Table of Contents
How to access a Plex Server behind CGNAT with ngrok
One of the key benefits of running your own Plex Server is to have full control over your content as well as not having to pay any subscription fees.* You may also want to be able to remotely access your files, which is easy, as long as you are able to connect to your home network.
*Assumes that you have not subscribed to the Plex Pass.
- macOS or;
- Linux or;
- Windows (with PowerShell)
Unfortunately it has become increasingly common nowadays not to have direct access to your home network, unless you pay for a static IP address which can be pricey in the long run.
What happens is that ISP’s bundle together the IP addresses of multiple households into one single external address through something called Carrier Grade Network Address Translation (CGNAT). This is the process where a network device, usually a firewall, assigns a public address to a computer (or group of computers) inside a private network.
The main use of CGNAT is to limit the number of public IP addresses an organisation can use, for both economic or security purposes, and is more common if you live in an apartment block.
So what options are available to Plex users who are behind CGNAT?
The easiest, but most expensive option, is to pay for a static IP address which can be port-forwarded from your router.
Another option, which we are going to present here, is to download the free third party tool ngrok, which behaves like an SSH tunnel that is able to bypass NAT Mapping and firewall restrictions by creating a long-lived TCP tunnel from a randomly generated subdomain on ngrok.com.
At only 25MB, ngrok is a lightweight application and does not even come with an installer. The only requirement is to sign up for a free account, and of course, to download the software from ngrok’s website. Go to www.ngrok.com.
Navigate to the download section and select your platform (Mac/Windows/Linux/etc). Then click on the big red/orange download button.
Depending on your chosen platform, you should now have a file called ngrok-stable-xxx-xxx.zip in your download folder. Unzip it with any file extraction tool. In many cases you should just be able to double-click or right-click on the file.
The extracted file is named ngrok and runs from any directory. We recommend, however, that you move the file into your applications directory. For macOS users the recommended location is /Applications.
In order to fully take advantage of the features that ngrok has to offer it is recommended to sign up for a free account. This will give access to a personalised dashboard which lists active tunnels, as well as giving you the benefit of longer sessions between tunnel timeouts.
Follow this link to the signup page and use any of the following sign up methods: Email, GitHub or Google.
We will then reach the main dashboard.
In the left hand side menu, click on the Auth button and take a note of your unique authentication token (highlighted in red) which we will use in the next step.
As we will shortly demonstrate, using ngrok cannot be simpler. Make sure that you have navigated to your installation directory by typing the following command in a shell. (We will use macOS in our example, but the same workflow applies to Linux and Windows PowerShell users.)
$ cd /Applications
We will then run the following command to add our authentication token to the ngrok.yml configuration file. (Replace the many xxx’s with your own unique token).
$ ./ngrok authtoken xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Authtoken saved to configuration file: /Users/geek/.ngrok2/ngrok.yml
We are now ready to use ngrok and will type the following command,
./ngrok tcp 32400, to start a TCP tunnel
from our internal Plex Server port. The default port number for Plex is usually 32400.
$ ./ngrok tcp 32400 ngrok by @inconshreveable (Ctrl+C to quit) Session Status online Account Example (Plan: Free) Version 2.3.35 Region United States (us) Web Interface http://127.0.0.1:4040 Forwarding tcp://0.tcp.ngrok.io:11648 -> localhost:32400 Connections ttl opn rt1 rt5 p50 p90 0 0 0.00 0.00 0.00 0.00
Take a note of the output log which tells us that a public URL has been forwarded from our internal IP address. In our example above, next to Forwarding, the public URL is tcp://0.tcp.ngrok.io and the port is 11648.
By default, all ngrok tunnels will connect through servers in the United States, but if you are based in another country, it might be preferable to use a server closer to home instead.
The –region flag helps us in this instance by telling ngrok which server it should connect to. If you are based in Europe, the command would instead look like this.
$ ./ngrok tcp 32400 --region eu ngrok by @inconshreveable (Ctrl+C to quit) Session Status online Account Example (Plan: Free) Version 2.3.35 Region Europe (eu) Web Interface http://127.0.0.1:4040 Forwarding tcp://0.tcp.eu.ngrok.io:11648 -> localhost:32400 Connections ttl opn rt1 rt5 p50 p90 0 0 0.00 0.00 0.00 0.00
We will now use this information to add our external IP address to Plex Server. Due to restrictions in their software we are only allowed to enter IP addresses and will therefore have to convert our URL into an IP address. Linux (or macOS) provides several ways to do this. Listed below are two commonly used commands. If you prefer, you can also use any free web service to achieve this. Hint: search “url to ip” in any search engine.
$ dig +short tcp://0.tcp.ngrok.io 126.96.36.199
$ nslookup tcp://0.tcp.ngrok.io Server: fe80::1%7 Address: fe80::1%7#53 Non-authoritative answer: Name: tcp://0.tcp.ngrok.io Address: 188.8.131.52
The external URL, in this example, is resolved to 184.108.40.206. Armed with this information we will now launch Plex Server. In a web browser, type the following address.
On the Plex Server landing page, navigate to the Settings page by clicking on the toolbar icon in the upper right hand corner. Then in the left hand side column, scroll down to the Network section and locate the field labelled Custom server access URLs.
Enter the external IP address and port number. In our example we will write:
(Optional: For increased security you may want to use an https address instead.)
Please note that you do not need to enable Remote Access because this feature is only supported by port forwarding and does not work with CGNAT.
We are now ready to test if the setup actually works. From any external web browser, i.e. a location outside your home network, type in the IP address that was entered under the Custom server access URLs section, i.e. 220.127.116.11:11648.
If everything works correctly, you should now see Plex Server’s familiar dashboard. If you are using Plex’s native mobile app, there is nothing more that you need to do as it will automatically redirect you to a login page were you will be required to sign in to gain access to your account. After this you should be able to access your content as normal.
One limitation of the free plan is that you will be assigned a random port number each time ngrok is restarted. This means that you will have to update your Plex Server settings as well, every single time! If this becomes a hassle, a subscription to ngrok’s paid service might be worthwhile because it will give you the additional benefit of reserving port numbers.
There you have it. Even when you are not able to directly connect to your home Plex Server, due to CGNAT restrictions, it is still possible to work around the problem by using ngrok’s tunneling feature.
For more information on how to use ngrok, type
$ ./ngrok help NAME: ngrok - tunnel local ports to public URLs and inspect traffic DESCRIPTION: ngrok exposes local networked services behinds NATs and firewalls to the public internet over a secure tunnel. Share local websites, build/test webhook consumers and self-host personal services. Detailed help for each command is available with 'ngrok help <command>'. Open http://localhost:4040 for ngrok's web interface to inspect traffic. EXAMPLES: ngrok http 80 # secure public URL for port 80 web server ngrok http -subdomain=baz 8080 # port 8080 available at baz.ngrok.io ngrok http foo.dev:80 # tunnel to host:port instead of localhost ngrok http https://localhost # expose a local https server ngrok tcp 22 # tunnel arbitrary TCP traffic to port 22 ngrok tls -hostname=foo.com 443 # TLS traffic for foo.com to port 443 ngrok start foo bar baz # start tunnels from the configuration file VERSION: 2.3.35 AUTHOR: inconshreveable - <email@example.com> COMMANDS: authtoken save authtoken to configuration file credits prints author and licensing information http start an HTTP tunnel start start tunnels by name from the configuration file tcp start a TCP tunnel tls start a TLS tunnel update update ngrok to the latest version version print the version string help Shows a list of commands or help for one command
comments powered by Disqus
- 10 Influential Pixel Artists
- How to customise the bash prompt
- Merge and Rebase in Git
- How to add new PDF compression filters for the Preview tool on Mac
- How to create PDFs with the Preview tool on Mac
- How to install Homebrew for Mac
- How to find out which shell I am running?
- Syncing files with lftp
- How to mirror drives with rsync
- How to install a Samsung ML-191x 252x Series printer with AirPrint support on a Raspberry Pi