@sovajri7
Last active July 13, 2025 04:34
Using Plex on Hetzner with Wireguard VPN (Docker).

With this tutorial you can route all Plex traffic through WireGuard and out of another VPS (a 2$ IONOS Ubuntu VPS). The same setup works for any container, but here it is used to bypass the Hetzner block by Plex.

First, thanks to ShipkaChalk (https://gist.github.com/ShipkaChalk/629fdc42dad781776d2007fc502188f3) and his original tutorial, which helped me a lot with the client part.

  1. Get yourself a Linux VPS (e.g. Ubuntu 22.04)

  2. Make all updates :

sudo apt update

sudo apt upgrade

  3. Install the WireGuard installer from angristan (https://github.com/angristan/wireguard-install) :

curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh

chmod +x wireguard-install.sh

./wireguard-install.sh

You should get a Q&A; here are my answers, you can use the same :

Welcome to the WireGuard installer!
The git repository is available at: https://github.com/angristan/wireguard-install

I need to ask you a few questions before starting the setup.
You can keep the default options and just press enter if you are ok with them.

IPv4 or IPv6 public address: VPS_IP
Public interface: ens6 #This should be filled in automatically, but you can verify it by running 'ifconfig' in another ssh session
WireGuard interface name: wg0
Server WireGuard IPv4: 10.13.13.1 #Change the default to this to match the client config from ShipkaChalk
Server WireGuard IPv6: fd42:42:42::1 
Server WireGuard port [1-65535]: 51820
First DNS resolver to use for the clients: 1.1.1.1
Second DNS resolver to use for the clients (optional): 1.0.0.1

The client name must consist of alphanumeric character(s). It may also include underscores or dashes and can't exceed 15 chars.
Client name: Plex1
Client WireGuard IPv4: 10.13.13.2 
Client WireGuard IPv6: fd42:42:42::2
  4. The installer should have created a server config and a client config; you can verify with the command below (and in the text shown after the last command):

systemctl status wg-quick@wg0.service

  5. Stop the WireGuard server :

systemctl stop wg-quick@wg0.service

  6. Open wg0.conf (the server config) and paste in the 2 lines that end with the comment "#IP Of peer below":

nano /etc/wireguard/wg0.conf

[Interface]
Address = 10.13.13.1/24,fd42:42:42::1/64
ListenPort = 51820
PrivateKey = PRIVATEKEY
PostUp = iptables -I INPUT -p udp --dport 51820 -j ACCEPT
PostUp = iptables -I FORWARD -i ens6 -o wg0 -j ACCEPT
PostUp = iptables -I FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o ens6 -j MASQUERADE
PostUp = ip6tables -I FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o ens6 -j MASQUERADE
PostUp = iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.13.13.2 #IP Of peer below
PostDown = iptables -D INPUT -p udp --dport 51820 -j ACCEPT
PostDown = iptables -D FORWARD -i ens6 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o ens6 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT
PostDown = ip6tables -t nat -D POSTROUTING -o ens6 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.13.13.2 #IP Of peer below

### Client Plex1
[Peer]
PublicKey = PUBLICKEY
PresharedKey = PRESHAREDKEY
AllowedIPs = 10.13.13.2/32,fd42:42:42::2/128

-> To save and quit : CTRL+S & CTRL+X
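One easy mistake in this file is a PostDown line that re-adds a rule (-A/-I) instead of deleting it (-D), which leaves the 32400 DNAT in place after the tunnel is taken down. The script below is an added example, not part of the gist: it checks every PostUp rule of a wg-quick config against the PostDown lines. It assumes the PostUp/PostDown keys as used above; the embedded sample config is constructed from this gist's rules.

```shell
#!/usr/bin/env bash
# Added example, not part of the gist: check that every iptables rule added by a
# wg-quick PostUp line has a PostDown line that deletes it (-D). A PostDown that
# re-adds a rule (-A/-I) leaves the 32400 DNAT behind after "wg-quick down wg0".

# Reduce a PostUp/PostDown line to a comparable rule: drop the key, any inline
# comment and the -I/-A/-D action so the add and delete variants compare equal.
normalize_rule() {
  printf '%s\n' "$1" | sed -E \
    -e 's/^[[:space:]]*Post(Up|Down)[[:space:]]*=[[:space:]]*//' -e 's/#.*$//' \
    -e 's/[[:space:]]+/ /g' -e 's/ -(I|A|D) / /' -e 's/[[:space:]]*$//'
}

# check_postdown CONFIG: prints each PostUp rule that has no "-D" PostDown twin;
# returns 0 when every rule is cleaned up, 1 otherwise.
check_postdown() {
  local cfg="$1" rc=0 up downs
  downs=$(grep -E '^[[:space:]]*PostDown' "$cfg" | grep -E -- ' -D ' | while IFS= read -r l; do normalize_rule "$l"; done)
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    up=$(normalize_rule "$line")
    if ! printf '%s\n' "$downs" | grep -qxF -- "$up"; then
      printf 'no PostDown -D for: %s\n' "$up"
      rc=1
    fi
  done <<EOF
$(grep -E '^[[:space:]]*PostUp' "$cfg")
EOF
  return "$rc"
}

# write_sample_config PATH MODE: constructed config modelled on the gist's wg0.conf.
# MODE "broken" gives the DNAT PostDown an -A instead of -D (a copy-paste slip).
write_sample_config() {
  local action=-D
  if [ "$2" = broken ]; then action=-A; fi
  cat >"$1" <<EOF
[Interface]
PostUp = iptables -I INPUT -p udp --dport 51820 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o ens6 -j MASQUERADE
PostUp = iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.13.13.2 #IP Of peer below
PostDown = iptables -D INPUT -p udp --dport 51820 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o ens6 -j MASQUERADE
PostDown = iptables -t nat $action PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.13.13.2 #IP Of peer below
EOF
}

# Usage: ./lint-postdown.sh /etc/wireguard/wg0.conf
if [ -n "${1:-}" ]; then check_postdown "$1"; fi
```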

  7. Start the WireGuard server :

systemctl start wg-quick@wg0.service

Now the server is running fine.

  8. Open the client config wg0-client-Plex1.conf and copy all of its text; we'll need it later. The file name follows the client name you entered; you can verify it in the text shown after creating the WireGuard server :

nano /root/wg0-client-Plex1.conf

  9. You're done with the VPS.

On the Hetzner Server

  1. Make all updates :

sudo apt update

sudo apt upgrade

  2. Install Docker, the docker-compose plugin & Portainer to get a GUI for beginners (the docker-ce packages below come from Docker's own apt repository, which has to be added first) :

Docker

sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

Portainer (note: this publishes ports 8000 and 9443 on every interface; restrict them in the Hetzner firewall if the GUI should not be reachable from the internet)

docker volume create portainer_data

docker run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:latest

  3. Create a directory to hold the files; I created /PlexWireguard

mkdir /PlexWireguard

  4. Create /PlexWireguard/wireguard-client/wg_confs/wg0.conf

mkdir /PlexWireguard/wireguard-client

mkdir /PlexWireguard/wireguard-client/wg_confs

nano /PlexWireguard/wireguard-client/wg_confs/wg0.conf

  5. Paste the text you copied from the VPS for the client (the client config step above); you only need to add the PostUp and PreDown lines shown here :

[Interface]
Address = 10.13.13.2
PrivateKey = PRIVATEKEY
ListenPort = 51820
DNS = 10.13.13.1

PostUp = iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o wg+ -j MASQUERADE
PostUp = FORWARDEDPORT=32400; iptables -A INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -A INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT;
PreDown = FORWARDEDPORT=32400; iptables -D INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -D INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT;

[Peer]
PublicKey = PUBLICKEY
PresharedKey = PRESHAREDKEY
Endpoint = VPS_IP:51820
AllowedIPs = 0.0.0.0/0, ::/0 #Remove ", ::/0" if you have issues using IPv6

  6. Create the docker-compose.yml

cd /

nano docker-compose.yml

  7. Paste this and make sure the volumes in plex and wireguard line up :

services:
  wireguard:
    image: lscr.io/linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000 #Change if not correct, just type "id" in a new ssh session to get this
      - PGID=1000 #Change if not correct, just type "id" in a new ssh session to get this
      - TZ=Europe/Paris #Change if not correct
      - PEERDNS=1.1.1.1
    volumes:
      - /PlexWireguard/wireguard-client:/config
      - /lib/modules:/lib/modules
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    ports:
      - 32400:32400
    restart: unless-stopped

  plex:
    image: linuxserver/plex
    container_name: plex
    shm_size: '32gb' #OPTIONAL Needed when transcoding temp files are kept in RAM (see the /dev/shm volume below)
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Paris
      - VERSION=docker
    volumes:
      - /PlexWireguard/config:/config
      - /path/to/data:/media #Put here the path to your media library
      - /dev/shm:/transcode #OPTIONAL Keeps transcoding temp files in RAM; requires the shm_size above
    devices:
      - /dev/dri:/dev/dri #OPTIONAL If you have Intel GPU, this is necessary
    privileged: true #OPTIONAL Not sure if it is needed for transcoding
    network_mode: service:wireguard
    restart: unless-stopped

Info : If you still can't get transcoding working, try chmod -R 777 /dev/dri

  8. Launch it and visit http://VPS_IP:32400; you'll see your Plex.

docker-compose -f docker-compose.yml up

or

docker compose -p docker-compose up -d

Troubleshooting

Follow the steps below in order, post a comment saying where you get to if it fails.

Get into the containers on Hetzner.

  1. Plex container : docker exec -it plex /bin/bash

1.a. Run curl localhost:32400 : you should see some HTML coming back. If not, Plex isn't up.

1.b. Run curl icanhazip.com to make sure it returns the VPS_IP. If not, your WireGuard tunnel is not connected.

  2. WireGuard container : docker exec -it wireguard /bin/bash

2.a. Run curl localhost:32400 : you should see some HTML coming back. If not, the plex container is not attached to the wireguard container's network.

2.b. Run curl icanhazip.com to make sure it returns the VPS IP. If not, your WireGuard tunnel is not connected.

  3. Verify the firewall and ports in the Hetzner panel and check ufw : ufw status

Get into the VPS.

  1. Run ifconfig to see whether the wg0 interface is present

  2. If yes, run wg show and check whether the peer has connected (it should show a recent latest handshake).

  3. If not, the server is not up: run systemctl status wg-quick@wg0.service; if it is started, restart it with systemctl restart wg-quick@wg0.service and then check again with systemctl status wg-quick@wg0.service (verify that wg-quick@wg0.service is the correct name of your WireGuard server unit)

  4. Verify Firewall and open the ports on the VPS Provider Panel (here IONOS) and check ufw : ufw status

On your home machine.

  1. Visit http://VPS_IP:32400; you should get to Plex. If not, create an ssh tunnel to verify that everything else is fine: ssh USER@HETZNER_IP -L 8888:localhost:32400 and then visit http://localhost:8888
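The troubleshooting steps above as one script (an added example, not from the gist): on the Hetzner host it runs the container checks in order and stops at the first failure with the diagnosis given above; on the VPS it checks the peer handshake that wg show reports. Assumptions: container names plex and wireguard and interface wg0 as in this gist; the presence of /etc/wireguard/wg0.conf is taken to mean the script is running on the VPS; a handshake older than 180 s counts as not connected.

```shell
#!/usr/bin/env bash
# Added example, not part of the gist: the troubleshooting steps above as one script.
# Container names (plex, wireguard), interface wg0 and the VPS_IP argument follow the
# gist; the 180 s handshake window is an assumption (WireGuard re-handshakes about
# every 2 minutes while traffic flows, so an older one means the peer is not connected).

# egress_is_vps OBSERVED EXPECTED: the icanhazip check; 0 when the container exits via the VPS.
egress_is_vps() {
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "$2" ]
}

# wg_peer_connected "<wg show wg0 latest-handshakes output>" NOW MAX_AGE: 0 when any
# peer's last handshake (unix time, 0 = never) is within MAX_AGE seconds of NOW.
wg_peer_connected() {
  local now="$2" max="$3" key ts
  while read -r key ts; do
    [ -n "$ts" ] && [ "$ts" -gt 0 ] && [ $((now - ts)) -le "$max" ] && return 0
  done <<EOF
$1
EOF
  return 1
}

# in_container NAME CMD: run one of the gist's curl checks inside a container (needs docker).
in_container() { docker exec "$1" sh -c "$2"; }

# run_checks VPS_IP: on the Hetzner host walks steps 1.a to 2.b and stops at the first
# failure with the gist's diagnosis; on the VPS (assumed when /etc/wireguard/wg0.conf
# exists, the Hetzner side keeps its config under /PlexWireguard) checks the handshake.
run_checks() {
  local vps="$1" ip
  if [ -e /etc/wireguard/wg0.conf ]; then
    if wg_peer_connected "$(wg show wg0 latest-handshakes)" "$(date +%s)" 180; then
      echo "VPS: peer has a recent handshake"; return 0
    fi
    echo "VPS: no recent handshake; check systemctl status wg-quick@wg0 and the provider firewall"; return 1
  fi
  in_container plex 'curl -s -m 5 -o /dev/null localhost:32400' || { echo "1.a: Plex is not up"; return 1; }
  ip=$(in_container plex 'curl -s -m 10 icanhazip.com')
  egress_is_vps "$ip" "$vps" || { echo "1.b: tunnel not connected (egress is '$ip')"; return 1; }
  in_container wireguard 'curl -s -m 5 -o /dev/null localhost:32400' || { echo "2.a: plex container is not on the wireguard network"; return 1; }
  ip=$(in_container wireguard 'curl -s -m 10 icanhazip.com')
  egress_is_vps "$ip" "$vps" || { echo "2.b: tunnel not connected (egress is '$ip')"; return 1; }
  echo "containers OK: Plex answers on 32400 and egress is $vps"
}

if [ -n "${1:-}" ]; then run_checks "$1"; fi
```

Run it as ./check-plex-tunnel.sh VPS_IP on the Hetzner host, then again on the VPS; the first message printed names the step from the list above that fails.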
@DJHanceNL

So to summarize

Strato VPS (8core,8gbram,1gbs)
Hetzner (plex and wireguard inside docker compose)
Download: 195.64 Mbps (data used: 350.7 MB) 152.73 ms (jitter: 54.32ms, low: 17.32ms, high: 913.96ms) Upload: 192.61 Mbps (data used: 282.5 MB) 75.37 ms (jitter: 38.32ms, low: 18.00ms, high: 718.25ms) Packet Loss: 7.0%

This is when nothing is playing.

When I play a big UHD movie at home from the server I can see this in the monitoring on the Hetzner Ubuntu server.

Why is it sending and receiving?
Is this why I'm so limited (250/1000)?

Is it supposed to go back and forth? Or is something wrong in my setup?

Is this just monitoring the main ethernet NIC, and does Docker have its own virtual one? So the main eth is a bridge?

I've tried everything. The next thing I want to try:

WireGuard + Plex out of Docker to a native install (on a second duplicate server for tests)
And the VPS on my own home server (I have 2.5 NICs and 8 Gb fiber at home)

[Screenshot 2025-07-09 203010]


DJHanceNL commented Jul 10, 2025

So I had this working. Plex and WireGuard in docker compose on the Hetzner server. Strato VPS with just WireGuard. But the speed and latency are terrible. After a lot of MTU and other settings I can get 170 Mbps. But most of the time less, and if our family has 2 streams running it's already shit.

VPS hosting providers are just bad. Tried two others, almost the same.

Now we got 5 Gb fiber at home. So I put an old PC with Ubuntu in my room and set up the WireGuard server (endpoint) on my local network.

Almost full 1 Gb up and down, so it's really the providers throttling UDP traffic. But now I can't figure out how to get a stream working from my house.

Other friends, and if I use my 5G internet, finally work great. Full speed, UHD streams etc.

But everything on my ISP home IP can't get anything. Of course this is because my 192.168.1.* can't get to the public ISP IP endpoint my WireGuard server uses. It's my own IP.

How do I add this exception to my WireGuard scripts?

Is it this option in some GUI versions?

"block untunneled traffic (kill-switch)"

How do I add this manually in the wg0 configs? Or is it the GDM service I need to forward? Or one of the Plex settings like adding the LAN IP/subnet in the Plex server settings? Or just an IPv4 forward line in the config I missed?

I used this

https://gist.github.com/sovajri7/856f75833f3d8764c5dc36e19ff5d0aa

One other thing I noticed on the Hetzner server:
traffic seems to be going in both directions twice?

While streaming a UHD movie:

network device 1: [image]

network device 2: [image]

network device 3: [image]

Is this to be expected, because of how Docker networks work? I'm a noob; is this just the internal transit, or is it going back and forth one extra time?


DJHanceNL commented Jul 13, 2025

Server: KamaTera, Inc. - Frankfurt (id: 69755)
ISP: Kamatera Inc
Idle Latency: 8.81 ms (jitter: 0.17ms, low: 8.59ms, high: 8.97ms)
Download: 870.19 Mbps (data used: 1.0 GB)
10.88 ms (jitter: 3.01ms, low: 8.67ms, high: 240.67ms)
Upload: 857.77 Mbps (data used: 1.1 GB)
9.54 ms (jitter: 12.35ms, low: 8.51ms, high: 1237.11ms)
Packet Loss: 0.0%

Other VPS provider, all my problems are resolved. It's just cheap-ass VPS sellers. After 4 different ones, this one is great, full speed!!

Kamatera!!!
