Remote Access with open VPN

[Fedora 3]

Hi Guys I am new on Emby and I would some help to get off from this issue.

I am just another one struggling with remote Access, I have not problem at all to get server location when on /local but as I try to establish a connection from outside my local eth it looks blocked.

So after a research around, I have to dealing with port forwarding and all that staff, because Upnp not seem to works on my case... However 

I ve two router on my local, 192.168.1.1 and 192.168.3.1, the xxx.xxx.1.1 is  the ISP modem wired to xxx.xxx.3.1 which is a linksys 3200 running DDWRT firmware and open vpn client who provide the service to all my lan/wlan devices connected to the 192.168.3.1/xx  including my home server which is behind that too and..... now as I said on /local there are not problem I ve set all rules on server firewall and its working,

but not that easy when my attempts are from outside, (wan) I ve open 8096/tcp port for an unsecure connection but not lucky with it, UpnP is active too on both router but if I disable that nothing change, tried to uncheck  the UpnP box on Emby server , still "cannot locate it" also tried to sing up for an easy remote access, you know, just avoiding to get lost  dealing with address location, but I don,t think is that the problem.
 
IMG.
https://pasteboard.co/J8VsSKU.png

Now after rebooting, open/close Ports and UpnP I decided to try in a easier way to understand where I get blocked... so I ve temporary connected my server On my ISP modem (which has not a port forwarding options/ only UPnP port mapping is available on that router) and with UpnP active it finally works on both /local and remotely  perfectly.... so with this  done we got a clear idea that is not my first Modem/router the reason. (192.168.1.1)

Now my question are... It could be by the firewall may provided from VPN?

because all my network  its behind that, including the server, as I get back connected to my linksys (192.168.3.1) it back to not working, 

also from Open VPN client settings I ve disabled the Firewall protection by VPN side, rebooted and no works, 
well I suspect that the IP when I try to connect remotely is that VPN gives... But to do just one more attempt  I ve Used my real one too, used easy remote access, still not lucky

from /local on Emby Server setting all Users have "allow remote access" checked, only the Admin user who has the right to change server settings haven't got the option active  
but I don't think its that the problem, otherwise I couldn't even connect remotely using My ISP modem on step before.

All right, this is it, Hopefully some sweet could help me, I m sure is just about ports, but opening from the port forwarding seems not working 

Also I ve launch a port scanning inside and outside and well inside its okay, outside even opening 8092 port, the only port showed open are the common such as domain, http/s mails excc exc... and I don,t know why SSh port too is opened, ( talking about  internet side) I don't use SSH and I didn't open it from outside, but if I check my vpn/proxy's IP, that ssh port and common service ports are opened, not the 8092 whatever I do on the router, that ports won't change

I thinking to try to open that port using command line instead the GUI router interface, you know some times linux like the old way but I m not sure if with  IPTABLES  stuff will do a miracle

Waiting some professional advice 

Thank you all 



   
 
 

[BAlGaInTl 279]

I ve two router on my local, 192.168.1.1 and 192.168.3.1, the xxx.xxx.1.1 is  the ISP modem wired to xxx.xxx.3.1 which is a linksys 3200 running DDWRT firmware and open vpn client who provide the service to all my lan/wlan devices connected to the 192.168.3.1/xx  including my home server which is behind that too and..... now as I said on /local there are not problem I ve set all rules on server firewall and its working,

 

but not that easy when my attempts are from outside, (wan) I ve open 8096/tcp port for an unsecure connection but not lucky with it, UpnP is active too on both router but if I disable that nothing change, tried to uncheck  the UpnP box on Emby server , still "cannot locate it" also tried to sing up for an easy remote access, you know, just avoiding to get lost  dealing with address location, but I don,t think is that the problem.

 

IMG.

https://pasteboard.co/J8VsSKU.png

 

 

 

 

 

You have a couple of options.  I take it you mean that you have an OpenVPN server on your DDWRT router?  Are you able to connect to that from outside your LAN?  If so, you could just do that, and then use Emby.  It would definitely be a more secure option.

 

If you must access directly, I think you need to do portforwarding from both routers.

 

I would start with disabling UPNP.  Personally, I think it's nothing but issues.

 

Then you would have to forward the necessary ports from your ISP router to your DDWRT router, and then on to your server.

 

If you get that working, then I would seriously consider looking for information on how to secure that connection using SSL.              .

[Fedora 3]

You have a couple of options.  I take it you mean that you have an OpenVPN server on your DDWRT router?  Are you able to connect to that from outside your LAN?  If so, you could just do that, and then use Emby.  It would definitely be a more secure option.

 

If you must access directly, I think you need to do portforwarding from both routers.

 

I would start with disabling UPNP.  Personally, I think it's nothing but issues.

 

Then you would have to forward the necessary ports from your ISP router to your DDWRT router, and then on to your server.

 

If you get that working, then I would seriously consider looking for information on how to secure that connection using SSL.              .

 

thanks for reply, Well Following your tips I ve worked to get in remotely, and I can remotely connect using both router just without VPN active

 

So I ve Deactiveted UpnP everywhere set   all port forwarding rules as it should and its works only if the VPN is disconnected....

 

Leaving  all settings exactlly  as they are just turn on open VPN client it won't work anymore

 

So basically the problem is the VPN ololoo

that fun  

 

[BAlGaInTl 279]

There could be a firewall rule that is preventing it from working when the VPN is on.  

 

There is a way to get it to work behind a VPN..

 

Is your VPN a server that you can connect to?  Or is it a client that you connect to a VPN service with so all your traffic goes through a VPN?  If it's the latter, you can do that with some VPN, but you have to do some extra setup.

[Fedora 3]

There could be a firewall rule that is preventing it from working when the VPN is on.  

 

There is a way to get it to work behind a VPN..

 

Is your VPN a server that you can connect to?  Or is it a client that you connect to a VPN service with so all your traffic goes through a VPN?  If it's the latter, you can do that with some VPN, but you have to do some extra setup.

No its a Vpn Service provided from third party so I m just a client .... 

 

I don't know how to dealing with it because I must be behind a vpn... its just a bit more secure 

but if the VPN is ON Emby not work from remote access... tried so many different way, but as I turn On the VPN open client the remote connection get lost 

[BAlGaInTl 279]

No its a Vpn Service provided from third party so I m just a client .... 

 

I don't know how to dealing with it because I must be behind a vpn... its just a bit more secure 

but if the VPN is ON Emby not work from remote access... tried so many different way, but as I turn On the VPN open client the remote connection get lost 

 

Ah...

 

Yes, you need to use a VPN service that will support the passthough of ports. It could involve additional setup with your VPN provider.

 

I know that there are users here that have this setup, but I can't remember who off the top of my head.

 

Then you would have to connect to your VPN WAN address, not the IP address given to you by your ISP.

 

Who is your VPN provider?

Edited May 18, 2020 by BAlGaInTl

[Fedora 3]

Ah...

 

Yes, you need to use a VPN service that will support the passthough of ports. It could involve additional setup with your VPN provider.

 

I know that there are users here that have this setup, but I can't remember who off the top of my head.

 

Then you would have to connect to your VPN WAN address, not the IP address given to you by your ISP.

 

Who is your VPN provider?

I m gonna send an Email to them to see if they could help cause If I did understand right  what you said its their job now allow Emby go over, so Its anything I can change on my side

 

However its P.I.A. vpn ... you should know them if u know the top VPN providers  

[BAlGaInTl 279]

I'm pretty sure they support it, you probably just have to log on and set up a port forward similar to what you do with your routers.

 

There was some discussion about it here:

 

https://emby.media/community/index.php?/topic/76272-pia-private-internet-access-vpn-remote-server-access/?hl=%2Bvpn+%2Bsetup

 

Not sure if that's helpful, I didn't really study it.

[mastrmind11 717]

PIA doesn't do static IPs, and I think port forwarding is only supported at the client level.  Your setup seems a bit convoluted though.  Assuming you have cat5 coming from the ONT (and that you have fiber) the only reason to ever keep the shitty ISP modem is so that your DVR(s) work.  Assuming you only use internet from your ISP, ditch it and plug your Asus directly into the WAN line.  So much less of a configuration headache.

 

Of course this is all moot if you still have coax internet coming in.

Edited May 18, 2020 by mastrmind11

[BAlGaInTl 279]

PIA doesn't do static IPs, and I think port forwarding is only supported at the client level.  Your setup seems a bit convoluted though.  Assuming you have cat5 coming from the ONT (and that you have fiber) the only reason to ever keep the shitty ISP modem is so that your DVR(s) work.  Assuming you only use internet from your ISP, ditch it and plug your Asus directly into the WAN line.  So much less of a configuration headache.

 

Of course this is all moot if you still have coax internet coming in.

 

Ah... I didn't realize that was a client feature.  Probably not as easy to configure on a simple router client.

[Fedora 3]

PIA doesn't do static IPs, and I think port forwarding is only supported at the client level.  Your setup seems a bit convoluted though.  Assuming you have cat5 coming from the ONT (and that you have fiber) the only reason to ever keep the shitty ISP modem is so that your DVR(s) work.  Assuming you only use internet from your ISP, ditch it and plug your Asus directly into the WAN line.  So much less of a configuration headache.

 

Of course this is all moot if you still have coax internet coming in.

Well the reason why I have the ISP modem is just because I cannot do otherwise ololol... no there are not any cat5, just classic one... the second router just help me to manage my network+Open VPN client a bit better than ISP modem which is a standard.

 

 

Edited May 19, 2020 by Fedora

[Fedora 3]

PIA doesn't do static IPs, and I think port forwarding is only supported at the client level.  Your setup seems a bit convoluted though.  Assuming you have cat5 coming from the ONT (and that you have fiber) the only reason to ever keep the shitty ISP modem is so that your DVR(s) work.  Assuming you only use internet from your ISP, ditch it and plug your Asus directly into the WAN line.  So much less of a configuration headache.

 

Of course this is all moot if you still have coax internet coming in.

the reason why I use the ISP modem is because I cannot do it otherwise, there are not cat5 from outside, just classic phone line, however I used a second router to make easier manage my network+VPN  as the ISP modem its a standard model without many option |I may need.

 

 

I ve chat with my VPN provider to see what could be done on my case, and at the end ITS NOT POSSIBLE, what they said its just " you cannot connect into your server remotely if its connected on VPN SERVER " open that for them would be a security issues cause they have to open a port which may cause security problems.... that s what they said.... 

 

So the second option is get a domain and use https protocols and all of it without VPN at all 

 

Its in my opinion to risky running a service in http using a real ip too ... 

 

If anyone has a different Ideas to get it works, more than welcome

[BAlGaInTl 279]

the reason why I use the ISP modem is because I cannot do it otherwise, there are not cat5 from outside, just classic phone line, however I used a second router to make easier manage my network+VPN  as the ISP modem its a standard model without many option |I may need.

 

 

I ve chat with my VPN provider to see what could be done on my case, and at the end ITS NOT POSSIBLE, what they said its just " you cannot connect into your server remotely if its connected on VPN SERVER " open that for them would be a security issues cause they have to open a port which may cause security problems.... that s what they said.... 

 

So the second option is get a domain and use https protocols and all of it without VPN at all 

 

Its in my opinion to risky running a service in http using a real ip too ... 

 

If anyone has a different Ideas to get it works, more than welcome

 

You are correct.  Opening up the server using http only is not a good idea.

 

What is your ultimate use case? 

 

As I said at the beginning, one way to do it is to create a VPN on your home network that you connect to for remote access. Then when you connect to that... you can access your server just like you are on your LAN.  

 

Other options:

 

- Use your normal IP, but secure the connection using SSL.  There are lots of ways to do this, and plenty of guides out there if this is the way you want to go. Regardless, unless you plan on setting up your own VPN server, you should do this if you want an outside connection.

 

- Get a different VPN provider that DOES allow for passing through ports.  Keep in mind, that you will still want to secure your server using SSL (IMHO).

[Fedora 3]

You are correct.  Opening up the server using http only is not a good idea.

 

What is your ultimate use case? 

 

As I said at the beginning, one way to do it is to create a VPN on your home network that you connect to for remote access. Then when you connect to that... you can access your server just like you are on your LAN.  

 

Other options:

 

- Use your normal IP, but secure the connection using SSL.  There are lots of ways to do this, and plenty of guides out there if this is the way you want to go. Regardless, unless you plan on setting up your own VPN server, you should do this if you want an outside connection.

 

- Get a different VPN provider that DOES allow for passing through ports.  Keep in mind, that you will still want to secure your server using SSL (IMHO).

 

 

 

 

 

 

 

 

Well sooner I will see how to set Up Emby with a https protocols just to start, then Set up a vpn tunnel site to site its a bit over my knowlodgies, it doesn't means that I will not do it, just need more time for me to learn how to..... step by step 

 

Nha I won't change VPN provider just because that, I don't mind, and I prefer  learn  more stuff than just by pass the hard job  changing VPN provider making it easier

Edited May 19, 2020 by Fedora

[Fedora 3]

I would not open a new thread for just this question, however I try to ask here before, if anyone know how to ....

I managed to secure the emby server connection with SSL so now its all working both remote and local and https running as a charm  

Now I need to bypass Emby server from VPN app I m mean, I still need to keep the VPN open client on the server machine but I would to exclude Emby Server from vpn tunnel otherwise remote access won't work... the VPN app allow me to do, asking which executable file need to be excluded, as I m on Linux Mint and not on Classic Window where the .exe its easy to find... where is the file need to be placed on vpn app?? I had a look around /var/lib/emby ... but I couldn't find anythings on there... 

Any suggestions? 

Thanks 

 

[Luke 37024]

Hi, try running emby server and then check what processes are running. Please see if that helps. Thanks.

[Fedora 3]

Hi, try running emby server and then check what processes are running. Please see if that helps. Thanks.

Well I did it before post the question and from GUI (system monitor) I couldn't find any process running by Emby, However I have double checked from terminal and from there I found the process, and realised that Emby has its own User so found 

the right folder and finnally excluted from VPN now,,,, 

 

may will help some one, letting Know that the application executable file is /opt/Emby-server/bin/Emby-Server (Linux ) 

 

thank you all guys, all done for now... 

[Luke 37024]

Thanks for the feedback.

[advarito 0]

On 5/19/2020 at 7:36 PM, BAlGaInTl said:

 

You are correct.  Opening up the server using http only is not a good idea.

 

What is your ultimate use case? 

 

As I said at the beginning, one way to do it is to create a VPN on your home network that you connect to for remote access. Then when you connect to that... you can access your server just like you are on your LAN.  

 

Other options:

 

- Use your normal IP, but secure the connection using SSL.  There are lots of ways to do this, and plenty of guides out there if this is the way you want to go. Regardless, unless you plan on setting up your own VPN server, you should do this if you want an outside connection.

 

- Get a different VPN provider that DOES allow for passing through ports.  Keep in mind, that you will still want to secure your server using SSL (IMHO).

"As I said at the beginning, one way to do it is to create a VPN on your home network that you connect to for remote access. Then when you connect to that... you can access your server just like you are on your LAN.  "

How could I do this with Open VPN? thank you very much

[Fedora 3]

9 hours ago, advarito said:

 

How could I do this with Open VPN? thank you very much

Lot of time since I start this Post, and lot things are changed, It's actually nearly time to buy a life time Emby Subscription now :p however replying to your question and as I mentioned above, "you need to set up an VPN server at your home, (is not 3party VPN involved like NordVPN, PIA, and so on...you need to make your own first)  once you successfully  set a VPN server and connected with it, you could just looking for your Emby machine server like at home so with a local IP esp:192.168.x.x/24 or whatever it is.

of course you can do it with Open VPN protocol
My configuration is exactly that at the moment using a VPN server running on a physical firewall so I closed all https port/connections from WAN  and wherever I am, feels like home including shares folders/Drives, Emby.... and go on  (finally).

 

[advarito 0]

13 hours ago, Fedora said:

Lot of time since I start this Post, and lot things are changed, It's actually nearly time to buy a life time Emby Subscription now however replying to your question and as I mentioned above, "you need to set up an VPN server at your home, (is not 3party VPN involved like NordVPN, PIA, and so on...you need to make your own first)  once you successfully  set a VPN server and connected with it, you could just looking for your Emby machine server like at home so with a local IP esp:192.168.x.x/24 or whatever it is.

of course you can do it with Open VPN protocol
My configuration is exactly that at the moment using a VPN server running on a physical firewall so I closed all https port/connections from WAN  and wherever I am, feels like home including shares folders/Drives, Emby.... and go on  (finally).

 

Awesome, finally some light at the end of the tunnel.

Could you share how you did it or a tutorial to follow about how to?

thanks