I just got remote access to work, but I’m unfamiliar with the security implications of allowing my router to hold an open port. What issues may I encounter? Is it best to leave the public port closed unless I need to access Plex?
The only reason I have to allow a public port is Plex, but I understand that what I did allows a public port directly to my router. That doesn’t seem secure, but then I’m not familiar with this. Would some of you please provide some input? For security reasons I’m wondering if it is best to keep the port closed?
Pretty much any non-trivial software either has or is susceptible to having security vulnerabilities. If you open a port allowing the rest of the Internet to initiate connections forwarded to software on your local network, you thus increase the risk that an attacker might successfully exploit a vulnerability in such software. The more open ports and corresponding software, the wider the attack surface that you’re presenting to attackers.
So yes, when you don’t need remote access to your Plex media server, it would be better to disable the port forwarding rule (or Plex remote access, or both, but arguably closing the port is better if you just want to do one thing for convenience).
Alternatively, you could set up a VPN on your router or a device on your network like a Raspberry Pi, then use the VPN to gain access to your local network so you can use Plex. You will still need an open port, but the advantage is that VPN software is security software, so in theory the developers will put far more effort into securing it than the Plex developers can put into securing Plex media server (i.e., Plex being secure is important, but they also need to devote resources to building stuff that brings in the money), and where you might have needed to open multiple ports, now you only need to open one.
Yet another option would be to use a VPN service like Tailscale that wouldn’t even require opening a port, and that can bypass issues with double NAT/CGNAT. But then you rely on the service being up for some functionality.
When browsing the internet or making other connections these days, everyone wants to make sure that the communication taking place is secure and encrypted. Plex has teamed up with Let’s Encrypt to provide our users with high-quality secure certificates for your media servers, at no cost to you. There’s no need to set up VPNs and no need to create and install your own certs. You can safely and securely connect to your media no matter where you are.
I believe NordVPN’s flagship service is meant more for accessing the Internet as if you were from a different location, disguising your IP address for privacy, that sort of thing. The kind of VPN I’m talking about is for accessing devices on a local network from the Internet as if you were on the local network. See NordVPN’s article on this:
NordVPN does offer a service that’s more like Tailscale, and in fact it uses the same underlying VPN tech:
Is there a way to do as you described with Tailscale?
I suggest reading more at the NordVPN or Tailscale websites, whichever you choose.
If I used a Raspberry Pi, would that then provide the same function as Nord, but without an annual subscription?
Effectively yes, but you will have one more device to maintain, and still need an open port, but you won’t need to rely on yet another external service.
Ultimately, if all you want to do for remote access is to access your Plex media server remotely, then it isn’t necessarily all that bad to use Plex’s remote access method with port forwarding, as long as you keep your Plex server updated. But without the private tunnel of a VPN, your connection to your Plex server would be insecure, and that’s where JohnAlex’s link to Plex’s article on secure server connections becomes important (but you can still use it when connecting locally, and hence when connecting using a remote access VPN too).