Using Plex on Hetzner with Wireguard VPN (Docker). First, thanks to ShipkaChalk (https://gist.github.com/ShipkaChalk/629fdc42dad781776d2007fc502188f3) and his original tutorial that helped me a lot with the client part. With this tutorial you route all Plex traffic through Wireguard and out of another VPS (a 2$ IONOS Ubuntu VPS). The same setup works for any container; here it is used to get around Plex blocking Hetzner addresses.
- Get yourself a Linux VPS (ex: Ubuntu 22.04)
- Make all updates:
sudo apt update
sudo apt upgrade
- Install the Wireguard installer from angristan (https://github.com/angristan/wireguard-install) :
curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh
chmod +x wireguard-install.sh
./wireguard-install.sh
You should get a Q&A; here are my answers, you can use the same:
Welcome to the WireGuard installer!
The git repository is available at: https://github.com/angristan/wireguard-install
I need to ask you a few questions before starting the setup.
You can keep the default options and just press enter if you are ok with them.
IPv4 or IPv6 public address: VPS_IP
Public interface: ens6 #This should be filled in automatically, but you can verify by running 'ifconfig' in another ssh session
WireGuard interface name: wg0
Server WireGuard IPv4: 10.13.13.1 #Modify default to this to match client config from ShipkaChalk
Server WireGuard IPv6: fd42:42:42::1
Server WireGuard port [1-65535]: 51820
First DNS resolver to use for the clients: 1.1.1.1
Second DNS resolver to use for the clients (optional): 1.0.0.1
The client name must consist of alphanumeric character(s). It may also include underscores or dashes and can't exceed 15 chars.
Client name: Plex1
Client WireGuard IPv4: 10.13.13.2
Client WireGuard IPv6: fd42:42:42::2
- The installer should have created a server config and a client config. Check the service name in the text shown after the last command, then verify it is running:
systemctl status wg-quick@wg0.service
- Stop the Wireguard server:
systemctl stop wg-quick@wg0.service
- Open wg0.conf (the server config) and add the 2 lines that end with the comment "#IP Of peer below":
nano /etc/wireguard/wg0.conf
[Interface]
Address = 10.13.13.1/24,fd42:42:42::1/64
ListenPort = 51820
PrivateKey = PRIVATEKEY
PostUp = iptables -I INPUT -p udp --dport 51820 -j ACCEPT
PostUp = iptables -I FORWARD -i ens6 -o wg0 -j ACCEPT
PostUp = iptables -I FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o ens6 -j MASQUERADE
PostUp = ip6tables -I FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o ens6 -j MASQUERADE
PostUp = iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.13.13.2 #IP Of peer below
PostDown = iptables -D INPUT -p udp --dport 51820 -j ACCEPT
PostDown = iptables -D FORWARD -i ens6 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o ens6 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT
PostDown = ip6tables -t nat -D POSTROUTING -o ens6 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.13.13.2 #IP Of peer below
### Client Plex1
[Peer]
PublicKey = PUBLICKEY
PresharedKey = PRESHAREDKEY
AllowedIPs = 10.13.13.2/32,fd42:42:42::2/128
-> To save and quit : CTRL+S & CTRL+X
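Every rule a PostUp line adds should be removed again by a PostDown line with -D; a PostDown that uses -A or -I quietly adds a second copy of the rule instead, and the DNAT to the peer then stays in the nat table after the tunnel is down. The script below is an added example, not part of this tutorial or of the angristan installer: it reads a wg-quick config and reports PostUp rules without a matching PostDown delete. The two sample configs it checks are constructed here, modelled on the server config above.

```shell
# Added example (not from the original tutorial): check that every firewall
# rule added in PostUp is deleted again in PostDown of a wg-quick config.

# check_wg_conf [file]: reads a wg-quick config from a file or stdin. Prints
# each problem found; returns 1 if any were found, 0 if PostUp/PostDown pair up.
check_wg_conf() {
  awk '
    # canon(): strip the key, a trailing "# comment" and extra spaces, then
    # replace -A/-I/-D with a placeholder so an add and its delete compare equal.
    function canon(s) {
      sub(/[ \t]*#.*$/, "", s)
      sub(/^[ \t]*Post(Up|Down)[ \t]*=[ \t]*/, "", s)
      gsub(/ -(A|I|D) /, " -X ", s)
      gsub(/[ \t]+/, " ", s)
      return s
    }
    /^[ \t]*PostUp[ \t]*=/ && / -(A|I) /   { up[canon($0)] = $0 }
    /^[ \t]*PostDown[ \t]*=/ && / -D /     { down[canon($0)] = 1 }
    /^[ \t]*PostDown[ \t]*=/ && / -(A|I) / { print "PostDown adds a rule instead of deleting it: " $0; rc = 1 }
    END {
      for (k in up) if (!(k in down)) { print "no matching PostDown -D for: " up[k]; rc = 1 }
      exit rc
    }' "$@"
}

# Constructed sample config (placeholders only), with the PostDown DNAT line
# using -A instead of -D, the mistake the check is meant to catch.
sample_conf_bad() {
  cat <<'EOF'
[Interface]
Address = 10.13.13.1/24
ListenPort = 51820
PrivateKey = PRIVATEKEY
PostUp = iptables -I INPUT -p udp --dport 51820 -j ACCEPT
PostUp = iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.13.13.2 #IP Of peer below
PostDown = iptables -D INPUT -p udp --dport 51820 -j ACCEPT
PostDown = iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.13.13.2 #IP Of peer below
EOF
}

# The same constructed config with the PostDown DNAT line corrected to -D.
sample_conf_good() {
  sample_conf_bad | sed 's/^PostDown = \(.*\) -A PREROUTING/PostDown = \1 -D PREROUTING/'
}

# On the VPS you would run: check_wg_conf /etc/wireguard/wg0.conf
echo "--- constructed config with the -A/-D mistake:"
sample_conf_bad | check_wg_conf || echo "=> fix the PostDown line(s) listed above"
echo "--- corrected config:"
sample_conf_good | check_wg_conf && echo "=> PostUp and PostDown rules pair up"
```

Run it against /etc/wireguard/wg0.conf before starting the service; an empty report and exit status 0 mean every added rule has its delete.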
- Start the Wireguard server:
systemctl start wg-quick@wg0.service
The server is now running.
- Open the client config wg0-client-Plex1.conf and copy all the text; we'll need it later. The file name should match the one shown in the text printed after creating the Wireguard server:
nano /root/wg0-client-Plex1.conf
- You're done with the VPS
On the Hetzner Server
- Make all updates :
sudo apt update
sudo apt upgrade
- Install docker, the docker-compose plugin and portainer (a web GUI, handy for beginners):
Docker (these packages come from Docker's own apt repository, which must be added first; see https://docs.docker.com/engine/install/ubuntu/)
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
Portainer (this publishes the Portainer UI on port 9443 on every interface of the Hetzner server; if you only reach it through SSH, use -p 127.0.0.1:9443:9443 instead)
docker volume create portainer_data
docker run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:latest
- Create a directory to hold the files, I created /PlexWireguard:
mkdir /PlexWireguard
- Create /PlexWireguard/wireguard-client/wg_confs/wg0.conf:
mkdir /PlexWireguard/wireguard-client
mkdir /PlexWireguard/wireguard-client/wg_confs
nano /PlexWireguard/wireguard-client/wg_confs/wg0.conf
- Paste the text you copied from the VPS for the client (7. above); the only additions are the two PostUp and the two PreDown lines:
[Interface]
Address = 10.13.13.2
PrivateKey = PRIVATEKEY
ListenPort = 51820
DNS = 10.13.13.1
PostUp = iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o wg+ -j MASQUERADE
PostUp = FORWARDEDPORT=32400; iptables -A INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -A INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT;
PreDown = FORWARDEDPORT=32400; iptables -D INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -D INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT;
[Peer]
PublicKey = PUBLICKEY
PresharedKey = PRESHAREDKEY
Endpoint = VPS_IP:51820
AllowedIPs = 0.0.0.0/0 #The installer writes "0.0.0.0/0,::/0"; remove the ",::/0" part if you have issues using IPv6
- Create the docker-compose.yml:
cd /
nano docker-compose.yml
- Paste this and make sure your volumes in plex and wireguard line up :
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000 #Change if not correct, just type "id" in a new ssh session to get this
      - PGID=1000 #Change if not correct, just type "id" in a new ssh session to get this
      - TZ=Europe/Paris #Change if not correct
      - PEERDNS=1.1.1.1
    volumes:
      - /PlexWireguard/wireguard-client:/config
      - /lib/modules:/lib/modules
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    ports:
      - "32400:32400"
    restart: unless-stopped
  plex:
    image: linuxserver/plex
    container_name: plex
    shm_size: '32gb' #OPTIONAL Needed when transcoding temp files are kept in RAM
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Paris
      - VERSION=docker
    volumes:
      - /PlexWireguard/config:/config
      - /path/to/data:/media #Put here the path to your media library
      - /dev/shm:/transcode #OPTIONAL Needed when transcoding temp files are kept in RAM
    devices:
      - /dev/dri:/dev/dri #OPTIONAL If you have an Intel GPU, this is necessary
    privileged: true #OPTIONAL Grants the container full host privileges; not sure it is needed for transcoding, so try without it first
    network_mode: service:wireguard
    restart: unless-stopped
Info: If you still can't get transcoding working, try chmod -R 777 /dev/dri (this makes the GPU device nodes world-writable; adding the PUID user to the host's render/video group is the narrower fix).
- Launch it (the docker-compose-plugin installed above provides the "docker compose" command) and visit http://VPS_IP:32400; you'll see your Plex.
docker compose -f docker-compose.yml up
Troubleshooting
Follow the steps below in order, and post a comment saying how far you get if it fails.
Get into the containers on Hetzner.
- Plex container:
docker exec -it plex /bin/bash
1.a. Do curl localhost:32400 : you should see some HTML coming back. If not, Plex isn't up.
1.b. Do curl icanhazip.com to make sure it returns VPS_IP. If not, your Wireguard tunnel is not connected.
- Wireguard container:
docker exec -it wireguard /bin/bash
2.a. Do curl localhost:32400 : you should see some HTML coming back. If not, the plex container is not connected to the wireguard container.
2.b. Do curl icanhazip.com to make sure it returns VPS_IP. If not, your Wireguard tunnel is not connected.
- Verify the firewall and ports in the Hetzner panel and check ufw:
ufw status
Get into the VPS.
- Do ifconfig to see if the wg0 interface is there.
- If yes, do wg show and look to see if the peer has connected.
- If not, the server is not up; do systemctl status wg-quick@wg0.service. If it's started, restart using systemctl restart wg-quick@wg0.service and then check using systemctl status wg-quick@wg0.service (verify that @wg0.service is the correct name of your Wireguard server).
- Verify the firewall and open the ports in the VPS provider panel (here IONOS) and check ufw:
ufw status
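"Look to see if the peer has connected" means checking the handshake: a peer that is passing traffic re-handshakes every couple of minutes, so a handshake older than a few minutes, or none at all, means the tunnel is down even though wg0 exists. The script below is an added example, not part of this tutorial: it parses the output of wg show wg0 latest-handshakes (one "peer public key, TAB, unix time" line per peer, 0 meaning never) and classifies each peer. The 180-second threshold and the two sample peers are assumptions constructed for the example.

```shell
# Added example (not from the original tutorial): classify WireGuard peers from
# the output of "wg show wg0 latest-handshakes".

# Assumed threshold: a live peer re-handshakes at least every ~2-3 minutes.
MAX_AGE=${MAX_AGE:-180}

# peer_states: stdin = latest-handshakes lines ("<pubkey>\t<epoch>", 0 = never),
# $1 = current unix time. Prints "<state> <pubkey> (handshake ...)" per peer,
# state being connected / stale / never. Returns 0 if at least one peer is connected.
peer_states() {
  awk -v now="$1" -v max="$MAX_AGE" -F '\t' '
    {
      key = $1; ts = $2 + 0
      if (ts == 0)              state = "never"
      else if (now - ts <= max) { state = "connected"; ok = 1 }
      else                      state = "stale"
      printf "%s %s (handshake %s)\n", state, key, (ts == 0 ? "never" : (now - ts) " s ago")
    }
    END { exit ok ? 0 : 1 }'
}

# Constructed sample: one peer that handshaked at epoch 1700000000, one that never did.
sample_handshakes() {
  printf '%s\t%s\n' 'PEER1PUBKEY=' 1700000000 'PEER2PUBKEY=' 0
}

# On the VPS you would run:  wg show wg0 latest-handshakes | peer_states "$(date +%s)"
# Here the sample is evaluated as if "now" were 75 seconds after the handshake.
if sample_handshakes | peer_states 1700000075; then
  echo "=> tunnel up (at least one live peer)"
else
  echo "=> no live peer: check the client container and the VPS firewall"
fi
```

A "stale" result with the interface up usually points at a firewall or endpoint problem (UDP 51820 not reachable on the VPS, or the client container restarted with a different config), while "never" means the client has not completed a single handshake, so start with the keys and the Endpoint line in the client config.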
On your home machine.
- Visit http://VPS_IP:32400; you should get to Plex. If not, create an SSH tunnel to verify that everything is fine:
ssh USER@HETZNER_IP -L 8888:localhost:32400
and then visit http://localhost:8888
Bro, I told you
DNS = 10.66.66.1 #YOU PUT CLOUDFLARE, IT NEEDS TO BE **THE WIREGUARD SERVER IP** NOT THE IPV4
Careful, edit your message, Private key leaked.