How do I host Jellyfin in the most secure manner possible?
from Charger8232@lemmy.ml to selfhosted@lemmy.world on 09 Apr 18:30
https://lemmy.ml/post/28360538

Please take this discussion to this post: lemmy.ml/post/28376589


Selfhosting is always a dilemma in terms of security for a lot of reasons. Nevertheless, I have one simple goal: selfhost a Jellyfin instance in the most secure way possible. I don’t plan to access it anywhere but home.

# TL;DR

I want the highest degree of security possible, but my hard limits are:

- No custom DNS
- Always-on VPN
- No self-signed certificates (unless there is no risk of MITM)
- No external server

# Full explanation

I want to be able to access it from multiple devices, so it can’t be a local-only instance. I have a Raspberry Pi 5 that I want to host it on. That means I will not be hosting it on an external server, and I will only be able to run something light like securecore rather than something heavy like Qubes OS. Eventually I would like to use GrapheneOS to host it, once Android’s virtual machine management app becomes more stable. It’s still crazy to me that 2TB microSDXC cards are a real thing. I would like to avoid subscription costs such as the cost of buying a domain or the cost of paying for a VPN, however I prioritize security over cost. It is truly annoying that Jellyfin clients seldom support self-signed certificates, meaning the only way to get proper E2EE is by buying a domain and using a certificate authority. I wouldn’t want to use a self-signed certificate anyways, due to the risk of MITM attacks. I am a penetration tester, so I have tested attacks by injecting malicious certificates before. It is possible to add self-signed certificates as trusted certificates for each system, but I haven’t been able to get that to work since it seems clients don’t trust them anyways. Buying a domain also runs many privacy risks, since it’s difficult to buy domains without handing over personal information. I do not want to change my DNS, since that risks browser fingerprinting if it differs from the VPN provider. I always use a VPN (currently ProtonVPN) for my devices.
If I pay for ProtonVPN (or other providers) it is possible to allow LAN connections, which would help significantly, but the issue of self-signed certificates still lingers. With that said, it seems my options are very limited.

#selfhosted


catloaf@lemm.ee on 09 Apr 18:36 next collapse

Just run it on the LAN and don’t expose it to the Internet. That’s 99% of the way there. HTTPS only secures the connection, and I doubt you’re sending any sensitive info to or from Jellyfin (but you can still run it in docker and use caddy or something with Let’s Encrypt).

The bigger target is making sure jellyfin itself and the host it runs on are updated and protected. You could use a WAF too.

Charger8232@lemmy.ml on 09 Apr 18:43 collapse

Just run it on the LAN and don’t expose it to the Internet.

This would require paying for a VPN to allow LAN connections, which is an option but not my preferred one.

HTTPS only secures the connection, and I doubt you’re sending any sensitive info to or from Jellyfin

This is a matter of threat model, and I would prefer not to expose my TV preferences unencrypted over the network.

but you can still run it in docker and use caddy or something

Does Caddy require a custom DNS in order to point the domain to a local IP address?

The bigger target is making sure jellyfin itself and the host it runs on are updated and protected.

This is easy with securecore, since it updates daily. The rest of the semantics for the actual hosting side aren’t too difficult.

Tolookah@discuss.tchncs.de on 09 Apr 18:51 next collapse

But if you don’t plan to access it anywhere but home (your words), then it doesn’t have outside access, and putting it on your LAN is done.

Edit: if you do want to access it from outside, running a WireGuard VPN locally is pretty easy to do.

Charger8232@lemmy.ml on 09 Apr 18:54 collapse

I still want security in transit, no matter where it is being broadcast from.

Tolookah@discuss.tchncs.de on 09 Apr 21:51 collapse

You don’t trust your home network?

AtariDump@lemmy.world on 10 Apr 02:05 collapse

You do‽ I know the person who runs it and they’re completely inept! /s

Tolookah@discuss.tchncs.de on 10 Apr 03:20 collapse

Yeah, but the user is also inept, so it evens out.

Honestly though, they could run a pair of docker containers, one with Jellyfin, one with WireGuard, and only have access to the Jellyfin instance when logged into the micro sized VPN? (I think docker will let you play with networks that way, I’m experienced enough to be dangerous but not useful)
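As an added example (not from any poster in this thread, and not the projects' own files), a Docker Compose file that does what the comment above describes: Jellyfin shares the WireGuard container's network namespace, so nothing on the LAN can reach port 8096 except a peer inside the tunnel. It assumes the linuxserver/wireguard image and its default 10.13.13.0/24 tunnel subnet; the LAN address, user ids and media path are placeholders.

```yaml
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    environment:
      - PUID=1000                  # placeholder: uid/gid owning ./wireguard
      - PGID=1000
      - TZ=Etc/UTC
      - SERVERURL=192.168.10.20    # placeholder: the Pi's LAN address
      - SERVERPORT=51820
      - PEERS=phone                # one peer config is generated in /config/peer_phone
      - INTERNAL_SUBNET=10.13.13.0 # tunnel subnet; the server side is 10.13.13.1
      - ALLOWEDIPS=10.13.13.0/24   # split tunnel: the peer only routes tunnel traffic here
    volumes:
      - ./wireguard:/config
      - /lib/modules:/lib/modules:ro
    ports:
      - "51820:51820/udp"          # the only port exposed on the LAN
    restart: unless-stopped

  jellyfin:
    image: jellyfin/jellyfin:latest
    container_name: jellyfin
    # Join the WireGuard container's network namespace. No "ports:" here:
    # 8096 is never published, so Jellyfin is reachable only as
    # http://10.13.13.1:8096 from a connected peer.
    network_mode: "service:wireguard"
    depends_on:
      - wireguard
    volumes:
      - ./jellyfin/config:/config
      - ./jellyfin/cache:/cache
      - /path/to/media:/media:ro   # placeholder media library
    restart: unless-stopped
```

Because ALLOWEDIPS is limited to the tunnel subnet, the phone's other traffic is untouched, which is the split-tunnel situation the thread keeps running into with a commercial VPN client.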

AtariDump@lemmy.world on 10 Apr 03:32 collapse

Johanno@feddit.org on 09 Apr 18:53 next collapse

You could do a vpn hosting by yourself.

Meaning your server is basically a vpn tunnel server and you can connect from the Internet to it. Once you are in the encrypted vpn connection you have access to the local network.

If you have dynamic IP you need DNS though. But no one can connect just because they know the IP/DNS.

Charger8232@lemmy.ml on 09 Apr 18:57 collapse

You could do a vpn hosting by yourself.

I’m uneasy about this, because I don’t trust myself to do it securely. VPNs are a very complex piece of software, so I highly prefer to stick with widely used setups (i.e. “stock” VPN software such as ProtonVPN, Mullvad VPN, etc.)

otacon239@lemmy.world on 09 Apr 19:13 next collapse

A self-hosted VPN is the most secure free way to host your Jellyfin. I’ve had to learn the hard way over the years, but all the features and control you gain for hosting services yourself comes with all the same responsibilities and risk that the provider would be taking on for you.

The money you spend on their service is the alternative to the many hours it takes to learn how to properly host your own server.

You can definitely learn how to do it and it will be difficult and confusing at times, but that’s what the community is there for. I recommend joining a Matrix server or similar so you can get more real-time feedback for when you’re just getting started.

Totally understand not wanting to take the risk, though. Just something worth considering.

Badabinski@kbin.earth on 09 Apr 19:32 collapse

Wireguard was written with the explicit goal of having sane, secure defaults. I totally feel you w.r.t. openvpn or ipsec, since it's easy to do something wrong. Wireguard is much easier because it simply refuses to give you the choice to do things incorrectly.

w.r.t. the certificate thing, you could set up a reverse proxy and do HSTS to ensure nobody can load up a rogue CA on your devices. HSTS has the issue that SSH has (trust on first use or whatever it's called), but you just need to make sure nobody is MITMing you for that first connection and then you'll be good to go. This would let you use a self-signed certificate if you so desired.

Charger8232@lemmy.ml on 09 Apr 19:41 collapse

Wireguard was written with the explicit goal of having sane, secure defaults.

Wireguard is much easier because it simply refuses to give you the choice to do things incorrectly.

Security my beloved

I totally feel you w.r.t. openvpn or ipsec, since it’s easy to do something wrong.

This is one reason I’ve avoided selfhosting for this long. I am not a network engineer, and I have no plans to be. That means if I am managing an entire server from my physical home location, that’s a recipe for disaster. There’s simply no way to ensure you’ve done things correctly, especially since a lot of the selfhosting community has an… aversion to good security practices (which is why I had to make this post to begin with).

w.r.t. the certificate thing, you could set up a reverse proxy and do HSTS to ensure nobody can load up a rogue CA on your devices.

Would that work while having ProtonVPN still enabled?

trust on first use

My favorite food

This would let you use a self-signed certificate if you so desired.

Jellyfin clients don’t accept self-signed certificates, as I mentioned. Is there a way around that (or does HSTS somehow solve it)? From what I’ve learned about HSTS up until now, it is simply there to require the use of proper certificates and HTTPS. Am I wrong about that?

sem@lemmy.blahaj.zone on 10 Apr 00:31 collapse

What jellyfin client are you using that doesn’t support self signed certificates?

catloaf@lemm.ee on 09 Apr 19:26 next collapse

You don’t need a VPN for LAN connections. You’re already on the LAN. You’d only need it for access from the WAN.

If you’re using Let’s Encrypt, you should probably purchase a domain. I don’t think they support .internal domains. Or you could set up your own CA and run it however you want, even issuing certs to access by IP address if you wanted.

Charger8232@lemmy.ml on 09 Apr 19:29 collapse

You don’t need a VPN for LAN connections.

ProtonVPN by default blocks LAN connections, and can only be changed using their paid tier.

catloaf@lemm.ee on 09 Apr 19:36 collapse

For that aspect, I would recommend changing to a provider that doesn’t have such ridiculous restrictions.

Charger8232@lemmy.ml on 09 Apr 19:41 next collapse

The only other providers I would use are Mullvad VPN or IVPN, both of which are paid.

I agree it is ridiculous.

Trainguyrom@reddthat.com on 09 Apr 23:40 collapse

Wait you’re seriously using a free VPN?

someacnt@sh.itjust.works on 10 Apr 00:11 collapse

Being concerned about security while using free VPN sounds like an oxymoron.

sem@lemmy.blahaj.zone on 10 Apr 00:28 collapse

Is there any reason to think the free Proton VPN is somehow insecure?

litchralee@sh.itjust.works on 10 Apr 03:07 collapse

Not “insecure” in the sense that they’re shoddy with their encryption, no. But being free could possibly mean their incentives are not necessarily aligned with that of the free users.

In security speak, the CIA triad stands for Confidentiality, Integrity, and Availability. I’m not going to unduly impugn Proton VPN’s credentials on data confidentiality and data integrity, but availability can be a legit security concern.

For example, if push comes to shove and Proton VPN is hit with a DDoS attack, would free tier users be the first to be disconnected to free up capacity? Alternatively, suppose the price for IP transit shoots through the roof due to weird global economics and ProtonVPN has to throttle the free tier to 10 Mbps. All VPN operators share these possibilities, but however well-meaning Proton VPN and the non-profit behind them are, economic factors can force changes that aren’t great for the free users.

Now, the obv solution at such a time would be to then switch to being a paid customer. And that might be fine for lots of customers, if that ever comes to pass. But Murphy’s Law makes it a habit that this scenario would play out when users are least able to prepare for it, possibly leading to some amount of unavailability.

So yes, a holistic analysis of failure points is precisely what proper security calls for. Proton VPN free tier may very well be inappropriate. But whether it rises to a serious concern or just warrants an “FYI”, that will vary based on individual circumstances.

AbidanYre@lemmy.world on 09 Apr 23:02 collapse

I kind of get it from Proton’s POV. If they have a free tier that allows a limited number of devices they’ll want to make sure you don’t tunnel all you devices through that one.

[deleted] on 09 Apr 20:24 collapse

.

just_another_person@lemmy.world on 09 Apr 18:45 next collapse

Run it at home and get Tailscale set up with a Headscale server, or just use Tailscale straight out if you want. That’s the simplest.

A better option would be getting an OpenWRT router and start building proper infrastructure for doing something like this. You’ll have many different options for decentralized and NAT traversing VPNs with this option. GL.Inet Flint is a great choice.

Charger8232@lemmy.ml on 09 Apr 18:49 collapse

Run it at home and get Tailscale set up with a Headscale server, or just use Tailscale straight out if you want. That’s the simplest.

I have no idea how to do this. Do you have any resources? Does it cost a subscription fee?

A better option would be getting an OpenWRT router

This is what I have planned. OpenWrt Two my beloved

You’ll have many different options for decentralized and NAT traversing VPNs with this option. GL.Inet Flint is a great choice.

I also don’t know how to do this. Resources are much appreciated :)

just_another_person@lemmy.world on 09 Apr 18:56 collapse

Okay, so let me explain a bit:

Tailscale is a commercial client that is semi-FOSS. It’s built on Wireguard, which is FOSS, but the cloud hosted architecture does cost money after I think 5 clients.

Headscale is a FOSS implementation of Tailscale, and totally free to host, skipping the above.

Tailscale itself is super easy to use, and you just install it on a node, register it, and then it has access to any other device on that secured network. So if you install it on your Jellyfin machine at home behind your normal firewall, then install it on your phone, you’ll be able to connect to it without forwarding ports or messing around with much.

It should be that simple.

Charger8232@lemmy.ml on 09 Apr 18:59 next collapse

Does Headscale conflict with ProtonVPN/Mullvad VPN (i.e. can I use those alongside Headscale)? Android has a limited number of VPN slots, so that’s why I ask.

just_another_person@lemmy.world on 09 Apr 19:02 collapse

Nope. Wireguard runs outside the same protocols.

Just give Tailscale a try first because it’s essentially free for a few nodes. If you need more and don’t want to pay, then investigate Headscale.

Charger8232@lemmy.ml on 09 Apr 19:08 collapse

So:

  • ProtonVPN is installed on my Android phone
  • Android has Always-on VPN enabled
  • Android has Block connections without VPN enabled
  • Host Jellyfin on my Raspberry Pi 5
  • Install Headscale on my Raspberry Pi 5
  • Install Headscale on my Android phone
  • Install a Jellyfin client on my Android phone
  • Configure everything

And that will work? It will be encrypted during transit? And only run on the LAN? Does ProtonVPN need to allow LAN connections (I assume it does)?

just_another_person@lemmy.world on 09 Apr 19:12 collapse

Sorry, it may be confusing, but Headscale is ONLY the free server component. The client is still Tailscale’s open client. That’s why I’m saying just sign up and try it first with Tailscale, and then if you need more connections without paying, create a Headscale server and re-register your clients to that to skip charges.

Charger8232@lemmy.ml on 09 Apr 19:18 collapse

Alright, I’m slowly learning, bear with me here:

  • ProtonVPN is always-on and blocks connections without VPN

  • Jellyfin and Headscale are hosted on the Pi (or does Headscale need its own server?)

  • Tailscale and a Jellyfin client are installed on the phone

  • Will that run fully on the LAN?

  • Will it be encrypted during transit?

  • Does ProtonVPN need to allow LAN connections?

just_another_person@lemmy.world on 09 Apr 19:43 collapse

Okay, so you might be unfamiliar with networking, so maybe some extra confusion there. Let me try to explain that a bit.

The Jellyfin server runs on LAN like normal. No need to use Tailscale if you’re just using your Wi-Fi or Ethernet.

Tailscale/Headscale creates its own VPN network which will need its own IP space. Same as any other VPN. It’s just a setting in the config, and the routing is pretty simplistic and mostly automatic.

Tailscale/Headscale can run anywhere. Doesn’t need to be on that Pi, but that Pi will need a Tailscale client to be on the “Tailnet” and communicate with other devices also connected to it.

ProtonVPN clients have their own IP space and network that go elsewhere. That’s its own separate thing.

Charger8232@lemmy.ml on 09 Apr 19:53 collapse

Okay, so you might be unfamiliar with networking

I’m familiar with some parts of networking, but selfhosted VPNs are something I am unfamiliar with, so thank you for helping me out!

No need to use Tailscale if you’re just using your Wi-Fi or Ethernet.

I want it to be encrypted during transit, even if it is over the LAN.

Tailscale/Headscale creates its own VPN network which will need its own IP space.

This is what I was afraid of, because this means it probably can’t run alongside ProtonVPN, since it would fill up the VPN slot on Android, right?

If so, it means we’ve come full circle. Unless there is a way to use Tailscale alongside ProtonVPN or a way to get Jellyfin clients to trust self-signed certificates, I don’t see any other option than buying a domain and exposing the server to the internet. Am I missing something?

just_another_person@lemmy.world on 09 Apr 20:14 collapse

No, it can run along anything, as long as you don’t conflict the IP space assigned to a VPN. It creates its own IP network space when running, so just don’t overlap with your other VPN software. Using it while at home is a bit wasteful on effort and power, but just use the Jellyfin LetsEncrypt setup and it’s the same thing.

You are missing a lot here. I think you’re confused on the difference between your LAN security, and how that fits into network connections. You don’t need an SSL cert to say that something is secure, that’s just one method of PUBLICLY securing something. Every connection on Tailscale is secure end-to-end, so if you run it on your Pi, any client that can connect to it is secured. No open ports, no lapses in security. The encryption happens between each client and the server. You’re secure.

Charger8232@lemmy.ml on 09 Apr 20:30 next collapse

No, it can run along anything, as long as you don’t conflict the IP space assigned to a VPN.

I tried Tailscale on Android, and it isn’t working because it requires the active VPN slot occupied by ProtonVPN.

thatcasualgamingguy@lemmy.nerdcore.social on 09 Apr 20:30 collapse

Android only allows one active VPN per Profile. So as OP said, running Tailscale and Proton in parallel is not possible.

sem@lemmy.blahaj.zone on 10 Apr 00:36 collapse

Iirc it supports 100 clients on the free tier, but even that is a soft limit – I’ve heard that they will accommodate more devices if you ask (and you’re in a non-commercial setting)

CmdrShepard42@lemm.ee on 09 Apr 18:46 next collapse

I can’t answer your question as I rely on Plex rather than fooling around with my own security, but I’d suggest reconsidering the Pi and a microSD to host Jellyfin. Neither one of these is a good fit unless you plan on sticking to very specific audio and video codecs to avoid all transcoding and your upload speeds are capable of serving the full bitrate of your files. Beyond that, SD cards are terrible for this kind of task and you’d be much better served with an SSD as your boot/data drive for robustness. I can’t even count the number of failed SD cards I’ve had over the years.

Charger8232@lemmy.ml on 09 Apr 18:53 collapse

but I’d suggest reconsidering the Pi

It’s what I have on hand at the moment. I don’t have proper server hardware yet.

and a microSD to host Jellyfin.

Beyond that, SD cards are terrible for this kind of task and you’d be much better served with an SSD as your boot/data drive for robustness. I can’t even count the number of failed SD cards I’ve had over the years.

I will keep this in mind, thank you!

Neither one of these is a good fit unless you plan on sticking to very specific audio and video codecs to avoid all transcoding and your upload speeds are capable of serving the full bitrate of your files.

I haven’t tried playing videos from my Raspberry Pi, but I’ve been able to run extremely modern video codecs on some pretty old hardware without any issues. Since I’ve never had issues with video codecs, I’m not experienced in what hardware can and can’t handle it.

beerclue@lemmy.world on 09 Apr 20:06 collapse

A micro sized PC with an i5 and 8GB of RAM can cost under 100€, and it’s way more powerful compared to a Pi. Power efficient too. That’s what I used for a long time for my Jellyfin server.

Charger8232@lemmy.ml on 09 Apr 20:12 next collapse

Thank you! I’d like to avoid extra costs, since I already have the Pi on hand, but when I have the money I will switch to a proper server.

AtariDump@lemmy.world on 10 Apr 02:09 collapse

Can I run it via PoE?

beerclue@lemmy.world on 10 Apr 06:56 collapse

I don’t think so, but don’t quote me on that. My machines come with a 65w charger.

AtariDump@lemmy.world on 10 Apr 12:55 collapse

It cannot.

While used equipment is more powerful than a Pi, it doesn’t always fit everyone’s use case and I hate it when people have a “one size fits all” solution.

beerclue@lemmy.world on 10 Apr 19:12 collapse

I agree with you, but this was specifically about jellyfin.

LainTrain@lemmy.dbzer0.com on 09 Apr 18:59 next collapse

If you’re running externally, use a cloudflare tunnel.

No ports exposed = no attack surface. This is 99% of security.

HTTPS is provided by CF although only secures comms between your devices to CF, not CF to your Pi, meaning CF can see clear text technically.

If that’s not good enough then use a VPN server like PiVPN and put it on your Pi and OpenVPN on your devices. *This has nothing to do with paid VPN client subscriptions like Tunnelbear or Proton or whatever.*

You will be running a VPN server on your pi to which you will connect from your devices on which you want to watch JF by downloading a device profile to your devices and opening it in the OpenVPN app.

You do not need to pay for anything at all anywhere ever (other than something for DDNS and a domain name), use a strong password and make sure your JF is updated if there’s any CVE. Expose nothing else to the internet.

You don’t even need HTTPS at that point or any certs, a VPN will encrypt your traffic anyway. The only cleartext you’ll have is between your VPN and your JF, and if both are on the pi then the only MITM vector is literally inside your Pi which is unlikely to have any issues.

korn@feddit.org on 09 Apr 19:06 next collapse

Your post is very confusing. You want to use it only locally (on your home), but it can’t be a local-only instance.

You want to e2ee everything, but fail to mention why. There is no reason to do that on your own network.

I do not know why you want to use a VPN and what you want to do with it. Where do you want to connect to?

What is the attack vector you’re worried about? Are there malicious entities on your network?

Charger8232@lemmy.ml on 09 Apr 19:27 collapse

You want to use it only locally (on your home), but it can’t be a local-only instance.

By “local-only” I meant on-device

You want to e2ee everything, but fail to mention why.

Privacy and security.

There is no reason to do that on your own network.

Networks are not a trusted party in any capacity.

I do not know why you want to use a VPN and what you want to do with it. Where do you want to connect to?

A VPN such as ProtonVPN or Mullvad VPN is used to displace trust from your ISP into your VPN provider and obscure your IP address while web browsing (among other benefits that I don’t utilize).

What is the attack vector you’re worried about? Are there malicious entities on your network?

These are good questions but not ones I can answer briefly.

korn@feddit.org on 09 Apr 19:36 next collapse

My short answer: you’re overthinking it way too hard and I think sticking that microSD-Card into the device you want to watch on is your best bet.

You’re chasing ghosts.

AbidanYre@lemmy.world on 09 Apr 21:02 collapse

If you don’t trust the devices inside your own house, no amount of VPNs or e2ee are going to help.

If it’s entirely on your lan, your isp isn’t involved and a VPN is just adding unnecessary complications.

Chocrates@lemmy.world on 09 Apr 19:32 next collapse

Fwiw jellyfin apps don’t even allow you to use a self signed cert.

Charger8232@lemmy.ml on 09 Apr 19:33 collapse

I know. It’s very unfortunate, but I understand why.

DesolateMood@lemm.ee on 09 Apr 19:33 next collapse

I don’t plan to access it anywhere but home

Okay so what’s all this faffing about for? Just don’t open it up to the internet and access it with your server’s local IP address on your home network.

Charger8232@lemmy.ml on 09 Apr 19:35 collapse

I wish it were that simple, but as I mentioned that would require paying for ProtonVPN to allow LAN connections (which isn’t the worst thing in the world, but I’d prefer to avoid subscriptions where possible) and clients don’t allow self-signed certificates.

tacostrange@lemmy.ml on 09 Apr 19:37 next collapse

Look into Tailscale. Its free

smiletolerantly@awful.systems on 09 Apr 20:04 next collapse

What are you talking about. Please clarify if this is actually true:

I don’t plan to access it anywhere but home.

This would mean that you only want to access Jellyfin when you, and the device you are watching your show/movie on, are at home, where the Pi/server also is.

Is this correct?

If so, then questions about VPN, Certificates, DNS,… do not matter.

  1. host Jellyfin on the Pi, e.g. with IP 192.168.10.20 on your local network
  2. open the Jellyfin app on your TV/Phone/PC, connect to 192.168.10.20:8096
  3. done

Now you can access it at home, and only at home. I honestly fail to see where a VPN would even come into the equation here (again, if you wish to ONLY watch when you are at home, as you’ve said).

Charger8232@lemmy.ml on 09 Apr 20:08 next collapse

This would mean that you only want to access Jellyfin when you, and the device you are watching your show/movie on, are at home, where the Pi/server also is.

Is this correct?

Yes.

If so, then questions about VPN, Certificates, DNS,… do not matter.

They do, because if ProtonVPN blocks LAN connections then the only other option is exposing the server to the WAN

open the Jellyfin app on your TV/Phone/PC, connect to 192.168.10.20:8096

This does not encrypt during transit, and my network is not a trusted party.

I honestly fail to see where a VPN would even come into the equation here

I, like many others, use my devices for more than just accessing my LAN while I am on my home network.

[deleted] on 09 Apr 20:29 next collapse

.

Charger8232@lemmy.ml on 09 Apr 20:43 collapse

Just out of curiosity, why is your network not a trusted party?

Part of my threat model is essentially “anything that can connect to the internet poses a security risk”. Since networks are the literal gateway to the internet, it is reasonable not to trust them. Routers don’t run operating systems as secure as Qubes OS, secureblue, or GrapheneOS. If a malicious party found a way to connect to the network, all unencrypted activities can be intercepted. If the router itself has malicious code, any unencrypted traffic can be sent to a third party. Those are just the basics, but trying to put band-aid solutions on a fundamentally broken system is a losing battle.

GrapheneOS distrusts networks as much as possible, so I do too. Even if I own the network, I am not a network engineer, so the chances of fault are high. In the simplest case, the network is a gateway to all activity that happens on the LAN, and it only takes one zero day to make that happen. The best mitigation is proper encryption and no self-signed certificates (where possible).

smiletolerantly@awful.systems on 09 Apr 20:37 collapse

This does not encrypt during transit, and my network is not a trusted party.

Then honestly, you have other problems than setting up Jellyfin.

For real though, if you think someone is (or might be) listening in on your local network, i.e. have physical access or compromised one of your machines, then the Jellyfin traffic is the least of your problems. Pick your battles. What’s the worst that could happen here - someone gets to know your favorite show?

They do, because if ProtonVPN blocks LAN connections then the only other option is exposing the server to the WAN

Ah, I see. On your PC you should just be able to set a static route over the physical interface for 192.168.0.0/24 (or whatever your local network is) which takes precedence over the VPN. For android… Oof, no idea. Probably need root.

Charger8232@lemmy.ml on 09 Apr 20:58 collapse

For real though, if you think someone is (or might be) listening in on your local network, i.e. have physical access or compromised one of your machines, then the Jellyfin traffic is the least of your problems. Pick your battles. What’s the worst that could happen here - someone gets to know your favorite show?

A bad router + bad ISP combo means I get ratted out for copyrighted material (that I don’t have… I only host creative commons videos on my Jellyfin server, of course…)

smiletolerantly@awful.systems on 09 Apr 21:31 next collapse

This isn’t really true. Even IF your router would fail catastrophically in the right way to expose your server to the internet, or if it actually “ratted your traffic out” to the ISP and the ISP cared (which it does not), it’s not illegal to host Jellyfin, or put media on it which you own (which is not discernible from just… media being streamed).

Also your ISP has no part in your local network traffic.

Trainguyrom@reddthat.com on 09 Apr 21:44 collapse

Sounds far more likely that either someone misunderstood that residential IPs change frequently/may be shared by multiple subscribers or the ISP made an error when responding to a subpoena and provided the incorrect IP. Unfortunately both are all too common with privacy enforcement.

If you really think the ISP router is snooping and can’t be bypassed you could simply double-NAT your network with a trusted router and call it a day. Much less VPNing and much less unusual decisions of trust and threat model involved then.

DesolateMood@lemm.ee on 09 Apr 20:16 collapse

OP’s problem is that Proton blocks LAN connections when connected and requires you to pay them if you want to unblock it.

smiletolerantly@awful.systems on 09 Apr 20:38 next collapse

Smh. I get wanting to be connected to a VPN, but being locked out of your own local network is just stupid.

littleomid@feddit.org on 10 Apr 09:15 next collapse

Then he should use Mullvad.

lefixxx@lemmy.world on 10 Apr 13:04 collapse

What the f

DesolateMood@lemm.ee on 09 Apr 20:10 collapse

Idk if Proton allows you to download config files on a free account, but if they do then you could use those to manually split tunnel your local internet.

Edit: if they don’t then the “most secure” (and cheapest) option is to pay for a VPN that allows LAN connections.

Charger8232@lemmy.ml on 09 Apr 20:13 collapse

Idk if Proton allows you to download config files on a free account

I remember a time a few years ago when I managed to do something similar… I’ll look into this!

Edit: It seems so

protonvpn.com/support/vpn-config-download/

protonvpn.com/support/wireguard-configurations/

fenndev@leminal.space on 09 Apr 20:05 next collapse

Hang on.

Would it not be better to run a VPN server on your router to force all WAN-bound traffic through the VPN? This way, you could still access your local devices.

Charger8232@lemmy.ml on 09 Apr 20:10 collapse

Good eye! I’d like to avoid trusting my network, but I did consider this option. It also becomes a hassle to enable my VPN per-device each time I leave my house and connect to another network. This still doesn’t solve the problem of encrypting Jellyfin in transit over the LAN.

AutoPastry@sopuli.xyz on 10 Apr 02:05 collapse

Jellyfin has https support built in, you just have to enable it in settings. I just made a self-signed cert with openssl and use that

jacksilver@lemmy.world on 09 Apr 20:34 next collapse

I think the easiest way would be to have two vlans on your local network. One that is connected to the internet and another that is local only. I think you’d have to switch networks when wanting to access the jellyfin server in that instance, but would negate the main issue, which is your VPN.

Edit: that’s about the most secure you can get I think. If you bought a different physical router to host it, you’d have about as secure a setup as possible.

Charger8232@lemmy.ml on 09 Apr 20:48 collapse

This is fair, and does solve the problem. I didn’t explicitly state that I needed it to be convenient, so you’re right. Having one network that is LAN only and switching to it to use Jellyfin, and having a second network that is WAN only and using ProtonVPN there would probably be the most secure setup. Unfortunately, it still doesn’t solve the issue of encryption in transit over the LAN, but that might be fixable with Tailscale. The LAN could even be ethernet-only, to mitigate wireless attacks.

That makes me wonder if there’s a way I could simply plug an ethernet cord from my phone to the airgapped Pi and use it that way. Is that possible? Surely it is. Could ProtonVPN be used on the phone even while the phone is connected physically to the Pi?

Mouette@jlai.lu on 09 Apr 20:37 next collapse

How i do it:

  • WireGuard for the VPN endpoint on the Pi and the devices that I have root on; secure, fast to set up and doesn’t add a lot of overhead

  • For access outside of VPN:

You might have to pay for a domain name if you don’t have a static IP, which is relatively cheap.

You can manually allow trusted IPs to access the service in your firewall, which nullifies the attack surface if done perfectly but is really a hassle to set up and maintain. I’m looking to set up Keycloak for a strong pre-auth that I can share between services and that is also lightweight (Authentik is not lightweight; Authelia seems to be, I’d like to try it as well). This coupled with firewall rules and/or a fail2ban-like service should be more than enough for a private server, I think.

litchralee@sh.itjust.works on 09 Apr 20:44 next collapse

After reviewing the entire thread, I have to say that this is quite an interesting question. In a departure from most other people’s threat models, your LAN is not considered trusted. In addition, you’re seeking a solution that minimizes subscription costs, yet you already have a VPN provider, one which has a – IMO, illogical – paid tier to allow LAN access. In my book, paying more money for a basic feature is akin to hostage-taking. But I digress.

The hard requirement to avoid self-signed certificates is understandable, although I would be of the opinion that Jellyfin clients that use pinned root certificates are faulty, if they do not have an option to manage those pinned certificates to add a new one. Such certificate pinning only makes sense when the client knows that it would only connect to a known, finite list of domains, and thus is out-of-place for Jellyfin, as it might have to connect to new servers in future. For the most part, the OS root certificates can generally be relied upon, unless even the OS is not trusted.

A domain name is highly advised, even for internal use, as you can always issue subdomains for different logical network groupings. Or maybe even ask a friend for a subdomain delegation off of their domain. As you’ve found, without a domain, TLS certificates can’t be issued and that closes off the easy way to enable HTTPS for use on your untrusted LAN.

But supposing you absolutely do not want to tack on additional costs, then the only solution I see that remains is to set up a private VPN network, one which only connects your trusted devices. This would be secure when on your untrusted LAN, but would be unavailable when away from home. So when you’re out and about, you might still need a commercial VPN provider. What I wouldn’t recommend is to nest your private VPN inside of the commercial VPN; the performance is likely abysmal.

Trainguyrom@reddthat.com on 09 Apr 21:28 collapse

But supposing you absolutely do not want to tack on additional costs, then the only solution I see that remains is to set up a private VPN network, one which only connects your trusted devices. This would be secure when on your I trusted LAN, but would be unavailable when awat from home.

Traditionally this would be performed by creating a dedicated network of trusted devices, most commonly via a VLAN for ease of configuration. Set the switch ports that the trusted devices are connected to to use that VLAN and badabing badaboom, you’re there. For external access, use Tailscale or one of the many similar services/solutions (such as Headscale, NetBird, etc.) with either the client on every device or the subnet routing features to access your trusted network, and of course configure firewalls as desired.

litchralee@sh.itjust.works on 09 Apr 23:22 collapse

I had a small typo where “untrusted” was written as “I trusted”. That said, I think we’re suggesting different strategies to address OP’s quandary, and either (or both!) would be valid.

My suggestion was for encrypted L3 tunneling between end-devices which are trusted, so that even an untrustworthy L2 network would present no issue. With technologies like WireGuard, this isn’t too hard to do for mobile phone clients, and it’s well supported for Linux clients.

If I understand your suggestion, it is to improve the LAN so that it can be trusted, by way of segmentation into VLANs which separate the trusted devices from the rest. The problem I see with this is that per-port VLANs alone do not address the possibility of physical wire-tapping, which I presumed was why OP does not trust their own LAN. Perhaps they’re running cable through a space shared with other tenants, or something like that. VLANs help, but MACsec encryption on the wire paired with 802.1X device certificates for authentication is the gold standard for L2 security.

But seeing as that’s primarily the domain of enterprise switches, the L3 solution in software using WireGuard or other tunneling technologies seems more reasonable. That said, the principle of Defense In Depth means both should be considered.

Trainguyrom@reddthat.com on 10 Apr 00:44 collapse

Physical wire tapping would be mostly mitigated by setting every port on the switch to be a physical vlan, especially if the switch does the VLAN routing. Sure, someone could splice an Ethernet cable, which would really only be mitigated by 802.1X like you already said, but every part of this threat model makes zero sense. You ultimately have to trust something (and apparently in OP’s case that’s a third-party VPN provider that charges extra to not block LAN access while connected, and they remain entirely on the free tier of it).

But at the very least, not trusting everything on the network is a very enterprise kind of threat model, so using standard enterprise practices of network segmentation, firewalling, and potentially MAC-binding and 802.1X if so desired isn’t a bad idea, if for no other reason than it might lead to a career in network administration. And honestly, I mostly want to get OP to not think of VPNs like a magical silver bullet and see what other tools exist in the toolbox.

litchralee@sh.itjust.works on 10 Apr 01:20 collapse

Physical wire tapping would be mostly mitigated by setting every port on the switch to be a physical vlan

Can you clarify on this point? I’m not sure what a “physical VLAN” would be. Is that like only handling tagged traffic?

I’m otherwise in total agreement that the threat model is certainly not typical. But I can imagine a scenario like a college dorm where the L2 network is owned by a university, and thus considered “hostile” to OP somehow. OP presented their requirements, so good advice has to at least try to come up with solutions within those parameters.

Trainguyrom@reddthat.com on 10 Apr 02:44 collapse

Y’know what, that was terrible writing on my part. Where I put “physical vlan” I just meant specifying each port be a specific VLAN rather than a trunk port that has multiple VLANs on it

I should probably proofread more and write less when tired

Azzu@lemm.ee on 09 Apr 20:58 next collapse

This is one of the funniest posts I’ve seen here so far. Thanks for that! I unfortunately don’t otherwise have anything to add that hasn’t already been said, just wanted you to know that I enjoyed it a lot :)

smiletolerantly@awful.systems on 09 Apr 21:56 next collapse

Hi. I am a software engineer with a background in IT security. My girlfriend is a literal network security engineer.

I showed her this thread and she said: don’t bother, just use http on your local network.

Anyways, I am going to disengage from this thread now. Skepticism against things one doesn’t fully understand can be healthy, but this is an insane mix of paranoia and naïveté.

You are not a target; the things you are afraid of will never happen; and if they did, they would not have the consequences you think they would.

Your router will NOT magically expose your traffic to the internet (what would that even mean?? Like, if it spontaneously started port forwarding to your Jellyfin server (how? By just randomly guessing the port and IP???), someone would still need to actively request that traffic, AND know your login credentials, AND CARE).

Your ISP does not give a shit about you owning or streaming copyrighted material over your local network. It has no stake in that.

Graphene is not an ultimate arbiter of IT security, but the reason it “distrusts networks” is because you take your phone with you, constantly moving into actual untrusted networks (i.e. ones you do not own).

Hosting Jellyfin on Graphene will not make it more secure, whatsoever.

If every device is assumed compromised, and compromising devices with knowledge that you watch media is a threat in your model, then even putting an SD card with media in your phone and clicking play is dangerous. Which is stupid.

If you actually assume your router is malicious, then please assume that when you initially downloaded your VPN client, it was also compromised and your VPN is not trustworthy.

The way I see it, you have two options:

  1. educate yourself on network security to the point of being able to trust your network setup; or
  2. forget about hosting anything

Charger8232@lemmy.ml on 10 Apr 02:32 next collapse

I’m interested in your and your girlfriend’s thoughts on my new post about this issue.

P.S. She’s a keeper. Marry her already!

smiletolerantly@awful.systems on 10 Apr 05:11 collapse

Hi again. Sorry for being so rude yesterday. Your new post actually clears the situation up a lot.

We might have an idea for you, will comment on the new post.

surph_ninja@lemmy.world on 10 Apr 15:05 collapse

Regarding the ‘taking your phone with you and joining untrusted networks,’ you can set up WireGuard to auto-join your VPN on any network you haven’t whitelisted, including your cellular network.

HybridSarcasm@lemmy.world on 09 Apr 22:29 next collapse

I applaud your accomplishment as a penetration tester. I am disappointed at your lack of understanding regarding non-public networking.

Move your VPN to your router. Don’t bother with HTTPS on anything not exposed to the Internet.

If that does not satisfy your concerns, you may want to give up using electronic devices.

sem@lemmy.blahaj.zone on 10 Apr 00:14 next collapse

There is a huge reason to use HTTPS inside the LAN: so many browsers and other client software show HTTPS connections as more secure, with a nice padlock. For me, this was worth the minor inconvenience of setting up a DNS challenge with Let’s Encrypt on a domain I already had.

HybridSarcasm@lemmy.world on 10 Apr 00:17 collapse

Your huge reason is the padlock in the browser bar? I’m not against TLS internally. I do it myself with my own CA. For this particular instance and the unique requirements, it seemed easiest to avoid TLS.

sem@lemmy.blahaj.zone on 10 Apr 00:40 collapse

Yes it is. I got so annoyed by seeing it unlocked.

Lem453@lemmy.ca on 10 Apr 00:24 collapse

No reason not to have both. Things like Vaultwarden do warrant an extra layer, so set up a wildcard domain for internal services (x.local.example.com) and then normal certs for external stuff like y.example.com.

To get to internal stuff you then need your VPN as well. You can now easily choose what risk you want on a per-app basis.

Technotim has a good video on this

helios@social.ggbox.fr on 09 Apr 23:52 next collapse

You’re overthinking. Just host it on any server with a domain name and use Let’s Encrypt certs if you want to access it from anywhere. TLS offers good encryption; I don’t get how you need a VPN on top of that.

For local access only, I’d just host it on a machine over the LAN, self-signed certs for TLS, hell, I would even settle for HTTP in this case. As for your VPN app preventing you from accessing a local resource on your LAN, if true, you should get rid of that nonsense.

[deleted] on 10 Apr 19:07 collapse

.

dbbljack@lemmy.world on 10 Apr 01:07 next collapse

So you want a self-hosted Jellyfin instance that you only plan to access at home, as securely and simply as possible?

Buy an HDMI splitter.

sugar_in_your_tea@sh.itjust.works on 10 Apr 03:07 next collapse

Your options are only as limited as your imagination and complexity of your requirements.

If you’re only using it on your network, just use HTTP with mDNS (or have static routes from your router or something, but you said you don’t want that) so you don’t have to remember IP addresses. If you want TLS, you can borrow someone else’s domain with a service like FreeDNS.afraid.org (5 free subdomains). Or if you control the devices completely, you can make a root CA and add that to each device’s trusted CA list, and then sign your own certs and eliminate MITM attacks.

You have options, and most are overkill. The simplest, secure solution is HTTP on your local network or over a VPN you trust (if you have a publicly accessible IP, just host your own WireGuard server on/via your router).

lefixxx@lemmy.world on 10 Apr 13:09 next collapse

If you are willing to swap to Mullvad then you can also install Tailscale. You can then choose to connect to your Jellyfin server (over LAN) or (over a Tailscale WireGuard tunnel over LAN) while the rest of the traffic flows through Mullvad.

Jakeroxs@sh.itjust.works on 10 Apr 15:14 collapse

Why not just skip that and just use a WireGuard tunnel?

lefixxx@lemmy.world on 10 Apr 17:37 collapse

A WireGuard tunnel over a forced NordVPN tunnel will mean that all his traffic will flow all the way to the NordVPN node and all the way back for a LAN connection.

A properly configured WireGuard tunnel is harder to configure than a Tailscale network with a Mullvad exit node. (I think)

A WireGuard tunnel can only connect one device to the Jellyfin server (or router if it supports it)

Jakeroxs@sh.itjust.works on 10 Apr 18:49 collapse

WG Ez worked fine for me? Basically just VPNs me right into my LAN.

OH, I’m an idiot, I forgot I connect to my domain for the WireGuard connection lmao

Though I did mean just tunnel into the LAN, then the VPN is applied on outbound connections on the LAN using something like Gluetun or w/e

lefixxx@lemmy.world on 10 Apr 13:10 next collapse

You can also add a second network interface to the computer that needs to access the Jellyfin server over LAN.

possiblylinux127@lemmy.zip on 10 Apr 22:03 collapse

I’m not taking this to lemmyml