How exactly does remote access work without opening incoming firewall connections?

Hi.

I am running PMS behind a Fortigate firewall where I’ve only opened incoming access to my Wireguard server. How in this scenario is the access to my library (both video and music) working?

I’ve noticed that from my mobile phone I can stream both movies and music only if the Wireguard tunnel is active. Same goes for my laptop (when I’m remote).

Am I right understanding that this way it’s not possible to access my media library in any other way than using Wireguard tunnel? Which would also mean that if I share my library with another Plex user, he/she won’t be able to access any of my content?

TIA,
F.

Plex Relay.

You can use the Plex relay but it limits the quality of the media.

https://support.plex.tv/articles/216766168-accessing-a-server-through-relay/

To support higher quality playback remotely you need to use either port forwarding or a tunnel.

OK, so you confirm that with my actual setup (no port forwarding, just Wireguard tunnel on some of my mobile devices) nobody can access my media library.

Correct, unless you use the Plex Relay or add them to Wireguard.

I use WireGuard for both access to our NAS Lab and for others.

When I sign into the NAS lab, I get an IP address on that LAN.
It’s a tunneled DIRECT connection.

The same is true of others who connect to my Wireguard server.
They are assigned local LAN IP addresses.

They are LOCAL to my LAN even though distant.

PMS sees them as LOCAL.

That’s what I’m not yet doing: one of my friends has added me on his PMS and I can see/stream his library, but I believe he can’t do anything with mine (I’ve added him as well as a PMS friend)?!

No one can access your server remotely unless have done one of two things:

• Enabled remote access and forwarded an external port (any unprivileged port) to port 32400 (TCP) to your server’s internal IP address.
• And/or enabled Plex relay to allow access to your server to be proxied through Plex’s server’s (which, as mentioned above, will cap the stream bandwidth to either 1 Mbps or 2 Mbps, depending on whether or not you subscribe to a Plex Pass).

In either case, they’ll need to be logging into an account to which you have granted access to your server. Simply accessing your server by its IP does not give them access; rather, it just allows them to load the Plex web interface (if accessed via browser). They still need explicit sharing permissions to view your media.

So, you won’t likely accidentally allow someone access to your media.

Therefore I could just “disable remote access” from here, right?

image997×447 37.2 KB

Yes. In that case, remote access will be completely unavailable (even via Plex relay).

Isnt it a pain in the … to get Wireguard on Syno boxes?

Not at all! There’s a Docker Container for it called wg-easy.

If you can’t find the instructions, let me know and I might be a bit of help…

Agree. wg easy is the way to go in a container.

I have one on my workstation to our NAS lab.

[chuck@lizum databases.2025.05.17.2010]$ ifconfig wg0
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 10.2.15.100  netmask 255.255.255.255  destination 10.2.15.100
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 8  dropped 0 overruns 0  carrier 0  collisions 0

[chuck@lizum databases.2025.05.17.2011]$ 

Where wireguard becomes a pain is if you want to grant remote access to your PMS for friends and family, as they need to install and configure a wireguard client on their devices. It’s easier, particularly for technically challenged friends and family just to enable remote access via a port forward and send them an invitation through Plex.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.