@jsturgis
Forked from sovajri7/Plex_Hetzner_Wireguard.md
Created September 26, 2024 16:52
Using Plex on Hetzner with Wireguard VPN (Docker).

First, thanks to ShipkaChalk (https://gist.github.com/ShipkaChalk/629fdc42dad781776d2007fc502188f3) and his original tutorial, which helped me a lot with the client part. With this tutorial you can route all Plex traffic through a WireGuard tunnel that exits from another VPS (a $2 IONOS Ubuntu VPS). The same setup works for any container, but here it is used to bypass the Hetzner block by Plex.

  1. Get yourself a Linux VPS (e.g. Ubuntu 22.04)

  2. Install all updates :

sudo apt update

sudo apt upgrade

  3. Install the Wireguard installer from angristan (https://github.com/angristan/wireguard-install) :

curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh

chmod +x wireguard-install.sh

./wireguard-install.sh

You should get a Q&A; here are my answers, you can use the same :

Welcome to the WireGuard installer!
The git repository is available at: https://github.com/angristan/wireguard-install

I need to ask you a few questions before starting the setup.
You can keep the default options and just press enter if you are ok with them.

IPv4 or IPv6 public address: VPS_IP
Public interface: ens6 #This should be filled in automatically, but you can verify by running 'ifconfig' in another ssh session
WireGuard interface name: wg0
Server WireGuard IPv4: 10.13.13.1 #Modify default to this to match client config from ShipkaChalk
Server WireGuard IPv6: fd42:42:42::1 
Server WireGuard port [1-65535]: 51820
First DNS resolver to use for the clients: 1.1.1.1
Second DNS resolver to use for the clients (optional): 1.0.0.1

The client name must consist of alphanumeric character(s). It may also include underscores or dashes and can't exceed 15 chars.
Client name: Plex1
Client WireGuard IPv4: 10.13.13.2 
Client WireGuard IPv6: fd42:42:42::2
  4. The installer should have created a server config and a client config; you can verify with the command below (the unit name is also shown in the text printed after the last command):

systemctl status wg-quick@wg0.service

  5. Stop the Wireguard server :

systemctl stop wg-quick@wg0.service

  6. Open wg0.conf (the server config) and add the two lines that end with the comment "#IP Of peer below" (the DNAT PostUp rule and the PostDown rule that removes it):

nano /etc/wireguard/wg0.conf

[Interface]
Address = 10.13.13.1/24,fd42:42:42::1/64
ListenPort = 51820
PrivateKey = PRIVATEKEY
PostUp = iptables -I INPUT -p udp --dport 51820 -j ACCEPT
PostUp = iptables -I FORWARD -i ens6 -o wg0 -j ACCEPT
PostUp = iptables -I FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o ens6 -j MASQUERADE
PostUp = ip6tables -I FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o ens6 -j MASQUERADE
PostUp = iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.13.13.2 #IP Of peer below
PostDown = iptables -D INPUT -p udp --dport 51820 -j ACCEPT
PostDown = iptables -D FORWARD -i ens6 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o ens6 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT
PostDown = ip6tables -t nat -D POSTROUTING -o ens6 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.13.13.2 #IP Of peer below (-D, not -A: this must delete the rule added by PostUp)

### Client Plex1
[Peer]
PublicKey = PUBLICKEY
PresharedKey = PRESHAREDKEY
AllowedIPs = 10.13.13.2/32,fd42:42:42::2/128

-> To save and quit : CTRL+S & CTRL+X
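A small check for the server config above, added here as an example and not part of the original gist: every iptables rule that a PreUp/PostUp hook adds (-A or -I) should be deleted (-D) by a matching PreDown/PostDown hook, otherwise a restart of the tunnel leaves duplicate rules behind (a PostDown that uses -A instead of -D silently adds a second DNAT rule each time). The script parses the hook lines the way wg-quick does (trailing `#` comments stripped, `;`-chained commands split) and reports any rule without a counterpart. The sample config it writes is constructed to mirror the gist's server config; `check_wg_conf` and `write_sample_conf` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the gist: flag PreUp/PostUp iptables rules in a
# wg-quick config that have no matching PreDown/PostDown "-D" rule.
# Usage: check_wg_conf /etc/wireguard/wg0.conf

check_wg_conf() {
    # Exit status 0 when every rule added on the way up is deleted on the way down.
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        { sub(/[ \t]*#.*$/, "") }                     # drop trailing "# ..." comments, as wg-quick does
        /^(Pre|Post)(Up|Down)[ \t]*=/ {
            hook = ($0 ~ /^(Pre|Post)Up/) ? "up" : "down"
            sub(/^(Pre|Post)(Up|Down)[ \t]*=[ \t]*/, "")
            n = split($0, cmds, ";")                 # hooks run under bash, ";" chains several commands
            for (i = 1; i <= n; i++) {
                cmd = trim(cmds[i])
                if (cmd !~ /^ip6?tables /) continue  # skip shell assignments such as FORWARDEDPORT=32400
                if (hook == "up" && cmd ~ / -(A|I) /) {
                    key = cmd; sub(/ -(A|I) /, " ", key); up[key] = cmd
                } else if (hook == "down" && cmd ~ / -D /) {
                    key = cmd; sub(/ -D /, " ", key); down[key] = 1
                } else if (hook == "down") {
                    print "down hook does not delete a rule: " cmd; bad = 1
                }
            }
        }
        END {
            for (k in up) if (!(k in down)) { print "no -D counterpart for: " up[k]; bad = 1 }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample that mirrors the gist server config, including a
# PostDown line that uses -A where -D was intended.
write_sample_conf() {
    cat > "$1" <<'EOF'
[Interface]
Address = 10.13.13.1/24,fd42:42:42::1/64
ListenPort = 51820
PrivateKey = PRIVATEKEY
PostUp = iptables -I INPUT -p udp --dport 51820 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o ens6 -j MASQUERADE
PostUp = iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.13.13.2 #IP Of peer below
PostDown = iptables -D INPUT -p udp --dport 51820 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o ens6 -j MASQUERADE
PostDown = iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.13.13.2 #IP Of peer below
EOF
}

sample="$(mktemp)"
write_sample_conf "$sample"
if check_wg_conf "$sample"; then
    echo "all hook rules are cleaned up"
else
    echo "fix the rules reported above before starting the tunnel"
fi
rm -f "$sample"
```

Run it against /etc/wireguard/wg0.conf after editing; with the wrong -A PostDown it reports both the non-deleting down hook and the orphaned PostUp rule, and exits 1. Once the PostDown uses -D it exits 0, which also makes it usable as a pre-start check in a deploy script.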

  7. Start the Wireguard server :

systemctl start wg-quick@wg0.service

The server is now running.

  8. Open wg0-client-Plex1.conf (the client config) and copy all of its text; we'll need it later. The file name follows the client name you chose, and you can verify it in the text shown after creating the Wireguard server :

nano /root/wg0-client-Plex1.conf

  9. You're done with the VPS

On the Hetzner Server

  1. Install all updates :

sudo apt update

sudo apt upgrade

  2. Install Docker, the docker compose plugin and Portainer (a web GUI, handy for beginners) :

Docker (this assumes Docker's apt repository is already configured, as in Docker's install documentation)

sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

Portainer

docker volume create portainer_data

docker run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:latest

  3. Create a directory to hold the files; I created /PlexWireguard

mkdir /PlexWireguard

  4. Create /PlexWireguard/wireguard-client/wg_confs/wg0.conf

mkdir /PlexWireguard/wireguard-client

mkdir /PlexWireguard/wireguard-client/wg_confs

nano /PlexWireguard/wireguard-client/wg_confs/wg0.conf

  5. Paste the text you copied from the VPS client config (step 8 of the VPS section above); you only need to add the PostUp and PreDown lines shown here :
[Interface]
Address = 10.13.13.2
PrivateKey = PRIVATEKEY
ListenPort = 51820
DNS = 10.13.13.1

PostUp = iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o wg+ -j MASQUERADE
PostUp = FORWARDEDPORT=32400; iptables -A INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -A INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT;
PreDown = FORWARDEDPORT=32400; iptables -D INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -D INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT;

[Peer]
PublicKey = PUBLICKEY
PresharedKey = PRESHAREDKEY
Endpoint = VPS_IP:51820
AllowedIPs = 0.0.0.0/0 #The installer writes 0.0.0.0/0,::/0; drop ",::/0" (as done here) if you have issues using IPv6
  6. Create the docker-compose.yml

cd /

nano docker-compose.yml

  7. Paste this and make sure the volume paths in plex and wireguard line up :
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000 #Change if not correct, just type "id" in a new ssh session to get this
      - PGID=1000 #Change if not correct, just type "id" in a new ssh session to get this
      - TZ=Europe/Paris #Change if not correct
      - PEERDNS=1.1.1.1
    volumes:
      - /PlexWireguard/wireguard-client:/config
      - /lib/modules:/lib/modules
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    ports:
      - 32400:32400
    restart: unless-stopped

  plex:
    image: linuxserver/plex
    container_name: plex
    shm_size: '32gb' #OPTIONAL Transcoding temp files to ram makes this parameter needed
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Paris
      - VERSION=docker
    volumes:
      - /PlexWireguard/config:/config
      - /path/to/data:/media #Put here the path to your media library
      - /dev/shm:/transcode #OPTIONAL Transcoding temp files to ram makes this parameter needed
    devices:
      - /dev/dri:/dev/dri #OPTIONAL If you have Intel GPU, this is necessary
    privileged: true #OPTIONAL Gives the container full access to the host; not sure it is needed for transcoding, since /dev/dri is already passed via "devices", so try without it first
    network_mode: service:wireguard
    restart: unless-stopped

Info : If you still can't get transcoding working, try chmod -R 777 /dev/dri (a less permissive alternative is to add the PUID user to the host's render/video group that owns /dev/dri).

  8. Start the stack and visit http://VPS_IP:32400; you should see your Plex.

docker compose -f docker-compose.yml up

(The docker-compose-plugin installed above provides the docker compose subcommand; it does not install the standalone docker-compose binary.)

Troubleshooting

Follow the steps below in order, post a comment saying where you get to if it fails.

Get into the containers on Hetzner.

  1. Plex Container : docker exec -it plex /bin/bash

1.a. Run curl localhost:32400 : you should see some HTML coming back. If not, Plex isn't up.

1.b. Run curl icanhazip.com to make sure it returns the VPS_IP. If not, your WireGuard tunnel is not connected.

  2. Wireguard Container : docker exec -it wireguard /bin/bash

2.a. Run curl localhost:32400 : you should see some HTML coming back. If not, the plex container is not connected to the wireguard container.

2.b. Run curl icanhazip.com to make sure it returns the VPS IP. If not, your WireGuard tunnel is not connected.

  3. Verify the firewall and open ports in the Hetzner panel, and check ufw : ufw status

Get into the VPS.

  1. Run ifconfig and check that the wg0 interface is present.

  2. If yes, run wg show and check whether the peer has connected (it should show a recent latest handshake).

  3. If not, the server is not up : run systemctl status wg-quick@wg0.service; if it is started, restart it with systemctl restart wg-quick@wg0.service and then check again with systemctl status wg-quick@wg0.service (verify that wg-quick@wg0.service is the correct name of your WireGuard server unit)

  4. Verify the firewall and open the ports in the VPS provider's panel (here IONOS), and check ufw : ufw status
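To make step 2 above a repeatable check rather than something to eyeball, here is an added example (not from the gist) that reads the tab-separated output of `wg show wg0 dump` and flags peers that never completed a handshake or whose latest handshake is older than a threshold. A peer that is actually exchanging traffic rekeys roughly every two minutes, so a zero or stale handshake timestamp means the tunnel is not really up even though `wg show` lists the peer. The sample dump is constructed with placeholder keys and a documentation IP; `stale_peers` and `sample_dump` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the gist: parse `wg show <iface> dump` and report
# peers without a recent handshake.
# Dump layout: line 1 = interface (private key, public key, listen port, fwmark);
# following lines = one peer each (public key, preshared key, endpoint,
# allowed IPs, latest handshake as Unix time or 0, rx bytes, tx bytes, keepalive).
# Usage on the VPS: wg show wg0 dump | stale_peers "$(date +%s)" 180

stale_peers() {
    now="$1"; max_age="${2:-180}"
    awk -F'\t' -v now="$now" -v max_age="$max_age" '
        NR == 1 { next }                       # interface line, not a peer
        {
            peer = substr($1, 1, 8) "..."      # public key, shortened for display
            endpoint = $3; hs = $5 + 0         # 0 means the peer never handshaked
            if (hs == 0) {
                printf "%s %s: never handshaked\n", peer, endpoint; bad = 1
            } else if (now - hs > max_age) {
                printf "%s %s: last handshake %d s ago (stale)\n", peer, endpoint, now - hs; bad = 1
            } else {
                printf "%s %s: ok, last handshake %d s ago\n", peer, endpoint, now - hs
            }
        }
        END { exit (bad ? 1 : 0) }             # non-zero when any peer is not connected
    '
}

# Constructed sample in the dump layout: the Plex1 peer handshaked 30 s ago,
# a second peer never connected. Keys and addresses are placeholders.
sample_dump() {
    now="$1"
    printf 'SERVERPRIVATEKEY\tSERVERPUBLICKEY\t51820\toff\n'
    printf 'PLEX1PUBLICKEY\tPRESHAREDKEY\t203.0.113.10:41000\t10.13.13.2/32,fd42:42:42::2/128\t%s\t1024\t2048\toff\n' "$((now - 30))"
    printf 'OTHERPUBLICKEY\t(none)\t(none)\t10.13.13.3/32\t0\t0\t0\toff\n'
}

now="$(date +%s)"
sample_dump "$now" | stale_peers "$now" 180 || echo "at least one peer is not connected"
```

On the VPS, replace the sample with the real dump (`wg show wg0 dump | stale_peers "$(date +%s)" 180`); if the Plex1 peer shows "never handshaked", the Hetzner side is not reaching UDP 51820 (check the provider firewall and ufw as in step 4), and if it shows a stale handshake the tunnel came up once and then dropped.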

On your home machine.

  1. Visit http://VPS_IP:32400; you should reach Plex. If not, create an SSH tunnel to verify that Plex itself is fine : ssh USER@HETZNER_IP -L 8888:localhost:32400 and then visit http://localhost:8888