Skip to content

Instantly share code, notes, and snippets.

@MarMed

MarMed/README.md

Last active December 16, 2024 14:47
Show Gist options
  • Save MarMed/94b5537a9fb61cf7212808692bbef14d to your computer and use it in GitHub Desktop.
Save MarMed/94b5537a9fb61cf7212808692bbef14d to your computer and use it in GitHub Desktop.
Download ZIP
Routing plex traffic through an SSH tunnel
Raw
README.md

Routing plex traffic through an SSH tunnel

This guide creates a reverse SSH tunnel to route all Plex server traffic through it.

Step 2 is done on the tunnel, all other steps are done on the plex server.

1. Setup SSH keys (if you already have key based authenthication setup skip to step 2)

On plex server:

1a. Create SSH key

root@ubuntu:~# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.

Passaphrase must be empy for autossh to work!

1b. Copy SSH key

root@ubuntu:~# ssh-copy-id root@TUNNELIP
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@TUNNELIP's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@TUNNELIP'"
and check to make sure that only the key(s) you wanted were added.

1c. Connect to tunnel

root@ubuntu:~$ ssh root@TUNNELIP
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.9.7-x86_64-linode80 x86_64)
Last login: Wed Feb 22 03:49:58 2017
root@ubuntu:~#

You should not be promted for a password

2. Edit tunnel's SSH server configuration

2a. Add "Gatewayports yes" to sshd_config

root@ubuntu:~# nano /etc/ssh/sshd_config

Change:

...
Port 22
...

To:

...
Port 22
GatewayPorts yes
...

2b. restart sshd

sudo service ssh restart

3. Install autossh and create systemd service:

3a. Install autossh

sudo apt install autossh

3b. Create systemd service file

sudo nano /etc/systemd/system/autossh-plex-tunnel.service

Contents:

[Unit]
Description=AutoSSH tunnel service Plex on local port 32400
After=network.target

[Service]
Environment="AUTOSSH_GATETIME=0"

ExecStart=/usr/bin/autossh -M 40584 -o "compression=no" -o "cipher=aes128-gcm@openssh.com" -o "ServerAliveInterval 30" -o   "ServerAliveCountMax 3" -NR 32400:localhost:32400 root@TUNNELIP
User=changeme
[Install]
WantedBy=multi-user.target

4. Enable and start service

sudo systemctl enable autossh-plex-tunnel
sudo systemctl start autossh-plex-tunnel

4b. Check SSH tunnel

sudo systemctl status autossh-plex-tunnel

If tunnel was created successfully output should look something like this:

autossh-plex-tunnel.service - AutoSSH tunnel service Plex on local port 32400
   Loaded: loaded (/etc/systemd/system/autossh-plex-tunnel.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2017-02-20 03:11:14 CET; 2 days ago
 Main PID: 32570 (autossh)
   CGroup: /system.slice/autossh-plex-tunnel.service
           ├─32570 /usr/lib/autossh/autossh -M 40584 -o compression=no -o cipher=aes128-gcm@openssh.com -o ServerAliveInterval 30 -o ServerAliveCountMax 3 -NR 32400:localhost:32400 root@TUNNELIP
           └─32574 /usr/bin/ssh -L 40584:127.0.0.1:40584 -R 40584:127.0.0.1:40585 -o compression=no -o cipher=aes128-gcm@openssh.com -o ServerAliveInterval 30 -o ServerAliveCountMax 3 -NR 32400:localhost:32400 root@TUNNELIP

Feb 20 03:11:14 Hetzner systemd[1]: Started AutoSSH tunnel service Plex on local port 32400.
Feb 20 03:11:14 Hetzner autossh[32570]: starting ssh (count 1)
Feb 20 03:11:14 Hetzner autossh[32570]: ssh child pid is 32574

go to http://TUNNELIP:32400 on your browser, if it does not load the tunnel was not setup correctly

5. Point plex.tv to correct ip

Plex.TV Web App > Settings > Server > Network > Custom server access URLs

https://TUNNELIP:32400,http://TUNNELIP:32400

6. Only allow local connections to port 32400

sudo iptables -A INPUT -p tcp -s localhost --dport 32400 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 32400 -j DROP
sudo iptables-save > /etc/iptables.rules

7. Make iptables rules apply at startup

edit /etc/network/interfaces

Change

auto  eth0
iface eth0 inet static
  address   xxx.xxx.xxx.xxx

To:

auto  eth0
iface eth0 inet static
 pre-up iptables-restore < /etc/iptables.rules
  address   xxx.xxx.xxx.xxx

Done!

Feel free to leave a comment with your questions or suggestions.

Raw
autossh-plex-tunnel.service
[Unit]
Description=AutoSSH tunnel service Plex on local port 32400
After=network.target
[Service]
Environment="AUTOSSH_GATETIME=0"
ExecStart=/usr/bin/autossh -M 40584 -o "compression=no" -o "cipher=aes128-gcm@openssh.com" -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -NR 32400:localhost:32400 root@TUNNELIP
User=root
[Install]
WantedBy=multi-user.target
@BEisem
Copy link

BEisem commented Oct 24, 2021

Noob guide : sudo apt update sudo apt install nginx-full sudo nano /etc/nginx/sites-enabled/plex.conf Paste my config in this after you have modified it to your needs , ctrl + o to save and then ctrl+x to exit. sudo nginx -t You should get a successful message here. sudo systemctl restart nginx.service And viola its not the local address anymore that shows up.

I know this is a 2-year old comment, so I don't know if you're still following this. I've tried this and I'm still getting local IPs in Tautulli. In fact according to the Tautulli developer, Tautulli gets all information from Plex. So if Plex is reporting local IPs, I don't see how Tautulli would report something else.

Just not sure if I'm missing something, because as it stands, I've followed these steps but can't get Tautulli to report anything other than the local IP.

@BEisem
Copy link

BEisem commented Nov 9, 2021

Me again ... /etc/network/interfaces no longer exists for modern versions of Ubuntu. It has been replaced by netplan.io. Does anyone know how to complete Step 7 using the newer netplan.io in Ubuntu 20.06?

@D34DC3N73R
Copy link

My box is still running ubuntu 18, which also has netoplan and I use a package called iptables-persistent to apply the rules on boot. There's also nftables which is relatively new.

@BEisem
Copy link

BEisem commented Nov 9, 2021

My box is still running ubuntu 18, which also has netoplan and I use a package called iptables-persistent to apply the rules on boot. There's also nftables which is relatively new.

Thanks, I also found iptables-persistent and installed it. I’ve got this working, but the only thing that isn’t working for me is the reverse proxy described here: https://gist.github.com/MarMed/94b5537a9fb61cf7212808692bbef14d#gistcomment-3087342. I really want to pass correct IPs to Plex, but they are still showing as local.

@ShipkaChalk
Copy link

Took some inspiration from this and created a dockerised version which uses Wireguard: https://gist.github.com/ShipkaChalk/629fdc42dad781776d2007fc502188f3

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment