Didn’t want to self-snitch and risk this getting patched, but oh well, if they do, I’ll switch to Jellyfin. Otherwise, I plan to eventually buy a lifetime Plex Pass anyway, when I get approved for disability.
Preface: I am not formally educated, and I’m not a professional (far from it, I hardly know what I’m doing, I basically stumbled my way into getting this all to work). My post may contain inaccuracies, and this setup may have security concerns, be suboptimal, or need refinement. I am open to corrections for the post, as well as suggestions for additional information to add to the post or changes to make to my setup. Regardless, my current setup most definitely works for bypassing the subscription requirements for remote streaming and doesn’t require complex remote client configuration or setup like with using Tailscale, it just simply works for remote users. This post is meant to seek advice and feedback just as much as it is to share information and my experience.
My setup, which I had configured this way before the recent changes, incidentally allows remote users to stream from my Plex server without any of us having Plex Pass or Remote Access Pass. Here’s how I have it set up:
- Plex is served through a custom Cloudflare domain (e.g., plex.mydomain.com) configured in the Plex settings.
- I use local DNS routing (with my Pi-hole) so that LAN clients bypass the tunnel and connect directly, saving wireless bandwidth and ensuring local access even if the internet is down.
- All external and local access goes through an Nginx reverse proxy. I have iptables set so that only the localhost can access Plex’s default port.
- A Cloudflared tunnel forwards requests from the public domain to the reverse proxy.
So, a remote client connects like this:
Remote Client -> Cloudflared tunnel -> Nginx reverse proxy -> Plex (localhost)
(Local client connects like this):
Local Client -> (local DNS reroute) -> Nginx reverse proxy -> Plex (localhost)
When Plex made the subscription change for remote access, this setup just kept working. No Plex Pass is required because the clients are connecting via a secure direct connection, not using Plex’s relay infrastructure. The Plex server sees all connections as local, even if they’re remote.
Plex treats connections through this setup as direct, not remote, which is why it doesn’t enforce subscription checks.
Important notes:
- If using Cloudflare, add a Page Rule in the cloudflared dashboard for your Plex domain to set Cache Level: Bypass to prevent playback cutting out.
- You may need to disable Remote Access auto-config in the Plex server’s settings to prevent it from falling back to their relay servers.
- Do not expose Plex directly to the internet without a reverse proxy and proper access controls.
- Use HTTPS (TLS) to encrypt traffic between clients and your server. This should be handled by your Cloudflared tunnel and your reverse proxy. It protects user credentials and ensures compatibility with all Plex clients.
- You must use a valid TLS certificate (e.g., via Let’s Encrypt) if using a custom domain. Plex’s default certificate is only valid for plex.direct and will not work with a reverse proxy or Cloudflared tunnel using a different domain. This should be configured in the reverse proxy; leave ‘Custom certificate location’ blank in the Plex server’s settings.
- Recommend that remote users set a strong, unique password on their Plex account and enable two-factor authentication (2FA) for security.
- While this setup essentially requires a custom domain to be purchased, the cloudflared free plan is more than sufficient. Cloudflare charges (usually, depending on domain and TLD) $10/year for a custom domain, and it can be used for far more than just Plex, like for other services, sites, and for custom email domains.
- The custom domain is technically not strictly necessary; a setup that enables a direct secure connection (e.g., forwarded IP and port) can work, but it’s not optimal or practical due to TLS certification complexities. I won’t get into this, but if you don’t know what these complexities might consist of, just use a custom domain.
Not sure if this bypass was intentional (since it avoids load on their relay servers) or if it’s just an oversight. Either way, it works, and it doesn’t require any complex setup or configuration on the remote client’s side. This setup makes it so that no additional configuration is needed on the remote client side, unlike with using Tailscale.
If there is demand, I can write up a rough tutorial with example configurations, but I would like to be peer reviewed by more educated people first.
TLDR:
You can bypass Plex’s Remote Access Pass by serving Plex through a custom Cloudflare domain (e.g., plex.mydomain.com) using a Cloudflared tunnel, with all traffic routed through an Nginx reverse proxy and Plex bound to localhost only. LAN clients connect directly using local DNS overrides (e.g., Pi-hole), while remote clients go through the tunnel. This setup makes Plex treat all connections as direct, so no Plex Pass or Remote Access Pass is enforced.
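
A check for the "only the localhost can access Plex's default port" rule the post relies on, as an added example that is not part of the original post: it replays `iptables -S INPUT` output first-match style and reports which non-loopback clients could still reach Plex directly, skipping the Nginx proxy. The rulesets, the interface name `eth0` and the probe addresses are constructed assumptions; 32400 is Plex's default port.

```python
import ipaddress
import shlex

PLEX_PORT = 32400  # Plex's default TCP port

def verdict(rules, iface, src, dport=PLEX_PORT):
    """First-match verdict for one TCP packet against `iptables -S INPUT` text.

    Models only -P, -i, -s, -p, -m tcp, --dport and -j ACCEPT/DROP; anything
    else raises, so an unmodelled rule is never silently treated as safe.
    """
    policy = "ACCEPT"  # iptables' built-in default when no -P line is present
    for line in rules.strip().splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", "INPUT"]:
            policy = tok[2]
        if tok[:2] != ["-A", "INPUT"]:
            continue
        opts = dict(zip(tok[2::2], tok[3::2]))  # options come as flag/value pairs
        unknown = set(opts) - {"-i", "-s", "-p", "-m", "--dport", "-j"}
        if unknown or opts.get("-m", "tcp") != "tcp" or opts.get("-j") not in ("ACCEPT", "DROP"):
            raise ValueError(f"unmodelled rule: {line}")
        if "-i" in opts and opts["-i"] != iface:
            continue
        if "-s" in opts and ipaddress.ip_address(src) not in ipaddress.ip_network(opts["-s"], strict=False):
            continue
        if opts.get("-p", "tcp") != "tcp":
            continue
        if "--dport" in opts and int(opts["--dport"]) != dport:
            continue
        return opts["-j"]  # first matching rule decides
    return policy

def exposed_probes(rules):
    """Non-loopback probes that would reach Plex directly, bypassing Nginx."""
    probes = [("eth0", "192.168.1.50"),   # assumed LAN client
              ("eth0", "203.0.113.7")]    # assumed Internet host
    return [p for p in probes if verdict(rules, *p) == "ACCEPT"]

# Constructed samples of `iptables -S INPUT` output (not from the post).
LOCALHOST_ONLY = """
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32400 -j DROP
"""
LAN_LEAK = """
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 32400 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32400 -j DROP
"""

if __name__ == "__main__":
    for name, rules in (("LOCALHOST_ONLY", LOCALHOST_ONLY), ("LAN_LEAK", LAN_LEAK)):
        print(name, "loopback:", verdict(rules, "lo", "127.0.0.1"), "exposed:", exposed_probes(rules))
```

IPv6 is filtered by a separate ruleset, so the same check should also be run on `ip6tables -S INPUT` output.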