What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
You must log in or register to comment.
Wireguard VPN to my fritzbox lets me access my jellyfin.
I think my approach is probably the most insane one, reading this thread…
So the only thing I expose to the public internet is a homemade reverse proxy application which supports both form based and basic authentication. The only thing anonymous users have access to is the form login page. I’m on top of security updates with its dependencies and thus far I haven’t had any issues, ever. It runs in a docker container, on a VM, on Proxmox. My Jellyfin instance is in k8s.
My mum wanted to watch some stuff on my Jellyfin instance on her Chromecast With Google TV, plugged into her ancient Dumb TV. There is a Jellyfin Android TV app. I couldn’t think of a nice way to run a VPN on Android TV or on any of her (non-existent) network infra.
So instead I forked the Jellyfin Android TV app codebase. I found all the places where the API calls are made to the backend (there are multiple). I slapped in basic auth credentials. Recompiled the app. Deployed it to her Chromecast via developer mode.
Solid af so far. I haven’t updated Jellyfin since then (6 months), but when I need to, I’ll update the fork and redeploy it on her Chromecast.
I access it through a reverse proxy (nginx). I guess the only weak point is if someone finds out the domain for it and starts spamming the login screen. But I’ve restricted access to the domain for most of the world anyway. Wireguard would probably be more secure but its not always possible if like on vacation and want to use it on the TV there…
I use a wire guard tunnel into my Fritz box and from there I just log in because I’m in my local network.
VPN or Tailscale
Full guide to setting up Jellyfin with Reverse Proxy using Caddy and DuckDNS
I followed this video and modified some things like ports
I host it publicly accessible behind a proper firewall and reverse proxy setup.
If you are only ever using Jellyfin from your own, wireguard configured phone, then that’s great; but there’s nothing wrong with hosting Jellyfin publicly.
I think one of these days I need to make a “myth-busting” post about this topic.
Please do so, it’ll be very useful
If it’s just so you personally can access it away from home, use tailscale. Less risky than running a publicly exposed server.
Jellyfin isn’t secure and is full of holes.
That said, here’s how to host it anyway.
- Wireguard tunnel, be it tailscale, netbird, innernet, whatever
- A vps with a proxy on it, I like Caddy
- A PC at home with Jellyfin running on a port, sure, 8096
If you aren’t using Tailscale, make your VPS your main hub for whatever you choose, pihole, wg-easy, etc. Connect the proxy to Jellyfin through your chosen tunnel, with ssl, Caddy makes it easy.
Since Jellyfin isn’t exactly secure, secure it. Give it its own user and make sure your media isn’t writable by the user. Inconvenient for deleting movies in the app, but better for security.
more…
Use fail2ban to stop intruders after failed login attempts, you can force fail2ban to listen in on jellyfin’s host for failures and block ips automatically.
More!
Use Anubis and yes, I can confirm Anubis doesn’t intrude Jellyfin connectivity and just works, connect it to fail2ban and you can cook your own ddos protection.
MORE!
SELinux. Lock Jellyfin down. Lock the system down. It’s work but it’s worth it.
I SAID MORE!
There’s a GeoIP blocking plugin for Caddy that you can use to limit Jellyfin’s access to your city, state, hemisphere, etc. You can also look into whitelisting in Caddy if everyone’s IP is static. If not, ddns-server and a script to update Caddy every round? It can get deep.
Again, don’t do any of this and just use Jellyfin over wireguard like everyone else does(they don’t).
i would also love more details about accomplishing some of that stuff
Wow, a “for dummies” guide for doing all this would be great 😊 know of any?
If you aren’t already familiarized with the Docker Engine - you can use Play With Docker to fiddle around, spin up a container or two using the
docker runcommand, once you get comfortable with the command structure you can move into Docker Compose which makes handling multiple containers easy using.ymlfiles.Once you’re comfortable with compose I suggest working into Reverse Proxying with something like SWAG or Traefik which let you put an domain behind the IP, ssl certificates and offer plugins that give you more control on how requests are handled.
There really is no “guide for dummies” here, you’ve got to rely on the documentation provided by these services.
Or you could use Plex and jump through zero of these hoops
I think paying for remote access counts as a hoop.
As in “that’s a pain in my hoop”
Is putting it behind an Oauth2 proxy and running the server in a rootless container enough?
OpenVPN into my own LAN. Stream from there to my device.
Tailscale + Caddy (automatic certificates FTW).
Synology worked for me. They have built in reverse proxy. As well as good documentation to install it on their machine. Just gotta configure your wifi router to port forward your device and bam you’re ready to rock and roll
Didn’t they patch their things now that your stuck in their bubble/environment now or something like that ?
good article! thanks for that
