LXD? LXC? Docker? Indirect access, no matter what

I have tried literally everything I could think of, but no dice.
So. I’ve been a Linux user/server admin for 15 years or so. Docker and LXD are both new territories for me, but I have done my best to learn every tiny bit about it in the past week. And anything I fire up with them works great. Emby, a LAMP stack, whatever I want. They work perfectly. I can reach them outside, I can use them, they have great performance.

But Plex.
I set up Plex, let’s say with Docker. I use either the official image, or the Linuxserver.io image. They start up. I can reach my deployed Plex through SSH forward. Superb. I add my content, match what’s mismatched, it’s perfect. I try to run the desktop Win10 app, or my phone app, or the website… “Connection indirect”.
LXC is really the same.

  • Grab LXD from snap.
  • lxd.migrate
  • lxd init
  • lxd launch
  • go into the container with exec (bash)
  • install plex
  • stop container
  • add port forward + directory “forward”
  • start container

The ports are forwarded.

  • The VM has ALL ports enabled.
  • There is no separate firewall on VM.
  • I tried host, macvlan, port-by-port forward with Docker.
  • tried LXD’s own port forward + iptables.

And as I said, ANYTHING ELSE works SUPERB. Great. Amazing.
Except Plex. It’s Indirect.

Any clues?
Really, ANY?

  • I have about ~200 Google searches in the past few days regarding Plex + indirect.
  • I have tried to ask Discord, IRC.
  • Tried to ask all friends who work as sysadmin/devops, if anyone has any clue.
    None.

There was ONE tip on IRC, by a kind fella, who said I should add the local subnet to the “allowed external IP” to Plex’s server config. Added it, still Indirect. So that didn’t work.

What OS did I use?

  • Ubuntu 18.04 and Ubuntu 19.04

What setup do you have?
I tried to set this up on a dedicated server as direct container. I tried to set it up as a Hyper-V guest with an external IP + separate MAC (ie.: a 100% outside internet connection). I tried to set this up on Vultr with a brand new VM.
All other applications I ran worked great on all of these setups.

How much time did you spend on your router and DNS? Plex wants to redirect plex.tv to your public IP. If DNS blocks it (local connection) or your port forwards (remote) can’t get back to your server, then the connection is indirect. It could be the DNS server, the router could have DNS rebinding protection, and on the low probability the router’s NAT implementation might need some tweaking.

https://support.plex.tv/articles/206225077-how-to-use-secure-server-connections/

Also verify your DNS resolver (modem/router) allows private domain plex.direct
If it does not, it will be indirect.

Lastly, internal firewall ports for discovery and 32400 must be open on the host.
If these are not open, it will indirect every time.

Ports are open, of course. All the other apps function properly through the ports I forward. Port forward is perfect.

Router: Well, what do you mean by “private domain plex.direct”? This is a dedicated server. I have it set to resolve through Cloudflare. The host has its own public rDNS entry, and it resolves properly and all.

Like I mean there is an entry, I have to add to my DNS, I am down with that, just let me know what domain it’s looking for. Cause I am not really getting what you mean by “plex.direct”…

On a LAN, one method of host resolution is via private domain membership.
Plex uses hostname.plex.direct for internal purposes.

Many routers have a feature which prevents DNS Rebinding.
Plex’s use of a private, secondary, LAN domain in addition to your LAN’s domain is seen by some routers/DNS resolvers as a DNS Rebinding attack (spoofing) and blocks it.

On pfSense, all which need be done is to allow the exception to the DNS Resolver service.
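A way to check for the rebinding filter described in the reply above, as an added example that is not part of the original thread. It assumes the server name is in the IP-encoded form of a plex.direct hostname (first label such as `192-168-1-10`); the function names and the sample names are constructed for illustration.

```python
import ipaddress
import socket
import sys

def ip_encoded_in_name(name):
    """Return the IPv4 address encoded in the first label, or None.

    Assumption: the first label is the dash-separated address,
    e.g. 192-168-1-10.<id>.plex.direct -> 192.168.1.10
    """
    label = name.split(".", 1)[0]
    try:
        return ipaddress.IPv4Address(label.replace("-", "."))
    except ipaddress.AddressValueError:
        return None

def diagnose(name, answers):
    """Classify what a resolver returned for an IP-encoded name."""
    expected = ip_encoded_in_name(name)
    if expected is None:
        return "not-ip-encoded"
    got = {ipaddress.ip_address(a) for a in answers}
    if expected in got:
        return "ok"
    # Rebinding protection drops answers that point at private ranges,
    # so the lookup comes back empty even though the name exists.
    if not got and expected.is_private:
        return "private-answer-filtered"
    return "unexpected-answer"

def resolve(name):
    """Ask the system resolver for A records; empty list on failure."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

if __name__ == "__main__":
    # Usage: python check_rebind.py <your-server-name>.plex.direct
    for host in sys.argv[1:]:
        print(host, diagnose(host, resolve(host)))
```

If the result is `private-answer-filtered`, exempt only that domain rather than turning the protection off, for example `rebind-domain-ok=/plex.direct/` in dnsmasq or `private-domain: "plex.direct"` in Unbound.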

Well, there is no router whatsoever in place here, it’s a server.

So, the setup is like this. The setup that I wanted to run Plex mainly:

  • Host: Server 2019 Windows + Hyper-V
  • Guest: Ubuntu 18.04 - with a bridged adapter from Hyper-V that uses its own separate MAC, and gets its own IP.

So this far means, the Guest - has its own IP, own thing going on. The host interferes none.
The guest has LXD or Docker going on - I tried both. Both run fine, I see the port forward, but the server remains indirect.

There is a firewall on Hetzner. But, it has the rule set up for this external, guest IP, that anything that comes this way - it will allow it through.
Again, this setup works wonderfully for any application, except Plex.


Now you could say, well, it can be Hetzner. No.
I tried to set up this on Vultr with a new VM. I tried OneProvider with an i5. Same result. So different providers, different firewall/setup, nothing. No dice.


I am thinking it can be Docker. Or LXD. But that’s the question.
What do I do to these, to make them work?
In the official Docker Hub, at the official Plex image, all I see is… well, the commands and that I run them. I do. I get the plex docker. It sees the folders I mount up and I can reach it via SSH forward. But, remains Indirect.

Is there a directive I gotta add Docker?
Some kernel parameter I gotta change?
Maybe mess with LXD’s network configuration?
Change netplan somehow? Use ifup?
I am all out of clues… cause… there is no router here. It’s not a home setup. This is as raw, pure, as it gets. :confused:


Ps.: Thank you all for taking the time to answer my question. I will be really glad if I/we can make this work out somehow. I swear I’ll spread the word on how to get Plex + LXD/Docker set up all proper.

I’m sorry but I can’t help. I have zero knowledge of Hyper-V and how it behaves.

Plex in Docker on Windows is unstable / unreliable due to file locking from within the container. Engineering has made great strides but there’s still a missing element in the Docker/Windows API layer which is lacking.

Containers don’t have kernels. They use the host OS kernel. This is the problem.

Linux app lib API calls -> Linux-like Docker container -> translation layer in Windows -> Windows kernel. It has historically always failed at the Docker-Windows interface.

I run the Docker/LXD inside Ubuntu 18.04 - on a machine [ vm ].
But, I tried to run Docker/LXD on a fresh Vultr VM with Ubuntu 18.04/Debian 9, and I tried it on a 100% dedicated raw baremetal machine too at OneProvider.

So I never tried to run it on Windows, and it just doesn’t seem to work. :confused:

You have a Linux machine -> VM -> Docker -> PMS?

If the provider doesn’t allow UPNP to operate (which is all you need for ‘Direct’ access), it’s time to speak to the hosting provider. They often have an administrative layer which prevents you inbound.

Well I can forward any port, there is no firewall, I am 100% in control. But I forwarded each and every port that the Docker image mentions and no dice, still indirect. I tried the whitelist thing that the user on IRC mentioned, no dice.

And you know, the Plex Server Settings, when I go there with SSH forward, it says the public IP is right (it shows the correct IP), the port is forwarded correctly, everything.

At this point I really have no clue what am I missing. I mean I read what you wrote, tried to Google it and all, but like, this is 100% an open internet machine, with no firewall, no nothing. Only LXD or Docker on it. (I tried both.)
For example…

  • I reinstall this machine
  • I use ubuntu server 18.04 live iso
  • update, dist-upgrade, get fail2ban up, the usual fluff
  • grab lxd
  • use the commands I found on the LXD forum to forward port + folder, ie.:
    – lxc config device add first mydirectory disk source=/home/user/LXDSHARED path=/LXDSHARED
    – lxc config device add first plex1_32400 proxy listen=tcp:0.0.0.0:32400 connect=tcp:127.0.0.1:32400
  • I install the plex .deb, restart the LXC container, and ssh forward works, but it’s Indirect.
  • You would think it’s the port. But I install Emby, for example, or Nginx, or Apache, they all work. They all load, serve, function superb. Perfect. Plex? Indirect.

Same with Docker.

  • Redeploy 18.04. Same live image.
  • Update, dist-upgrade, grab Docker using the official guide/way.
  • Try both of the official, and the linuxserver.io image (for Plex).
  • Launch either, doesn’t matter which.
  • I can reach it through SSH, but it’s Indirect again on Plex.tv interface.
  • Try editing the docker deploy script by using the direct port forwards, or macvlan networking. Same thing.

Everything I try, everywhere I go, it’s Indirect. How? Is beyond me. Port is forwarded. It’s there. So how it can be indirect? :confused:

How about we take this down to bare minimums and make that work. No Proxy and No containers. That’s too many variables in flight when trying to get the base working.

I recommend this because, on 18.04, bare machine, it just works.
If, by doing this, it won’t give you direct then you need to ask the provider why. There is only one port you’ll want open anyway – the port forwarded port.

I recommend:

  1. Download the main Plex for Ubuntu from plex.tv/downloads (we don’t want the snap version)
  2. Remove any other plex instances on the machine
  3. sudo userdel plex
  4. sudo rm -rf /var/lib/plexmediaserver
  5. restart the host
  6. Now install dpkg -i plex_package.deb
  7. In the ssh tunnel ( ssh -L 8888:127.0.0.1:32400 ip.addr.of.host - signed in and idle)
  8. sign out the local browser
  9. Open incognito window
  10. Take the tunnel to it ( http://127.0.0.1:8888/web)
  11. Setup a basic, one directory, one library machine, taking the defaults for everything including allowing remote access
  12. When you arrive at the dashboard, after a minute or two, check to see if it has remote access Green (direct)
  13. From a different window/browser: Access the host directly by IP:forwarded-port/web , verify that works. Playing from there should be flawless. Please confirm this.

After it’s working, if you want to add layers, you can but at least you’ll have a working baseline in hand to fall back on for comparison

Well, this is another case you can file under the PEBKAC category.

I spent hours and hours ever since I last posted, and of course, since I started this project. And it never worked. Like in the past few hours I deployed VMs all over the providers and none functioned correctly. Same issue.

Then I step back and realize I never tested another PC. So I connect to this remote cloud machine that has a GUI. I log in. It works. Wow. So what now? What can cause this? I do use two routers at home, so I am like behind NAT (double nat), but that shouldn’t be an issue at all.
Why? First, I have the second-router in DMZ. Then, the second router does not have any special firewall rules. Or so I thought.

tl;dr/result:

  • Months ago I ran Plex on my own PC.
  • Set it up with a NAT forward rule in Mikrotik, but it was a bit lacking in terms of filtering.
  • Forgot about it since the project never materialized, I just wanted to use a server for Plex.
  • Well, it turns out, the rule was a bit broad and broke :32400 connections. Broke as in, no Direct connection. Removed the rule, all is great.

Moral of the story:

  • Try ChuckPA’s tip. Deploy a new clear Plex over a fresh VPS. It costs cents only.
  • Make sure to try Plex on some other device, on some other network.

Pps.: This topic could be removed, cause people will flock here thinking it’s about an LXD/Docker problem and such, they would hope for a fix. While it was all just a big user issue.

To add to this, if I may;

I always use the K.I.S.S. principle when first doing anything (Keep It Simple :smiley: )

When a task isn’t mapped out in advance, in writing, oversights creep in and steps forgotten.
Also, over time, evolving without updating info, is a killer.

This tidbit comes from countless hours (probably thousands) of figuring out what I forgot or someone else did without documenting it correctly.