cptbrainia 3 Posted June 25, 2024 Posted June 25, 2024 I'm trying to connect to my Emby server via VPN, but when I try to login, I get the following message: "You've not been granted remote access to this server. Please ask your server administrator to grant you the appropriate access." It would be more helpful to state what that "appropriate access" consists of, but nevertheless, here we are. After google searching, it looks like I need to have "allow remote connections to this emby server" enabled. I logged in to check and it's already enabled. I'm 100% positive this was unchecked previously so I'm not sure how it got checked, but it is now, so I'm not sure why my login is being rejected. Can I have some help with this problem and also what exactly "allow remote connections to this emby server" does? I find it weird that connecting via.a local IP address on the local lan is identified as a remote connection. Regardless, I couldn't find what this option technically does. I generally love emby, but I'm having nothing but problems with it on this trip.
sa2000 674 Posted June 26, 2024 Posted June 26, 2024 14 hours ago, cptbrainia said: I find it weird that connecting via.a local IP address on the local lan is identified as a remote connection If the source IP address is changing in the requests getting to the server, then the requests may appear to be coming from outside the local network. I just tried it with remote connections the embyserver unticked in server network settings and it worked for me when having ExpressVPN running. I tried with ExpressVPN connected on the Emby Client machine and also tried it with it connected on the Emby server PC - for me the requests from Emby Web continued to work and access the server ok. Where is the vpn running ? on the server machine or client ? and what is the client device / OS? You could get the network details when running the vpn - eg if on windows, get the ipconfig info and also enable debug logging on the emby server and when the problem arises with the error message - then copy out the logs and zip and send me by Private Message through the forum - they would be unredacted logs so I can see the IP addresses For location of logs see https://emby.media/support/articles/Server-Data-Folder.html and For this I would need the raw log file (embyserver.txt) with debug logging enabled.
cptbrainia 3 Posted June 26, 2024 Author Posted June 26, 2024 My internet connection is pretty bad here, but I think I got this working. I'm not sure what your ExpressVPN testing accomplished; aren't you still accessing Emby via port forward? An ExpressVPN connection won't put you on your local lan; just a different IP address somewhere else on the internet. The VPN is running on the firewall and I'm connecting via a MAC with a wireguard client. It puts me onto my home network (albeit on a different subnet). I've never wanted nor allowed remote connections to my emby server so I'm not familiar with the options. I thought it was one single checkbox in the network settings, but it looks like you need to have that checked (it was), plus, you need to have the same box checked under the user account. So, once I had both check boxes checked, everything worked as it should. What I'm curious about is what "enable remote connections" actually does. I don't want anyone to be able to connect to my server unless they're on my lan. I won't be opening any ports but don't want anyone to use EmbyConnect either. Is there a page/URL you can direct me to on how to secure Emby while allowing VPN access (from the LAN)?
sa2000 674 Posted June 26, 2024 Posted June 26, 2024 (edited) 3 hours ago, cptbrainia said: I'm not sure what your ExpressVPN testing accomplished; aren't you still accessing Emby via port forward My use of the vpn was just on the windows machines and not the router. Yes it did change the public IP address and it did add a new local IP address but the existing local IP address was still there - so my tests were not relevant to your setup. 3 hours ago, cptbrainia said: I've never wanted nor allowed remote connections to my emby server so I'm not familiar with the options. I thought it was one single checkbox in the network settings, but it looks like you need to have that checked (it was), plus, you need to have the same box checked under the user account The extra setting at the user level gives more control to the server admin 3 hours ago, cptbrainia said: What I'm curious about is what "enable remote connections" actually does. I don't want anyone to be able to connect to my server unless they're on my lan. I won't be opening any ports but don't want anyone to use EmbyConnect either The "Allow remote connections to this Emby Server" Network Emby Server setting would allow or disallow requests coming in from what it deems as not within the local network subnet IP addresses. And you have a general server wide setting as well as more granularity at the user level. And if you also have "Enable automatic port mapping" selected on the server network setting, then it will attempt to use uPnP on the router to open a public port for remote access. So in your case, you need the "Allow remote connections" option but you do not want the automatic port mapping, And if you do not add a NAT manual port forward in the router then there should no connections to your Emby Server from the WAN/Internet. You can test that yourself and trying the displayed url on the server settings Dashboard page - It will say "Remote (WAN) access: <url>" You can confirm the server is not accessible from the outside by trying this url in a browser. Updated to add: There is more settings to give more control on detection of remote/local IP addresses - with network setting "Read proxy headers to determine client IP addresses" - when set to Yes, the Emby Server would also check these headers for the IP address the request may have originated from. 3 hours ago, cptbrainia said: Is there a page/URL you can direct me to on how to secure Emby while allowing VPN access (from the LAN)? vpn is a niche area and it affects remote access and port forwarding would no longer work. I am sure some users manage to get it to work but it is a complex area/ I will see if we can cover your use case in the documentation. At the moment for remote access we have this sentence "If you have a VPN running on the host computer TURN THIS OFF as that may interfere with your Emby Server routing." in this support article https://emby.media/support/articles/Remote-Setup.html But for your use case, you would not be looking at remote access article - so adding to this sentence may not help. I will follow it up Edited June 26, 2024 by sa2000 add mention of request headers for forwarded / origin/source IP
pwhodges 2012 Posted June 26, 2024 Posted June 26, 2024 5 hours ago, cptbrainia said: I won't be opening any ports but don't want anyone to use EmbyConnect either. Note that Emby Connect is not a way to get around access or accessibility restrictions (unlike Plex, Emby don't pass your data through their servers). Paul
cptbrainia 3 Posted June 27, 2024 Author Posted June 27, 2024 I appreciate the responses; thank you. I don't think my use case is *that* rare. From googling, there seems to be a number of users that leverage VPNs to gain access to their LAN when offsite so that they don't need to open ports on the firewall. That's the boat I'm in. I'll need to look into Emby Connect more. I don't use it at all so I don't know what it does or how to enable it (and therefore how to ensure it stays disabled). I'll also look more into the proxy headers sections. I suspect that this is what's causing the need to enable remote connections. Is there a document or forum thread on locking down/securing Emby? Not just a description of each setting individually, but a document focused on hardening Emby? Thanks again for the help.
sa2000 674 Posted July 1, 2024 Posted July 1, 2024 @cptbrainia I have updated the support documentation to cover your use case. Added a paragraph on these pages - same article https://emby.media/support/articles/Advanced-Menu.html and https://emby.media/support/articles/Connectivity.html
cptbrainia 3 Posted July 3, 2024 Author Posted July 3, 2024 Hi and thanks for the responses. Sorry for the delay; I'm on the road with limited internet access. I read through the documentation and I think some of the verbiage is confusing. I have my stuff working so I don't really need this clarified for me, but in case it helps you... https://emby.media/support/articles/Connectivity.html Quote From here, we suggest using the Emby Connect feature as it takes the guesswork out of external connectivity. You only need to read below if you're not using Emby Connect, or you're having trouble connecting. The steps following this quote are how to setup to setup remote access connectivity via Port Forwarding. Based on that and the above quote, it seems like Emby Connect is used to avoid Port Forwarding, but based on what I read here, it seems like it's more of a type of SSO for users that access more than one Emby server (and/or have an Emby forum account): Quote Emby Connect is a free optional service that allows a person to use one set of username/password credentials when accessing Emby's Forums and Community as well as any Emby Server's setup for you to login using Emby Connect. The user no longer needs to remember the URL or IP/port of each Emby Server, not do they have to remember different login names and passwords as set on the different Emby Servers. But at the bottom of the same page, it says this: Quote The sole purpose of the Emby Connect feature is to help your devices locate your Emby Server so that you don't have to set it up yourself. If I'm understanding Emby Connect properly, it doesn't help with locating (i.e., discovering) Emby servers, but more remembering past connections. Is that right? It also seems that if I don't setup port forwarding, Emby Connect won't work at all. Is that also right? The paragraph added to this about a VPN connection to your own router seems straight forward enough. One last thing... Both URLs link to this page: https://github.com/EmbySupport/Emby.Docs/blob/master/Remote-Setup.md This page walks through how to enable remote connections to the emby server, but doesn't mention that it needs to be performed for each user that needs remote access as well. Finally, I would add somewhere in the troubleshooting that if you are able to get to the login page, but are getting an "invalid password" error, to check and ensure remote access is enabled for the specific user you're trying to login as. Hopefully this feedback helps a bit. 1
Luke 42077 Posted July 4, 2024 Posted July 4, 2024 Hi, yes it does! @sa2000will review this for possible improvements we can make. Thanks !
sa2000 674 Posted July 9, 2024 Posted July 9, 2024 @cptbrainia Thank you for your continued feedback. I have reviewed the Connectivity and Remote-Setup support documents and made some changes. Please have a look at the updated documents. Thanks
Q-Droid 989 Posted July 9, 2024 Posted July 9, 2024 I suspect this would've worked if the OP had added the local VPN (wireguard) subnet to the LAN subnet in the Emby network settings? Nothing else needed unless this was tried and I missed it. 1 2
sa2000 674 Posted July 10, 2024 Posted July 10, 2024 (edited) 19 hours ago, Q-Droid said: I suspect this would've worked if the OP had added the local VPN (wireguard) subnet to the LAN subnet in the Emby network settings? Nothing else needed unless this was tried and I missed i Thanks. Yes that would be an easier option. I don't think it was tried and @cptbrainiafound that enabling Remote Connections made it work. I see that we just mention Bandwidth Restrictions for this "LAN networks" setting. That would need tweaking. @cptbrainiaCould you try this as alternative to having Remote Connections enabled - especially since you indicated you did not want remote access. So find the IP address subnet used by the VPN locally and add that subnet to the LAN networks server setting. This is the screen in Server Settings Edited July 10, 2024 by sa2000
Neminem 1518 Posted July 10, 2024 Posted July 10, 2024 Just remember to also add you Lan network range in there too. Other wise you might not be able to login with your lan connection. Here is my lan network config. Wireguard Lan 10.253.0.0/24 192.168.1.0/24 10.253.0.0/24, 192.168.1.0/24 1 1
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now