Ok just added that I forgot to add due to trouble shooting tries :

PostUp = iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.13.13.2 # IP Of peer 
PostDown = iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.13.13.2 # IP Of peer 

On the wg0.conf on IONOS and now Plex is OK !

Just to resume, I've followed the tutorial above for the client but for the server I've used this : https://github.com/angristan/wireguard-install
wg0.conf of this tutorial is located here : /etc/wireguard/wg0.conf

When I try to run the docker compose up, it shows that port 32400 is used by my plexmedia server

ERROR: for a28edff848c9_wireguard Cannot start service wireguard: driver failed programming external connectivity on endpoint wireguard (15e3aeea3f62afbde25c12bc57baa61e531b76982e43e89302a6b737279465c0): Error starting userland proxy: listen tcp4 0.0.0.0:32400: bind: address already in use ERROR: for wireguard Cannot start service wireguard: driver failed programming external connectivity on endpoint wireguard (15e3aeea3f62afbde25c12bc57baa61e531b76982e43e89302a6b737279465c0): Error starting userland proxy: listen tcp4 0.0.0.0:32400: bind: address already in use ERROR: Encountered errors while bringing up the project

Seems like my plex media server is using that port according to: sudo netstat -peanut | grep ":32400" tcp6 0 0 :::32400 :::* LISTEN 998 297594579 226669/Plex Media S

Can I just use fill in another port on the docker-compose file (hetzner server)

Also another question, how do I actually view my downloaded movies etc? Do I need to manually add all the libraries again? And if so how do I actually make the content pop up because whenever I add a folder and scan it for media files it stays empty.

Thankyou

You're missing something on the tutorial so because wireguard and plex have to be launched together using docker-compose.

When creating a new plex server yes you need to add libraries again, if nothing pop :
Check if when you add the folder to PMS, he can see the files if yes, just let him cook
If not, check folder permissions
Check if you added correctly the folder to docker-compose too.

You're missing something on the tutorial so because wireguard and plex have to be launched together using docker-compose.

When I changed all the "32400" fields to "31400" I did get it working and plex launched. But I couldn't get it to recognize videos even though the correct folders were selected with correct permissions

You're missing something on the tutorial so because wireguard and plex have to be launched together using docker-compose.

When I changed all the "32400" fields to "31400" I did get it working and plex launched. But I couldn't get it to recognize videos even though the correct folders were selected with correct permissions

This a Plex problem now, go on their support forum.

I started everything from scratch again but I still can't get it working on port 32400. I've tried killing the process running on that port but that just disables PMS all together.

Error response from daemon: driver failed programming external connectivity on endpoint wireguard (4daf05049ae5dbef5eb76a3ff145c8f4659ce452e95fafe52d06ae422e5e0cd3): Error starting userland proxy: listen tcp4 0.0.0.0:32400: bind: address already in use

This is the error I keep getting

I started everything from scratch again but I still can't get it working on port 32400. I've tried killing the process running on that port but that just disables PMS all together.

Error response from daemon: driver failed programming external connectivity on endpoint wireguard (4daf05049ae5dbef5eb76a3ff145c8f4659ce452e95fafe52d06ae422e5e0cd3): Error starting userland proxy: listen tcp4 0.0.0.0:32400: bind: address already in use

This is the error I keep getting

I managed to fix this. I was using swizzin before so plexmediaserver kept running in the background and using the 32400 port.

For future readers you can fix this error by;
sudo service plexmediaserver stop

If you're using swizzin you should use their box commands to control it. I believe turning off the service will also work, but if can also just do sudo box uninstall plex. Then it's removed properly based on how you installed it.

set PEERDNS=auto, it didn't work for me without it.

Thank you for offering your help. I followed your instructions, but Im not yet able to connect to plex. Going through the troubleshooting, Im running into problems starting at 1.

1.a I am getting xml data instead of html

<?xml version="1.0" encoding="UTF-8"?>
<MediaContainer size="24" allowCameraUpload="0" allowChannelAccess="1" allowMediaDeletion="1" allowSharing="1" allowSync="0" allowTuners="0" backgroundProcessing="1" companionProxy="1" countryCode="" diagnostics="logs,databases,streaminglogs" eventStream="1" friendlyName="66633dcda674" hubSearch="1" itemClusters="1" livetv="7" machineIdentifier="a7d10623cf088b7eaebbc422c8e95afc8f9c59ed" mediaProviders="1" multiuser="1" musicAnalysis="2" myPlex="1" myPlexMappingState="unknown" myPlexSigninState="none" myPlexSubscription="0" platform="Linux" platformVersion="5.15.0-86-generic" pluginHost="1" pushNotifications="0" readOnlyLibraries="0" streamingBrainVersion="2" sync="1" transcoderActiveVideoSessions="0" transcoderAudio="1" transcoderLyrics="1" transcoderPhoto="1" transcoderSubtitles="1" transcoderVideo="1" transcoderVideoBitrates="64,96,208,320,720,1500,2000,3000,4000,8000,10000,12000,20000" transcoderVideoQualities="0,1,2,3,4,5,6,7,8,9,10,11,12" transcoderVideoResolutions="128,128,160,240,320,480,768,720,720,1080,1080,1080,1080" updatedAt="1700222866" updater="1" version="1.32.7.7621-871adbd44" voiceSearch="1">
<Directory count="1" key="actions" title="actions" />
<Directory count="1" key="activities" title="activities" />
<Directory count="1" key="butler" title="butler" />
<Directory count="1" key="channels" title="channels" />
<Directory count="1" key="clients" title="clients" />
<Directory count="1" key="devices" title="devices" />
<Directory count="1" key="diagnostics" title="diagnostics" />
<Directory count="1" key="hubs" title="hubs" />
<Directory count="3" key="library" title="library" />
<Directory count="3" key="livetv" title="livetv" />
<Directory count="3" key="media" title="media" />
<Directory count="3" key="metadata" title="metadata" />
<Directory count="1" key="neighborhood" title="neighborhood" />
<Directory count="1" key="playQueues" title="playQueues" />
<Directory count="1" key="playlists" title="playlists" />
<Directory count="1" key="resources" title="resources" />
<Directory count="1" key="search" title="search" />
<Directory count="1" key="server" title="server" />
<Directory count="1" key="servers" title="servers" />
<Directory count="1" key="statistics" title="statistics" />
<Directory count="1" key="system" title="system" />
<Directory count="1" key="transcode" title="transcode" />
<Directory count="1" key="updater" title="updater" />
<Directory count="1" key="user" title="user" />
</MediaContainer>

1.b
curl: (6) Could not resolve host: icanhazip.com

1.c
curl 8.8.8.8 returns nothing. Prompt does not return unless I ctrl-c

Thank you for offering your help. I followed your instructions, but Im not yet able to connect to plex. Going through the troubleshooting, Im running into problems starting at 1.

1.a I am getting xml data instead of html

<?xml version="1.0" encoding="UTF-8"?>
<MediaContainer size="24" allowCameraUpload="0" allowChannelAccess="1" allowMediaDeletion="1" allowSharing="1" allowSync="0" allowTuners="0" backgroundProcessing="1" companionProxy="1" countryCode="" diagnostics="logs,databases,streaminglogs" eventStream="1" friendlyName="66633dcda674" hubSearch="1" itemClusters="1" livetv="7" machineIdentifier="a7d10623cf088b7eaebbc422c8e95afc8f9c59ed" mediaProviders="1" multiuser="1" musicAnalysis="2" myPlex="1" myPlexMappingState="unknown" myPlexSigninState="none" myPlexSubscription="0" platform="Linux" platformVersion="5.15.0-86-generic" pluginHost="1" pushNotifications="0" readOnlyLibraries="0" streamingBrainVersion="2" sync="1" transcoderActiveVideoSessions="0" transcoderAudio="1" transcoderLyrics="1" transcoderPhoto="1" transcoderSubtitles="1" transcoderVideo="1" transcoderVideoBitrates="64,96,208,320,720,1500,2000,3000,4000,8000,10000,12000,20000" transcoderVideoQualities="0,1,2,3,4,5,6,7,8,9,10,11,12" transcoderVideoResolutions="128,128,160,240,320,480,768,720,720,1080,1080,1080,1080" updatedAt="1700222866" updater="1" version="1.32.7.7621-871adbd44" voiceSearch="1">
<Directory count="1" key="actions" title="actions" />
<Directory count="1" key="activities" title="activities" />
<Directory count="1" key="butler" title="butler" />
<Directory count="1" key="channels" title="channels" />
<Directory count="1" key="clients" title="clients" />
<Directory count="1" key="devices" title="devices" />
<Directory count="1" key="diagnostics" title="diagnostics" />
<Directory count="1" key="hubs" title="hubs" />
<Directory count="3" key="library" title="library" />
<Directory count="3" key="livetv" title="livetv" />
<Directory count="3" key="media" title="media" />
<Directory count="3" key="metadata" title="metadata" />
<Directory count="1" key="neighborhood" title="neighborhood" />
<Directory count="1" key="playQueues" title="playQueues" />
<Directory count="1" key="playlists" title="playlists" />
<Directory count="1" key="resources" title="resources" />
<Directory count="1" key="search" title="search" />
<Directory count="1" key="server" title="server" />
<Directory count="1" key="servers" title="servers" />
<Directory count="1" key="statistics" title="statistics" />
<Directory count="1" key="system" title="system" />
<Directory count="1" key="transcode" title="transcode" />
<Directory count="1" key="updater" title="updater" />
<Directory count="1" key="user" title="user" />
</MediaContainer>

1.b curl: (6) Could not resolve host: icanhazip.com

1.c curl 8.8.8.8 returns nothing. Prompt does not return unless I ctrl-c

Hi, I've written a gist update of this because I was unable to get this working using wireguard container on server machine, you should take a look and lmk if still not working : https://gist.github.com/sovajri7/856f75833f3d8764c5dc36e19ff5d0aa

Hey @sovajri7. I just followed your gist update. Its well written and very comprehensive. Unfortunately though Im still not able to get plex running. When I try to reach my VPS at port 32400 the connection times out. Through troubleshooting I can see that a from from within the plex container curl icanhazip.com throws: curl: (7) Couldn't connect to server
curling localhost:32400 returns xml data.

EDIT: From looking at the logs when starting wireguard I found an error: RTNETLINK answers: Permission denied
Searching for it online, some was hinting that adding the following to /etc/sysctl.conf would solve the problem. In my case this did not help either:

net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0

Update the 10.13.13.2 in the above to be the IP of your peer_plexServer. This will forward port traffic from 32400 to that internal peer.

Just to make sure, are we talking about the public, or the internal IP address @ShipkaChalk?

Update the 10.13.13.2 in the above to be the IP of your peer_plexServer. This will forward port traffic from 32400 to that internal peer.

Just to make sure, are we talking about the public, or the internal IP address @ShipkaChalk?

It's the IP address in your peer config.
Try connecting with your peer config on your windows/mac wireguard client.

Your ports are probably blocked. Send all the configs here.

Thanks @parnexcodes
Here are my configs:

VPS (Server)
compose

version: '3'
services:
  wireguard:
    image: linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - SERVERURL=HETZNER_IP # Replace with your server's public domain or IP
      - SERVERPORT=51820
      - PEERS=plexServer # Replace with peer names, this is chosen by you. Do not use any special characters like _
      - PEERDNS=9.9.9.9
      - INTERNAL_SUBNET=10.13.13.0
      - LOG_CONFS=true
    ports:
      - "51820:51820/udp"
      - "32400:32400"
    volumes:
      - /home/user/repos/plexwireguard/config:/config
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

wg0

[Interface]
Address = 10.13.13.1
ListenPort = 51820
PrivateKey = ServerPrivateKey

PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -A FORWARD -o %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostUp = iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.13.13.2 # IP Of peer below

PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.13.13.2 # IP Of peer below

[Peer]
# peer_plexServer
PublicKey = HetznerPublicKey
PresharedKey = PresharedKey
AllowedIPs = 10.13.13.2/32

Hetzner (Client)
compose

services:
  wireguard:
    image: lscr.io/linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Berlin
    volumes:
      - /home/user/plexwireguard/wireguard-client:/config
      - /lib/modules:/lib/modules
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    ports:
      - 32400:32400
    restart: unless-stopped

  plex:
    image: linuxserver/plex
    container_name: plex
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Berlin
      - VERSION=docker
      - PLEX_CLAIM= #lasts 4 minutes get from plex.tv/claim
    volumes:
      - /home/user/plexwireguard/plex/config:/config
      - /mnt/gmedia:/gmedia
    network_mode: service:wireguard
    restart: unless-stopped

wg0

[Interface]
Address = 10.13.13.2
PrivateKey = HetznerPrivateKey
ListenPort = 51820
DNS = 8.8.8.8

PostUp = iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o wg+ -j MASQUERADE
PostUp = FORWARDEDPORT=32400; iptables -A INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -A INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT;
PreDown = FORWARDEDPORT=32400; iptables -D INPUT -i wg0 -p udp --dport $FORWARDEDPORT -j ACCEPT; iptables -D INPUT -i wg0 -p tcp --dport $FORWARDEDPORT -j ACCEPT;

[Peer]
PublicKey = ServerPublicKey
PresharedKey = PresharedKey
Endpoint = VPS_SERVER_IP:51820
AllowedIPs = 0.0.0.0/0

I basically cannot reach the internet from within the containers. Neither icanhazip nor 8.8.8.8 can successfully be curled.

If you can't reach the internet from within the Wireguard container on the VPS then you have a problem as this should always get out to the internet. Looks like an issue on step 3 of the troubleshooting.

If you're on a box with other items on, make sure you don't have any firewalls etc breaking it. I'd recommend spinning up a quick box on something like digital ocean and test if you can get it working there.

No sorry I should have described this better. Wireguard on the VPS can reach the internet from within Docker without an issue.
My problems are on the Hetzner side. As VPS:32400 (from my home computer) leads to a timeout I tend to check the Plex container on Hetzner to curl domains and IPs for troubleshooting.

EDIT: Are we actually talking about pinging or curling 8.8.8.8 (from within VPS wg container)?
The latter just waits for further input it seems, pinging is successful with 0% packets lost.

I don't know enough about DNS's but it's possible that as you're using PEERDNS=9.9.9.9 it won't let you hit 8.8.8.8. Did you try with PEERDNS=auto? If you can ping Icanhazip and you get the IP back then your VPS Should be okay.

What you need to do now is check that the wireguard on your home machine is connected with the VPS. You can do this by going to the VPS and exec'ing into the container, sudo wg show wg0 should then hopefully show your home vps trying to connect, if you see nothing then it looks like it's just not being connected to.

What you can try for debugging if connecting directly to the vps from your home machine using the wire guard client you can either create a new config with PEERS=plexServer,homeMachine or try and use the plex server config.

If your home machine can connect and your ip is changed to the VPS then we can narrow down the issue to the docker containers on your home machine.

Okay, so I tried to connect to wg from my home computer with windows: as soon as I connect to the network my internet connection is gone.
Apart from that I found out that ionos has a hardware firewall in place that you need to configure via the cloudpanel. I did, however I am still now able to connect to plex via browser at ionos_ip:32400.
Troubleshooting throught your points @ShipkaChalk I am now only left with one problem on the VPS side (3c): if I exec into the wg container on the vps, I cannot curl localhost:32400. Getting a curl: (7) Failed to connect to localhost port 32400 after 0 ms: Couldn't connect to server.
When Im testing, I actually uninstall ufw, and allow all traffic through iptables, flushing any residual rules. So at this point I have no idea why port 32400 is not accessible.

Well if you connected to wg from your home machine and lost internet connection then it means your WG on the VPS is not working.

Please try on another VPS, you can spin up a digital ocean for an hour for pennies.

Can anyone comment on upgrading? I thought it was as simple as stopping and starting the container but that didnt work. I did the docker pull and it seems to have grabbed the latest but doesnt seem to be using it. Looks like there was a 2/24/2024 update im not able to apply.

@dmnchild
run

docker compose pull

docker compose down

docker compose up

It can take a few minutes for plex to come back due to the reconnection with the wireguard.

@ShipkaChalk
edit: docker compose -p plex pull worked. seems all good, thanks for setting me in right direction!

Hey, I have some questions. I've never done something like this.

So, in step three:

• What should SERVERURL be set to? Should this be set to the VPS IP or the Hetzner server IP?
• Should INTERNAL_SUBNET=10.13.13.0 be changed to another value because this IP gets copied over in the wg0.conf file, if yes to which IP?

In step four:

• What IP should come after --to-destination? The VPS IP or the Hetzner IP?
• The following PostUp and PostDown lines are in the wg0.conf file by default under PrivateKey, should those be replace by the ones mentioned in step four or should those stay there?

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE

Thank you for the help in advance

@Iliannnn maybe my gist will help you better as I modified it a little bit to be easier for beginners, just copy/paste and fill your informations : https://gist.github.com/sovajri7/856f75833f3d8764c5dc36e19ff5d0aa

@Iliannnn maybe my gist will help you better as I modified it a little bit to be easier for beginners, just copy/paste and fill your informations : https://gist.github.com/sovajri7/856f75833f3d8764c5dc36e19ff5d0aa

I will check it out, thank you!

I love you

And I love you random citizen!

Can i use this with swizzin, or is there another way in swizzin?

Yes and no. There is no built in Swizzin plugin but you can do it as that is what I use.

You'll need to disable / remove plex from swizzin and install it using the above setup. The rest of swizzin can work as normal.

Can i use this with swizzin, or is there another way in swizzin?

I'd suggest using docker image + gluetun.

sudo su -
. /etc/swizzin/sources/globals.sh
. /etc/swizzin/sources/functions/utils
mkdir /home/$(_get_master_username)/.docker

/home/username/.docker/docker-compose.yml

# /home/username/.docker/docker-compose.yml
services:
  gluetun:
    image: qmcgaw/gluetun:latest
    # line above must be uncommented to allow external containers to connect. See https://github.com/qdm12/gluetun/wiki/Connect-a-container-to-gluetun#external-container-to-gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 127.0.0.1:32400:32400 # Plex
    environment:
      # See https://github.com/qdm12/gluetun/wiki
      - VPN_SERVICE_PROVIDER=private internet access
      - OPENVPN_USER=username
      - OPENVPN_PASSWORD=password
      #- VPN_TYPE=openvpn
      - SERVER_REGIONS=
      - TZ=Etc/UTC
      - DOT=on
      - DOT_PROVIDERS=cloudflare
      - DOT_CACHING=on
      - DNS_ADDRESS=127.0.0.1
    labels: [ "com.centurylinklabs.watchtower.scope=username" ]
  plex:
    image: ghcr.io/hotio/plex:latest
    container_name: plex.username
    environment:
      - PUID=1000
      - PGID=1000
      - UMASK=002
      - TZ="Etc/UTC"
      - PLEX_CLAIM_TOKEN=
      - PLEX_ADVERTISE_URL=https://username.domain.com
    group_add:
      - '1005'
    labels: [ "com.centurylinklabs.watchtower.scope=username" ]
    devices:
      - /dev/dri:/dev/dri
    volumes:
      - /home/username/.docker/plex/Library/Application Support/Plex Media Server/:/config
      - /home/username/media/:/home/username/media
      - /tmp/plex/:/transcode
    depends_on:
       - gluetun
    restart: on-failure
    network_mode: "service:gluetun"
  watchtower:
    image: containrrr/watchtower
    volumes: [ "/var/run/docker.sock:/var/run/docker.sock" ]
    command: -s '00 07 * * *' --scope username
    labels: [ "com.centurylinklabs.watchtower.scope=username" ]

Generate letsencrypt certs, then place file below at /etc/nginx/sites-enabled/plex.conf

upstream plex {
    server 127.0.0.1:32400; # Change this to where plex is running
    keepalive 32;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Generate TLS Certificate for media.domain.com via `box install letsencrypt` and answer `n` to both questions

    server_name media.*;
    ssl_certificate /etc/nginx/ssl/media.domain.com/fullchain.pem; 
    ssl_certificate_key /etc/nginx/ssl/media.domain.com/key.pem;
    include snippets/ssl-params.conf;

    client_max_body_size 0;
    proxy_headers_hash_bucket_size 256;
    proxy_headers_hash_max_size 2048;
    proxy_buffers 128 8k;
    aio threads;
    directio 1M;
    output_buffers 3 1M;
    ssl_session_timeout 1d;
    sendfile on;
    sendfile_max_chunk 0;

  location / {
    proxy_pass https://plex;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_ssl_verify off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_read_timeout 86400;
    proxy_buffering off;
    proxy_redirect off;
  }
}

Restart nginx.

Change plex to gluetun in all cases for the gluetun service file.

[Unit]
Description=Plex for %i
After=docker.service nginx.service gluetun@%i.service
Requires=docker.service nginx.service gluetun@%i.service
StartLimitBurst=3
StartLimitIntervalSec=30
 
[Service]
RestartSec=5
TimeoutStartSec=0
Restart=always
ExecStart=/usr/bin/docker compose -f /home/%i/.docker/docker-compose.yml up plex
ExecStop=/usr/bin/docker compose -f /home/%i/.docker/docker-compose.yml stop plex
ExecReload=/usr/bin/docker compose -f /home/%i/.docker/docker-compose.yml pull --quiet --ignore-pull-failures
ExecReload=/usr/bin/docker compose -f /home/%i/.docker/docker-compose.yml up plex -d

[Install]
WantedBy=multi-user.target

To add to panel:

# /opt/swizzin/core/custom/profiles.py
# Append to file only.

class pms_meta():
    name = "plex"
    pretty_name = "Plex"
    urloverride = "https://app.plex.tv"
    systemd = "plex-docker@"
    img = "plex"
    multiuser = True

touch /install/.pms.lock && systemctl restart panel