I have 2 issues with the Plex Media Server relating to network auto discovery of IP addresses and network interfaces.
To start, my Linux server has 2 network interfaces with both a public IP:
ens3 on IP XX.XX.XX.XXX
ppp0 on IP YY.YY.YY.YYY (VPN)
Plex Media Server only detects the first, ens3 in the preferred network interface dropdown in network settings of the server. Why isn’t it detecting the ppp0 interface?
Besides that, Plex Media Server ‘detects’ my public IP on ens3 as my private IP and my 2nd public IP on ppp0 (VPN) as my public IP.
Therefore, both IP’s are used when somebody remotely tries to gain access to my server. Sending requests over VPN (ppp0, this is correct) and directly to the server (ens3, this is what I want to disable / prevent).
This means that using VPN is not adding any value, as Plex Media Server exposes my server over it’s public IPv4 adress next to the VPN IP.
I hope you understand the issue, as now I can’t use Plex Media Server despite it’s performance. It works well, but I don’t want my public IPv4 address of my server swarming the internet. That’s why I installed and connected a VPN, but Plex refuses to detect this correctly
When you say that ens3 has a public IP, do you mean through a router performing NAT, or that it is directly connected to the public Internet; that is, does this interface have a private IP address?
When I’ve seen this in the past it’s been because the interface not shown does not have a default gateway (route) assigned. Is that the case here?
At any rate, you may be misunderstanding the purpose of the “Preferred interface” setting. It defines the interface (rather its IP address) which PMS publishes to Plex’s servers for the purposes of advertising that address to your clients for local access. It matters to remote access only in-as-much as it also represents the IP address to which you would forward traffic in your router.
Having said that, you can likely accomplish what you want by:
What you configure as the custom server access URL will be published to Plex’s servers as the connection URL to be used for remote clients. If you’re not using a custom domain, it should be something like:
https://ip.of.vpn.interface
You can optionally include :port at the end of the URL. If you’re forwarding a different port than 32400 to your VPN.
The ppp0 indeed has not gateway set, so that might be the reason it’s not showing up. It’s still a working network interface though. I don’t understand why PLEX is only loading network interfaces with a route, as for VPN’s this is not a necessarity to function.
Nevertheless, I just want to hide my public IPv4 address from PLEX and only want to distribute my VPN IPv4 address.
I’ve added the custom server access url:
https://YY.YY.YY.YYY:PORT
However, when I disable the remote access, I get this message pop-up:
This server will no longer be accessible outside the local network. You're currently using a remote connection to this server and you may lose access if you continue. Are you sure you want to disable remote access?
Note: This will not affect any custom network configuration or manual port forwarding from your router. Please review your network settings to ensure complete removal of access to this host and port.
When I accept this, the remote access gets disabled and I’m immediately kicked out of the server. I then can’t connect to the server from any client anymore.
You can find your PlexOnlineToken in the Preferences.xml file in the Plex data directory (generally /var/lib/plexmediaserver/Library/Application Support/Plex Media Server/ on Linux).
You should see your server listed along with “Connections” it’s advertising. Do this before and after making the changes I suggested and see what changes. If the “before” view already shows your VPN public IP, the method I suggested may not work.
I see the VPN public IP already among the connections when remote access is still enabled.
I also see my other public IP (which I want to hide as already said). That’s because PLEX uses/handles this as a ‘private IP’, which sadly it’s not. And therefore it’s just broadcasting a Public IPv4 over the internet, exposing my VPS…
After disabling the remote access, I don’t see any custom url reference in the connections list for the server. Only my ‘private IP’ I want to hide, which is the VPS’s public IP…
I’ve disabled remote access as you’ve said, but I’ve modified the custom access url to this format:
https://YY-YY-YY-YYY.<TOKEN>.plex.direct:port
Note: the IP address should be dash separated!
This seems to work well. I can access my server, but the issue is that I’m still receiving inbound traffic on my Public IPv4 address that I want to hide (port 32400). Very annoying, as it’s not even a private network…
Well… It was working before (remote access enabled) but it was also distributing my ‘private’ IPv4 address which is in fact a public IPv4 address.
With remote access disabled and using the custom access url, I can still remotely access my server, but I’m also still receiving incoming requests to the public IPv4 address I don’t want PLEX to use on port 32400…
So, PLEX is still exposing my VPS to the internet, leaking my public IPv4 address…
Did you check the “resources” link after making this change to see if your ens3 interface IP address is still being published? Any chance that clients still have the old information cached? I’m not sure how often they refresh.
Honestly, I’m not sure if it can be prevented, given that IP is the server’s local IP address.
May I ask why you don’t want that IP address published to Plex’s servers? They only hand that information out to logged in clients with access to your server(s). If you want to prevent traffic to that interface you could always firewall access to TCP 32400 (silently drop it).
Plex does not “LEAK” your IP address
Plex.tv will only BROKER the address with those friends YOU share with. Your friends don’t see the IP. They only see your server
You have Public IP addresses. Protect it as such. By having a public IP, you’re far more vulnerable by yourself.
– Setup a NAT FIREWALL and create a Local LAN.
– IF the server is remote from you, Turn on its firewall.
(Your duty as system owner & admin)
It seems to be a little delayed indeed. Right now requests to my public IPv4 address over port 32400 seem to have stopped. I’m going to monitor this, thanks for your help
PLEX does LEAK. Why? Users are sending packets / requests over to my server over public IPv4 while I want to make it use the VPN. That’s the whole point of my VPN, to hide my actual public IPv4. Besides, PLEX is returning this IP if you know the right token through https://plex.tv/api/resources?iX-Plex-Token=<TOKEN>. So yes, PLEX does leak an intended private IP over the public network.
I have a firewall running, that’s why I’m seeing those requests being dropped, which started the whole question
That’s your token for your account. Nobody but you has that token.
Your VPN provider does the same thing embedded in the protocol and it’s FAR easier to sniff and decode the protocol, including the delivery IP (your WAN address) than it is to get to the payload (which is the important part)
I’m not going to discuss this further.
Single WAN IP.
Fully capture the host in the VPN configuration
Ensure all UPNP / LAN discovery is disabled.
Establish the VPN before PMS starts
Yes, it can be done.
You want anonymity while sharing. Please choose one; anonymity or sharing.
Plex is not designed for the usage you seem to want.
As far as I’m aware, no. This API just allows you to view what has been published; the server itself decides what to publish. Your best bet would likely be to firewall those ports which Plex uses so that they are not available for access.
“Customers” implies selling access, which isn’t permitted in the ToS. Just an FYI, I’m not the cops.
Yes, to users with access to the server.
Plex expects to be operated on an RFC1918 home-style network, behind a NAT device/firewall, and it always registers the host’s “actual” interface address so LAN clients can find it. There’s no harm in registering an RFC1918 “private” address.
Plex also attempts to avoid VPN-flavored interfaces.
It’s implemented that way because it makes things simple and a bit magical for the average home user.
To prevent the current public address from being registered at all, don’t let Plex bind to it. Plex doesn’t have a setting for this, so it would need to be managed at the OS level.
Without knowing details of the server, options might include containers or a VM or a network namespace.
