Failure to connect to Emby Server from outside LAN

[thildebrand 0]

ERROR MESSAGE WHEN CONNECTING VIA EMBY CONNECT

Takes about 8 seconds to get into Emby Connect and see servers.licking on the Emby Server name, cursor goes roundyroundy for 16 seconds then times out with message: Unable to reach L1. We're unable to connect to the selected server right now. Please ensure it is running and try again.

ERROR MESSAGE WHEN CONNECTING VIA MANUAL CONNECTION

Trying via Edge browser (and DuckDuckGo and Brave) to address http://###.###.###.###:8096 (WAN IP addresses from Emby Dashboard). Progress bar below address gets about halfway across screen, then after about a minute or two: Webpage not available. The webpage at http://###.###.###.###:8096/ could not be loaded because: net::ERR_CONNECTION_TIMED_OUT

NOTE: Got no error messages when connecting within the LAN. All media played correctly.

 

BACKGROUND

All 3 windows firewall port rules are listed, as are the Emby Server program rules for UDP & TCP port types.

Router settings: Both 8096 TCP and 8920 UDP ports are forwarded through the router firewall and mapped to the internal 192.168.1.### IP address of the Emby Server host computer. (Tried initially on Asus R68 router, but when that failed to connect replaced with newly purchased TP-Link AX1800 router.)

In Emby Server Network settings, the default 8096 & 8920 are the local http & https ports. Allow remote connections to this Emby Server is selected. The default 8096 & 8920 are the public http & https ports. No external domain. Enable port mapping is selected. (Not using secure https yet)

In Emby Server Users settings, there are four users, each with their (Optional) Emby Connect email address specified and Allow remote connections to this Emby Server selected.

Tried Emby Server on one PC, then when failed to be connected to, shut down that server and installed Emby on a different PC which failed to be connected to also. In each case, made sure the device IP address for port forwarding in the router matched the correct PC on the LAN that was running Emby Server.

In both cases, a PC and an Android phone could connect to the Emby Server while within the same LAN as the Emby Server PC.CONFIGURATION

The op system is Windows 11 Home (current updates) running on new AMD Ryzen 5 7640HS w/Radion 760M graphics, 16GB RAM, 1TB SSD boot drive mini-PC dedicated to Emby Server. Media is in external USB enclosures. Emby software is up to date.

I'm happy to submit screenshots or other configuration information. Followed the Emby Forum settings to the best of my ability. Must be missing something... probably a simple thing but I'm just too slow / dumb to know what it is 

[Abobader 3464]

Hello thildebrand,

** This is an auto reply **

Please wait for someone from staff support or our members to reply to you.

It's recommended to provide more info, as it explain in this thread:

Thank you.

Emby Team

[pwhodges 2012]

Have you checked whether your ISP uses cgNAT (which blocks inward connections)?

Paul

[Happy2Play 9780]

Are you attempting to connect from within your LAN?  As this will fail most of the time do to hairpin nat on consumer routers.

Does a site like canyouseeme.org show your correct WAN address and Emby ports open?

 

Connecting from Client Apps | Emby Documentation

[thildebrand 0]

No incoming ports work according to canyouseeme.org. Therefore my ISP (Spectrum) must be using cgnat. So I'm hosed ?

Are there any next steps?

Should I try tunnelmole (https://softwareengineeringstandard.com/2025/07/12/cgnat-port-forwarding/)

Is there something that might work with AirVPN my current VPN provider? (Dealing with Emby Connect and my VPN simultaneously was down the road after I got the basic WAN connection working without the VPN running.)

And that still doesn't address https being the preferred method for security vs. http.

Again, trying proof-of-concept first, taking baby steps...

[G_i_z_m_o 0]

This will work, go to nordvpn download the vpn server and sign up and use the meshnet  Oh Bye the way it's completely free & you can connect anywhere in the world to your home server. Just put your host as http://youremail-yourvpn.nord into your client and it loads instant. Forget about emby connect 

[G_i_z_m_o 0]

Also just to clarify you don't need to run the vpn this is why it's free you don't have to pay for the vpn part of nord you can use the meshnet only which is all free so you pay nothing. Emby connect sometimes once in a while it might connect but usually never connects so this is a good work around until they sort out the emby connect issues. Emby is coming along though slowly but it sure beats the heck out of Plex Malware Server which is all malware spyware  avoid plex at all costs.

[pwhodges 2012]

Similar to NordVPN's meshnet is Tailscale - also free, and has been around a bit longer.

Paul

[thildebrand 0]

Can meshnet run on top of AirVPN, or would I have to switch to NordVPN (which is not a deal breaker) to simultaneously run a VPN while running meshnet?

[Luke 42077]

@Xuanlang  @Xuanlang1  @PeterMacalister  may have some AirVPN tips.

[thildebrand 0]

Have loaded NordVPN/Meshnet on both my Emby Server PC and a relatives PC. They are each logged into meshnet, and each have their own meshnet devices. Have linked them via meshnet invitation. Each computer, from the meshnet window, shows their own meshnet nord device under Personal Devices and the other computer's meshnet nord device under External Devices. Within meshnet on each computer all four boxes regarding types of access (file sharing, network routing, etc) are checked.

On relative's PC, with meshnet running, tried connecting via Edge to my http://myemail-everest.nord and cannot connect. Tried again with http://myemail-everest.nord:8096 and cannot connect. Tried via EDGE to go to my Emby Server PC WAN address with and without :8096 suffix, and cannot connect. Meshnet also showed an ip address associated with each of the email-everest.nord devices. I tried browsing to the IP address of my Emby Server's PC meshnet device from my relative's PC with and without a :8096 suffix and could not connect, although when trying with the :8096 suffix it was still going roundyroundy after 5 minutes without timing out. Don't know what's happening there.

On relative's PC, do I need to add inbound rules for ports and Embyserver program as well? On relative's router do I need to forward ports 8096/8920? On relative's PC do I need to load Emby Server?

Is there a "setting up meshnet for use accessing an Emby Server" guide somewhere?

[thildebrand 0]

Based on yesterday's announcement from NordVPN that they are withdrawing Meshnet as of December of this year, further effort exploring and testing a Meshnet cgnat bypass method will be a waste of time.

Now onto Cloudflare or Tailscale I guess.

Just realizing that my ISP (Spectrum cable) limiting my upload speed to 1.7-2.0Mbps (regardless of the no-fine-print 10Mbps upload listing on their website) means that even if I got this Emby access to work - the throughput would be terrible for the remote user.

Well, maybe in a year or so when bi-directional high bandwidth fiber is a thing in my neighborhood (for faster sustained upload speeds), and hopefully when local fiber suppliers (AT&T, et al) are embracing IPV6 and not employing CGNAT this remote Emby access will be achievable.

Thank you to all for the help to date!

[Luke 42077]

11 hours ago, thildebrand said:

Based on yesterday's announcement from NordVPN that they are withdrawing Meshnet as of December of this year, further effort exploring and testing a Meshnet cgnat bypass method will be a waste of time.

Now onto Cloudflare or Tailscale I guess.

Just realizing that my ISP (Spectrum cable) limiting my upload speed to 1.7-2.0Mbps (regardless of the no-fine-print 10Mbps upload listing on their website) means that even if I got this Emby access to work - the throughput would be terrible for the remote user.

Well, maybe in a year or so when bi-directional high bandwidth fiber is a thing in my neighborhood (for faster sustained upload speeds), and hopefully when local fiber suppliers (AT&T, et al) are embracing IPV6 and not employing CGNAT this remote Emby access will be achievable.

Thank you to all for the help to date!

Please let us know how things go. Thanks.

[Santiag0 10]

So now what do we do ? after seeing this on my nordvpn I cancel the auto 2 year renewal this month so I am glad at least we had a heads up or I would have been stuck with nord for 2 more years. I tried tailscale and I don't like it for the reason the speed is so slow it barely will open my emby and it will not play a movie for more than 5 seconds. Next I tried netbird and I couldn't get it to work so I am thinking will protonvpn port forwarding let me use emby outside of network without opening ports on my modem ?

My family uses emby every day for 3 years hopefully I can figure out something we need emby it's the best media software there is the other ones I tried them and no one in my family likes them including myself. 

I will keep looking how to connect without opening ports on my modem if I find something I will report back here. If someone knows a way please share guys thank you so much.

[pwhodges 2012]

It's hard to comment without you giving any background.

Are you behind cgNAT?  You don't say so - indeed, you imply that that you could open router ports but don't want to.  If that's the reason, what is your justification, and would another look at, say, security concerns help?

What is your actual internet speed, up and down?There's no particular reason why Tailscale, for instance, shouldn't allow you to use that, from my understanding of how it works - perhaps you are using it wrong?

Every case is different, so tell us more.

Paul

[Santiag0 10]

My internet speed is 1.5gig up and down and I now use proton vpn on my Emby computer and speeds are still fast. I can port forward 8096 but I read on this website it's not safe and I just read another one today someone's Emby was accessed from a port forward here 

 

If I knew how to safely do it I would but I have no idea how.

[AndreiP 33]

Well, the solution is there in that discussion: put password for all users and hide them from login screen. 

[Santiag0 10]

10 minutes ago, AndreiP said:

Well, the solution is there in that discussion: put password for all users and hide them from login screen. 

I did that years ago but my problem is with port forwarding on my modem router I'm not sure how to secure it do I buy a domain name ssl I'm not sure how it all works. I read so much I feel overwhelmed a little bit and might end up forcing myself to use Ubuntu and just get it over with and I would feel better after it's all running correctly. Think a coffee break is needed.

[pwhodges 2012]

49 minutes ago, Santiag0 said:

 I can port forward 8096 but I read on this website it's not safe and I just read another one today someone's Emby was accessed from a port forward

Opening any port to the Internet is unsafe - indeed, having a computer connected to the Internet at all is unsafe; but just how unsafe depends on how you configure the programs behind the ports.  The trick is to prevent the most likely means of this being exploited.

Every user must have a good password - that is the first and most fundamental rule.  Other good things are a decent malware checker (Windows Defender isn't too bad; I use Eset); enabling SSL to prevent sniffing to guess what you are running (the easiest way to do that IMO is a Caddy reverse-proxy).  I don't bother with a VPN; hiding my address is a bit pointless, frankly, and SSL already hides message contents.  Do any port forwarding manually - if you enable uPNP in the router that is in itself a vulnerability.

Paul

[pwhodges 2012]

4 minutes ago, Santiag0 said:

I did that years ago but my problem is with port forwarding on my modem router I'm not sure how to secure it do I buy a domain name ssl I'm not sure how it all works. I read so much I feel overwhelmed a little bit and might end up forcing myself to use Ubuntu and just get it over with and I would feel better after it's all running correctly. Think a coffee break is needed.

Yes, to enable SSL you need to get a domain name; it's easy to get one for something like $10 a year.  Free ones usually come with caveats.  If you set up Caddy as a reverse-proxy it will automatically do all the getting a certificate and renewing it for you.  It's just as easy on Windows as on Ubuntu, because none of this is particular to the OS.

Paul

[Santiag0 10]

Thank you for the detailed info, would I be able to setup ssl on a router that supports vpn allowing me to put a vpn on the router and have ssl on the router and proton vpn has port forwarding so how would that work if at all.

[pwhodges 2012]

I have no experience of that; hopefully someone else can jump in with an answer.

Paul

[Lessaj 467]

I think you could achieve that with pfSense (openvpn or wireguard) and HAProxy running on the same pfSense.

[Santiag0 10]

Thanks guys I have been reading on this most of the day surely I will figure something out I might end up buying some hardware off newegg.

[Luke 42077]

Please let us know how things go. Thanks.