as a noob, should I connect jellyfin with tailscale using OIDC?

Submitted ⁨⁨2⁩ ⁨days⁩ ago⁩ by ⁨Sirius006@sh.itjust.works⁩ to ⁨selfhosted@lemmy.world@lemmy.world⁩

Hello everyone,

I want to create a Tailscale account to access my Jellyfin server from outside my home, but I’m already stuck at the first step: to create an account, you need either a GAFAM account or OIDC. I don’t have any personal accounts with GAFAM because of Lemmy’s bad influence. My emails are on Tuta. I don’t want to overcomplicate things as I’m a noob, but after spending 30 minutes researching OIDC, I still don’t know where to start… I don’t work in IT (at all).

Is it better to just give up and create a throwaway account with a GAFAM platform, or is there a simple way to do this with OIDC? If so, can anyone point me the way? Is there a free reliable OIDC provider? Will that make things complicated afterward with tail scale?

For more context: I turned my old gaming PC into a media center running Fedora and a Jellyfin server that I access locally. I was surprised by how relatively simple it all was, especially getting Jellyfin to work locally.

Obviously, I wanted to use Tailscale to connect to Jellyfin remotely, but I never had time to look into it. I was told this morning that I’m going to undergo major surgery with a significant recovery period ahead, so suddenly this has become urgent…

source

Comments

Sort:hotnew top

hendrik@palaver.p3x.de ⁨2⁩ ⁨days⁩ ago
If Tailscale doesn’t suit you, maybe try one of the alternatives. There’s Pangolin or plain old Wireguard tunnels.

source
- Sirius006@sh.itjust.works ⁨2⁩ ⁨days⁩ ago
  They all seem self hosted and I am not yet to the point where I feel at ease with that as it seems to be “exposed” (I don’t really know what it means to be honest). I do intend to get into this kind of stuff later though.
  
  source
  - hendrik@palaver.p3x.de ⁨2⁩ ⁨days⁩ ago
    Sure, sorry, you’re in the selfhosted community, so I sent some self hosted options 😆 If you own one of the internet/wifi routers with Wireguard built in (FritzBox, MikroTik, etc…) that might be an option as well. Other than that, I never tried any of the more commercial options, so I don’t know much about it.
    
    source
    -> View More Comments
  - prenatal_confusion@feddit.org ⁨1⁩ ⁨day⁩ ago
    I was very skeptical because I didn’t want to punch holes into that nice safe lan. Pangolin got me in the end after I left tail scale with its easy docker for a cheap vps (1GB ram) and its approach in general.
    
    For example I am running my services locally in a docker via compose. I add a newt endpoint (pangolin talk) that is a docker container with some with info for my pangolin instance ton said compose and I have only the content of said docker compose connected via wireguard.
    
    Next step is exposing a public resource where you choose a specific service and port to map to a public URL.
    
    It is all so compartmentalized its fantastic and makes me feel good about that public service.
    
    Securing that service itself is possible with an additional auth layer.
    
    source
  - habitualTartare@lemmy.world ⁨2⁩ ⁨days⁩ ago
    wireguard is self hosted and you do have to “expose” one UDP port. From the outside it’s difficult to detect that this “opening” exists because wireguard just listens and ignores everything unless you send the encrypted credentials. Compared to hosting a webpage or jellyfin directly this is much more secure. As long as you keep wireguard relatively up to date you don’t really have to worry much about it.
    
    I personally use wg-easy. It’s designed to be deployed into docker (using docker compose is by far the easiest).
    
    Then you can either use your IP address, or ideally a dynamic DNS provider so you’d connect to myexample.com:51820. Duckdns is free, otherwise options are available like cloudflare. If you can get jellyfin working, this should be relatively straightforward.
    
    source
Decronym@lemmy.decronym.xyz ⁨1⁩ ⁨day⁩ ago
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters More Letters

DNS Domain Name Service/System

NAT Network Address Translation

UDP User Datagram Protocol, for real-time communications

VPN Virtual Private Network

[Thread #7 for this comm, first seen 9th Jun 2026, 20:20] [FAQ] [Full list] [Contact] [Source code]

source
- febrile@lemmy.world ⁨12⁩ ⁨hours⁩ ago
  You missed GAFAM and OIDC
  
  source
talkingpumpkin@lemmy.world ⁨2⁩ ⁨days⁩ ago
Setting up an OIDC provider isn’t particularly difficult, but you’ll have to run it as a publicly accessible server in order for tailscale to interact with it.

It looks like you can register at netbird.io with email and password.

In your shoes I’d setup that for now, and later look into OIDC or (probably better) into self-hosting nebula (or maybe netbird).

source
- Sirius006@sh.itjust.works ⁨2⁩ ⁨days⁩ ago
  Netbird has a free tier that they host, It seems simple enough and it is open source! That’s a lot of perks. I’ll start by trying that !
  
  source
dieTasse@feddit.org ⁨1⁩ ⁨day⁩ ago
You can create an accout using trow away gafam account. Create network, then invite yourself over email. When invited you can actually make an account using only passkey. So create second account with passkey, you can leave the invited-to network and create new one completely separately from the first one. You can delete the first account and the gafam account. Job done 😀 (and yes I did exactly this) 😀

source
- Sirius006@sh.itjust.works ⁨1⁩ ⁨day⁩ ago
  Ok, I guess it’s not stupid if it works! And it seems easy. I’ll try netbird first (recommended below), as their tutorial on how to setup jellyfin seems pretty comprehensive. If I fail this is number two on my list !
  
  source
Postmortal_Pop@lemmy.world ⁨2⁩ ⁨days⁩ ago
I actually found it far easier to connect it through cloudflared tunnel service. Grab a cheap domain name through them and then just follow the guide on their website. Took me longer to type this message than it did to get running and I’ve managed to fail at setting up the Arr suite 3 times now despite it basically being copy paste.

I paid maybe 15 bucks total to have someone else doing all the hard work for the next 5 years and all I have to do is go to my website and log in. No VPN, no port forwarding, and it works on every platform.

source
- eager_eagle@lemmy.world ⁨2⁩ ⁨days⁩ ago
  worth mentioning the old TOS banned video streaming across cloudflare products, but I don’t see a similar umbrella restriction in the current base terms, or in the terms of cloudflare zero trust.
  
  also, make sure you have the rights to transmit the content and are not infringing anyone’s intellectual property rights, ofc 😇
  
  source
- lemmyvore@feddit.nl ⁨2⁩ ⁨days⁩ ago
  CF tunnels are a way to bypass NAT but they are not really secure. There’s no authentication, just a WAF and some bot detection. It’s not really comparable with a VPN or Tailscale.
  
  source
  - KairuByte@lemmy.dbzer0.com ⁨2⁩ ⁨days⁩ ago
    Cloudflare tunnels have a zero trust option to them. You can authenticate through a number of sources, including arbitrary OIDC.
    
    source
  - eager_eagle@lemmy.world ⁨2⁩ ⁨days⁩ ago
    not true, you can enable authentication
    
    source
- irmadlad@lemmy.world ⁨2⁩ ⁨days⁩ ago
  Jellyfin and Cloudflare Tunnels/Zero Trust might present some problems. Yes, it will undoubtedly work, however, streaming video through Cloudflare Tunnels/Zero Trust is against the TOS. Now, I suspect that if you had one user, you’d probably slide by. 10 users streaming large video files at a sustained rate would probably raise a red flag. I stream audio through Cloudflare Tunnels/Zero Trust and have had no issues, tho I am the only user. There are other alternatives to Cloudflare Tunnels/Zero Trust such as NetBird, ZeroTier, Headscale, or Tailscale. Just something to consider.
  
  source
  - eager_eagle@lemmy.world ⁨2⁩ ⁨days⁩ ago
    I believe that’s not in their terms for years now, at least in my untrained eyes
    
    source
    -> View More Comments
Scrath@lemmy.dbzer0.com ⁨2⁩ ⁨days⁩ ago
Depending on what router you use, setting up a VPN connection into your own home network may be the simplest solution and possibly also the most secure.

In germany at least, FritzBox seems to be the dominant router and they offer a very simple VPN setup which utilizes their own domain to initiate a connection.

I personally use a MikroTik router at home (still not sure if that was the best idea…) and they have a similar thing called Back To Home VPN. The Fritzbox gave me less trouble setting up though.

source
kuroshido@ani.social ⁨2⁩ ⁨days⁩ ago
I use GitHub to authenticate. It’s easy enough and signup on GitHub is straightforward.

source
- Sirius006@sh.itjust.works ⁨2⁩ ⁨days⁩ ago
  Github appears to be owned by microsoft so I’d rather avoid that if possible (on principle), but if the rest fails I’ll fall back to that !
  
  source

Fewer Letters	More Letters
DNS	Domain Name Service/System
NAT	Network Address Translation
UDP	User Datagram Protocol, for real-time communications
VPN	Virtual Private Network