Jellyfin over the internet
-
Do you at least have it on a VLAN?
wrote last edited by [email protected]I dunno. It’s plugged in directly to the modem/router provided by my ISP while my wifi is provided by a separate mesh setup, which is also plugged in to the modem/router
️ -
I dunno. It’s plugged in directly to the modem/router provided by my ISP while my wifi is provided by a separate mesh setup, which is also plugged in to the modem/router
️Yeah, you’ll definitely want to make sure that computer is isolated. It doesn’t sound like it’s currently on a VLAN. The real danger isn’t just someone messing up that one machine, once they’re in, they’re behind your firewall and can potentially access anything else on your network. Smart home devices are often the next targets, things like light bulbs, security cameras, and especially Windows computers, which are usually easy to compromise if they’re on the same network.
You might be wondering, “How likely is that?” Honestly, very likely. Back when my website was online, it would get hit by hackers, mostly script kiddies, several times an hour.
-
Specifically these issues: https://github.com/jellyfin/jellyfin/issues/5415
The big one is that video/audio playing endpoints can be used without authentication. However, you have to guess a UUID. If Jellyfin is using UUIDv4 (fully random), then this shouldn't be an issue; the search space is too big. However, many of the other types of UUIDs could hypothetically be enumerated through brute force. I'm not sure what Jellyfin uses for UUIDs.
They don't. Ids in Jellyfin are based on the path of the file, so easily guessable with a sufficiently large rainbow table
-
You can also use a router that can run wireguard/openvpn and have that run the tunnel back to home for you. I've got a portable GL-Inet router with OpenWRT that I use for this when I'm on the road
or that yes, but I often don't want to give the whole network access to my home network for security reasons, so that's something to consider
-
How would you do this off network?
what do you mean by off network? on the wifi of a different home's network, that has internet access?
the wireguard client on your laptop is supposed to give the laptop (and the laptop only) access to your home network, and the reverse proxy running on the laptop is supposed to give local devices access to services at home selectively, by listening on port 443 on the local network, and processing requests to services that you defined, by forwarding them through the vpn tunnel.
this requires that a machine at home runs a wireguard server, and that its port is forwarded in your router -
Even more secure is having a VPS and self hosting Heascale, even better is Wireguard
I'm trying to move away from needing a VPN to connect to make it simpler for less technically inclined family members
-
Not so much a fight as an exercise in futility lol
Well, I might as well put a dog in the fight. I'm considering my final, actually secure deployment of nextcloud.
This discussion has convinced me that a vpn is the only answer.
And almost everyone says wireguard.K. Thats what I will build.
-
Well, I might as well put a dog in the fight. I'm considering my final, actually secure deployment of nextcloud.
This discussion has convinced me that a vpn is the only answer.
And almost everyone says wireguard.K. Thats what I will build.
It’s not the only answer, but it’s the one that will get you the most secure with the least amount of effort.
-
I'm trying to move away from needing a VPN to connect to make it simpler for less technically inclined family members
Usually just needs to be set up once. A small price to pay for security.
-
It’s not the only answer, but it’s the one that will get you the most secure with the least amount of effort.
wrote last edited by [email protected]Ya. I understand VPN. I do enterprise IT stuff. The things I build assume a secure environment. VPN is step one.
Nailing down a web server on the internet tho ... there's so many ways to attack. There's so many things to secure. And its a bit complex to manage all that.
The nextcloud site covers hardening the server, but doesn't even mention vpn.
I've been watching threads like this. I'm pretty convinced vpn is the answer. -
Ya. I understand VPN. I do enterprise IT stuff. The things I build assume a secure environment. VPN is step one.
Nailing down a web server on the internet tho ... there's so many ways to attack. There's so many things to secure. And its a bit complex to manage all that.
The nextcloud site covers hardening the server, but doesn't even mention vpn.
I've been watching threads like this. I'm pretty convinced vpn is the answer.Yeah Nextcloud won’t mention VPN for hardening because the assumption is you want it publicly accessible.
I have a number of things publicly accessible and there are a number of things I do to secure them. crowdsec monitoring and blocking, a reverse proxy with OIDC for authentication, a WAF in front of it all. But those are only for the things I have exposed because I want other people to use them. If it’s something just for me, I don’t bother with all that and just access it via VPN.
-
Someone mentioned above that cloudflare will ban you for streaming through their tunnel. Just be warned.
yeah it’s in the terms of service but my usage will be so small it’s not even going to register on their charts so i’m happy with the risk.
-
Yeah Nextcloud won’t mention VPN for hardening because the assumption is you want it publicly accessible.
I have a number of things publicly accessible and there are a number of things I do to secure them. crowdsec monitoring and blocking, a reverse proxy with OIDC for authentication, a WAF in front of it all. But those are only for the things I have exposed because I want other people to use them. If it’s something just for me, I don’t bother with all that and just access it via VPN.
Ok. Yes, my use case is a private document and media store. I'm ungoogling.
VPN seems like a good place to start. But I'd like a simple answer, and I expect there are none to be had. As you've illustrated here, I'll find a reason to punch holes in the firewall. And then I'm going to need to secure a web server. Life happens. I'll keep it simple for now while I sort things. Thanks for your perspective. -
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
I keep jellyfin up to date in a container and forward tcp/8920 on my router to the container. Easy and plenty secure. People in this thread are wildly overthinking it.
