
VPN - Emby Remote Access - Secure Solution?


JulesC


I know VPN & Emby remote access is not a new topic. I'm looking into a secure way to provide VPN for my home and still ensure Emby remote access works while providing the best security possible.

I have Emby remote access currently working on my NAS by providing a Google Domain (https://mydomain.com), SSL/HTTPS, and Reverse Proxy. I tried installing OpenVPN on the NAS, but Emby remote access was not accessible, as OpenVPN doesn't support Port 443. I have a 30-day trial version of ExpressVPN currently installed on my NAS and individual devices (LAN connected & WiFi where possible), but I still encounter the same problem: Emby remote access / support for Port 443 doesn't appear to work.

ExpressVPN supports VPN Split-Tunneling if installed on a VPN Router, which would provide security for my Home devices, NAS, and allow Emby to bypass VPN for remote access. Since I have a Google Domain (https://mydomain.com), SSL/HTTPS, and Reverse Proxy for Emby remote access, I'm "thinking" this might be the best overall solution.

I'm definitely not an expert with VPN, all secure network solutions, etc., so I would definitely appreciate any guidance.  
 

Note: If you recommend running VPN via home router, which VPN Router would you recommend?

Edited by JulesC

1 hour ago, sooty234 said:

pfsense

@sooty234 thanks. I'm not that familiar with Pfsense. Are you referring to Firewall, Router, or both? What model would you recommend? I'm assuming for the Router that you can install VPN on it (i.e. ExpressVPN, etc.). What VPN are you using? Thanks


sooty234
3 hours ago, JulesC said:

If you recommend running VPN via home router, which VPN Router would you recommend?

https://www.pfsense.org/download/

Just get a cheap mini PC and install it. Then you can set up an interface for the VPN, most commonly with OpenVPN. I ran Torguard on mine for a few years, though I didn't use split tunneling. But pfsense should allow you to do what you want. Plenty of guides and YouTube videos out there.


I use a slightly different method. This allows my Synology to be behind ExpressVPN and my users to connect through SSL to my Emby server.

I have 2 DDNS set up, the standard synology.me one, and the 2nd a no-ip DDNS that bypasses the VPN so my Emby users can still access my Synology, but everything else goes through, in my case, ExpressVPN, including synology.me. The address for the no-ip DDNS is set up with an SSL cert, which Emby uses for remote users, so they have SSL connections to my Emby server.

screenshot of DDNS

In the screenshot, the 45.xxx.xxx.xxx address is the IP from my VPN, ExpressVPN, and the 36.xxx.xxx.xxx is my local public IP for direct connections. To get the two DDNS with different IP addresses, you can manually edit the IP address from the same screen as the screenshot. After editing it Synology seems to remember how you've set it up. Good luck

Hope this may help. I can connect to quickconnect as normal, without having to change anything on my clients. I don't have to use split tunnelling or a reverse proxy; all traffic, apart from Emby users, goes through the VPN and Emby remote users connect with SSL. Remote clients do not have to use OpenVPN to connect.


@kaj thank you for sharing your setup. I’ve never been a fan of quickconnect, but I must admit this is very interesting.

Just curious, where do you have ExpressVPN installed (i.e. NAS, Router, etc.)? I’m assuming on your NAS based on DDNS entry.  Not sure I follow how you created the two different IP addresses? So you have quickconnect pointing to the NO-IP external address and the level of security is SSL for Emby remote users - Right? 

Can you please help me understand the security benefits of your approach vs what I proposed? Just trying to figure out the best setup for overall security (local and remote access).

I could be over simplifying this, but I believe your approach and my suggested approach give us the same level of security, but going about it two different ways.

I truly appreciate your input and guidance. 

Edited by JulesC

@JulesC I probably didn't explain it very clearly :) I'll try my step-by-step. It works for me and once set up is simple to maintain.

I wanted a solution that put my NAS behind a VPN (ExpressVPN). I have ExpressVPN installed on the NAS directly: Control Panel - Network - Network Interface - created an ExpressVPN interface using the OpenVPN configuration file I created from ExpressVPN:

[screenshot of the ExpressVPN network interface on the NAS]

The trouble was none of my remote users (who are all extremely non-technical) could connect when my NAS is running the VPN.

So I then created a DDNS using no-ip to point at my Synology non-VPN address. In the earlier screenshot the IP address beginning with 36 is my normal non-VPN public IP from my ISP. When I connect (under Network Interface on the NAS) to the VPN, the Synology IP address now changes to the VPN IP address (the 45 one). This puts my whole NAS under the protection of the VPN.

I can then log in to the no-ip website and manually edit my no-ip DDNS to point at the 36 address and then go to Control Panel - External Access - No-ip.com entry, and edit it so that it points to the 36 address of my ISP. This then gives me two IP addresses I can connect to, one protected by the VPN and one 'open'.

Then I pointed a domain I own to the no-ip DDNS. I then created an SSL cert for that domain, and then used that address as my external domain on Emby, with the custom SSL cert. Now my remote users use that domain to connect to my Emby server, so that is using a secure SSL connection.

As my official Synology DDNS (the second entry in the screenshot) is using the VPN connection, all my other traffic is going through this and is thus being protected from my ISP.

Not sure if this helps, please feel free to ask for any more clarification.


14 hours ago, kaj said:

@JulesC I probably didn't explain it very clearly :) I'll try my step-by-step. It works for me and once set up is simple to maintain.

I wanted a solution that put my NAS behind a VPN (ExpressVPN). I have ExpressVPN installed on the NAS directly: Control Panel - Network - Network Interface - created an ExpressVPN interface using the OpenVPN configuration file I created from ExpressVPN:

[screenshot of the ExpressVPN network interface on the NAS]

The trouble was none of my remote users (who are all extremely non-technical) could connect when my NAS is running the VPN.

So I then created a DDNS using no-ip to point at my Synology non-VPN address. In the earlier screenshot the IP address beginning with 36 is my normal non-VPN public IP from my ISP. When I connect (under Network Interface on the NAS) to the VPN, the Synology IP address now changes to the VPN IP address (the 45 one). This puts my whole NAS under the protection of the VPN.

I can then log in to the no-ip website and manually edit my no-ip DDNS to point at the 36 address and then go to Control Panel - External Access - No-ip.com entry, and edit it so that it points to the 36 address of my ISP. This then gives me two IP addresses I can connect to, one protected by the VPN and one 'open'.

Then I pointed a domain I own to the no-ip DDNS. I then created an SSL cert for that domain, and then used that address as my external domain on Emby, with the custom SSL cert. Now my remote users use that domain to connect to my Emby server, so that is using a secure SSL connection.

As my official Synology DDNS (the second entry in the screenshot) is using the VPN connection, all my other traffic is going through this and is thus being protected from my ISP.

Not sure if this helps, please feel free to ask for any more clarification.

@kaj thank you for your willingness and patience to assist me.

I have installed ExpressVPN on my NAS the same way as you shared in your screenshot.

Yes, my remote users are also non-technical and I don't want to have to try to explain to them how to enable VPN on their end...UGH!

Here is my understanding and follow-up questions - please confirm . . .

No-IP.com:

1. It sounds like you used a Domain that you created for this. If so, where did you do that (I'm assuming externally...i.e., Google Domains, etc.) and do you have any special configurations when you created this Domain?
2. You're pointing this Domain to your WAN/Public IP Address (ISP provided).
3. You created an SSL cert for this Domain.
4. This configuration is used to provide remote access to Emby.  

Synology DDNS:

1. You created this directly on the NAS.
2. The IP Address 45... is your Local IP Address for your NAS where you have ExpressVPN installed.
3. Are you (as the Admin) the only one accessing your NAS remotely? If you have others accessing your NAS (i.e. File Sharing, etc.) are they using VPN?

MY CURRENT SETUP + NEW CONSIDERATIONS + QUESTIONS:

1. I have a Google Domain (pointing to my Public/WAN IP), SSL, Reverse Proxy & Port-Forwarding for my remote users, which appears to be working pretty well. The problem is that VPN enabled on my NAS blocks this access method.
2. With moving ExpressVPN to a VPN Router (i.e. Linksys WRT3200ACM), I can enable Split-Tunneling where I can re-route my Emby remote connection to bypass VPN (similar to what you're achieving, but I keep the Domain, SSL, Reverse Proxy and have no dependency on Quickconnect). Another benefit of a VPN Router is that every home device (PCs, tablets, smartphones, IoTs) and my NAS are all protected by VPN without installing clients on each device and worrying about simultaneous users.
3. As for NAS remote access, I'm only currently doing this with a non-Admin account through VPN.
4. Would love to better understand how I can open up remote access to my NAS for other select individuals as securely as possible. I'm assuming that you have this setup - Right? If so, can you share additional learnings.

Thanks again for ALL your help and guidance.

Edited by JulesC

@JulesC My usage is probably a little different to yours. I don't really have any remote users using any service except Emby. However, I connect remotely using both Synology apps (DS File, DS Cam etc) using QuickConnect over SSL and I also connect remotely using my custom domain (SMB, web services etc) also over SSL.

No-IP.com

1. Yes, in the DNS settings on my domain host:

[screenshot of the DNS settings at the domain host]

'nas' is a sub-domain of my domain, i.e. nas.mydomain.com and points to the No-IP DDNS

2. Yes

3 & 4. I followed this guide: https://support.emby.media/support/solutions/articles/44001160086-secure-your-server

 

Synology DDNS

1. Yes. Control Panel - External Access - DDNS - Add and choose Synology as the provider.

2. IP 45 is the address after starting the ExpressVPN you installed on the NAS.

3. Normally yes. One user (non-admin) uses DS Cam. A few users access a couple of web services (Ombi, over the No-IP DDNS - yes, I have to open that port on my router)

 

MY CURRENT SETUP + NEW CONSIDERATIONS + QUESTIONS

1. The reason I moved away from using a reverse proxy was that, try as I might, I just couldn't get remote users to register as remote users. They always connect to Emby as local users and so wouldn't transcode, which is essential given my upload speed and their download speeds. I tried, made posts to try and find out why, but no luck. Probably I'm a muppet and made some kind of configuration error somewhere, but I couldn't find out where. So I went to the SSL cert method instead.

2. I can't use VPN on my ISP supplied router. I do use a Raspberry Pi with Adguard Home on it. I looked at using the Pi as a VPN/Reverse Proxy but it started to get beyond my comfort level, especially as the method I now use is sufficient for my use.

3. Setting up the Synology DDNS would let the Synology QuickConnect apps work, even with a VPN

4. I think I answered this above.

Hope this helped.


@kaj Thank you for sharing all of this information with me. It's been very helpful and educational...very much appreciated.

I think I understand your setup and I have no further questions at this time.

If you ever decide to revisit implementing a Reverse Proxy, I would gladly share my learnings and setup to hopefully assist you...just shoot me a message.

Thanks again 


I like the suggestion sooty234 made; pfsense. I've used pfSense for a few years now. I have a reverse proxy set up in the router and only have 2 ports open to the world (80 and 443). I have domains set up (ex, emby.mydomain.com). So a remote end user can go to https://emby.mydomain.com and then the reverse proxy takes over routing the connection internally to 192.168.1.13:8096 (the emby server on my Synology NAS). I have an SSL certificate set up on the router as well to keep the connection secure. I can VPN to the home network (I use OpenVPN which certainly will support 443) but I don't need VPN to securely connect to my Emby setup. There are lots of ways to accomplish what you want!

Edited by jch
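As an added example (not part of this thread, and not jch's or kaj's actual configuration), here is an nginx server block for the arrangement jch describes: TLS terminated for emby.mydomain.com on 443, port 80 used only to redirect to HTTPS, and requests forwarded to the Emby server at 192.168.1.13:8096. It also passes the client's address and scheme through to Emby; when a proxy on the LAN omits these headers, Emby only sees the proxy's private address, which is one common reason remote users get treated as local, the symptom kaj reported earlier. The certificate paths are placeholders.

```nginx
# Added example: nginx reverse proxy in front of Emby (not jch's or kaj's config).
# Assumptions: Emby listens on 192.168.1.13:8096 (the address jch mentioned),
# nginx runs on the LAN with ports 80 and 443 forwarded to it by the router,
# and a certificate for emby.mydomain.com exists at the placeholder paths below.

# Port 80: redirect only, nothing is served in clear text.
server {
    listen 80;
    server_name emby.mydomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name emby.mydomain.com;

    # Placeholder certificate paths; replace with your own.
    ssl_certificate     /etc/ssl/certs/emby.mydomain.com.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/emby.mydomain.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Tell browsers to use HTTPS only for this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://192.168.1.13:8096;

        # Pass the real client address and scheme. Without X-Forwarded-For,
        # Emby sees only the proxy's LAN IP and may treat every user as local.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support, used by the Emby web client.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Long read timeout and no buffering so playback is not cut off by the proxy.
        proxy_read_timeout 3600s;
        proxy_buffering    off;
    }
}
```

Check the file with `nginx -t` before reloading, and then confirm in the Emby dashboard that a remote session shows the client's public address rather than the proxy's LAN address.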

On 1/20/2021 at 2:52 PM, jch said:

I like the suggestion sooty234 made; pfsense. I've used pfSense for a few years now. I have a reverse proxy set up in the router and only have 2 ports open to the world (80 and 443). I have domains set up (ex, emby.mydomain.com). So a remote end user can go to https://emby.mydomain.com and then the reverse proxy takes over routing the connection internally to 192.168.1.13:8096 (the emby server on my Synology NAS). I have an SSL certificate set up on the router as well to keep the connection secure. I can VPN to the home network (I use OpenVPN which certainly will support 443) but I don't need VPN to securely connect to my Emby setup. There are lots of ways to accomplish what you want!

@jch & @sooty234 thank you for your suggestions for Pfsense. I've heard of Pfsense, but I have no firsthand experience with it, so if you don't mind, I have some noob questions I was hoping you could help me with.

  1. What are you running on it (i.e. firewall, router, VPN (OpenVPN), reverse proxy (Caddy, Nginx) etc.)?

  2. What hardware (custom built mini-PC or pre-packaged/Netgate) are you using and how much RAM? I saw that they suggest an Intel NIC.

  3. How are you connecting your Pfsense Router to your WiFi Router so they don't conflict?
     Note: My current setup includes - Spectrum Modem / Netgear Nighthawk R8000P WiFi Router / Gigabit Network Switch / Synology NAS DS1520+

  4. Here's how I'm currently enabling remote access for Emby users:
     I have Emby remote access currently working on my NAS by providing a Google Domain (https://mydomain.com), SSL/HTTPS, and Reverse Proxy (running on the NAS). I tried installing OpenVPN on the NAS, but Emby remote access was not accessible, as OpenVPN doesn't support Port 443. I have a 30-day trial version of ExpressVPN currently installed on my NAS and individual devices (LAN connected & WiFi where possible), but I still encounter the same problem: Emby remote access / support for Port 443 doesn't appear to work. ExpressVPN suggested running their product on a Router so I could enable Split-Tunneling and bypass VPN for remote Emby users.

  5. Are your remote Emby users coming through VPN in your setup? If I have a Google Domain, SSL/HTTPS & Reverse Proxy in place now for remote access, is this enough and I shouldn't worry about them using VPN?

  6. The Pfsense YouTube videos I've come across appear to be older. Do you have recommended videos or other sources that you would recommend for beginners?

That's all I have for now. Let me know if you need any additional information. TIA for your help.

Edited by JulesC

sooty234

pfsense is a complete firewall/gateway. You install it like you would install an OS. It doesn't use a lot of power, unless you really want to run max security, which you won't. Almost any mini PC will work (not things like R-Pi). If you don't have an old PC laying around, you can pick up a cheap Chinese one on ebay. Mine is actually far more than I need. I had an old i5 6500 with MB and a dual port 10G NIC laying around, so I put them to work. 

You can create interfaces and clients quite easily. I haven't tried a split tunnel, but there are videos like this one:

 

I also read recently, that the next version of pfsense will support wireshark. So that's exciting!

I don't use a VPN at the moment, but I still have the interface and client setup. Maybe I'll tinker with wireshark split tunneling when it gets integrated.

 

Edited by sooty234

Sooty234 has answered most of your questions but I’ll add my two cents.

  1. I run a VPN server (OpenVPN on port 443) and a reverse proxy on my pfSense in addition to its regular firewall duties.  (I run a cloud server and a calendar server on my NAS – also through the reverse proxy)
  2. I have a small footprint i3 fanless computer with 4 NICs and 8G RAM that I installed pfSense on.  Yes, an Intel NIC is apparently essential though I haven’t tried any NIC except Intel.
  3. My wifi gear runs in AP mode so there is no conflict.  (Spectrum Modem -> pfSense -> network switches -> wifi AP gear)
  4. Using pfSense and reverse proxy will (after some editing of the OpenVPN config file) allow use of port 443.  I needed this to connect from my office where 1194 is blocked.

  5. I do not have remote users go through VPN. While doing so provides another layer of security I think (my opinion) the reverse proxy and SSL layer are good enough.

  6. There are many up to date videos on how to set up and configure pfSense. Lawrence Technologies, as suggested by sooty234, is an excellent resource.

Good luck with your launch into pfSense. You'll find it is flexible and will allow you to do many things if you like to tinker. And just a note regarding Emby. I run Plex off of the same storage folder on my NAS at home and I have found a number of instances where Emby will play files that Plex throws its arms up in the air and refuses. It has become my go-to media player for that reason.


9 hours ago, jch said:

I run a VPN server (OpenVPN on port 443) and a reverse proxy on my pfSense in addition to its regular firewall duties.  (I run a cloud server and a calendar server on my NAS – also through the reverse proxy)

@jch thank you for your continued assistance...greatly appreciated. I have a couple of additional questions, if you don't mind.

What Reverse Proxy are you using? (i.e. HAProxy or something else)?

9 hours ago, jch said:

I have a small footprint i3 fanless computer with 4 NICs and 8G RAM that I installed pfSense on.  Yes, an Intel NIC is apparently essential though I haven’t tried any NIC except Intel.

Is this a custom build that you put together from scratch? If so, what components besides 4 NICs & 8GB RAM did you use? If you started with an old PC, what model did you use? Would an HP Elite 8300 Ultra Small Slim High Performance Business Computer PC meet the needs:

  • Intel Core i5-3470s, 2.9 GHz 3rd Generation Processor, 6M cache, Turbo up to 3.6GHz.
  • 8GB DDR3 Ram
  • HDD 120GB
  • NIC: Intel 82579LM Gigabit Network Connection

I'm assuming this will work, but wanted to confirm.
     
9 hours ago, jch said:

Using pfSense and reverse proxy will (after some editing of the OpenVPN config file) allow use of port 443.  I needed this to connect from my office where 1194 is blocked.

I would like to reapply this in my setup. Can you please share what edits you made or point me to the resource you followed?

9 hours ago, jch said:

I do not have remote users go through VPN.  While doing so provides another layer of security I think (my opinion) the reverse proxy and SSL layer are good enough.

Thank you for confirming!!! That's what I was thinking as well.

Yes, Emby is and has been my go to media player as well.

So looking forward to learning more and tinker with Pfsense.  Thanks to you and @sooty234 for your help and guidance!!!

Edited by JulesC

@sooty234 thank you! I will definitely check this out. Please keep sharing your learnings. 

Can you please look at my earlier post to see if my “HP Elite8300 Ultra Small Slim PC” will meet the requirements for running Pfsense (Router/Firewall), OpenVPN, Reverse Proxy, Snort IPS, etc.)?  Thank you 


sooty234
27 minutes ago, JulesC said:

@sooty234 thank you! I will definitely check this out. Please keep sharing your learnings. 

Can you please look at my earlier post to see if my “HP Elite8300 Ultra Small Slim PC” will meet the requirements for running Pfsense (Router/Firewall), OpenVPN, Reverse Proxy, Snort IPS, etc.)?  Thank you 

 

7 hours ago, JulesC said:

Would an HP Elite 8300 Ultra Small Slim High Performance Business Computer PC meet the needs:

  • Intel Core i5-3470s, 2.9 GHz 3rd Generation Processor, 6M cache, Turbo up to 3.6GHz.
  • 8GB DDR3 Ram
  • HDD 120GB
  • NIC: Intel 82579LM Gigabit Network Connection

I'm assuming this will work, but wanted to confirm.

It's comparable to mine, and has more than you need.


@sooty234 and @jch I have a network connection question I wanted to run by you - please

I'll have the [ISP Modem] --> [Pfsense] --> [Network Switch] <-- [Netgear Nighthawk R8000P - converted to Access Point]

My assumption here is that the [ISP Modem] will plug into the [Pfsense Router - will 1 NIC meet my needs or will I need 2, 1 for the ISP modem and 1 for the Network Switch? The HP Elite 8300 only has 1 NIC], which will be plugged into my [Network Switch], and the [Netgear Nighthawk R8000P] will be plugged into the [Network Switch] ... similar to the image below - Right?

 

How to Connect an Access Point to pfSense | Open School Solutions

Note: I realize that I'll have to convert my Wireless Router (Netgear Nighthawk R8000P) from a Router to an Access Point.

Are there any other changes I should consider?

TIA for your continued guidance and support.

Edited by JulesC

sooty234

And make sure you aren't double NATing. It should be fine, but if you aren't putting your ISP modem in bridge mode, make sure that pfsense doesn't NAT. I believe it shouldn't and should just be a gateway. But pfsense will be providing your network IPs, so make sure there are no conflicts with your ISP modem.

Edited by sooty234

1 hour ago, sooty234 said:

You need a dual NIC for pfsense. It's a gateway, so traffic in and traffic out.

@sooty234 Did you have to order a separate NIC for your HP Elite 8300 Ultra Small Slim PC or did you find one with 2 NICs?  

Edited by JulesC

1 hour ago, sooty234 said:

And make sure you aren't double NATing. It should be fine, but if you aren't putting your ISP modem in bridge mode, make sure that pfsense doesn't NAT. I believe it shouldn't and should just be a gateway. But pfsense will be providing your network IPs, so make sure there are no conflicts with your ISP modem.

@sooty234 This makes sense.  Thank you!
