@sovajri7
Created November 4, 2023 18:26
Using Plex on Hetzner with Wireguard VPN (Docker).

Using Plex on Hetzner with Wireguard VPN (Docker). First, thanks to ShipkaChalk (https://gist.github.com/ShipkaChalk/629fdc42dad781776d2007fc502188f3) and his original tutorial, which helped me a lot with the client part. With this tutorial you can route all Plex traffic through WireGuard and out of another VPS (a $2 IONOS Ubuntu VPS); this works for any container, but here the goal is to get around Plex's block of Hetzner IP ranges.

  1. Get yourself a Linux VPS (ex : Ubuntu 22.04)

  2. Make all updates :

sudo apt update

sudo apt upgrade

  3. Install the Wireguard installer from angristan (https://github.com/angristan/wireguard-install) :

curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh

chmod +x wireguard-install.sh

./wireguard-install.sh

The installer asks a few questions; here are my answers, you can use the same:

Welcome to the WireGuard installer!
The git repository is available at: https://github.com/angristan/wireguard-install

I need to ask you a few questions before starting the setup.
You can keep the default options and just press enter if you are ok with them.

IPv4 or IPv6 public address: VPS_IP
Public interface: ens6 #This should be detected automatically, but you can verify it with 'ifconfig' in another SSH session
WireGuard interface name: wg0
Server WireGuard IPv4: 10.13.13.1 #Modify default to this to match client config from ShipkaChalk
Server WireGuard IPv6: fd42:42:42::1 
Server WireGuard port [1-65535]: 51820
First DNS resolver to use for the clients: 1.1.1.1
Second DNS resolver to use for the clients (optional): 1.0.0.1

The client name must consist of alphanumeric character(s). It may also include underscores or dashes and can't exceed 15 chars.
Client name: Plex1
Client WireGuard IPv4: 10.13.13.2 
Client WireGuard IPv6: fd42:42:42::2

  4. The installer should have created a server config and a client config; you can verify with the command below (and in the text shown after the last installer prompt):

systemctl status wg-quick@wg0.service

  5. Stop the Wireguard server :

systemctl stop wg-quick@wg0.service

  6. Open wg0.conf (the server config) and add the two lines that carry the comment "#IP Of peer below" (the PostUp/PostDown DNAT rules that forward port 32400 to the peer):

nano /etc/wireguard/wg0.conf

[Interface]
Address = 10.13.13.1/24,fd42:42:42::1/64
ListenPort = 51820
PrivateKey = PRIVATEKEY
PostUp = iptables -I INPUT -p udp --dport 51820 -j ACCEPT
PostUp = iptables -I FORWARD -i ens6 -o wg0 -j ACCEPT
PostUp = iptables -I FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o ens6 -j MASQUERADE
PostUp = ip6tables -I FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o ens6 -j MASQUERADE
PostUp = iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.13.13.2 #IP Of peer below
PostDown = iptables -D INPUT -p udp --dport 51820 -j ACCEPT
PostDown = iptables -D FORWARD -i ens6 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o ens6 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT
PostDown = ip6tables -t nat -D POSTROUTING -o ens6 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.13.13.2 #IP Of peer below

### Client Plex1
[Peer]
PublicKey = PUBLICKEY
PresharedKey = PRESHAREDKEY
AllowedIPs = 10.13.13.2/32,fd42:42:42::2/128

-> To save and quit : CTRL+S & CTRL+X

  7. Start the Wireguard server :

systemctl start wg-quick@wg0.service

The server is now running.

  8. Open wg0-client-Plex1.conf (the client config) and copy all of its text; we'll need it on the Hetzner side. The file name should match the one the installer printed after creating the server:

nano /root/wg0-client-Plex1.conf

  9. You're done with the VPS

On the Hetzner Server

  1. Make all updates :

sudo apt update

sudo apt upgrade

  2. Install Docker, the docker-compose plugin and Portainer (a GUI for beginners):

Docker (the docker-ce packages come from Docker's own apt repository, which has to be added first; see the Docker install docs for Ubuntu)

sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

Portainer

docker volume create portainer_data

docker run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:latest

  3. Create a directory to hold the files, I created /PlexWireguard

mkdir /PlexWireguard

  4. Create /PlexWireguard/wireguard-client/wg_confs/wg0.conf

mkdir /PlexWireguard/wireguard-client

mkdir /PlexWireguard/wireguard-client/wg_confs

nano /PlexWireguard/wireguard-client/wg_confs/wg0.conf

  5. Paste the text you copied from the VPS client config (wg0-client-Plex1.conf); you just need to add the PostUp and PreDown lines shown in the [Interface] section below:

[Interface]
Address = 10.13.13.2
PrivateKey = PRIVATEKEY
ListenPort = 51820
DNS = 10.13.13.1

PostUp = iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o wg+ -j MASQUERADE
PostUp = FORWARDEDPORT=32400; iptables -A INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -A INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT;
PreDown = FORWARDEDPORT=32400; iptables -D INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -D INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT;

[Peer]
PublicKey = PUBLICKEY
PresharedKey = PRESHAREDKEY
Endpoint = VPS_IP:51820
AllowedIPs = 0.0.0.0/0 #Add ", ::/0" to also route IPv6 through the tunnel; leave it out if IPv6 gives you issues

  6. Create the docker-compose.yml

cd /

nano docker-compose.yml

  7. Paste this and make sure your volumes in plex and wireguard line up :

services:
  wireguard:
    image: lscr.io/linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000 #Change if not correct, just type "id" in a new ssh session to get this
      - PGID=1000 #Change if not correct, just type "id" in a new ssh session to get this
      - TZ=Europe/Paris #Change if not correct
      - PEERDNS=1.1.1.1
    volumes:
      - /PlexWireguard/wireguard-client:/config
      - /lib/modules:/lib/modules
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    ports:
      - 32400:32400
    restart: unless-stopped

  plex:
    image: linuxserver/plex
    container_name: plex
    shm_size: '32gb' #OPTIONAL Needed when transcoding temp files go to RAM (the /dev/shm volume below)
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Paris
      - VERSION=docker
    volumes:
      - /PlexWireguard/config:/config
      - /path/to/data:/media #Put here the path to your media library
      - /dev/shm:/transcode #OPTIONAL Puts transcoding temp files in RAM; pair with shm_size above
    devices:
      - /dev/dri:/dev/dri #OPTIONAL If you have Intel GPU, this is necessary
    privileged: true #OPTIONAL Not sure if needed for transcoding; try without it first, since it gives the container full access to the host
    network_mode: service:wireguard
    restart: unless-stopped

Info : If you still can't get transcoding working, try chmod -R 777 /dev/dri

  8. Launch it and visit http://VPS_IP:32400; you'll see your Plex.

docker compose -f docker-compose.yml up

(The docker-compose-plugin installed above provides the docker compose subcommand; it does not install the older standalone docker-compose binary.)

Troubleshooting

Follow the steps below in order, post a comment saying where you get to if it fails.

Get into the containers on Hetzner.

  1. Plex container: docker exec -it plex /bin/bash

1.a. Run curl localhost:32400: you should see some HTML/XML coming back. If not, Plex isn't up.

1.b. Run curl icanhazip.com to make sure it returns VPS_IP. If not, your WireGuard tunnel is not connected.

  2. Wireguard container: docker exec -it wireguard /bin/bash

2.a. Run curl localhost:32400: you should see some HTML/XML coming back. If not, the plex container is not attached to the wireguard container's network.

2.b. Run curl icanhazip.com to make sure it returns the VPS IP. If not, your WireGuard tunnel is not connected.

  3. Verify the firewall and ports in the Hetzner panel and check ufw: ufw status

Get into the VPS.

  1. Run ifconfig to check that the wg0 interface exists

  2. If yes, run wg show and look whether the peer has connected (a recent "latest handshake").

  3. If not, the server is not up: run systemctl status wg-quick@wg0.service. If it is started, restart it with systemctl restart wg-quick@wg0.service and check again with systemctl status wg-quick@wg0.service (verify that wg-quick@wg0.service is the correct name of your WireGuard server unit)

  4. Verify Firewall and open the ports on the VPS Provider Panel (here IONOS) and check ufw : ufw status

On your home machine.

  1. Visit http://VPS_IP:32400; you should get to Plex. If not, create an SSH tunnel to verify that Plex itself is fine: ssh USER@HETZNER_IP -L 8888:localhost:32400 and then visit http://localhost:8888
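An added example, not part of the gist: a small Python checker that cross-checks the VPS-side server wg0.conf against the container's client wg0.conf for the mistakes the troubleshooting steps above hunt by hand (DNAT target vs. peer address, Endpoint port vs. ListenPort, PostDown mirroring PostUp). The sample configs are constructed from the gist's own values with keys trimmed; function names are mine.

```python
"""Cross-check the VPS-side WireGuard server config against the client config mounted into the
Docker wireguard container. Added example, not part of this gist; sample configs are constructed."""
import ipaddress
import re

DNAT_RE = re.compile(r"--dport\s+(\d+)\s+-j\s+DNAT\s+--to-destination\s+([\d.]+)")

def _csv(values):  # ['a, b', 'c'] -> ['a', 'b', 'c']: WireGuard allows comma lists and repeated keys
    return [v.strip() for v in ",".join(values).split(",") if v.strip()]

def parse_wg_conf(text):
    """Return ([Interface] dict, list of [Peer] dicts); values are lists because PostUp and
    PostDown repeat. '#' comments are stripped the way wg-quick does (rest of the line)."""
    interface, peers, current = {}, [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = interface if line.lower() == "[interface]" else {}
            if line.lower() == "[peer]":
                peers.append(current)
            continue
        key, _, value = line.partition("=")
        current.setdefault(key.strip(), []).append(value.strip())
    return interface, peers

def _rules(lines):
    """Flatten PostUp/PostDown/PreDown lines into single iptables commands; the gist's client
    chains several behind 'FORWARDEDPORT=32400;', and that assignment is dropped here."""
    out = set()
    for line in lines:
        for cmd in line.split(";"):
            cmd = " ".join(cmd.split())
            if cmd.startswith(("iptables", "ip6tables")):
                out.add(cmd)
    return out

def check_plex_tunnel(server_conf, client_conf):
    """Return a list of problems; an empty list means the two configs line up."""
    srv, srv_peers = parse_wg_conf(server_conf)
    cli, _ = parse_wg_conf(client_conf)
    problems = []
    peer_nets = [ipaddress.ip_network(n, strict=False)
                 for p in srv_peers for n in _csv(p.get("AllowedIPs", []))]
    client_addrs = {ipaddress.ip_interface(a).ip for a in _csv(cli.get("Address", []))}
    # 1. The DNAT forwarding the Plex port must target an address a peer may hold AND the address
    #    this client configures (the thread below: VPS on 10.66.66.x, DNAT still at 10.13.13.2).
    for rule in _rules(srv.get("PostUp", [])):
        for port, target in DNAT_RE.findall(rule):
            ip = ipaddress.ip_address(target)
            if not any(ip in net for net in peer_nets):
                problems.append(f"DNAT for port {port} targets {ip}, not in any peer's AllowedIPs")
            if ip not in client_addrs:
                problems.append(f"DNAT for port {port} targets {ip}, but client Address is {sorted(map(str, client_addrs))}")
    # 2. The client must dial the port the server listens on.
    for endpoint in cli.get("Endpoint", []):
        port = endpoint.rsplit(":", 1)[-1]
        if port not in srv.get("ListenPort", []):
            problems.append(f"client Endpoint port {port} != server ListenPort {srv.get('ListenPort')}")
    # 3. Every rule added on the way up must be deleted on the way down: '-A'/'-I' up needs the same
    #    rule with '-D' down, or (as in the gist's original DNAT PostDown) duplicates pile up per restart.
    for side, conf in (("server", srv), ("client", cli)):
        ups = {re.sub(r" -[AI] ", " -D ", r) for r in _rules(conf.get("PostUp", []))}
        downs = _rules(conf.get("PostDown", []) + conf.get("PreDown", []))
        problems += [f"{side} down rule undoes nothing that was added: {r}" for r in downs - ups]
        problems += [f"{side} up rule is never removed: {r}" for r in ups - downs]
    return problems

# Constructed from the gist's configs (keys and the INPUT/FORWARD/ip6tables lines trimmed).
SERVER_CONF = """\
[Interface]
ListenPort = 51820
PostUp = iptables -t nat -A POSTROUTING -o ens6 -j MASQUERADE
PostUp = iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.13.13.2 #IP Of peer below
PostDown = iptables -t nat -D POSTROUTING -o ens6 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.13.13.2 #IP Of peer below
### Client Plex1
[Peer]
AllowedIPs = 10.13.13.2/32,fd42:42:42::2/128
"""
CLIENT_CONF = """\
[Interface]
Address = 10.13.13.2
PostUp = iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o wg+ -j MASQUERADE
PostUp = FORWARDEDPORT=32400; iptables -A INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -A INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT;
PreDown = FORWARDEDPORT=32400; iptables -D INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -D INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT;
[Peer]
Endpoint = VPS_IP:51820
AllowedIPs = 0.0.0.0/0
"""
# The thread's situation: VPS left on the installer default 10.66.66.x, DNAT target still 10.13.13.2.
THREAD_SERVER = SERVER_CONF.replace("10.13.13.", "10.66.66.").replace("destination 10.66.66.2", "destination 10.13.13.2")
THREAD_CLIENT = CLIENT_CONF.replace("10.13.13.", "10.66.66.")
# The gist's original PostDown typo: '-A' where '-D' was meant.
LEAKY_SERVER = SERVER_CONF.replace("PostDown = iptables -t nat -D PREROUTING", "PostDown = iptables -t nat -A PREROUTING")
```

Run check_plex_tunnel() on the real files (server from /etc/wireguard/wg0.conf on the VPS, client from wg_confs/wg0.conf on Hetzner) before going through the container checks above; an empty list means the addressing is consistent and the problem is elsewhere.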
@Iliannnn

Iliannnn commented Mar 9, 2024

yes replace the PUID and PGID on the docker compose with PUID and PGID the "id" gave you

This site can’t be reached
xx.xxx.xxx.xxx:32400 took too long to respond.

Still not working, running troubleshooting again:

# Hetzner
➜  ~ docker exec -it plex /bin/bash
root@05de354b43c8:/# curl localhost:32400
<?xml version="1.0" encoding="UTF-8"?>
root@05de354b43c8:/# curl icanhazip.com
xx.xxx.xxx.xxx (correct VPS IP)

➜  ~ docker exec -it wireguard /bin/bash
root@05de354b43c8:/# curl localhost:32400
<?xml version="1.0" encoding="UTF-8"?>
root@05de354b43c8:/# curl icanhazip.com
xx.xxx.xxx.xxx (correct VPS IP)

➜  ~ ufw status
Status: inactive

# VPS

root@vps:~# ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:0f:1a:fc:ba  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet xx.xxx.xxx.xxx (correct VPS IP) netmask 255.255.255.0  broadcast xx.xxx.xxx.xxx (correct VPS IP)
        inet6 fe80::216:3cff:febe:8257  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3c:be:82:57  txqueuelen 1000  (Ethernet)
        RX packets 1530020  bytes 161808285 (154.3 MiB)
        RX errors 0  dropped 8  overruns 0  frame 0
        TX packets 11535  bytes 1305593 (1.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 10.66.66.1  netmask 255.255.255.0  destination 10.66.66.1
        inet6 fd42:42:42::1  prefixlen 64  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 173  bytes 26172 (25.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 173  bytes 68700 (67.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@vps:~# wg show
interface: wg0
  public key: RvpjXK/aAPxKiQT8F3fcZwDQslRc7OKuOCOxx0haskY=
  private key: (hidden)
  listening port: 51820

peer: ReUEqt+Gmo2V/y6/CIust1242S7nNVS9o+3lV+PqTDc=
  preshared key: (hidden)
  endpoint: xx.xx.xx.xx:44856 (correct Hetzner IP)
  allowed ips: 10.66.66.2/32, fd42:42:42::2/128
  latest handshake: 6 minutes, 37 seconds ago
  transfer: 25.56 KiB received, 68.54 KiB sent
  
root@vps:~# ufw status
Status: inactive

When running ssh root@dedi -L 8888:localhost:32400, then visiting localhost:8888 I can access Plex just fine. Just not on VPS_IP:32400. I am using a Racknerd VPS (2.5 GB KVM VPS (Black Friday 2023))

@sovajri7
Author

sovajri7 commented Mar 9, 2024

Maybe that's why it's not working, as each VPS config is different. I only use IONOS; maybe you can try using it?

But first, just send me back all configs (Hetzner + VPS + compose); I need to check if the redirect is OK.

@Iliannnn

Iliannnn commented Mar 9, 2024

> Maybe that's why it's not working, as each VPS config is different. I only use IONOS; maybe you can try using it?
>
> But first, just send me back all configs (Hetzner + VPS + compose); I need to check if the redirect is OK.

I just bought this VPN, and people told me this will work just fine.

I will send you the configs.

@ShipkaChalk

Nice :)

@Iliannnn

Iliannnn commented Mar 9, 2024

Hetzner

/root/plexwireguard/wireguard-client/wg_confs/wg0.conf

[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Address = 10.66.66.2/32
DNS = 1.1.1.1,1.0.0.1

PostUp = iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o wg+ -j MASQUERADE
PostUp = FORWARDEDPORT=32400; iptables -A INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -A INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT;
PreDown = FORWARDEDPORT=32400; iptables -D INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -D INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT;

[Peer]
PublicKey = RvpjXK/aAPxKiQT8F3fcZwDQslRc7OKuOCOxx0haskY=
PresharedKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Endpoint = xx.xxx.xxx.xxx:51820 # Hetzner IP
AllowedIPs = 0.0.0.0/0

/root/plexwireguard/docker-compose.yml

services:
  wireguard:
    image: lscr.io/linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Brussels
      - PEERDNS=1.1.1.1
    volumes:
      - /root/plexwireguard/wireguard-client:/config
      - /lib/modules:/lib/modules
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    ports:
      - 32400:32400
    restart: unless-stopped

  plex:
    image: linuxserver/plex
    container_name: plex
    environment:
      - PUID=0
      - PGID=0
      - TZ=Europe/Brussels
      - VERSION=docker
    volumes:
      - /root/plex/config:/config
      - /root/tubearchivist/media:/media
      - /root/plex/transcode:/transcode
    devices:
      - /dev/dri:/dev/dri
    privileged: true
    network_mode: service:wireguard
    restart: unless-stopped

Plex container logs

[migrations] started
[migrations] no migrations found
GID/UID
───────────────────────────────────────
User UID:    0
User GID:    0
───────────────────────────────────────
**** Server is unclaimed, but no claim token has been set ****
Docker is used for versioning skip update check
[custom-init] No custom files found, skipping...
Starting Plex Media Server. . . (you can ignore the libusb_init error)
[ls.io-init] done.

Wireguard container logs

[migrations] started
[migrations] no migrations found
GID/UID
───────────────────────────────────────
User UID:    1000
User GID:    1000
───────────────────────────────────────
Uname info: Linux 05de354b43c8 6.1.0-13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64 GNU/Linux
**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
**** As the wireguard module is already active you can remove the SYS_MODULE capability from your container run/compose. ****
**** Client mode selected. ****
[custom-init] No custom files found, skipping...
**** Disabling CoreDNS ****
**** Found WG conf /config/wg_confs/wg0.conf, adding to list ****
**** Activating tunnel /config/wg_confs/wg0.conf ****
Warning: `/config/wg_confs/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.66.66.2/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
s6-rc: fatal: unable to take locks: Resource busy
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] iptables-restore -n
[#] iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
[#] FORWARDEDPORT=32400; iptables -A INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -A INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT;
**** All tunnels are now active ****
[ls.io-init] done.

Racknerd VPS

/root/wg0-client-Plex1.conf

[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Address = 10.66.66.2/32,fd42:42:42::2/128
DNS = 1.1.1.1,1.0.0.1

[Peer]
PublicKey = RvpjXK/aAPxKiQT8F3fcZwDQslRc7OKuOCOxx0haskY=
PresharedKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Endpoint = xx.xxx.xxx.xxx:51820 # Racknerd VPS IP
AllowedIPs = 0.0.0.0/0,::/0

/etc/wireguard/wg0.conf

[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 51820
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
PostUp = iptables -I INPUT -p udp --dport 51820 -j ACCEPT
PostUp = iptables -I FORWARD -i eth0 -o wg0 -j ACCEPT
PostUp = iptables -I FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -I FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.13.13.2
PostDown = iptables -D INPUT -p udp --dport 51820 -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT
PostDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.13.13.2

### Client Plex1
[Peer]
PublicKey = ReUEqt+Gmo2V/y6/CIust1242S7nNVS9o+3lV+PqTDc=
PresharedKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128

systemctl status wg-quick@wg0.service

wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
   Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)
   Active: active (exited) since Sat 2024-03-09 08:59:58 EST; 6h ago
     Docs: man:wg-quick(8)
           man:wg(8)
           https://www.wireguard.com/
           https://www.wireguard.com/quickstart/
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
 Main PID: 6549 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 2926)
   Memory: 0B
   CGroup: /system.slice/system-wg\x2dquick.slice/wg-quick@wg0.service

Mar 09 08:59:58 vps wg-quick[6549]: [#] ip -6 address add fd42:42:42::1/64 dev wg0
Mar 09 08:59:58 vps wg-quick[6549]: [#] ip link set mtu 1420 up dev wg0
Mar 09 08:59:58 vps wg-quick[6549]: [#] iptables -I INPUT -p udp --dport 51820 -j ACCEPT
Mar 09 08:59:58 vps wg-quick[6549]: [#] iptables -I FORWARD -i eth0 -o wg0 -j ACCEPT
Mar 09 08:59:58 vps wg-quick[6549]: [#] iptables -I FORWARD -i wg0 -j ACCEPT
Mar 09 08:59:58 vps wg-quick[6549]: [#] iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Mar 09 08:59:58 vps wg-quick[6549]: [#] ip6tables -I FORWARD -i wg0 -j ACCEPT
Mar 09 08:59:58 vps wg-quick[6549]: [#] ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Mar 09 08:59:58 vps wg-quick[6549]: [#] iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.13.13.2
Mar 09 08:59:58 vps systemd[1]: Started WireGuard via wg-quick(8) for wg0.

@sovajri7
Author

sovajri7 commented Mar 9, 2024

/root/plexwireguard/wireguard-client/wg_confs/wg0.conf is wrong :

[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Address = 10.66.66.2/32
DNS = 10.66.66.1 #YOU PUT CLOUDFLARE, IT NEEDS TO BE THE WIREGUARD SERVER IP

PostUp = iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o wg+ -j MASQUERADE
PostUp = FORWARDEDPORT=32400; iptables -A INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -A INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT;
PreDown = FORWARDEDPORT=32400; iptables -D INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -D INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT;

[Peer]
PublicKey = RvpjXK/aAPxKiQT8F3fcZwDQslRc7OKuOCOxx0haskY=
PresharedKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Endpoint = xx.xxx.xxx.xxx:51820 #NEED TO BE THE VPS_IP NOT HETZNER IP
AllowedIPs = 0.0.0.0/0

/root/plexwireguard/docker-compose.yml

PUID & PGID for Plex container still not good, you need to put the same as your Wireguard container :

      - PUID=1000
      - PGID=1000

Try this and tell me.

@Iliannnn

Iliannnn commented Mar 9, 2024

Same issue.

Changed /root/plexwireguard/wireguard-client/wg_confs/wg0.conf to this, is that correct?

[Interface]
PrivateKey = 
Address = 10.66.66.2/32
DNS = xx.xxx.xxx.xxx # Rackhead VPS IP

PostUp = iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o wg+ -j MASQUERADE
PostUp = FORWARDEDPORT=32400; iptables -A INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -A INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT;
PreDown = FORWARDEDPORT=32400; iptables -D INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -D INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT;

[Peer]
PublicKey = RvpjXK/aAPxKiQT8F3fcZwDQslRc7OKuOCOxx0haskY=
PresharedKey = 
Endpoint = xx.xxx.xxx.xxx:51820 # Rackhead VPS IP
AllowedIPs = 0.0.0.0/0

Docker compose now:

services:
  wireguard:
    image: lscr.io/linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Brussels
      - PEERDNS=1.1.1.1
    volumes:
      - /root/plexwireguard/wireguard-client:/config
      - /lib/modules:/lib/modules
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    ports:
      - 32400:32400
    restart: unless-stopped

  plex:
    image: linuxserver/plex
    container_name: plex
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Brussels
      - VERSION=docker
    volumes:
      - /root/plex/config:/config
      - /root/tubearchivist/media:/media
      - /root/plex/transcode:/transcode
    devices:
      - /dev/dri:/dev/dri
    privileged: true
    network_mode: service:wireguard
    restart: unless-stopped

Plex logs:

[migrations] started
[migrations] no migrations found
usermod: no changes
───────────────────────────────────────
      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝
   Brought to you by linuxserver.io
───────────────────────────────────────
To support LSIO projects visit:
https://www.linuxserver.io/donate/
───────────────────────────────────────
GID/UID
───────────────────────────────────────
User UID:    1000
User GID:    1000
───────────────────────────────────────
**** Server is unclaimed, but no claim token has been set ****
Docker is used for versioning skip update check
[custom-init] No custom files found, skipping...
Starting Plex Media Server. . . (you can ignore the libusb_init error)
[ls.io-init] done.

Wireguard logs:

[migrations] started
[migrations] no migrations found
───────────────────────────────────────
      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝
   Brought to you by linuxserver.io
───────────────────────────────────────
To support the app dev(s) visit:
WireGuard: https://www.wireguard.com/donations/
To support LSIO projects visit:
https://www.linuxserver.io/donate/
───────────────────────────────────────
GID/UID
───────────────────────────────────────
User UID:    1000
User GID:    1000
───────────────────────────────────────
Uname info: Linux 446fff933f0e 6.1.0-13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64 GNU/Linux
**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
**** As the wireguard module is already active you can remove the SYS_MODULE capability from your container run/compose. ****
**** Client mode selected. ****
[custom-init] No custom files found, skipping...
**** Disabling CoreDNS ****
**** Found WG conf /config/wg_confs/wg0.conf, adding to list ****
**** Activating tunnel /config/wg_confs/wg0.conf ****
Warning: `/config/wg_confs/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.66.66.2/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
s6-rc: fatal: unable to take locks: Resource busy
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] iptables-restore -n
[#] iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
[#] FORWARDEDPORT=32400; iptables -A INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -A INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT;
**** All tunnels are now active ****
[ls.io-init] done.

@sovajri7
Author

sovajri7 commented Mar 9, 2024

Bro, I told you DNS = 10.66.66.1 #YOU PUT CLOUDFLARE, NEED TO BE **THE WIREGUARD SERVER IP** NOT THE IPV4

Careful, edit your message, Private key leaked.

@Iliannnn

Iliannnn commented Mar 9, 2024

Bro, I told you DNS = 10.66.66.1 #YOU PUT CLOUDFLARE, NEED TO BE **THE WIREGUARD SERVER IP** NOT THE IPV4

Careful, edit your message, Private key leaked.

Huh, what is the Wireguard server IP supposed to be? Isn't it the VPS IP on which Wireguard is running (in my case the Racknerd VPS)?

@sovajri7
Author

sovajri7 commented Mar 9, 2024

I've written it for you but you modified it, it's: 10.66.66.1

You can see it here: /etc/wireguard/wg0.conf

@Iliannnn

Iliannnn commented Mar 9, 2024

I've written it for you but you modified it, it's: 10.66.66.1

You can see it here: /etc/wireguard/wg0.conf

Ooooh. I will try now.

@Iliannnn

Iliannnn commented Mar 9, 2024

Modified it:

[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Address = 10.66.66.2/32
DNS = 10.66.66.1

PostUp = iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o wg+ -j MASQUERADE
PostUp = FORWARDEDPORT=32400; iptables -A INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -A INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT;
PreDown = FORWARDEDPORT=32400; iptables -D INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -D INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT;

[Peer]
PublicKey = RvpjXK/aAPxKiQT8F3fcZwDQslRc7OKuOCOxx0haskY=
PresharedKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Endpoint = xx.xxx.xxx.xxx:51820 # VPS IP
AllowedIPs = 0.0.0.0/0

Still the same issue.
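As an added example (not part of the gist or of any comment above), a small POSIX shell checker for the client wg0.conf that encodes the fixes discussed in this thread: DNS must be the Wireguard server's tunnel IP, Endpoint must be the VPS public IP, AllowedIPs must be 0.0.0.0/0, and the file must not be world-readable. It assumes a /24 tunnel with the server at .1 (angristan's default), and uses dummy keys and the 203.0.113.10 documentation address in place of a real VPS IP.

```shell
#!/bin/sh
# Added example (not from the gist): sanity-check a WireGuard *client* wg0.conf for the
# linuxserver/wireguard container. Rules follow the fixes in the comments: DNS = the
# server's tunnel IP (10.66.66.1 style), Endpoint = VPS public IP, AllowedIPs = 0.0.0.0/0,
# file not world-readable (wg-quick warns; it holds the PrivateKey). Assumes a /24 tunnel.

wg_val() {  # wg_val KEY FILE -> first value of KEY, trailing "# comment" stripped
    awk -v k="$1" '$0 ~ ("^[ \t]*" k "[ \t]*=") {
        sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*#.*$/, ""); print; exit }' "$2"
}

check_wg_conf() {  # returns 0 when every check passes, 1 otherwise (reasons on stdout)
    f="$1"; rc=0
    [ -f "$f" ] || { echo "FAIL: no such file: $f"; return 1; }
    [ -z "$(find "$f" -perm -004)" ] || { echo "FAIL: $f is world-readable (chmod 600)"; rc=1; }
    echo "$(wg_val PrivateKey "$f")" | grep -Eq '^[A-Za-z0-9+/]{43}=$' ||
        { echo "FAIL: PrivateKey missing or not a base64 WireGuard key"; rc=1; }
    addr=$(wg_val Address "$f"); tun=${addr%%/*}; tun=${tun%.*}   # 10.66.66.2/32 -> 10.66.66
    dns=$(wg_val DNS "$f")
    case "$dns" in
        "$tun".*) ;;   # resolver reached through the tunnel, e.g. the server's 10.66.66.1
        *) echo "FAIL: DNS='$dns' must be the WireGuard server's tunnel IP (${tun}.1)"; rc=1 ;;
    esac
    ep=$(wg_val Endpoint "$f"); host=${ep%%:*}
    if ! echo "$ep" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}:[0-9]{1,5}$'; then
        echo "FAIL: Endpoint='$ep' is not IPv4:port (xx.xxx placeholder left in?)"; rc=1
    elif [ "${host%.*}" = "$tun" ]; then
        echo "FAIL: Endpoint must be the VPS public IP, not a tunnel address"; rc=1
    fi
    [ "$(wg_val AllowedIPs "$f")" = "0.0.0.0/0" ] ||
        { echo "FAIL: AllowedIPs must be 0.0.0.0/0 so all Plex traffic exits via the VPS"; rc=1; }
    return $rc
}

# Constructed sample reproducing the thread's mistake (DNS pointed at a public resolver).
# 203.0.113.10 is a documentation address standing in for the VPS IP; keys are dummies.
SAMPLE=$(mktemp) && cat > "$SAMPLE" <<'EOF'
[Interface]
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Address = 10.66.66.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
Endpoint = 203.0.113.10:51820 # VPS IP
AllowedIPs = 0.0.0.0/0
EOF
chmod 600 "$SAMPLE"
check_wg_conf "$SAMPLE" && echo "OK: $SAMPLE"; rm -f "$SAMPLE"   # reports the DNS failure
```

Run it against the container's wg_confs/wg0.conf before starting the compose stack; a clean run prints nothing but `OK`.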

@felikcat

felikcat commented Jun 21, 2024

There are a couple of small improvements that can be made to the guide.

  1. sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

     mkdir /PlexWireguard/wireguard-client

     mkdir /PlexWireguard/wireguard-client/wg_confs

     • This can be shortened to:
       mkdir -p /PlexWireguard/wireguard-client/wg_confs

  2. docker-compose -f docker-compose.yml up can cause a problem when trying to claim your Plex server, use this instead (while in the same directory as docker-compose.yml): docker compose -p examplename up -d

Thank you for the guide, it works well for me and even works remotely.

@barrahlad

barrahlad commented Aug 26, 2024

Getting this error when I run docker compose -f docker-compose.yml up

Error response from daemon: driver failed programming external connectivity on endpoint wireguard (65561e3e178c8775ee15e446bcbbe92104114d82d6012ea2f67a756bc9752fbc): failed to bind port 0.0.0.0:32400/tcp: Error starting userland proxy: listen tcp4 0.0.0.0:32400: bind: address already in use
