Comment

Comment on How do I host Jellyfin in the most secure manner possible?

I wish it were that simple, but as I mentioned that would require paying for ProtonVPN to allow LAN connections (which isn’t the worst thing in the world, but I’d prefer to avoid subscriptions where possible) and clients don’t allow self-signed certificates.

source

Sort:hotnew top

DesolateMood@lemm.ee ⁨11⁩ ⁨months⁩ ago
Idk if proton allows you to download config files on a free account but if they do then you could use those to manually split tunnel your local internet

source
- Charger8232@lemmy.ml ⁨11⁩ ⁨months⁩ ago
  
  Idk if proton allows you to download config files on a free account
  
  I remember a time a few years ago when I managed to do something similar… I’ll look into this!
  
  source
smiletolerantly@awful.systems ⁨11⁩ ⁨months⁩ ago
What are you talking about. Please clarify if this is actually true:

I don’t plan to access it anywhere but home.

This would mean that you only want to access Jellyfin when you, and the device you are watching your show/movie on, are at home, where the Pi/server also is.

Is this correct?

If so, then questions about VPN, Certificates, DNS,… do not matter.

host Jellyfin on the Pi, e.g. with IP 192.168.10.20 on your local network

open the Jellyfin app on your TV/Phone/PC, connect to 192.168.10.20:8096

done

Now you can access it at home, and only at home. I honestly fail to see where a VPN would even come into the equation here (again, if you wish to ONLY watch when you are at home, as you’ve said).
source
- DesolateMood@lemm.ee ⁨11⁩ ⁨months⁩ ago
  OPs problem is that proton blocks Lan connections when connected and require you to pay them if you want to unblock it
  
  source
  - lefixxx@lemmy.world ⁨11⁩ ⁨months⁩ ago
    What the f
    
    source
  - littleomid@feddit.org ⁨11⁩ ⁨months⁩ ago
    Then he should use Mullvad.
    
    source
  - smiletolerantly@awful.systems ⁨11⁩ ⁨months⁩ ago
    Smh. I get wanting to be connected to a wifi, but being locked out of your own local network is just stupid.
    
    source
- Charger8232@lemmy.ml ⁨11⁩ ⁨months⁩ ago
  
  This would mean that you only want to access Jellyfin when you, and the device you are watching your show/movie on, are at home, where the Pi/server also is.
  
  Is this correct?
  
  Yes.
  
  If so, then questions about VPN, Certificates, DNS,… do not matter.
  
  They do, because if ProtonVPN blocks LAN connections then the only other option is exposing the server to the WAN
  
  open the Jellyfin app on your TV/Phone/PC, connect to 192.168.10.20:8096
  
  This does not encrypt during transit, and my network is not a trusted party.
  
  I honestly fail to see where a VPN would even come into the equation here
  
  I, like many others, use my devices for more than just accessing my LAN while I am on my home network.
  
  source
  - smiletolerantly@awful.systems ⁨11⁩ ⁨months⁩ ago
    
    This does not encrypt during transit, and my network is not a trusted party.
    
    Then honestly, you have other problems than setting up Jellyfin.
    
    For real though, if you think someone is (or might be) listening in on your local network, i.e. have physical access or compromised one of your machines, then the Jellyfin traffic is the least of your problems. Pick your battles. What’s the worst that could happen here - someone gets to know your favorite show?
    
    They do, because if ProtonVPN blocks LAN connections then the only other option is exposing the server to the WAN
    
    Ah, I see. On your PC you should just be able to set a static route over the physical interface for 192.168.0.0/24 (or whatever your local network is) which takes precedence over the VPN. For android… Oof, no idea. Probably need root.
    
    source
    Charger8232@lemmy.ml ⁨11⁩ ⁨months⁩ ago
    
    For real though, if you think someone is (or might be) listening in on your local network, i.e. have physical access or compromised one of your machines, then the Jellyfin traffic is the least of your problems. Pick your battles. What’s the worst that could happen here - someone gets to know your favorite show?
    
    A bad router + bad ISP combo means I get ratted out for copyrighted material (that I don’t have… I only host creative commons videos on my Jellyfin server, of course…)
    
    source
    -> View More Comments
  - skizzles@lemmy.world ⁨11⁩ ⁨months⁩ ago
    [deleted]
    source
    Charger8232@lemmy.ml ⁨11⁩ ⁨months⁩ ago
    
    Just out of curiosity, why is your network not a trusted party?
    
    Part of my threat model is essentially “anything that can connect to the internet poses a security risk”. Since networks are the literal gateway to the internet, it is reasonable not to trust them. Routers don’t run as secure operating systems as Qubes OS, secureblue, or GrapheneOS. If a malicious party found a way to connect to the network, all unencrypted activities can be intercepted. If the router itself has malicious code, any unencrypted traffic can be sent to a third party. Those are just the basics, but trying to put band-aid solutions on a fundamentally broken system is a losing battle.
    
    GrapheneOS distrusts networks as much as possible, so I do too. Even if I own the network, I am not a network engineer, so the chances of fault are high. In the simplest case, the network is a gateway to all activity that happens on the LAN, and it only takes one zero day to make that happen. The best mitigation is proper encryption and no self-signed certificates (where possible).
    
    source
tacostrange@lemmy.ml ⁨11⁩ ⁨months⁩ ago
Look into Tailscale. Its free

source