Jellyfin over the internet
-
I’m fidgeting with Tailscale right now, only to stream on a AppleTV at a friend house. So far no luck but that’s not me that set up Infuse, so could be an operator error on my friend part
I tried tailscale first but to be honest wasn't a fan. I moved to Twingate and found it much simpler to set up
-
I tried tailscale first but to be honest wasn't a fan. I moved to Twingate and found it much simpler to set up
Will look into it, thanks !
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
SWAG reverse proxy with a custom domain+subdomain, protected by authentik and fail2ban. Easy access from anywhere once it's set up. No vpn required, just type in the short subdomain.domain.com and sign in (or the app keeps me signed in)
-
Use a reverse proxy (caddy or nginx proxy manager) with a subdomain, like myservice.mydomain.com (maybe even configure a subdir too, so …domain.com/guessthis/). Don’t put anything on the main domain / root dir / the IP address.
If you’re still unsure setup Knockd to whitelist only IP addresses that touch certain one or two random ports first.
So security through obscurity
But good luck for the bots to figure all that out.VPN is of course the actually secure option, I’d vote for Tailscale.
I kept the main domain open, but redirected it to a rickroll
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
I rent a cheap $5/mo VPS and use it to run a wireguard server with wgeasy and nginx proxy manager. Everything else runs on my home server connected by wireguard.
-
SWAG reverse proxy with a custom domain+subdomain, protected by authentik and fail2ban. Easy access from anywhere once it's set up. No vpn required, just type in the short subdomain.domain.com and sign in (or the app keeps me signed in)
That’s probably this type of setup I would want but I miss the technical know how, so if you have a cool beginner guide
-
I’ll try looking into that
Just remember to test with something better than your phone, T-Mobile aggressively filters VPNs. Try a coffee shop.
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
I don't use jellyfin but my general approach is either:
- Expose it over a VPN only. I usually use Tailscale for this so that I can expose individual machines but you do you
- Cloudflare tunnel that exposes a single port on a single internal machine to a subdomain I own
There are obviously ways to do this all on your own but... if you are asking this question you probably want to use one of those to roll it. Because you can leave yourself ridiculously vulnerable if you do it yourself.
-
Nobody here with a tailscale funnel?? It's such a simple way to get https access from anywhere without being on the tailnet.
Is the funnel URL accessible by everyone who knows it? I.e what are the chances someone finds the URL and gets access to it?
-
Just remember to test with something better than your phone, T-Mobile aggressively filters VPNs. Try a coffee shop.
Not in the US, most providers are asshole-y but seems less asshole that T-Mobile
-
I don't use jellyfin but my general approach is either:
- Expose it over a VPN only. I usually use Tailscale for this so that I can expose individual machines but you do you
- Cloudflare tunnel that exposes a single port on a single internal machine to a subdomain I own
There are obviously ways to do this all on your own but... if you are asking this question you probably want to use one of those to roll it. Because you can leave yourself ridiculously vulnerable if you do it yourself.
That’s my feeling too
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
no idea how safe or secure but i use cloudflare tunnel to point my jellyfin port on my computer
-
I would not publicly expose ssh. Your home IP will get scanned all the time and external machines will try to connect to your ssh port.
Change the port it runs on to be stupid high and they won't bother.
-
I’m fidgeting with Tailscale right now, only to stream on a AppleTV at a friend house. So far no luck but that’s not me that set up Infuse, so could be an operator error on my friend part
The way I do it for a family member with Tailscale is them having a couple of boxes down there (n100 with their Jellyfin server, and a RPI4 with a TVHServer) with my Tailnet signed in, and those boxes running both a "subnet router" and an "exit node"that both me and said fam member can use.
This means she has permissions to use the exit node wherever like I do to my own local LAN, to connect to her LAN and access things locally since you can assign them via the ACL's / device perms.
I know reading docs can suck sometimes but honest to god the ones that Tailscale put up are pretty awesome.
Along with all the YT videos about it I didn't even have to go nagging on forums to get it to work, and that's a general first for me.
-
That’s my feeling too
I would look into Tailscale based on your responses here. I don’t know what your use case is exactly but you set TS up on your server and then again on your phone/laptop and you can connect them through the vpn directly. No extra exposed ports or making a domain or whatnot.
If you want other people to access the server they will need to make a TS account and you can authorize them.
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
wrote last edited by [email protected]I see everyone in this thread recommending a VPN or reverse proxy for accessing Jellyfin from outside the LAN. While I generally agree, I don't see a realistic risk in exposing Jellyfin directly to the internet.
It supports HTTPS and certificates nowadays, so there’s no need for outside SSL termination anymore.(See Edit 2)In my setup, which I've been running for some time, I've port-forwarded only Jellyfin's HTTPS port to eliminate the possibility of someone ending up on pure HTTP and sending credentials unencrypted. I've also changed the Jellyfin's default port to a non-standard one to avoid basic port-scanning bots spamming login attempts. I fully understand that this falls into the security through obscurity category, but no harm in it either.
Anyone wanna yell at me for being an idiot and doing everything wrong? I'm genuinely curious, as the sentiment online seems to be that at least a reverse proxy is almost mandatory for this kind of setup, and I'm not entirely sure why.
Edit: Thank you everyone for your responses. While I don't agree with everything, the new insight is appreciated.
Edit 2: I've been informed that infact the support for HTTPS will be removed in a future version. From v10.11 release notes:
Deprecation Notice: Jellyfin’s internal handling of TLS/SSL certificates and configuration in the web server will be removed in a future version. No changes to the current system have been made in 10.11, however future versions will remove the current system and instead will provide advanced instructions to configure the Kestrel webserver directly for this relatively niche usecase. We strongly advise anyone using the current TLS options to use a Reverse Proxy for TLS termination instead if at all possible, as this provides a number of benefits
-
I rent a cheap $5/mo VPS and use it to run a wireguard server with wgeasy and nginx proxy manager. Everything else runs on my home server connected by wireguard.
This is 99% my setup, just with a traefik container attached to my wifeguard container.
Can recommend especially because I can move apartments any time, not care about CGNAT (my current situation which I predicted would be the case), and easily switch to any backup by sticking my boxes on any network with DHCP that can reach the Internet (like a 4G hotspot or a nanobeam pointed at a public wifi down the road) in a pinch without reconfiguring anything.
-
no idea how safe or secure but i use cloudflare tunnel to point my jellyfin port on my computer
Someone mentioned above that cloudflare will ban you for streaming through their tunnel. Just be warned.
-
I’ve look a little on it, didn’t understand most of it. I’m looking for a comprehensive beginner guide before going foward
wrote last edited by [email protected]This isn't a guide, but any reverse proxy allows you to limit open ports on your network (router) by using subdomains (thisPart.website.com) to route connections to an internal port.
So you setup a rev proxy for jellyfin.website.com that points to the port that jf wants to use. So when someone connects to the subdomain, the reverse proxy is hit, and it reads your configuration for that subdomain, and since it's now connected to your internal network (via the proxy) it is routed to the port, and jf "just works".
There's an ssl cert involved but that's the basic understanding. Then you can add Some Other Services at whatever.website.com and rinse and repeat. Now you can host multiple services, without exposing the open ports directly, and it's easy for users as there is nothing "confusing" like port numbers, IP addresses, etc.
-
I rent a cheap $5/mo VPS and use it to run a wireguard server with wgeasy and nginx proxy manager. Everything else runs on my home server connected by wireguard.
Is Nginx Proxy Manager running on the VPS itself and then the proxy routes across the wireguard to your home server? Or is the VPS just port forwarding to your home server which runs the proxy?
