Plex is locking remote streaming behind a subscription in April
-
WireGuard so you are always seen as being on the local network. This bit of assholery is easily defeated.
Or morally better than breaking TOS, use a FOSS alternative like Jellyfin.
-
We are also changing how remote playback works for streaming personal media (that is, playback when not on the same local network as the server). The reality is that we need more resources to continue putting forth the best personal media experience, and as a result, we will no longer offer remote playback as a free feature. This—alongside the new Plex Pass pricing—will help provide those resources. This change will apply to the future release of our new Plex experience for mobile and other platforms.
A big part of the appeal with Plex is that you can run a server and friends can sign up for a FREE account and stream remotely. When you take this away, you're going to just kneecap the whole offering. This is such an arrogant move from Plex: they are thinking that when this change goes live they will get a flood of subscriptions. The more likely outcome is they will get a few subscriptions and a lot more angry and frustrated people that walk away.
-
My interpretation of your linked instruction (granted, I haven't tried plex) is that it's the same two scenarios.
Your plex client app login talks directly to your server login. The client app meeting the server is arranged by the plex relay server and nothing more. There is no 'logging in' to the plex relay server; its function is to arrange a meeting of two tunnels and that's it, much like a tailscale derp server.
The relay server is serving the same function as caddy on a VPS, hell, they could even be using tailscale under the hood and it'd look exactly the same to a user.
Anyway, attack vectors even with a public facing jellyfin are mitigated because
a) jellyfin is running in a docker container = a successful attacker would only be able to trash my jellyfin container, which ultimately is not that big of a deal (unless there is a different docker exploit that enables access to the server itself, which is an entirely different issue and larger than a jellyfin/plex discussion)
b) fail2ban in conjunction with a reverse proxy bans malicious ip addresses that come back with too many errors too many times (errors that you, the admin, specify). So, for example, brute force login attacks are mitigated.
c) the reverse proxy itself allows access to only one specified internal ip address/port combination. Pending a caddy exploit (again, a different discussion) it is not possible to fish for active ip addresses or port scan my internal network.
First of all I agree with most of your a, b and c points, just would like to point out that while it's true that Docker containers provide an extra level of security they're not as closed down as people sometimes believe, but as a general rule I agree with everything you said.
But you're wrong about the way Plex works, this is a quote from their documentation:
So, your Plex Media Server basically “relays” the media stream through our server so that your app can access it since the app can’t connect with your server directly.
If that's not clear enough:
Your security and privacy is important to us. When you have enabled secure connections on your Plex Media Server, then your streaming will continue to be secure and encrypted even when using our Relay feature. (When using secure connections, the content is encrypted end-to-end and tunneled through our Relay. The connection is not terminated on our servers and only your Plex Media Server has the certificate.)
So it's very clear data is streaming through their relay server, which goes back to my original point of I expect that to be a paid feature, it's using bandwidth from their relay servers.
As for the security again you're wrong, authentication happens on the Plex remote server, not on your local one, which is why you can't use Plex without internet (part of my dislike for them). So you connect to Plex remote server and authenticate there, you then get a client that's talking to the remote server, even if someone was able to bypass that login they would be inside a Plex owned server, not yours, they would need to then exploit whatever API exists between your home server and that one to jump to your machine, so it's an extra jump needed, again similarly to having Authelia/Authentik in front of Jellyfin.
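Point (b) of the comment quoted above (banning addresses that produce too many errors at the reverse proxy) sketched as an added example; it is not code from any poster in this thread, nor fail2ban's own implementation. It assumes Caddy-style JSON access-log lines with `ts`, `status` and `request.remote_ip` fields; the thresholds, the counted status codes and the sample lines are constructed for illustration.

```python
import json
from collections import defaultdict, deque

FIND_TIME = 600          # seconds in which failures are counted (like fail2ban's findtime)
MAX_RETRY = 3            # failures inside the window that trigger a ban (like maxretry)
BAD_STATUS = {401, 403}  # statuses the admin chose to count (assumption)

# Constructed sample lines shaped like a reverse proxy's JSON access log.
SAMPLE_LOG = """\
{"ts": 1000.0, "request": {"remote_ip": "203.0.113.7", "uri": "/Users/AuthenticateByName"}, "status": 401}
{"ts": 1000.0, "request": {"remote_ip": "198.51.100.20", "uri": "/Users/AuthenticateByName"}, "status": 401}
{"ts": 1010.0, "request": {"remote_ip": "192.0.2.10", "uri": "/web/index.html"}, "status": 200}
{"ts": 1030.0, "request": {"remote_ip": "203.0.113.7", "uri": "/Users/AuthenticateByName"}, "status": 401}
this line is truncated and not valid JSON
{"ts": 1060.0, "request": {"remote_ip": "203.0.113.7", "uri": "/Users/AuthenticateByName"}, "status": 401}
{"ts": 1700.0, "request": {"remote_ip": "198.51.100.20", "uri": "/Users/AuthenticateByName"}, "status": 401}
{"ts": 2400.0, "request": {"remote_ip": "198.51.100.20", "uri": "/Users/AuthenticateByName"}, "status": 401}
"""

def find_offenders(lines, find_time=FIND_TIME, max_retry=MAX_RETRY):
    """Return {ip: timestamp of the failure that crossed the threshold}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    banned = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
            ip = entry["request"]["remote_ip"]
            ts = float(entry["ts"])
            status = int(entry["status"])
        except (ValueError, KeyError, TypeError):
            continue              # malformed or unexpected line: ignore, do not crash
        if status not in BAD_STATUS or ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        # Drop failures that have aged out of the counting window.
        while window and ts - window[0] > find_time:
            window.popleft()
        if len(window) >= max_retry:
            banned[ip] = ts
    return banned

if __name__ == "__main__":
    for ip, ts in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} (threshold crossed at ts={ts})")
```

The slow client at 198.51.100.20 also fails three times but never within one window, which is the trade-off the admin makes when choosing the window and retry count.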
-
But what infrastructure does this feature require? I'm direct connecting to my own personal server with perhaps credential handling and a handshake handled by Plex servers to connect. None of the media is passing through their servers - or it shouldn't be if it is.
In a nutshell, if your app isn’t able to make a direct connection to your Plex Media Server when you’re away from home, we can act as sort of a middle man and “relay” the stream from your server to your app. To accomplish this, your Plex Media Server establishes a secure connection to one of our Relay servers. Your app then also connects securely to the same Relay server and accesses the stream from your Plex Media Server. (In technical terms, the content is tunneled through.)
So, your Plex Media Server basically “relays” the media stream through our server so that your app can access it since the app can’t connect with your server directly.
Source: https://support.plex.tv/articles/216766168-accessing-a-server-through-relay/
It's not a requirement to stream and it's sort of dumb they are lumping this relay service as a part of the remote streaming. Remote streaming should be allowed for free - if you are not a subscriber. The relay should just be a paid service, which makes sense. But if it's a direct connection to my server, it should be free.
That being said, I understand how Plex may have built some technical debt into this relay system. It might be hard for them to decouple the relay from the remote streaming. What they should have done is:
We are removing the relay service as a free service, but you can still do remote streaming with a direct connection.
And they should have built their architecture in a way that's easy to decouple the two services.
-
not if you’re behind VPN
Well that’s a very unexpected dealbreaker for me
Yes, it does introduce insecurity, so not for everyone. I have it behind a domain on cloudflare (let's encrypt cert) with nginx reverse proxy
-
Yes, it does introduce insecurity, so not for everyone. I have it behind a domain on cloudflare (let's encrypt cert) with nginx reverse proxy
And that’s where the extent of my technical knowledge smashes into a wall lol
-
Judging by the rest of the thread I'm going to get downvoted for this, but what the hell:
I'm sure I'll switch to Jellyfin eventually but I tried it out a few weeks ago to see what all the hype was about and it just... wasn't great. It was difficult to setup, with way too many overly-complicated settings, and then it refused to play one of the two test files I tried. Like it or not there's a reason that Plex is the dominant player in the game, and a large part of that reason is that it verges on plug-and-play for simplicity of both setup and use.
Yes, it sucks that they're removing remote streaming for free users, but I imagine there's a significant chunk of users who don't know or care how to properly open their server up to the world and are relying on the Plex proxies for their streams (which happens entirely in the background), and those aren't going to be cheap to run. Maybe putting them behind a paywall will provide the resources to make them faster.
I did buy a lifetime pass last time they announced a price hike; it's honestly paid for itself many times over, and I've been encouraging other users I know to do the same before this next one, because yes, it is a significant hike this time around. That said, while I wouldn't pay monthly for it, I do still feel like the lifetime pass is tremendous value for such a polished product. It's a shame they've had to do it at all, but I don't begrudge them for it.
I imagine there’s a significant chunk of users who don’t know or care how to properly open their server up to the world and are relying on the Plex proxies
That seems like the obvious place to put a subscription that won’t get people upset. Or maybe it’s in the presentation.
When HomeAssistant started a subscription, they renewed their commitment to opensource, added remote features under subscription while still letting you do it yourself, plus made it clear this funded continued opensource development. I happily pay this and haven’t been disappointed. Did Plex fumble a similar opportunity?
-
I used to use Plex, then one day my internet was down and since Plex couldn't phone home, it wouldn't let me log in to watch media ON MY LAN.
So yeah it's inherently broken. That's before you even consider the licensing.
Depending on setup this can be true with Jellyfin, too. I have a domain registered, use dynamic DNS, and have Traefik direct a subdomain to my Jellyfin server. My mobile clients are configured using that. My local clients use the local static IP.
If my internet goes down, my mobile clients can’t connect, even on the LAN.
-
It has to do with the app used. I think it will work with web player and maybe the windows app, but it won't work on Android/iOS.
-
I think I represent a huge portion of Plex users; I am tech savvy enough to follow a simple walkthrough on YouTube to get my server setup. But the arrs, jellyfin, and docker both look like graduate level chemistry to me.
Plex has been around for ages and they have put money into making things easier for users like me to understand with events such as Pro Week and directly paying content creators to dumb things down for me.
I've got to admit that I've never used Plex (I'm a cantankerous open software fanatic), but how do you get your media on there? You're hosting your own server so presumably you're downloading the media somehow. Are you doing it manually? If so, you can do the same with Jellyfin. Is it automated with some tool built into Plex?
-
And that’s where the extent of my technical knowledge smashes into a wall lol
Yes, it took me a long time to figure it out. Which is why Plex feels comfortable charging for it
-
In a nutshell, if your app isn’t able to make a direct connection to your Plex Media Server when you’re away from home, we can act as sort of a middle man and “relay” the stream from your server to your app. To accomplish this, your Plex Media Server establishes a secure connection to one of our Relay servers. Your app then also connects securely to the same Relay server and accesses the stream from your Plex Media Server. (In technical terms, the content is tunneled through.)
So, your Plex Media Server basically “relays” the media stream through our server so that your app can access it since the app can’t connect with your server directly.
Source: https://support.plex.tv/articles/216766168-accessing-a-server-through-relay/
It's not a requirement to stream and it's sort of dumb they are lumping this relay service as a part of the remote streaming. Remote streaming should be allowed for free - if you are not a subscriber. The relay should just be a paid service, which makes sense. But if it's a direct connection to my server, it should be free.
That being said, I understand how Plex may have built some technical debt into this relay system. It might be hard for them to decouple the relay from the remote streaming. What they should have done is:
We are removing the relay service as a free service, but you can still do remote streaming with a direct connection.
And they should have built their architecture in a way that's easy to decouple the two services.
Thanks for that - I wasn't aware of the relay service, but completely agree that this is what they should be charging for and not the remote play feature in its entirety. I'll probably drag it out for a while by refusing to update the app and server... Might be able to make it work with Tailscale as others have suggested.
In the past I've paid for a month or two when I wanted to download to my devices remotely (and I think that's the singular feature that I've ever cared about in the Plex pass). But to take features away and then try and charge me for them is a bridge too far, I can't support that bad behavior.
-
I paid for the lifetime membership ~6 years ago so I'm going to stick with it. Plus I just use it for my own home. It's not like I'm serving a bunch of other clients. But I'll switch to Jellyfin if the lifetime membership ever gets taken away.
I considered it when they warned about the increase and offered it at $75, but I just didn't have the money to spend back then. Felt pretty stupid for not doing it, but I don't even know what paid features they offer, and I'm clearly not missing them.
99% of my usage is at home as well, so this is unlikely to affect me - until that random 1% anyhow.
-
I'm not sure why it would do this, I've never had any issues with watching plex while the internet is down (in fact that was one of my original uses for it, to have movies and tv in a building without internet). I don't have it turned on but I do know you can go into server settings -> network and set a list of IPs/subnets that can access without any authorization at all. That lets you use plex without even having a plex account afaik.
This is provably what I would have needed. But since I couldn't log in, I couldn't do anything.
-
Yes, it took me a long time to figure it out. Which is why Plex feels comfortable charging for it
I really, really wish I could competently set up and maintain a Jellyfin server. But even if I could, I have to get my wife comfortable with interfacing with it too. She has really enjoyed using Plex because it basically slots right in any lineup of the major streaming services
-
I consider myself pretty tech savvy but after I got Jellyfin set up I accidentally broke it within weeks, I wasn’t even able to get it consistently playing outside of my home network to my devices. Some ISPs also make it hard to tinker with their modems/routers, and let’s not forget that most people when they set up their Internet just use whatever the ISP provides for them.
Ok, that is a totally different use case than mine. I'm one of those guys browsing a selfhosting community on the fediverse and I only want to stream my own stuff to my mobile and provide my wife with audiobooks. If you're providing a bigger group of people with streaming services, who are not tech savvy, another software might be the better solution. But that doesn't mean that Jellyfin is bad - it's just another use case with different requirements
-
Ok, that is a totally different use case than mine. I'm one of those guys browsing a selfhosting community on the fediverse and I only want to stream my own stuff to my mobile and provide my wife with audiobooks. If you're providing a bigger group of people with streaming services, who are not tech savvy, another software might be the better solution. But that doesn't mean that Jellyfin is bad - it's just another use case with different requirements
I don’t think I called Jellyfin bad or anything like bad in a single comment I wrote
-
First of all I agree with most of your a, b and c points, just would like to point out that while it's true that Docker containers provide an extra level of security they're not as closed down as people sometimes believe, but as a general rule I agree with everything you said.
But you're wrong about the way Plex works, this is a quote from their documentation:
So, your Plex Media Server basically “relays” the media stream through our server so that your app can access it since the app can’t connect with your server directly.
If that's not clear enough:
Your security and privacy is important to us. When you have enabled secure connections on your Plex Media Server, then your streaming will continue to be secure and encrypted even when using our Relay feature. (When using secure connections, the content is encrypted end-to-end and tunneled through our Relay. The connection is not terminated on our servers and only your Plex Media Server has the certificate.)
So it's very clear data is streaming through their relay server, which goes back to my original point of I expect that to be a paid feature, it's using bandwidth from their relay servers.
As for the security again you're wrong, authentication happens on the Plex remote server, not on your local one, which is why you can't use Plex without internet (part of my dislike for them). So you connect to Plex remote server and authenticate there, you then get a client that's talking to the remote server, even if someone was able to bypass that login they would be inside a Plex owned server, not yours, they would need to then exploit whatever API exists between your home server and that one to jump to your machine, so it's an extra jump needed, again similarly to having Authelia/Authentik in front of Jellyfin.
Okay. I finally understand what you mean 🥲
Authenticate a self hosted software stack in someone else's cloud
That is a wild design choice. Glad it works for some...
Anyway... apologies for being ignorant
-
Okay. I finally understand what you mean 🥲
Authenticate a self hosted software stack in someone else's cloud
That is a wild design choice. Glad it works for some...
Anyway... apologies for being ignorant
No need to apologize, it's a weird choice from Plex, I would have never guessed that this is how it works if I hadn't suffered outages myself, and I'm amazed that not many people call them out on this, it seems completely against what most self-hosting people are looking for, but they seem to defend Plex with teeth and nails.