Plex App Remote Traffic Only

Looking for a way to identify and allow traffic that is coming from a remote Plex application, either on a phone or TV. Trying to set up a Cloudflare policy that only allows traffic to the Plex local service from a remote application and nothing else, regardless of IP/location etc. I would do this based on IP; however, the remote IPs are dynamic, which makes this difficult to enforce without some type of DDNS, which is hard to implement on remote networks I don't control.

Set up something like a WireGuard VPN server.

Now you have positive identification of each person connected because there is a key exchange performed and they get the IP address you assign them.

Now, if you want to go further and put them into a subnet or DMZ, you can.

That would mean each device would need to connect to the VPN before trying to access the Plex service, e.g. every phone, smart TV. I'm wondering if there is a way to do it without a VPN.

What you have described is essentially what I would do worst case: all VPN users into the DMZ, then internal ACL and policy to only allow access to the Plex service on the internal IP/port, stopping lateral movement.

You can use Plex’s Remote Access …

It makes them sign into their Plex account.
They then have automatic brokering to your IP.

It’s still remote access – without all the fuss.

You control who you give access to.

The Plex Dashboard will show you what’s going on.
If you want further details “Tautulli” will give you even more.

You will find that using Cloudflare for Plex on a free account will likely result in Cloudflare restricting access. Their Terms of Service are quite clear that “Cloudflare offers specific Paid Services (e.g., the Developer Platform, Images, and Stream) that you must use in order to serve video and other large files via the CDN”. They have been actively enforcing this based on posts I've seen across various forums.

This would be the easiest way to manage as it is built into all of the Plex apps. @hoochbanks if you are concerned about opening ports in your firewall to the entire internet, you could potentially allow a smaller range of ports. For example, just those from your country, plus the Plex Sidekiq servers, or if you know the ISP that they connect to then potentially IP range for those.

Cloudflare is just a test for now to figure out what is possible; I have not decided what the plan is in the long term.

This isn't ideal as that would assume that there is nothing malicious in the entire IP range. I would rather just do it based on a public IP and change/add to it if required, just annoying.

Then you’re pretty much restricted to a VPN, but then even that requires exposing the VPN service to the broader internet.

Agree, however probably better than standard port forward of reverse proxy.

I did find this site which does run through how to set up Plex via Cloudflare Zero Trust, and on review I do agree with their position that the use of Plex through ZT may be permitted (although it remains to be seen what CF would do).

That would at least have some of CF’s protections from your Plex server.

However, it probably doesn’t allow you to restrict your clients down to the individual varying IP without putting an application policy that would require verification via email code to gain access. That wouldn’t be suitable for TVs which would have no way of doing it.

You may be able to use the application policy parameters to lock it down a little more.

If you’re worried, potentially put your Plex server in a DMZ, enable remote access, and lock down the IP ranges that can access to minimise the footprint.
