All of a sudden stopped being able to connect


jigglypuff89

I haven't been able to use Emby for a while.  Haven't had time to look into it.  I can't think of anything that changed.  It's possible there was a windows update.  I run Hide.me VPN.  I can log in on the computer I run the server on but when attempting to log in on any device on the home network I get an "Error Connecting to Network" notification.  Based on my activity log it last worked correctly on 04/19.  In looking through the help guides I was looking into the firewall settings but it looks like the two ports that need to be allowed are already allowed so I didn't want to mess with anything.  In the firewall it shows embytray.exe both being blocked as well as allowed but I assume that has to do with my VPN?  I apologize as I'm not a coder or anything but I can definitely follow rudimentary instructions.  Also this is probably dumb but the attached log for the server only seems to be valid for today?  I only had two logs show up unfortunately.  Please let me know what other info I can give or what other screen shots I can attach.  Thanks!

activity log.PNG

logs.PNG

windows firewall.PNG

hardware_detection-63788932746.txt embyserver.txt

Link to comment
Share on other sites

Hello jigglypuff89,

** This is an auto reply **

Please wait for someone from staff support or our members to reply to you.

It's recommended to provide more info, as explained in this thread:


Thank you.

Emby Team

Link to comment
Share on other sites

jigglypuff89

Nvidia Shield, Amazon Fire Stick, and my Android phone have all been used in the past for Emby while on the home network

Link to comment
Share on other sites

jigglypuff89

Just tried and same problem. And yeah, just to clarify, I can log in to my account, just can't get into my server. I deleted it a while ago trying to see if just adding it back in would work and didn't have any success.

Screenshot_20220523-205249_Brave.jpg

Link to comment
Share on other sites

jigglypuff89

I'm just getting search results?  It's not taking me to an actual location on either the desktop that's running the server or my mobile phone

Link to comment
Share on other sites

jigglypuff89

This screenshot is from my phone but same results on the computer running the server

Screenshot_20220523-211236_Brave.jpg

Link to comment
Share on other sites

Happy2Play

He means http://192.168.0.109:8096 but this would assume you are on LAN.  Otherwise it would be http://WANaddress:8096, you should see your WAN address on the dashboard.

 

Link to comment
Share on other sites

jigglypuff89

Oh wow I feel like an idiot. On my phone it gets stuck on loading and won't move forward. On the desktop running emby it goes to my emby sign in screen. 

Screenshot_20220523-212216_Brave.jpg

Link to comment
Share on other sites

OK so if you can't even connect from another device inside the network, then this usually points to a firewall on the server machine. It could also be caused by the VPN.

Can you try turning off the VPN?

Link to comment
Share on other sites

jigglypuff89

Interesting. That totally worked. Am I unable to run Emby behind my VPN?  I've always done so in the past. I've always been able to run it behind hide.me on my LAN but I never figured out how to use it through the VPN remotely. I don't understand why my VPN wouldn't allow it to work anymore locally. I'd much prefer to keep using it through the VPN.

Link to comment
Share on other sites

Do you need to configure the vpn to not block the incoming traffic?

Link to comment
Share on other sites

jigglypuff89

Sorry it looks like we posted at exactly the same time.  I'm unsure of how to configure the vpn to do that.

vpn protocol.PNG

Link to comment
Share on other sites

Going to cover a lot of info so sit back and try to absorb as much as possible. Feel free to follow up with any questions you might have.

WHY CAN'T I GET TO MY EMBY SERVER WHEN THE PUBLIC VPN IS RUNNING?
Understand that a Public VPN is not an end-to-end tunnel where all your traffic resides.  Instead it's a half finished tunnel that drops your packet right back on the public internet just down the road a bit from where they started.  The exit server is on the Internet and has an IP address.  It's that IP address that Emby sees when looking up your WAN address.  No unsolicited traffic is allowed in on that IP.  Only packets leaving that IP are allowed back in because the VPN provider knows who it needs to send it to.  Remember 100 people might be sharing that IP so if traffic was allowed to come in from nowhere, who would the VPN provider send it to?  Nobody knows and that's the problem.  So basically for all purposes think of the exit point as being firewalled with no inbound traffic allowed that didn't originate from that IP.

So running Emby behind a public VPN is not ever going to work unless one of two things is set up. You get a static IP from the provider, usually $5 to $10 additional each month, AND they allow all inbound traffic on that IP. The second way is getting a static port forward from the VPN company. This port forward is usually only set up for one POP and the port is strictly yours and doesn't change.

Either of those allows traffic inbound.  The VPN provider now understands how to route the packet.  If you got a static IP from them they know to send all traffic inbound to the IP to you.
If you got a port forward then any traffic going to that port is sent to you.  That is how the VPN provider knows the traffic is destined to you.

What doesn't work is getting a port forward that changes.  The VPN provider can easily track the changing port and make sure you always get the traffic but you have no easy way to set that up in your network to forward to a specific port in Emby. It can be done but is not easy.  No need for that complexity anyway as you can get a static port easily for a specific POP (point of presence) or destination VPN server.  You then ONLY ever use that VPN server.  Whatever port they assign you gets entered for the port number used in the network menu of Emby. DONE.

I GET INBOUND TRAFFIC TO MY EMBY SERVER NOW WITH THE STATIC IP OR STATIC PORT FORWARD OVER VPN, BUT NOW EMBY DOESN'T WORK CORRECTLY

 

Keep in mind that even when either of those two methods is used and you get inbound traffic to your Emby server, you may still experience issues with Emby having trouble connecting outbound to some sites.  Some of the meta-data providers block all known VPN IP addresses (on purpose). They do this because people use VPNs trying to attack, probe, leech data from them. They see all public VPN IPs as a constant source of issues from people trying to hide their real IP.  The simple way to "fix" that problem is to ban those problem IPs.

So if using a public VPN service you want to do a full library scan and carefully check your server log file for errors. A "connection refused" message is a tell-tale sign of this trouble and you will want to test from a browser behind the VPN, accessing the meta-provider to verify they are blocking the IP. Timeouts are getting more common and may be what your Emby Server log shows instead. The meta-data providers set up their routers to not answer packets from those IPs that are banned and just discard them.  That makes the originator wait and wait until the connection times out. :)

BEST METHOD TO USE A PUBLIC VPN WITH EMBY IS, TO NOT USE THE VPN WITH EMBY!
OK, to explain what I just said.  Looking at the picture of your VPN configuration you have a menu choice called Split Tunneling. Use it.  Split tunneling allows you to define what traffic or programs use the VPN and which do not.  The easiest setup is default all programs and traffic to use the VPN but then set one exception for the PROGRAM Emby.  The software will then watch the traffic so all outbound packets from Emby regardless of port used go out your normal internet router as normal.  All other traffic is routed through the VPN connection.

You set up Emby now as if the VPN does not exist.  Normal port forward setup in your router pointed to Emby. Once that's set, restart Emby Server and it should no longer see the VPN address or use the VPN gateway but will use your router's WAN address and your router as the default gateway.   All traffic sent from Emby is also in the clear and won't have blocking issues with meta providers.

NON EMBY RELATED BUT WHY A PUBLIC VPN MIGHT NOT DO ANYTHING AT ALL FOR YOU.

Anything else running on the same PC will be behind the VPN which I imagine is the actual goal, as you have something there you don't want your ISP to see.  That may or may not be true. ISPs rarely look at actual traffic since there is nothing to see but encrypted traffic.  Instead what they look at mostly is the trusty DNS server logs which log every request you make to xyz.com looking up the IP address.  But they do not need to look at just their own logs as they will have their routers set up to log all port 53 (DNS) traffic going through the network.

DNS is the phonebook of the Internet; DNS resolvers translate human-readable domain names into machine-readable IP addresses. By default, DNS queries and responses are sent in plaintext (via UDP), which means they can be read by networks, ISPs, or anybody able to monitor transmissions. Even if a website uses HTTPS, the DNS query required to navigate to that website is exposed.

Think of a normal, unencrypted DNS query as being like a postcard sent through the mail: anyone handling the mail may happen to catch a glimpse of the text written on the back side, so it is not wise to mail a postcard that contains sensitive or private information.

DNS over TLS (DoT) and DNS over HTTPS (DoH) are two standards developed for encrypting plaintext DNS traffic in order to prevent malicious parties, advertisers, ISPs, and others from being able to interpret the data. Continuing the analogy, these standards aim to put an envelope around all postcards going through the mail, so that anyone can send a postcard without worrying that someone is snooping on what they are up to.

Secured DNS transactions are what's needed.  No port 53 use but instead you set up your network to use DoT or what I'd suggest is using DoH which are both secured. I prefer DoH because it uses port 443 and blends in with all other web traffic where DoT has its own port making it an easier target.  With some fancy algorithms you can figure out some things when using DoT. You can certainly traffic shape it and slow it down or add a couple things to the headers to trip up some routers into leaking data.  When you don't have a dedicated port but all the DNS lookups are handled over DoH the encrypted traffic all looks the same and you can't tell a DNS lookup from a page send or acknowledgement.

That's mostly true and why you also need this to fill in the missing gap. Technically anyone like your ISP could do DNS Spoofing or DNS Cache Poisoning but most likely would just emulate the endpoint and pretend to be the destination DNS server. This is where DNSSEC comes in.  This uses public/private keys very similar to websites so you can tell if the answer you got back is from the signed owner.

With DNSSEC in place using DoH, there is nothing practical that can be done by the ISP to see what you're doing or looking up.

So far so good but there is still one overall issue with using a public VPN and how your ISP may still easily know where every packet you send is going. Now you might be thinking HAH, I'm using a VPN and use my VPN company's DNS so it's all encrypted and the ISP can't see anything. Logically that sounds fine but there's a giant problem with public VPNs and that's how easy they are to exploit.  VPN services use top-notch encryption to secure your connection, usually in the form of AES-256 or ChaCha20. Both of these ciphers are the best of the best if used to secure the complete chain of packets from point A to B.  That's not how public VPNs work and why you may still be very vulnerable.   You go from A (your house) to B (VPN public server) to C (destination).  Your packets are protected by the cipher from points A to B which is probably close to your house because you choose the lowest latency connection right?  That's also what almost all VPN client software chooses as a result. DO NOT DO THIS.

What do you think happens when you're using Verizon FIOS with said VPN provider that's close and peers with Verizon? You hand over the keys to Verizon is what happens because they see the traffic leaving unencrypted when your VPN provider dumps it on the net that Verizon controls! Mr ISP can look at everything right at that spot and now clearly understands all of your traffic. Between the big players a VPN is almost useless because they trade this info.  Hey I'll give you information on these 10K exit ports if you give me 10K export ports from your system.  When 5 or 6 of the main providers have this automated at different peering points where your VPN exit side is located the chances of your packet not hitting one of the "members" is not very likely. If the packet goes through a "member" it's fed right back to your ISP and for all practical purposes it's like you didn't use the VPN at all.

The only way to truly secure and hide the traffic is to control both ends of the communication. Next best is to set up your own VPN running OpenVPN or WireGuard on a cheap hosting company virtual machine. This gets you away from what I just described with automatic Exit/IP sharing. If not possible, 3rd way is easy but counterintuitive and that's to pick a VPN server not in your geographic location. Find out where the POP is located then look up who peers there.  So for example if I want to hide something and my only choice is a public VPN I'm not going to choose a NY or Phila POP (I'm in southern NJ) as the NY POPs are actually in NJ not NY anyway.  If I choose either of those locations there is a very high chance my ISP has the destination IP of the server my packets are being sent to before the 4th packet leaves the VPN!

Instead I'm better off using a Montreal CA POP or maybe something in Mexico. But I'm going to need to tracert the packets to see what network those packets use immediately after leaving the VPN.  With any luck I get a local or government-run ISP not associated with my ISP.  Yes it will kill my speed and raise my latency but take away the ability to easily piece together my traffic.  Not good for streaming but I don't need protection for streaming.

Moral is public VPNs do not give you the kind of protection you think or have been led to believe, especially not the way most people use them, picking the closest (dumbest choice) server with the best latency numbers. Any time you use a Public VPN only a portion of your traffic is running through the tunnel.  You need to make sure your ISP or other likely partners in crime have no access to the exit location.  Any VPN that isn't controlled by you or a trusted party on both sides is an unsecured connection!

I BURIED MY IP 100 DIFFERENT WAYS TO MAKE IT IMPOSSIBLE TO KNOW IT'S ME BUT...
So you've done everything you can to make it impossible for the NSA to track your IP down so now I'm in the clear correct? Probably, right up until you use your web browser and connect to a site that is. Any site that's into deep tracking will know it's you right away regardless of IP.  That's because of the unique markers your browser has and the information it gladly gives to every site it connects to.  It's like leaving a fingerprint on everything you touch.  If you visit a site running Google Ads or other advertising networks they know it's you and your data will be sold.  Google doesn't sell "personal data" or your habits as they want that for themselves, same as Amazon as they want to make a sale now or in the future based on your info, BUT they all sell non personal information. One of the pieces of info that is sold is your marker as well as known information such as all known IP addresses you've used.  So your browser gave away your VPN IP address that easily ties back to your actual IP in X time. I know 2 smaller advertising agencies and about 4 "free bless their hearts" hosts that "graciously" donate bandwidth to host javascript and programming libs called when you hit different sites. They look for a long list of matches that have $ value and one of those is same marker from multiple IPs in X minutes.  This info gets pushed right out as close to real time as possible to parties that subscribe.

So you see the problems involved in trying to cover your tracks with an IP change.  Not so easy unless you get a bit smarter how you use the VPN.  Such as having a Virtual Machine built clean that never touches the internet without the VPN running.  That VPN will have its own unique marker but will always have the VPN address. Your main host would never use the VPN and only have your real IP.  Mix either of the two and you potentially gave your ID away.  BTW, it's not just advertising sites and "free hosts" but more and more high traffic sites that do this kind of thing.  It's easy money for them to capitalize on just by being a bit creative with the data your browser gives them freely.

I could go on and on but I'll save it for another day.  Have a look here to get a rough idea how this would work: https://amiunique.org/fp

Carlo

Link to comment
Share on other sites
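
One way to do the log check described in the post above (full library scan, then look for "connection refused" or timeouts per metadata provider). This is an added example, not code from the thread or from Emby; the log lines and host names are constructed, and a real Emby server log will be worded differently.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines (assumption): not the real Emby log format.
SAMPLE_LOG = """\
2022-05-23 20:41:02 Error Connection refused: https://metadata-a.example/api/series/121361
2022-05-23 20:41:09 Error Connection refused: https://metadata-a.example/api/series/79168
2022-05-23 20:41:40 Error The operation has timed out: https://images-b.example/posters/42.jpg
2022-05-23 20:42:11 Error The operation has timed out: https://images-b.example/posters/43.jpg
2022-05-23 20:42:15 Info  GET https://metadata-c.example/3/movie/603 completed 200
2022-05-23 20:42:30 Error Timeout waiting for https://metadata-c.example/3/movie/604
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
REFUSED_RE = re.compile(r"connection refused|actively refused", re.I)
TIMEOUT_RE = re.compile(r"timed out|timeout", re.I)


def summarize_blocks(log_text, min_failures=2):
    """Group outbound failures by remote host.

    Returns {host: {"refused": n, "timeout": n, "other": n}} for hosts that
    failed at least min_failures times and have no non-failing line at all,
    which is the pattern expected when a provider drops the VPN exit IP.
    """
    stats = defaultdict(lambda: {"refused": 0, "timeout": 0, "other": 0})
    for line in log_text.splitlines():
        match = URL_RE.search(line)
        if not match:
            continue  # line does not mention a remote URL
        host = urlsplit(match.group(0)).hostname
        if host is None:
            continue
        if REFUSED_RE.search(line):
            stats[host]["refused"] += 1   # active rejection
        elif TIMEOUT_RE.search(line):
            stats[host]["timeout"] += 1   # packets silently discarded
        else:
            stats[host]["other"] += 1     # request line without a failure
    return {
        host: dict(c) for host, c in stats.items()
        if c["other"] == 0 and c["refused"] + c["timeout"] >= min_failures
    }


if __name__ == "__main__":
    for host, counts in sorted(summarize_blocks(SAMPLE_LOG).items()):
        print(f"{host}: refused={counts['refused']} timeout={counts['timeout']}")
```

Hosts it reports are the ones to open in a browser behind the VPN, as the post suggests, to confirm the block; a host with a single timeout among working requests is left out as ordinary network noise.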

jigglypuff89

This has helped greatly.  Running perfectly locally. Unable to have a static ip with my vpn service so not going to mess with the port forwarding. Going to look into https and certificates as well as setting up a reverse proxy for remote viewing but even with how nicely it's laid out in the guides I might find someone to help me set those up as it seems somewhat complicated. Thanks very much! 

Link to comment
Share on other sites
