Plex Media Server Remote Access with Public Ipv6 on Windows

pem2pfx.ps1

openssl pkcs12 -export -out C:\Users\yourusername\Desktop\plex\plex.yourdomain.com.pfx -in C:\Users\yourusername\Desktop\plex\plex.yourdomain.com-crt.pem -inkey C:\Users\yourusername\Desktop\plex\plex.yourdomain.com-key.pem -certfile C:\Users\yourusername\Desktop\plex\plex.yourdomain.com-chain.pem -passout pass:123456 -passin pass:123456 -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256

Plex-ipv6-ddns-windows.md

Plex Media Server Remote Access with Public Ipv6 on Windows

Plex remote access works out of the box with public IPv4 address and UPnP supported router. However, if you have only public IPv6 address, you may have trouble accessing your Plex server remotely. This guide will show you how to set up Plex remote access with a public IPv6 address on Windows.

Who is this guide for?

1. You have Plex Media Server running on Windows and you want to stream movies outside of home.
2. Your ISP uses CGNAT for IPv4. Read Detecting Double-NAT for steps to check if you are behind CGNAT or Double NAT. No need to pay for a static public IPv4.
3. Your ISP assigns public IPv6 address. Major ISPs including Jio and ACT in India provide public IPv6 addresses.

Temporary Solution without TLS

1. In home router's admin panel, allow inbound TCP port 32400 on IPv6 firewall settings.
2. Open Command Prompt and run ipconfig /all. Note down the IPv6 address of the network adapter connected to the internet.
3. In Plex Media Server settings, navigate to "Network" tab. Under "Custom server access URLs", enter http://[your_ipv6_address]:32400 and save.
4. You should now be able to access your library from Plex apps outside of home network.
5. Whenever your IPv6 address changes, you will have to update the URL in Plex settings manually.

Persistent Solution with TLS

This solution requires you to purchase a domain name and setup Let's Encrypt SSL certificate.

Prerequisites

1. Administrator access on Windows.
2. A domain name with access to manage DNS records.
3. Cloudflare account, free plan is sufficient.

Setup DDNS with Plex

1. In home router's admin panel, allow inbound TCP port 32400 on IPv6 firewall settings.
2. Use Cloudflare to manage DNS records for your domain. If you purchased domain from other registrar, follow this guide to switch to Cloudflare nameservers. Wait for your domain to be active on Cloudflare.
3. Open Command Prompt and run ipconfig /all. Note down the IPv6 address of the network adapter connected to the internet.
4. In Cloudflare dashboard, navigate to DNS settings. Add an AAAA record with following details:

   Name: plex
   IPv6 address: Your public IPv6 address
   TTL: 5 min
   Proxy status: DNS only
   

5. In Plex Media Server settings, navigate to "Network" tab. Under "Custom server access URLs", enter https://plex.yourdomain.com:32400 and save.
6. Setup DDNS tool to automatically update the AAAA record whenever your IPv6 address changes using below steps:
   • Create a Cloudflare API token with Zone:DNS:Edit permission by following this guide. Note down the API token.
   • Install DnsTube by following the steps in README. You may need to download and install dotnet from here for DnsTube to work.
   • Extract the DnsTube package to a folder of your choice. Open a command prompt as Administrator and install the service using install-service.bat.
   • Once the service has started you can view the UI at the URL http://localhost:5666/index.html.
   • In DnsTube UI "Settings" tab, enter the following details and save:

     Email: Your Cloudflare account email
     Authorization Token: Your Cloudflare API token
     Protocol: IPv6
     Update Interval: 300 min (how likely you think your IPv6 is going to change)
     Network Adapter: select the adapter connected to Internet, typically Wi-Fi.
     

   • In DnsTube UI "Home" tab, wait for it to load DNS entries and select the checkbox next to the plex.yourdomain.com record you just created in Cloudflare dashboard.
7. Setup Let's Encrypt SSL certificate with auto-renewal:
   • Run the commands in Powershell to install win-acme.

     dotnet nuget add source "https://api.nuget.org/v3/index.json" --name "nuget.org"
     dotnet tool install win-acme --global
     

   • Follow the steps in win-acme documentation to setup Cloudflare plugin. Create another Cloudflare API token as per this documentation and note it down.
   • Download the pem2pfx.ps1 file from this gist and save it to C:\Users\yourusername\Desktop\plex\pem2pfx.ps1.
   • Edit pem2pfx.ps1 file. Replace path to desktop. Replace all occurences of plex.yourdomain.com with your domain name accordingly. Replace all occurences of 123456 with a new password you want to use for the PFX file.
   • Open Powershell as Administrator. Run the command wacs to start the win-acme client.
   • Select the following options in win-acme TUI:

     N: Create certificate (default settings)
     2: Manual input
     Host: type "plex.yourdomain.com" and enter
     6: [dns] Create verification records in Cloudflare DNS
     <Type Cloudflare API token in next menu and save it to vault>
     2: PEM encoded files (Apache, nginx, etc.)
     File Path: C:\Users\yourusername\Desktop\plex\
     <Type the password in console and save it to vault, this password should be the same as one in pem2pfx.ps1>
     2: Start external script or program
     File: C:\Users\yourusername\Desktop\plex\pem2pfx.ps1
     

   • By now, you should have a plex.yourdomain.com.pfx file in C:\Users\yourusername\Desktop\plex\ folder.
   • In Plex Media Server settings, navigate to "Network" tab. Set the following options and save:

     Custom certificate location: C:\Users\yourusername\Desktop\plex\plex.yourdomain.com.pfx
     Custom certificate password: 123456
     Custom certificate domain: plex.yourdomain.com
     

   • Ensure wacs says "Scheduled task looks healthy" on startup.

Stopping and Starting DnsTube service

When you don't want dynamic DNS to run in the background, you can stop the DnsTube service. Open a command prompt as Administrator in DnsTube folder,

1. To stop the service, run stop-service.bat.
2. To start the service, run start-service.bat.

Uninstalling DnsTube and win-acme

Open a command prompt as Administrator in DnsTube folder, run uninstall-service.bat.
For win-acme, launch Powershell as Administrator and start 'wacs'. Follow the TUI to revoke the certificates.

Hello,

not sure if this is the right channel but anyway. I am having troubles and have no idea what the problem is. It is not possible for me, to successfully follow this manual.

Specifically these steps

This one is only possible, if I start wacs with the argument --validation cloudflare
6: [dns] Create verification records in Cloudflare DNS

This part never comes, no matter what I do. It is completely skipped and for that reason, everything that relies on these files fails
_2: PEM encoded files (Apache, nginx, etc.)
File Path: C:\Users\BingBong\Desktop\plex_
<Type the password in console and save it to vault, this password should be the same as one in pem2pfx.ps1>

The external script also only works if I set the path for OpenSSL at the start of the powershell session
$env:path = $env:path + ";C:\Program Files\OpenSSL-Win64\bin"

2: Start external script or program
File: C:\Users\BingBong\Desktop\plex\pem2pfx.ps1

On another PC I tried as well but had to install .net first because this part here. Otherwise I had receive a cmdlet error
dotnet nuget add source "https://api.nuget.org/v3/index.json" --name "nuget.org"

I once did it get to work in the past but never again and that PC it worked on is gone. Is there another manual that covers this process on a virgin windows setup?

Thanks in advance.

Cheers

We have hit the "works on my machine" scenario.

This one is only possible, if I start wacs with the argument --validation cloudflare
6: [dns] Create verification records in Cloudflare DNS

Where you unpack your cloudflare plugin changes if you installed win-acme as a dotnet tool as mentioned in first paragraph here. Also, starting wacs.exe with --validation cloudflare --cloudflareapitoken <token> is another way to setup cloudflare plugin if that works for you.

The external script also only works if I set the path for OpenSSL at the start of the powershell session
$env:path = $env:path + ";C:\Program Files\OpenSSL-Win64\bin"

Will adding OpenSSL to PATH help?

First of all, let me thank you for this manual. It is exactly what I needed for my use-case. Your manual worked just fine on my old ass PC but that one had so so so many other programs and what not installed on it over the years it must have been "built differently".

I went the .NET installation route for wacs on my freshly installed PC (Plex Server). I also ran the verbose command to verify the cloudflare plugin is listed and it was. Getting blocked by LetsEncrypt temporarily for too many attempts did not help either in my case.

Eventually, I had to create the PEM files via the manual steps seperately in wacs and with the OpenSSL path set, running the line from the .ps1 file directly in the consoled gave my the cert I needed.

I am running the latest Win11 Pro 22H2 install. Maybe it is related to a fresh Win11 22H2 installation. The previous computer was a five year old Win10 installation that I updated to Win11, hence my question if there may be a details missing.

Good to know you got the cert finally. I am also not sure what could be the issue.

Same for me, the PEM part never shows...

2: PEM encoded files (Apache, nginx, etc.)