Enabling Remote Access

Server Version#: 1.40.1.8277
Player Version#: 4.127.1

Issue:
When configuring remote access I am using a manually specified port. When testing the server connection, it comes up with ‘Fully accessible’ but moments later ‘Not available outside your network.’

Hardware:
NAS:
With Plex installed and configured. Accessible from the Local Area, and although the port forwarding via the router appears to work, it forces HTTPS and results in an unsigned certificate error even on Firefox.

Ubuntu:
With Plex installed and configured. This machine hosts a web and mail server with registered domain name and Let’s Encrypt SSL certificate. Ultimate Firewall (UFW) is not active. Ports of web and email forwarded from the Router and everything in that respect works. Plex however, responds on LocalHost:32400 but not to the LAN or WAN.

The Router:
TP-Link Deco X80, less than 1 month old. Manual port is correctly forwarded to both Ubuntu and NAS. UPnP is available, but not enabled. It was originally, but I disabled it when troubleshooting.

What is happening:
Inside the LAN -
Ubuntu
Responds to calls to the domain name, but has unsigned certificate errors when calling the IP address. Plex installation does not respond, but opens on the localhost.
NAS
Responds to calls on the IP address on port 32400 and shows as insecure connection because the certificate is a default unsigned one. However being on the LAN, it’s not an issue.
Outside the LAN -
Ubuntu
Responds to calls to the domain name and shows secure connection. Using the forwarded port to Plex, there is no response.
NAS
When using the forwarded port to Plex, the response is acknowledged, but the certificate being used is unsigned, and browsers are refusing connections.

Options:
This is how I see them:

  1. Copy the certificate from Ubuntu to NAS (somehow) and use Plex off NAS. Don’t really want to have the additional overhead of updating two copies of the certificate, plus the original is secured and updated. Would rather let that sleeping dog lie.
  2. Register another domain and get a certificate just for the NAS. Extra cost and probably not necessary as the problem is likely to be something simple!
  3. Voice frustration in forum in the hope that someone has a suggestion that works.

I have looked over the items posted on the topic and while informative, nothing worked for me and I thought it might have been due to already having a certificate and multiple installations of Plex.
I’ve tried reinstallations of Plex, restarts of all hardware and various reconfigurations of ports, port scanning, updating etc.

I think what is most frustrating is that when updating the config, Plex advises remote access is enabled, and moments later (about 30 seconds) it’s not!

I’m firmly looking at the Ubuntu machine for the problem, yet it responds on other open ports happily and there is no other firewall software installed. In fact, the installations are just over two weeks old.

@thomm25

How is your certificate defined and signed?

  1. hostname.domain.tld
    -or-
  2. *.domain.tld

Remote Access is only concerned with port forwarding
Plex.tv conducts the test inbound using Plex’s certificate.

The sequence is:

  1. you enable Remote Access

  2. PMS connects to plex.tv, requesting “Connectivity test” using the supplied WAN IP plus port number
    – While waiting, PMS opportunistically turns the indicator green.
    (I would love to see it turn yellow first but that’s not how Engineering wants it)

  3. Plex.tv attempts to connect

  4. If the connection is made,
    – They exchange your FQDN and other info so your “published” is complete.
    – At this point, your server can be reached as you defined it to be.

  5. If plex.tv cannot connect, the test fails. The indicator turns back to :x:

My questions for you

  1. Did you create the P12 to add to Plex and does it contain Cert, Key, and CA?
  2. Did you define a Custom Access URL in the Network → show advanced fields?
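Step 3 of the sequence above can only succeed if the server accepts connections on an address the forwarded traffic can reach. The following check is an added example, not part of the thread or of Plex's tooling: it classifies `ss -ltn` output for a forward target. The function name, the LAN address and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): reads `ss -ltn` style lines on stdin and
# reports whether a port-forward target LAN_IP:PORT is actually served.
# forward_target_scope LAN_IP PORT prints one of:
#   reachable      - bound to a wildcard address or to LAN_IP itself
#   loopback-only  - bound only to 127.0.0.0/8 or ::1, so a forward cannot reach it
#   other-address  - bound only to some other specific address
#   not-listening  - nothing is bound to PORT
forward_target_scope() {
    awk -v ip="$1" -v port="$2" '
        $1 == "LISTEN" {
            addr = $4                        # "Local Address:Port" column
            n = match(addr, /:[0-9]+$/)      # locate the trailing :port
            if (!n || substr(addr, n + 1) != port) next
            host = substr(addr, 1, n - 1)
            gsub(/\[/, "", host); gsub(/\]/, "", host)   # [::1] -> ::1
            sub(/%.*/, "", host)                         # drop %interface suffix
            if (host == "0.0.0.0" || host == "*" || host == "::" || host == ip) ok = 1
            else if (host ~ /^127\./ || host == "::1") lo = 1
            else other = 1
        }
        END {
            if (ok) print "reachable"
            else if (lo) print "loopback-only"
            else if (other) print "other-address"
            else print "not-listening"
        }'
}

# Constructed sample: a web server on all interfaces, port 32400 on loopback only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
LISTEN 0      128    127.0.0.1:32400     0.0.0.0:*'

# Live use on the server itself (LAN address is a placeholder):
#   ss -ltn | forward_target_scope 192.168.0.20 32400
```

A `loopback-only` or `not-listening` result means the router rule has nothing to deliver to, whatever the Remote Access page briefly shows.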

Thanks for getting back to me…

Cert is defined and signed for the domain name, so the first one.
Is the second, for all sub names a better way?

Not sure on ‘P12’, but I have a folder with cert.pem, chain.pem, fullchain.pem and privkey.pem files.

No, did not define a custom url.

The first form I showed you is for a specific hostname.
It is of the form host.domain-name.tld

The second form is a single certificate which covers all hosts in that domain.
It’s the “Wildcard” domain form.

I use the second form.

In my configuration,

  1. I obtained my domain name. (mydomain.tld)
  2. In my router (pfSense), I use the ACME mechanism to have Let’s Encrypt sign the wildcard (*.mydomain.tld) master certificate.
  3. Here is how I actually create the P12 file for PMS.
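```sh
#!/bin/sh

# Get current cert & key from the router (pfSense ACME output)
scp admin@pfsense:/conf/acme/MyDomain.key  ./MyDomain.key
scp admin@pfsense:/conf/acme/MyDomain.crt  ./MyDomain.crt

# Bundle the key, the certificate and the Let's Encrypt intermediate (CA) into one P12.
# openssl prompts for an export password that protects the bundle.
openssl pkcs12 -export -out MyDomain.p12 -inkey MyDomain.key -in MyDomain.crt -certfile "Acmecert_+O=Let's+Encrypt,+CN=R3,+C=US.crt"
```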

At this point, I have a P12 file which PMS can use.
Since my router is also my LAN DNS / hostname master, it can authoritatively assign FQDN hostnames to all my hosts & devices (I have quite a few due to my work for Plex)

At this point, the only thing remaining would be to:

  1. Put the P12 where PMS can read it
  2. Give PMS the path to that P12
  3. Tell it the needed domain & info to use it.

===========================================================

Remote Access is not dependent on you having your own certificate.

Remote Access only requires that you define, or allow UPnP / NAT-PMP to create, the port forwarding rule.

Here is how it’s defined in pfSense (every modem/router has their own forms but it all works the same)

  1. Any traffic coming to my WAN Address, port 17321
  2. Is NAT forwarded to LAN Address 192.168.0.20 (my server), port 32400
  3. I have an additional qualifier on the rule. Only those computers defined in “AllowedRemotes” can access the port.

That’s it.

Whether I have a certificate or not, Plex requests which connect to port 17321 are forwarded to my server. When I enable Remote Access, it’s immediately ON and never fails.

This is how Remote Access is defined and works.
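The earlier question of whether the P12 contains Cert, Key, and CA can be checked mechanically. This is an added example, not part of the thread or of Plex's tooling: it bundles the certbot-style files named earlier (privkey.pem, cert.pem, chain.pem), refuses a key that does not match the certificate, and reports what the resulting P12 holds. The function names and the P12_PASS variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). File names follow the certbot layout
# mentioned in the thread; function names and P12_PASS are hypothetical.

# make_p12 DIR OUT PASS: bundle DIR/privkey.pem, cert.pem and chain.pem into OUT.
# Returns 2 if the private key does not belong to the certificate.
make_p12() {
    dir=$1 out=$2 pass=$3
    # Compare the public key in the certificate with the one derived from the key.
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "key/cert mismatch" >&2; return 2; }
    # The P12 holds the private key: create it owner-only, and pass the export
    # password through the environment rather than on the command line.
    ( umask 077
      P12_PASS=$pass openssl pkcs12 -export -out "$out" -passout env:P12_PASS \
          -inkey "$dir/privkey.pem" -in "$dir/cert.pem" \
          -certfile "$dir/chain.pem" )
}

# p12_summary FILE PASS: print "certs=N key=yes|no" for the bundle.
# certs=1 means the chain (CA) is missing; key=no means no private key inside.
p12_summary() {
    n=$(P12_PASS=$2 openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys \
            2>/dev/null | grep -c 'BEGIN CERTIFICATE' || :)
    if P12_PASS=$2 openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes \
            2>/dev/null | grep -q 'PRIVATE KEY'; then k=yes; else k=no; fi
    echo "certs=$n key=$k"
}

# Usage (paths and password are placeholders):
#   make_p12 /path/to/live/your.domain ./plex.p12 'export-password'
#   p12_summary ./plex.p12 'export-password'
```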
