Plex over Tailscale

I am running Plex in Docker. I have Tailscale on the host. I also have Tailscale on my iPhone. Tailscale is a VPN (in the traditional sense of allowing remote devices to access the LAN even when not connected to it).

When I am out of the house I can access Plex on my home server using Safari on my phone despite not being on the LAN as Tailscale invisibly routes the network traffic back to my server. I have many other self-hosted Docker containers on that server and I can access all of them remotely too over Tailscale, no problem.

The only exception is the Plex iOS app. I have added my server’s Tailscale IP address under Advanced>Server Connections but it gives me a 401 error message.

I am logged in to the app and it works fine automatically on the LAN using autodiscover but it won’t let me add the server by IP address and it doesn’t work remotely.

I am aware Plex has an integrated remote access solution but I already have Tailscale for this purpose and it has no bandwidth limits so I disabled remote access. This should make no difference as Tailscale is on the host and it works remotely in Safari, but as a test I tried enabling remote access. This didn’t work and it showed a red X in the settings page next to my IP address - I think this is because it assumes remote access will be over my public IP (where I have not opened the port) rather than through Tailscale (which has a different IP address) and I can’t see any setting to tell it what IP address to use.

This is NOT a Tailscale specific question as proven by the fact that it works remotely in Safari on the phone. Also the 401 error implies that it is connecting, just not authenticating (it gives a different error when it can’t connect (1004)).

In Settings>Network I have whitelisted the entire Tailscale IP range and added the server’s Tailscale IP address to the custom server addresses.

This seems to be a bug with the iOS app or with the magic Plex tries to do to make its integrated remote access work - I just want Plex to stay out of the way and let me route the traffic myself! This works when viewing my Plex server in Safari and with Jellyfin and all other apps. Is this possible?

Seem to have fixed it using “Getting Plex Media Server to work with Tailscale” - JJP Software

In short, it seems to be a combination of:

  • some bug in the Plex iOS client to do with auth
  • undocumented Plex ‘feature’ where non-private IP ranges are silently not accepted in the whitelist ‘List of IP addresses and networks that are allowed without auth’, which is a problem as Tailscale is using the 100.64.0.0/10 space

I fixed it as suggested in the link by having my proxy replace the headers with a local IP address to fool Plex into thinking it’s local. It’s insane that this is required. I think I will stick with Jellyfin - ironically it has better support. Plex’s lack of support seems inexplicable for a fairly expensive paid app, and while it’s a bit slicker in places there’s also a lot of cruft.
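Why a 100.64.0.0/10 entry can drop out of a private-only allowlist, as an added example that is not from the thread or from Plex: 100.64.0.0/10 is the RFC 6598 shared address space, not one of the RFC 1918 private ranges. The `private_only` filter is an assumed model of the behaviour described above, not Plex's actual code, and the sample allowlist and addresses are constructed.

```python
import ipaddress

# RFC 1918 private ranges, loopback, and the RFC 6598 shared range (100.64.0.0/10).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# Constructed sample of a comma-separated allowlist setting.
SAMPLE = "192.168.1.0/24, 100.64.0.0/10, 172.17.0.0/16, not-an-ip"

def classify(entry):
    """Label one allowlist entry by the address space it belongs to."""
    try:
        net = ipaddress.ip_network(entry.strip(), strict=False)
    except ValueError:
        return "invalid"
    if net.version != 4:
        return "ipv6"
    if any(net.subnet_of(r) for r in RFC1918):
        return "rfc1918"
    if net.subnet_of(CGNAT):
        return "cgnat"
    if net.subnet_of(LOOPBACK):
        return "loopback"
    return "other"

def audit_allowlist(setting):
    """Split the setting and return (entry, label) pairs for every entry."""
    return [(e.strip(), classify(e)) for e in setting.split(",") if e.strip()]

def private_only(setting):
    """Assumed model: keep only RFC 1918 and loopback entries, drop the rest silently."""
    return [e for e, label in audit_allowlist(setting) if label in ("rfc1918", "loopback")]

def source_allowed(source_ip, setting, filter_private=True):
    """Would a request from source_ip match the allowlist that is actually in effect?"""
    if filter_private:
        entries = private_only(setting)
    else:
        entries = [e for e, label in audit_allowlist(setting) if label != "invalid"]
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)

if __name__ == "__main__":
    for entry, label in audit_allowlist(SAMPLE):
        print(f"{entry:18} {label}")
    print("effective:", private_only(SAMPLE))
```

Run against a real allowlist, any entry labelled `cgnat` or `other` is one to check for in the server's effective behaviour, since a request from that range would still be asked to authenticate under the modelled filter.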

I have no problems at all using iOS Plex and iOS Plexamp on the road through Tailscale.
I can’t remember doing some esoteric settings or installing third party tools to make this happen, it worked out of the box. This should be a good message — it will work. Somehow…

What are your network settings in Plex Server? Do you allow external access?

Thanks. What setting do you mean by external access? Do you mean Settings>Remote Access? I have enabled that but that settings page shows ‘Not available outside your network’ because it is not available on my public (non tailscale) IP address.

Under Settings>Network are the following settings:

  • Secure connections: Preferred
  • Strict TLS: On
  • Local network discovery: On
  • Relay: Off (I don’t want to use Plex’s relay servers)
  • Preferred network interface: Any
  • Custom server access URLs: I have added my tailscale IP address
  • List of IP addresses without auth: I have added the Tailscale range but it seems to ignore it

It seems to work using my earlier workaround and I am ok with that, given I am running the proxy (Caddy server) anyway for my other containers.

It may be relevant that I am using Docker and bridged networking. I note that under ‘Preferred network interface’ the only other option is eth0 with the Docker IP address.
