Is this correct or backwards?

[clinktone670 0]

Do I have the correct numbers for internal and external on my router, or do I have them backwards?

[Happy2Play 9780]

You need a rule for both internal and external same port, you don't mix them.  And all you need it TCP.

external 8096 internal 8096 

[GrimReaper 4740]

6 minutes ago, clinktone670 said:

Do I have the correct numbers for internal and external on my router, or do I have them backwards?

Is actually neither, you have them wrong, as those are default ports for http (8096) and https (8920), you wouldn't want port forwarding set like that. 

Edited March 19, 2023 by GrimReaper
Cross-posted

[clinktone670 0]

Then there should only be one port forwarding rule on my router, external 8096 and internal 8920?

And this is what my Emby page looks like. Correct? REALLY appreciate the help!

[GrimReaper 4740]

3 minutes ago, clinktone670 said:

Then there should only be one port forwarding rule on my router, external 8096 and internal 8920?

No. 

12 minutes ago, Happy2Play said:

external 8096 internal 8096

If no SSL setup. 

[Happy2Play 9780]

The are two separate functions as mentioned.  If you are not supplying your own certificate then you only need to worry about http (8096).

[clinktone670 0]

So, you're saying I don't need the 8920 entry? Just an FYI, I am using a VPN without split tunneling.  Those two ports are open in the VPN settings.

[GrimReaper 4740]

5 minutes ago, clinktone670 said:

Just an FYI, I am using a VPN without split tunneling.  Those two ports are open in the VPN settings.

How are your clients connecting, trough your VPN or your WAN IP? 

[clinktone670 0]

I'd like them to go thru the dedicated IP on the VPN so they are secure when doing so.

[Happy2Play 9780]

Per the image is about what you are providing.  If you have a ssl certificate then you would need 8920 or how ever you configured it.

But if your VPN has port forwarding also then Emby would report your VPN address to clients.  If your VPN service does not have port forwarding Emby connections will fail and require you to give your WAN to the Client manually.

[clinktone670 0]

PureVPN does have port forwarding and it is allowing both 8096 and 8920 per my instructions. If I don't need 8920 in the router, VPN, and Emby, I will remove all mention of them.

[GrimReaper 4740]

3 minutes ago, clinktone670 said:

I'd like them to go thru the dedicated IP on the VPN so they are secure when doing so.

Going through your VPN will not secure them in any way, you need to set-up SSL connection for that. If all traffic would go through VPN (regardless http or https), you don't need port forwarding in your router as no open ports are needed in that scenario. 

[clinktone670 0]

I wanted them to connect to my Emby server thru my VPN, remotely, and not be able to be traced. No can do without an SSL?

[GrimReaper 4740]

15 minutes ago, clinktone670 said:

so they are secure

 

3 minutes ago, clinktone670 said:

not be able to be traced

Secure and anonymous are two different things. If you want them to be secure, that is achievable only through SSL connection. If you want them to be anonymous, there are several ways to achieve that, VPN being the most common. 

[clinktone670 0]

Ah, sorry for the wording there.  I need anonymous. Can't seem to get these settings right on the router, Emby and VPN. 

[GrimReaper 4740]

OK then, prerequisites to make them anonymous:

Server-side (you):

- Emby server listening on port 8096

- VPN tunnel with port forwarding (8096 forwarded) 

- Router - NO open ports required

Client-side (them):

- Emby client app

- VPN (any) 

If they are not connecting through any VPN on their side, their IP will not be masked, and traffic from their WAN IP and your VPN can be traced. 

[clinktone670 0]

So, it seems a moot point to make them anonymous unless they also use a VPN.  Thanks for all the responses!

[Happy2Play 9780]

Well Emby server will report your displayed WAN address on the Dashboard.  So with your VPN on it should show your VPN address and that is what the client will try to use. 

[clinktone670 0]

So they can be traced, but eventually the path will lead to my VPN address, and that's where the REAL tracing ends, eh?

[GrimReaper 4740]

Correct. 

[clinktone670 0]

You all have been great.Will see if I can get this to work now! Thanks again .

[Luke 42078]

Let us know how you get on. Thanks.

[clinktone670 0]

A three part photo, the first showing my Google Fiber box setting for ports, the 2nd showing my PureVPN settings, and the third showing the Emby Network page. This allows me to access Emby on both my own network here at home and when logged in remotely off of the home network. A friend also states that he can access Emby using the VPN IP address. The question now is......why would the old, non-VPN, WAN Remote Address still work???

[GrimReaper 4740]

5 minutes ago, clinktone670 said:

The question now is......why would the old, non-VPN, WAN Remote Address still work???

No. The question is why wouldn't it work? You still have ports in your router forwarded, despite twice mentioned:

3 hours ago, GrimReaper said:

If all traffic would go through VPN (regardless http or https), you don't need port forwarding in your router as no open ports are needed in that scenario.

 

3 hours ago, GrimReaper said:

Server-side (you):

- Router - NO open ports required

 

Edited March 19, 2023 by GrimReaper

[clinktone670 0]

I did try that, but to no avial. The remote access would not work. Is my current setup a security risk and are the remote users "anonymous"?