Is they're an easy way to make my Jellyfin accessible outside of my home network for free?
from Vegan_Joe@anarchist.nexus to selfhosted@lemmy.world on 05 Jul 17:41
https://anarchist.nexus/c/selfhosted/p/773580/is-they-re-an-easy-way-to-make-my-jellyfin-accessible-outside-of-my-home-network-for

I have docker installed, but only have a vague idea of how it works.

Back in the day, I would just port forward, but even then, I would need a static IP somehow.

I have heard a reverse proxy is an option, but that is an entirely new topic to me.

Surely there is an easy way to access Jellyfin outside of my home network that I’m just missing.

*Edit: I am blown away by all the help and support! I currently have tailscale running, and I’m in the process of purchasing a domain.

Thanks everyone!

#selfhosted

threaded - newest

Reannlegge@lemmy.ca on 05 Jul 17:45 next collapse

There are things like duckdns if you cannot get a static IP, but there are also things like wireguard.

ThePowerOfGeek@lemmy.world on 05 Jul 17:46 next collapse

An easy way? I guess the term ‘easy’ depends on your expertise with networking, firewalls, etc. Sounds like you and I are at about the same level there. In which case the answer is: no, there’s no easy way from what I can tell. I’ve looked into it and it’s a lot more involved than, say, Plex (because Plex does a bunch of the routing and stuff for you, but at a cost).

Vegan_Joe@anarchist.nexus on 05 Jul 17:56 next collapse

That is the answer my intuition was leading me to, but I hoped I was wrong. It looks like this is an opportunity to learn something outside of my comfort zone.

breadsmasher@lemmy.world on 05 Jul 18:05 next collapse

consider zerotier or tailscale

tyler@programming.dev on 05 Jul 18:14 collapse

Tailscale is incredibly easy. Install, start, sign in on both devices. Boom. Jellyfin from anywhere

Vegan_Joe@anarchist.nexus on 05 Jul 18:17 collapse

I’m sold! Setting it up now!

tyler@programming.dev on 05 Jul 23:41 collapse

Let me know if you have any trouble!

frongt@lemmy.zip on 05 Jul 17:48 next collapse

Yes, a VPN. And dynamic DNS if you don’t have a static IP address.

Vegan_Joe@anarchist.nexus on 05 Jul 17:52 collapse

To be clear, your suggesting I set up my home computer as a virtual private Network server that I would connect to from the TV or device outside of my home network?

frongt@lemmy.zip on 05 Jul 18:00 next collapse

Yes, it works great for me. Probably not for a TV though, for that you’d probably need some travel router VPN client. But I don’t know how often you’d be at a random TV and need to get to jellyfin.

Vegan_Joe@anarchist.nexus on 05 Jul 18:07 collapse

Got it! I think this is the plan of attack I’m going with

towerful@programming.dev on 05 Jul 19:35 collapse

Yeh, exactly.
And the “dynamic DNS” part handles your public IP address changing with 0 pain.
You either buy a domain (like example.com), or there are free domain name providers that give you a subdomain (like mycooldomain.example.com) of one of their domains.
You then run an additional service on your home server that checks what the current public IP address is. If it changes, it notifies the DNS responsible for your domain/subdomain, which then points to your new public IP.
To connect to your VPN, you only ever care about “mycooldomain.example.com” and never the underlying IP address.


As long as your ISP isn’t running CG-NAT of course 😵‍💫

GeneralDingus@lemmy.cafe on 05 Jul 17:50 next collapse

I forward my port to my bastion host, and reverse tunnel to it when I want to access my stuff.

My router allows you to set a device in the DMZ zone which will let you use your routers IP as its address.

ThatFuckingIdiot@lemmy.today on 05 Jul 17:51 next collapse

A VPN such as Tailscale.

Vegan_Joe@anarchist.nexus on 05 Jul 17:53 next collapse

That is a new concept to me, but I’ll definitely look into it.

Pika@sh.itjust.works on 05 Jul 18:34 next collapse

it’s actually the recommended way if you use jellyfin, theres a few security/privacy vulnerabilities with publicly exposing the jellyfin server anyway, they are being worked on but, the safest way to do it is just use a vpn regardless.

frongt@lemmy.zip on 05 Jul 23:43 collapse

Plus it enables you to access everything. If you have radarr or sonarr or whatever, you can get to those and add media while out and about.

Personally I use Mealie and pull up ingredient lists while I’m im at the grocery store.

djdarren@piefed.social on 05 Jul 21:01 collapse

Just be aware that if you want anyone else to connect to your Jellyfin, you’ll still have to route it through a domain and reverse proxy, unless you’re comfortable letting them log in to your tailnet.

It’s a bit of a fiddle to set up, but once it’s done it’s quite satisfying.

Pacrat173@lemmy.ml on 05 Jul 18:56 collapse

It’s my go to method super easy to set up and use on both the device hosting your JellyFinn server and whatever your steaming on

hoshikarakitaridia@lemmy.world on 05 Jul 17:54 next collapse

That’s the whole point of a domain. Your IP changes every now and again you need people to know where to reach you. You give them a domain, and you configure the name records so that the domain always points to the right IP address.

Your options:

  • dynamic IP - you keep your setup as is and just periodically tell them the new IP you’re on. Annoying and exposed
  • static IP - you buy a static IP (from your ISP) and share it with your friends once. A little bit less annoying and still exposed
  • you use a VPN like hamachi or radmin - your friends install the software, they look for you IP in there, you’re done - very secure but also very annoying
  • you buy a domain - you have to configure an IP updater like ddclient or similar, then you jellyfin should be reachable - least annoying for your friends but also slightly less secure

Domain is the cleanest option.

I am telling you how annoying it is because that’s how likely your friends are to adopt it and how secure it is because depending on your country you are doing something illegal and you really don’t want anyone to find out and you gotta keep it updated more often if you don’t want people to exploit it. There’s an endless supply of very smart people out there who use known bugs to target public services.

Edit: I forgot DDNS, see below comments.

Vegan_Joe@anarchist.nexus on 05 Jul 18:05 next collapse

I appreciate your response!

It looks like a VPN is the option I’m leaning towards, but I’ll definitely put the idea of buying a domain in my back pocket for a while.

Saapas@piefed.zip on 05 Jul 18:15 collapse

Some .xyz domains cost less than 1$. Mine is 0,85$/year

lyralycan@sh.itjust.works on 05 Jul 19:46 collapse

What do you do, randomise it every year?

Saapas@piefed.zip on 05 Jul 19:52 collapse

Nah same domain, 0,85$/year. It’s 8 numbers + .xyz

lyralycan@sh.itjust.works on 05 Jul 19:58 collapse

Wow thanks!! Looks like it works with 6-9 numbers

Saapas@piefed.zip on 05 Jul 20:10 collapse

You get to pick your numbers

On June 1, 2017, .XYZ launched the 1.111B class .xyz domains, cheap domains priced at US$0.99 per year and renewed at the same price. The class of domains consists of six-, seven-, eight-, and nine-digit numeric combinations between 000000.xyz and 999999999.xyz. Daniel Negari, CEO of .XYZ, stated that it was meant to bring competition, choice, and innovation to the market

shroomato@lemmy.world on 06 Jul 16:11 collapse
spaghettiwestern@sh.itjust.works on 05 Jul 18:24 collapse

You left out DDNS. It’s free, easy to set up with lots of detailed guides online, and works as well as a static IP.

hoshikarakitaridia@lemmy.world on 05 Jul 20:50 collapse

I added a reference to your comment

yeah I forgot that one. I had to rush the comment a bit.

wilmo@programming.dev on 05 Jul 18:00 next collapse

Tailscale. It’s free. Insanely easy to set up.

Just install on your devices and connect via the given tailscale ip for the jellyfin server.

sakphul@discuss.tchncs.de on 05 Jul 18:10 next collapse

I would also propose going with Tailscale instead If a VPN + DynDNS solution. Imho it is a lot easier to Setup compared to VPN + DynDNS If you are a beginner and just starting out.

If at some point you need more and then is available in the free Tier of Tailscale and you do not want to pay for it (and you have built up some knowledge!) you can switch to something like Headscale or Netbird.

hoshikarakitaridia@lemmy.world on 05 Jul 20:52 collapse

I forgot to mention that one because I kinda thought it belongs with radmin and hamachi, but it’s my choice as well currently.

I am using it with my own Headscale though, so add a domain to that as well.

And I finally need to switch my vaultwarden to work over tailscale & LAN finally, it’s a huge security risk to expose that one.

ragebutt@lemmy.dbzer0.com on 06 Jul 01:26 collapse

Or head scale if you don’t want something you don’t control that requires an account with google/apple/microsoft

pineapple@lemmy.ml on 06 Jul 08:16 collapse

Headscale is great but requires port forwarding which, aside from having its own iasues, is something op wants to avoid.

lokalhorst@feddit.org on 05 Jul 18:07 next collapse

What you want is Tailscale. The downside of Tailscale is that you have to connect to a VPN to access your services, the advantage - it is so easy to set up on the server it feels like magic.

Darkassassin07@lemmy.ca on 05 Jul 18:10 next collapse

You don’t need a static IP, you just have to keep track of what your current dynamic IP is.

You can do this with either a free or a paid DNS service.

There are a few different ‘free dns’ services that will delegate a subdomain of theirs to you at no cost. Admittedly, I’ve never actually used one of these so their names escape me. Hopefully someone else can point one of those out if that’s what you really want.


I purchased a domain via google domains, when they existed. It’s now transferred to squarespace, because they bought out google domains a few years ago.

It was around $13/year when I first got it a decade ago. It’s now around $28/year.

This allows me full control over the domain: I can use as many subdomains as I want to give each service I use it’s own unique name. (Instead of using their own separate ports that you’ve gotta remember) My domain will also forward all inbound email to my gmail account; this lets me use email addresses like <servicename>@mydomain.example. This way, I don’t share my real email and can immediately tell who sold my info to the highest bidder when I get spam. (I could also host my own email service if I really wanted, but I haven’t bothered)

Add Cloudflare ontop (for free); and it can filter out known attacks, ddos attempts, geofence your services to regions you’ll actually be in, provide/autorenew ssl certs for https, show you usage analytics, cache static data reducing server/network load, etc.

Ultimately, the paid option is well worth it IMO. $2/month (which I typically pay in 3-10 year blocks) is hardly anything.

/edit; vpns are good and all, but they require you to setup software on the remote device to connect to it, and that typically routes most if not all your traffic back to the vpn server then out to the internet. That can create speed/bandwidth issues.

A domain allows you to access your services from any Internet connection with 0 configuration on the client side. Just accessing it like any other website.

I also host a vpn directly from my network, that I access/find via my domain. This means I’m not dependent on a public service like tailscale, but can still add additional security to access private only services (stuff I don’t expose to the open internet)

Vegan_Joe@anarchist.nexus on 05 Jul 18:15 next collapse

As averse as I am to spending money on subscription services, having my own domain for less than 30 bucks a year might be worth it.

I think I’m going to try out the tailscale VPN route first before I fully warm up to buying a domain.

*Edit-You’ve definitely got me sold on getting a domain! Thank you so much for all the info!

Darkassassin07@lemmy.ca on 05 Jul 18:28 collapse

Glad I could help. I’m not always immediately available, but I don’t mind answering questions if you run into troubles. Just send me a DM and I’ll do what I can. :)

Rivalarrival@lemmy.today on 05 Jul 23:48 collapse

You don’t need a static IP, you just have to keep track of what your current dynamic IP is.

You still need a public IP address. More and more often, IPv4 services are provided behind CGNAT, which won’t be able to work as you describe.

If you don’t have a public IPv4 for your LAN you can use IPv6. Or, you can reverse proxy your services through a gateway with a public IPv4.

I use a a reverse proxy (Pangolin) running on a VPS. A Newt tunnel connects my LAN to to Pangolin, exposing my local services via subdomains.

/edit; vpns are good and all, but they require you to setup software on the remote device to connect to it, and that typically routes most if not all your traffic back to the vpn server then out to the internet. That can create speed/bandwidth issues.

Tailscale, ZeroTier, and other similar services generally establish direct tunnels between devices, without a separate VPN server. They use a central service merely as a sort of common meeting point (STUN/TURN) for the devices to figure out how to establish direct tunnel(s).

Darkassassin07@lemmy.ca on 06 Jul 00:13 collapse

Fair points.

I’ve been lucky enough to have never been behind cgnat, so I keep forgetting about it.


My bigger concern with tailscale is being required to install software on the client. Not every device I use, I have permission to install a vpn client, nor would I want to.

For example, I have a fileshare using Filebrowser where I store work related files that I don’t want to loose access to or need access to from multiple machines (non proprietary info, stuff IT/MGT wouldnt get mad at me for ofc. I’ve actually cleared it with my managers, so no worries). That’s also a handy way to (temporarily) share large files with people or provide a way for friends to upload large files to me.

I also like to access my emby server (using sufficiently limited accounts), from things like the TV in the work break room, or a friends PC while I’m visiting.

Tailscale is a hurdle that I just don’t need/want.

StarvingMartist@sh.itjust.works on 05 Jul 18:13 next collapse

I mean not for free, but I did it for cheap. A good domain can cost you $5 a year, and you simply route your jellyfin to a sublevel like watch.mydomain.com

Fun part is you can also route your sonarr like sonarr.mydomain.com

Vegan_Joe@anarchist.nexus on 05 Jul 18:16 collapse

Any suggestions on where to start when looking into buying and setting up a domain?

StarvingMartist@sh.itjust.works on 05 Jul 18:46 next collapse

I’d recommend buying a domain through Cloudflare. Once you have one, you can create subdomains and point them to services running on your home server. Cloudflare’s dashboard makes the DNS side pretty straightforward.

I mean I cheated and used chatgpt to help figure it out. But it’s more or less 3 programs max running on whatever server you’re using and using the cloudflare UI to redirect the traffic to the right place

StrawberryPigtails@discuss.tchncs.de on 05 Jul 18:53 next collapse

I’ve been with NameCheap for over a decade. They’re a relatively quiet company that’s been around a while.

They’ve never done anything to make me want to change providers. Have my email through them as well. Good uptime. Ok-ish prices. Good customer service the one time I’ve needed it. Web site takes some getting used to, but it’s also never changed since I started using them.

quick_snail@feddit.nl on 06 Jul 02:44 collapse

Only thing they did once was lock me out of my account with endless CAPTCHAs, even with 2FA enabled.

Eventually they fixed it

Blue_Morpho@lemmy.world on 05 Jul 19:18 collapse

A cheap way to start is noip.com. You can get a domain name for free, you just need to check in every 3 months to say you are still using it. It’s big enough that many routers support it.

After 2 years of checking in every 3 months I paid for their next tier of service where you don’t have to check in and get multiple domains etc. So their free service marketing worked.

rtxn@lemmy.world on 05 Jul 18:25 next collapse

As others have said, Tailscale is the most pragmatic solution. It’s a mesh VPN based on Wireguard. It’s implemented in such a way that you don’t need a static IP and don’t need to open any ports on your firewall. The caveat is that you either need to register an account on tailscale.com (it’s free for small-scale use) or set up a self-hosted alternative like Headscale on a VPS. Then you have to install the Tailscale client on each of the hosts you want to access and log into your account.

Tailscale nodes will be accessible using an internal, private address in the 100.64.0.0/10 address space. You can also set up a split DNS that allows you to access your hosts using a DNS name like hostname.your-tailnet-name.ts.net.

kokesh@lemmy.world on 05 Jul 18:26 next collapse

Domain and vps pointed to your ip. Or if behind cgnat reverse proxy to vps

Decronym@lemmy.decronym.xyz on 05 Jul 18:30 next collapse

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters More Letters
CGNAT Carrier-Grade NAT
DHCP Dynamic Host Configuration Protocol, automates assignment of IPs when connecting to a network
DNS Domain Name Service/System
ISP Internet Service Provider
NAT Network Address Translation
Plex Brand of media server package
SSO Single Sign-On
TLS Transport Layer Security, supersedes SSL
UDP User Datagram Protocol, for real-time communications
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)
nginx Popular HTTP server

[Thread #41 for this comm, first seen 5th Jul 2026, 18:30] [FAQ] [Full list] [Contact] [Source code]

Kolanaki@pawb.social on 05 Jul 18:53 next collapse

Used to have a tool specifically to route my dynamic IP to something static, without buying a domain name, back when I first hosted a website on my own regular home PC as a teen called “No-IP.”

Not sure if it’s still a thing.

purplemonkeymad@programming.dev on 05 Jul 19:03 collapse

Free ones are less common now (no-ip went paid.) Afraiddns is still free but requires regular account logins.

terrifyingtuba@lemmy.world on 05 Jul 18:53 next collapse

Personally I purchased a domain, and use Caddy for a reverse proxy. My ISP gives me a static IP for free, but I don’t think that makes a difference in this situation. Tailscale would be safer but requires more setup from friends. My friends seem to like how simple the setup is, and I also use requestrr so they can add movies/shows via a discord command.

Morgikan@fedia.io on 05 Jul 19:09 next collapse

If the goal is doing this in a simple fashion, then use Tailscale funnels (https://tailscale.com/docs/features/tailscale-funnel).
Funnels automate the process and act as a reverse proxy into specific servers within your tailnet.

The downside is there is no authentication to funnels, so whatever you're running (Jellyfin in this case so that's not an issue) needs it's own authentication setup. You might consider running fail2ban on that machine and have it watch for login attempts, but otherwise that is the simplest setup I think you could do.

[deleted] on 05 Jul 19:21 next collapse

.

scops@reddthat.com on 05 Jul 19:27 next collapse

Protip: Don’t fucking do this

[deleted] on 05 Jul 20:08 collapse

.

Vegan_Joe@anarchist.nexus on 05 Jul 20:34 next collapse

The responses I received were exponentially more helpful than scouring for the information myself (which I had done).

Everyone here had experience and expertise that I did not, and I had a working solution running on my computer within 10 minutes of asking.

Part of the purpose of a community like this is evident in posts like this.

Your response, though funny, is damaging to the community, and unhelpful at best.

I understand where you were coming from, but please don’t.

[deleted] on 05 Jul 20:44 collapse

.

[deleted] on 05 Jul 22:28 collapse

.

[deleted] on 05 Jul 23:36 collapse

.

[deleted] on 06 Jul 01:15 collapse

.

[deleted] on 06 Jul 02:27 collapse

.

[deleted] on 05 Jul 22:26 collapse

.

[deleted] on 05 Jul 23:30 collapse

.

[deleted] on 06 Jul 01:20 collapse

.

[deleted] on 06 Jul 02:58 collapse

.

[deleted] on 06 Jul 04:03 collapse

.

[deleted] on 06 Jul 04:32 collapse

.

Vegan_Joe@anarchist.nexus on 05 Jul 19:59 collapse

This is how I would have done it in 2001.

It is my understanding that the only reason to go this route in this day and age is if you prefer to survive off the tears of cybersecurity professionals.

GreenKnight23@lemmy.world on 05 Jul 20:12 collapse

who needs cybersecurity? nothing bad should happen.

<img alt="1000004275" src="https://lemmy.world/pictrs/image/426c23e7-b5f6-463d-a68c-30033ce991e0.jpeg">

nfms@lemmy.ml on 05 Jul 19:28 next collapse

This is how I started.
I have a dynamic IP and a router provided by my ISP. IP assignations, DHCP, are managed by the router. I went with DuckDNS for a free DNS service. Select a name and you get a myname.duckdns.org that you need to assign to your dynamic IP. duckdns has instructions to create a cronjob to update your dynamic IP on duckdns.org. (Routers come in all shapes and configs, chances are that this won’t work for most people) On the router, I assigned a static IP to the server hosting Jellyfin, in case of a reboot Jellyfin would always have the same IP. On the Ports page I opened up the default port for Jellyfin at that IP. I could then access Jellyfin outside of my local network using myname.duckdns.org:1234
This is not what I have right now, but it helped my get started.

awelo@tuiter.rocks on 05 Jul 19:31 next collapse

@Vegan_Joe
try tailscale

MasterOKhan@lemmy.ca on 05 Jul 20:06 collapse

I second this, if it’s only you that needs access then Tailscale will be all that you need. You can use Tailscale funnel if you want it to be available to the wider web, but then you have to manage SSL certificates and it is slightly less secure.

I would caution against port forwarding and leaving your server open to the wider web.

KairuByte@lemmy.dbzer0.com on 05 Jul 20:48 next collapse

Personally I didn’t want to have to hand out VPN credentials to everyone, so I went with a cloudflare tunnel with Authelia as the method of authentication.

irmadlad@lemmy.world on 05 Jul 20:56 collapse

+1 for Cloudflare Tunnels/Zero Trust. The free tier is more than generous for a homelab

gravediggersbiscuit@sh.itjust.works on 05 Jul 21:25 next collapse

Can I ask, how much of a limit does the free tier have on bandwidth if you’re doing something like hosting Jellyfin?

irmadlad@lemmy.world on 05 Jul 22:17 next collapse

On my mobile, but to give you an idea, I stream Navidrome probably 12-15 hours a day. I really don’t think they have a bandwidth limit per se, but when I get back to my desktop where I can actually see, lol, I can do some digging for you.

KairuByte@lemmy.dbzer0.com on 05 Jul 22:21 next collapse

My understanding is that there is no hard limit. At some point they will decide “this is business level traffic” at which point they will start harassing you to purchase a business plan.

That cutover point is unknown. I’ve never even seen an estimation of when it happens, so it could very well be the type of traffic instead of the amount.

They also only allow HTTP traffic for the free tier, which is another way they push you towards business tiers.

LincolnsDogFido@lemmy.zip on 06 Jul 05:12 collapse

They also only allow HTTP traffic for the free tier, which is another way they push you towards business tiers.

I don’t think that’s true. I’m pretty certain all of my domains are HTTPS only, but maybe that’s because I own the domain? Does cloudflare offer free domain names for tunneled traffic?

KairuByte@lemmy.dbzer0.com on 06 Jul 05:16 collapse

HTTPS traffic is still HTTP traffic. There’s just an encryption layer in there.

And yes cloudflare absolutely supports https.

LincolnsDogFido@lemmy.zip on 06 Jul 05:20 collapse

Okay. Carry on. I was thinking that you meant the free tier didn’t support HTTPS encrypted traffic. I didnt want someone to rule out that option based on a false assumption. Sorry for the confusion.

KairuByte@lemmy.dbzer0.com on 05 Jul 21:26 collapse

Not to mention, the amount of data you can run through it is nuts. I’ve been running Stremio web through it for months without issue to watch content at work.

irmadlad@lemmy.world on 05 Jul 23:51 next collapse

Yup. OP was asking about bandwidth caps, I haven’t experienced any, nor can I find any documentation to support bandwidth caps. I stream Navidrome around the house from the time I get up to the time I go to bed and it has worked flawlessly.

philanthropicoctopus@thelemmy.club on 06 Jul 07:45 collapse

is that against ToS? i want to do it but dont want to get banned

irmadlad@lemmy.world on 06 Jul 14:53 collapse

What are your concerns about Cloudflare and getting ‘banned’? There used to be a clause in the TOS that prohibited streaming video. However, as one user here has pointed out, that has been since superseded. Now, I’m not going to tell you that you can share your JF with 20 other users and not raise an eyebrow with Cloudflare. I don’t have a clue what they would do in that case. As far as streaming, I run Navidrome around the house from the time I get up in the morning, until I go to bed at night, and have had no issues. There also isn’t a bandwidth cap that I can find anywhere in Cloudflare’s documentation.

muusemuuse@sh.itjust.works on 05 Jul 21:21 next collapse

WireGuard

TrippinMallard@lemmy.ml on 05 Jul 21:47 next collapse

Netbird or tailscale

chellomere@lemmy.world on 05 Jul 22:20 next collapse

I use pangolin and subdomains on my domain. It works really well, and enables SSO login to all services on the network.

PeriodicallyPedantic@lemmy.ca on 06 Jul 07:18 collapse

I can’t get it working with the app unless I disable auth in pangolin, but it works beautifully with web

chellomere@lemmy.world on 06 Jul 07:24 collapse

Yeah, for certain apps you may need to do that. I’ve had to do that with Nextcloud and Linkwarden. But Immich will happily work with a shareable link.

PeriodicallyPedantic@lemmy.ca on 06 Jul 12:19 collapse

I actually commented a solution on a pangolin ticket, and they were like “good idea!” And implemented it, but then made it an enterprise only feature 😭

The_Zen_Cow_Says_Mu@infosec.pub on 05 Jul 22:27 next collapse

I’m currently testing out jellyfin. Have it through my reverse proxy and using the ldap authentication with authentik. Works fine and nice having two-factor authentication.

pHr34kY@lemmy.world on 05 Jul 22:33 next collapse

You can still just open it to the internet. Just do it on IPv6 instead. You won’t find it by scanning IP ranges like they do on IPv4. You’ll want to set up DNS for it though. Also get a free TLS cert from LetsEncrypt. It’s a bit of work initially.

frongt@lemmy.zip on 05 Jul 23:41 next collapse

Assuming their ISP and everything else supports ipv6. An even so it’ll still be visible through scanning, through brute force, or if anyone is reading cert transparency reports anf scanning the domains that show up.

quick_snail@feddit.nl on 06 Jul 02:40 collapse

This. Better to hide it on a non standard port of an existing domain

helix@feddit.org on 06 Jul 06:19 collapse

Or to not do security by obscurity at all.

mic_check_one_two@lemmy.dbzer0.com on 06 Jul 00:59 collapse

Was going to comment something along the lines of “Inb4 someone posts that obscurity will keep you secure” but here you are. No, you won’t be secure just because it’s on IPv6. And TLS certs are open to the public, (they literally have to be, since any device attempting to access your server needs to be able to validate the cert) so bots will scrape them and instantly have whatever you made it for. So it wouldn’t even keep you obscure.

bloogoose@lemmy.zip on 05 Jul 22:36 next collapse

Look into nginx proxy manager. Pretty easy to setup and deploy.

alexquiniou@lemmy.zip on 05 Jul 22:40 next collapse

I’m using wireguard with wg-easy. It’s a gui that let you easely setup wireguard. My isp is giving a fixed ipv4. So i don’t have to think about dns or other complicated things. I have Jellyfin and wg-easy installed on truenas as docker apps.

There are official app for any os you want.

www.wireguard.com/install/

uuj8za@piefed.social on 05 Jul 23:12 next collapse

https://netbird.io/ for your own private network of trusted devices, it’s free and doesn’t require a separate Big Tech account to use (unlike Tailscale)

And then if you want to share Jellyfin with someone who isn’t in your Netbird network… believe it or not, also Netbird

https://docs.netbird.io/manage/reverse-proxy

Lumisal@lemmy.world on 06 Jul 07:40 next collapse

Does it work with a reverse proxy?

uthredii@programming.dev on 06 Jul 07:58 collapse

It has functionality to let you set up a reverse proxy (in beta). But you can access all your services by using the zero trust vpn

Lumisal@lemmy.world on 06 Jul 08:11 collapse

Nice! Maybe I’ll try the beta. Been wanting to tinker around with my set up recently

philanthropicoctopus@thelemmy.club on 06 Jul 07:46 next collapse

is this much different than nginx?

uthredii@programming.dev on 06 Jul 07:56 collapse

Yes, it is easier and safer for someone who doesn’t know what they are doing to set up.

HereIAm@lemmy.world on 06 Jul 08:13 next collapse

Tailscale has an option for OIDC. That should be avoiding the tech mafia enough no?

bmcgonag@lemmy.world on 06 Jul 14:54 collapse

This

Croquette@sh.itjust.works on 05 Jul 23:19 next collapse

I have setup NetBird with Authentik. Netbird is on a VPS and authentik on my home server.

NetBird allows to expose a service through a subdomain. Or you can use the netbird client as a VPN and allow peer to peer connection.

ohshit604@sh.itjust.works on 06 Jul 00:41 next collapse

Device -> VPN Tunnel (ideally WireGuard) -> Home Router / Server.

The only port that needs to be opened is your WireGuard server which typically is :51820.

The issue with this is you have explain VPN’s and WireGuard to people which, in my experience turns people away as they see it as a hassle.

Alternatively buy a domain, setup DDNS so that your home IP is associated with your domain, setup a reverse proxy and open port :443 on your router however, I would suggest a blacklist-first approach and only whitelist the few known IP’s you can trust.

FlexibleToast@lemmy.world on 06 Jul 01:13 next collapse

Free vps in oracle cloud with Pangolin. Never have to worry about explaining VPNs.

ohshit604@sh.itjust.works on 06 Jul 02:23 collapse

Free vps in oracle cloud with Pangolin

If I’m not mistaken I tried setting up pangolin to work along side my already running Traefik setup and it was just an absolute nightmare.

I just don’t have the time nor energy to reinvent my already running configuration.

FlexibleToast@lemmy.world on 06 Jul 03:27 collapse

I’ve set it up next to my NPM and it’s more complicated, but so much more capable. Traefik is what it uses to proxy things. You’re comparing a full suite of tools with just one piece.

ohshit604@sh.itjust.works on 06 Jul 04:47 collapse

Traefik is what it uses to proxy things. You’re comparing a full suite of tools with just one piece.

I mean, that’s debatable. Taking a look at their docker-compose.yml there are 3 containers they recommend running, with a 4 optional container.

  • image: docker.io/fosrl/pangolin:latest # Pangolin itself
  • image: docker.io/fosrl/gerbil:latest # WireGuard server
  • image: docker.io/traefik:v3.6 # Traefik Reverse Proxy
  • image: hhftechnology/middleware-manager:latest # Optional middleware manager for Traefik

To say this is a “full-suite” is a bit much when majority of the heavy lifting is done by Traefik, the middleware’s you assign to Traefik and WireGuard. Pangolin if I’m reading this correctly;

“Pangolin combines reverse proxy and VPN capabilities into one platform.”

Which is great! However as I mentioned previously, does not integrate well when these services are already setup to work standalone.

I suspect the same reaction from folks when they hear “download pangolin from the App Store, and use xyz credentials to connect.” And “download WireGuard from the App Store, and use xyz file to connect.”

FlexibleToast@lemmy.world on 06 Jul 12:15 collapse

Pangolin uses gerbil with newt for those wireguard tunnels. That’s a massive improvement already. It also adds a bunch more features like vpn, you can crowdsec, and more that I don’t use. To say it’s debatable if it’s a suite of tools is just wrong.

ohshit604@sh.itjust.works on 06 Jul 16:19 collapse

To say it’s debatable if it’s a suite of tools is just wrong.

How is it wrong to say it is debatable when Traefik and WireGuard have quite literally done majority of the development. Pangolin is just a man in the middle.


Pangolin uses gerbil with newt for those wireguard tunnels. That’s a massive improvement already. It also adds a bunch more features like vpn.

According to the Newt ReadMe -

Newt is a fully user space WireGuard tunnel client and TCP/UDP proxy, designed to securely expose private resources controlled by Pangolin. By using Newt, you don’t need to manage complex WireGuard tunnels and NATing.

Seems to me that WireGuard is their primary dependency, without WireGuard what use is it?


you can crowdsec

According to Pangolin docs they rely on the Crowdsec middleware offered by Traefik.

By default, Crowdsec is installed with a basic configuration, which includes the Crowdsec Bouncer Traefik plugin

dogs0n@sh.itjust.works on 06 Jul 02:55 next collapse

People’s IP addresses usually change so that might be annoying keeping a whitelist up to date.

A good alternative is something like fail2ban to ban ip addresses that spam your server looking for a way in and potentially geo-restricting access to your country.

ridethisbike@lemmy.dbzer0.com on 06 Jul 04:05 collapse

I did the last one. Bought a domain for $5 per year from cloudflare and used a cloudflared tunnel to direct traffic to Caddy (reverse proxy). Set up everything as deny-by-default, requiring log in to access things like sonarr, and let things like Jellyfin and Immich bypass the login requirement. Took a bit to get it all figured out, but it worked.

There is also a way to use the cloudflared tunnel for free that gives you a domain as well (sort of anyways).

All of that is run via docker containers, minus the

Documentation on all of this is fragmented and a challenge to figure out. Happy to help anyone who wants to message me about it.

I took this a step further as I use a wireguard tunnel to make use of my router level ad blocking. So I added an entry for my domain to route back to caddy and serve it all locally. This is proving to be a challenge due to the way some browsers handle forced https, but I’m making due.

ohshit604@sh.itjust.works on 06 Jul 04:27 collapse

and used a cloudflared tunnel to direct traffic to Caddy

There is also a way to use the cloudflared tunnel for free that gives you a domain as well (sort of anyways).

This is DDNS, a popular, free alternative would be ddclient. Essentially updating an A Record so that your dynamic IP is remains associated with your domain.

While cloudflare is also my registrar as well, I don’t use any of the “features” they offer, and opted to use Keycloak for my authentication needs.

ridethisbike@lemmy.dbzer0.com on 06 Jul 04:47 collapse

I’ve debated setting up Authelia or something similar because cloudflare is sooo slow to load their login page, but haven’t landed on anything yet… Plus I worry I set something up wrong and expose my network

ohshit604@sh.itjust.works on 06 Jul 04:58 collapse

I can’t be much of a help with Caddy however, for Traefik you can use the OIDC Middleware to forward requests to your authentication service.

Plus I worry I set something up wrong and expose my network

The only port that would need opening is :443, leave port :80 closed so that people cannot connect to your services insecurely. Slap fail2ban or geoblock on it and call it a day. Also, DDNS allowlist for that deny-first approach.

ridethisbike@lemmy.dbzer0.com on 06 Jul 05:45 collapse

The current config routes through the cloudflared tunnel so no ports are open externally at the moment, so that’s nice, but yea, I’d have to imagine there’s some documentation out there for caddy.

Caddy has been a pain, though, so I might give one of the others a try. Thanks for the tips!

quick_snail@feddit.nl on 06 Jul 02:38 next collapse

Not securely

quick_snail@feddit.nl on 06 Jul 02:41 next collapse

Consider a Tor Onion Service with client side certs for auth

dogs0n@sh.itjust.works on 06 Jul 02:52 collapse

Not 100% sure what you mean, but if you’re suggesting making it accessible publicly only through tor, that’s a bad idea (not to mention the people running tor don’t recommend streaming video through it).

quick_snail@feddit.nl on 06 Jul 03:07 collapse

Tor is extremely secure. Onion Services let you auth clients with a certificate. See also how Onion Share works.

Also I don’t think Tor etiquette says not to stream video. It says not to torrent.

dogs0n@sh.itjust.works on 06 Jul 04:07 next collapse

Hm I could be wrong on the streaming videos etiquette, I can’t remember nor can I find where I originally heard that from.

Still think it’s a bad idea though. As another reason: Won’t you have an awfully slow connection to your server (tor is already slow just to access a plain html website)?

quick_snail@feddit.nl on 06 Jul 05:19 collapse

Nah, Tor works great. But I only stream in 1080

helix@feddit.org on 06 Jul 06:18 collapse

Streaming videos puts a huge burden on the TOR network. Please don’t do it if you don’t need to, setting up a VPN is faster and doesn’t slow TOR down.

quick_snail@feddit.nl on 06 Jul 14:02 collapse

Link?

helix@feddit.org on 06 Jul 16:32 collapse

Here, a random link explaining why using bandwidth for no reason while people provide it to you for free might be ethically questionable

tor.stackexchange.com/…/tor-streaming-videos-is-i…

Should I explain it further?

quick_snail@feddit.nl on 06 Jul 16:38 collapse

I was looking for something from torproject.org. an official source.

xavier666@lemmy.umucat.day on 06 Jul 07:56 next collapse

wanted a free solution

ends up buying a domain

Welcome to the club, buddy!

pineapple@lemmy.ml on 06 Jul 08:12 collapse

Cheap domains are basically free though so it doesn’t count!

keenwillow12451@lemmy.1095.me on 06 Jul 12:01 next collapse

@Vegan_Joe — if you’re still stuck, try this: install Tailscale → join your tailnet → expose Jellyfin container port 8096 as 443. That’s it. No nginx, no static IP hunting. I wrote a 3-command cheatsheet here cxgo.ai/l/5bwrT9m that I wish existed when I started fumbling with docker-compose overrides. Works on a $20 raspberry pi and a 2014 Mac mini, so your hardware shouldn’t matter.

paultimate14@lemmy.world on 06 Jul 12:39 collapse

I ended up using duckdns for a free domain. It sucks that I had to tie it to a google account, and maybe one day this might be an area where I buy a proper domain instead.

I have a glinet Flint3 router that makes it easy to spin up Wireguard servers on it. It was a bit more finnicky, but eventually I was able to get into the advanced settings and configure the router to sync the dynamic IP with DuckDNS too.

So I have Wireguard on my phone and my wife’s phone. We have one pair of close friends who have a connection on their router too (and vice-versa) and their own Jellyfin server.