Access Emby outside of LAN without any port forwarding


atoka93
Go to solution Solved by Carlo,

denzoid
On 8/31/2022 at 10:05 PM, cayars said:

In a nutshell, when your ISP is running CGNAT it's like a firewall in that no inbound traffic will reach your LAN unless a device on your LAN has started/opened a connection first.

There are several work-arounds that I'd consider easy to complex. A lot of this depends on the nature of how your remote access will be used. If it's just you and family using mobile phones, tablets, computers on the go then the easier method is using a service such as Tailscale that creates a private VPN. Tailscale acts like a middle man or director. Your server will run Tailscale and open a connection to their service which punches through the CGNAT. Then any client set up with Tailscale and authorized to connect to your server can start the VPN. Tailscale has your port open already so it is trying to shim the client to use that port so everything is direct without them doing any relaying of packets. This works really well.

There are middle solutions such as getting a cheap hosting site and setting up a tunnel from your Server to the hosted computer. You set up Emby to use the public IP of the hosted machine which acts like a relay for your server. No software is needed on a client.

The most complex method but not hard (for me anyway) is using Cloudflare via an Argo tunnel. It's "complex" due to the number of steps needed as a whole. You will need a domain name so if you don't have one already, you will need to register one. You create an account at Cloudflare which is free. You then have to set/adjust the nameservers for your domain to what Cloudflare tells you to set them to. Next is adjusting the settings on Cloudflare that work well with Emby. You then have Cloudflare generate a certificate for you to use which will be in the wrong format so this needs to be converted to PK#12 format using a password. The generated PK#12 cert and password used is then added to Emby in the Network menu.

Lastly an Argo tunnel is set up using a subdomain such as emby.yourdomain.com. Setting the tunnel up for Linux and Windows is pretty much copy/paste from scripts I've got. The client side of the tunnel is then set to point to Emby's port. You're now done and ready to test.

With the use of the tunnel your server can run from anywhere without any changes needed. By the same token, there is nothing you need to do when your ISP changes your WAN IP.

So it really depends on need what the best approach is.

Carlo

PS I can assist with parts of this after figuring out the proper solution.

 

Wow! This is the most thorough and thoughtful answer I think I have ever received on any help forum, ever! Sorry it has taken me this long to reply (see below).

I think the first option is a no go... I installed Tailscale on my UnRaid server and so far so good, then I installed Tailscale on one of my AndroidTV boxes and it didn't go well... it won't open and the screen just goes completely white for a few seconds, then completely black. Then that box lost the ability to connect to any devices on my LAN, in particular my UnRaid server. It looks like I'll have to do a factory reset (on the Android box) to get it to work again. So with my limited skills and the fact that my friends/family that I want to be able to connect are in different countries this just doesn't look like a very viable option.

The second option sounds very promising as far as no software needed on the client side; the only complication is I do not have a static IP from my ISP. Previously I was using DynDns which worked great at my previous location/ISP. I do still have a DynDns account, I don't know if that could be used in conjunction with a 3rd party hosting site or not, please let me know.

The third option looks to be the best to solve all the issues I'm facing but it does look to be a steep learning curve (for me) to get to work correctly. I would be willing to give it a try if you know of any good tutorial videos/websites you could refer me to I'd appreciate it. Hopefully if I get stuck you might possibly be able to help me (again). Thanks. 

  • Thanks 1

Thanks for the nice words on the reply. :)

With the hosted approach it won't matter if your ISP uses dynamic IP or how often they change it as the connection from Emby Server inside your LAN will be establishing the VPN connection to the host. Since it's opened/started from inside your LAN you won't have to do any port forwarding either!

I can help you with the Cloudflare connection. Since it does take longer than a normal support session I only do them in the evenings my time and it needs to be flexible. By this I mean I'll help at 8 or 9pm assuming a normal support issue doesn't come up that would take priority in which case you would get bumped back a half hour/hour or to the next day. So a bit of flexibility is needed.

With that said you can try and get a lot of this done yourself. You will need a domain name so if you don't have one you can start looking for something you like (extension doesn't matter) and register it. Then sign up for a Cloudflared account and follow the instructions for changing the domain servers. You can save this step by registering the domain through Cloudflared. That's a good way to go if they do registrations for the extension you want and if the price is reasonable (compare). Doing that saves about 1/3rd the overall time so it's a big help. I can run through the CF settings and make any needed changes and then help you get the tunnel set up. If it's running on Windows I can do this in 5 to 10 minutes at most. Other platforms take a bit longer (I've got Windows scripted more or less).

So if you want to go this route get started on the domain registration and then send me a private message and we'll work out a join session time via TeamViewer. Make sure to let me know what OS you have Emby running on.
You can hover over my avatar to get message options to send private messages to me.

Carlo


  • 2 months later...
nanohits

Yeah, I am running an Unraid server under CGNAT and I use Cloudflare Zero Trust and it just works and it is pretty easy to set up. ZeroTier is a bit more complex and not completely free.

  • Thanks 1

  • 1 month later...
jang430
On 9/4/2022 at 7:04 AM, cayars said:

Thanks for the nice words on the reply. :)

With the hosted approach it won't matter if your ISP uses dynamic IP or how often they change it as the connection from Emby Server inside your LAN will be establishing the VPN connection to the host. Since it's opened/started from inside your LAN you won't have to do any port forwarding either!

I can help you with the Cloudflare connection. Since it does take longer than a normal support session I only do them in the evenings my time and it needs to be flexible. By this I mean I'll help at 8 or 9pm assuming a normal support issue doesn't come up that would take priority in which case you would get bumped back a half hour/hour or to the next day. So a bit of flexibility is needed.

With that said you can try and get a lot of this done yourself. You will need a domain name so if you don't have one you can start looking for something you like (extension doesn't matter) and register it. Then sign up for a Cloudflared account and follow the instructions for changing the domain servers. You can save this step by registering the domain through Cloudflared. That's a good way to go if they do registrations for the extension you want and if the price is reasonable (compare). Doing that saves about 1/3rd the overall time so it's a big help. I can run through the CF settings and make any needed changes and then help you get the tunnel set up. If it's running on Windows I can do this in 5 to 10 minutes at most. Other platforms take a bit longer (I've got Windows scripted more or less).

So if you want to go this route get started on the domain registration and then send me a private message and we'll work out a join session time via TeamViewer. Make sure to let me know what OS you have Emby running on.
You can hover over my avatar to get message options to send private messages to me.

Carlo

Hello @cayars,

I was able to set up Emby server/Cloudflare, and it's accessible from outside without opening ports. But when I try to set up the Emby app, I know what to put in the URL, but what do we put under ports? It's no longer 8096. 80 doesn't work, neither does 8080.


443 is likely what you're going to need to set up for the remote port. Cloudflare is going to treat the URLs as web requests on port 80 and 443.

To use port 443 you need to set up a certificate you get from Cloudflare.
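
The certificate step mentioned in this thread (a PEM certificate and key from Cloudflare converted into a password-protected PKCS#12 file for Emby's Network menu), as an added example that is not part of any post here. The file names `origin.pem`, `origin.key` and `emby.pfx`, the `P12_PASS` variable and the self-signed sample pair are assumptions constructed for illustration; with a real certificate only the conversion and verification functions are needed.

```shell
#!/bin/sh
# Added example. All file names and the password below are constructed.

# Constructed sample data: a throwaway self-signed pair standing in for the
# PEM certificate and key downloaded from Cloudflare.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=emby.yourdomain.com" \
        -keyout "$1/origin.key" -out "$1/origin.pem" 2>/dev/null
}

# pem_to_pkcs12 CERT KEY OUT
# Bundle certificate and private key into one password-protected PKCS#12 file.
# The password comes from the exported variable P12_PASS, so it does not show
# up in the process list; umask 077 keeps the key-bearing file owner-only.
pem_to_pkcs12() {
    ( umask 077
      openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
          -name emby -passout env:P12_PASS )
}

# verify_pkcs12 P12 CERT
# Succeeds only if the bundle opens with P12_PASS and the certificate inside
# has the same SHA-256 fingerprint as the original PEM certificate.
verify_pkcs12() {
    want=$(openssl x509 -in "$2" -noout -fingerprint -sha256) || return 1
    got=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts \
              2>/dev/null | openssl x509 -noout -fingerprint -sha256 \
              2>/dev/null) || return 1
    [ "$want" = "$got" ]
}

# Run the whole round trip on the constructed sample pair in a temp directory.
demo() {
    dir=$(mktemp -d) || return 1
    P12_PASS='constructed-demo-password'; export P12_PASS
    make_sample_pair "$dir" &&
        pem_to_pkcs12 "$dir/origin.pem" "$dir/origin.key" "$dir/emby.pfx" &&
        verify_pkcs12 "$dir/emby.pfx" "$dir/origin.pem"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo && echo "PKCS#12 bundle verified"
```

Running the verification before pointing Emby at the file separates a bad password or a mismatched certificate from a server-side configuration problem.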


jang430

My problem right now is how to remove 8096, and get 443. Does it matter if I'm using a container?

Is there a cost to set up a certificate from Cloudflare? I'm currently using the tunnel route to access my Emby from outside. Using the tunnel doesn't require a port number. But when I'm trying to access it from within using the same URL, e.g. emby.xxx.com, it naturally goes out of my network, and comes back to my server. I have a pihole DNS server set up, and I'm trying to add a local DNS entry to pihole so it doesn't have to go out, but pihole doesn't take port 8096 or any port for that matter.


  • 3 weeks later...
On 1/30/2023 at 9:07 AM, jang430 said:

My problem right now is how to remove 8096, and get 443. Does it matter if I'm using a container?

Is there a cost to set up a certificate from Cloudflare? I'm currently using the tunnel route to access my Emby from outside. Using the tunnel doesn't require a port number. But when I'm trying to access it from within using the same URL, e.g. emby.xxx.com, it naturally goes out of my network, and comes back to my server. I have a pihole DNS server set up, and I'm trying to add a local DNS entry to pihole so it doesn't have to go out, but pihole doesn't take port 8096 or any port for that matter.

@jang430 were you able to figure out your connections?


jang430

I decided to use my Sophos XG Firewall and use the WAF feature instead. Although I cannot figure out how to get self-signed working from my firewall, so still experimenting :D

  • Thanks 1

  • 1 year later...

Hi @Carlo

I have just been reading all the comments in this thread as I am looking to shut down my dedicated remote server due to costs and run locally, but I have a Vodafone 5G SIM in a Teltonika RUTX50 5G router which works amazingly well with 50mb+ upload speeds but yes, you guessed it, I cannot forward any ports. Did you ever get a chance to write those guides? I would love to move my Emby server to my local Unraid server if possible but am not confident in these types of configs without a guide.

*UPDATE* I have just seen that SpaceInvaderOne has released a video on creating a Cloudflare tunnel, would it be OK to just follow that or are there security issues, data streaming limits etc?

Many thanks!

Edited by mbc0
amendment