Spyke

Syndicated from the fediverse. Read and engage on the original instance.

View original on anarchist.nexus
selfhosted·SelfhostedbyVegan_Joe

Is they're an easy way to make my Jellyfin accessible outside of my home network for free?

I have docker installed, but only have a vague idea of how it works.

Back in the day, I would just port forward, but even then, I would need a static IP somehow.

I have heard a reverse proxy is an option, but that is an entirely new topic to me.

Surely there is an easy way to access Jellyfin outside of my home network that I'm just missing.

*Edit: I am blown away by all the help and support! I currently have tailscale running, and I'm in the process of purchasing a domain.

Thanks everyone!

View original on anarchist.nexus
235

167 replies

programming.dev

Tailscale. It's free. Insanely easy to set up.

Just install on your devices and connect via the given tailscale ip for the jellyfin server.

111
sakphulreply
discuss.tchncs.de

I would also propose going with Tailscale instead If a VPN + DynDNS solution. Imho it is a lot easier to Setup compared to VPN + DynDNS If you are a beginner and just starting out.

If at some point you need more and then is available in the free Tier of Tailscale and you do not want to pay for it (and you have built up some knowledge!) you can switch to something like Headscale or Netbird.

33

I forgot to mention that one because I kinda thought it belongs with radmin and hamachi, but it's my choice as well currently.

I am using it with my own Headscale though, so add a domain to that as well.

And I finally need to switch my vaultwarden to work over tailscale & LAN finally, it's a huge security risk to expose that one.

6

Currently I'm using tailscale. I like it but often switching IP address if I'm at home and I can't use my normal vpn on it. Plus, I'm excited to learn about DNS and cloud flare. Its just very overwhelming haha

2
ragebuttreply
lemmy.dbzer0.com

Or head scale if you don’t want something you don’t control that requires an account with google/apple/microsoft

18

Headscale is great but requires port forwarding which, aside from having its own iasues, is something op wants to avoid.

3
Lka1988reply
lemmy.dbzer0.com

Tailscale. It’s free.

Something about Tailscale rubs me the wrong way. That "free" aspect, specifically. No company ever runs a free service without some sort of compromise somewhere.

2

That's the whole point of a domain. Your IP changes every now and again you need people to know where to reach you. You give them a domain, and you configure the name records so that the domain always points to the right IP address.

Your options:

  • dynamic IP - you keep your setup as is and just periodically tell them the new IP you're on. Annoying and exposed
  • static IP - you buy a static IP (from your ISP) and share it with your friends once. A little bit less annoying and still exposed
  • you use a VPN like hamachi or radmin - your friends install the software, they look for you IP in there, you're done - very secure but also very annoying
  • you buy a domain - you have to configure an IP updater like ddclient or similar, then you jellyfin should be reachable - least annoying for your friends but also slightly less secure

Domain is the cleanest option.

I am telling you how annoying it is because that's how likely your friends are to adopt it and how secure it is because depending on your country you are doing something illegal and you really don't want anyone to find out and you gotta keep it updated more often if you don't want people to exploit it. There's an endless supply of very smart people out there who use known bugs to target public services.

Edit: I forgot DDNS, see below comments.

43
sh.itjust.works

You left out DDNS. It's free, easy to set up with lots of detailed guides online, and works as well as a static IP.

28
Vegan_Joereply
anarchist.nexus

I appreciate your response!

It looks like a VPN is the option I'm leaning towards, but I'll definitely put the idea of buying a domain in my back pocket for a while.

4
Saapasreply
piefed.zip

Some .xyz domains cost less than 1$. Mine is 0,85$/year

6
Saapasreply
piefed.zip

Nah same domain, 0,85$/year. It's 8 numbers + .xyz

5
Saapasreply
piefed.zip

You get to pick your numbers

On June 1, 2017, .XYZ launched the 1.111B class .xyz domains, cheap domains priced at US$0.99 per year and renewed at the same price. The class of domains consists of six-, seven-, eight-, and nine-digit numeric combinations between 000000.xyz and 999999999.xyz. Daniel Negari, CEO of .XYZ, stated that it was meant to bring competition, choice, and innovation to the market

6
thelemmy.club

Thank you. I've bought a domain. I'd like to go with this option. Just researching how to do it on cloud flare

3
lemmy.dbzer0.com

On Cloudflare, you’ll want to set a DNS record to point any relevant subdomains to your current WAN IP address. IPv4 will be an A Name record. IPv6 would be an AAAA Name record, but I’m not going to deal with IPv6 for this… Here is an example of mine, with info blocked out:


So for instance, maybe you have a peepee.example.com subdomain, a poopoo.example.com subdomain, etc which all point to your WAN IP address. That will basically tell Cloudflare’s DNS to forward any traffic for those subdomains to your WAN IP. Each subdomain can also choose whether or not to proxy the content, or just directly send it to your WAN with DNS. Basically, when Cloudflare propagates the DNS records to the various DNS servers, you can choose whether that record has your WAN IP (DNS Only) or one of Cloudflare’s (Proxied). Proxy support means you can take advantage of some additional CF protections, but it also means passing all of the data through CF’s server. In most cases, you’ll want DNS Only. Proxy support will depend on the individual service. Some will work fine with it, some won’t. And it’s also possible that you don’t want services proxied through CF for privacy reasons.

Next, you’ll want to set up a reverse proxy service. This will be something like Nginx Proxy Manager, Caddy, etc that you run on a device on your LAN. It can even be on the same machine running your various services. The big reverse proxies all offer Docker images, so you can incorporate it directly into an existing Docker stack if you already have one. Personally I use NPM, but Caddy is also very popular.

You’ll tell this reverse proxy “when you receive valid traffic addressed to {subdomain}, forward it to {relevant service on your LAN}.” You can also set some additional options for each subdomain, like automatically upgrading to https. For instance, maybe peepee.example.com forwards to 192.168.1.100:42069 on your LAN, and is configured to automatically upgrade any http traffic to https, and to require https.

You can also set up automatic TLS certificate renewal, so https traffic can be properly encrypted. The reverse proxy will need an API key, and it will allow the service to automatically check expiration dates and pull a fresh TLS cert for your domain if the date is coming up soon.

You’ll probably want to use a wildcard certificate, (basically *.example.com) because the TLS certificates are open to the public. So if you do individual certs for all of your various services, bots will scrape the public records and you’ll inevitably get a lot of bot traffic probing your various subdomains. A wildcard domain usually means the bots hit the standard example.com and www.example.com first, which makes them super easy to detect and block. I even have rules set up to automatically block anything that tries to access my www subdomain, because I specifically don’t host a landing page and don’t have anything available there. So I know that any traffic hitting that www subdomain is a bot trying to access common subdomains.

Next, you’ll want to forward ports 80 and 443 to your reverse proxy. Port 80 is the standard port for http traffic, and 443 is the standard port for https traffic. These will be the ports that your reverse proxy actually receives the traffic on, before forwarding it to the various services. Note that lots of lazy devs default to using 80 and 443 for lots of things, so you may want to configure your router to use a different port (like 81 or 444) for its config page if you’re able. Otherwise, you may end up accidentally locking yourself out of your router’s config page, because it will attempt to use 80 to reach the page, then get automatically forwarded to the reverse proxy instead.

Finally, for some ease-of-maintenance, you may want to consider adding a DDNS service (like Cloudflare-DDNS) to your docker stack. This will occasionally check your current WAN IP, and update it with Cloudflare if necessary. For example, if you have an outage and your router gets a new WAN IP when it boots back up again. Normally you would need to manually go to Cloudflare and update the IP info to point at your new address. But DDNS does that automatically.

The way traffic flows when it is all set up is along these lines:

  1. A device wants to access your service at peepee.example.com. It doesn’t know where to find that site, so it asks a DNS server.
  2. Cloudflare has told all of the various DNS servers “hey, peepee.example.com can be found at {your IPv4 WAN address}”.
  3. The device follows that DNS record, and attempts to connect to your IPv4 WAN address, on port 80 or 443. For this example, let’s say it tries to connect on port 80 for standard http traffic. The device knocks on port 80’s door and says “hey, I’m here to access http://peepee.example.com/.”
  4. Your reverse proxy checks the configured list, finds the valid peepee.example.com subdomain, finds it has a valid TLS cert, finds it is configured to automatically upgrade to https, and responds “Yes, please upgrade to https. Http traffic is not allowed.”
  5. The external device knocks again, this time on port 443’s door. It goes “hey, I’m here to access https://peepee.example.com/. Your reverse proxy goes “thank you, here is the TLS cert and my half of the TLS security handshake.”
  6. Your external device uses the data in the TLS cert to validate and complete the TLS handshake with the reverse proxy, and the traffic between the reverse proxy and your external device is now encrypted with https. Your device gets the nice little “secured” padlock icon in your browser. Because the traffic is encrypted, a malicious actor may be able to tell what kind of info you are passing (for example, a video stream will likely have a pretty obvious pattern) but they won’t be able to see what specific data you are passing. They may be able to tell that you’re streaming a video, but they won’t know which video specifically.
  7. The reverse proxy forwards the traffic to the service, configured at 192.168.1.100:42069.
  8. Your service does not ever know the device is being accessed via WAN, because (as far as the service can tell) the traffic is coming from your reverse proxy (also a LAN device). So any “pay to use WAN” services will continue to work for free.
  9. The external device never gets access to info like the specific LAN IP or port number, because it only has access to the reverse proxy. All of the traffic is passing back and forth between the reverse proxy.

But notably, keep in mind that the reverse proxy didn’t do any actual user authentication. If your service has a weak password, a reverse proxy will act as a gateway for any potential hackers to gain access to the service. The same way an open port is a gateway directly to the service, the reverse proxy is now a gateway that simply requires an attacker to use a subdomain instead of an IP and port number. And if you make your subdomain something like jellyfin.example.com it will probably be dead simple for a bot to guess. And any vulnerabilities in the service will still be exploitable via the reverse proxy, because the reverse proxy is simply making sure the request is valid, and then passing the traffic back and forth. It isn’t actually inspecting the content of that traffic, so it’s not going to stop things like attackers. When you hear digital security folks talk about things like attack vectors, this is what they’re referring to. Your reverse proxy is a potential vector of attack for your configured services. Use strong passwords, keep your services updated, etc…

You can technically add authentication to a reverse proxy. So for instance, maybe a service doesn’t have any built-in way to add a password. You can have the reverse proxy act as an authentication gate, so it will prompt the user for a username+password before they can even reach the service. This will make the services more secure (yes, even the ones that already have passwords, as long as you use a different password for your reverse proxy authentication) but it will break most apps that are designed to work with a service. For instance, Jellyfin has several apps that work, but those apps won’t have any way to get past the reverse proxy’s password gate. So those apps will simply break if you add a second layer of authentication with your reverse proxy.

There are also some security options you’ll likely want to enable on Cloudflare’s side, but this comment is already long enough.

3
thelemmy.club

Thank you so much for such a detailed reply. I'm going to print this off and go through it point by point.

I didn't realize how overwhelming this would be, the amount of information is incredible.

I was trying to use the cloud flare ai assistant to set up WARP access to my phone but then I realized its basically another VPN which defeats the whole point on me using the domain because I wanted to be able to use my traditional VPN to stay protected.

I also wanted to be able to log into my server android apps like immich and Joplin but can't do that with authentication as its not a webpage.

I'll print this off and anything I don't understand (most of it at this stage haha) I'll spend some time studying it.

I got a good laugh at peepee poopoo

Thanks again

2

I actually just updated it slightly, and may continue to do so if I think of things. So you may simply want to check back here instead of printing it.

1
irmadladreply
lemmy.world

I didn’t realize how overwhelming this would be, the amount of information is incredible.

Speaking from experience, it was quite overwhelming to me at first as well. It took me a handful of tries to wrap my head around Cloudflare Tunnels/Zero Trust. I persisted tho, and succeeded. It doesn't help much that Cloudflare keeps rearranging their site, making it difficult to find necessary information. I will say, that when I migrated to a new server recently, it was a snap and everything clicked in place. There was no need to set up anything on their side. As I remember, it was a matter of a one liner code sequence they provided, to install the necessary components on my server. Jack's a doughnut, Bob's your uncle.

1
uthrediireply
programming.dev

It has functionality to let you set up a reverse proxy (in beta). But you can access all your services by using the zero trust vpn

7

Nice! Maybe I'll try the beta. Been wanting to tinker around with my set up recently

3

Tailscale has an option for OIDC. That should be avoiding the tech mafia enough no?

2

Yes, it is easier and safer for someone who doesn't know what they are doing to set up.

9
pineapplereply
lemmy.ml

Cheap domains are basically free though so it doesn't count!

14
x00zreply
lemmy.world

And they keep rising in price or you didn't notice the dark pattern where it was actually the price for the first year.

3
0^2reply
lemmy.dbzer0.com

Which is why you migrate to cloudflare for at cost.

1
lemmy.dbzer0.com

Personally I didn’t want to have to hand out VPN credentials to everyone, so I went with a cloudflare tunnel with Authelia as the method of authentication.

26
irmadladreply
lemmy.world

+1 for Cloudflare Tunnels/Zero Trust. The free tier is more than generous for a homelab

15
KairuBytereply
lemmy.dbzer0.com

Not to mention, the amount of data you can run through it is nuts. I’ve been running Stremio web through it for months without issue to watch content at work.

9
irmadladreply
lemmy.world

What are your concerns about Cloudflare and getting 'banned'? There used to be a clause in the TOS that prohibited streaming video. However, as one user here has pointed out, that has been since superseded. Now, I'm not going to tell you that you can share your JF with 20 other users and not raise an eyebrow with Cloudflare. I don't have a clue what they would do in that case. As far as streaming, I run Navidrome around the house from the time I get up in the morning, until I go to bed at night, and have had no issues. There also isn't a bandwidth cap that I can find anywhere in Cloudflare's documentation.

5
irmadladreply
lemmy.world

Like I said, if you've hooked up 20 of your best buds to your JF, then yeah they'd probably have an issue with that. Personal use, I doubt they'd care really.

1

Still only tolerated.
Walking a fime line on getting your account closed/domain banned or at the very least receiving a warning.

Wishing you best of luck not getting banned.

2

I haven’t had any issues with friends streaming 4k! I probably should add a data cap in the Jellyfin settings, though

2

Yup. OP was asking about bandwidth caps, I haven't experienced any, nor can I find any documentation to support bandwidth caps. I stream Navidrome around the house from the time I get up to the time I go to bed and it has worked flawlessly.

3
sh.itjust.works

Can I ask, how much of a limit does the free tier have on bandwidth if you're doing something like hosting Jellyfin?

5
KairuBytereply
lemmy.dbzer0.com

My understanding is that there is no hard limit. At some point they will decide “this is business level traffic” at which point they will start harassing you to purchase a business plan.

That cutover point is unknown. I’ve never even seen an estimation of when it happens, so it could very well be the type of traffic instead of the amount.

They also only allow HTTP traffic for the free tier, which is another way they push you towards business tiers.

6
lemmy.zip

They also only allow HTTP traffic for the free tier, which is another way they push you towards business tiers.

I don't think that's true. I'm pretty certain all of my domains are HTTPS only, but maybe that's because I own the domain? Does cloudflare offer free domain names for tunneled traffic?

2
KairuBytereply
lemmy.dbzer0.com

HTTPS traffic is still HTTP traffic. There’s just an encryption layer in there.

And yes cloudflare absolutely supports https.

3

Okay. Carry on. I was thinking that you meant the free tier didn't support HTTPS encrypted traffic. I didnt want someone to rule out that option based on a false assumption. Sorry for the confusion.

3

On my mobile, but to give you an idea, I stream Navidrome probably 12-15 hours a day. I really don't think they have a bandwidth limit per se, but when I get back to my desktop where I can actually see, lol, I can do some digging for you.

4
happydoorsreply
lemmy.world

While I have similar users here. I noticed that anything I watched on Jellyfin and was connected to cloudflare would give me recommended YouTube shorts on the movies/shows or similar ones I was watching. It is a great free service and I got my domain hooked up through them for $12/year but I feel like it is the leak for my data. I didn’t mind it for a long time because getting shorts served to me that were movie clips was fine with me.

Anyone notice similar behaviors? My paranoia has me wanting to go a different route or lock things down more.

2
irmadladreply
lemmy.world

Well, I don't run the *arr stack or JF, so I cannot comment to your issue.

1
happydoorsreply
lemmy.world

Notice custom ads based on the content you ARE piping through zero trust? Just curious. I realize many users here are probably very avoidant of ads or algorithmic shifts in the first place so it may be unnoticeable

2
irmadladreply
lemmy.world

I'll have to say it has been decades since I've seen an ad show up on my screen. However, as I said, I do not run the *arr stack or JF, so my experience might not be applicable to everyone.

So, you stream a video using JF or other and you are getting ads show up? Like pre-roll ads, or other? That just sounds weird to me. Could you provide a screen capture of said intrusions?

1
happydoorsreply
lemmy.world

It is content recommended on YouTube, essentially. Not the usual long form content but the shorts feed in particular draws specifically from my Jellyfin downloads and views. Not ads, necessarily, but video clips of movies or similar genres in my algorithmic feeds based on apps using zero trust. It is typically a pattern of download a movie(behind mullvad) or watch Jellyfin and then notice similar movie clips by the next morning. I’m not really interested in going over the details on this thread because it’s not the main topic and there are many other ways this type of behavior happens. For instance, I have Jellyfin installed on a google chromecast and that could be enough or the actual leak. I have a pi-hole running and don’t see many traditional ads but YT shorts was an area where I could physically see how my location, travels, and activity on the web in other places changed the clips they served me in realtime. Pretty cool and scary stuff! I’ve been slowly pruning back corporate spyware. Good luck out there.

2

Ok cool. I was just curious. I think you're the first I've heard with this situation so it piqued my interest.

1

@Vegan_Joe — if you’re still stuck, try this: install Tailscale → join your tailnet → expose Jellyfin container port 8096 as 443. That’s it. No nginx, no static IP hunting. I wrote a 3-command cheatsheet here https://cxgo.ai/l/5bwrT9m that I wish existed when I started fumbling with docker-compose overrides. Works on a $20 raspberry pi and a 2014 Mac mini, so your hardware shouldn’t matter.

17
Pikareply
sh.itjust.works

it's actually the recommended way if you use jellyfin, theres a few security/privacy vulnerabilities with publicly exposing the jellyfin server anyway, they are being worked on but, the safest way to do it is just use a vpn regardless.

8

Plus it enables you to access everything. If you have radarr or sonarr or whatever, you can get to those and add media while out and about.

Personally I use Mealie and pull up ingredient lists while I'm im at the grocery store.

2

Just be aware that if you want anyone else to connect to your Jellyfin, you'll still have to route it through a domain and reverse proxy, unless you're comfortable letting them log in to your tailnet.

It's a bit of a fiddle to set up, but once it's done it's quite satisfying.

5

It’s my go to method super easy to set up and use on both the device hosting your JellyFinn server and whatever your steaming on

3
lemmy.zip

Yes, a VPN. And dynamic DNS if you don't have a static IP address.

9
Vegan_Joereply
anarchist.nexus

To be clear, your suggesting I set up my home computer as a virtual private Network server that I would connect to from the TV or device outside of my home network?

2
frongtreply
lemmy.zip

Yes, it works great for me. Probably not for a TV though, for that you'd probably need some travel router VPN client. But I don't know how often you'd be at a random TV and need to get to jellyfin.

9

Yeh, exactly.
And the "dynamic DNS" part handles your public IP address changing with 0 pain.
You either buy a domain (like example.com), or there are free domain name providers that give you a subdomain (like mycooldomain.example.com) of one of their domains.
You then run an additional service on your home server that checks what the current public IP address is. If it changes, it notifies the DNS responsible for your domain/subdomain, which then points to your new public IP.
To connect to your VPN, you only ever care about "mycooldomain.example.com" and never the underlying IP address.

...
As long as your ISP isn't running CG-NAT of course 😵‍💫

5

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer LettersMore Letters
CA(SSL) Certificate Authority
CGNATCarrier-Grade NAT
DHCPDynamic Host Configuration Protocol, automates assignment of IPs when connecting to a network
DNSDomain Name Service/System
ISPInternet Service Provider
NATNetwork Address Translation
PlexBrand of media server package
SSOSingle Sign-On
TLSTransport Layer Security, supersedes SSL
UDPUser Datagram Protocol, for real-time communications
VPNVirtual Private Network
VPSVirtual Private Server (opposed to shared hosting)
nginxPopular HTTP server

[Thread #41 for this comm, first seen 5th Jul 2026, 18:30] [FAQ] [Full list] [Contact] [Source code]

8

for a beginner with just a few remote clients, tailscale all the way.

though I still like doing it the old way with a custom nginx setup, fail2ban and a domain name, but its more work to make it secure and even then it's still somewhat of a liability.

8

How stable is tail scale in teal life? I constantly have issues with relay servers not being available, spontaneous logouts, etc..

I want to use it, but I also want my wife to use it and she will need a "no matter what, it must work" solution or she won't use it

2

I'm using wireguard with wg-easy. It's a gui that let you easely setup wireguard. My isp is giving a fixed ipv4. So i don't have to think about dns or other complicated things. I have Jellyfin and wg-easy installed on truenas as docker apps.

There are official app for any os you want.

https://www.wireguard.com/install/

8

I ended up using duckdns for a free domain. It sucks that I had to tie it to a google account, and maybe one day this might be an area where I buy a proper domain instead.

I have a glinet Flint3 router that makes it easy to spin up Wireguard servers on it. It was a bit more finnicky, but eventually I was able to get into the advanced settings and configure the router to sync the dynamic IP with DuckDNS too.

So I have Wireguard on my phone and my wife's phone. We have one pair of close friends who have a connection on their router too (and vice-versa) and their own Jellyfin server.

7

As others have said, Tailscale is the most pragmatic solution. It's a mesh VPN based on Wireguard. It's implemented in such a way that you don't need a static IP and don't need to open any ports on your firewall. The caveat is that you either need to register an account on tailscale.com (it's free for small-scale use) or set up a self-hosted alternative like Headscale on a VPS. Then you have to install the Tailscale client on each of the hosts you want to access and log into your account.

Tailscale nodes will be accessible using an internal, private address in the 100.64.0.0/10 address space. You can also set up a split DNS that allows you to access your hosts using a DNS name like hostname.your-tailnet-name.ts.net.

6
lemmy.ca

You don't need a static IP, you just have to keep track of what your current dynamic IP is.

You can do this with either a free or a paid DNS service.

There are a few different 'free dns' services that will delegate a subdomain of theirs to you at no cost. Admittedly, I've never actually used one of these so their names escape me. Hopefully someone else can point one of those out if that's what you really want.


I purchased a domain via google domains, when they existed. It's now transferred to squarespace, because they bought out google domains a few years ago.

It was around $13/year when I first got it a decade ago. It's now around $28/year.

This allows me full control over the domain: I can use as many subdomains as I want to give each service I use it's own unique name. (Instead of using their own separate ports that you've gotta remember) My domain will also forward all inbound email to my gmail account; this lets me use email addresses like <servicename>@mydomain.example. This way, I don't share my real email and can immediately tell who sold my info to the highest bidder when I get spam. (I could also host my own email service if I really wanted, but I haven't bothered)

Add Cloudflare ontop (for free); and it can filter out known attacks, ddos attempts, geofence your services to regions you'll actually be in, provide/autorenew ssl certs for https, show you usage analytics, cache static data reducing server/network load, etc.

Ultimately, the paid option is well worth it IMO. $2/month (which I typically pay in 3-10 year blocks) is hardly anything.

/edit; vpns are good and all, but they require you to setup software on the remote device to connect to it, and that typically routes most if not all your traffic back to the vpn server then out to the internet. That can create speed/bandwidth issues.

A domain allows you to access your services from any Internet connection with 0 configuration on the client side. Just accessing it like any other website.

I also host a vpn directly from my network, that I access/find via my domain. This means I'm not dependent on a public service like tailscale, but can still add additional security to access private only services (stuff I don't expose to the open internet)

6
Vegan_Joereply
anarchist.nexus

As averse as I am to spending money on subscription services, having my own domain for less than 30 bucks a year might be worth it.

I think I'm going to try out the tailscale VPN route first before I fully warm up to buying a domain.

*Edit-You've definitely got me sold on getting a domain! Thank you so much for all the info!

5

Glad I could help. I'm not always immediately available, but I don't mind answering questions if you run into troubles. Just send me a DM and I'll do what I can. :)

3
lemmy.today

You don’t need a static IP, you just have to keep track of what your current dynamic IP is.

You still need a public IP address. More and more often, IPv4 services are provided behind CGNAT, which won't be able to work as you describe.

If you don't have a public IPv4 for your LAN you can use IPv6. Or, you can reverse proxy your services through a gateway with a public IPv4.

I use a a reverse proxy (Pangolin) running on a VPS. A Newt tunnel connects my LAN to to Pangolin, exposing my local services via subdomains.

/edit; vpns are good and all, but they require you to setup software on the remote device to connect to it, and that typically routes most if not all your traffic back to the vpn server then out to the internet. That can create speed/bandwidth issues.

Tailscale, ZeroTier, and other similar services generally establish direct tunnels between devices, without a separate VPN server. They use a central service merely as a sort of common meeting point (STUN/TURN) for the devices to figure out how to establish direct tunnel(s).

2

Fair points.

I've been lucky enough to have never been behind cgnat, so I keep forgetting about it.


My bigger concern with tailscale is being required to install software on the client. Not every device I use, I have permission to install a vpn client, nor would I want to.

For example, I have a fileshare using Filebrowser where I store work related files that I don't want to loose access to or need access to from multiple machines (non proprietary info, stuff IT/MGT wouldnt get mad at me for ofc. I've actually cleared it with my managers, so no worries). That's also a handy way to (temporarily) share large files with people or provide a way for friends to upload large files to me.

I also like to access my emby server (using sufficiently limited accounts), from things like the TV in the work break room, or a friends PC while I'm visiting.

Tailscale is a hurdle that I just don't need/want.

2
lemmy.world

I use pangolin and subdomains on my domain. It works really well, and enables SSO login to all services on the network.

6
lemmy.ca

I can't get it working with the app unless I disable auth in pangolin, but it works beautifully with web

1
chellomerereply
lemmy.world

Yeah, for certain apps you may need to do that. I've had to do that with Nextcloud and Linkwarden. But Immich will happily work with a shareable link.

1

I actually commented a solution on a pangolin ticket, and they were like "good idea!" And implemented it, but then made it an enterprise only feature 😭

1

I second this, if it’s only you that needs access then Tailscale will be all that you need. You can use Tailscale funnel if you want it to be available to the wider web, but then you have to manage SSL certificates and it is slightly less secure.

I would caution against port forwarding and leaving your server open to the wider web.

8
lemmy.world

An easy way? I guess the term 'easy' depends on your expertise with networking, firewalls, etc. Sounds like you and I are at about the same level there. In which case the answer is: no, there's no easy way from what I can tell. I've looked into it and it's a lot more involved than, say, Plex (because Plex does a bunch of the routing and stuff for you, but at a cost).

6
tylerreply
programming.dev

Tailscale is incredibly easy. Install, start, sign in on both devices. Boom. Jellyfin from anywhere

5

That is the answer my intuition was leading me to, but I hoped I was wrong. It looks like this is an opportunity to learn something outside of my comfort zone.

3

Personally I purchased a domain, and use Caddy for a reverse proxy. My ISP gives me a static IP for free, but I don't think that makes a difference in this situation. Tailscale would be safer but requires more setup from friends. My friends seem to like how simple the setup is, and I also use requestrr so they can add movies/shows via a discord command.

5

What you want is Tailscale. The downside of Tailscale is that you have to connect to a VPN to access your services, the advantage - it is so easy to set up on the server it feels like magic.

4

If the goal is doing this in a simple fashion, then use Tailscale funnels (https://tailscale.com/docs/features/tailscale-funnel). Funnels automate the process and act as a reverse proxy into specific servers within your tailnet.

The downside is there is no authentication to funnels, so whatever you're running (Jellyfin in this case so that's not an issue) needs it's own authentication setup. You might consider running fail2ban on that machine and have it watch for login attempts, but otherwise that is the simplest setup I think you could do.

4

I forward my port to my bastion host, and reverse tunnel to it when I want to access my stuff.

My router allows you to set a device in the DMZ zone which will let you use your routers IP as its address.

4

There are things like duckdns if you cannot get a static IP, but there are also things like wireguard.

4

Look into nginx proxy manager. Pretty easy to setup and deploy.

3

I have setup NetBird with Authentik. Netbird is on a VPS and authentik on my home server.

NetBird allows to expose a service through a subdomain. Or you can use the netbird client as a VPN and allow peer to peer connection.

3

This is how I started.
I have a dynamic IP and a router provided by my ISP. IP assignations, DHCP, are managed by the router. I went with DuckDNS for a free DNS service. Select a name and you get a myname.duckdns.org that you need to assign to your dynamic IP. duckdns has instructions to create a cronjob to update your dynamic IP on duckdns.org. (Routers come in all shapes and configs, chances are that this won't work for most people) On the router, I assigned a static IP to the server hosting Jellyfin, in case of a reboot Jellyfin would always have the same IP. On the Ports page I opened up the default port for Jellyfin at that IP. I could then access Jellyfin outside of my local network using myname.duckdns.org:1234
This is not what I have right now, but it helped my get started.

3

I mean not for free, but I did it for cheap. A good domain can cost you $5 a year, and you simply route your jellyfin to a sublevel like watch.mydomain.com

Fun part is you can also route your sonarr like sonarr.mydomain.com

3
Vegan_Joereply
anarchist.nexus

Any suggestions on where to start when looking into buying and setting up a domain?

2

A cheap way to start is noip.com. You can get a domain name for free, you just need to check in every 3 months to say you are still using it. It's big enough that many routers support it.

After 2 years of checking in every 3 months I paid for their next tier of service where you don't have to check in and get multiple domains etc. So their free service marketing worked.

5

I've been with NameCheap for over a decade. They're a relatively quiet company that's been around a while.

They've never done anything to make me want to change providers. Have my email through them as well. Good uptime. Ok-ish prices. Good customer service the one time I've needed it. Web site takes some getting used to, but it's also never changed since I started using them.

3

Only thing they did once was lock me out of my account with endless CAPTCHAs, even with 2FA enabled.

Eventually they fixed it

2

I'd recommend buying a domain through Cloudflare. Once you have one, you can create subdomains and point them to services running on your home server. Cloudflare's dashboard makes the DNS side pretty straightforward.

I mean I cheated and used chatgpt to help figure it out. But it's more or less 3 programs max running on whatever server you're using and using the cloudflare UI to redirect the traffic to the right place

2

Domain and vps pointed to your ip. Or if behind cgnat reverse proxy to vps

3
lemmy.world

You can still just open it to the internet. Just do it on IPv6 instead. You won't find it by scanning IP ranges like they do on IPv4. You'll want to set up DNS for it though. Also get a free TLS cert from LetsEncrypt. It's a bit of work initially.

3

Was going to comment something along the lines of “Inb4 someone posts that obscurity will keep you secure” but here you are. No, you won’t be secure just because it’s on IPv6. And TLS certs are open to the public, (they literally have to be, since any device attempting to access your server needs to be able to validate the cert) so bots will scrape them and instantly have whatever you made it for. So it wouldn’t even keep you obscure.

7
frongtreply
lemmy.zip

Assuming their ISP and everything else supports ipv6. An even so it'll still be visible through scanning, through brute force, or if anyone is reading cert transparency reports anf scanning the domains that show up.

7
feddit.nl

This. Better to hide it on a non standard port of an existing domain

1

Used to have a tool specifically to route my dynamic IP to something static, without buying a domain name, back when I first hosted a website on my own regular home PC as a teen called "No-IP."

Not sure if it's still a thing.

2
programming.dev

Free ones are less common now (no-ip went paid.) Afraiddns is still free but requires regular account logins.

2

Afraid requires regular logins? I haven't logged in, in years and it still works.

1
sh.itjust.works

Device -> VPN Tunnel (ideally WireGuard) -> Home Router / Server.

The only port that needs to be opened is your WireGuard server which typically is :51820.

The issue with this is you have explain VPN’s and WireGuard to people which, in my experience turns people away as they see it as a hassle.

Alternatively buy a domain, setup DDNS so that your home IP is associated with your domain, setup a reverse proxy and open port :443 on your router however, I would suggest a blacklist-first approach and only whitelist the few known IP’s you can trust.

2

People's IP addresses usually change so that might be annoying keeping a whitelist up to date.

A good alternative is something like fail2ban to ban ip addresses that spam your server looking for a way in and potentially geo-restricting access to your country.

3
lemmy.world

Free vps in oracle cloud with Pangolin. Never have to worry about explaining VPNs.

3
ohshit604reply
sh.itjust.works

Free vps in oracle cloud with Pangolin

If I’m not mistaken I tried setting up pangolin to work along side my already running Traefik setup and it was just an absolute nightmare.

I just don’t have the time nor energy to reinvent my already running configuration.

3
lemmy.world

I've set it up next to my NPM and it's more complicated, but so much more capable. Traefik is what it uses to proxy things. You're comparing a full suite of tools with just one piece.

1
ohshit604reply
sh.itjust.works

Traefik is what it uses to proxy things. You're comparing a full suite of tools with just one piece.

I mean, that’s debatable. Taking a look at their docker-compose.yml there are 3 containers they recommend running, with a 4 optional container.

  • image: docker.io/fosrl/pangolin:latest # Pangolin itself
  • image: docker.io/fosrl/gerbil:latest # WireGuard server
  • image: docker.io/traefik:v3.6 # Traefik Reverse Proxy
  • image: hhftechnology/middleware-manager:latest # Optional middleware manager for Traefik

To say this is a “full-suite” is a bit much when majority of the heavy lifting is done by Traefik, the middleware’s you assign to Traefik and WireGuard. Pangolin if I’m reading this correctly;

“Pangolin combines reverse proxy and VPN capabilities into one platform.”

Which is great! However as I mentioned previously, does not integrate well when these services are already setup to work standalone.

I suspect the same reaction from folks when they hear “download pangolin from the App Store, and use xyz credentials to connect.” And “download WireGuard from the App Store, and use xyz file to connect.”

2
lemmy.world

Pangolin uses gerbil with newt for those wireguard tunnels. That's a massive improvement already. It also adds a bunch more features like vpn, you can crowdsec, and more that I don't use. To say it's debatable if it's a suite of tools is just wrong.

0
ohshit604reply
sh.itjust.works

To say it's debatable if it's a suite of tools is just wrong.

How is it wrong to say it is debatable when Traefik and WireGuard have quite literally done majority of the development. Pangolin is just a man in the middle.


Pangolin uses gerbil with newt for those wireguard tunnels. That's a massive improvement already. It also adds a bunch more features like vpn.

According to the Newt ReadMe -

Newt is a fully user space WireGuard tunnel client and TCP/UDP proxy, designed to securely expose private resources controlled by Pangolin. By using Newt, you don't need to manage complex WireGuard tunnels and NATing.

Seems to me that WireGuard is their primary dependency, without WireGuard what use is it?


you can crowdsec

According to Pangolin docs they rely on the Crowdsec middleware offered by Traefik.

By default, Crowdsec is installed with a basic configuration, which includes the Crowdsec Bouncer Traefik plugin

1

Do you not understand what a suite of tools is? It's a curated collection of tools that have been chosen to work together. You're describing the reasons why Pangolin is in fact a full suite. You're right, Pangolin is the bit that orchestrates them and brings them together with an easier way to manage them. That's what a suite of tools does.

1
lemmy.dbzer0.com

I did the last one. Bought a domain for $5 per year from cloudflare and used a cloudflared tunnel to direct traffic to Caddy (reverse proxy). Set up everything as deny-by-default, requiring log in to access things like sonarr, and let things like Jellyfin and Immich bypass the login requirement. Took a bit to get it all figured out, but it worked.

There is also a way to use the cloudflared tunnel for free that gives you a domain as well (sort of anyways).

All of that is run via docker containers, minus the

Documentation on all of this is fragmented and a challenge to figure out. Happy to help anyone who wants to message me about it.

I took this a step further as I use a wireguard tunnel to make use of my router level ad blocking. So I added an entry for my domain to route back to caddy and serve it all locally. This is proving to be a challenge due to the way some browsers handle forced https, but I'm making due.

3
ohshit604reply
sh.itjust.works

and used a cloudflared tunnel to direct traffic to Caddy

There is also a way to use the cloudflared tunnel for free that gives you a domain as well (sort of anyways).

This is DDNS, a popular, free alternative would be ddclient. Essentially updating an A Record so that your dynamic IP is remains associated with your domain.

While cloudflare is also my registrar as well, I don’t use any of the “features” they offer, and opted to use Keycloak for my authentication needs.

3
lemmy.dbzer0.com

I've debated setting up Authelia or something similar because cloudflare is sooo slow to load their login page, but haven't landed on anything yet... Plus I worry I set something up wrong and expose my network

2
ohshit604reply
sh.itjust.works

I can’t be much of a help with Caddy however, for Traefik you can use the OIDC Middleware to forward requests to your authentication service.

Plus I worry I set something up wrong and expose my network

The only port that would need opening is :443, leave port :80 closed so that people cannot connect to your services insecurely. Slap fail2ban or geoblock on it and call it a day. Also, DDNS allowlist for that deny-first approach.

2

The current config routes through the cloudflared tunnel so no ports are open externally at the moment, so that's nice, but yea, I'd have to imagine there's some documentation out there for caddy.

Caddy has been a pain, though, so I might give one of the others a try. Thanks for the tips!

2

I'm currently testing out jellyfin. Have it through my reverse proxy and using the ldap authentication with authentik. Works fine and nice having two-factor authentication.

1
feddit.nl

Consider a Tor Onion Service with client side certs for auth

-2
dogs0nreply
sh.itjust.works

Not 100% sure what you mean, but if you're suggesting making it accessible publicly only through tor, that's a bad idea (not to mention the people running tor don't recommend streaming video through it).

9
feddit.nl

Tor is extremely secure. Onion Services let you auth clients with a certificate. See also how Onion Share works.

Also I don't think Tor etiquette says not to stream video. It says not to torrent.

-1
dogs0nreply
sh.itjust.works

Hm I could be wrong on the streaming videos etiquette, I can't remember nor can I find where I originally heard that from.

Still think it's a bad idea though. As another reason: Won't you have an awfully slow connection to your server (tor is already slow just to access a plain html website)?

6
Helix 🧬reply
feddit.org

Streaming videos puts a huge burden on the TOR network. Please don't do it if you don't need to, setting up a VPN is faster and doesn't slow TOR down.

4
feddit.nl

I was looking for something from torproject.org. an official source.

2

Sadly couldn't find anything. Thing is, if you watch your own media, why use TOR?!

1
Vegan_Joereply
anarchist.nexus

The responses I received were exponentially more helpful than scouring for the information myself (which I had done).

Everyone here had experience and expertise that I did not, and I had a working solution running on my computer within 10 minutes of asking.

Part of the purpose of a community like this is evident in posts like this.

Your response, though funny, is damaging to the community, and unhelpful at best.

I understand where you were coming from, but please don't.

10
Vegan_Joereply
anarchist.nexus

This is how I would have done it in 2001.

It is my understanding that the only reason to go this route in this day and age is if you prefer to survive off the tears of cybersecurity professionals.

12