Plex is locking remote streaming behind a subscription in April
-
Hmm i need to revisit it again. Thanks!
I just confirmed it has it. You need to be on the same subnet, which is why VPN won't work. But then everything shows up as castable
-
I think I represent a huge portion of Plex users; I am tech savvy enough to follow a simple walkthrough on YouTube to get my server setup. But the arrs, jellyfin, and docker both look like graduate level chemistry to me.
Plex has been around for ages and they have put money into making things easier for users like me to understand with events such as Pro Week and directly paying content creators to dumb things down for me.
It's quite easy without docker to get lots of it running with a dietpi install. Runs on rpi and alike, but also on any "normal" old low end pc. Just select jellyfin, arrs, ... It handles it all for you, no need to learn Docker (I know people will argue about the advantages of docker, which are valid points, but ease of installation is more important to many people). The only difficulty remains the streaming outside your own LAN (because it's risky). VPN, tailscale, ... there's options but it always keeps on feeling risky to open up outside LAN. Local setup for jellyfin can be really really easy tho, if it's just for yourself and you mostly watch at home anyway... And in some jellyfin compatible app like Finamp and Streamyfin you can just download a few music albums, episodes or movies to your phone before you travel...
-
You don’t need to manually setup port forwarding with plex and if you want access off your network (such as when traveling) or to let others in it gets way more complicated.
That ease of outside LAN access poses a big risk tho. Plex can and eventually probably will share, be forced to share, get hacked etc Those cloud accounts imply the possibility of very detailed reports about who's streaming what, when, where, from which source...
-
Thanks for the info! How is your experience with using the app? Is it buggy? Does it need frequent updates?
I've only personally used it a couple times, but my relatives have used it a bunch with no reported issues. I have not had to update it yet, but it's only been a few months. Definitely not frequent updates. My jellyfin server has had one update since then, but even the server updates aren't coming in on a weekly basis, so I don't expect their client will break anytime soon.
-
You are, authentication on the VPS, you're relying on Jellyfin authentication against the internet. Correct me if I'm wrong, but this is your suggested setup: [home server] Jellyfin -> [remote server] Reverse Proxy -> [remote machine] users. Let's imagine a scenario where Jellyfin has a bug that if you leave the password empty it logs you in (I know, it's an exaggeration but just for the sake of argument, an SQL injection or other similar attacks would be more plausible but I'm trying to keep things simple), on your setup now anyone can log into your Jellyfin and from there it's one jump to your home server. On Plex's solution even if Plex authentication gets compromised the attacker only got access to the remote server, and would now need to find another vulnerability to jump to your Plex at home.
Putting something like Authelia/Authentik on a VPS in front of Jellyfin is a similar approach, but the Jellyfin client can't handle third party authentication AFAIK
My interpretation of your linked instruction (granted, I haven't tried plex) is that it's the same two scenarios.
Your plex client app login talks directly to your server login. The client app meeting the server is arranged by the plex relay server and nothing more. There is no 'logging in' to the plex relay server; it's function is to arrange a meeting of two tunnels and that's it, much like a tailscale derp server.
The relay server is serving the same function as caddy on a VPS, hell, they could even be using tailscale under the hood and it'd look exactly the same to a user.
Anyway, attack vectors even with a public facing jellyfin are mitigated because
a) jellyfin is running in a docker container = a successful attacker would only be able to trash my jellyfin container, which ultimately is not that big of a deal (unless there is a different docker exploit that enables access to the server itself, which is an entirely different issue and larger than a jellyfin/plex discussion)
b) fail2ban in conjunction with a reverse proxy bans malicious ip addresses that come back with too many errors too many times (errors that you, the admin, specify) So, for example, brute force login attacks are mitigated.
c) the reverse proxy itself allows access to only one specified internal ip address/port combination. Pending a caddy exploit (again, a different discussion) it is not possible to fish for acrive ip addresses or port scan my internal network.
-
That ease of outside LAN access poses a big risk tho. Plex can and eventually probably will share, be forced to share, get hacked etc Those cloud accounts imply the possibility of very detailed reports about who's streaming what, when, where, from which source...
If you are someone on this community or is just generally tech savvy enough to host Jellyfin you should. I don’t advocate for plex for people who don’t need it. But a lot of people are not knowledgeable enough for Jellyfin or are just nervous about it
-
Docker isn’t hard if you use a compose file. It’s easy to read syntax.
This is giving me "yaml isn't hard to use if you use a compose file!" It is, actually. It's easy for you because you understand the technology. The vast majority of people do not.
Of course. But if you managed to setup Plex then you've already shown you have willing to learn...
-
I keep a Jellyfin instance running as a hedge. Here's the thing with Plex (and actually a lot of companies set up similarly): those "lifetime" memberships are a trap. Think about it: Plex gets your money ONCE but they have ongoing expenses. Sooner or later, they'll have spent every single cent made by a lifetime membership unless they either get more folks OR squeeze everyone a bit more.
Once they started adding their own shows and making strange UI decisions, I could sense the end was coming. A move like this brings it up fast. Jellyfin is not nearly as good as Plex in a lot of ways, but it's really Open Source.
Anyway, a lot of rambling, but in short: when there is a "lifetime" subscription, watch out!
Pcloud will probably go this way.
-
Wireguard so you are always seen as being on the local network. This bit of assholery is easily defeated.
Or morally better than breaking TOS, use a FOOS alternative like Jellyfin.
-
We are also changing how remote playback works for streaming personal media (that is, playback when not on the same local network as the server). The reality is that we need more resources to continue putting forth the best personal media experience, and as a result, we will no longer offer remote playback as a free feature. This—alongside the new Plex Pass pricing—will help provide those resources. This change will apply to the future release of our new Plex experience for mobile and other platforms.
A big part of the appeal with Plex is that you can run a server and friends can sign up for a FREE account and stream remotely. When you take this away, you're going to just kneecap the whole offering. This is such an arrogant move from Plex: they are thinking that when this change goes live they will get a flood of subscriptions. The more likely outcome is they will get a few subscriptions and a lot more angry and frustrated people that walk away.
-
My interpretation of your linked instruction (granted, I haven't tried plex) is that it's the same two scenarios.
Your plex client app login talks directly to your server login. The client app meeting the server is arranged by the plex relay server and nothing more. There is no 'logging in' to the plex relay server; it's function is to arrange a meeting of two tunnels and that's it, much like a tailscale derp server.
The relay server is serving the same function as caddy on a VPS, hell, they could even be using tailscale under the hood and it'd look exactly the same to a user.
Anyway, attack vectors even with a public facing jellyfin are mitigated because
a) jellyfin is running in a docker container = a successful attacker would only be able to trash my jellyfin container, which ultimately is not that big of a deal (unless there is a different docker exploit that enables access to the server itself, which is an entirely different issue and larger than a jellyfin/plex discussion)
b) fail2ban in conjunction with a reverse proxy bans malicious ip addresses that come back with too many errors too many times (errors that you, the admin, specify) So, for example, brute force login attacks are mitigated.
c) the reverse proxy itself allows access to only one specified internal ip address/port combination. Pending a caddy exploit (again, a different discussion) it is not possible to fish for acrive ip addresses or port scan my internal network.
First of all I agree with most of your a, b and c points, just would like to point out that while it's true that Docker containers provide an extra level of security they're not as closed down as people sometimes believe, but as a general rule I agree with everything you said.
But you're wrong about the way Plex works, this is a quote from their documentation:
So, your Plex Media Server basically “relays” the media stream through our server so that your app can access it since the app can’t connect with your server directly.
If that's not clear enough:
Your security and privacy is important to us. When you have enabled secure connections on your Plex Media Server, then your streaming will continue to be secure and encrypted even when using our Relay feature. (When using secure connections, the content is encrypted end-to-end and tunneled through our Relay. The connection is not terminated on our servers and only your Plex Media Server has the certificate.)
So it's very clear data is streaming through their relay server, which goes back to my original point of I expect that to be a paid feature, it's using bandwidth from their relay servers.
As for the security again you're wrong, authentication happens on the Plex remote server, not on your local one, which is why you can't use Plex without internet (part of my dislike for them). So you connect to Plex remote server and authenticate there, you then get a client that's talking to the remote server, even if someone was able to bypass that login they would be inside a Plex owned server, not yours, they would need to then exploit whatever API exists between your home server and that one to jump to your machine, so it's an extra jump needed, again similarly to having Authelia/Authentik in front of Jellyfin.
-
But what infrastructure does this feature require? I'm direct connecting to my own personal server with perhaps credential handling and a handshake handled by Plex servers to connect. None of the media is passing through their servers - or it shouldn't be if it is.
In a nutshell, if your app isn’t able to make a direct connection to your Plex Media Server when you’re away from home, we can act as sort of a middle man and “relay” the stream from your server to your app. To accomplish this, your Plex Media Server establishes a secure connection to one of our Relay servers. Your app then also connects securely to the same Relay server and accesses the stream from your Plex Media Server. (In technical terms, the content is tunneled through.)
So, your Plex Media Server basically “relays” the media stream through our server so that your app can access it since the app can’t connect with your server directly.
Source: https://support.plex.tv/articles/216766168-accessing-a-server-through-relay/
It's not a requirement to stream and it's sort of dumb they are lumping this relay service as a part of the remote streaming. Remote streaming should be allowed for free - if you are not a subscriber. The relay should just be a paid service, which makes sense. But if it's a direct connection to my server, it should be free.
That being said, I understand how Plex may have built some technical debt into this relay system. It might be hard for them to decouple the relay from the remote streaming. What they should have done is:
We are removing the relay service as a free service, but you can still do remote streaming with a direct connection.
And they should have built their architecture in a way that's easy to decouple the two services.
-
not if you’re behind VPN
Well that’s a very unexpected dealbreaker for me
Yes, it does introduce insecurity, so not for everyone. I have it behind a domain on cloudflare (let's encrypt cert) with nginx reverse proxy
-
Yes, it does introduce insecurity, so not for everyone. I have it behind a domain on cloudflare (let's encrypt cert) with nginx reverse proxy
And that’s where the extent of my technical knowledge smashes into a wall lol
-
Judging by the rest of the thread I'm going to get downvoted for this, but what the hell:
I'm sure I'll switch to Jellyfin eventually but I tried it out a few weeks ago to see what all the hype was about and it just... wasn't great. It was difficult to setup, with way too many overly-complicated settings, and then it refused to play one of the two test files I tried. Like it or not there's a reason that Plex is the dominant player in the game, and a large part of that reason is that it verges on plug-and-play for simplicity of both setup and use.
Yes, it sucks that they're removing remote streaming for free users, but I imagine there's a significant chunk of users who don't know or care how to properly open their server up to the world and are relying on the Plex proxies for their streams (which happens entirely in the background), and those aren't going to be cheap to run. Maybe putting them behind a paywall will provide the resources to make them faster.
I did buy a lifetime pass last time they announced a price hike; it's honestly paid for itself many times over, and I've been encouraging other users I know to do the same before this next one, because yes, it is a significant hike this time around. That said, while I wouldn't pay monthly for it, I do still feel like the lifetime pass is tremendous value for such a polished product. It's a shame they've had to do it at all, but I don't begrudge them for it.
I imagine there’s a significant chunk of users who don’t know or care how to properly open their server up to the world and are relying on the Plex proxies
That seems like the obvious place to put a subscription that won’t get people upset. Or maybe it’s in the presentation.
When HomeAssistant started a subscription, they renewed their commitment to opensource, added remote features under subscription while still letting you do it yourself, plus made it clear this funded continued opensource development. I happily pay this and haven’t been disappointed. Did Plex fumble a similar opportunity?
-
I used to use Plex, then one day my internet was down and since Plex couldn't phone home, it wouldn't let me log in to watch media ON MY LAN.
So yeah it's inherently broken. That's before you even consider the licensing.
Depending on setup this can be true with Jellyfin, too. I have a domain registered, use dynamic DNS, and have Traefik direct a subdomain to my Jellyfin server. My mobile clients are configured using that. My local clients use the local static IP.
If my internet goes down, my mobile clients can’t connect, even on the LAN.
-
It has to do with the app used. I think it will work with web player and maybe the windows app, but it won't work on Android/iOS.
oh okay, interesting. well, you could always use the web browser on your phone/ipad i guess. not a great experience but i know for a fact that plex works on ios in chrome at the very least.
-
I think I represent a huge portion of Plex users; I am tech savvy enough to follow a simple walkthrough on YouTube to get my server setup. But the arrs, jellyfin, and docker both look like graduate level chemistry to me.
Plex has been around for ages and they have put money into making things easier for users like me to understand with events such as Pro Week and directly paying content creators to dumb things down for me.
I've got to admit that I've never used Plex (I'm a cantankerous open software fanatic), but how do you get your media on there? You're hosting your own server so presumably you're downloading the media somehow. Are you doing it manually? If so, you can do the same with Jellyfin. Is it automated with some tool built into Plex?
-
And that’s where the extent of my technical knowledge smashes into a wall lol
Yes, it took me a long time to figure it out. Which is why Plex feels comfortable charging for it
-
In a nutshell, if your app isn’t able to make a direct connection to your Plex Media Server when you’re away from home, we can act as sort of a middle man and “relay” the stream from your server to your app. To accomplish this, your Plex Media Server establishes a secure connection to one of our Relay servers. Your app then also connects securely to the same Relay server and accesses the stream from your Plex Media Server. (In technical terms, the content is tunneled through.)
So, your Plex Media Server basically “relays” the media stream through our server so that your app can access it since the app can’t connect with your server directly.
Source: https://support.plex.tv/articles/216766168-accessing-a-server-through-relay/
It's not a requirement to stream and it's sort of dumb they are lumping this relay service as a part of the remote streaming. Remote streaming should be allowed for free - if you are not a subscriber. The relay should just be a paid service, which makes sense. But if it's a direct connection to my server, it should be free.
That being said, I understand how Plex may have built some technical debt into this relay system. It might be hard for them to decouple the relay from the remote streaming. What they should have done is:
We are removing the relay service as a free service, but you can still do remote streaming with a direct connection.
And they should have built their architecture in a way that's easy to decouple the two services.
Thanks for that - I wasn't aware of the relay service, but completely agree that this is what they should be charging for and not the remote play feature in its entirety. I'll probably drag it out for a while by refusing to update the app and server... Might be able to make it work with Tailscale as others have suggested.
In the past I've paid for a month or two when I wanted to download to my devices remotely (and I think that's the singular feature that I've ever cared about in the Plex pass). But to take features away and then try and charge me for them is a bridge too far, I can't support that bad behavior.
