Accessing Emby Media Server via Tailscale VPN from Roku Smart TV

Hi all. I’m hosting an Emby Media Server on TrueNAS Scale and want to give remote access to a family member. My ISP uses CGNAT, so no port forwarding if I wanted to. I have pfSense with Tailscale configured as a subnet router along with my own DNS entries and Nginx Proxy Manager for access via https://media.my.domain. This works great for remote access via devices with Tailscale installed. However, my relative uses a Roku which of course doesn’t have a Tailscale client.

My current solution is a Raspberry Pi with Tailscale, IP forwarding enabled, an iptables masquerade rule, and a static route on my relative’s router. I can simply point the Roku app to the local IP address for Emby, the static route sends the traffic to the Pi, and Tailscale does the rest. This works, but doesn’t provide the DNS entries to support my custom domain with HTTPS. Not a big deal since it’s all going over the VPN and you never have to enter the IP address after the initial Emby app setup. However, I’m trying to think of ways to add HTTPS domain support without redoing my relative’s network. He might access it on his laptop as well, which is much nicer with the HTTPS domain.

Some options I’ve thought of are:

  1. Set up a pfSense box as my relative’s router. I could install Tailscale there and easily add my DNS entries. However, this would be overkill and more costly than I’d like. I would be on the hook for any future issues that might arise, rather than him just being able to reset or replace his current consumer grade router.

  2. Set up Pi-Hole or AdGuard on the Pi to add the DNS entries. I did try this and it worked… until it didn’t. I set his router to use the Pi as the primary DNS and Quad9 as the secondary. I don’t want him being unable to access the Internet if the Pi were to die. His router would sometimes use Quad9 even though the Pi was up and running. It didn’t behave in a failover fashion like I would have expected. Roku doesn’t let you define your DNS servers, so I can’t just set it there.

  3. Use NextDNS with custom entries. Haven’t actually tried this yet, but the only supported setup method would be IP linking. His ISP also uses CGNAT and I’ve read that this will cause issues with that, as one would expect.

  4. Add public DNS records that point to the private IP for Emby. This would be the simplest option, but I don’t like the idea of doing that. I know that it’s not really giving potential attackers any valuable intel, but still.

  5. Skip Tailscale and use Cloudflare Tunnels. I’ve read too much about accounts getting suspended because of the video traffic and I just don’t want to worry about that.

  6. My ISP doesn’t support IPv6.

So, those are the only options I’m aware of and I’ve shot them all down. Just using the IP address with HTTP will be good enough I think, but thought I’d check here to see if folks have different ideas. Thanks for any suggestions!
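The Pi gateway described above (Tailscale on the Pi, IP forwarding, an iptables masquerade rule, and a static route on the relative's router) written out as a script. This is an added example, not the poster's own configuration: the subnet `192.168.10.0/24`, the interface names `eth0` and `tailscale0`, and the sysctl file name are assumed values to replace with your own. It goes one step beyond the post by restricting what the Pi will forward to traffic bound for the home subnet, so the Pi does not quietly become a general-purpose router for the relative's LAN.

```bash
#!/bin/sh
# Added example (not from the post): turn a Raspberry Pi into a LAN-side gateway
# into a Tailscale subnet. Assumed values below; override via environment.
HOME_SUBNET="${HOME_SUBNET:-192.168.10.0/24}"   # subnet advertised by the home subnet router (assumed)
LAN_IF="${LAN_IF:-eth0}"                          # Pi's interface on the relative's LAN (assumed)
TS_IF="${TS_IF:-tailscale0}"                      # Tailscale interface name (Linux default)

# Emit the FORWARD rules as text so they can be reviewed (or tested) before applying.
# Default-deny, then allow LAN -> home subnet over Tailscale plus the return traffic only.
forward_rules() {
  subnet="$1"; lan_if="$2"; ts_if="$3"
  printf '%s\n' \
    "iptables -P FORWARD DROP" \
    "iptables -A FORWARD -i $lan_if -o $ts_if -d $subnet -j ACCEPT" \
    "iptables -A FORWARD -i $ts_if -o $lan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Source-NAT only packets headed for the home subnet; the home side then sees the Pi's tailnet IP,
# which is why the pfSense subnet router needs no route back to the relative's LAN.
masquerade_rule() {
  subnet="$1"; ts_if="$2"
  printf '%s\n' "iptables -t nat -A POSTROUTING -o $ts_if -d $subnet -j MASQUERADE"
}

# Check the IPv4 forwarding flag; the path is a parameter so the check can be exercised on a test file.
ip_forward_enabled() {
  f="${1:-/proc/sys/net/ipv4/ip_forward}"
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

apply() {
  # Enable forwarding now and persist it across reboots (file name is assumed).
  printf 'net.ipv4.ip_forward=1\n' > /etc/sysctl.d/99-tailscale-gw.conf
  sysctl -w net.ipv4.ip_forward=1
  # Accept the subnet route that the home router advertises into the tailnet.
  tailscale up --accept-routes
  forward_rules "$HOME_SUBNET" "$LAN_IF" "$TS_IF" | sh -e
  masquerade_rule "$HOME_SUBNET" "$TS_IF" | sh -e
}

case "${1:-}" in
  --apply) apply ;;
  *) echo "# dry run; rerun with --apply as root to install the rules"
     forward_rules "$HOME_SUBNET" "$LAN_IF" "$TS_IF"
     masquerade_rule "$HOME_SUBNET" "$TS_IF" ;;
esac
```

Run it once without arguments to see the exact iptables commands, then `sudo ./gw.sh --apply`. The remaining piece is on the relative's router: a static route for `192.168.10.0/24` (or whatever the home subnet is) with the Pi's LAN address as the next hop. iptables rules are not persistent by themselves, so add the apply step to a boot-time unit or use your distribution's rule-saving package; the default-deny FORWARD policy also means any other forwarding the Pi was doing (containers, for instance) needs its own ACCEPT rule.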

The risk is low that there would be someone listening on the wire and pulling the password or session tokens from that connection. You could also just go with a self-signed certificate.