I am making this post in good faith
In my last post I asked about securely hosting Jellyfin given my specific setup. A lot of people misunderstood my situation, which caused the whole thread to turn into a mess, and I didn’t get the help I needed.
I am very new to selfhosting, which means I don’t know everything. Instead of telling me that I don’t know something, please help me learn and understand. I am here asking for help, even if I am not very good at it, which I apologize for.
With that said, let me re-outline my situation:
I use my ISP’s default router, and the router is owned by Amazon. I am not the one managing the router, so I have no control over it. That alone means I have significant reason not to trust my own home network, and it means I employ the use of ProtonVPN to hide my traffic from my ISP and I require the use of encryption even over the LAN for privacy reasons. That is my threat model, so please respect that, even if you don’t agree with it. If you don’t agree with it, and don’t have any help to give, please bring your knowledge elsewhere, as your assistance is not required here. Thank you for being respectful!
Due to financial reasons, I can only use the free tier of ProtonVPN, and I want to avoid costs where I can. That means I can only host on the hardware I have, which is a Raspberry Pi 5, and I want to avoid the cost of buying a domain or using a third party provider.
I want to access Jellyfin from multiple devices, such as my phone, laptop, and computer, which means I’m not going to host Jellyfin on-device. I have to host it on a server, which is, in this case, the Raspberry Pi.
With that, I already have a plan for protecting the server itself, which I outlined in the other post, by installing securecore on it. Securing the server is a different project, and not what I am asking for help for here.
I want help encrypting the Jellyfin traffic in transit. Since I always have ProtonVPN enabled, and Android devices only have one VPN slot enabled, I cannot use something such as Tailscale for encryption. There is some hope in doing some manual ProtonVPN configurations, but I don’t know how that would work, so someone may be able to help with that.
All Jellyfin clients I have used (on Linux and Android) do not accept self-signed certificates. You can test this yourself by configuring Jellyfin to only accept HTTPS requests, using a self-signed certificate (without a domain), and trying to access Jellyfin from a client. This is a known limitation. I wouldn’t want to use self-signed certificates anyways, since an unknown intruder on the network could perform a MITM attack to decrypt traffic (or the router itself, however unlikely).
Even if I don’t trust my network, I can still verify the security and authenticity of the software I use in many, many ways. This is not the topic of this post, but I am mentioning it just in case.
Finally, I want to mention that ProtonVPN in its free tier does not allow LAN connections. The only other VPN providers I would consider are Mullvad VPN or IVPN, both of which are paid. I don’t intend to get rid of ProtonVPN, and again that is not the topic of this post.
Please keep things on-topic, and be respectful. Again, I am here to learn, which is why I am asking for help. I don’t know everything, so please keep that in mind. What are my options for encrypting Jellyfin traffic in transit, while prioritizing privacy and security?
A lot of people have suggested Tailscale and it’s basically the perfect solution to all your requirements.
You keep saying you need ProtonVPN which means you can’t use Tailscale, but Tailscale actually supports setting up an exit node which is what you need. Put Protonvpn on the Raspberry Pi, then set it up as an exit node for your tailnet. There’s a lot of people talking about how they did this online. It looks like they even have native support for bypassing the manual setup if you use Mullvad.
As long as every client has the ability to use Tailscale (i.e. no weird TVs or anything) this seems like it checks all your boxes. And since everything is E2EE from Tailscale, TLS is redundant and you can just use HTTP.
I’ll just add my 2¢
Tailscale is incredibly powerful and they do a lot of work to make their systems intelligible, but the learning curve is still pretty steep. But still a great option.
One thing that I do, though it may not be as secure as a reverse proxy is just using tailscale funnel to expose my jellyfin instance.
I’d like to learn a self-hosted SSO but time is my least abundant resource at the moment.
How about creating your own LAN within the untrusted network?
Something like an inexpensive OpenWRT router would do fine. Connect all your devices and the server to the router. They are now on a trusted network. Set up Wireguard on the OpenWRT router to connect to Proton so that your outbound traffic from all your devices is secured.
I work for an ISP, and this is a common practice among my peers
I was looking for this. OP seems to be obsessed with “zero trust”, so creating a trusted area for this stuff would be an easy win.
I have done this before as well when living in a dorm where the wifi was shit, so I did my own little setup in my room so I could stream to Chromecast etc. on my own trusted LAN. Get a small router with support for WireGuard VPN (I love MikroTik for this) and you have an easy way to tunnel out for all your devices.
Hey, this is off topic from the original post but could you tell me what device specifically you have used?
I am going to be moving into a dorm soon and was looking to set up my own VLAN or whatever you need for a private network because I don’t want to mess with the dorm router. I had a look at a Mikrotik switch (CRS310) but was unsure whether the fan noise would be too loud if I am staying in the same room and, more importantly, whether this even allows me to do what I want to do.
Edit: I misused the word dorm. It is a shared apartment rented with a couple of other students.
It can be a good idea to mentally separate your router needs from your 2.5G speed and WiFi needs; they don’t have to live on the same device. For your private LAN you need a router so you can hide and control your devices behind NAT and a firewall. For that I’d just recommend one of the small hAP or hAX devices that suits your needs for routing and/or WiFi. If you want to be fancy the RB9005U could maybe work with your switching need as well.
You don’t need a VLAN. I believe it is not what you think it is. A VLAN is for when you want to segregate your own LAN into different independent LANs with various firewall rules.
All you need for your dorm is NAT. But for the love of god make sure that you don’t connect your LAN with the dorm LAN, or your DHCP server will start handing out IPs to everyone else in your dorm and it will crash the dorm router. The ethernet jack in the wall of your dorm (I assume that’s how it works for you) needs to go to the WAN port of the router. But bear in mind that on MikroTik you can configure the WAN port to be any physical port you want; with the default config it is port 1.
I may have misused the word dorm. It is a shared apartment rented with a couple of other students.
My goal is basically to set up a private network inside the network used by the other people I share the apartment with so I can tinker with stuff like setting my own DNS server up for the network without possibly impacting the other people in case of failure. My naive impression was that I would need to use a VLAN to accomplish that.
In regards to your idea of using multiple devices I kind of agree but I want to keep the initial cost and energy usage low for now which is why I am trying to find a device I can use for this but also reuse in the future for something else if I want to upgrade (or just retire it without too much sunk cost).
Hi again.
How about the following idea:
Set up ProtonVPN on the raspberry pi.
On all other devices (or at least those you want to use Jellyfin on), switch from using Proton to using Wireguard. Unlike your phone, the raspberry pi has no trouble running multiple VPNs. I think the ProtonVPN limitations in regard to not allowing split tunneling don’t apply here, since all outgoing traffic will still go via Proton.
Essentially, the Pi would function as a proxy for all of your traffic, “and also” host Jellyfin. You would still connect to http://192.168.20.10:8096/ (or whatever) on your devices, but that address would only resolve to anything when you are connected to the pi via Wireguard. No HTTPs, but “HTTP over Wireguard”, if you will.
Note that this requires you trusting the pi to the same degree that you trust your phone.
For your static devices (PC, TV) this should solve the problem. Devices which you take with you, like your phone, unfortunately will lose internet connectivity when you leave your home until you switch off Wireguard and switch on Proton, and will not be able to connect to Jellyfin when you return home until you switch them back.
Essentially, you would have a “home” VPN and an “on the go” VPN, though you never need to connect to both. There might be ways to automate this based on WiFi SSID on Android, but I have not looked into it.
The Pros:
- this should meet all your requirements. No additional expenses, no domain, no dynDNS; no self-signed certificate or custom CA; traffic is never unencrypted; works on all common devices.
- Wireguard is sufficiently lightweight to not bog down the pi, normally
- this is actually well within the intended use-cases for Wireguard, so no “black magic” required in configuring it
- if you ever do decide to get a domain, you can configure everything to always be connected to your pi via Wireguard, even on the go! Not required though.
The Cons:
- when you are new to selfhosting, Wireguard is a bit daunting to set up. It is not the easiest to debug (don’t worry, it’s easy to tell IF it is working, but not always WHY it isn’t working). Some manual route handling is probably also required on the pi. It should definitely be doable though, but might turn this Jellyfin thing from a weekend project to a 2 week project…
- I have no experience with how well the pi runs Jellyfin. If the answer is “barely”, then adding multiple concurrent Wireguard sessions might be a bad experience. Though in this case, you could only switch Proton to Wireguard whenever you want to watch Jellyfin.
- the manual switching might be annoying, but that is the price to pay here, so to speak
Edit: someone else already mentioned setting up your own trusted network with a second router. IMO that is the better, more hassle-free option IF you are willing to shell out the money. My suggestion is the “free” version of that, essentially 😄
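What the “HTTP over Wireguard” setup described above could look like in WireGuard’s own config format, as an added example (not posted by anyone in this thread). Assumed, not from the thread: the 10.8.0.0/24 tunnel subnet, a Proton tunnel interface on the Pi named proton0, and placeholder keys; 192.168.20.10 is the example LAN address used above.

```ini
# /etc/wireguard/wg0.conf on the Pi: the "home" VPN the phone/laptop connect to.
# Assumptions (not from the thread): tunnel subnet 10.8.0.0/24, the Pi's
# ProtonVPN tunnel interface is named proton0, keys are placeholders.
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <PI_PRIVATE_KEY>
# Route what the clients send through the Proton tunnel and NAT it, so the Pi
# (not each device) is what Proton sees. This is the "manual route handling".
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i wg0 -o proton0 -j ACCEPT
PostUp = iptables -A FORWARD -i proton0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anything from a client that would leave by another path (LAN, other peers,
# or eth0 while Proton is down) is dropped, so the clients never leak plaintext.
PostUp = iptables -A FORWARD -i wg0 ! -o proton0 -j DROP
PostUp = iptables -t nat -A POSTROUTING -o proton0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -o proton0 -j ACCEPT
PostDown = iptables -D FORWARD -i proton0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 ! -o proton0 -j DROP
PostDown = iptables -t nat -D POSTROUTING -o proton0 -j MASQUERADE

# One [Peer] per device. AllowedIPs is that device's single tunnel address, so
# the Pi only ever sends replies to a peer and never initiates anything, and
# peers cannot reach each other: a client/server shape rather than a mesh.
[Peer]
# phone
PublicKey = <PHONE_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32

[Peer]
# laptop
PublicKey = <LAPTOP_PUBLIC_KEY>
AllowedIPs = 10.8.0.3/32

# ---- phone's tunnel config (import into the WireGuard app; one per device) ----
[Interface]
Address = 10.8.0.2/32
PrivateKey = <PHONE_PRIVATE_KEY>
# Resolver reachable through the tunnel; the Proton config on the Pi lists one.
DNS = <DNS_ADDRESS_FROM_PROTON_CONFIG>

[Peer]
PublicKey = <PI_PUBLIC_KEY>
# The Pi's LAN address (the example used above); only reachable while at home.
Endpoint = 192.168.20.10:51820
# 0.0.0.0/0 sends every packet into the tunnel: Jellyfin is reached at
# http://10.8.0.1:8096/ and everything else leaves the Pi via Proton.
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```

Point the Jellyfin clients at the tunnel address 10.8.0.1 rather than 192.168.20.10: with wg-quick’s default policy rules a directly connected LAN route takes precedence over the tunnel’s default route, so the LAN address could be reached in the clear.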
Hi again.
Hi there!
Set up ProtonVPN on the raspberry pi.
I’m actually surprised nobody suggested simply using the Pi with OpenWrt as my own router. Though, that would make it hard to host Jellyfin.
Note that this requires you trusting the pi to the same degree that you trust your phone.
For the most part, I trust the security of my Pi. I can hold it in my hand and see every line of code, after all!
Devices which you take with you, like your phone, unfortunately will lose internet connectivity when you leave your home until you switch off Wireguard and switch on Proton, and will not be able to connect to Jellyfin when you return home until you switch them back.
I plan to post a tutorial about how to securely host Jellyfin. Another user gave a solution to this problem that I absolutely love, and I’ll showcase it there. I don’t want to spoil it :)
Could you explain Wireguard vs. Tailscale in this scenario?
Thank you all so much for your help! This is likely the solution I will go with, combined with another one, so again thank you so much!
P.S. I don’t care if you wrap an ethernet cord around her finger, get going!
I’m actually surprised nobody suggested simply using the Pi with OpenWrt as my own router. Though, that would make it hard to host Jellyfin.
A brief internet search shows that surprisingly, hosting Jellyfin on OpenWRT should work… No idea how well though. Come to think of it, having OpenWRT on the pi might make it a lot easier to configure, with graphical settings available and so on.
Could you explain Wireguard vs. Tailscale in this scenario?
I’ve never used tailscale, I’m afraid. Normally I would say: just use whatever seems easier to set up on your device/network; however, note that tailscale needs a “coordinate server”. No actual traffic ever goes through it, it just facilitates key exchanges and the like (from what I understand), but regardless, it’s a server outside your control which is involved in some way. You can selfhost this server, but that is additional work, of course…
Thank you all so much for your help! This is likely the solution I will go with, combined with another one, so again thank you so much!
Glad I could help, after being so unhelpful yesterday :)
P.S. I don’t care if you wrap an ethernet cord around her finger, get going!
Eh… Marriage is not really common in either of our families. We agreed to go sign the papers if there ever is a tax reason, lol. Sorry if that’s a bit unromantic :D Nice rings though ^^
A brief internet search shows that surprisingly, hosting Jellyfin on OpenWRT should work…
I still find it hilarious that since dd-wrt and OpenWrt are just… Linux, you could install Super Mario Bros on there. I checked, nobody seems to have tried.
I’ve never used tailscale, I’m afraid. Normally I would say: just use whatever seems easier to set up on your device/network; however, note that tailscale needs a “coordinate server”. No actual traffic ever goes through it, it just facilitates key exchanges and the like (from what I understand), but regardless, it’s a server outside your control which is involved in some way. You can selfhost this server, but that is additional work, of course…
Ah, that makes sense. Is Wireguard P2P?
Glad I could help, after being so unhelpful yesterday :)
Don’t beat yourself up, you were fine. Because I’m big on privacy, when I ask for help I have a bad habit of leaving out the “why” behind my choices, so it’s understandable that people weren’t happy with what I needed.
Eh… Marriage is not really common in either of our families. We agreed to go sign the papers if there ever is a tax reason, lol. Sorry if that’s a bit unromantic :D Nice rings though ^^
I need to go make a petition to raise taxes then! /s
You both are perfect for each other, so don’t screw it up!
I still find it hilarious that since dd-wrt and OpenWrt are just… Linux, you could install Super Mario Bros on there. I checked, nobody seems to have tried.
Oh, definitely, but there are varying degrees of difficulty, esp. with what kinds of packages / package management you have available :D
Ah, that makes sense. Is Wireguard P2P?
Yes, in the sense that each node/device is a peer. But the way I’d suggest you configure it in your case is more akin to a client/server setup - your devices forward all traffic to the “server”, but it never takes initiative to talk “back” to them, and they do not attempt to communicate with each other. Unless you have a separate usecase for that, of course.
You both are perfect for each other, so don’t screw it up!
❤️
Closing in on 8 years
Tailscale is just a bunch of extra fancy stuff on top of Wireguard. If you don’t need the fancy stuff, using raw Wireguard can be more lightweight, but might require more networking knowledge.
The biggest thing Tailscale brings to the table is NAT traversal. On top of that it uses direct Wireguard tunnels as necessary instead of creating a mesh like you usually would if you were using raw Wireguard. It also offers convenient bits of sugar like internal DNS, and it handles key exchanges for you, so it’s just generally easier to configure. When you do raw Wireguard you’re doing all the config yourself, which could be a pro or a con depending on your needs—and you’ll be editing config files, unlike Tailscale which has a GUI for most things. It also supports some more detailed security options like ACLs and I think SSO, while Wireguard is reliant on your existing firewall for that.
Here’s what Tailscale has to say about it: https://tailscale.com/compare/wireguard
I’ve messed around with Tailscale myself, but ultimately settled on running Wireguard. The reason I do that though is because I trust my LAN, and I only run Wireguard at the edge. Tailscale really wants to be run on every node, which in turn is something that raw Wireguard theoretically can do but would be onerous to maintain. If I didn’t trust my LAN, I’d probably switch to Tailscale.
ProtonVPN in its free tier does not allow LAN connections
This is the limiting factor. In order to get around this, you’ll have to put your Jellyfin server on the Internet. Hopefully you can enable port forwarding. If not, you have painted yourself into a corner.
If you cannot use self-signed or internal CA certs, you will also need a domain name, and something like Let’s Encrypt to issue certs for that domain.
you’ll have to put your Jellyfin server on the Internet.
Don’t.
Do. And make sure your logs are piped through fail2ban.
All of these “vulnerabilities” require already having knowledge of the ItemIDs, and anyone without it poking around will get banned.
The rest of them require a user be authenticated, but allows horizontal information gathering. These are not RCEs or anything serious. The ones which allowed cross-user information editing have been fixed.
Don’t. OP already said in the previous post that they only need Jellyfin access within their home. The Principle of Least Privilege tilts in favor of keeping Jellyfin off the public Internet. Even if Jellyfin were flawless – and no program is – the only benefit that accrues to OP is that the free tier of ProtonVPN can access Jellyfin.
Opening a large attack surface for such a modest benefit is letting the tail wag the dog. It’s adding a kludge to workaround a different kludge, the latter being ProtonVPN’s very weird paid tier.
All of these “vulnerabilities” require already having knowledge of the ItemIDs, and anyone without it poking around will get banned.
Which are simply MD5 hashes… You can precompile (rainbow tables) those. The “knowledge” here to get a valid video stream is “What path is the file on” which is pretty standardized. This is a good way to have a major movie studio’s process server knocking on your door.
And again - if you put those behind a fail2ban; and you 404 5x in an hour, which is likely - you’ve solved that issue. Had my jellyfin instance publicly available for 2 years on its own VM with passthrough GPU, and haven’t had any issues. People poke around quite often, and get blackholed via the firewall for 30d.
It wouldn’t stop a dedicated attacker, but I doubt anyone’s threat model here is that intense. Most compromised servers happen from automated attacks probing for vulnerabilities in order to get RCE; not probing for what movies you have – Because having movies on a media server doesn’t prove that you didn’t rip them all off of blu-ray…it just means you have movies.
You’re not going to have 100% privacy when you put up ANY service on your network. Everything leaves a trace somehow; but I’m starting to think half of you are Chinese spies or something with the amount of paranoia people here show sometimes. :P
Yeah, you shouldn’t, but OP seems determined to hamstring themselves and do everything as convoluted as possible.
Yeah, this whole thread feels like a “but I can’t do that, work around it for me”