What’s your go-to (secure) method for casting over the internet with a Jellyfin server?
I’m wondering what to use and I’m pretty much a beginner at this.
I’m using jf on unraid. I’m allowing remote https only access with Nginx Proxy Manager in a docker container.
For my travel devices, I use Tailscale to talk to the server. For raw internet, I use their funnel feature to expose the service over HTTPS. Then just have fail2ban watching the port to make sure no shenanigans or have the entire service offlined until I can check it.
I have had Jellyfin directly open to the Internet with a reverse proxy for years. No problems.
If your reverse proxy only acknowledges jellyfin exists if the hostname is correct, you won’t get discovered by an IP scanner.
Mine’s on jellyfin.[domain].com and you get a completely different page if you hit it by IP address.
If it does get found, there’s also a fail2ban to rate-limit someone brute-forcing a login.
I’ve always exposed my home IP to the internet. Haven’t had an issue in the last 15 years. I’m running about 10 public-facing services including NTP and SMTP.
Please see: https://github.com/jellyfin/jellyfin/issues/5415
Someone doesn’t necessarily have to brute-force a login if they know about pre-existing vulnerabilities that may be exploited in unexpected ways.
OpenVPN into my own LAN. Stream from there to my device.
With WireGuard I set up an easy VPN, then VPN to the home network and use Jellyfin.
If I can’t use the VPN, I have Jellyfin behind a Caddy server with automatic HTTPS and some security settings.
Cheap VPS with Pangolin for WireGuard and reverse proxying through the tunnel.
I use a VPS and a WireGuard tunnel.
I’m currently using CF Tunnels and I’m thinking about this (I have pretty good offers for VPS as low as $4 a month)
Can you comment on bandwidth expectations? My concern is that I also tunnel Nextcloud and my offsite backups and I may exceed the VPS bandwidth restrictions.
BTW I’m testing Pangolin which looks AWESOME so far.
I am using the free Oracle VPS offer until they block me; so far I have no issue. Alternatively I wanted to check out IONOS, since you don’t have a bandwidth limit there.
WOW! That’s one hell of a deal. You’ve convinced me XD I’m installing Pangolin right now. The hell with Cloudflare and their evil ways.
I use mTLS by adding a reverse proxy between Jellyfin and the Inet. This makes it hard to use the app, but works perfectly with a browser. If you still want to use the app, there is a solution by using stunnel (Termux) between the app and the Inet or, better, a WireGuard VPN.
I keep jellyfin up to date in a container and forward tcp/8920 on my router to the container. Easy and plenty secure. People in this thread are wildly overthinking it.
Synology with Emby (do not use the connect service they offer) running behind my Fortinet firewall. DDNS with my own domain name and SSL cert. Open 1 custom port (not 443) for it, and that’s it. Geoblock every country but my own, which basically eliminated all random traffic that was hitting it. I’ve been running it this way for 5 years now and have no issues to report.
How are you geoblocking?
Sadly, it may not be an option for a lot of people, but on the fortinet firewall you can make policies and set up geoblocking.
Headscale server on cheap vps with tailscale clients.
Synology worked for me. They have built in reverse proxy. As well as good documentation to install it on their machine. Just gotta configure your wifi router to port forward your device and bam you’re ready to rock and roll
Didn’t they patch their things now so that you’re stuck in their bubble/environment or something like that?
Not sure what you mean. Plex has a bubble you can get stuck in. Jellyfin is free and open source.
Talking about Synology, if I’m not mistaken you’ll have to buy everything from their store now: Synology hard drives and such.
O yea I bought a synology before all of that crap. I still have wd drives in there. I don’t plan on any updates to ensure I don’t have to deal with that
OpenVPN into my router
I access it through a reverse proxy (nginx). I guess the only weak point is if someone finds out the domain for it and starts spamming the login screen. But I’ve restricted access to the domain for most of the world anyway. WireGuard would probably be more secure but it’s not always possible if, like, you’re on vacation and want to use it on the TV there…
This is the biggest weakness of Jellyfin. Native OIDC support would really be a no-brainer at this point.
It’s very easy to deploy fail2ban for Jellyfin: https://jellyfin.org/docs/general/post-install/networking/advanced/fail2ban/
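fail2ban comes up several times in this thread. The following is an added example, not part of any comment here and not Jellyfin's or fail2ban's own code: it reproduces the `maxretry`/`findtime` counting that fail2ban applies to failed logins and shows why the reverse proxy's own address belongs in `ignoreip`. The log-line format, the sample addresses and the names `find_offenders` and `_denied` are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed shape of a Jellyfin failed-login log line; check it against your own log.
FAILED_AUTH = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ [+-]\d{2}:\d{2}\] \[\w+\] '
    r'.*Authentication request for .* has been denied \(IP: "(?P<ip>[0-9A-Fa-f:.]+)"\)'
)

def find_offenders(lines, maxretry=3, findtime=timedelta(minutes=10), ignoreip=()):
    """Return {ip: timestamp of the failure that reached maxretry within findtime}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = {}
    for line in lines:
        m = FAILED_AUTH.match(line)
        if not m or m["ip"] in ignoreip or m["ip"] in banned:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > findtime:   # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned[m["ip"]] = ts
    return banned

def _denied(ts, user, ip):
    return f'[{ts}.000 +00:00] [INF] Authentication request for "{user}" has been denied (IP: "{ip}").'

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    _denied("2025-01-10 20:00:01", "admin", "203.0.113.7"),
    _denied("2025-01-10 20:00:40", "admin", "203.0.113.7"),
    '[2025-01-10 20:01:00.000 +00:00] [INF] Playback started',  # unrelated line, ignored
    _denied("2025-01-10 20:01:15", "root", "203.0.113.7"),      # third failure in 74 s
    _denied("2025-01-10 20:05:00", "kid", "198.51.100.4"),      # slow typos, 15 min apart
    _denied("2025-01-10 20:20:00", "kid", "198.51.100.4"),
    _denied("2025-01-10 20:35:00", "kid", "198.51.100.4"),
    # If Jellyfin is not told about the reverse proxy, every client shows up as the proxy:
    _denied("2025-01-10 21:00:00", "a", "172.18.0.2"),
    _denied("2025-01-10 21:00:05", "b", "172.18.0.2"),
    _denied("2025-01-10 21:00:10", "c", "172.18.0.2"),
]

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG, ignoreip={"172.18.0.2"}).items():
        print(f"ban {ip} (threshold crossed at {when})")
```

Without the `ignoreip` entry, the three failures logged under the proxy's address would ban the proxy itself and cut off every remote user at once.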
Indeed a good recommendation. I’ve not set it up yet but I’m probably going to do so in the near future.
It is possible if you get something like an nvidia shield tho. But of course not everyone has it or the money for it