ScottyT 9 Posted March 22, 2024 Posted March 22, 2024 (edited) Hello everyone, I propose integrating a Tailscale-like functionality directly into Emby clients and servers to facilitate remote connections without the necessity of a non CGNAT connection or opening up home firewalls and the security concerns that entails. While starting a Tailscale client is relatively straightforward for most tech-savvy individuals, it becomes less intuitive on devices like TVs (where it can't be autorun), often causing confusion among users. To circumvent this, I typically set up a NanoPI as a proxy for remote users, directing their Emby client to it. However, if the open sourced Tailscale client were integrated into Emby, clients could transparently connect from any location with an internet connection. I understand that this integration would require significant effort, but I believe it would be a highly utilized and defining Premiere feature, attracting users from other Emby alternatives. Running the Emby server itself with the linuxserver.io docker mod is already straightforward, and the server can be easily referred to by a simple name rather than by an IP address or a lengthy FQDN. https://tailscale.dev/blog/docker-mod-tailscale Anyway, food for thought. Keep up the good work. Edited March 22, 2024 by ScottyT url 1 1 1 3
Luke 42077 Posted March 22, 2024 Posted March 22, 2024 Hi, the problem is this can’t be integrated into the web app, Roku, smart TV apps. It’s really only possible on Android, windows, and maybe Apple. So given that, that would lead to an inconsistent experience. It’s better in my opinion to pursue improvements that can be used universally.
ScottyT 9 Posted March 22, 2024 Author Posted March 22, 2024 Hi, Yeah that's understood but a shame nonetheless. I do see most devices can run WebAssembly so that may always be an option? 1 1
rcsnoopdog 11 Posted October 4, 2024 Posted October 4, 2024 On 22/03/2024 at 19:52, ScottyT said: Hello everyone, I propose integrating a Tailscale-like functionality directly into Emby clients and servers to facilitate remote connections without the necessity of a non CGNAT connection or opening up home firewalls and the security concerns that entails. While starting a Tailscale client is relatively straightforward for most tech-savvy individuals, it becomes less intuitive on devices like TVs (where it can't be autorun), often causing confusion among users. To circumvent this, I typically set up a NanoPI as a proxy for remote users, directing their Emby client to it. However, if the open sourced Tailscale client were integrated into Emby, clients could transparently connect from any location with an internet connection. I understand that this integration would require significant effort, but I believe it would be a highly utilized and defining Premiere feature, attracting users from other Emby alternatives. Running the Emby server itself with the linuxserver.io docker mod is already straightforward, and the server can be easily referred to by a simple name rather than by an IP address or a lengthy FQDN. https://tailscale.dev/blog/docker-mod-tailscale Anyway, food for thought. Keep up the good work. Hello Rich here I have been looking to use Tailscale but i am a bit stupid when it comes to network issues, I need TAILSCALE to bypass cgNAT for remote access, would a free account on here work for me, i have windows pc connected direct to router & want to give remote access to fiends & family, i have about 5 different households i want to give remote access to with probably 4 or 5 tv's in each & maybe loads of phones & tablets, will i be able to do that with a free account, also what is NanoPi because when i googled it i got the impression it was a piece of equipment i would have to pay money for?
Neminem 1515 Posted October 4, 2024 Posted October 4, 2024 Hard reality check... Self hosting vs pay 5$ for a static ip. 1) Self hosting Do you know what you doing ? Do you need a NanoPi or do you have a work around ? Do you want to educate your self ? Do you know where to go when it breaks ? 2) pay 5$ for a static ip. You have someone to blame. You can call them if its not working. but then again you should weigh it. pros vs con. paid vs self ( someone to call ) Free almost vs paid. Its on you.
rcsnoopdog 11 Posted October 4, 2024 Posted October 4, 2024 I'm convinced static ip here i come, thanks Neminem
olympus1 46 Posted February 23, 2025 Posted February 23, 2025 (edited) After using all kind of ways for remote access the only thing I feel comfortable with is by using tailscale. Opening ports when more and more ISPs block CGNAT, static IPs etc, and the most important of all... exposing my NAS to the internet is a big no for me for various reasons. Using slow relays etc is also a no for me also for various reasons. Nothing compares to the "easy to setup and always working", security, privacy and speed of a virtual private network. It would be amazing if Emby someday would have some kind of tailscale integration. So user would just add his tailscale account directly to the Emby app and won't have to install the tailscale app and to make sure it is open. Edited February 23, 2025 by olympus1 2
nodiaque 62 Posted July 30, 2025 Posted July 30, 2025 I know this post is old, but I'm currently looking into this myself. Depending on your configuration, there's many thing you can do. Let's say you have a server running emby as a docker. You can have that server run tailscale with exit-node. With the exit-node feature, your traffic will go out from the server itself. By enabling allow-local-lan in the config, you will be able to access emby docker. Another way would be to use the subnet routing, but this can lead to problem on other network using the same subnet. One way I'm currently trying, using unraid docker, is to enable tailscale in the container. Unraid normally do everything and all I have to do is click the link in the beginning of the log file to enable the container in my device list. But with the official emby docker, it seems unraid is unable to install tailscale on it because I never see the option to authorize the container nor even the installation itself. This would be the easiest way and normally, nothing is required, it's installed by unraid. Unsure why it's not working here 1
nodiaque 62 Posted August 2, 2025 Posted August 2, 2025 Doesn't need to be premium at all. Tailscale is free. Right now, the only reason why it doesn't work with the unraid plugin is because it seems to ignore the entrypoint parameter. Else, it would work.
TariqK 6 Posted August 3, 2025 Posted August 3, 2025 18 hours ago, nodiaque said: Doesn't need to be premium at all. Tailscale is free. Right now, the only reason why it doesn't work with the unraid plugin is because it seems to ignore the entrypoint parameter. Else, it would work. Having it bundled and integrated with Emby ready for use out of the box can easily be justified a a premium feature.
nodiaque 62 Posted August 3, 2025 Posted August 3, 2025 I don't think you get how tailscale work and licensing. It's not something you bundle with. It's just a package you install and authorize. By the licensing of tailscale, you cannot make it a paid feature.
sh0rty 714 Posted August 3, 2025 Posted August 3, 2025 (edited) What's with Netbird, Netmaker, Twingate, Zerotier users? I think it's a very bad idea to commit to only this one proposal. If you want it dummy-user bulletproof, there is no way around a good Reverse Proxy solution in front of Emby. And yes, the server maintainer has to tinker more so that the users need to tinker less. If I had one wish, I would beg @Lukeand the dev team to implement a setting in client apps like in Immich to set up custom proxy headers. Pangolin Reverse Proxy is used in this example: You would set up the custom proxy header "P-Access-Token=xxx" and "P-Access-Token-Id=yyy" inside the Emby app and it can connect successfully to your Emby behind Pangolin Reverse Proxy with all the bells and whistles like 2FA, Passkeys etc since the Request Headers tell Pangolin: "Hey Pango, I'm a trusted app via your setup Headers for the resource requested but not able to use your Pangolin Login Prompt like a Browser". Currently you need to open a ton of paths like /emby/web/* or /emby/Items/* to be able to use an Emby app from the outside of LAN world via Reverse Proxy with an authentication layer in front of Emby. Source: https://github.com/orgs/fosrl/discussions/455#discussioncomment-13446830 Edited August 3, 2025 by sh0rty 1 1
olympus1 46 Posted February 8 Posted February 8 (edited) On 8/3/2025 at 10:08 PM, sh0rty said: What's with Netbird, Netmaker, Twingate, Zerotier users? I think it's a very bad idea to commit to only this one proposal. If you want it dummy-user bulletproof, there is no way around a good Reverse Proxy solution in front of Emby. And yes, the server maintainer has to tinker more so that the users need to tinker less. If I had one wish, I would beg @Lukeand the dev team to implement a setting in client apps like in Immich to set up custom proxy headers. Pangolin Reverse Proxy is used in this example: You would set up the custom proxy header "P-Access-Token=xxx" and "P-Access-Token-Id=yyy" inside the Emby app and it can connect successfully to your Emby behind Pangolin Reverse Proxy with all the bells and whistles like 2FA, Passkeys etc since the Request Headers tell Pangolin: "Hey Pango, I'm a trusted app via your setup Headers for the resource requested but not able to use your Pangolin Login Prompt like a Browser". Currently you need to open a ton of paths like /emby/web/* or /emby/Items/* to be able to use an Emby app from the outside of LAN world via Reverse Proxy with an authentication layer in front of Emby. Source: https://github.com/orgs/fosrl/discussions/455#discussioncomment-13446830 What about them? If Netbird, Netmaker, Twingate, Zerotier doesn't support WebAssembly Emby can't add "built-in" support for them. If they add support for it, Emby could support them too. The whole point of using Tailscale, ZeroTier etc is exactly that, for NOT using reverse proxy and for NOT exposing your NAS to the internet. We Tailscale, Netbird, Netmaker, Twingate, Zerotier users do NOT want to use a reverse proxy, we use Tailscale exactly for that, for NOT exposing our NAS to the internet. Edited February 8 by olympus1
sh0rty 714 Posted February 10 Posted February 10 (edited) On 2/8/2026 at 4:43 PM, olympus1 said: What about them? If Netbird, Netmaker, Twingate, Zerotier doesn't support WebAssembly Emby can't add "built-in" support for them. If they add support for it, Emby could support them too. The whole point of using Tailscale, ZeroTier etc is exactly that, for NOT using reverse proxy and for NOT exposing your NAS to the internet. We Tailscale, Netbird, Netmaker, Twingate, Zerotier users do NOT want to use a reverse proxy, we use Tailscale exactly for that, for NOT exposing our NAS to the internet. BTW, I also use ZTNA for my admin user when I'm outside so I'm not against it. And exposing a NAS to the internet is always as bad idea, for this you use a bastion host with RP. And I just said that relying on Tailscale solely is not a good idea imo. Chill bro, no need to write capitalized. The request from first post will not happen anyways, so no further discussion needed Edited February 10 by sh0rty
olympus1 46 Posted February 13 Posted February 13 (edited) On 2/10/2026 at 11:11 PM, sh0rty said: BTW, I also use ZTNA for my admin user when I'm outside so I'm not against it. And exposing a NAS to the internet is always as bad idea, for this you use a bastion host with RP. And I just said that relying on Tailscale solely is not a good idea imo. Chill bro, no need to write capitalized. The request from first post will not happen anyways, so no further discussion needed I am very chill sir, a single capitalized word with 3 letters made you nervous? You wrote NAS capitalized, are you chill? It doesn't matter if Emby is going to add support for it, or not. If Emby devs decide they are not interested, that's totally fine. Btw, Emby devs are going to decide, not you, you personally have no idea if they ever going to support it or not. Luke's latest reply about it is that it something that can't be ruled out. Not likely, but not rejected. And there is no reason hijacking this feature request thread with your wishlist. Create a new thread and request there what you want (a setting in client apps to set up custom proxy headers). Edited February 13 by olympus1 2
sh0rty 714 Posted Friday at 09:28 PM Posted Friday at 09:28 PM (edited) 9 hours ago, olympus1 said: Btw, Emby devs are going to decide, not you, you personally have no idea if they ever going to support it or not. This is absolutely right. 9 hours ago, olympus1 said: And there is no reason hijacking this feature request thread with your wishlist. Can you elaborate me where I can find the forum rule pointing out that it's forbidden to give personal negative feedback to a FR? 9 hours ago, olympus1 said: Create a new thread and request there what you want (a setting in client apps to set up custom proxy headers). I already did some time ago. But thanks for pointing out. Edited Friday at 10:05 PM by sh0rty
olympus1 46 Posted Sunday at 01:38 AM Posted Sunday at 01:38 AM On 2/13/2026 at 11:28 PM, sh0rty said: This is absolutely right. Can you elaborate me where I can find the forum rule pointing out that it's forbidden to give personal negative feedback to a FR? I already did some time ago. But thanks for pointing out. Nobody said it is forbidden. I said there is no reason to. There is no reason to hijack other threads to spam your feature request because the feature request you did hasn't been implemented yet.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now