Tvheadend

SSTP or L2TP can be alternative.

You need to add ssh options. You can add configure ssh (see here: [[https://patrickmn.com/aside/how-to-keep-alive-ssh-sessions/]])
or add it to the autossh command:

autossh -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" 

But, streaming video via ssh is probably not a good idea. You would probably get much better performance using a UDP VPN.

Thanks. I know that streaming over ssh is not the best way, but VPN is not really an option. Will see how ssh performs and consider VPN with UDP than. I don't want to tunnel all the traffic between remote and local, only the stream from Tvheadend. Maybe it can be done with VPN too?

Stunell as alternative
https://www.stunnel.org/

Gurabli Gurabli wrote:

Thanks. I know that streaming over ssh is not the best way, but VPN is not really an option. Will see how ssh performs and consider VPN with UDP than. I don't want to tunnel all the traffic between remote and local, only the stream from Tvheadend. Maybe it can be done with VPN too?

If using ssh, probably also best to make sure compression is disabled and use a weak cipher for best performance - like arcfour128 or arcfour256.
[[https://blog.famzah.net/2010/06/11/openssh-ciphers-performance-benchmark/]]
(Check that they are not disabled in the ssh/sshd configs...)

autossh -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "Compression no" -c arcfour128

For VPN, not setting it as the default gateway is probably enough, but it also can be configured to be used just for specific hosts/ports.

Thanks for the weak cipher tipp. I tried, but the SSHd on the server seams to be built without the weak arcfour cipher support, can't make it work. I will disable compression and try to use the quickest, still available cipher.
Will see how it performs.

VPN would be probably the best, but in my case it would probably complicate things a lot. Anyway, many people use direct webui access remotely (I also tried that) and it works perfectly fine. I do not like the idea to don't have any form of encryption (user/pass going over plain http,stream too). Will see jow it performs once I move the backend to its remote position.

saen acro wrote:

Stunell as alternative
https://www.stunnel.org/

stunnel does look like a fine alternative. However, I wonder what is the difference in using stunnel compared to ssh tunnel? Not sure about this.

Gurabli Gurabli wrote:

saen acro wrote:

Stunell as alternative
https://www.stunnel.org/

stunnel does look like a fine alternative. However, I wonder what is the difference in using stunnel compared to ssh tunnel? Not sure about this.

it is same as http :80 site vs https :443
no difference in client just traffic is behind ssl encryption

Many thanks! I will certainly give it a try.
Do you know if there is a version for arm devices available (for Armbian, Libreelec where no apt manager is available), to run on RPi and other clones?

Gurabli Gurabli wrote:

Thanks for the weak cipher tipp. I tried, but the SSHd on the server seams to be built without the weak arcfour cipher support, can't make it work. I will disable compression and try to use the quickest, still available cipher.

Might just be that it is not be enabled in sshd_config on the server.

VPN would be probably the best, but in my case it would probably complicate things a lot. Anyway, many people use direct webui access remotely (I also tried that) and it works perfectly fine. I do not like the idea to don't have any form of encryption (user/pass going over plain http,stream too). Will see jow it performs once I move the backend to its remote position.

In Configuration->General->Base make sure "Authentication type" is set to "Digest", then the user/pass will always be encrypted.

Ok, I managed to configure AutoSSH and it works great. Even the stream is perfect, using for one day bit not a single glitch.
I'm having some hard time to figure out how to set cipher for the connection with AutoSSH? And to disable compression? Do you know how can I do that? I know with ssh. Thanks!

So I finally had some time to check few things. It turns out that connecting two remote Tvheadend servers is best using IPTV. To be on a safe side, I tunnel everything over SSH using AutoSSH, as described above (mapping the two ports).
Than an m3u playlist file is generated from the remote Tvheadend instance, edit the playlist with adding username and password, and changing the address to the local mapped IP. Import this to local Tvheadend, scan, map, and ready to go. It is really safe, since everything is over ssh (no worries about password or anything, of course, with no open ports at all in router), no need for VPN or anything else. And it plays really nice, and even the recordings are done on the local box from the remote. And the EPG is there too automatically. Testing for two days now, without a single glitch. Just make sure the upload and download are sufficient for HD channels. I have 100 Mbit upload at remote, and 300 download at local. It is more than enough for 10-14 Mbit HD streams without anything being saturated. I use gigabit connection to max out the 100 Mbit upload, and of course, to make use of the 300 Mbit download.

No need to modify playlist, there is two way to do that
1. make * user limited by IP
2. use persistent authentication

saen acro wrote:

No need to modify playlist, there is two way to do that
1. make * user limited by IP
2. use persistent authentication

Thanks, great suggestions. Will look into this. I don't want to use IP, but maybe it would be smart. Then no user/pass is required, I just limit the access to the local server IP (which is fix ip) and thats it, correct?

Persistent authentication is new to me, now I see it was started about 8 months ago. Quickly reading over, I don't get it why is it better than password? Could you please explain a bit? Thanks

saen acro wrote:

No need to modify playlist, there is two way to do that
1. make * user limited by IP
2. use persistent authentication

Can you please give me a url sample line how to get the m3u playlist file for user test and password test with persistent authentication enabled? The one that I could import to local Tvheadend server as IPTV playlist. Thanks

Enable in passwords tab persistent authentication

http://user:[email protected]:9981/playlist/auth/channels

saen acro wrote:

Enable in passwords tab persistent authentication

[...]

This is what I tried, but when I try to download the m3u playlist in browser, I get 403 Forbidden error.

Version of TVH?

saen acro wrote:

Version of TVH?

Latest 4.3 in official repo.

Gurabli Gurabli wrote:

Latest 4.3 in official repo.

4.3-1793

and enabled persistent authentication?

saen acro wrote:

Gurabli Gurabli wrote:

Latest 4.3 in official repo.

4.3-1793

and enabled persistent authentication?

4.3-1793~gbc769bf and yes, persistent authentication enabled for test user.

post result of

http://user:[email protected]:9981/playlist/auth/channels

saen acro wrote:

post result of
[...]

I got it working! For some reason it always gave 403 Forbidden error when using new tab in Chrome. I tried in ff and it worked immediately. I even turned back auth to Digest only (not that it matters a lot, since I'm over ssh tunnel and no open ports).

So I just put the new m3u playlist with persistent auth as IPTV Automatic Network and this should work, really nice. Any particular setting you would recommend, like to keep EPG up to date on locale server?

Thanks for your help!