this post was submitted on 10 Apr 2025
104 points (87.7% liked)

Selfhosted

46685 readers
245 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

I am making this post in good faith

In my last post I asked about securely hosting Jellyfin given my specific setup. A lot of people misunderstood my situation, which caused the whole thread to turn into a mess, and I didn't get the help I needed.

I am very new to selfhosting, which means I don't know everything. Instead of telling me that I don't know something, please help me learn and understand. I am here asking for help, even if I am not very good at it, which I apologize for.

With that said, let me re-outline my situation:

I use my ISP's default router, and the router is owned by Amazon. I am not the one managing the router, so I have no control over it. That alone means I have significant reason not to trust my own home network, and it means I employ the use of ProtonVPN to hide my traffic from my ISP and I require the use of encryption even over the LAN for privacy reasons. That is my threat model, so please respect that, even if you don't agree with it. If you don't agree with it, and don't have any help to give, please bring your knowledge elsewhere, as your assistance is not required here. Thank you for being respectful!

Due to financial reasons, I can only use the free tier of ProtonVPN, and I want to avoid costs where I can. That means I can only host on the hardware I have, which is a Raspberry Pi 5, and I want to avoid the cost of buying a domain or using a third party provider.

I want to access Jellyfin from multiple devices, such as my phone, laptop, and computer, which means I'm not going to host Jellyfin on-device. I have to host it on a server, which is, in this case, the Raspberry Pi.

With that, I already have a plan for protecting the server itself, which I outlined in the other post, by installing securecore on it. Securing the server is a different project, and not what I am asking for help with here.

I want help encrypting the Jellyfin traffic in transit. Since I always have ProtonVPN enabled, and Android devices only have one VPN slot enabled, I cannot use something such as Tailscale for encryption. There is some hope in doing some manual ProtonVPN configurations, but I don't know how that would work, so someone may be able to help with that.

All Jellyfin clients I have used (on Linux and Android) do not accept self-signed certificates. You can test this yourself by configuring Jellyfin to only accept HTTPS requests, using a self-signed certificate (without a domain), and trying to access Jellyfin from a client. This is a known limitation. I wouldn't want to use self-signed certificates anyways, since an unknown intruder on the network could perform a MITM attack to decrypt traffic (or the router itself, however unlikely).

Even if I don't trust my network, I can still verify the security and authenticity of the software I use in many, many ways. This is not the topic of this post, but I am mentioning it just in case.

Finally, I want to mention that ProtonVPN in its free tier does not allow LAN connections. The only other VPN providers I would consider are Mullvad VPN or IVPN, both of which are paid. I don't intend to get rid of ProtonVPN, and again that is not the topic of this post.

Please keep things on-topic, and be respectful. Again, I am here to learn, which is why I am asking for help. I don't know everything, so please keep that in mind. What are my options for encrypting Jellyfin traffic in transit, while prioritizing privacy and security?

27 comments
[–] [email protected] 3 points 1 month ago* (last edited 1 month ago) (1 children)

OP, I have been facing the same situation as you in this community recently. This was not the case when I first joined Lemmy but the behaviour around these parts has started to resemble Reddit more and more. But we'll leave it at that.

I think I have a solution for you if you're willing to spend $2-$3 a month - set up a VPS and run a Wireguard server on it. Run clients on your devices and the raspberry pi and connect to it.

As for your LAN: from the discussion you linked, it seems that Jellyfin will use the CAs present in the OS trust store. That's not very hard to do on Linux but I guess if you have to do it on Android you'd have some more trouble. In either case, using a reverse-proxy (I like HAProxy but I use it at work and it might be more enterprise than you need, for beginners Caddy is usually easier) will fix the trouble you're having with your own CA and self-signed certs.

I am interested in the attack vector you mentioned; could you elaborate on the MITM attack?

Unfortunately, if you don't have control over your network, you cannot force a DNS server for your devices unless you can set it yourself for every individual client. If I assume that you can do that, then:

  1. Set up DNS server on Pi
  2. Set up CA on Pi
  3. Create root CRT, CSR and server certs from it (bare-minimum setup)
  4. Copy over this stuff to Jellyfin image/VM, and copy root cert to clients trust store.
  5. Run reverse proxy in front of Jellyfin and configure the correct IP address of the reverse proxy with an A record in your DNS server.
  6. Configure reverse-proxy with server/application cert.
  7. Use RethinkDNS on Android to pass everything through the wireguard server hosted on the VPS, and set private DNS to the DNS server hosted on the Pi.

I think that should do it. This turned out more complicated than I imagined (it's more of a brain dump at this point), feel free to ask if it is overwhelming.

[–] [email protected] 2 points 1 month ago* (last edited 1 month ago)

I remember you were worried about your ISP messing things up for you, hence the VPN. I would recommend creating a "Virtual Machine" that does all of your downloading to whatever hard drive you're using. That VM can have proton installed. Then, on your regular computer (not within the VM), you can host Jellyfin with no VPN involved, making it accessible at 192.168.0.xx.

I think this hits your goals without needing to expose Jellyfin to the Internet. Plus it has minimal technical complexity. Your downloading traffic will be VPN protected, but Jellyfin will still be accessible to your local network.
edit: You can set up a password for Jellyfin, protecting it from your internal threats.

edit2: You can use letsencrypt to create a certificate that picky clients will accept. Buy a domain, any domain, and configure the "A record" to point to 192.168.0.xx (your Jellyfin IP). Then tell your client to go to whatever domain you get, like "luigiliterallydidnothingwrongplzfree.com", then the client will have to use the internet to ask DNS what the IP address is, but after that, it will just use your local network.

edit3: Since you just have the raspberry PI, instead of using a Virtual Machine, you could have 2 separate SD cards. One only has the downloader and VPN installed, the other only has Jellyfin installed (no VPN). Then swap as needed.

[–] [email protected] 1 points 1 month ago* (last edited 1 month ago)

Maybe self host your own VPN on a VPS and connect the jellyfin server as a client as well as any other devices you want to see that jellyfin server as other clients and configure the VPN server to not override your default routing and to allow clients to see each other? In my head I don't think that would conflict with your protonVPN connection.

Your traffic would be encrypted between devices so I wouldn't say HTTPS is necessary and thus no certs needed.

The rubs that occur to me are that I'm not sure you can do this on a free tier VPS which is the only option I see given your financial limitations. And your devices all need to be able to connect to said VPN.

Edit: Slightly less worse English.

[–] [email protected] 12 points 1 month ago (1 children)

I read the old thread and now this one.

As I understand it, you want to create a connection between clients on your LAN, but you don't trust your LAN, so it's like having a Raspberry Pi server and some client both on the coffee shop network and you want them to communicate securely?

Tailscale is what you want. Easy setup, free, and allows exactly this to happen.

[–] [email protected] 9 points 1 month ago* (last edited 1 month ago) (1 children)

I previously proffered some information in the first thread.

But there's something I wish to clarify about self-signed certificates, for the benefit of everyone. Irrespective of whichever certificate store that an app uses -- either its own or the one maintained by the OS -- the CA Browser Forum, which maintains the standards for public certificates, prohibits issuance of TLS certificates for reserved IPv4 or IPv6 addresses. See Section 4.2.2.

This is because those addresses will resolve to different machines on different networks. Whereas a certificate for a global-scope IP address is fine because it should resolve to the same destination. If certificate authorities won't issue certs for private IP addresses, there's a good chance that apps won't tolerate such certs either. Nor should they, for precisely the reason given above.

A proper self-signed cert -- either for a domain name or a global-scope IP address -- does not create any MITM issues as long as the certificate was manually confirmed the first time and added to the trust store, either in-app or in the OS. Thereafter, only a bona fide MITM attack would raise an alarm, the same as if a MITM attacker tries to impersonate any other domain name. SSH is the most similar, where trust-on-first-connection is the norm, not the outlier.

There are safe ways to use self-signed certificates. People should not discard that option so wantonly.

[–] [email protected] 1 points 1 month ago (6 children)

It sounds like the clients do not have the ability to manually trust a self-signed cert.

[–] [email protected] -1 points 1 month ago

@catloaf @litchralee As they shouldn't trust a self-signed cert. If you can run Jellyfin, you can run an internal CA and DNS server. Create a .internal domain in your DNS server and create certs based on it. Then just roll out your root ca cert.

[–] [email protected] 40 points 1 month ago (13 children)

How about creating your own LAN within the untrusted network?

Something like an inexpensive OpenWRT router would do fine. Connect all your devices and the server to the router. They are now on a trusted network. Set up Wireguard on the OpenWRT router to connect to Proton so that your outbound traffic from all your devices is secured.

[–] [email protected] 8 points 1 month ago

I work for an ISP, and this is a common practice among my peers

[–] [email protected] 24 points 1 month ago (1 children)

I was looking for this. Op seems to be obsessed with "zero trust", so creating a trusted area for this stuff would be an easy win.

[–] [email protected] 4 points 1 month ago* (last edited 1 month ago)

Exactly! I did that for a couple years until I found a cheap modem to replace the ISP modem. It didn't do any routing, so there was no weird NAT issue, it just converted the DSL signal to Ethernet with a WAN IP.

I didn't have to change any network settings on my LAN when I switched, or when I moved to another place with a different ISP. I had that same router for years, even after I got a dedicated AP for my house.

[–] [email protected] 12 points 1 month ago (2 children)

ProtonVPN in its free tier does not allow LAN connections

This is the limiting factor. In order to get around this, you'll have to put your Jellyfin server on the Internet. Hopefully you can enable port forwarding. If not, you have painted yourself into a corner.

If you cannot use self-signed or internal CA certs, you will also need a domain name, and something like Let's Encrypt to issue certs for that domain.

[–] [email protected] 9 points 1 month ago (2 children)

you’ll have to put your Jellyfin server on the Internet.

Don't.

https://github.com/jellyfin/jellyfin/issues/5415

[–] [email protected] 4 points 1 month ago* (last edited 1 month ago) (4 children)

Do. And make sure your logs are piped through fail2ban.

All of these "vulnerabilities" require already having knowledge of the ItemIDs, and anyone without it poking around will get banned.

The rest of them require a user to be authenticated, but allow horizontal information gathering. These are not RCEs or anything serious. The ones which allowed cross-user information editing have been fixed.

[–] [email protected] 3 points 1 month ago (1 children)

Don't. OP already said in the previous post that they only need Jellyfin access within their home. The Principle of Least Privilege tilts in favor of keeping Jellyfin off the public Internet. Even if Jellyfin were flawless -- and no program is -- the only benefit that accrues to OP is that the free tier of ProtonVPN can access Jellyfin.

Opening a large attack surface for such a modest benefit is letting the tail wag the dog. It's adding a kludge to workaround a different kludge, the latter being ProtonVPN's very weird paid tier.

[–] [email protected] -1 points 1 month ago* (last edited 1 month ago) (3 children)

If they need SSL certs, they've got to. Jellyfin doesn't accept self-signed certs, which means DNS entries in a domain, and access from the internet.

Really, honestly - what they need to do is just install Jellyfin on the Raspberry Pi and ditch the encryption requirement altogether. There's no reason to have it on a LAN-only environment. They aren't going to need it, nobody is going to MITM their lan environment, and VPNs will regularly allow LAN passthrough.

If ProtonVPN's own client doesn't allow LAN connections, they either need to swap to the vanilla WireGuard client (if that's allowed on the free tier), or upgrade their VPN service.

OR switch VPNs altogether.

There isn't a way to do this without breaking one of their requirements.

Only options here are to publicly host with real SSL certs, on a domain and tunnel out -- Or swap VPN providers/software so that you can achieve LAN access and forego HTTPS altogether.

Edit: And sorry -- the previous post is gone regarding their only needing access within the home, there's no way I could have known that.

There's a bit of paranoia going on here to begin with - There's no reason they need this level of "security" within their home network on the LAN side anyhow. They could possibly buy a managed switch and make the jellyfin server only visible to a specific vlan that didn't include the router, but that doesn't quite match up with what it sounds like they're needing.

[–] [email protected] 1 points 1 month ago (1 children)

which means DNS entries in a domain, and access from the internet

The latter is not a requirement at all. Plenty of people have publicly-issued TLS certs for domain-named services that aren't exposed to the public internet, or aren't using HTTP(S). If using Let's Encrypt, the DNS-01 challenge method would suffice, or you can even issue a wildcard certificate for subdomains, so additional certificate issuance is not required.

After acquiring a domain, it can be pointed to one of many free nameservers that provide an API which can be updated from an ACME script for automatic renewal of the Let's Encrypt certificate using DNS-01. dns.he.net is one such example.

OP has been given a variety of options, each of which come with their own tradeoffs. But public access to Jellyfin just to get a public cert is not a necessary tradeoff that OP needs to make.

[–] [email protected] 16 points 1 month ago (1 children)

Yeah, you shouldn't, but OP seems determined to hamstring themselves and do everything as convoluted as possible.

[–] [email protected] 10 points 1 month ago

Yeah, this whole thread feels like a "but I can't do that, work around it for me"

[–] [email protected] -1 points 1 month ago (1 children)

Although not ideal, I would be willing to pay for ProtonVPN (or another) if that's what is required. If I did have LAN connections, what are my options? Eventually I will get a more trustworthy router, but I still don't want to trust it by sending data in plaintext, even if I can control it and enable port forwarding.

[–] [email protected] 7 points 1 month ago

Already answered in your previous post: https://lemm.ee/post/60855169/19569046

[–] [email protected] 2 points 1 month ago (1 children)
[–] [email protected] 4 points 1 month ago (1 children)

Since I always have ProtonVPN enabled, and Android devices only have one VPN slot enabled, I cannot use something such as Tailscale for encryption.

[–] [email protected] 3 points 1 month ago* (last edited 1 month ago) (2 children)

Tailscale is only for the server/host. You're not changing all of your VPN services over to this, you're using it in a 'reverse' fashion. You're VPN-ing the server out to the world so it's reachable and you have port forwarding options, etc.

From there, it can be reached by any client on the internet as a service. From there though, I don't know how you'd get to it securely without a domain and SSL (Let's Encrypt/Caddy) certs.

A domain is only like $16/year. So it's not prohibitively expensive.

[–] [email protected] 1 points 1 month ago

It can't be reached by any client, only clients on machines logged into your Tailscale network.

[–] [email protected] 3 points 1 month ago

Domains can be even cheaper than that, I got a .net address from porkbun for $12.50 a year. That's cheap enough for even me, and I am broke, y'all.
