Plex Premium Hack

This repository contains a "mock" proxy that sits in your network and tricks Plex into thinking you have a Plex Premium subscription.

Requirements

• A router that can redirect traffic (i.e. OPNsense, pfSense, DD-WRT...)
• (alternative) a DNS server that can redirect traffic (some apps won't work due to DNS pinning)
• A reverse proxy (i.e. Traefik, Nginx, Caddy...)

How to setup ?

Due to the nature of this hack, you'll have to :

• generate a new certificate authority (CA) for the proxy
• trust or patch the CA on clients and/or apps that will connect to your Plex server

1. Generate a new Certificate Authority (CA)

in writing...

2. Setup reverse proxy

In my case I'm using Traefik, so here is an example configuration :

tls:
  certificates:
    # use certificates generated in step 1
    - certFile: /etc/traefik/ssl/custom/plexfakeclients.crt
      keyFile: /etc/traefik/ssl/custom/plexfakeclients.key

http:
  routers:
    plex:
      entryPoints:
        - https
      service: plex
      rule: Host(`plex.<your-domain>.com`)
      # you may want to use TLS here too (don't use the custom CA cert generated in step 1)
    plex_proxy:
      entryPoints:
        - https
      service: plex_proxy
      rule: Host(`clients.plex.tv`) || Host(`plex.tv`)
      tls: { }

  services:
    plex:
      loadBalancer:
        servers:
          - url: http://<plex-machine-ip>:32400
    plex_proxy:
      loadBalancer:
        servers:
          - url: http://<machine-where-proxy-is>:8000

3. Redirect traffic

For this to work we need to redirect the domain clients.plex.tv and plex.tv to our proxy. This is easily done if you own a router that can do this but might be tricky if you don't.

Important

Mobile/desktop apps tends to use hardcoded DNS servers so if you don't have a router that can redirect traffic, you will not be able to use this hack. It might be possible to patch the app to use a custom DNS server but the apps are usually obfuscated and it's not easy to do so.

OPNsense / pfSense

First, find the IP address behind the plex domains.

dig clients.plex.tv +short
# 172.64.151.205
# 104.18.36.51

dig plex.tv +short
# 52.17.59.150
# 52.49.56.127

Then go into Firewall > Aliases and create two aliases:

• plex_ips
  • Type: Host(s)
  • Content: <the 4 IPs you found above>
• plex_do_not_proxy
  • Type: Host(s)
  • Content: and

Then go into Firewall > NAT > Port Forward and create a new rule:

• Interface: LAN
• Protocol: TCP
• Source / Invert: [☑️]
• Source: (select alias) plex_do_not_proxy
• Source Port Range: any
• Destination: (select alias) plex_ips
• Destination Port Range: 443
• Redirect Target IP: <your proxy server IP>
• Redirect Target Port: 443

Finally go to Firewall > NAT > Outbound and create a new rule (select Hybrid mode if needed):

• Interface: LAN
• TCP/IP Version: IPv4
• Protocol: any
• Source address: any
• Destination address:
• Destination port : 443
• Translation / target: Interface address

Test the redirection

Now if you try to go to https://clients.plex.tv/api/hack you should see a JSON response along the lines of :

{
  "status": "OK, Plex Pass features proxy enabled"
}

If you see the Plex "Oops, 404" page then something is wrong with your redirection or proxy.

Patch PlexAmp