At the very minimum stick a reverse proxy in front like caddy, nginx, or Traefik. Then have some middleware like crowdsec to inspect what’s going on. Then whitelist the IP or the country IP block.

There is much more but those would be the bare minimum.

I agree with reverse proxy + middleware. I’d also suggest something like Jellyswarm as the front end. That way I can connect to other friends’ servers too.

Meh. If someone hacks my server and watches TV then idc, have at it. They earned it

EDIT: the downvotes are warranted but they change nothing

Reverse proxy with auth in front of the actual jellyfin login. Like pangolin.

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

11 acronyms in this thread; the most compressed thread commented on today has 14 acronyms.

[Thread #311 for this comm, first seen 23rd May 2026, 22:30] [FAQ] [Full list] [Contact] [Source code]

See if there are any apps that will handle the VPN tunneling transparently, then provide the web interface, all in one.

If you can’t find any that work like you want, I would put an authenticating reverse proxy in front of jellyfin. But last time I tried that, it only half worked. I don’t know if that’s changed.

Worst case, a reverse proxy that only exposes the necessary endpoints. Or a WAF that can block known attacks.

In any case, you should have a firewall rule as narrow as possible to only limit access to them. Static IP address if possible, then subnet, then ASN. Whatever is the most restrictive but still works.

Why no VPN?

How much access do you have to their system? I would set up a script on their end to poll ipv4.icanhazip.com and send you their IP. I would then trigger a firewall rule change on your end to that information. This keeps the access to only their IP, with maybe a few minutes between polls where it might be different.

you don’t.

if you’re intent on “spreading your legs” to the world, get a WAF.

edit: don’t get mad about the analogy, it’s apt.

when you open your local network to public access without protection, you’re bound to have a couple “accidents” and “infections”.

protect your local network with at least a proper firewall and segmented network.

a properly configured WAF is better than any reverse proxy you could use.

Does Tailscale count as a VPN for you? It’s how I roll. Well, I run my own headscale server, but the free Tailscale tier is going to be fine for any reasonably sized personal project.

If they could be using web UI (I’m not sure how a client would work with auth like that) then it kind of depends on how much hassle they can live with and how secure you want to be

Simplest would be to use https://doc.traefik.io/traefik/reference/routing-configuration/http/middlewares/basicauth/
You set up username and password and share those with the user. But it can be brute-forced

Something more secure but also a bit more demanding would be some kind of email otp https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_email/
Set up authentik to send time-limited link to their email that well let them through. But they would have to authenticate every time they access

Adding onto the other comments, if you have admin access to your network router/firewall you can configure the incoming port forward itself to only allow specific IP addresses while dropping traffic from any other internet WAN IPs. It’s a bit like using the Jellyfin whitelist/blacklist but doing it at the network level. This drops all unwanted internet traffic to that port at the firewall before ever reaching the Jellyfin software. Downside is having to occasionally update the firewall whenever there are IP address changes.

This is probably only feasible if you only have some specific Jellyfin clients in mind to accept connections from, not any random person from any random WAN IP address.

call me crazy but I just use a couldflare tunnel since my domain is already provided through them. They make it really easy to add sub-domains attached to specific ports on the local machine and automatically adds the proper DNS entries. Additionally they have a ton of domain security/anti-bot measures you can set up.

Reverse proxy with fail2ban or crowdsec. It’s possible to set up things like Pangolin which ultimately use a VPN between external and internal access points but not at the client, though it takes more setup if you want to use apps over pangolin instead of just the browser.

if theyre close, add them to your tailscale, if not and you have a web serve, use a reverse proxy.

for tailscale, you’d probably have to walk them through setting it up but then its one and done

Ask them to use the Jellyfin web, and you expose it to the public via Netbird / Pangolin locked behind SSO

Depends on what you mean by “secure.” My personal setup is Jellyfin LXC on proxmox –> Wireguard to VPS -> Nginx reverse proxy on VPS.

This setup relies somewhat on Jellyfin’s auth, but I’m comfortable with that risk. The LXC is blocked from sending local traffic on my network by firewall rules. Yes, someone could exploit a vulnerability in Jellyfin (though looking through the CVEs I’m not overly worried about that), then escape the LXC and fuck with my server. But that’s a lot of work for no profit.

For more protection (in sense of reducing traffic that even interacts with your server), I’d recommend getting a wildcard cert for the domain so that the actual subdomain jellyfin is on is undisclosed to anyone not using your service.

Security isn’t about making everything impregnable, it’s about making attacks more trouble than they’re worth. Otherwise, we’d all live in fortified bunkers surrounded by landmines. 🙃

I agree with the folks saying reverse proxy of some kind + WAF. That way end users don’t have to deal with the VPN, but your home system is not directly exposed.

I’ve been doing something similar with SSH local port forwarding and a $5/month VPS. Haven’t come anywhere close to my network quotas, and performance has not been an issue for home use with 2-5 concurrent users most of the time. I forward the local caddy ports to unprivileged ports/user on the VPS, then use the firewall on the VPS to forward that port to 443 and lock down the rest.

best practice states security through obscurity is not to be relied upon, but compare ssh logs after one year on the default port vs a non-standard port and you’ll immediately see why you want to use a non-standard https port for non-professional services. it cuts 99.9% of the noise/attempts.

Secure is relative, you should be aware that jellyfin itself has security issues github.com/jellyfin/jellyfin/issues/5415 most of which are harmless, but at least one is fairly serious and allows people to watch your media without authentication, and adding an extra layer of authentication on the proxy would likely cause issues with clients.

That being said, if you’re okay with those security issues what I would do is have a cheap VPS, connect both machines to tailscale, and have something like Caddy on the VPS to do the forwarding.

afaik but I’m not sure, Jellyfin lacks support for OIDC AuthN which is a clear sign that you cannot expose this publicly.

I use a Wireguard tunnel to a VPS and fail2ban with geoblocking: codeberg.org/skjalli/jellyfin-vps-setup

I toyed with the idea of exposing ports and decided against it. I don’t understand networking well enough yet. For me specifically, VPN access has been perfectly workable in the US with both speed and ease of access.

Can you use fail2ban on Jellyfin? That might be a wise step.

Tailscale or cloudflare

Not at all, there’s legal risk if you’re hosting your blurays. Cloudflare even explicitly forbids such use. VPN or nothing imo.

Set up a reverse proxy with https always on. And get a good (physical) firewall, preferably something akin to opnsense, pfsense, openwrt. Exposing is always a risk, and if you do want it, you have to bear the responsibility for your own security. Keep things up to date, set up monitoring and a good logging system (Wazuh) comes to mind.

Exposure means a security risk. How you deal with that security risk is your choice.

Cloudflare and the likes forbid usage of their stuff for these things.

For a remote and non-technical user I would say IP whitelisting offers a decent tradeoff.

On your end you expose your jellyfin port to internet, but restrict at the router level to your user’s client IP address as soon as you have it. Obviously in practice this works best if the address does not change often.

If anyone has any tips for getting Tailscale running via Docker on my Openmediavault machine, I’m open to it. Everyone lauds it for being dead simple and I cannot for the life of me get it running on the machine it needs to be. Not sure my wife can/will handle anything more complicated.

Ask them to visit ipv4.icanhazip.com and give you back the number, then whitelist in your webserver, as well as your LAN/VPN range, deny rest. Explain they can only reach jellyfin from their home internet. Repeat if they get 403 forbidden after they get a new WAN IP.

That or VPN like openziti, wireguard but gets more complicated.

Perhaps (and I know I might be weird) running pangolin on something like hetzner? (Which I do)

Run the jellyfin in a container that only has read privileges to the videos ( make sure you can’t get out to your whole NAS from there), put that behind a Cloudflaired tunnel.

It’s not technically secure, but if they can’t get a foothold in your network and the only thing they can access is your video catalog, that’s a reasonable amount of risk.