Comment on How do I securely host Jellyfin? (Part 2)
smiletolerantly@awful.systems 1 week ago
Hi again.
How about the following idea:
Set up ProtonVPN on the raspberry pi.
On all other devices (or at least those you want to use Jellyfin on), switch from using Proton to using Wireguard. Unlike your phone, the raspberry pi has no trouble running multiple VPNs. I think the ProtonVPN limitations in regard to not allowing split tunneling don’t apply here, since all outgoing traffic will still go via Proton.
Essentially, the Pi would function as a proxy for all of your traffic, “and also” host Jellyfin. You would still connect to 192.168.20.10:8096 (or whatever) on your devices, but that address would only resolve to anything when you are connected to the pi via Wireguard. No HTTPs, but “HTTP over Wireguard”, if you will.
Note that this requires you to trust the pi to the same degree that you trust your phone.
For your static devices (PC, TV) this should solve the problem. Devices which you take with you, like your phone, unfortunately will lose internet connectivity when you leave your home until you switch off Wireguard and switch on Proton, and will not be able to connect to Jellyfin when you return home until you switch them back.
Essentially, you would have a “home” VPN and an “on the go” VPN, though you never need to connect to both. There might be ways to automate this based on WiFi SSID on Android, but I have not looked into it.
The Pros:
- this should meet all your requirements. No additional expenses, no domain, no dynDNS; no self-signed certificate or custom CA; traffic is never unencrypted; works on all common devices.
- Wireguard is sufficiently lightweight to not bog down the pi, normally
- this is actually well within the intended use-cases for Wireguard, so no “black magic” required in configuring it
- if you ever do decide to get a domain, you can configure everything to always be connected to your pi via Wireguard, even on the go! Not required though.
The Cons:
- when you are new to selfhosting, Wireguard is a bit daunting to set up. It is not the easiest to debug (don’t worry, it’s easy to tell IF it is working, but not always WHY it isn’t working). Some manual route handling is probably also required on the pi. It should definitely be doable though, but might turn this Jellyfin thing from a weekend project to a 2 week project…
- I have no experience with how well the pi runs Jellyfin. If the answer is “barely”, then adding multiple concurrent Wireguard sessions might be a bad experience. Though in this case, you could only switch Proton to Wireguard whenever you want to watch Jellyfin.
- the manual switching might be annoying, but that is the price to pay here, so to speak
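The hub-and-spoke layout this comment proposes (and the later reply's point that the devices should be configured as clients of the Pi rather than as a mesh), as an added example that is not code from anyone in the thread: a POSIX shell script that renders the Pi-side and device-side wg-quick configs, with the firewall rules that make the Pi forward device traffic only into ProtonVPN, keep devices from reaching each other through the Pi, and let Jellyfin answer only inside the tunnel, plus a lint for the most common hub misconfiguration. The tunnel subnet 10.8.0.0/24, the port 51820, the ProtonVPN interface name proton0, the resolver address and every PLACEHOLDER_* key are assumptions; 192.168.20.10:8096 is the comment's own example address.

```shell
#!/bin/sh
# Added example, not code from the thread. Renders the hub-and-spoke WireGuard
# configs described above: the Pi is the hub that forwards everything out via
# ProtonVPN and hosts Jellyfin; each device is a spoke that sends all traffic
# to the Pi and never talks to other spokes. All keys are PLACEHOLDER_* strings
# and all addresses/ports/interface names are assumptions; make real keys with
#   wg genkey | tee pi.key | wg pubkey > pi.pub

PI_WG_ADDR="10.8.0.1"        # assumed tunnel subnet 10.8.0.0/24, Pi is .1
PI_LAN_ADDR="192.168.20.10"  # the comment's example LAN address of the Pi
PI_WG_PORT="51820"
PROTON_IF="proton0"          # assumed name of the ProtonVPN interface on the Pi
JELLYFIN_PORT="8096"
TUNNEL_DNS="10.8.0.1"        # assumed: a resolver on the Pi bound to wg0

# Pi side (wg0.conf). Arguments: one "name:pubkey:tunnel-ip" per device
# (WireGuard keys are base64, so ':' is a safe separator).
render_pi_conf() {
    cat <<EOF
[Interface]
Address = ${PI_WG_ADDR}/24
ListenPort = ${PI_WG_PORT}
PrivateKey = PLACEHOLDER_PI_PRIVATE_KEY
PostUp = sysctl -w net.ipv4.ip_forward=1
# Spokes may not reach each other through the hub, may only leave via
# ProtonVPN, and anything else from the tunnel (e.g. if proton0 is down) is
# dropped instead of leaking out the plain LAN uplink.
PostUp = iptables -A FORWARD -i %i -o %i -j DROP
PostUp = iptables -A FORWARD -i %i -o ${PROTON_IF} -j ACCEPT
PostUp = iptables -A FORWARD -i ${PROTON_IF} -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -A FORWARD -i %i -j DROP
PostUp = iptables -t nat -A POSTROUTING -o ${PROTON_IF} -j MASQUERADE
# Jellyfin answers only inside the tunnel: plaintext HTTP on the LAN is refused.
PostUp = iptables -A INPUT -p tcp --dport ${JELLYFIN_PORT} ! -i %i -j DROP
PostDown = iptables -D FORWARD -i %i -o %i -j DROP
PostDown = iptables -D FORWARD -i %i -o ${PROTON_IF} -j ACCEPT
PostDown = iptables -D FORWARD -i ${PROTON_IF} -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j DROP
PostDown = iptables -t nat -D POSTROUTING -o ${PROTON_IF} -j MASQUERADE
PostDown = iptables -D INPUT -p tcp --dport ${JELLYFIN_PORT} ! -i %i -j DROP
EOF
    for spec in "$@"; do
        name=${spec%%:*}; rest=${spec#*:}
        pubkey=${rest%%:*}; addr=${rest#*:}
        # One /32 per peer: on the hub, AllowedIPs is the source-address filter,
        # so a device can only send as itself and cannot impersonate another.
        printf '\n# %s\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' \
            "$name" "$pubkey" "$addr"
    done
}

# Device side. Argument: this device's tunnel address.
render_client_conf() {
    cat <<EOF
[Interface]
Address = $1/32
PrivateKey = PLACEHOLDER_DEVICE_PRIVATE_KEY
DNS = ${TUNNEL_DNS}

[Peer]
PublicKey = PLACEHOLDER_PI_PUBLIC_KEY
Endpoint = ${PI_LAN_ADDR}:${PI_WG_PORT}
# Full tunnel: every packet, including the one to ${PI_LAN_ADDR}:${JELLYFIN_PORT},
# is encrypted to the Pi first. ::/0 keeps IPv6 from bypassing the tunnel.
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}

# Reads a hub config on stdin. Fails if any peer is allowed more than a single
# /32 (it could then inject packets with any source address, the LAN's
# included) or if two peers claim the same tunnel address.
lint_pi_conf() {
    ips=$(sed -n 's/^AllowedIPs = //p' | tr ',' ' ')
    for ip in $ips; do
        case "$ip" in
            */32) ;;
            *) echo "lint: peer AllowedIPs '$ip' is wider than a /32" >&2; return 1 ;;
        esac
    done
    dups=$(printf '%s\n' $ips | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "lint: address claimed by more than one peer: $dups" >&2; return 1
    fi
    return 0
}

# Print both sides for review and lint the hub config.
pi_conf=$(render_pi_conf "phone:PLACEHOLDER_PHONE_PUBLIC_KEY:10.8.0.2" \
                         "tv:PLACEHOLDER_TV_PUBLIC_KEY:10.8.0.3")
printf '%s\n' "$pi_conf"
printf '%s\n' "$pi_conf" | lint_pi_conf
render_client_conf 10.8.0.2
```

The DNS line matters more than it looks: with 0.0.0.0/0 on the device, its usual LAN resolver would be routed into the tunnel and then hit the catch-all drop on the Pi, so whichever resolver the devices use has to be reachable through the tunnel. The lint encodes the one hub mistake worth catching early: on the Pi, a peer's AllowedIPs is the filter on what that peer may send, not a route, so anything wider than its own /32 hands that device more of the network than intended.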
Charger8232@lemmy.ml 1 week ago
Hi there!
I’m actually surprised nobody suggested simply using the Pi with OpenWrt as my own router. Though, that would make it hard to host Jellyfin.
For the most part, I trust the security of my Pi. I can hold it in my hand and see every line of code, after all!
I plan to post a tutorial about how to securely host Jellyfin. Another user gave a solution to this problem that I absolutely love, and I’ll showcase it there. I don’t want to spoil it :)
Could you explain Wireguard vs. Tailscale in this scenario?
Thank you all so much for your help! This is likely the solution I will go with, combined with another one, so again thank you so much!
P.S. I don’t care if you wrap an ethernet cord around her finger, get going!
melmi@lemmy.blahaj.zone 1 week ago
Tailscale is just a bunch of extra fancy stuff on top of Wireguard. If you don’t need the fancy stuff, using raw Wireguard can be more lightweight, but might require more networking knowledge.
The biggest thing Tailscale brings to the table is NAT traversal. On top of that it uses direct Wireguard tunnels as necessary instead of creating a mesh like you usually would if you were using raw Wireguard. It also offers convenient bits of sugar like internal DNS, and it handles key exchanges for you so it’s just generally easier to configure. When you do raw Wireguard you’re doing all the config yourself, which could be a pro or a con depending on your needs—and you’ll be editing config files, unlike Tailscale which has a GUI for most things. It also supports some more detailed security options like ACLs and I think SSO, while Wireguard is reliant on your existing firewall for that.
Here’s what Tailscale has to say about it: tailscale.com/compare/wireguard
I’ve messed around with Tailscale myself, but ultimately settled on running Wireguard. The reason I do that though is because I trust my LAN, and I only run Wireguard at the edge. Tailscale really wants to be run on every node, which in turn is something that raw Wireguard theoretically can do but would be onerous to maintain. If I didn’t trust my LAN, I’d probably switch to Tailscale.
smiletolerantly@awful.systems 1 week ago
A brief internet search shows that surprisingly, hosting Jellyfin on OpenWRT should work… No idea how well though. Come to think of it, having OpenWRT on the pi might make it a lot easier to configure, with graphical settings available and so on.
I’ve never used tailscale, I’m afraid. Normally I would say: just use whatever seems easier to set up on your device/network; however, note that tailscale needs a “coordinate server”. No actual traffic ever goes through it, it just facilitates key exchanges and the like (from what I understand), but regardless, it’s a server outside your control which is involved in some way. You can selfhost this server, but that is additional work, of course…
Glad I could help, after being so unhelpful yesterday :)
Eh… Marriage is not really common in either of our families. We agreed to go sign the papers if there ever is a tax reason, lol. Sorry if that’s a bit unromantic :D Nice rings though ^^
Charger8232@lemmy.ml 1 week ago
I still find it hilarious that since dd-wrt and OpenWrt are just… Linux, you could install Super Mario Bros on there. I checked, nobody seems to have tried.
Ah, that makes sense. Is Wireguard P2P?
Don’t beat yourself up, you were fine. Because I’m big on privacy, when I ask for help I have a bad habit of leaving out the “why” behind my choices, so it’s understandable that people weren’t happy with what I needed.
I need to go make a petition to raise taxes then! /s
You both are perfect for each other, so don’t screw it up!
smiletolerantly@awful.systems 1 week ago
Oh, definitely, but there are varying degrees of difficulty, esp. with what kinds of packages / package management you have available :D
Yes, in the sense that each node/device is a peer. But the way I’d suggest you configure it in your case is more akin to a client/server setup - your devices forward all traffic to the “server”, but it never takes initiative to talk “back” to them, and they do not attempt to communicate with each other. Unless you have a separate usecase for that, of course.
❤️
Closing in on 8 years