tunnel is the tricky part but I've got it down to almost cut and paste for Windows and Linux but not for docker or any NAS appliances.  If the NAS has the ability to run a VM that could likely be used to run a stripped down headless Linux with the tunnel.

I could probably set this up to run a tunnel on a low powered Raspberry Pi as well but haven't tried it.

So in your situation @mediaserver1 I'd check on cost for the static IP and if not consider the tunnel with Cloudflare if running on Windows or Linux.
What OS are you running Emby on at present?


mediaserver1

@cayars, thank you for your suggestions. I am trying to avoid the cost of a new firewall device. Static IP price by itself is affordable. But I don't want to commit to a separate firewall setup now. So I will prefer the tunnel option. Cloudflare or Ngrok, whichever works.

I currently run Emby on Linux. On the Rpi I will also be happy to run another Linux variant if the tunnel requires Linux. It's a Pi 4B 8GB model which will only run Emby, maybe nextcloud or owncloud later if system resources permit.

Otherwise I was considering going the DietPi or OMV way. But this is not a blocker at all.

I will have an external 5TB drive attached to the Pi as the media source.

Please help me with the script for the tunnel option if possible.


Cloudflared should work for Pi in 32 or 64 bit versions as it supports Debian Buster and the 64 bit version for Pi was just officially released.

Did I understand you correctly that you're running Emby full time on the Pi? Does it do any transcoding or do you pre-convert media to direct play from the Pi?
Which model do you have?

I've got the newer Pi 4 with 8 GB in an Argon case with 512MB SSD. I haven't tried it but Cloudflared should run on this using 32 or 64 bit Pi OS as it's based off Debian and arm as well as arm64 is supported for Buster.


mediaserver1

@cayars Raspberry Pi 4B 8GB variant. Two drives connected over USB. Drive1: SSD which also acts as the boot drive. Second drive is a 8TB external HDD with all the media contents and network shares.

No transcoding.

I don't know how to pre-convert media files. Is it an out-of-the-box feature provided under Emby Premiere? Or do we have to have additional software set up to achieve this?


5 hours ago, mediaserver1 said:

@cayars Raspberry Pi 4B 8GB variant. Two drives connected over USB. Drive1: SSD which also acts as the boot drive. Second drive is a 8TB external HDD with all the media contents and network shares.

No transcoding.

I don't know how to pre-convert media files. Is it an out-of-the-box feature provided under Emby Premiere? Or do we have to have additional software set up to achieve this?

What OS are you running or do you want to run (hopefully 64 bit)? I think with that I can duplicate your setup enough to give this a try and see if I can get a tunnel going.


Do you have it already set up?
If not, do me a favor and send me a private message (hover over my avatar and choose message).
If you don't have it set up yet I'll give you some info to set up a generic password on setup for a couple of accounts. You can then send me an image of your install which I'll work with.
That will save me time setting this up and I can concentrate on the cloudflared setup, get it working and send you back the image!

Carlo


  • 3 months later...
denzoid
On 12/23/2021 at 11:18 AM, cayars said:

I'm working on a set of guides to cover multiple ways to work around CGNAT that covers multiple use case to allow the Emby admin to pick the solution best for them or try a couple things to see what works best.

I could really use a guide for this (searched but didn't find one) ...any updates?


In a nutshell, when your ISP is running CGNAT it's like a firewall in that no inbound traffic will reach your LAN unless a device on your LAN has started/opened a connection first.

There are several work-arounds that I'd consider easy to complex.  A lot of this depends on the nature of how your remote access will be used.  If it's just you and family using mobile phones, tablets, computers on the go then the easier method is using a service such as TailScale that creates a private VPN.  Tailscale acts like a middle man or director.  Your server will run Tailscale and open a connection to their service which punches through the CGNAT.  Then any client set up with Tailscale and authorized to connect to your server can start the VPN.  Tailscale has your port open already so it tries to shim the client to use that port so everything is direct without them doing any relaying of packets.  This works really well.

There are middle solutions such as getting a cheap hosting site and setting up a tunnel from your Server to the hosted computer.  You set up Emby to use the public IP of the hosted machine which acts like a relay for your server.  No software is needed on a client.

The most complex method but not hard (for me anyway) is using Cloudflare via an Argo tunnel.  It's "complex" due to the number of steps needed as a whole.  You will need a domain name so if you don't have one already, you will need to register one.  You create an account at Cloudflare which is free.  You then have to set/adjust the nameservers for your domain to what Cloudflare tells you to set them to.  Next is adjusting the settings on Cloudflare that work well with Emby. You then have Cloudflare generate a certificate for you to use which will be in the wrong format, so this needs to be converted to PKCS#12 format using a password.  The generated PKCS#12 cert and the password used are then added to Emby in the Network menu.

Lastly an Argo tunnel is set up using a subdomain such as emby.yourdomain.com.  Setting the tunnel up for Linux and Windows is pretty much copy/paste from scripts I've got.  The client side of the tunnel is then set to point to Emby's port.  You're now done and ready to test.

With the use of the tunnel your server can run from anywhere without any changes needed. By the same token, there is nothing you need to do when your ISP changes your WAN IP.

So it really depends on need what the best approach is.

Carlo

PS I can assist parts of this after figuring out the proper solution.
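The cloudflared side of the Argo tunnel steps above, as an added example that is not Carlo's script or Cloudflare's own material. The subdomain emby.yourdomain.com comes from the post; the tunnel name "emby", Emby's HTTP port 8096, the ~/.cloudflared paths and the certificate file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Placeholders: tunnel name "emby",
# emby.yourdomain.com, http://127.0.0.1:8096, and the ~/.cloudflared paths.
set -eu

TUNNEL_NAME="${TUNNEL_NAME:-emby}"
HOSTNAME_FQDN="${HOSTNAME_FQDN:-emby.yourdomain.com}"
EMBY_URL="${EMBY_URL:-http://127.0.0.1:8096}"
CF_DIR="${CF_DIR:-${HOME:-/root}/.cloudflared}"

# One-time, interactive: authorise cloudflared against the domain whose
# nameservers already point at Cloudflare, create the named tunnel, and
# publish the CNAME for the subdomain. Needs a real account, so it is only
# a function here and is not run by the self-test.
create_tunnel() {
  cloudflared tunnel login
  cloudflared tunnel create "$TUNNEL_NAME"
  cloudflared tunnel route dns "$TUNNEL_NAME" "$HOSTNAME_FQDN"
}

# Write config.yml. Ingress rules match top to bottom; the closing
# catch-all answers 404, so the tunnel exposes Emby for the one hostname
# and nothing else running on the host.
write_config() {
  uuid="$1"; out="$2"
  cat > "$out" <<EOF
tunnel: ${uuid}
credentials-file: ${CF_DIR}/${uuid}.json
ingress:
  - hostname: ${HOSTNAME_FQDN}
    service: ${EMBY_URL}
  - service: http_status:404
EOF
}

# The post's "convert to PKCS#12 with a password" step: the Cloudflare
# certificate and key become one .pfx that Emby's Network settings accept.
make_pkcs12() {
  cert="$1"; key="$2"; out="$3"; password="$4"
  openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" \
    -passout "pass:${password}"
}

# Find the UUID from the credentials file cloudflared wrote on create,
# write and validate the config, then install it as a system service so
# the tunnel is re-established at boot (the "always running" part).
install_service() {
  uuid="$(basename "$(ls "$CF_DIR"/*.json | head -n1)" .json)"
  write_config "$uuid" "${CF_DIR}/config.yml"
  cloudflared tunnel --config "${CF_DIR}/config.yml" ingress validate
  sudo cloudflared --config "${CF_DIR}/config.yml" service install
}
```

Run `create_tunnel` once by hand, then `install_service`; the validate step fails fast if the ingress rules are malformed before anything is installed.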
