Skip to content

Instantly share code, notes, and snippets.

@ramenhost
Last active March 1, 2025 06:58
Show Gist options
  • Save ramenhost/9d26175abcbebf5c739e8de7d3ec3d13 to your computer and use it in GitHub Desktop.
Save ramenhost/9d26175abcbebf5c739e8de7d3ec3d13 to your computer and use it in GitHub Desktop.
Plex Media Server Remote Access with Public Ipv6 on Windows
openssl pkcs12 -export -out C:\Users\yourusername\Desktop\plex\plex.yourdomain.com.pfx -in C:\Users\yourusername\Desktop\plex\plex.yourdomain.com-crt.pem -inkey C:\Users\yourusername\Desktop\plex\plex.yourdomain.com-key.pem -certfile C:\Users\yourusername\Desktop\plex\plex.yourdomain.com-chain.pem -passout pass:123456 -passin pass:123456 -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256

Plex Media Server Remote Access with Public Ipv6 on Windows

Plex remote access works out of the box with public IPv4 address and UPnP supported router. However, if you have only public IPv6 address, you may have trouble accessing your Plex server remotely. This guide will show you how to set up Plex remote access with a public IPv6 address on Windows.

Who is this guide for?

  1. You have Plex Media Server running on Windows and you want to stream movies outside of home.
  2. Your ISP uses CGNAT for IPv4. Read Detecting Double-NAT for steps to check if you are behind CGNAT or Double NAT. No need to pay for a static public IPv4.
  3. Your ISP assigns public IPv6 address. Major ISPs including Jio and ACT in India provide public IPv6 addresses.

Temporary Solution without TLS

  1. In home router's admin panel, allow inbound TCP port 32400 on IPv6 firewall settings.
  2. Open Command Prompt and run ipconfig /all. Note down the IPv6 address of the network adapter connected to the internet.
  3. In Plex Media Server settings, navigate to "Network" tab. Under "Custom server access URLs", enter http://[your_ipv6_address]:32400 and save.
  4. You should now be able to access your library from Plex apps outside of home network.
  5. Whenever your IPv6 address changes, you will have to update the URL in Plex settings manually.

Persistent Solution with TLS

This solution requires you to purchase a domain name and setup Let's Encrypt SSL certificate.

Prerequisites

  1. Administrator access on Windows.
  2. A domain name with access to manage DNS records.
  3. Cloudflare account, free plan is sufficient.

Setup DDNS with Plex

  1. In home router's admin panel, allow inbound TCP port 32400 on IPv6 firewall settings.
  2. Use Cloudflare to manage DNS records for your domain. If you purchased domain from other registrar, follow this guide to switch to Cloudflare nameservers. Wait for your domain to be active on Cloudflare.
  3. Open Command Prompt and run ipconfig /all. Note down the IPv6 address of the network adapter connected to the internet.
  4. In Cloudflare dashboard, navigate to DNS settings. Add an AAAA record with following details:
    Name: plex
    IPv6 address: Your public IPv6 address
    TTL: 5 min
    Proxy status: DNS only
    
  5. In Plex Media Server settings, navigate to "Network" tab. Under "Custom server access URLs", enter https://plex.yourdomain.com:32400 and save.
  6. Setup DDNS tool to automatically update the AAAA record whenever your IPv6 address changes using below steps:
    • Create a Cloudflare API token with Zone:DNS:Edit permission by following this guide. Note down the API token.
    • Install DnsTube by following the steps in README. You may need to download and install dotnet from here for DnsTube to work.
    • Extract the DnsTube package to a folder of your choice. Open a command prompt as Administrator and install the service using install-service.bat.
    • Once the service has started you can view the UI at the URL http://localhost:5666/index.html.
    • In DnsTube UI "Settings" tab, enter the following details and save:
      Email: Your Cloudflare account email
      Authorization Token: Your Cloudflare API token
      Protocol: IPv6
      Update Interval: 300 min (how likely you think your IPv6 is going to change)
      Network Adapter: select the adapter connected to Internet, typically Wi-Fi.
      
    • In DnsTube UI "Home" tab, wait for it to load DNS entries and select the checkbox next to the plex.yourdomain.com record you just created in Cloudflare dashboard.
  7. Setup Let's Encrypt SSL certificate with auto-renewal:
    • Run the commands in Powershell to install win-acme.
      dotnet nuget add source "https://api.nuget.org/v3/index.json" --name "nuget.org"
      dotnet tool install win-acme --global
      
    • Follow the steps in win-acme documentation to setup Cloudflare plugin. Create another Cloudflare API token as per this documentation and note it down.
    • Download the pem2pfx.ps1 file from this gist and save it to C:\Users\yourusername\Desktop\plex\pem2pfx.ps1.
    • Edit pem2pfx.ps1 file. Replace path to desktop. Replace all occurences of plex.yourdomain.com with your domain name accordingly. Replace all occurences of 123456 with a new password you want to use for the PFX file.
    • Open Powershell as Administrator. Run the command wacs to start the win-acme client.
    • Select the following options in win-acme TUI:
      N: Create certificate (default settings)
      2: Manual input
      Host: type "plex.yourdomain.com" and enter
      6: [dns] Create verification records in Cloudflare DNS
      <Type Cloudflare API token in next menu and save it to vault>
      2: PEM encoded files (Apache, nginx, etc.)
      File Path: C:\Users\yourusername\Desktop\plex\
      <Type the password in console and save it to vault, this password should be the same as one in pem2pfx.ps1>
      2: Start external script or program
      File: C:\Users\yourusername\Desktop\plex\pem2pfx.ps1
      
    • By now, you should have a plex.yourdomain.com.pfx file in C:\Users\yourusername\Desktop\plex\ folder.
    • In Plex Media Server settings, navigate to "Network" tab. Set the following options and save:
      Custom certificate location: C:\Users\yourusername\Desktop\plex\plex.yourdomain.com.pfx
      Custom certificate password: 123456
      Custom certificate domain: plex.yourdomain.com
      
    • Ensure wacs says "Scheduled task looks healthy" on startup.

Stopping and Starting DnsTube service

When you don't want dynamic DNS to run in the background, you can stop the DnsTube service. Open a command prompt as Administrator in DnsTube folder,

  1. To stop the service, run stop-service.bat.
  2. To start the service, run start-service.bat.

Uninstalling DnsTube and win-acme

Open a command prompt as Administrator in DnsTube folder, run uninstall-service.bat.
For win-acme, launch Powershell as Administrator and start 'wacs'. Follow the TUI to revoke the certificates.

@Masterhenky
Copy link

Masterhenky commented Feb 22, 2025

Hello,

not sure if this is the right channel but anyway. I am having troubles and have no idea what the problem is. It is not possible for me, to successfully follow this manual.

Specifically these steps

This one is only possible, if I start wacs with the argument --validation cloudflare
6: [dns] Create verification records in Cloudflare DNS

This part never comes, no matter what I do. It is completely skipped and for that reason, everything that relies on these files fails
_2: PEM encoded files (Apache, nginx, etc.)
File Path: C:\Users\BingBong\Desktop\plex_
<Type the password in console and save it to vault, this password should be the same as one in pem2pfx.ps1>

The external script also only works if I set the path for OpenSSL at the start of the powershell session
$env:path = $env:path + ";C:\Program Files\OpenSSL-Win64\bin"

2: Start external script or program
File: C:\Users\BingBong\Desktop\plex\pem2pfx.ps1

On another PC I tried as well but had to install .net first because this part here. Otherwise I had receive a cmdlet error
dotnet nuget add source "https://api.nuget.org/v3/index.json" --name "nuget.org"

I once did it get to work in the past but never again and that PC it worked on is gone. Is there another manual that covers this process on a virgin windows setup?

Thanks in advance.

Cheers

@ramenhost
Copy link
Author

We have hit the "works on my machine" scenario.

This one is only possible, if I start wacs with the argument --validation cloudflare
6: [dns] Create verification records in Cloudflare DNS

Where you unpack your cloudflare plugin changes if you installed win-acme as a dotnet tool as mentioned in first paragraph here. Also, starting wacs.exe with --validation cloudflare --cloudflareapitoken <token> is another way to setup cloudflare plugin if that works for you.

The external script also only works if I set the path for OpenSSL at the start of the powershell session
$env:path = $env:path + ";C:\Program Files\OpenSSL-Win64\bin"

Will adding OpenSSL to PATH help?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment