Server Version#: 1.16.4.1469
Player Version#: 3.100.1
I have a dedicated VPN server, DNS and OpenLDAP on my network already; I don’t actually need further auth handled by Plex.
This is all hosted on different VPSes; the dedicated VPN server is also where I do DNS/firewalling/IDS/IDP, and basically all my routing happens there.
One VPS has Plex installed on it; it has its internal DNS mapping and is a VPN client.
That VPS also hosts other services, and those services need access to the internet via the VPS’s public IP. Plex IS NOT among those; I want it to be accessible only via VPN.
The firewall on that machine allows all the ports that Plex needs to communicate with clients, but only on the internal VPN network; on the public IP side I do not want to allow any streaming/communication to and from Plex.
After being forced to put my browser and my server on the same network at least once for setup, I basically have it working the way I want with the web client, but I’m having a tough time wrapping my head around a couple of things:
1. How do I bind Plex to an IP? Where’s that setting? Right now I’m just relying on the firewall to prevent access to Plex from the public IP; I can’t find that option.
2. Is there any way I can get the official Plex client app for Linux to connect to a custom IP/domain that my own internal DNS will map to the VPN Plex IP?
For number two, I already know that one obstacle is that the official client app requires HTTPS, hence working certificates, and I could get those via Let’s Encrypt, but since I want to access Plex ONLY via VPN I really don’t need HTTPS; HTTP is more than enough (by the way, does the internal Plex web server use HTTP/2?). Any way around this?
Besides the certificate issue, I can’t find any way to make the official Plex client app connect to my Plex server without going through plex.tv. Any way to do this?
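Plex Media Server has no bind-to-address option in its settings, so the "VPN only" restriction the poster wants has to be enforced by the host firewall, which is what the post already relies on. The following is an added example, not code from the original post or from Plex: a POSIX shell function that generates an nftables ruleset admitting Plex's ports only on the VPN interface (and only from the VPN subnet) while dropping them on the public interface, leaving the VPS's other public services untouched. The interface names eth0 and wg0 and the subnet 10.8.0.0/24 are assumptions; change them to match your VPS.

```shell
#!/bin/sh
# Added example (not from the original post or from Plex): generate an
# nftables ruleset that exposes Plex Media Server only on the VPN interface.
# Assumptions (hypothetical names): public interface eth0, VPN interface wg0,
# VPN subnet 10.8.0.0/24. Override via environment variables if needed.

PUB_IF="${PUB_IF:-eth0}"
VPN_IF="${VPN_IF:-wg0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"

# Ports Plex Media Server listens on:
#   32400/tcp              main API / streaming port used by every client
#   32410,32412-32414/udp  GDM local network discovery
#   1900/udp, 32469/tcp    DLNA (SSDP discovery and the DLNA server itself)
PLEX_TCP="32400, 32469"
PLEX_UDP="1900, 32410, 32412, 32413, 32414"

# Emit the ruleset on stdout so it can be reviewed, checked with `nft -c -f`,
# and loaded with `nft -f`. The table coexists with the host's other rules:
# a drop verdict is final, while accept only ends evaluation of this chain.
gen_plex_ruleset() {
    cat <<EOF
table inet plex_vpn_only {
    chain input {
        type filter hook input priority 0; policy accept;

        # Plex is reachable only when the packet arrived on the VPN interface
        # and carries a source address from the VPN subnet.
        iifname "$VPN_IF" ip saddr $VPN_NET tcp dport { $PLEX_TCP } accept
        iifname "$VPN_IF" ip saddr $VPN_NET udp dport { $PLEX_UDP } accept

        # Anything aimed at Plex's ports on the public interface is dropped,
        # regardless of what other services this VPS exposes there.
        iifname "$PUB_IF" tcp dport { $PLEX_TCP } drop
        iifname "$PUB_IF" udp dport { $PLEX_UDP } drop
    }
}
EOF
}

# Typical use (as root):
#   gen_plex_ruleset > /etc/nftables.d/plex.nft
#   nft -c -f /etc/nftables.d/plex.nft && nft -f /etc/nftables.d/plex.nft
```

After loading the ruleset, verify the policy from both sides: from a VPN client, `nc -vz <vpn-ip-of-plex> 32400` should connect, and from any host outside the VPN, the same probe against the VPS's public IP should time out rather than be refused (a drop, not a reject, so the port does not advertise itself to scanners). Note that this only governs inbound connections; the server's own outbound connection to plex.tv for sign-in is unaffected.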
That URL is what’s going to be put into the SSL certificate from the plex.tv chain, correct?
So I really don’t need to provide my own certificates for this to work, do I?
Because I did, and I think that’s why.
I provided a self-signed certificate; the client didn’t recognize it and didn’t connect to the server.
See, I already have a private CA and it’s installed in all the web browsers on my clients, but that’s obviously not what the official native client uses. Any way to add my own CA there?
So if I use the plex.tv certificate chain, providing only my custom mapped domain as you said, it should work, and the Plex client should be able to authenticate on plex.tv via its own internet connection, get the correct redirect to the address I set there and hence connect via the VPN, correct?
And this should work even if the server is NOT remotely accessible, correct?
When a player looks for your server, it contacts Plex.tv. Plex.tv responds with the access URL you gave it: “Server is here: URL”.
You don’t need a cert because each player and each server communicates with Plex.tv via Plex’s cert.
Your own certed domain is always problematic. The issue here is one of prioritization.
You add your cert to PMS so it knows how to deal with it (on the same referenced page above).
Should your domain cert supersede Plex’s cert, Plex.tv will not respond to it. Plex.tv must see its cert (standard private-public pairing) first. PMS can accept requests from systems with your cert, but it must be aware of it (from above).
To answer part of your earlier question: PMS does not support local authentication. All authentication is done by plex.tv. Local authentication is very much requested; however, Engineering has never provided such functionality. A constant internet connection is required.
So there is no way for me to use anything besides the web player or a third-party player to access my private Plex server.
I am forced to keep a port open at all times for my not-so-private-anymore server to handle login via plex.tv if I want to use your official client, which is the best way to browse my server. I mean, if I can only access it via VLC or a third-party app, I’m better off using any lightweight DLNA server and that’s it.
This is a deal breaker for me. I want to host a private server on a VPN (but it’s the same scenario on a home LAN actually) and not be forced to leave a port open to be scanned by malicious actors and trust in your implementation of authentication; it’s not even logging failed auth attempts properly, so that I could at least mitigate the risk by putting fail2ban in front of it.
Since at least one CVE exists for an older version, can you guys assure me there’s not another way to circumvent login and for malicious actors to get access to my private server?
You know, if they were to use that access to then conduct illegal hacking activities I’d be liable, and I host this on somewhat powerful VPSes that have access to fast connections and huge resources, making them a juicy target.
And this would be the case even if I were to buy a pass. I am OK with you guys having a business model, but since it is possible to implement local authentication without giving us access to functionalities that require a pass, this is just forcing me and all your customers to host a public server even if we don’t want to.