Update README with instructions on how to setup a secure remote connection to your mpv instance #5

Open
varenc wants to merge 8 commits into oxan:master from varenc:secure-remote-setup

varenc commented Apr 7, 2025

The current guidance in the README for setting up a remote connection is insecure. mpv supports a `run` input command that allows executing arbitrary commands, meaning anyone with access to the exposed port could run `echo "run <any_command>" | nc <your_ip> 2352` to execute commands on your system.

For a trusted local network that's not a huge deal... but unless your security stance trusts everything on your LAN and you never leave it, it still doesn't make sense. If you had it running on a laptop while connected to some public WiFi networks, your computer could be easily pwn'd by anyone. (Fortunately this is obscure enough that most people aren't looking for it.)

This update provides guidance on how to achieve the same remote connection securely using socat with SSH port forwarding. I've implemented this solution myself and can confirm it works great!

btw, thank you so much for making this project. I love mpv, and I love home assistant, and now I get to combine my interests!

varenc commented Apr 7, 2025

Also, my example script might be overly complicated with all the variables and the use of `trap "kill 0"` .... That part exists because socat is run in the background since both commands must run simultaneously, and the use of trap kills socat when the script exits. But I run it in a separate daemon and not with `mpv ... --script=...`, so it might be totally unnecessary. A simpler example minimal script could just be:

```bash
#!/bin/bash
# bind=127.0.0.1 keeps the socat listener on loopback so it is not reachable from the network
socat TCP-LISTEN:2352,bind=127.0.0.1,reuseaddr,fork UNIX-CONNECT:/path/to/mpv-socket &  # <-- run socat in the background
ssh -N -R 2352:localhost:2352 [email protected]
```

This does the same thing without all the extra setup, just hardcoded paths. Might be easier for folks to understand at a glance.

varenc commented Apr 7, 2025

Just updated the PR in line with this!

varenc commented Apr 7, 2025

Had to add back a check for duplicate instances of the script. Seems that `mpv --script=something.run` actually leaves the script running in the background even after mpv exits, so even using trap doesn't work. The script now just uses nc to check if the port is open, and if it is, it exits.

Sorry the script got so complicated, but I don't think I can avoid it. Classic usability vs security challenges. Also, this made me realize that your prior example probably causes a new background instance of socat to be left running every time mpv is opened.
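
A way to check the exposure discussed in this thread on the machine running mpv, as an added example that is not part of the PR or the project's README: it reads `ss -H -ltn` output and reports any listener on port 2352 that is not bound to loopback (socat's `TCP-LISTEN` accepts on all interfaces unless a `bind=` address is given). The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the PR): flag listeners on the mpv IPC port that
# are reachable from other hosts. Input is `ss -H -ltn` output on stdin.

MPV_PORT=2352   # port used throughout this thread

# Constructed sample of `ss -H -ltn` output, for offline runs.
SAMPLE_SS='LISTEN 0 5   0.0.0.0:2352   0.0.0.0:*
LISTEN 0 5   127.0.0.1:2352 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22     0.0.0.0:*
LISTEN 0 5   [::1]:2352     [::]:*
LISTEN 0 5   [::]:2352      [::]:*'

# Print the local address of each listener on port $1 that is not loopback-only.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                         # "Local Address:Port" column
            n = split(addr, parts, ":")
            if (parts[n] != port) next        # different port
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (host ~ /^127\./ || host == "[::1]") next   # loopback only
            print addr
        }'
}

# Return 1 (and name the sockets) if the mpv port is exposed, 0 otherwise.
check_mpv_port() {
    hits=$(exposed_listeners "$MPV_PORT")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/EXPOSED: mpv IPC listening on /'
        return 1
    fi
    echo "ok: port $MPV_PORT is closed or loopback-only"
}

# `--live` audits this machine; otherwise the constructed sample is used.
if [ "${1:-}" = "--live" ]; then
    ss -H -ltn | check_mpv_port
else
    printf '%s\n' "$SAMPLE_SS" | check_mpv_port || true
fi
```

Run with `--live` on the mpv host after starting the tunnel script; a non-zero exit status means the port is reachable from the network.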
