habitualTartare
@habitualTartare@lemmy.world
- Comment on Using a SSH tunnel/ port forward to connect a TV? 19 hours ago:
I’m not entirely sure about the technical differences, but from my understanding VPN connections are preferred. From a security perspective, SSH has some more considerations since it’s easier to detect that it’s open, and you should lock down root access and other privileged accounts. But SSH seems simpler to actually get working vs a VPN solution, which would probably require a reverse proxy or something to get the TV working.
For example, compromising an SSH service gives you access to the shell immediately, vs WireGuard or similar, which historically (from my knowledge) has had fewer critical vulnerabilities that could lead to remote code injection or access. This is also why many corporate guidelines and best practices recommend layering SSH through a private VPN like IPsec, OpenVPN, WireGuard, etc.
In practice it’s most likely fine as long as:
- you don’t use root or an account with sudo to do the SSH forwarding
- you require an SSH key for all connections (at minimum any remote/internet connections)
- you update the system regularly. You can automate security updates with unattended-upgrades on Debian-based systems.
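The three points above (unprivileged tunnel account, key-only auth, automated updates) as one concrete setup. This is an added example, not code from the commenter: it assumes a Debian-based host with OpenSSH 8.7 or newer (for the `sshd_config.d/` drop-in and the `KbdInteractiveAuthentication` keyword), a hypothetical tunnel account named `tvtunnel`, and a hypothetical service on `127.0.0.1:8096` that the TV needs to reach. The two functions only write config text; the actual deployment commands are listed as comments so you can run them deliberately as an admin.

```shell
#!/bin/sh
# Added example, not from the original comment. Assumed names: user "tvtunnel",
# forwarded service 127.0.0.1:8096, Debian-based host with OpenSSH >= 8.7.

# Write an sshd drop-in: keys only and no root login globally, and a Match
# block that lets the tunnel user forward exactly one local port and nothing
# else (no TTY, no agent/X11 forwarding, no shell via ForceCommand).
# $1 = output path, $2 = tunnel user, $3 = local port the TV may reach
write_tunnel_sshd_config() {
    out="$1"; user="$2"; port="$3"
    cat > "$out" <<EOF
# Global: key-based auth only, never root over SSH.
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no

# Tunnel-only account: may open one local forward, nothing else.
Match User $user
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:$port
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /usr/sbin/nologin
EOF
}

# Emit an authorized_keys line that pins the same restriction to the key
# itself ("restrict" turns everything off, "port-forwarding" re-enables only
# forwarding, "permitopen" limits the target), so the limit survives a
# later sshd_config edit.
# $1 = public key line (e.g. "ssh-ed25519 AAAA... tv@home"), $2 = port
restricted_authorized_key() {
    printf 'restrict,port-forwarding,permitopen="127.0.0.1:%s" %s\n' "$2" "$1"
}

# Deployment on the Pi (run once as an admin; shown as comments so sourcing
# this file has no side effects):
#   sudo useradd --system --create-home --shell /usr/sbin/nologin tvtunnel
#   sudo install -d -m 700 -o tvtunnel -g tvtunnel /home/tvtunnel/.ssh
#   write_tunnel_sshd_config /etc/ssh/sshd_config.d/10-tvtunnel.conf tvtunnel 8096
#   restricted_authorized_key "$(cat tv.pub)" 8096 \
#       | sudo install -m 600 -o tvtunnel -g tvtunnel /dev/stdin /home/tvtunnel/.ssh/authorized_keys
#   sudo sshd -t && sudo systemctl reload ssh      # validate before reloading
#   sudo apt install unattended-upgrades && sudo dpkg-reconfigure -plow unattended-upgrades
#
# Client side: -N requests no shell or command, so ForceCommand/nologin never
# runs and only the permitted forward is established:
#   ssh -N -i tv -L 8096:127.0.0.1:8096 tvtunnel@your-home-host
```

Because the restriction is expressed twice (in the Match block and in the key options), a mistake in either one still leaves the other in force; `sshd -t` catches syntax errors before the reload so you cannot lock yourself out with a bad drop-in.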
- Comment on Using a SSH tunnel/ port forward to connect a TV? 1 day ago:
Are you connecting from a public network or something, like a hotel wifi or other?
The easiest solution would be to set up the Pi as your router and use a VPN like WireGuard (wg-easy) or Tailscale.
If it is a public network, you can double NAT. There are dedicated boxes like the GL.iNet travel routers that support WireGuard/OpenVPN and beta for Tailscale. They have some features that work well with captive portals.
If it’s a home network, you can probably use your Pi as an entry/exit node or VPN client instead of using SSH.
- Comment on as a noob, should I connect jellyfin with tailscale using OIDC? 1 week ago:
WireGuard is self-hosted and you do have to “expose” one UDP port. From the outside it’s difficult to detect that this “opening” exists because WireGuard just listens and ignores everything unless you send the encrypted credentials. Compared to hosting a webpage or Jellyfin directly, this is much more secure. As long as you keep WireGuard relatively up to date, you don’t really have to worry much about it.
I personally use wg-easy. It’s designed to be deployed in Docker (using Docker Compose is by far the easiest).
Then you can either use your IP address or, ideally, a dynamic DNS provider, so you’d connect to myexample.com:51820. DuckDNS is free; otherwise options are available like Cloudflare. If you can get Jellyfin working, this should be relatively straightforward.
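What the “one UDP port plus a DDNS name” setup looks like on disk, written as plain `wg-quick` configs rather than through wg-easy’s UI. This is an added example, not the commenter’s configuration: the key strings passed in are constructed placeholders (real ones come from `wg genkey` / `wg pubkey`, shown in the comments), the DuckDNS subdomain `myexample`, the tunnel subnet `10.8.0.0/24` and the home LAN `192.168.1.0/24` are assumptions, and the DuckDNS update URL shape is the service’s documented one.

```shell
#!/bin/sh
# Added example, not from the original comment. Placeholder keys, subnet
# 10.8.0.0/24, LAN 192.168.1.0/24 and DuckDNS name "myexample" are assumptions.

# Server side (the Pi). Only ListenPort is reachable from the internet, and
# it answers nothing unless the peer's handshake authenticates.
# $1 = output file, $2 = server private key, $3 = peer public key,
# $4 = UDP listen port, $5 = server tunnel address (CIDR), $6 = peer tunnel IP
write_wg_server_conf() {
    ( umask 077   # the file holds a private key; create it 0600
      cat > "$1" <<EOF
[Interface]
Address = $5
ListenPort = $4
PrivateKey = $2

[Peer]
# The TV/phone. Only its own tunnel IP is routed back to it.
PublicKey = $3
AllowedIPs = $6/32
EOF
    )
}

# Peer side (the TV or the box in front of it). Endpoint uses the DDNS
# hostname so the home IP can change; AllowedIPs is a split tunnel that
# sends only the tunnel subnet and the home LAN through WireGuard.
# $1 = output file, $2 = peer private key, $3 = server public key,
# $4 = DDNS hostname, $5 = server UDP port, $6 = peer tunnel IP, $7 = home LAN CIDR
write_wg_peer_conf() {
    ( umask 077
      cat > "$1" <<EOF
[Interface]
Address = $6/24
PrivateKey = $2

[Peer]
PublicKey = $3
Endpoint = $4:$5
AllowedIPs = 10.8.0.0/24, $7
# Keep the NAT mapping alive so the server can reach the peer behind NAT.
PersistentKeepalive = 25
EOF
    )
}

# DuckDNS update URL (documented format: domains, token, optional ip; an
# empty ip means "use the requester's address"). $1 = subdomain, $2 = token
duckdns_update_url() {
    printf 'https://www.duckdns.org/update?domains=%s&token=%s&ip=' "$1" "$2"
}

# Manual steps on the Pi (comments, so sourcing this file does nothing):
#   umask 077; wg genkey | tee server.key | wg pubkey > server.pub
#   wg genkey | tee tv.key | wg pubkey > tv.pub
#   write_wg_server_conf /etc/wireguard/wg0.conf "$(cat server.key)" "$(cat tv.pub)" \
#       51820 10.8.0.1/24 10.8.0.2
#   write_wg_peer_conf tv.conf "$(cat tv.key)" "$(cat server.pub)" \
#       myexample.duckdns.org 51820 10.8.0.2 192.168.1.0/24
#   sudo ufw allow 51820/udp          # the single exposed port
#   sudo systemctl enable --now wg-quick@wg0
#   # cron, every 5 minutes, so the DDNS name follows the home IP:
#   # */5 * * * * curl -fsS "$(duckdns_update_url myexample YOUR_TOKEN)" >/dev/null
#   # then forward UDP 51820 on the home router to the Pi and import tv.conf on the TV side.
```

`wg show wg0` on the Pi lists the peer with a `latest handshake` line once the TV has connected; if that line never appears, the UDP port forward on the home router or the DDNS record is the usual culprit, not the config itself.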