Routing plex traffic through an SSH tunnel

README.md

Routing plex traffic through an SSH tunnel

This guide creates a reverse SSH tunnel to route all Plex server traffic through it.

Step 2 is done on the tunnel, all other steps are done on the plex server.

1. Setup SSH keys (if you already have key based authenthication setup skip to step 2)

On plex server:

1a. Create SSH key

root@ubuntu:~# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.

Passaphrase must be empy for autossh to work!

1b. Copy SSH key

root@ubuntu:~# ssh-copy-id root@TUNNELIP
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@TUNNELIP's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@TUNNELIP'"
and check to make sure that only the key(s) you wanted were added.

1c. Connect to tunnel

root@ubuntu:~$ ssh root@TUNNELIP
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.9.7-x86_64-linode80 x86_64)
Last login: Wed Feb 22 03:49:58 2017
root@ubuntu:~#

You should not be promted for a password

2. Edit tunnel's SSH server configuration

2a. Add "Gatewayports yes" to sshd_config

root@ubuntu:~# nano /etc/ssh/sshd_config

Change:

...
Port 22
...

To:

...
Port 22
GatewayPorts yes
...

2b. restart sshd

sudo service ssh restart

3. Install autossh and create systemd service:

3a. Install autossh

sudo apt install autossh

3b. Create systemd service file

sudo nano /etc/systemd/system/autossh-plex-tunnel.service

Contents:

[Unit]
Description=AutoSSH tunnel service Plex on local port 32400
After=network.target

[Service]
Environment="AUTOSSH_GATETIME=0"

ExecStart=/usr/bin/autossh -M 40584 -o "compression=no" -o "cipher=aes128-gcm@openssh.com" -o "ServerAliveInterval 30" -o   "ServerAliveCountMax 3" -NR 32400:localhost:32400 root@TUNNELIP
User=changeme
[Install]
WantedBy=multi-user.target

4. Enable and start service

sudo systemctl enable autossh-plex-tunnel
sudo systemctl start autossh-plex-tunnel

4b. Check SSH tunnel

sudo systemctl status autossh-plex-tunnel

If tunnel was created successfully output should look something like this:

autossh-plex-tunnel.service - AutoSSH tunnel service Plex on local port 32400
   Loaded: loaded (/etc/systemd/system/autossh-plex-tunnel.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2017-02-20 03:11:14 CET; 2 days ago
 Main PID: 32570 (autossh)
   CGroup: /system.slice/autossh-plex-tunnel.service
           ├─32570 /usr/lib/autossh/autossh -M 40584 -o compression=no -o cipher=aes128-gcm@openssh.com -o ServerAliveInterval 30 -o ServerAliveCountMax 3 -NR 32400:localhost:32400 root@TUNNELIP
           └─32574 /usr/bin/ssh -L 40584:127.0.0.1:40584 -R 40584:127.0.0.1:40585 -o compression=no -o cipher=aes128-gcm@openssh.com -o ServerAliveInterval 30 -o ServerAliveCountMax 3 -NR 32400:localhost:32400 root@TUNNELIP

Feb 20 03:11:14 Hetzner systemd[1]: Started AutoSSH tunnel service Plex on local port 32400.
Feb 20 03:11:14 Hetzner autossh[32570]: starting ssh (count 1)
Feb 20 03:11:14 Hetzner autossh[32570]: ssh child pid is 32574

go to http://TUNNELIP:32400 on your browser, if it does not load the tunnel was not setup correctly

5. Point plex.tv to correct ip

Plex.TV Web App > Settings > Server > Network > Custom server access URLs

https://TUNNELIP:32400,http://TUNNELIP:32400

6. Only allow local connections to port 32400

sudo iptables -A INPUT -p tcp -s localhost --dport 32400 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 32400 -j DROP
sudo iptables-save > /etc/iptables.rules

7. Make iptables rules apply at startup

edit /etc/network/interfaces

Change

auto  eth0
iface eth0 inet static
  address   xxx.xxx.xxx.xxx

To:

auto  eth0
iface eth0 inet static
 pre-up iptables-restore < /etc/iptables.rules
  address   xxx.xxx.xxx.xxx

Done!

Feel free to leave a comment with your questions or suggestions.

autossh-plex-tunnel.service

[Unit]
Description=AutoSSH tunnel service Plex on local port 32400
After=network.target

[Service]
Environment="AUTOSSH_GATETIME=0"

ExecStart=/usr/bin/autossh -M 40584 -o "compression=no" -o "cipher=aes128-gcm@openssh.com" -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -NR 32400:localhost:32400 root@TUNNELIP
User=root
[Install]
WantedBy=multi-user.target

This worked great!! Using a Hetzner dedicated server and an OVH VPS. Thanks so much!

This worked great!! Using a Hetzner dedicated server and an OVH VPS. Thanks so much!

@losjax - So basically you have a Hetzner dedicated server that holds your plex install & media and an ovh VPS (£2.99) which only serves to send traffic between your plex server and your plex client (phone, rasplex, laptop etc etc etc)?
What OS/services are installed on the VPS?

@losjax - So basically you have a Hetzner dedicated server that holds your plex install & media and an ovh VPS (£2.99) which only serves to send traffic between your plex server and your plex client (phone, rasplex, laptop etc etc etc)?
What OS/services are installed on the VPS?

That is correct. Hetzner has the actual plex server and media and OVH is only for the traffic. I use Ubuntu 17.04 on the Hetzner server and Ubuntu 16.04 on the OVH VPS. It's unbelievable how well it works. I can stream 4k video to my laptop during peak hours. Plex on my AppleTV and XBox direct stream 1080p no problem at all.

That is correct. Hetzner has the actual plex server and media and OVH is only for the traffic. I use Ubuntu 17.04 on the Hetzner server and Ubuntu 16.04 on the OVH VPS. It's unbelievable how well it works. I can stream 4k video to my laptop during peak hours. Plex on my AppleTV and XBox direct stream 1080p no problem at all.

AFAIU this is only if you're not getting high speeds from the Hetzner server right?
Also what are the specs of the server that can transcode 4k video?

AFAIU this is only if you're not getting high speeds from the Hetzner server right?
Also what are the specs of the server that can transcode 4k video?

@amaklp yes and if you are playing 4K you should NOT be transcoding it. 3770 auction server will do it fine though.

@amaklp yes and if you are playing 4K you should NOT be transcoding it. 3770 auction server will do it fine though.

@MarMed tunnel is running but never connects to plex via browser on PC. Any recommendations? Have re-installed the process 3-4 times just to be sure. ssh connects from plex server to tunnel just fine but connecting to tunnel:32400 just infinitely loads (on my pc)

@MarMed tunnel is running but never connects to plex via browser on PC. Any recommendations? Have re-installed the process 3-4 times just to be sure. ssh connects from plex server to tunnel just fine but connecting to tunnel:32400 just infinitely loads (on my pc)

@MarMed Is it possible to run two tunnels? Say one to Singapore and one to NA? Or is it possible to Have one tunnel running to OCE and allow in some way people in EU to connect to plex without using the tunnel?

@MarMed Is it possible to run two tunnels? Say one to Singapore and one to NA? Or is it possible to Have one tunnel running to OCE and allow in some way people in EU to connect to plex without using the tunnel?

I keep getting these errors, anyone know why? I'm running on ubuntu 16.04

I keep getting these errors, anyone know why? I'm running on ubuntu 16.04

Jan 31 04:05:41 vps autossh[27762]: starting ssh (count 13)
Jan 31 04:05:41 vps autossh[27762]: ssh child pid is 27913
Jan 31 04:05:41 vps autossh[27762]: Host key verification failed.
Jan 31 04:05:41 vps autossh[27762]: ssh exited with error status 255; restarting ssh
Jan 31 04:07:13 vps systemd[1]: Started AutoSSH tunnel service Plex on local port 32400.
Jan 31 04:07:41 vps systemd[1]: Started AutoSSH tunnel service Plex on local port 32400.
Jan 31 04:07:49 vps autossh[27762]: starting ssh (count 14)
Jan 31 04:07:49 vps autossh[27762]: ssh child pid is 27960
Jan 31 04:07:49 vps autossh[27762]: Host key verification failed.
Jan 31 04:07:49 vps autossh[27762]: ssh exited with error status 255; restarting ssh

Jan 31 04:05:41 vps autossh[27762]: starting ssh (count 13)
Jan 31 04:05:41 vps autossh[27762]: ssh child pid is 27913
Jan 31 04:05:41 vps autossh[27762]: Host key verification failed.
Jan 31 04:05:41 vps autossh[27762]: ssh exited with error status 255; restarting ssh
Jan 31 04:07:13 vps systemd[1]: Started AutoSSH tunnel service Plex on local port 32400.
Jan 31 04:07:41 vps systemd[1]: Started AutoSSH tunnel service Plex on local port 32400.
Jan 31 04:07:49 vps autossh[27762]: starting ssh (count 14)
Jan 31 04:07:49 vps autossh[27762]: ssh child pid is 27960
Jan 31 04:07:49 vps autossh[27762]: Host key verification failed.
Jan 31 04:07:49 vps autossh[27762]: ssh exited with error status 255; restarting ssh

I'd like to create a setup like this with multiple tunnel boxes. I wonder if I just packed more urls into Plex.TV Web App > Settings > Server > Network > Custom server access URLs if it would work correctly? I'm guessing not.

I'd like to create a setup like this with multiple tunnel boxes. I wonder if I just packed more urls into Plex.TV Web App > Settings > Server > Network > Custom server access URLs if it would work correctly? I'm guessing not.

@MonkeyCoin If you ran ssh-keygen -t rsa as root, add the folder directory of root's .ssh folder to the autossh line. E.g. I ran as root, so my ExecStart line is as follows:

ExecStart=/usr/bin/autossh -M 40584 -o "compression=no" -o "cipher=aes128-gcm@openssh.com" -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -NR 32400:localhost:32400 root@TUNNELIP -i /root/.ssh/id_rsa

Also want to mention that you should disable remote access under Settings > Remote Access. Even after I added the iptables rules, content wasn't flowing through the tunnel. If I restart the server, that would've probably fixed my problems, but remote access should be disabled regardless.

@MonkeyCoin If you ran ssh-keygen -t rsa as root, add the folder directory of root's .ssh folder to the autossh line. E.g. I ran as root, so my ExecStart line is as follows:

ExecStart=/usr/bin/autossh -M 40584 -o "compression=no" -o "cipher=aes128-gcm@openssh.com" -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -NR 32400:localhost:32400 root@TUNNELIP -i /root/.ssh/id_rsa

Also want to mention that you should disable remote access under Settings > Remote Access. Even after I added the iptables rules, content wasn't flowing through the tunnel. If I restart the server, that would've probably fixed my problems, but remote access should be disabled regardless.

I got to the end of this guide, however my entire server (not just Plex) became totally unreachable, even after disabling remote access.
When I logged into the server, I couldn't reach Google's homepage. I'm thinking this is a firewall issue but I don't know why exactly.

Is there something else besides editing /etc/network/interfaces I need to do?

I got to the end of this guide, however my entire server (not just Plex) became totally unreachable, even after disabling remote access.
When I logged into the server, I couldn't reach Google's homepage. I'm thinking this is a firewall issue but I don't know why exactly.

Is there something else besides editing /etc/network/interfaces I need to do?