Trouble with downloads over VPN

[emby.trace706 2]

I have a VPN setup into my environment, but I can't seem to get downloads working on a specific tunnel. I have Emby server running on TrueNAS, and the port to access the web interface is 9096. I restricted the VPN tunnel to only allow the IP of the Emby server, and port 9096, both TCP and UDP, with no external traffic (won't allow browsing internet from the vpn). I can connect to the server, browse the library, and play content, however when I go to download, I get an error that I do not have emby premiere, but upon checking the server settings, the key is there. The server itself should not be routing through the vpn, so the policy restricting the vpn should not affect the server. I did create another vpn tunnel that had no such restrictions, and was able to download mostly fine. I had one instance where the file would not play afterwards but after deleting the download and re-downloading the file, it worked. Do I need more ports that 9096 open?

[Luke 39870]

HI, do you use https? if so then you'd also need to open that port.

Quote

I can connect to the server, browse the library, and play content, however when I go to download, I get an error that I do not have emby premiere

What device does this happen from? Does it have an internet connection? Is it also behind the vpn?

[emby.trace706 2]

15 minutes ago, Luke said:

HI, do you use https? if so then you'd also need to open that port.

What device does this happen from? Does it have an internet connection? Is it also behind the vpn?

The device I get the error that I don't have emby premiere is my phone, which is connected via the VPN. The VPN only has port 9096 allowed to the emby server, and no other internal resources, and no external (outbound) traffic allowed. HTTPS traffic is not allowed to the server box, as I didn't want the TrueNAS web interface to be available. However the Emby docker container shares an address with the host, the truesnas box. I am a bit unsure of how the ports translate into docker, as I thought 9096 worked for everything. Port 9096 is what I would use to access the emby server interface as well, and what is defined when connecting in the app. 

 

I need to test it yet, but I am wondering if I need external connections to work as the emby app on the phone itself may need to connect out to validate the key?

Edited March 31 by emby.trace706
More info

[Neminem 824]

15 hours ago, emby.trace706 said:

The VPN only has port 9096 allowed to the emby server, and no other internal resources, and no external (outbound) traffic allowed.

That you issue the client needs to phone home to https://mb3admin.com to check license / device usage.

I think that what's needed, devs will need to validate, but try

[emby.trace706 2]

On 3/31/2025 at 11:51 AM, Neminem said:

That you issue the client needs to phone home to https://mb3admin.com to check license / device usage.

I think that what's needed, devs will need to validate, but try

Unfortunately that did not work. I did try adding the ports listed in the link below, as well as emby.media, and that did not work either. It seems to really want full external access for the server to even accept the download request. But even then I still get "File ready for transfer" and it just sits there.

https://emby.media/support/articles/Connectivity.html

[Luke 39870]

Hi, there are some cases of that that we’re looking into. Please let us know if you find anything else related to the vpn. Thanks.

[emby.trace706 2]

33 minutes ago, Luke said:

Hi, there are some cases of that that we’re looking into. Please let us know if you find anything else related to the vpn. Thanks.

I had the issue above, where I needed to allow mb3admin.com outbound, and I believe I may have done emby.media as well to be on the safe side. I found that even after that, I would see the request pop up on the server but would sit at "ready to transfer". That is because in my testing, I had my phone connected to another phone's mobile hotspot, and even unchecking the "download only on wifi" box, it didn't work through the hotspot. After switching to my mobile data, the download started. My VPN server is on my router, a Unifi Dream Router. I am happy to help test other scenarios for the Dev team if it would be helpful. On a side note, adding a "cancel download" button on the notification and in the app would be nice, as there is no easy way to stop the download.