'Unable to reach' server error

[twofacetoo 0]

Hey all. Setup Emby for my own purposes a while ago, allowing me to stream media from my Windows desktop computer in the UK (where the server is hosted) to my Android phone or Roku smart TV. It worked pretty well, then I tried to add some friends as users so they could access the server too. In both cases (one located in Germany, another in the UK with me but accessing from their home), neither one was able to actually access the server. Weirdly, it worked on my side previously, then when I tried to access it on my phone, the same error popped up when trying to use the server I'd accessed fine previously. I managed to fix that by setting up the Emby Connect email address for my own user (which I hadn't needed to do before), but it didn't work for my friend, even after they closed and re-opened the app.

So far I've just been looking around for help on the topic, and trying a few things in past forums and threads. I've tried fiddling with network settings including adding exceptions to the firewall for Emby to run and setting the network connection to Private, but it still hasn't helped. I even just tried killing the internet connection and restarting the server, still no luck. I should note also, I use a VPN on my computer but again I can access the server fine on both my TV and phone, which are linked to the same internet connection itself, being contained within the same house.

All in all, I have no idea what to do here. I'm not any kind of technical genius, I purely tried to set this up to have an easy way for my friends to watch movies and shows together, so this whole connection issue is completely stumping me. Again, it worked before on my side, then stopped, then re-linking the Emby Connect email seemed to fix it, but that only worked for me.

While my friend and I were working on it, I got 4 different logs, all of which have been attached. These were all generted between when we started until I decided to ask for help here to see what can be done. Any advice will be appreciated, even if it seems obvious. Again, I'm not tech-savvy, I'm just trying to make this work is all.

1. ffmpeg-remux-3f650a71-0b72-4d30-88bb-07b5565ff2ce_1.txt 2. embyserver-63903656845.txt 3. hardware_detection-63903656856.txt 4. embyserver.txt

[Abobader 3464]

Hello twofacetoo,

** This is an auto reply **

Please wait for someone from staff support or our members to reply to you.

It's recommended to provide more info, as it explain in this thread:

Thank you.

Emby Team

[Lessaj 467]

How did you set up the port forwarding rules? Try disabling IPv6 on the device, it looks like that's what's being advertised, it may work better with only IPv4 enabled.

[twofacetoo 0]

Just now, Lessaj said:

How did you set up the port forwarding rules? Try disabling IPv6 on the device, it looks like that's what's being advertised, it may work better with only IPv4 enabled.

On which device specifically? The router, or the computer? Again, sorry, not very knowledgable about this, I just followed online tutorials to do everything so far.

[Lessaj 467]

On the emby server device.

[twofacetoo 0]

51 minutes ago, Lessaj said:

On the emby server device.

Sorry for the delay, just managed to get both friends to try it after I disabled the IPv6 setting, got the same result for both.

[TMCsw 247]

9 hours ago, twofacetoo said:

I use a VPN on my computer but again I can access the server fine on both my TV and phone

VPN's block so much S#it! (local LAN is usually unaffected if set in VPN settings).

First, try turning it off; if that doesn't work, uninstall it (they tend to leave many blockers on).

This way, you can determine whether the VPN is the issue.

[Luke 42077]

@twofacetooplease let us know if this helps. Thanks.

[Lessaj 467]

Ah I didn't see the note about using a VPN client on the device. That will also affect the reported IP address since it reaches out to an external site for that, and if that traffic goes over the VPN client tunnel then it will report an incorrect external address. That's likely the issue.

[twofacetoo 0]

8 hours ago, TMCsw said:

VPN's block so much S#it! (local LAN is usually unaffected if set in VPN settings).

First, try turning it off; if that doesn't work, uninstall it (they tend to leave many blockers on).

This way, you can determine whether the VPN is the issue.

I've done that already during these tests, after every suggested step we've tried it both with the VPN on and off, and it still doesn't work.

[twofacetoo 0]

5 hours ago, Lessaj said:

Ah I didn't see the note about using a VPN client on the device. That will also affect the reported IP address since it reaches out to an external site for that, and if that traffic goes over the VPN client tunnel then it will report an incorrect external address. That's likely the issue.

Is there ANY way of this working with a VPN running? I live in the UK, our government has gone censor-crazy and begun blocking a lot of websites, it's basically impossible to get on the internet here without using a VPN in the first place. Basically, I refuse to turn it off - can Emby still work in this instance?

[hawkguru 4]

exclude emby from vpn?

[twofacetoo 0]

1 hour ago, hawkguru said:

exclude emby from vpn?

Would that just be the EmbyServer.exe program?

[hawkguru 4]

i excluded thr whole embyserver directory but i think if limitedp to executable or files do both the embyserver exeuctable u mentioned and embytray.exe

[Lessaj 467]

I don't use a VPN client on my device, it runs on my firewall, and similarly my DDNS client runs on my firewall too so that always uses the WAN connection to update the DDNS. In your case yes you probably need to exclude the server exe so that it can use your WAN connection. However it's concerning if it still doesn't work with the VPN disabled, though that may be because it hadn't updated yet, I'm not clear on the exact update frequency. Did disabling IPv6 on the device change what is displayed on the admin dashboard for remote access? To be clear, there's nothing inherently wrong with it using IPv6, plenty of devices support it, it was just an attempt to stick with IPv4 addresses since I believe sites like canyouseeme.org would only show the IPv4 address. You can use a service like that (with your VPN disabled, so it gets your actual external address) to check that the port forwarding is actually working correctly, and isolate it to an advertisement problem - if it's advertising the wrong address, it isn't going to connect.

[twofacetoo 0]

28 minutes ago, hawkguru said:

i excluded thr whole embyserver directory but i think if limitedp to executable or files do both the embyserver exeuctable u mentioned and embytray.exe

Yeah, using ExpressVPN I'm limited to selecting specific files, but I've added all instances of EmbyServer.exe and EmbyTray.exe from both the System and System.old folders, will reply again when I've checked with my friend on how it's looking.

[TMCsw 247]

2 hours ago, twofacetoo said:

ExpressVPN

A quick search results in:

Quote

ExpressVPN does support port forwarding, but only on routers running the ExpressVPN firmware—not in the Windows/macOS/Linux apps. 

 

[Luke 42077]

44 minutes ago, TMCsw said:

A quick search results in:

 

Ah it sounds like this is the issue then?

[twofacetoo 0]

10 minutes ago, Luke said:

Ah it sounds like this is the issue then?

Okay... I tried to setup port forwarding on my PC where the server is hosted, but doing so seemed to just completely circumvent traffic AROUND the VPN anyway, with my PC now registered as being in the UK instead of other locations, even when the VPN enabled. I've now undone all the steps I took previously, but it still hasn't reverted. So now not only does Emby not work, but my VPN seems to be compeletely fucking bricked as a result too.

Slight update: I swapped from using split tunnelling back to ExpressVPN's 'Lightway Turbo' option, and that seems to have rectified the VPN problem at least, but it looks like I'm at a complete dead end. Thanks to our brainless government there's no way in hell I'm going on the internet without my VPN enabled at all times, so if that's going to constantly break my Emby server then so fucking be it at this point.

Edited January 11 by twofacetoo

[TMCsw 247]

Please tone it down a bit...

Perhaps https://tailscale.com/download would work for you? 

Note: it has to be set up on both ends (server/user side). I haven't used this myself, but most I've heard say it's relatively easy...

[Lessaj 467]

1 hour ago, TMCsw said:

A quick search results in:

ExpressVPN does support port forwarding, but only on routers running the ExpressVPN firmware—not in the Windows/macOS/Linux apps. 

I think this is referring to incoming port forwarding via the VPN, and not incoming port forwarding via WAN, which running a VPN client should not prevent but I am not 100% sure about that because of where I run my VPN client. The problem here is WAN advertisement is needed in order for the connection to work properly.

Here's something you can at least try to verify that the incoming port forwarding via WAN is working even with the VPN client running. Find out your external IPv4 address, you should be able to find it somewhere within your ISP gateway if you don't want to disable the VPN, and on your phone while on data try to connect to that address and port manually in your web browser, same as trying to use the web app but you're skipping Emby Connect here, you're just trying to connect directly. Be sure to specify http:// when entering the address since the web browser may try https automatically. If that works, then you know your port forwarding is working and just have to fix advertisement for Emby Connect.

A possible solution is to use DDNS. If it is not possible to run the DDNS client on your networking equipment (my ISP gateway offers DynDNS and NoIP, my pfSense has a ton more services available, I use NoIP on pfSense) you should be able to run it on your server device as long as you split tunnel it.

I understand wanting to remain behind a VPN, my entire network is behind one, it just exists at a different point in the network path. Given your stance on needing a VPN with your internet connectivity the best place to have it would be at a more forward point in your network, but you'd need additional equipment for that and you shouldn't need that equipment to achieve remote access while running a VPN client.

[Lessaj 467]

EDIT: Somehow it double posted, no idea why. This post can be deleted.

Edited January 11 by Lessaj

[TMCsw 247]

1 hour ago, Lessaj said:

I think this is referring to incoming port forwarding via the VPN, and not incoming port forwarding via WAN,

That is probably correct, but the fact remains that the VPN is active on the local IP address that the server is running on.

I do use a VPN (NordVPN, not recommending it, but I chose it because it’s cheap for the long term).

But to allow Emby access, I also run an LXC container without a VPN, with an NGINX reverse proxy that forwards traffic to my local IP (192.168.x.y), which I can tell Nord not to block for LAN access. (No VPN on this LXC, not needed, and uses SSL)

I believe that Tailscale is probably easier for most people.

But if you have a better way …

[Lessaj 467]

4 minutes ago, TMCsw said:

That is probably correct, but the fact remains that the VPN is active on the local IP address that the server is running on.

I do use a VPN (NordVPN, not recommending it, but I chose it because it’s cheap for the long term).

But to allow Emby access, I also run an LXC container without a VPN, with an NGINX reverse proxy that forwards traffic to my local IP (192.168.x.y), which I can tell Nord not to block for LAN access. (No VPN on this LXC, not needed, and uses SSL)

I believe that Tailscale is probably easier for most people.

But if you have a better way …

My experience with VPN clients is limited since it's on my firewall - I've only used the OpenVPN client on Windows and Linux otherwise. Yes it would still need to bind itself to a local interface, but it should create another network adapter which has the VPN client IP associated with it. If those client programs are also interfering with incoming traffic destined for the LAN address then they are missing the needed rules to reply on the same interface that the traffic was sent to.

I was just investigating something similar today, I have a VM that runs my Unifi Network Controller and after I migrated the VM to new infrastructure it got a new IP in a different VLAN and the traffic is being tagged by the hypervisor, it appears that because return traffic being tagged the switch was just dropping it so I could see the SYN and SYN-ACK but no ACK. I had to add another interface which has the old IP address and ends up not being tagged by the hypervisor but then still had an issue with connectivity from various devices. Both addresses are otherwise open but it wasn't replying on the right interface so I could ping one address but not the other, and some VMs could ping one address but not the other so I had hit and miss connectivity. I had to add some rules to make it reply from the interface the traffic came from so now I can reach both addresses properly but I still have to leave the second interface specifically for the switch to connect to the Unifi Network Controller because of the tagged traffic.

[hawkguru 4]

just remember ur not interested in port forwarding your vpn connection but ur original isp connection - so u exclude emby so its not behind vpn and then go to router settings amd port forward- hopefully you dont have isp supplied router but a proper one not saying it wont work with isp router but always a dedicated router better i find-also if ur router is connected to isp router you may have to do two levels of portforearding

easier than what i make it sound to be honest

Edited January 13 by hawkguru