this post was submitted on 09 Apr 2025
47 points (77.6% liked)

Selfhosted

Please take this discussion to this post: https://lemmy.ml/post/28376589

Selfhosting is always a dilemma in terms of security for a lot of reasons. Nevertheless, I have one simple goal: selfhost a Jellyfin instance in the most secure way possible. I don't plan to access it anywhere but home.

TL;DR

I want the highest degree of security possible, but my hard limits are:

  • No custom DNS
  • Always-on VPN
  • No self-signed certificates (unless there is no risk of MITM)
  • No external server

Full explanation

I want to be able to access it from multiple devices, so it can't be a local-only instance.

I have a Raspberry Pi 5 that I want to host it on. That means I will not be hosting it on an external server, and I will only be able to run something light like securecore rather than something heavy like Qubes OS. Eventually I would like to use GrapheneOS to host it, once Android's virtual machine management app becomes more stable.

It's still crazy to me that 2TB microSDXC cards are a real thing.

I would like to avoid subscription costs such as the cost of buying a domain or the cost of paying for a VPN, however I prioritize security over cost. It is truly annoying that Jellyfin clients seldom support self-signed certificates, meaning the only way to get proper E2EE is by buying a domain and using a certificate authority. I wouldn't want to use a self-signed certificate anyways, due to the risk of MITM attacks. I am a penetration tester, so I have tested attacks by injecting malicious certificates before. It is possible to add self-signed certificates as trusted certificates for each system, but I haven't been able to get that to work since it seems clients don't trust them anyways.

Buying a domain also runs many privacy risks, since it's difficult to buy domains without handing over personal information. I do not want to change my DNS, since that risks browser fingerprinting if it differs from the VPN provider. I always use a VPN (currently ProtonVPN) for my devices.

If I pay for ProtonVPN (or other providers) it is possible to allow LAN connections, which would help significantly, but the issue of self-signed certificates still lingers.

With that said, it seems my options are very limited.

50 comments
[–] [email protected] 1 points 1 month ago* (last edited 1 month ago)

How i do it:

  • Wireguard for VPN endpoint on the pi and device that I have root on, secure, fast to setup and doesn't add a lot of overhead

  • For access outside of VPN:

You might have to pay for a domain name if you don't have a static IP, which is relatively cheap.

You can manually allow trusted IPs to access the service in your firewall, which nullifies the attack surface if done perfectly but is really a hassle to set up and maintain. I'm looking to set up Keycloak for a strong pre-auth that I can share between services and that is also lightweight (Authentik is not lightweight, Authelia seems to be; I'd like to try it as well). This coupled with firewall rules and/or a fail2ban-like service should be more than enough for a private server I think.
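
Added example, not from the comment above or from any project: what the "WireGuard endpoint on the Pi plus trusted IPs in the firewall" setup looks like as actual files. The script emits the Pi's wg0.conf, a phone peer config that routes only the tunnel subnet, and an nftables input policy that defaults to drop and admits Jellyfin's TCP 8096 only from the wg0 interface or from one allow-listed LAN address. The subnets, the trusted host 192.168.1.50, the port numbers and the key placeholders are assumptions for this example; real keys come from wg genkey.

```shell
#!/bin/sh
# Added example (not from the thread): WireGuard on the Pi as the only way in, plus an
# nftables input policy that lets Jellyfin (TCP 8096) be reached only through the tunnel
# or from one allow-listed LAN host. Addresses and ports below are assumptions.

WG_PORT=51820
JELLYFIN_PORT=8096
WG_NET="10.8.0.0/24"          # tunnel subnet; must not overlap the LAN or any other VPN
PI_WG_ADDR="10.8.0.1/24"
PHONE_WG_ADDR="10.8.0.2/32"
TRUSTED_LAN_IP="192.168.1.50" # the one LAN host allowed to reach Jellyfin without the tunnel

# wg_keypair: print "<private> <public>" using the wg tool (needs wireguard-tools)
wg_keypair() {
  command -v wg >/dev/null 2>&1 || { echo "wg not installed" >&2; return 1; }
  priv=$(wg genkey)
  printf '%s %s\n' "$priv" "$(printf '%s' "$priv" | wg pubkey)"
}

# wg_server_conf SERVER_PRIVKEY PHONE_PUBKEY  -> /etc/wireguard/wg0.conf on the Pi
wg_server_conf() {
  cat <<EOF
[Interface]
Address = ${PI_WG_ADDR}
ListenPort = ${WG_PORT}
PrivateKey = $1

[Peer]
# phone; only its tunnel address is accepted from this key
PublicKey = $2
AllowedIPs = ${PHONE_WG_ADDR}
EOF
}

# wg_phone_conf PHONE_PRIVKEY SERVER_PUBKEY ENDPOINT  -> imported into the phone's WireGuard app
wg_phone_conf() {
  cat <<EOF
[Interface]
Address = ${PHONE_WG_ADDR}
PrivateKey = $1

[Peer]
PublicKey = $2
Endpoint = $3:${WG_PORT}
# split tunnel: only the WireGuard subnet is routed through the Pi
AllowedIPs = ${WG_NET}
PersistentKeepalive = 25
EOF
}

# nft_ruleset -> apply with: nft_ruleset | nft -f -
nft_ruleset() {
  cat <<EOF
table inet jellyfin_guard {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state invalid drop
    ct state established,related accept
    iif lo accept
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept
    udp sport 67 udp dport 68 accept comment "DHCP lease renewals"
    udp dport ${WG_PORT} accept comment "WireGuard handshakes; every other service stays closed"
    iifname "wg0" tcp dport ${JELLYFIN_PORT} accept comment "Jellyfin through the tunnel"
    ip saddr ${TRUSTED_LAN_IP} tcp dport ${JELLYFIN_PORT} accept comment "one trusted LAN host"
    ip saddr ${TRUSTED_LAN_IP} tcp dport 22 accept comment "SSH from the trusted host only"
  }
}
EOF
}

# Usage: sh wg-jellyfin.sh OUTDIR PUBLIC_HOSTNAME
# writes wg0.conf (Pi), phone.conf (phone) and jellyfin.nft (firewall) into OUTDIR
if [ $# -ge 2 ]; then
  outdir=$1; endpoint=$2
  mkdir -p "$outdir"
  pi=$(wg_keypair) || exit 1
  phone=$(wg_keypair) || exit 1
  wg_server_conf "${pi% *}" "${phone#* }" > "$outdir/wg0.conf"
  wg_phone_conf "${phone% *}" "${pi#* }" "$endpoint" > "$outdir/phone.conf"
  nft_ruleset > "$outdir/jellyfin.nft"
  chmod 600 "$outdir"/*.conf
fi
```

Load the ruleset with nft -f jellyfin.nft only after confirming the trusted address is the one you are currently connected from, or the SSH rule locks you out; the drop default is what makes the allow list meaningful, and the only thing left reachable from the LAN or the internet is the WireGuard UDP port, which does not answer unauthenticated packets.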

[–] [email protected] 4 points 1 month ago* (last edited 1 month ago) (1 children)

I think the easiest way would be to have two vlans on your local network. One that is connected to the internet and another that is local only. I think you'd have to switch networks when wanting to access the jellyfin server in that instance, but would negate the main issue, which is your VPN.

Edit: that's about the most secure you can get I think. If you bought a different physical router to host it, you'd have about as secure a setup as possible.

[–] [email protected] 4 points 1 month ago (1 children)

Hang on.

Would it not be better to run a VPN server on your router to force all WAN-bound traffic through the VPN? This way, you could still access your local devices.

[–] [email protected] -3 points 1 month ago (1 children)

Good eye! I'd like to avoid trusting my network, but I did consider this option. It also becomes a hassle to enable my VPN per-device each time I leave my house and connect to another network. This still doesn't solve the problem of encrypting Jellyfin in transit over the LAN.

[–] [email protected] 37 points 1 month ago (1 children)

I don't plan to access it anywhere but home

Okay so what's all this faffing about for? Just don't open it up to the internet and access it with your server's local IP address on your home network

[–] [email protected] 3 points 1 month ago (1 children)

Fwiw jellyfin apps don't even allow you to use a self-signed cert.

[–] [email protected] 0 points 1 month ago

I know. It's very unfortunate, but I understand why.

[–] [email protected] 13 points 1 month ago (1 children)

Your post is very confusing. You want to use it only locally (on your home), but it can't be a local-only instance.

You want to e2ee everything, but fail to mention why. There is no reason to do that on your own network.

I do not know why you want to use a VPN and what you want to do with it. Where do you want to connect to?

What is the attack vector you're worried about? Are there malicious entities on your network?

[–] [email protected] -4 points 1 month ago (2 children)

You want to use it only locally (on your home), but it can’t be a local-only instance.

By "local-only" I meant on-device

You want to e2ee everything, but fail to mention why.

Privacy and security.

There is no reason to do that on your own network.

Networks are not a trusted party in any capacity.

I do not know why you want to use a VPN and what you want to do with it. Where do you want to connect to?

A VPN such as ProtonVPN or Mullvad VPN are used to displace trust from your ISP into your VPN provider and obscure your IP address while web browsing (among other benefits that I don't utilize).

What is the attack vector you’re worried about? Are there malicious entities on your network?

These are good questions but not ones I can answer briefly.

[–] [email protected] 18 points 1 month ago

My short answer: you're overthinking it way too hard and I think sticking that microSD-Card into the device you want to watch on is your best bet.

You're chasing ghosts.

[–] [email protected] 2 points 1 month ago* (last edited 1 month ago)

If you're running externally, use a cloudflare tunnel.

No ports exposed = no attack surface. This is 99% of security.

HTTPS is provided by CF although only secures comms between your devices to CF, not CF to your Pi, meaning CF can see clear text technically.

If that's not good enough then use a VPN server like PiVPN and put it on your pi and OpenVPN on your devices. *This has nothing to do with paid VPN client subscriptions like Tunnelbear or Proton or whatever.*

You will be running a VPN server on your pi to which you will connect from your devices on which you want to watch JF by downloading a device profile to your devices and opening it in the OpenVPN app.

You do not need to pay for anything at all anywhere ever (other than something for DDNS and a domain name), use a strong password and make sure your JF is updated if there's any CVE. Expose nothing else to the internet.

You don't even need HTTPS at that point or any certs, a VPN will encrypt your traffic anyway. The only cleartext you'll have is between your VPN and your JF, and if both are on the pi then the only MITM vector is literally inside your Pi which is unlikely to have any issues.
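
Added example, not part of the comment above: a check for "expose nothing else to the internet". Whatever the firewall says, a service bound to 0.0.0.0 or [::] is one rule away from being reachable, so the function below parses ss -tlnup output and flags every listener on a wildcard address, exempting only the VPN server's own UDP port (WireGuard 51820 here; OpenVPN's default would be udp 1194). The socket tables are constructed samples, and the PIDs and the cupsd line are invented for them.

```shell
#!/bin/sh
# Added example (not from the thread): flag every service on the Pi that listens on a
# wildcard address, so "expose nothing else" can be verified rather than assumed.
# Only the VPN's own UDP port is allowed to be reachable from everywhere.

# audit_listeners [VPN_PROTO] [VPN_PORT]: reads `ss -tlnup` output on stdin, prints
# "<proto> <addr:port>" for each wildcard listener except the VPN port, exits 1 if any
audit_listeners() {
  awk -v vproto="${1:-udp}" -v vport="${2:-51820}" '
    $1 == "Netid" { next }                         # column header
    {
      n = split($5, parts, ":"); port = parts[n]   # port is whatever follows the last colon
      addr = substr($5, 1, length($5) - length(port) - 1)
      wildcard = (addr == "0.0.0.0" || addr == "*" || addr == "[::]")
      if (wildcard && !($1 == vproto && port == vport)) { print $1, $5; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }'
}

# constructed sample: Jellyfin and sshd bound to every interface, so only the firewall
# stands between them and the LAN
SAMPLE_SS_PI='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:51820      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:8096       0.0.0.0:*    users:(("jellyfin",pid=812,fd=22))
tcp   LISTEN 0      128             [::]:22         [::]:*       users:(("sshd",pid=510,fd=3))
tcp   LISTEN 0      128        127.0.0.1:631        0.0.0.0:*    users:(("cupsd",pid=420,fd=7))'

# constructed sample after rebinding: Jellyfin and sshd answer only on the tunnel address
SAMPLE_SS_CLEAN='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:51820      0.0.0.0:*
tcp   LISTEN 0      128         10.8.0.1:8096       0.0.0.0:*    users:(("jellyfin",pid=812,fd=22))
tcp   LISTEN 0      128         10.8.0.1:22         0.0.0.0:*    users:(("sshd",pid=510,fd=3))'

# Live use on the Pi:  ss -tlnup | audit_listeners udp 51820
# Self-check on the constructed samples:  sh audit-listeners.sh selfcheck
if [ "${1:-}" = "selfcheck" ]; then
  printf '%s\n' "$SAMPLE_SS_PI" | audit_listeners udp 51820 || echo "^ wildcard listeners to rebind or firewall"
  printf '%s\n' "$SAMPLE_SS_CLEAN" | audit_listeners udp 51820 && echo "clean sample: nothing flagged"
fi
```

A hit on 0.0.0.0:8096 means Jellyfin would accept connections from the LAN in cleartext the moment a firewall rule is loosened; binding it to the tunnel address (or to 127.0.0.1 behind a reverse proxy on that address) is what makes the comment's "the only cleartext is inside the Pi" claim true.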

[–] [email protected] 2 points 1 month ago (1 children)

I can't answer your question as I rely on Plex rather than fooling around with my own security, but I'd suggest reconsidering the Pi and a microSD to host Jellyfin. Neither one of these are a good fit unless you plan on sticking to very specific audio and video codecs to avoid all transcoding and your upload speeds are capable of serving the full bitrate of your files. Beyond that, SD cards are terrible for this kind of task and you'd be much better served with an SSD as your boot/data drive for robustness. I can't even count the number of failed SD cards I've had over the years.

[–] [email protected] 2 points 1 month ago (1 children)

but I’d suggest reconsidering the Pi

It's what I have on hand at the moment. I don't have proper server hardware yet.

and a microSD to host Jellyfin.

Beyond that, SD cards are terrible for this kind of task and you’d be much better served with an SSD as your boot/data drive for robustness. I can’t even count the number of failed SD cards I’ve had over the years.

I will keep this in mind, thank you!

Neither one of these are a good fit unless you plan on sticking to very specific audio and video codecs to avoid all transcoding and your upload speeds are capable of serving the full bitrate of your files.

I haven't tried playing videos from my Raspberry Pi, but I've been able to run extremely modern video codecs on some pretty old hardware without any issues. Since I've never had issues with video codecs, I'm not experienced in what hardware can and can't handle it.

[–] [email protected] 1 points 1 month ago (5 children)

A micro-sized PC with an i5 and 8 GB of RAM can cost under 100€, and it's way more powerful compared to a pi. Power efficient too. That's what I used for a long time for my jellyfin server.

[–] [email protected] 2 points 1 month ago

Thank you! I'd like to avoid extra costs, since I already have the Pi on hand, but when I have the money I will switch to a proper server.

[–] [email protected] 10 points 1 month ago (1 children)

Run it at home and get Tailscale set up with a Headscale server, or just use Tailscale straight out if you want. That's the simplest.

A better option would be getting an OpenWRT router and start building proper infrastructure for doing something like this. You'll have many different options for decentralized and NAT traversing VPNs with this option. GL.Inet Flint is a great choice.

[–] [email protected] 0 points 1 month ago (1 children)

Run it at home and get Tailscale set up with a Headscale server, or just use Tailscale straight out if you want. That’s the simplest.

I have no idea how to do this. Do you have any resources? Does it cost a subscription fee?

A better option would be getting an OpenWRT router

This is what I have planned. OpenWrt Two my beloved

You’ll have many different options for decentralized and NAT traversing VPNs with this option. GL.Inet Flint is a great choice.

I also don't know how to do this. Resources are much appreciated :)

[–] [email protected] 1 points 1 month ago (2 children)

Okay, so let me explain a bit:

Tailscale is a commercial client that is semi-FOSS. It's built on Wireguard, which is FOSS, but the cloud hosted architecture does cost money after I think 5 clients.

Headscale is a FOSS implementation of Tailscale, and totally free to host, skipping the above.

Tailscale itself is super easy to use, and you just install it on a node, register it, and then it has access to any other device on that secured network. So if you install it on your Jellyfin machine at home behind your normal firewall, then install it on your phone, you'll be able to connect to it without forwarding ports or messing around with much.

It should be that simple.

[–] [email protected] 0 points 1 month ago (1 children)

Does Headscale conflict with ProtonVPN/Mullvad VPN (i.e. can I use those alongside Headscale)? Android has a limited number of VPN slots, so that's why I ask.

[–] [email protected] 3 points 1 month ago* (last edited 1 month ago) (1 children)

Nope. Wireguard runs outside the same protocols.

Just give Tailscale a try first because it's essentially free for a few nodes. If you need more and don't want to pay, then investigate Headscale.

[–] [email protected] -2 points 1 month ago (1 children)

So:

  • ProtonVPN is installed on my Android phone
  • Android has Always-on VPN enabled
  • Android has Block connections without VPN enabled
  • Host Jellyfin on my Raspberry Pi 5
  • Install Headscale on my Raspberry Pi 5
  • Install Headscale on my Android phone
  • Install a Jellyfin client on my Android phone
  • Configure everything

And that will work? It will be encrypted during transit? And only run on the LAN? Does ProtonVPN need to allow LAN connections (I assume it does)?

[–] [email protected] 0 points 1 month ago (1 children)

Sorry, it may be confusing, but Headscale is ONLY the free server component. The client is still Tailscale's open client. That's why I'm saying just sign up and try it first with Tailscale, and then if you need more connections without paying, create a Headscale server and re-register your clients to that to skip charges.

[–] [email protected] 0 points 1 month ago* (last edited 1 month ago) (1 children)

Alright, I'm slowly learning, bear with me here:

  • ProtonVPN is always-on and blocks connections without VPN
  • Jellyfin and Headscale are hosted on the Pi (or does Headscale need its own server?)
  • Tailscale and a Jellyfin client are installed on the phone

Then:

  • Will that run fully on the LAN?
  • Will it be encrypted during transit?
  • Does ProtonVPN need to allow LAN connections?

[–] [email protected] 0 points 1 month ago (1 children)

Okay, so you might be unfamiliar with networking, so maybe some extra confusion there. Let me try to explain that a bit.

The Jellyfin server runs on LAN like normal. No need to use Tailscale if you're just using your Wi-Fi or Ethernet.

Tailscale/Headscale creates its own VPN network which will need its own IP space. Same as any other VPN. It's just a setting in the config, and the routing is pretty simplistic and mostly automatic.

Tailscale/Headscale can run anywhere. Doesn't need to be on that Pi, but that Pi will need a Tailscale client to be on the "Tailnet" and communicate with other devices also connected to it.

ProtonVPN clients have their own IP space and network that go elsewhere. That's its own separate thing.

[–] [email protected] 1 points 1 month ago (1 children)

Okay, so you might be unfamiliar with networking

I'm familiar with some parts of networking, but selfhosted VPNs are something I am unfamiliar with, so thank you for helping me out!

No need to use Tailscale if you’re just using your Wi-Fi or Ethernet.

I want it to be encrypted during transit, even if it is over the LAN.

Tailscale/Headscale creates it’s own VPN network which will need its own IP space.

This is what I was afraid of, because this means it probably can't run alongside ProtonVPN, since it would fill up the VPN slot on Android, right?

If so, it means we've come full circle. Unless there is a way to use Tailscale alongside ProtonVPN or a way to get Jellyfin clients to trust self-signed certificates, I don't see any other option than buying a domain and exposing the server to the internet. Am I missing something?

[–] [email protected] 1 points 1 month ago (2 children)

No, it can run along anything, as long as you don't conflict the IP space assigned to a VPN. It creates its own IP network space when running, so just don't overlap with your other VPN software. Using it while at home is a bit wasteful on effort and power, but just use the Jellyfin Let's Encrypt setup and it's the same thing.

You are missing a lot here. I think you're confused on the difference between your LAN security, and how that fits into network connections. You don't need an SSL cert to say that something is secure, that's just one method of PUBLICLY securing something. Every connection on Tailscale is secure end-to-end, so if you run it on your Pi, any client that can connect to it is secured. No open ports, no lapses in security. The encryption happens between each client and the server. You're secure.
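
Added example, not from any comment in this thread: the Tailscale explanation earlier (install the client on the Pi and the phone, register both) and the claim just above that "any client that can connect to it is secured" hold for the transport, but a fresh tailnet ships with a policy that lets every node reach every other node on every port. The policy below, in Tailscale's ACL format, narrows that to the phone reaching the Pi on Jellyfin's port, and the check function rejects the allow-all default. The tag names, the admin group and the port are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the thread): a Tailscale ACL policy that only lets the phone
# reach Jellyfin on the Pi, plus a check that rejects the allow-everything default.
# Tag names and the port are assumptions for this example.

JELLYFIN_PORT=8096

# tailscale_policy -> paste into the tailnet's Access Controls (HuJSON, comments allowed);
# the Pi then joins with `tailscale up --advertise-tags=tag:jellyfin`, the phone with tag:phone
tailscale_policy() {
  cat <<EOF
{
  // only admins may attach these tags to a node
  "tagOwners": {
    "tag:jellyfin": ["autogroup:admin"],
    "tag:phone":    ["autogroup:admin"]
  },
  // with no other rules, every other tailnet connection is denied
  "acls": [
    {"action": "accept", "src": ["tag:phone"], "dst": ["tag:jellyfin:${JELLYFIN_PORT}"]}
  ]
}
EOF
}

# policy_is_restricted: reads a policy on stdin; fails if any rule has a "*" source
# or a "*:*" destination, i.e. the shape of Tailscale's default allow-all rule
policy_is_restricted() {
  policy=$(cat)
  if printf '%s\n' "$policy" | grep -Eq '"src":[[:space:]]*\[[[:space:]]*"\*"'; then
    echo "policy grants access from every node" >&2; return 1
  fi
  if printf '%s\n' "$policy" | grep -Eq '"dst":[[:space:]]*\[[[:space:]]*"\*:\*"'; then
    echo "policy grants access to every node and port" >&2; return 1
  fi
  return 0
}

# the rule a new tailnet starts with (constructed here for the check)
DEFAULT_POLICY='{"acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]}'

# Usage:  sh tailnet-policy.sh print > policy.hujson
#         sh tailnet-policy.sh check < policy.hujson
case "${1:-}" in
  print) tailscale_policy ;;
  check) policy_is_restricted && echo "policy is restricted" ;;
esac
```

This does not change the Android limitation raised below: the phone still needs its one VPN slot for Tailscale while it talks to the Pi. What it fixes is the other half of "no open ports": a node that later joins the tailnet (a laptop, a guest's device you share a node with) gets no path to port 8096 unless it carries tag:phone.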

[–] [email protected] 5 points 1 month ago

Android only allows one active VPN per Profile. So as OP said, running Tailscale and Proton in parallel is not possible.

[–] [email protected] 4 points 1 month ago

No, it can run along anything, as long as you don’t conflict the IP space assigned to a VPN.

I tried Tailscale on Android, and it isn't working because it requires the active VPN slot occupied by ProtonVPN.
