What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
Jellyfin over the internet
Submitted 1 month ago by TribblesBestFriend@startrek.website to selfhosted@lemmy.world
https://startrek.website/pictrs/image/6d04a3f3-79ec-44cb-9f2e-926280a658f4.png
Comments
nutbutter@discuss.tchncs.de 1 month ago
blah3166@piefed.social 1 month ago
good article! thanks for that
bmcgonag@lemmy.world 1 month ago
Cheap VPS with Pangolin for Wireguard and reverse proving through the tunnel.
Darkassassin07@lemmy.ca 1 month ago
An $11/yr domain pointed at my IP. Port 443 is open to nginx, which proxies to the desired service depending on subdomain. (and explicitly drops any connection that uses my raw ip or an unrecognized name to connect, without responding at all)
ACME.sh automatically refreshes my free ssl certificate every ~2months via DNS-01 verification and letsencrypt.
And finally, I’ve got a dynamic IP, so DDClient keeps my domain pointed at the correct IP when/if it changes.
There’s also pihole on the local network, replacing the WAN IP from external DNS, with the servers local IP, for LAN devices to use. But that’s very much optional, especially if your router performs NAT Hairpinning.
This setup covers all ~24 of the services/web applications I host, though most other services have some additional configuration to make them only accessible from LAN/VPN despite using the same ports and nginx service. I can go into that if there’s interest.
Only Emby/Jellyfin, Ombi, and Filebrowser are made accessible from WAN; so I can easily share those with friends/family.
josefo@leminal.space 1 month ago
This is an interesting setup
hellequin67@lemmy.zip 1 month ago
Personally I use twingate, free for 5 users and relatively straightforward to set up.
TribblesBestFriend@startrek.website 1 month ago
I’m fidgeting with Tailscale right now, only to stream on a AppleTV at a friend house. So far no luck but that’s not me that set up Infuse, so could be an operator error on my friend part
ladfrombrad@lemdro.id 1 month ago
The way I do it for a family member with Tailscale is them having a couple of boxes down there (n100 with their Jellyfin server, and a RPI4 with a TVHServer) with my Tailnet signed in, and those boxes running both a “subnet router” and an "exit node"that both me and said fam member can use.
This means she has permissions to use the exit node wherever like I do to my own local LAN, to connect to her LAN and access things locally since you can assign them via the ACL’s / device perms.
I know reading docs can suck sometimes but honest to god the ones that Tailscale put up are pretty awesome.
Along with all the YT videos about it I didn’t even have to go nagging on forums to get it to work, and that’s a general first for me.
hellequin67@lemmy.zip 1 month ago
I tried tailscale first but to be honest wasn’t a fan. I moved to Twingate and found it much simpler to set up
Decipher0771@lemmy.ca 1 month ago
Jellyfin through a traefik proxy, with a WAF as middleware and brute force login protected by fail2ban
thenose@lemmy.world 1 month ago
I just use tailscale. I am thinking about external share options but for me and my closests just plain simple tailscale
chug-capture-ahoy@piefed.social 1 month ago
Tailscale - funnel
Just that
borax7385@lemmy.world 1 month ago
I have had Jellyfin directly open to the Internet with a reverse proxy for years. No problems.
pHr34kY@lemmy.world 1 month ago
If your reverse proxy only acknowledges jellyfin exists if the hostname is correct, you won’t get discovered by an IP scanner.
Mine’s on jellyfin.[domain].com and you get a completely different page if you hit it by IP address.
If it does get found, there’s also a fail2ban to rate-limit someone brute-forcing a login.
I’ve always exposed my home IP to the internet. Haven’t had an issue in the last 15 years.
douglasg14b@lemmy.world 1 month ago
Please to see: github.com/jellyfin/jellyfin/issues/5415
Someone doesn’t necessarily have to brute Force a login if they know about pre-existing vulnerabilities, that may be exploited in unexpected ways
NuXCOM_90Percent@lemmy.zip 1 month ago
I don’t use jellyfin but my general approach is either:
- Expose it over a VPN only. I usually use Tailscale for this so that I can expose individual machines but you do you
- Cloudflare tunnel that exposes a single port on a single internal machine to a subdomain I own
There are obviously ways to do this all on your own but… if you are asking this question you probably want to use one of those to roll it. Because you can leave yourself ridiculously vulnerable if you do it yourself.
TribblesBestFriend@startrek.website 1 month ago
That’s my feeling too
SmoothLiquidation@lemmy.world 1 month ago
I would look into Tailscale based on your responses here. I don’t know what your use case is exactly but you set TS up on your server and then again on your phone/laptop and you can connect them through the vpn directly. No extra exposed ports or making a domain or whatnot.
If you want other people to access the server they will need to make a TS account and you can authorize them.
cupcakezealot@piefed.blahaj.zone 1 month ago
for me i just needed a basic system so my family could share so I have it on my pc, then I registered a subdomain and pointed it to my existing ec2 server with apache using a proxy which points to my local ip and port then I opened the jellyfin port on my router
femtech@midwest.social 1 month ago
Who are you using for your domain? I was told if I used cloudfair they would ban me for having streaming traffic over their DNS.
Darkassassin07@lemmy.ca 1 month ago
You can use cloudflares DNS and not use their WAF (the proxy bit) just fine. I have been for almost a decade.
superglue@lemmy.dbzer0.com 1 month ago
That would only be if you use their cloudflare tunnel feature
cupcakezealot@piefed.blahaj.zone 1 month ago
for me I just registered through route 53 its a subdomain of my personal domain.
Netrunner@programming.dev 1 month ago
Sad that mTLS support is non existent because it solves this problem.
rumba@lemmy.zip 1 month ago
It would cover all phones, pcs and maybe Android TVs.
The barrier to entry would be having to replace the cert every year since we now made that a thing. Maybe spin up a self-sign shirt server and start issuing people 10 years certs
bitwolf@sh.itjust.works 1 month ago
Is putting it behind an Oauth2 proxy and running the server in a rootless container enough?
somewa@suppo.fi 1 month ago
Tailscale + Caddy (automatic certificates FTW).
Sgt_choke_n_stroke@lemmy.world 1 month ago
Synology worked for me. They have built in reverse proxy. As well as good documentation to install it on their machine. Just gotta configure your wifi router to port forward your device and bam you’re ready to rock and roll
TribblesBestFriend@startrek.website 1 month ago
Didn’t they patch their things now that your stuck in their bubble/environment now or something like that ?
Sgt_choke_n_stroke@lemmy.world 1 month ago
Not sure what what you mean. Plex has a bubble you can get stuck in. Jellyfin is free and open source
spacemanspiffy@lemmy.world 1 month ago
OpenVPN into my router
potentiallynotfelix@lemmy.fish 1 month ago
VPN or Tailscale
JiveTurkey@lemmy.world 1 month ago
I’m using jf on unraid. I’m allowing remote https only access with Nginx Proxy Manager in a docker container.
Alk@sh.itjust.works 1 month ago
SWAG reverse proxy with a custom domain+subdomain, protected by authentik and fail2ban. Easy access from anywhere once it’s set up. No vpn required, just type in the short subdomain.domain.com and sign in (or the app keeps me signed in)
iAmTheTot@sh.itjust.works 1 month ago
What’s the point of authentik when Jellyfin already has authentication?
Alk@sh.itjust.works 1 month ago
While technically not strictly necessary, it adds more robust authentication methods, and makes it easier to build out other apps if you want to in the future without having to re-do the sign-in process for all of your users. You can have things like 2fa and other things that make it harder for bots to get in and easier for users to stay in. It also makes it easier to keep track of login attempts and notice compromised accounts.
TribblesBestFriend@startrek.website 1 month ago
That’s probably this type of setup I would want but I miss the technical know how, so if you have a cool beginner guide
Alk@sh.itjust.works 1 month ago
Here is the video I followed for SWAG. Note that this (and most of IBRACORP’s guides, which are all fantastic) uses Unraid as the OS, which automates a lot of the processes.
And here is a written guide by the same group to go with or replace the video if this is more your speed: docs.ibracorp.io/swag-2/
Alk@sh.itjust.works 1 month ago
I used several separate guides plus help from a friend. Check out space invader one’s YouTube channel. I’m not at my pc right now but I can gather some of the tutorials I used when I get back.
HeyJoe@lemmy.world 1 month ago
Synology with Emby (do not use the connect service they offer) running behind my fortinet firewall. DDNS with my own domain name and ssl cert. Open 1 custom port (not 443) for it, and that’s it. Geoblock every country but my own, which basically eliminated all random traffic that was hitting hit. I’ve been running it this way for 5 years now and have no issues to report.
AMillionMonkeys@lemmy.world 1 month ago
How are you geoblocking?
HeyJoe@lemmy.world 1 month ago
Sadly, it may not be an option for a lot of people, but on the fortinet firewall you can make policies and set up geoblocking.
dataprolet@lemmy.dbzer0.com 1 month ago
I’m using a cheap VPS that connects over Tailscale to my home server. The VPS runs Nginx Proxy Manager, has a firewall and the provider offers DDOS protection and that’s it.
cloudless@piefed.social 1 month ago
Unifi teleport. A zero configuration VPN to my home network.
TribblesBestFriend@startrek.website 1 month ago
I’m fidgeting with Tailscale but I find this solution some what lacking
confusedbytheBasics@lemmy.world 1 month ago
I keep jellyfin up to date in a container and forward tcp/8920 on my router to the container. Easy and plenty secure. People in this thread are wildly overthinking it.
TheFANUM@lemmy.world 1 month ago
Or you could use Plex and jump through zero of these hoops
essell@lemmy.world 1 month ago
I think paying for remote access counts as a hoop.
As in “that’s a pain in my hoop”
TribblesBestFriend@startrek.website 1 month ago
Plex is slowly changing is terms & conditions to sell more and more of our data. That’s kind of a no no for me
fmstrat@lemmy.nowsci.com 1 month ago
Either comment OP hasn’t followed the news, or they forgot this was the Fediverse.
RememberTheApollo_@lemmy.world 1 month ago
OpenVPN into my own LAN. Stream from there to my device.
Bruhh@lemmy.world 1 month ago
I’m trying to self host navidrome in docker with a cloudflare domain and reverse proxy on the same network. Still fiddling myself since I keep getting a 403 cloudflare no access error.
Essentially, using cert provided by cloudflare where they proxy to my ip. From there the reverse proxy routes to my service. If I’m understanding it right, anyone with my domain would only see cloudflare ip instead of my own. Someone correct me if I’m wrong. I’m still learning this stuff as well.
Prior to this, I was using tailscale which worked fine but I’d have to connect via tailscale everytime and some instances, it wouldn’t connect properly at all.
lycanrising@lemmy.world 1 month ago
no idea how safe or secure but i use cloudflare tunnel to point my jellyfin port on my computer
StopSpazzing@lemmy.world 1 month ago
Someone mentioned above that cloudflare will ban you for streaming through their tunnel. Just be warned.
lycanrising@lemmy.world 1 month ago
yeah it’s in the terms of service but my usage will be so small it’s not even going to register on their charts so i’m happy with the risk.
bjoern_tantau@swg-empire.de 1 month ago
My router has a VPN server built-in. I usually use that.
johannes@lemmy.jhjacobs.nl 1 month ago
With wireguard i set up an easy VPN, then vpn to the home network and use jellyfin.
If i cant use vpn, i have Jellyfin behind a caddy server with automatic https and some security settings.
KingThrillgore@lemmy.ml 1 month ago
Set up a VPN, use PiVPN
TribblesBestFriend@startrek.website 1 month ago
I’ll try looking into that
KingThrillgore@lemmy.ml 1 month ago
Just remember to test with something better than your phone, T-Mobile aggressively filters VPNs. Try a coffee shop.
Takios@discuss.tchncs.de 1 month ago
Wireguard VPN to my fritzbox lets me access my jellyfin.