@sovajri7
Created November 4, 2023 18:26
Using Plex on Hetzner with Wireguard VPN (Docker).

First, thanks to ShipkaChalk (https://gist.github.com/ShipkaChalk/629fdc42dad781776d2007fc502188f3) and his original tutorial, which helped me a lot with the client part. With this tutorial you route all Plex traffic through a Wireguard tunnel and out of another VPS (a 2$ IONOS Ubuntu VPS in my case): the VPS forwards port 32400 into the tunnel, so Plex is reached at VPS_IP and its own outbound connections also leave from VPS_IP. This works for any container, but here it is used to get around Plex's block of Hetzner addresses.

  1. Get yourself a Linux VPS (e.g. Ubuntu 22.04)

  2. Install all updates :

sudo apt update

sudo apt upgrade

  3. Run the Wireguard installer from angristan (https://github.com/angristan/wireguard-install) :

curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh

chmod +x wireguard-install.sh

./wireguard-install.sh

The installer asks a few questions; here are my answers, you can use the same :

Welcome to the WireGuard installer!
The git repository is available at: https://github.com/angristan/wireguard-install

I need to ask you a few questions before starting the setup.
You can keep the default options and just press enter if you are ok with them.

IPv4 or IPv6 public address: VPS_IP
Public interface: ens6 #This should be detected automatically; verify with 'ip addr' (or 'ifconfig') in another ssh session
WireGuard interface name: wg0
Server WireGuard IPv4: 10.13.13.1 #Changed from the default to match the client config from ShipkaChalk
Server WireGuard IPv6: fd42:42:42::1 
Server WireGuard port [1-65535]: 51820
First DNS resolver to use for the clients: 1.1.1.1
Second DNS resolver to use for the clients (optional): 1.0.0.1

The client name must consist of alphanumeric character(s). It may also include underscores or dashes and can't exceed 15 chars.
Client name: Plex1
Client WireGuard IPv4: 10.13.13.2 
Client WireGuard IPv6: fd42:42:42::2
  4. The installer should have created a server config and a client config (it prints both paths after the last question). Verify that the service is running :

systemctl status wg-quick@wg0.service

  5. Stop the Wireguard server :

systemctl stop wg-quick@wg0.service

  6. Open wg0.conf (the server config) and add the two lines that end with the comment "#IP Of peer below"; everything else was generated by the installer :

nano /etc/wireguard/wg0.conf

[Interface]
Address = 10.13.13.1/24,fd42:42:42::1/64
ListenPort = 51820
PrivateKey = PRIVATEKEY
PostUp = iptables -I INPUT -p udp --dport 51820 -j ACCEPT
PostUp = iptables -I FORWARD -i ens6 -o wg0 -j ACCEPT
PostUp = iptables -I FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o ens6 -j MASQUERADE
PostUp = ip6tables -I FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o ens6 -j MASQUERADE
PostUp = iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.13.13.2 #IP Of peer below: forwards Plex's port from the VPS public address into the tunnel
PostDown = iptables -D INPUT -p udp --dport 51820 -j ACCEPT
PostDown = iptables -D FORWARD -i ens6 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o ens6 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT
PostDown = ip6tables -t nat -D POSTROUTING -o ens6 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.13.13.2 #IP Of peer below (-D so the rule is removed when the tunnel goes down; with -A a second copy would be added on every restart)

### Client Plex1
[Peer]
PublicKey = PUBLICKEY
PresharedKey = PRESHAREDKEY
AllowedIPs = 10.13.13.2/32,fd42:42:42::2/128

-> To save and quit : CTRL+S (or CTRL+O) then CTRL+X

  7. Start the Wireguard server :

systemctl start wg-quick@wg0.service

The server is now running.

  8. Open wg0-client-Plex1.conf (the client config) and copy all of its text, we'll need it on the Hetzner server. The file name follows the client name you entered; the installer prints the path after creating the client :

nano /root/wg0-client-Plex1.conf

  9. You're done with the VPS

On the Hetzner Server

  1. Install all updates :

sudo apt update

sudo apt upgrade

  2. Install docker, the docker compose plugin and portainer (a web GUI, handy for beginners) :

Docker (these packages come from Docker's own apt repository, which has to be added first, see https://docs.docker.com/engine/install/ubuntu/)

sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

Portainer

docker volume create portainer_data

docker run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:latest

Mounting /var/run/docker.sock gives Portainer root-equivalent control of the host, so keep 9443 and 8000 closed in the Hetzner firewall or publish them on 127.0.0.1 only (e.g. -p 127.0.0.1:9443:9443).

  3. Create a directory to hold the files, I created /PlexWireguard

mkdir /PlexWireguard

  4. Create /PlexWireguard/wireguard-client/wg_confs/wg0.conf

mkdir /PlexWireguard/wireguard-client

mkdir /PlexWireguard/wireguard-client/wg_confs

nano /PlexWireguard/wireguard-client/wg_confs/wg0.conf

  5. Paste the client config you copied from the VPS; the only additions are the PostUp/PreDown lines shown here :
[Interface]
Address = 10.13.13.2
PrivateKey = PRIVATEKEY
ListenPort = 51820
DNS = 10.13.13.1

PostUp = iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o wg+ -j MASQUERADE
PostUp = FORWARDEDPORT=32400; iptables -A INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -A INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT;
PreDown = FORWARDEDPORT=32400; iptables -D INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -D INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT;

[Peer]
PublicKey = PUBLICKEY
PresharedKey = PRESHAREDKEY
Endpoint = VPS_IP:51820
AllowedIPs = 0.0.0.0/0 #The installer also lists ", ::/0"; drop it (as here) if IPv6 gives you trouble
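
Before bringing either tunnel up it is worth checking that each config tears down what it sets up: wg-quick runs the PostUp lines on "up" and PostDown/PreDown on "down", so a teardown that appends (-A) instead of deleting (-D), or that is missing, leaves a rule behind after every restart. The script below is an added example, not part of this gist or of wg-quick. It parses a wg-quick config, derives the expected teardown for every PostUp rule (the same rule with each -A/-I replaced by -D) and lists the PostUp rules that have no counterpart. To run offline it builds constructed copies of the server config (a faulty variant whose DNAT PostDown appends instead of deleting, and the corrected one) and of the client config in a scratch directory; on a real box point check_wg_rules at /etc/wireguard/wg0.conf on the VPS or /PlexWireguard/wireguard-client/wg_confs/wg0.conf on Hetzner.

```shell
#!/bin/sh
# Added example (not from the gist): check that every PostUp firewall rule in a
# wg-quick config has a matching PostDown/PreDown that deletes it.

# Print the rule part of each line whose key matches the given regex, with the
# trailing "#..." comment and surrounding whitespace removed.
# (Rules that carry a literal '#' inside quotes would be cut short; none here do.)
wg_rules() { # wg_rules <config> <key-regex>
    grep -E "^[[:space:]]*($2)[[:space:]]*=" "$1" \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*#.*$//; s/[[:space:]]+$//'
}

# Print every PostUp rule with no exact teardown counterpart. The expected
# teardown is the PostUp line with every "-A"/"-I" (append/insert) replaced by
# "-D"; the g flag matters for compound lines with several iptables calls.
wg_unmatched_postup() { # wg_unmatched_postup <config>
    downs=$(wg_rules "$1" 'PostDown|PreDown')
    wg_rules "$1" 'PostUp' | while IFS= read -r up; do
        expect=$(printf '%s\n' "$up" | sed -E 's/ -(A|I) / -D /g')
        printf '%s\n' "$downs" | grep -qxF -e "$expect" || printf '%s\n' "$up"
    done
}

# Return 0 when the config is symmetric, 1 (listing the offenders) otherwise.
check_wg_rules() { # check_wg_rules <config>
    unmatched=$(wg_unmatched_postup "$1")
    [ -z "$unmatched" ] && return 0
    printf 'PostUp rules without a matching -D in %s:\n%s\n' "$1" "$unmatched"
    return 1
}

# Constructed samples in a scratch directory: a faulty server config whose DNAT
# PostDown appends (-A), the same config corrected, and the client config.
WGCHECK_DIR=$(mktemp -d)
cat >"$WGCHECK_DIR/server-faulty.conf" <<'EOF'
[Interface]
Address = 10.13.13.1/24
ListenPort = 51820
PrivateKey = PRIVATEKEY
PostUp = iptables -I INPUT -p udp --dport 51820 -j ACCEPT
PostUp = iptables -I FORWARD -i ens6 -o wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o ens6 -j MASQUERADE
PostUp = iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.13.13.2 #IP Of peer below
PostDown = iptables -D INPUT -p udp --dport 51820 -j ACCEPT
PostDown = iptables -D FORWARD -i ens6 -o wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o ens6 -j MASQUERADE
PostDown = iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.13.13.2 #IP Of peer below
EOF
sed 's/^PostDown = iptables -t nat -A PREROUTING/PostDown = iptables -t nat -D PREROUTING/' \
    "$WGCHECK_DIR/server-faulty.conf" >"$WGCHECK_DIR/server-fixed.conf"
cat >"$WGCHECK_DIR/client.conf" <<'EOF'
[Interface]
Address = 10.13.13.2
PrivateKey = PRIVATEKEY
PostUp = iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o wg+ -j MASQUERADE
PostUp = FORWARDEDPORT=32400; iptables -A INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -A INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT;
PreDown = FORWARDEDPORT=32400; iptables -D INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -D INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT;
EOF

for f in server-faulty server-fixed client; do
    check_wg_rules "$WGCHECK_DIR/$f.conf" || true
done
```

The comparison is exact text, so a rule written differently on the way down (for example with -i ens6 left out) is also reported; that is intended, since iptables -D only removes a rule that matches exactly.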
  6. Create the docker-compose.yml

cd /

nano docker-compose.yml

  7. Paste this and make sure the volumes in plex and wireguard line up :
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000 #Change if not correct, just type "id" in a new ssh session to get this
      - PGID=1000 #Change if not correct, just type "id" in a new ssh session to get this
      - TZ=Europe/Paris #Change if not correct
      - PEERDNS=1.1.1.1
    volumes:
      - /PlexWireguard/wireguard-client:/config
      - /lib/modules:/lib/modules:ro #Optional: only needed if the image has to build the wireguard module for an old kernel; Ubuntu 22.04's 5.15 kernel already ships it
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    ports:
      - 32400:32400 #Published on every Hetzner interface; use 127.0.0.1:32400:32400 if Plex should only be reachable through the VPS (the ssh tunnel in Troubleshooting still works)
    restart: unless-stopped

  plex:
    image: linuxserver/plex
    container_name: plex
    shm_size: '32gb' #OPTIONAL Transcoding temp files to ram makes this parameter needed
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Paris
      - VERSION=docker
    volumes:
      - /PlexWireguard/config:/config
      - /path/to/data:/media #Put here the path to your media library
      - /dev/shm:/transcode #OPTIONAL Transcoding temp files to ram makes this parameter needed
    devices:
      - /dev/dri:/dev/dri #OPTIONAL If you have Intel GPU, this is necessary
    privileged: true #OPTIONAL Not needed for transcoding, the devices entry above already gives Plex the GPU; leave it out unless something else requires it
    network_mode: service:wireguard
    restart: unless-stopped

Info : If transcoding still doesn't work, the container user (PUID) usually lacks access to /dev/dri. Check the owning group with ls -l /dev/dri (render or video) and add its numeric GID to the plex service with group_add: in the compose file; chmod -R 777 /dev/dri also works, but it gives every process on the host access to the GPU.

  8. Launch it and visit http://VPS_IP:32400, you'll see your Plex (the compose plugin installed above is invoked as docker compose, not docker-compose) :

docker compose -f docker-compose.yml up -d

Troubleshooting

Follow the steps below in order, post a comment saying where you get to if it fails.

Get into the containers on Hetzner.

  1. Plex container : docker exec -it plex /bin/bash

1.a. Run curl localhost:32400 : you should get some HTML back. If not, Plex isn't up.

1.b. Run curl icanhazip.com and make sure it returns VPS_IP. If it doesn't, your Wireguard tunnel is not connected.

  2. Wireguard container : docker exec -it wireguard /bin/bash

2.a. Run curl localhost:32400 : you should get some HTML back. If not, the plex container is not sharing the wireguard container's network (network_mode: service:wireguard).

2.b. Run curl icanhazip.com and make sure it returns VPS_IP. If it doesn't, your Wireguard tunnel is not connected.

  3. Verify the firewall and open ports in the Hetzner panel and check ufw : ufw status

Get into the VPS.

  1. Run ip addr (or ifconfig) and check that the wg0 interface exists.

  2. If it does, run wg show and check whether the peer has completed a handshake.

  3. If it doesn't, the server is not up: run systemctl status wg-quick@wg0.service; if it is started, restart it with systemctl restart wg-quick@wg0.service and check again with systemctl status wg-quick@wg0.service (wg0 is the interface name you gave the installer).

  4. Verify the firewall and open the ports in the VPS provider's panel (here IONOS) and check ufw : ufw status

On your home machine.

  1. Visit http://VPS_IP:32400, you should get to Plex. If not, create an ssh tunnel to check that Plex itself is fine : ssh USER@HETZNER_IP -L 8888:localhost:32400 and then visit http://localhost:8888
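
The Hetzner-side checks above can be scripted so you see at once which hop broke. The following is an added example, not from the gist: it runs steps 1.a, 1.b, 2.a and 2.b in order through docker exec and stops at the first one that fails, returning a distinct exit code per step. It assumes the container names plex and wireguard from the compose file, curl inside both containers, and uses Plex's unauthenticated /identity endpoint instead of the root URL for the liveness check; the handshake check runs wg show inside the wireguard container. A built-in simulator (RUN_IN=simulate) stands in for docker exec so the script can be tried offline; its outputs are constructed, not captured from a real deployment.

```shell
#!/bin/sh
# Added example, not part of the gist: run the Hetzner-side troubleshooting
# checks in order and stop at the first one that fails.
#
#   VPS_IP=203.0.113.10 sh plex_tunnel_check.sh                        # real run
#   RUN_IN=simulate SIM_FAIL=1b VPS_IP=203.0.113.10 sh plex_tunnel_check.sh  # dry run

# run_in <container> <command...>: execute a command inside a container.
# Defaults to "docker exec"; RUN_IN=simulate routes to the simulator below.
run_in() {
    ${RUN_IN:-docker exec} "$@"
}

# simulate <container> <command...>: constructed stand-in for docker exec.
# SIM_FAIL selects which check should fail (1a, 1b, 2a or 2b); any other
# value simulates a healthy deployment. Outputs are made up, not captured.
simulate() {
    container="$1"; shift
    case "$container $*" in
        "plex curl"*identity*)
            [ "${SIM_FAIL:-}" = 1a ] && printf '000' || printf '200' ;;
        "plex curl"*icanhazip*)
            [ "${SIM_FAIL:-}" = 1b ] && printf '198.51.100.7\n' || printf '%s\n' "${VPS_IP:-203.0.113.10}" ;;
        "wireguard curl"*identity*)
            [ "${SIM_FAIL:-}" = 2a ] && printf '000' || printf '200' ;;
        "wireguard wg show"*)
            [ "${SIM_FAIL:-}" = 2b ] && printf 'PEERPUBKEY\t0\n' || printf 'PEERPUBKEY\t%s\n' "$(date +%s)" ;;
        *)
            echo "simulate: unexpected command: $container $*" >&2; return 1 ;;
    esac
}

# http_code <container>: HTTP status Plex returns on localhost:32400 inside
# that container; 000 when nothing answers (curl's own convention).
http_code() {
    code=$(run_in "$1" curl -s -m 5 -o /dev/null -w '%{http_code}' http://localhost:32400/identity) || code=000
    printf '%s' "$code"
}

# diagnose <expected public ip>: 0 when every check passes, otherwise
# 1 (1.a), 2 (1.b), 3 (2.a) or 4 (2.b) for the first check that failed.
diagnose() {
    expected_ip="$1"

    # 1.a Plex answers on its own port inside the plex container (any HTTP status will do)
    code=$(http_code plex)
    [ "$code" != 000 ] || { echo "1.a FAIL: nothing answers on localhost:32400 in plex"; return 1; }

    # 1.b the plex container's traffic leaves through the VPS
    egress=$(run_in plex curl -s -m 5 https://icanhazip.com) || egress=''
    [ "$egress" = "$expected_ip" ] \
        || { echo "1.b FAIL: egress address is '${egress:-none}', expected $expected_ip: tunnel not connected"; return 2; }

    # 2.a the wireguard container sees the same localhost:32400 (shared network namespace)
    code=$(http_code wireguard)
    [ "$code" != 000 ] \
        || { echo "2.a FAIL: Plex not visible from wireguard: network_mode: service:wireguard is not in effect"; return 3; }

    # 2.b wg0 has completed at least one handshake with the VPS peer
    # (wg show prints "<peer pubkey> <unix time>"; 0 means never)
    run_in wireguard wg show wg0 latest-handshakes | awk '$2 > 0 { ok = 1 } END { exit !ok }' \
        || { echo "2.b FAIL: wg0 has never completed a handshake with the VPS peer"; return 4; }

    echo "OK: Plex is up and reachable through $expected_ip"
    return 0
}

if [ -n "${VPS_IP:-}" ]; then
    diagnose "$VPS_IP"
else
    echo "usage: VPS_IP=<public ip of the VPS> sh $0" >&2
fi
```

Run it on the Hetzner host after docker compose up; a non-zero exit tells you which item of the list above to look at, and the VPS-side checks (wg show, systemctl status, provider firewall) remain manual.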
sovajri7 (Author) commented Mar 9, 2024

Bro, I told you DNS = 10.66.66.1 #YOU PUT CLOUDFLARE, IT NEEDS TO BE **THE WIREGUARD SERVER IP**, NOT THE IPV4

Careful, edit your message, Private key leaked.

Iliannnn commented Mar 9, 2024

Bro, I told you DNS = 10.66.66.1 #YOU PUT CLOUDFLARE, IT NEEDS TO BE **THE WIREGUARD SERVER IP**, NOT THE IPV4

Careful, edit your message, Private key leaked.

Huh, what is the wireguard server IP supposed to be? Isn't it the VPS IP on which Wireguard is running (in my case a Racknerd VPS)?

sovajri7 (Author) commented Mar 9, 2024

I wrote it for you but you modified it, it's : 10.66.66.1

You can see it here : /etc/wireguard/wg0.conf

Iliannnn commented Mar 9, 2024

I wrote it for you but you modified it, it's : 10.66.66.1

You can see it here : /etc/wireguard/wg0.conf

Ooooh. I will try now.

Iliannnn commented Mar 9, 2024

Modified it:

[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Address = 10.66.66.2/32
DNS = 10.66.66.1

PostUp = iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o wg+ -j MASQUERADE
PostUp = FORWARDEDPORT=32400; iptables -A INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -A INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT;
PreDown = FORWARDEDPORT=32400; iptables -D INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -D INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT;

[Peer]
PublicKey = RvpjXK/aAPxKiQT8F3fcZwDQslRc7OKuOCOxx0haskY=
PresharedKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Endpoint = xx.xxx.xxx.xxx:51820 # VPS IP
AllowedIPs = 0.0.0.0/0

Still the same issue.

felikcat commented Jun 21, 2024

There are a couple of small improvements that can be made to the guide.

  1. sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
     mkdir /PlexWireguard/wireguard-client
     mkdir /PlexWireguard/wireguard-client/wg_confs
  • This can be shortened to:
    mkdir -p /PlexWireguard/wireguard-client/wg_confs
  2. docker-compose -f docker-compose.yml up can cause a problem when trying to claim your Plex server, use this instead (while in the same directory as docker-compose.yml): docker compose -p examplename up -d

Thank you for the guide, it works well for me and even works remotely.

barrahlad commented Aug 26, 2024

I'm getting this error when I run docker compose -f docker-compose.yml up

Error response from daemon: driver failed programming external connectivity on endpoint wireguard (65561e3e178c8775ee15e446bcbbe92104114d82d6012ea2f67a756bc9752fbc): failed to bind port 0.0.0.0:32400/tcp: Error starting userland proxy: listen tcp4 0.0.0.0:32400: bind: address already in use
