Access Emby Server Without Port Forwarding


gillespie.skip@gmail.com
Posted

I recently switched internet providers from Comcast to T-Mobile since Comcast jacked up my rates and started to enforce a data cap.

What I did not realize until after I signed up for T-Mobile Home Internet is that they lock down their hardware.  I cannot bridge mode my router or use port forwarding on their hardware.

Is there any way around that so I can still have access to my server from the outside world without being able to forward ports?

I know my security cameras utilize an outside server that the DVR connects to that bypasses port forwarding.  Is something like that possible?

Posted

Hi, this might be tricky. Perhaps with a VPN? @cayars may have some tips.

Posted

Yes, there are several ways to do this but one in particular that I've been testing with a good half dozen Emby users that needed something like this. I had been testing this personally for maybe 6 months as well. I can't find a downside to this method unlike typical VPNs or typical reverse proxy use.

It's not really a secret but I wanted to get some use of this on multiple different platforms first to work out any kinks and be able to support it. :)

The only requirement is that you need to have your own domain name that you can control. It can be a paid or free domain but you need to be able to change the Name Server for the domain to point to Cloudflare.  Here's the overall list of steps involved:

  • Register a domain name.
  • Sign up for a free Cloudflare account.
  • Add your domain to Cloudflare.
  • Change your Name Servers to what Cloudflare gives you to use.
  • WAIT
      - This takes from 15 minutes to a few hours to kick in and transfer to Cloudflare.
      - In the meantime you can configure Cloudflare with the specific settings needed to work with Emby Server and not abuse their services.
      - You will be able to set up any type of DNS record you will need like A and CNAME records but we will handle the "emby" sub domain programmatically so don't set anything up specifically for Emby use.

At this point you can get your own domain certificate from a 3rd party like Let's Encrypt or use a private cert directly from Cloudflare (what I do).  We have to convert this cert to the pk12 format Emby needs and install this in Emby.

Up until this point you are basically doing the same thing anyone would do setting up Emby for Cloudflare use. Now the fun/tricky part and it's a wee bit different depending on OS platform is setting up an Argo Tunnel.  This used to be a paid only feature but they opened it up to free accounts as well (hence me starting to play with it).

This tunnel is created using a single piece of software called cloudflared which is a CLI (command line only tool) that is used to establish an encrypted connection from your Emby Server machine to the Cloudflare Edge network.  There are 5 steps to this but for Emby use I've got pretty much "cut and paste" instructions.  These steps include getting authorized by Cloudflare (you do this from the CF dashboard), setting up PEM certs (used between you and CF), setting up the actual tunnel, configuring the tunnel for services (ie https, web sockets & SSH) and port, joining this to a location, creating a special DNS record with PEM cert associated with it (used by tunnel) and giving it a name such as "emby".

Now you just start the tunnel and if done correctly you will be able to open a web browser or any Emby app and type in emby.your_domain.ext and it will work. At this point you just set this up so your computer establishes the tunnel every time you restart the computer.  On Windows I create a service to start automatically so you don't have to do anything.


After that long process it just works. You do not need to open any ports on your router so this is actually a good solution for anyone! The only way into your network is going through Cloudflare which is set up to only allow secured ports 443 and web socket access.  If your ISP gives you a different WAN IP every single day it also wouldn't matter to you either because your computer always initializes the tunnel with an outgoing connection. You could use this on a notebook, walk over to your neighbor's with a different IP and it starts working again. Once set up it just works!

There are a lot of positives to this approach except for the detailed setup (not hard).

If you already have a domain name or want to get one, open a free account on Cloudflare and start the process of updating your Name Servers. Once Cloudflare has control over your DNS records, I can run through the rest of the steps in stages which will give me a chance to write it all down and make a tutorial out of it for everyone's benefit.

Carlo

  • Like 4
gillespie.skip@gmail.com
Posted

I appreciate the responses.

Wow!  This sounds like it might be a weekend project (not a lunchtime project from work).  I will start going through this this weekend.

Posted

It sounds worse than it actually is now that I've got it all worked out. There was hardly any documentation at all on this when it first came out.  Now you can find some decent info on Google or at least enough info to push you in the right direction.

You can easily spend more time trying to find the domain name you want vs the rest of the setup. :)

What OS are you running Emby Server on?

  • 3 weeks later...
gillespie.skip@gmail.com
Posted

Currently, I'm running Windows 8.1.  Have been running this for probably 7 or 8 years. 

Right now, it is the only windows machine I have left.  I am considering moving it to Linux. 

I have 2 laptops running Ubuntu (one running 20.04 LTS and one running 21.10).

My file server is on a Raspberry Pi running Raspian Buster.

Posted

The only real way to solve this problem is with a tunnel of some type to bypass your ISP CGNAT they have in place.
The Cloudflared solution with a domain name is probably the best method overall.
Another thing you might consider is getting a cheap VPN or VM for $5 a month with unlimited bandwidth and setting this up with a WireGuard tunnel to your home.  You essentially route all your Emby traffic through this. Emby will see the IP of VPS/VM so you just use that static IP to access Emby.  That gives you complete control over the tunnel.

Depending on the CPU power and transfer rate you consistently get, you could likely use the same box as a general purpose VPN as well to bypass/hide traffic from your ISP.

You could also use a public VPN server if you get the right one but for the cost difference you are far better off setting up your own server.  You can find guides to do this with a Google search.  But the Cloudflared approach is still the best I've found as it increases the speed of your system due to its caching of images when set up correctly.

  • 1 month later...
Posted

I also have TMHI and had pretty much given up on trying to accomplish certain things from my home network. I am just getting started with Emby in the last 24 hrs. I stumbled across it as a potential solution to my Kodi library failing to scan/update new files and add them to the library. Emby was relatively easy to set up and use as a solution to my library challenge. This led me to want to use Emby for more than just doing the heavy lifting for library/metadata management. I want to be able to use Emby to access my media from outside my network. While researching that, I came across several posts in these forums referencing CloudFlared/Argo Tunnel to accomplish this with TMHI as your ISP. I tried following the guidance and piecing together the ingredients to this particular recipe with some progress but ultimately no success. I already had/have a domain name and account (free) with Cloudflare. So essentially I started with

On 11/21/2021 at 2:25 PM, cayars said:

configure Cloudflare with the specific settings needed to work with Emby Server and not abuse their services.

To configure these items I followed the best practice guide I found on the forum for Cloudflare and Emby by @pir8radio

I then moved onto

On 11/21/2021 at 2:25 PM, cayars said:

you will need like A and CNAME records but we will handle the "emby" sub domain programmatically so don't set anything up specifically for Emby use.

These are my current DNS A records in the Cloudflare dashboard. I imagine this should suffice if I interpret what I read accurately.

image.png.66e0d13a1a5364dee735b20783fa9c51.png

On 11/21/2021 at 2:25 PM, cayars said:

At this point you can get your own domain certificate from a 3rd party like Let's Encrypt or use a private cert directly from Cloudflare (what I do).  We have to convert this cert to the pk12 format Emby needs and install this in Emby.

I completed this using a cert from Cloudflare and converted the cert to the format Emby needs and pointed Emby to the cert in the settings.

On 11/21/2021 at 2:25 PM, cayars said:

Up until this point you are basically doing the same thing anyone would do setting up Emby for Cloudflare use. Now the fun/tricky part and it's a wee bit different depending on OS platform is setting up an Argo Tunnel.  This used to be a paid only feature but they opened it up to free accounts as well (hence me starting to play with it).

Emby Server is running on an Nvidia Shield. If I understood correctly, cloudflared doesn't need to be running on this device, just another device on my network, in which case I opted for my Windows desktop that is always on. Is my logic accurate?

On 11/21/2021 at 2:25 PM, cayars said:

This tunnel is created using a single piece of software called cloudflared which is a CLI (command line only tool) that is used to establish an encrypted connection from your Emby Server machine to the Cloudflare Edge network.  There are 5 steps to this but for Emby use I've got pretty much "cut and paste" instructions.  These steps include getting authorized by Cloudflare (you do this from the CF dashboard), setting up PEM certs (used between you and CF), setting up the actual tunnel, configuring the tunnel for services (ie https, web sockets & SSH) and port, joining this to a location, creating a special DNS record with PEM cert associated with it (used by tunnel) and giving it a name such as "emby".

Now you just start the tunnel and if done correctly you will be able to open a web browser or any Emby app and type in emby.your_domain.ext and it will work. At this point you just set this up so your computer establishes the tunnel every time you restart the computer.  On Windows I create a service to start automatically so you don't have to do anything.


After that long process it just works. You do not need to open any ports on your router so this is actually a good solution for anyone! The only way into your network is going through Cloudflare which is set up to only allow secured ports 443 and web socket access.  If your ISP gives you a different WAN IP every single day it also wouldn't matter to you either because your computer always initializes the tunnel with an outgoing connection. You could use this on a notebook, walk over to your neighbor's with a different IP and it starts working again. Once set up it just works!

I went through the install process, authenticated, created the tunnel, created the config files, and since it was for an application I used this format for the config file:

url: http://emby In-Home (LAN) access:8920

tunnel: <Tunnel-UUID>

credentials-file: ~\downloads\.clouflared\credentialsfile.json

I started routing the traffic and that added a CNAME record to my domain that I named emby.

image.png.1c1d4e4d8cf702fe4490f8f305193dbe.png

When I started the tunnel it appears to start but then errors out as pictured below.

image.thumb.png.daac925d4e9edafe775570e9e143dc83.png

Despite the error, the tunnel appears to still be running. When I try to access Emby files at emby.mydomain.ext from my tablet on LTE, I get the following error.

image.png.4036ba3a9d62b3505b6e06420731c5eb.png

It seems apparent I made some mistakes in going through this process. I appreciate anyone who took the time to read through the whole post. I also appreciate any clarity or guidance.

Best Regards.

J

Posted

Looks like you're close but with those errors it will not work.

Is this running on Windows?
If so, send me a private message so we can expand on your setup a bit without having it in public.
If you prefer I could do a remote session with you and get you setup.

Carlo

Posted

Would something as simple as ZeroTier be even easier to use? I haven't tried something this complex but I know I can ssh between all my servers remotely and locally without opening up any ports on my router if I use the 10.X IP ZeroTier IP addresses provided. And ZeroTier is free for 50 devices

Posted

@cayars The Emby server is running on an Nvidia Shield. The cloudflared items are running on a Windows box. I'll send you a PM shortly.

@upssnowman I came across ZeroTier as an option whilst researching and deploying this setup. ZT sounds promising and isn't off the table completely. Quite the opposite, I will be looking at deploying ZT once I can get this CF solution configured and tested. That will give me a baseline to measure against and make an informed decision about which solution I need for my use case. I just happened to be eating the CF sandwich first, I'm going to try and finish it before I start biting into ZT.

 

  • Like 1
Posted

What I liked was how easy it was to setup/use. And the IOS iPhone app is free and works great!

Posted
3 hours ago, dr024 said:

@cayars The Emby server is running on an Nvidia Shield. The cloudflared items are running on a Windows box. I'll send you a PM shortly.

@upssnowman I came across ZeroTier as an option whilst researching and deploying this setup. ZT sounds promising and isn't off the table completely. Quite the opposite, I will be looking at deploying ZT once I can get this CF solution configured and tested. That will give me a baseline to measure against and make an informed decision about which solution I need for my use case. I just happened to be eating the CF sandwich first, I'm going to try and finish it before I start biting into ZT.

 

The PC would have to be left on 24/7 for that to work.  Nothing wrong with that but if you do this you would be far better off moving the Server to the PC as well.
Is this something we could do?

  • Like 1
Posted

@cayars Thank you for the help earlier. I am glad it wasn't a complex fix. The time and effort are greatly appreciated. I am going to let this simmer for about a week and I'll PM you.

Posted

You were so close. You had everything set up perfectly except the config file. Even that was darn close but has mixed formats in it thanks to the way they do samples (all over the place). I know how frustrating things of that nature can be.

I just happened to know the ingress format they wanted since you were routing to another machine. Don't ask how long it took me to figure out. :(

You may want to keep things like they are now. I was just commenting that if you had to leave the PC on for the tunnel it may make sense to just use that for Emby as well.
BTW, see if you have an old PC or notebook not being used.  A Notebook could be setup with the tunnel running on it which is low powered. You could actually run that from a thumb drive with a headless Linux server even.

  • Thanks 1
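
An added example, not part of the original posts and not the fix Carlo applied (that was worked out privately): one way a cloudflared `config.yml` can look in the ingress format when the tunnel runs on a different machine than Emby. The LAN address, file paths and the `caPool` certificate location are assumptions; the hostname, port 8920 and the `<Tunnel-UUID>` placeholder follow the thread.

```yaml
# cloudflared config.yml (added example; <...> values, paths and the LAN
# address are placeholders, not values from the thread)
tunnel: <Tunnel-UUID>
credentials-file: C:\Users\<user>\.cloudflared\<Tunnel-UUID>.json

# Ingress format: rules are evaluated top to bottom and the first match wins.
# The top-level "url:" key belongs to the single-service format and is not
# combined with an ingress list.
ingress:
  - hostname: emby.your_domain.ext
    # Emby's HTTPS listener on another machine on the LAN (constructed address)
    service: https://192.168.1.50:8920
    originRequest:
      # Keep certificate verification on for the hop from cloudflared to Emby:
      # check the name on the cert Emby presents ...
      originServerName: emby.your_domain.ext
      # ... against the CA that issued it (assumed location of that CA's PEM,
      # needed when the cert is not from a publicly trusted CA)
      caPool: C:\Users\<user>\.cloudflared\origin_ca.pem
      # Weaker alternative, shown for contrast only: accept any certificate
      # from the origin, so the LAN hop is encrypted but not authenticated.
      # noTLSVerify: true

  # Mandatory catch-all as the last rule: requests for any other hostname
  # routed to this tunnel get a 404 instead of reaching a LAN service.
  - service: http_status:404
```

Running `cloudflared tunnel ingress validate` against the file checks the rule syntax before the tunnel is started.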
  • 2 weeks later...
Posted

@cayars If possible I am having the same issues, do you mind helping me as well?

Posted
On 2/6/2022 at 1:09 PM, Misfit404 said:

@cayars If possible I am having the same issues, do you mind helping me as well?

Hi there @Misfit404 can you please describe the issue that you're having? Thanks.

  • 1 year later...
Posted

Hi guys, I have Emby running on a dedicated unRAID box, I'd like to have it available from outside my LAN without opening a port.

I can't use 443 as my UNIFI system uses that which is handy... Any ideas?

pwhodges
Posted (edited)

Opening a port is necessary, just as you can't (I presume) go through closed doors.

The only way around it is to use a tunnel of some kind - which in essence is opening a port from the inside...

As for 443 being in use, any alternative will do - except for already dedicated numbers (mostly under 1024) just choose.  Why not use Emby's default of 8920 (for SSL, which I presume you're interested in as you mentioned 443).

Paul

Edited by GrimReaper
Default SSL port
Posted (edited)
On 11/4/2023 at 12:02 AM, Rikitydj said:

Hi guys, I have Emby running on a dedicated unRAID box, I'd like to have it available from outside my LAN without opening a port.

I can't use 443 as my UNIFI system uses that which is handy... Any ideas?

You allow access to UNIFI from outside your network?

What pwhodges mentioned above is the easy way to go since out of the box Emby would use port 8920 by default.

Without complicating things, just so you know, down the road you could have many different software/servers running on your LAN all sharing 80 and/or 443 by making use of a reverse proxy server.  You set the proxy server up to look at the "host" part of the domain name such as emby.yourdomain.com.  You could have unify.yourdomain.com, emby.yourdomain.com, nas.yourdomain.com, www.yourdomain.com, etc...  The reverse proxy looks at the "host" portion of the domain name to know what internal IP to send the request to. All inbound ports making use of the reverse proxy are set up to forward directly to the proxy.  This is done to add another layer of protection in the mix as well as speed up requests and allow sharing of resources among other reasons.

Carlo

Edited by GrimReaper
Default SSL port
Posted

Hi Carlo

 

I use unifi on the 443 port so I can set up a vpn with home wherever I am via the unifi gui, it's useful. 

 

This reverse proxy sounds great, could you recommend a guide to follow? 

Posted
2 hours ago, Rikitydj said:

Hi Carlo

 

I use unifi on the 443 port so I can set up a vpn with home wherever I am via the unifi gui, it's useful. 

 

This reverse proxy sounds great, could you recommend a guide to follow? 

This guide is for nginx but most reverse proxies have similar options: 

 

  • Like 1
  • 1 month later...
Posted
On 11/6/2023 at 6:56 PM, Carlo said:

You allow access to UNIFI from outside your network?

What pwhodges mentioned above is the easy way to go since out of the box Emby would use port 8920 by default.

Without complicating things, just so you know, down the road you could have many different software/servers running on your LAN all sharing 80 and/or 443 by making use of a reverse proxy server.  You set the proxy server up to look at the "host" part of the domain name such as emby.yourdomain.com.  You could have unify.yourdomain.com, emby.yourdomain.com, nas.yourdomain.com, www.yourdomain.com, etc...  The reverse proxy looks at the "host" portion of the domain name to know what internal IP to send the request to. All inbound ports making use of the reverse proxy are set up to forward directly to the proxy.  This is done to add another layer of protection in the mix as well as speed up requests and allow sharing of resources among other reasons.

Carlo

Carlo, could you post a guide with the commands to get the Cloudflare tunnel set up for Emby? I am running Emby Server on unRAID.

Posted
3 hours ago, mp46241 said:

Carlo, could you post a guide with the commands to get the Cloudflare tunnel set up for Emby? I am running Emby Server on unRAID.

Hi, please use this as a starting point: 

 

hapylestat
Posted

I would say you have these routes:
1) Check for a real IP, if you have one, and verify whether your locked router supports UPnP requests. It's basically a protocol which asks the router to create port forwarding for you. No third party services required.

2) VPN, but it would require you to have some VPS under your control to proxy traffic for you:

    Home (client) -> VPS (server)   <-  external emby clients

3) Tunnels, which try to punch through NAT, like the mentioned Cloudflare Tunnels or Tailscale.

 
