I love selfhosting my own services, especially services like Plex and the *arr stack that can often be resource intensive resulting in expensive bills when using Cloud Providers.
I have a Mini PC and an external drive that I use to host my Plex installation alongside many other services however my ISP support port forwarding making it difficult to access these services when myself or friends would like to watch something on Plex without being physically here.
You can do this using something like Tailscale which creates a network between devices you’ve set up using the program so they can interact as if they were on the same physical network - This works great however:
- Plex still alerts you that remote access is unavailable
- Not every device supports Tailscale
- Not everyone wants to install an extra app just to connect to your Plex server.
So after a fair amount of research and head-scratching I finally found a couple of reliable solutions that allow you to do this.
Proxy your Plex server through a VPS
This is what I did for a while to okay results. I created a VPS on a platform such as AWS Lightsail or Hetzner, connected my home server to it using an SSH tunnel or Tailscale and then used a reverse proxy such as Nginx Proxy Manager or Caddy.
This guide will show you how to do this on a Debian-based server (I like Ubuntu 20.04) using Tailscale and Nginx Proxy Manager in a Docker container.
Please make sure you have Docker with the Docker Compose plugin set up before following this guide.
1. - Setup your Tailscale account
Go to Tailscale and get started adn Log in with Google, Microsoft or Github.
You’ll then be shown this screen:
Your account is now set up and we can get started.
2. - Install Tailscale on your VPS and Homeserver
Log in to your VPS and run the following command:
$ curl -fsSL https://tailscale.com/install.sh | sh
This will install Tailscale automatically - if you have any problems follow the manual installation guide
When you see the following output and returned back to your terminal Tailscale has been installed.
Installation complete! Log in to start using Tailscale by running: tailscale up
Then do what the prompt suggests - Run
$ tailscale up
It’ll then return a link to log in like the following:
To authenticate, visit: https://login.tailscale.com/a/137nr938hr32f23g
Go to this link on a local browser and log in with your account.
Then repeat the above steps on your homeserver
3. Get the Tailscale IP of your homeserver
Run the following command on your homeserver to get your Tailscale IP
$ tailscale ip
It should return something like the following:
Make note of this first IP (100.67.71.58) - you’ll need it for later
4. Set up Nginx Proxy Manager
Paste the following content into a file called
docker-compose.yml in a new, blank directory
version: '3' services: app: image: 'jc21/nginx-proxy-manager:latest' restart: unless-stopped ports: - '80:80' - '81:81' - '443:443' volumes: - ./data:/data - ./letsencrypt:/etc/letsencrypt
Then start the container detached.
$ docker compose up -d
If you go to your VPS’s IP on port 81 in your browser you should see the Nginx Proxy Manager Admin Interface
Log in with the default credentials:
Email: [email protected] Password: changeme
and make sure to instantly change them to keep other people out of your admin interface!
5. Add your domain
Hosts > Proxy Hosts on Nginx Proxy Manager
Add Proxy Host and add in the following:
- Domain Names
- A domain record pointed at the public IP of your VPS. I chose plex.mydomain.com
- Forward Hostname / IP
- Your homeserver’s Tailscale IP you got in step 3
- Turn on
Block Common Exploitsand
Then go to the
SSL tab and select:
- SSL Certificate
- Request a new SSL Certificate
- Force SSL
- HTTP/2 Support
- Type in your email under
Email Address for Let's Encryptso you can be notified to renew your SSL certificate
- Then agree to the Let’s Encrypt Terms of Service (Obviously after you’ve read it all first 😉)
- Then click save
If all went right you should be able to access Plex at
This is my preferred method as it ensures plex remote access works well although you do need a VPN - Luckily as I pay for one anyway this was done for no extra cost to me.
I recommend Mullvad for this as it’s €5/month nomatter how long you buy it for, it supports 5 devices, has pretty good speeds and most importantly supports IP forwarding.
The first couple steps will be how to set up port forwarding on Mullvad. You’ll have to find a different guide or work out how to do this on other VPN providers. Skip here
1. Create a Mullvad account
Go to Mullvad and create an account
Click generate account number - It’ll be something like
0117232244133488 - This is your login for Mullvad. Don’t lose it.
Add time to your account. You can do this in many ways. Use credit card or PayPal for ease of use but if you want to be more sure that your identity can’t be linked to this account use a Cryptocurrency like Bitcoin or Monero (You also get a 10% discount).
2. Create a wireguard configuration
Go to the WireGuard configuration file generator
Generate Key - This will create a new device on your Mullvad account.
Select a country, city and server. I recommend choosing one closest to you for the best speeds. Check the servers page to get a more detailed list of each server and filter it to suit your needs.
Then download the file - You’ll need this later.
3. Create a forwarded port on Mullvad
Go to the devices page and find the device you created earlier.
add port and select your City. Then click add port.
It’ll then add a forwarded port to the list below. You can have up to 5.
Mine looks like this:
57788 is the Mullvad forwarded port.
4. Add gluetun to your docker compose file
Add the following lines to your
gluetun: image: qmcgaw/gluetun cap_add: - NET_ADMIN environment: - VPN_SERVICE_PROVIDER=mullvad - VPN_TYPE=wireguard - WIREGUARD_PRIVATE_KEY= # PrivateKey in your .conf file you downloaded in step 2 - WIREGUARD_ADDRESSES= # Address in the .conf file. Only paste in the first one e.g. 10.64.192.251/32 - SERVER_HOSTNAMES= # Mullvad server name, e.g. gb17-wireguard. - FIREWALL_VPN_INPUT_PORTS= # Mullvad forwarded port, e.g. 57788 ports: - 32400:32400/tcp # Your plex ports - copy this from your existing setup. - 3005:3005/tcp - 8324:8324/tcp - 32469:32469/tcp - 1900:1900/udp - 32410:32410/udp - 32412:32412/udp - 32413:32413/udp - 32414:32414/udp
network_mode: "service:gluetun" to your plex container and remove the
ports section from your plex container.
This may be all you need to do but if you’re using a provider like Mullvad where the port you get probably won’t be
32400 you’ll need to reroute this port locally.
5. Reroute the local port
We’re going to use socat for this.
Add in the following to your docker compose file.
socat: network_mode: "service:gluetun" image: alpine/socat command: "TCP-LISTEN:57788,fork,reuseaddr TCP-CONNECT:localhost:32400" restart: always
57788 with your forwarded port
Then start the container
docker compose up -d
It should output the following after a few seconds
[+] Running 3/0 ⠿ Container plex-gluetun-1 Running 0.0s ⠿ Container plex-socat-1 Running 0.0s ⠿ Container plex Running 0.0s
However - We might not know the IP the gluetun is connecting to
6. Get the VPN IP
Run the following command
$ docker exec -it plex-gluetun-1 wget -qO- ip.jck.cx
It should then return the IP of your VPN server.
Then go to the VPN server’s IP on the forwarded port
If this shows your plex installation it’s all worked!
Go to the remote access page on plex and set the manual port to your forwarded port if you’ve having any issues with plex saying it’s not working.