scott46953 30 Posted December 22, 2024 (edited)

This is an amazing idea, it does take a little bit of setting up to accomplish.. why can't we incorporate the server to have an option for non-port use? Ports aren't necessarily required, all it needs to be established is the person that's trying to access the server to first acknowledge the server. Once that is done no port is needed. This is done all the time, even with torrents.. I'm sure the server can be programmed with an option to use it without ports.. address depends on how many people actually need the option..

I'm in this particular position right now, router's locked, can't open ports so it's useless internet to me right now.. unless I follow all these steps.. which I'm sure I can do.. Is it a lot of work? To program the server to have the option to not need ports opened? This would be an amazing feature..

Edited December 22, 2024 by scott46953

hapylestat 10 Posted December 22, 2024

39 minutes ago, scott46953 said: This is an amazing idea, it does take a little bit of setting up to accomplish.. why can't we incorporate the server to have an option for non-port use? Ports aren't necessarily required, all it needs to be established is the person that's trying to access the server to first acknowledge the server.

Ports are required - if you'd like to use it without 3rd party infrastructure. NAT escape is only possible in a connection PUSH configuration (when the initial connections are established from client to server), such as: relays, tunnels, VPN, etc. And all those things require some form of server, which is accessible from the internet with ports and an IP address.... and cost money

scott46953 30 Posted December 22, 2024

Maybe some of these are compatible with routers that are also compatible with VPN settings? Trying to find the easiest way without having to install any programs on the server.

scott46953 30 Posted December 22, 2024

Also while it's fresh on my mind, I have a multi-WAN router, example it's capable of doing three or four WAN at the same time... When I enable this, how does the server react? Does the automatic setting in network settings work okay? Or does it need to be manually set for the very first WAN? I know that LAN settings is only one.. so that one's pretty easy to figure out.

When I open up ports on a multi-WAN router, will I be able to access the server from any of the IP addresses associated with each of the WANs?

Clackdor 109 Posted December 22, 2024 (edited)

1 hour ago, scott46953 said: Also while it's fresh on my mind, I have a multi-wan router, example it's capable of doing three or four wan at the same time... When I enable this, how does the server react?

Really this is going to depend on your router and how you have routing, gateways, failover, and NAT if using IPv4 setup, as well as how port forwarding is handled by the router itself in such a scenario. At least on pfSense I can forward the same port to the same server on multiple different WAN connections if I wanted.

If for whatever reason I wanted the same server accessible from different WAN connections, my approach would be to use a reverse proxy and forward the ports to that and have the proxy pass the traffic to the emby server. I would use a different subdomain for each WAN connection. You would need proper DNS records on the provider. It could be done over IP, but it would be cumbersome. For example, emby1.example.tld would resolve to WAN 1, emby2.example.tld would resolve to WAN 2, etc. You wouldn't be able to use emby connect for this feature though as that is only going to resolve to a single IP/domain name.

IMO anything short of basic port forwarding or reverse proxy support is out of scope for anything emby should support as far as remote access. If you don't want to/can't directly forward ports to emby or use a reverse proxy then there are already 3rd party solutions to handle this better than anything the emby team could/would implement.

The one feature that the team could implement that might be useful when connecting through a VPN would be an area on the network page to specify local addresses/subnets for clients connecting through a VPN so that they are treated as remote connections rather than local. This could help prevent bandwidth issues and force the server to transcode to a lower bitrate rather than trying to direct stream content that exceeds the internet connection bandwidth.

Edited December 22, 2024 by Clackdor

pwhodges 2012 Posted December 22, 2024

4 hours ago, scott46953 said: Ports aren't necessarily required,

In the protocols used for streaming etc, they absolutely are - they're a fundamental part of network addressing.

4 hours ago, scott46953 said: even with torrents.

Yes torrents use ports too, which is why my router and firewall have entries for them.

Paul

scott46953 30 Posted December 23, 2024

Ports do help for connections yes, but for internets that do not have any open ports and most everything is blocked, yeah torrents still find a way through and work without ports.. I guess what I'm saying is, why isn't there a way to incorporate that, I'm not sure if the term is hole punching, it's been a long time since I got deep into it.. does it require communication with a computer in the middle in order to determine and make connection initially? But I believe once the connection is established, open ports are no longer required.

Example, my cell phone mobile data, no ports everything blocked... Torrent downloads still work. How does it establish that connection? If I have a router with no ports, and then I connect three or four more routers to them, all of them with no ports open, torrent downloading still works. Decentralized tracking or DHT I believe may be helping the connection for ones that have no ports available... So servers that have access to Internet that don't mind running a DHT help others complete the connection..

I guess it's always good to have a dream.. Port freedom..

For now I guess dumping the internet that does not have ports is the easiest option. Second option is finding a good decent VPN that supports port forwarding as long as the main router has the VPN options in the menu..

Clackdor 109 Posted December 23, 2024

31 minutes ago, scott46953 said: I guess what I'm saying is, why isn't there a way to incorporate that, I'm not sure if the term is hole punching, it's been a long time since I got deep into it.. does it require communication with a computer in the middle in order to determine and make connection initially? But I believe once the connection is established, open ports are no longer required.

Personally I don't see any value in the devs spending time and resources on this kind of feature. They would at minimum have to host servers to handle connection negotiation and the networking code of both the server and clients would have to be completely rewritten. The traditional client/server model that emby uses is more desirable for its intended audience and much more ideal than further complicating the networking code to handle p2p negotiations with NAT hole punching.

On the flip side, Plex handles this problem by relaying the entire stream through their servers if a direct port forward isn't available. One of the big selling points of emby is that they aim to know as little about your server, your media, and your users as possible. The devs themselves have expressed no desire to implement these kinds of relay servers that pass full content streams through them.

Simply put, this isn't the kind of thing the dev team should be focusing on, nor is it something that I think the larger emby community would want the devs to focus on. If you can't directly port forward, there are already workable solutions. You can use an overlay VPN like tailscale that supports NAT hole punching to connect back to your home network without having to forward any ports. Alternatively you can get a public VPS and establish a connection between it and your home network so that you can have emby exposed via a publicly accessible port. Cloudflare tunnels is also a potential third option, however I'm not 100% clear whether streaming media through it is against their TOS or not.

darkassassin07 652 Posted December 23, 2024

1 hour ago, scott46953 said: for internets that do not have any open ports and most everything is blocked, yeah torrent still find a way through and work without ports..

When you are unable to open a port for your torrent client, you are ONLY able to connect to other torrent users that have opened their own ports for you to connect to. Even then, you discover clients/users via third party trackers that tell you how to connect to each of the other seeds. A standard web server has no such discovery/tracking service.

Relating to Emby: either the client, or the server must have a port open for the other to connect to. It's not reasonable or even possible in most cases for the client to have a port open (a phone on mobile data as an example) nor would it be reasonable to have the server keep track of where/how to reach each client; so instead, the server must be the one to keep a port open and listening for clients to connect to it.

In cases where neither the client nor the server can open a port; a third party must get involved, being the one to open a port listening for both client and server connections. Cloudflare tunnels, tailscale, a VPS with a VPN tunnel to the server's LAN, etc. Both the server and the client must reach out to this third party together to get in contact with each other.

Plex, as an example, provides the middle-man service by having both the clients and the servers connect to their public infrastructure which has its own ports open, proxying connections through their own servers. While this makes things easy to use/setup; it provides Plex (the company) with complete access and control over every single plex installation. Emby has no such control/restrictions over YOUR server; at the cost of more setup work for you.

TLDR; ports are ALWAYS used. If you didn't open a port, and neither did the other end of the connection; there's a third party in between that did.

scott46953 30 Posted December 23, 2024

Private Internet Access website. This is compatible with routers that have a VPN menu. They provide your own private IP address with 10gb speeds and is media friendly with video from Emby (Unlimited Data). It also passes ports and seems to have affordable plans as low as $2 a month.

Believe this is the right option and easiest to do. I will test this out and report back

pwhodges 2012 Posted December 23, 2024

17 hours ago, scott46953 said: why isn't there a way to incorporate that, I'm not sure if the term is hole punching, it's been a long time since I got deep into it.. does it require communication with a computer in the middle in order to determine and make connection initially? But I believe once the connection is established, open ports are no longer required.

Look into Tailscale, which does that, and is free for personal use; some people here use it to get round cgNAT (which in effect disables port forwarding).

Paul

scott46953 30 Posted January 3, 2025

I got it to work using PIA with port forwarding...

The issue I am stuck with now is, with using noip com to use a hostname they have an option to port 80 redirect. This is useful so you can change the randomized port that PIA gives you every time it connects. But when I use the feature it works in a web browser, but in the app it gives me an error of weird info at the bottom of screen at login. It takes the host name, but rejects the user pass login, lol. So I use my.no-ip.org and set port in app to 80 after that...

If I can get this issue resolved, that VPN setup will be golden

scott46953 30 Posted January 6, 2025

Is it possible to maybe get this worked on? That way no IP can redirect not just the hostname, but also the port? I'm not sure if there's any other way to follow a changing port from a VPN without this feature working. Does anybody else know of a way to do this other than the way that I'm currently trying?

If anybody is interested I can post the instructions on what I did to get this to work up to this point. It's very easy, and it will work with mobile devices and mobile data.

Suliamu 36 Posted January 6, 2025 (edited)

I can recommend nebula by slack. https://github.com/slackhq/nebula

It is way more lightweight than most other VPN solutions and very flexible and easy to set up. You just need _one_ publicly accessible system somewhere on a cheap vserver that establishes all connections that are behind NAT and such. Then you also don't need to open ports in your home router.

Edited January 6, 2025 by Suliamu

scott46953 30 Posted January 6, 2025

9 hours ago, Suliamu said: I can recommend nebula by slack. https://github.com/slackhq/nebula It is way more lightweight than most other VPN solutions and very flexible and easy to setup. You just need _one_ publically accessible system somewhere on a cheap vserver that established all connections that are behind NAT and such. Then you also don't need to open ports in your homerouter.

Easy to use? But requires another internet that has ports?

Thanks for sharing. It is something to look into for some servers.

scott46953 30 Posted January 7, 2025

PIA (Private Internet Access) website, sign up, download the app you need for your device.

After installing, go to settings, enable Request Port Forwarding and I usually select WireGuard connection type and change timeout to max or 2 minutes.

Back to main window, you want to manually select the server for any that shows icon for port forwarding (usually all of the OUTSIDE of the USA servers). USA servers do not support port forwarding at this time.

Connect to the VPN server and check to see if internet is working and do a speedtest website of your choice. Find a server that has low ping, good speeds, and a port shows up under the IP address in the app. If it says error, then it does not have a port.

Once you get a port number and a good server, go to a Can You See Me website of your choice. I usually pick portchecker website because it lets you change the test IP. Enter the VPN IP if it is not already showing, and type in the port number showing on the VPN under the IP listed. If it says OPEN, then you're ready.

You can either change Emby http port to this port... or you can set up port forwarding on the VPN device to receive the VPN port, example 49887, and forward it to 8096 on your shared ethernet and out that to your server computer...

If you plug more than one internet source into the server you will need to manually set up the network settings in Emby.

When using the VPN you may need to add the local IP of the VPN server in the LAN networks setting in Emby. To find the local IP of the VPN on win11 type "View Network Connections" in the search box in task bar, then find the VPN Network and open it up and click details. Here you will find the local IP address and local DNS it uses. Then convert it to look like the example in the LAN network Emby setting.

Example, mine has the following: 10.5.134.0/24, 192.168.1.0/24, 10.0.0.0/24, 172.16.1.0/24, 10.5.128.0/24, 34.199.8.0/24

I changed the very last number of the local IPs to 0 and added a /24.

Now on a computer, mobile cell, or anything that is running an outside internet, check the Emby and see if it works using the VPN IP and port listed on the VPN app.

Now no-ip host name the VPN IP and all that is needed is an update to the no-ip host name IP whenever you change the servers.

No-ip has a host name port forward to forward port 80 to any port you choose, this does work on web browsers, but not on the Emby app. If this host name port forward worked then all you will ever need is your host name and a simple port 80 forever. myserver dot com port 80 and whatever IP and port number you enter in the no-ip settings will make the Emby server work for all without having to change every app you have.

Hoping to find a work around or maybe a future update to fix the host name port forward feature. For now the host name does work using the port showing on the VPN app.

I think I have everything listed, it may not be perfect, but it does work on any internet without open ports.

ExpressVPN also supports VPN port forwarding, but I have not tested it yet. But should be similar.

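An added example, not part of the original post and not Emby code: a check of a LAN-networks value like the one quoted above. It derives the /24 form the post describes and labels each entry, so a range outside private address space (which the setting would mark as local rather than remote, the distinction Clackdor describes earlier in the thread) stands out. The comma-separated CIDR format is taken from the post; the function names and the sample adapter address 10.5.134.7 are assumptions made for illustration.

```python
import ipaddress

# LAN-networks value as quoted in the post above.
POSTED_LAN_NETWORKS = (
    "10.5.134.0/24, 192.168.1.0/24, 10.0.0.0/24, "
    "172.16.1.0/24, 10.5.128.0/24, 34.199.8.0/24"
)

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # carrier-grade NAT shared space


def to_slash24(adapter_ip: str) -> str:
    """Apply the post's rule: last octet becomes 0 and /24 is appended."""
    return str(ipaddress.ip_interface(f"{adapter_ip}/24").network)


def classify(entry: str) -> str:
    """Label one entry: rfc1918, cgnat, public, non-global or invalid."""
    try:
        # strict=True rejects entries with host bits set, e.g. 10.5.134.7/24
        net = ipaddress.ip_network(entry, strict=True)
    except ValueError as exc:
        return f"invalid: {exc}"
    if net.version == 4:
        if any(net.subnet_of(block) for block in RFC1918):
            return "rfc1918"
        if net.subnet_of(CGNAT):
            return "cgnat"
    return "public" if net.is_global else "non-global"


def audit_lan_networks(setting: str) -> list[tuple[str, str]]:
    """Classify every comma-separated entry of a LAN-networks value."""
    entries = [e.strip() for e in setting.split(",") if e.strip()]
    return [(e, classify(e)) for e in entries]


def public_entries(setting: str) -> list[str]:
    """Entries that would mark internet-routable addresses as local."""
    return [e for e, verdict in audit_lan_networks(setting) if verdict == "public"]


if __name__ == "__main__":
    # 10.5.134.7 is a constructed adapter address, not a value from the thread.
    print(to_slash24("10.5.134.7"))
    for entry, verdict in audit_lan_networks(POSTED_LAN_NETWORKS):
        print(f"{entry:18} {verdict}")
```

Only the VPN adapter's own subnet needs to appear in the list for the setup described; any entry reported as `public` is worth checking against where it came from before it is kept.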
pwhodges 2012 Posted January 7, 2025

5 hours ago, scott46953 said: it does work on any internet without open ports.

You've got open ports - they're just somewhere else ("outsourced", if you like).

Paul

Suliamu 36 Posted January 8, 2025 (edited)

On 1/6/2025 at 2:25 PM, scott46953 said: easy to use? but requires another internet that has ports?

Yes. Very easy to use. You set up the configs and certificates at your computer and then just install nebula through package manager or binary in all your machines you want to connect, copy and paste the config and certs into it, and your "virtual network" works. And it is secured through industry-standard encryption.

The problem with those methods laid out above by others is that when you make port forwarding, either in your router or through your VPN provider, you expose this port to the outside world. And this is necessary if you want those emby apps to work "on the go" by this principle. And I can guarantee you that there are people searching automatically for vulnerable services, especially in those IP ranges of VPN providers. And even more so because Emby (and other media servers) are often deployed together with GPU capabilities, a tidbit for every script-kiddie out there in the world.

But yes, in order for nebula to work behind NAT and firewalls you need this one machine, a vserver somewhere, that is reachable to serve as a "lighthouse". It can be the cheapest option of vserver - on "lowendbox" you can get those 1CPU vservers even for free sometimes.

And yes, there are other similar solutions, with wireguard and such - it was also mentioned here somewhere in this thread, but contrary to those nebula has an extremely low footprint and way simpler configuration (but seen from the other side also way less features, but those are not relevant here).

Edited January 8, 2025 by Suliamu

scott46953 30 Posted January 8, 2025

The idea is to just install the emby app on devices, enter the host name from no-ip with the port 80 and be done. I do not want to drive to people's house and install an external app, then if it breaks in the future I have to return..