Access via Wireguard VPN with Emby Windows App

[aqualord 2]

Hello, 

I found some frustraiting issue while using Emby for Windows. 

I can not access emby server from Windows Application with Wireguard tunnel (tunnel for all IPs) 

Im using local Server IP address and https (http doesn't work neither) and specific port. 

At the same time there is no problem to reach Emby Server by website using the same Wireguard tunnel with https. 

There is also no problem to reach the same network with Android app with exactly the same method. Local IP. Same port and https Protocol. 

 

Whats going on...? It seems to be a bug... 

Because website version is easily accessible... 

 

BR, 

aqua 

[Luke 42077]

Hi there, what exactly happens when you try to connect?

[aqualord 2]

HI!

That's exactly what I see:

 

And this is the proof that it works on website:

 

And I will give some small update that I found. On the Android device it works but while I use 5G N/W with the same Wireguard Tunnel, but if I use WiFi Network it doesn't work neither on Laptop nor on mobile. Anyway there is no such problem with Plex and Jellyfin

[aqualord 2]

@Lukecould You check my last post?

[Luke 42077]

Where does the SSL certificate come from?

[aqualord 2]

The certificate is genereted locally on NAS server for the local IP

[aqualord 2]

OK Guys,

I think that I found the resolution, ok, so the certificate is generated locally so I have a warning during attempting to connect to Emby Server but anyway with this certificate You are still able to use https instead of http in local Network (which I would like to use). So the problem with this certificate is maybe still valid if I would like to use Emby to connect from external Network but... if You use it only locally and via OpenVPN / Wireguard tunnel, just add a valid Wireguard Network address with a bitmask in:

1. Server Settings

2. Network

3. Local Network (1st text field)

It will resolve the problem if You use Emby only locally and over VPN Tunnel.

Hope that someone will find it helpfull

 

[Lessaj 467]

I believe the client apps (on all devices) will essentially use the system's CA store, so if it doesn't trust the certificate it won't allow a connection - in your browser you have the option of accepting the risk, but the client app does not. You can add a self signed certificate to the certificate store in Windows, the exact store that you should put it into if it's self signed vs a self CA signed is different and it's escaping me at the moment so a quick search should help you to find that. By adding the certificate to the certificate store your browser also won't pop up that it's untrusted anymore, so you can use that to verify if you did it correctly - just restart your browser after adding it to the store. I use the CA that is generated as part of my oVirt installation to self sign my own internal sites, I just add the CA as trusted and I have no problem with security warnings in my browser.

I could be wrong about this working for client apps, if the client app uses its own CA store then it won't and you would need a public CA certificate like from Lets Encrypt - ultimately that's what I'm using for Emby so I'm not 100% sure that this will work, but I have been adding the CA to the system store so my browser trusts it for my internal sites for years so it would definitely work for your browser.

[aqualord 2]

OK, so that wasn't all, it started to work but only for a short time, the other thing is that I had a problem also using http without SSL.

 

But I managed it anyway. This should help to You guys too. The full fix below:

 

1. Wireguard Settings

a) if You don't use split tunnel: I just needed to add MTU size in the [Interface] section: MTU=1280

b) If You would like to use SPLIT Tunne:

- Change the MTU like in point a) MTU=1280

- In the allowed IPs use not only local Network address but also Wireguard NW:

AllowedIPs = 192.x.x.x/24, 198.x.x.x/24
 

 

2. Emby Server Settings

2a. Server Settings

2b. Network

2c. Local Network (1st text field)

It will resolve the problem if You use Emby only locally and over VPN Tunnel.

Hope that someone will find it helpfull

 

Edited January 14 by aqualord