[SOLVED] Secure Remote Access with IPv6 Dual Stack Lite (no public IPv4)

On DS-Lite (Dual Stack-Lite) connections you do not get a public IPv4 address but only an IPv6 one. The reported IPv4 is not publicly accessible.

Sadly Plex always uses IPv4 even when “Enable server support for IPv6” is enabled, thus Remote Access will not work.

To get it working there is a simple solution:

  1. Access Secure Plex Web using your server's LAN IP, e.g. https://192.168.0.23:32400. Make sure you use https:// and not just http://
  2. View the certificate (In Chrome you click on the lock next to the URL, then on certificate)
  3. Open the “Details” tab
  4. Click on the “Subject” entry in the top half
  5. In the bottom half, select and copy the whole plex.direct URL, e.g. *.123ab4c5678901234d567890e1f23g45.plex.direct
  6. Get to know the public IPv6 address of the device running your Plex Media Server, e.g. 1c42:724f:235:211:463a:jack:ab13:c123
    You want to check the network interface information of the device running PMS or your router / gateway.
  7. Combine your IPv6 (replace : with -) and your plex.direct URL and your server port, e.g. https://1c42-724f-235-211-463a-jack-ab13-c123.123ab4c5678901234d567890e1f23g45.plex.direct:32400
  8. Enter that into “Custom server access URLs”

10 Likes
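
Steps 5 to 8 of the post above can be scripted. The following is an added example, not part of the original thread and not Plex code: the function name and the sample values are constructed, and writing all eight address groups (so that a "::" never becomes "--") is an assumption.

```python
import ipaddress

def plex_direct_url(cert_subject, ipv6, port=32400):
    """Build the "Custom server access URLs" entry described in steps 5-8."""
    # Step 5: the certificate subject has the form *.<server id>.plex.direct
    subject = cert_subject.strip().lower()
    if subject.startswith("cn="):
        subject = subject[3:].strip()
    if not (subject.startswith("*.") and subject.endswith(".plex.direct")):
        raise ValueError(f"not a wildcard plex.direct subject: {cert_subject!r}")
    suffix = subject[2:]  # drop the "*." wildcard label

    # Step 6: parse the address; a zone suffix such as %eth0 is dropped first
    addr = ipaddress.IPv6Address(ipv6.strip().split("%")[0])
    if addr.is_link_local or addr.is_loopback or addr.is_unspecified:
        raise ValueError(f"{addr} is not reachable from outside the LAN")

    # Step 7: replace ":" with "-". All eight groups are written out
    # (assumption) so that a "::" never turns into "--" or a leading "-".
    label = "-".join(format(int(g, 16), "x") for g in addr.exploded.split(":"))
    if not 0 < int(port) < 65536:
        raise ValueError(f"invalid TCP port: {port}")
    return f"https://{label}.{suffix}:{int(port)}"

# Constructed sample values, not taken from a real server
SAMPLE_SUBJECT = "*.0123456789abcdef0123456789abcdef.plex.direct"
SAMPLE_IPV6 = "2001:db8:f2ee:8200:7210:6fff:feca:6910"

if __name__ == "__main__":
    print(plex_direct_url(SAMPLE_SUBJECT, SAMPLE_IPV6))
```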

You also need to have incoming TCP traffic on port 32400 allowed on your firewall. Plex isn’t capable yet of asking the router to open a port (through PCP/IGDv2), and most consumer routers don’t support that anyway.

But yes, it’s surprising that in 2020 we still have to do this manually, Plex should push this URL to clients by default. I mean, it’s not particularly hard to detect for Plex that the machine has a public IPv6 address.

2 Likes

You are right. I just assumed that’s self-evident since we had to do that regardless of IPv4 or IPv6 … but yeah, I should have said that too :slight_smile:
And while we’re at this: You definitely have to have “Remote Access” enabled in the server settings because only then your Plex Server creates the necessary plex.direct url. Specifying a manual port is not necessary since you already specify the port in the Custom server access URL.
Don’t be confused but your Plex server will sometimes tell you Remote access is working just to tell you 5 seconds later it is not working.

I totally agree with you. Plex should do this automatically!

1 Like

And add PCP:
https://forums.plex.tv/t/support-for-pcp-port-control-protocol-rfc6887-firewall-traversal/

I’ve just been fighting with this (behind a double NAT on T-Mobile home internet because there are literally no more IPv4 addresses). I do have a public IPv6 address, but when I try to stream something dashboard still says it’s going through the redirect. Oddly, on the bandwidth graph it’s all coming up as Local rather than remote. I’m testing it from my phone (on 5G) which is also T-Mobile, so maybe that’s why.

Still, I can’t get the above URL (from my own certificate and IP) to work in the custom server list. I’ve opened the port on my router etc, though the T-Mobile router is not super clear on what applies to IPv6 or not…

UPDATE: I think my problem is the port forwarding only being for IPv4 (which is dumb because I have no public IPv4 address on TMo). There are conflicting reports from others on TMo’s home internet about IPv6 being accessible from outside (it is a global address), but I’m afraid it’s a T-Mobile thing.

1 Like

I don’t have T-Mobile at home but Vodafone, only my smartphone is on T-Mobile and I tested direct access from there on 5G to my server and it worked.

For IPv6 you can’t forward a port, that’s an IPv4-only thing.

Check your server’s Network settings, these are mine

EDIT: Also make sure you used the IPv6 of your Plex Media Server and not the one of your PC. They are different!

1 Like

It looks like my server is fine, but I believe the T-Mobile home internet router is hard coded to filter all traffic. I’ve disabled every sort of filter it lets me, but no luck. Checking www.ipv6scanner.com gives “filtered” for any IPv6 address on my side of the router, but “closed” for the router itself. Looks like it’s only solvable with a VPN for now. Thanks for your help!

1 Like

Your router does have its very own IPv6. And so does your PC and your PMS and any other device in your network. That’s why there’s no (need) for port forwarding in IPv6 - because every device has a public IP address.

If you go to e.g. http://www.ipv6scanner.com/ it will scan the IPv6 of the device you’re using to access the website.

You want to get the IPv6 of the device running your Plex Media Server.

1 Like

Yes, that’s what I did. Everything going to my Plex server’s address was “filtered” but if I went to the address of my router it reported the ports as “closed” so it must be the T-Mo router that’s filtering things, but it doesn’t offer any settings that can help.

1 Like

I hope to goodness this works for what I need.

T-Mobile Home Internet uses double-NAT and thus has no public IPv4. If I could just use IPv6, I think it would eliminate my problem. I’ll have to try this out later and see.

1 Like

I am trying to get this to work but I have a couple of issues:
1- My connection to PMS through http://192.168.86.151:32400/ is sadly insecure / no lock icon in Chrome browser next to the URL.
2- IPv6 ends at my ISP modem. My ISP only offers IPv6 with 64 bit prefix which is not compatible with Google wifi mesh network. Can I use the router’s IPv6 address and use port forwarding to reach my PMS?

1 - this is normal, connecting to a raw ip address is never secure (the Plex certificates are based on domain names, so https://{ip-address-with-dashes}.{server id}.plex.direct:32400/web ). It’s useful for testing though :slight_smile:

2- Google wifi will work with a /64 prefix, but not on the secondary guest network (since a /64 allows for only a single subnet)

1 Like

Anyone maybe know why I am getting only indirect connections when remote using this setup? I’m running PMS in a Windows VM on Unraid. Have firewall rules for inbound/outbound on 32400 in Windows, have the port listed under IPv6 Port Services on my Linksys router, and am using the IPv6 address from ipv6scanner.com in my setup.

In Windows I get four different IPv6 addresses. One named IPv6, two named Temporary IPv6, and a Link-local IPv6. I added all four to my router :man_shrugging:. One of the temporaries matched the aforementioned website so I used that one in the setup

The temporary ones change every day, and the link-local one isn’t routable to the internet, so no need to add those. It’s the static one you need.

But to test, when you connect from the outside to this address, http://[aaaa:bbbb:cccc:dddd:1111:2222:3333:4444]:32400/web , does that work? (note: you need to allow insecure connections in the PMS Network settings)

So I changed my Plex server to use the static IPv6 address as you mentioned; when inside of my network, it still works fine. When using my phone’s data, I am unable to connect to that address via the Chrome app. In the Plex app, I can get an indirect connection still. Maybe it has to do with the ipv6scanner.com address not matching my static IPv6 listed per Windows? It instead matches one of the temporary ones…

Temporary addresses are just that, they will change over time. You do not want to use these for any firewall rules or server hosting.

Link Local addresses are also just that, local to the link. You do not want to use these.

The other type that you haven’t mentioned, but I’ll include for the sake of completion, are Unique Local Addresses (ULA), these start with “fd” and are similar to the RFC1918, 192.168 type addresses you know with IPv4. (Except without the NATting to public). You also do not want to use these.

So what IPv6 address do you want to use for server hosting/firewall rules? The public IPs that start with “2” and are not marked “temporary”, is the simple answer, but the longer one is a bit more complicated.
Depending on your operating system, you may not have stable IPv6 addresses by default.

The easiest stable IPv6 address to spot, if your operating system supports it, is the MAC address based ones. You can spot these as they have “ff:fe” in the middle of the 2nd half of the IPv6 address.
e.g. 2001:db8:f2ee:8200:7210:6fff:feca:6910

If you spot an address like that, great, you don’t have to do anything else, just use that.

If you don’t spot that MAC-based IPv6 address, then your operating system may only use privacy addresses. The older variant of these will rotate frequently and is unsuitable for server hosting, but the newer variant is stable when you’re connected to the same network. macOS will mark these as “secure”, for example.

The last 2 options require you to actually do something.
Option 1) Configure your host with a static IPv6 address, like you would for IPv4.
Option 2) Set up a stateful DHCPv6 server for NA leases (not PD), and enable static lease for the host. MAC-address-based static DHCPv6 leases aren’t impossible, but they’re a bit more complicated than DHCPv4. You generally configure static DHCPv6 leases based on the DUID value of the client. This can be based on the client’s MAC address, but it’s up to the client what they use, so it’s not reliable.
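
The address types described in the post above (temporary, link-local, ULA, MAC-based, other public) can be told apart programmatically. This is an added example, not part of the original thread: the function names, category labels and sample addresses are constructed, and the "temporary" flag is assumed to be read from what the operating system displays, since it cannot be derived from the address itself.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("fe80::/10")      # local to the link only
ULA = ipaddress.ip_network("fc00::/7")              # RFC 4193; in practice "fd..."
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")   # public, starts with 2 or 3

def classify(addr_text, temporary=False):
    """Return the address type, using the categories from the post above."""
    addr = ipaddress.IPv6Address(addr_text.split("%")[0])  # drop zone id
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in ULA:
        return "ula"
    if addr not in GLOBAL_UNICAST:
        return "other"
    if temporary:
        return "temporary"
    # MAC-based (EUI-64) interface IDs carry ff:fe in bytes 4 and 5
    # of the lower 64 bits of the address.
    if addr.packed[8:][3:5] == b"\xff\xfe":
        return "mac-based"
    return "global-stable-candidate"  # static, DHCPv6 or stable privacy address

def pick_hosting_address(candidates):
    """candidates: (address, temporary_flag) pairs as listed by the OS."""
    rank = {"mac-based": 0, "global-stable-candidate": 1}
    usable = []
    for text, temporary in candidates:
        kind = classify(text, temporary)
        if kind in rank:
            usable.append((rank[kind], text))
    return min(usable)[1] if usable else None

# Constructed sample resembling a host with several IPv6 addresses
SAMPLE = [
    ("2001:db8:f2ee:8200:a1b2:c3d4:e5f6:1234", True),
    ("2001:db8:f2ee:8200:9d0c:11aa:22bb:33cc", True),
    ("fe80::7210:6fff:feca:6910%12", False),
    ("fd12:3456:789a:1::10", False),
    ("2001:db8:f2ee:8200:7210:6fff:feca:6910", False),
]

if __name__ == "__main__":
    for text, temp in SAMPLE:
        print(f"{classify(text, temp):24} {text}")
    print("use for hosting:", pick_hosting_address(SAMPLE))
```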

Maybe it has to do with the ipv6scanner.com address not matching my static ipv6 listed per windows? It instead matches one of the temporary ones…

No, this is “as designed” with IPv6. For outgoing connections, like visiting websites, the browser automatically uses the 24h temporary address. This is for privacy considerations, so websites won’t be able to identify you over time just by the IPv6 address.

In principle, your server is accessible over both the temporary and the static address (of course, as long as the firewall allows traffic through), but as you can imagine, for hosting stuff, using the static address is preferable since it’s stable.

When using my phone’s data, I am unable to connect to that address via the Chrome app.

Are you sure that you also have IPv6 on your cellular connection? An IPv4 phone cannot connect to an IPv6 server.

1 Like

  1. Access Secure Plex Web using your servers LAN IP, eg. https://192.168.0.23:32400
  2. View the certificate (In Chrome you click on the lock next to the URL, then on certificate)
  3. Open the “Details” tab

It is not possible to access this because my server shows as not secure, so I do not get a plex direct URL. How do I get this to work?

It does work. Just make sure to use https://. Your browser will warn you about an insecure connection but that’s only because the certificate used is not made for the local direct connection. But that is fine since we only need a single piece of information from it.
