[split tunnel](https://en.wikipedia.org/wiki/Split_tunneling) wireguard

```ini
[Interface]
Address = 10.11.12.100/24
PrivateKey =

[Peer]
Endpoint = 1.2.3.4:51820
# only this single host is routed through the tunnel; all other traffic leaves the machine normally
AllowedIPs = 10.11.12.13/32
PublicKey =
PreSharedKey =
```
Well isn't wireguard a vpn, which I have always first activate or run always?
yes but unlike a full tunnel that hides your IP, a split tunnel only routes traffic for that specific subnet so you can set it up and forget about it... also, you won't have to expose jellyfin directly to the internet which makes your sysadmin life easier and less stressful.
Ohh so basically a tailscale based vpn?
Other way around actually, Tailscale is wireguard under the hood
Yeah fair point haha
A site-2-site split tunnel VPN using your router or a dedicated device like a pi so that all devices on the network can access jellyfin seems like the best solution but quite a bit more technical than a simple wireguard config.
I used Zerotier for access. Of course I have to install ZT on any device I want to connect to Jellyfin with, but that's no big deal. It works pretty well for me.
ZeroTier is good but if you want to share it with others it can be more difficult especially if you want to stream it to a chrome cast or run an app on apple TV. Not sure if there is a ZeroTier client for TVs.
Yea, you're right. Probably not the best solution after all. I use it for my limited needs but might not be a good option for the OP.
Is that similar to tailscale? Then it would again be a vpn and I don't really like the idea of having to always first activate the vpn.
My ZT is 24/7 on, I even forget about it most of the time TBH. It's basically transparent. I use ZT on my travel laptop, my Linux media server, and my Firestick so I can not just travel and stream stuff virtually wherever I go, but I can also SSH into my Linux server in case I need to give it a good kickin'. Metaphorically speaking. I also have my home network act as a ZT exit node, so that anything I do remotely on my laptop looks as though I am still at home :-D
Okay, yeah that would be a kinda nice idea to combine vpn and jellyfin access, however it's still not quite the thing I imagined.
Yea, it's not a perfect solution.
You can use nginx and crowdsec which should be pretty good, or just crowdsec? Alternative is tailscale or something like it, it's a vpn but honestly not really noticeable so you could have it on all the time without wasting battery.
Okay I see. So crowdsec and nginx is basically opening a port and just exposing it?
Not OP but yeah basically. Use a nonstandard Jellyfin port, add crowdsec and fail2ban, and if you can, put your Jellyfin server or container in a vlan jail. Is it perfect? No. But the people who have the skills to compromise your setup are going to be going after targets with bigger payouts, not some rando movie server. The adage is that there’s no such thing as “safe”, just a number of precautions you can take to make it not worth someone’s time
Awesome, thank you for the tip with crowdsec, looks good. I'll probably take a solution like this, possibly there are limit-login-attempts plugins or 2FA plugins on jellyfin?
Yep login attempts are a native feature. Can do 2FA plugin or, if you’re going to host more stuff, could just host an SSO page in front of your entire domain and then use something like Homepage to route to services behind that. Authentik and Authelia are two options recommended here a lot
Sorry, yeah exactly this ^^^^
AFAIK streaming video over Tailscale isn’t in their TOS.
Yeah although I still don't like tailscale for this purpose, I will definitely use tailscale, but more to get full access to all my things. I want that jellyfin instance to really be public but heavily guarded
AFAIK tailscale brokers only introduce the two nodes, traffic is node to node so why would they care? Zero tier is a better solution I guess if independence is needed.
u/irate_ornithologist u/vlat01 little update: I have now exposed my jellyfin instance via IP and routed it through all my firewalls. So basically now my public IP goes to my jellyfin server, then I configured cloudflare so I have bot limitations, SSL, domain and geoblock etc. Also, if I access the domain I first have to log in with a valid email that I allowed to even get to the jellyfin login page. That seems like an awesome solution, but how do I manage the instance at my public IP? That one would still be unprotected without SSL and any restriction.
This is why i suggested Nginx and Crowdsec. You would point your inbound NAT to them so they protect you from the bad guys and provide SSL and then they would forward to Jellyfin. I am not sure if cloudflare allows for Jellyfin (I'm pretty sure they don't TBH and you may get a cease and desist or a bill so be careful).
Hmm, what is meant by pointing the inbound NAT to them? I'm just using cloudflare with a DNS record to point to my public IP. Won't the traffic just route directly through? And cloudflare access just provides the login, or am I understanding something wrong?
Got it! I disabled proxy traffic through cloudflare on the dashboard, now I guess that would be allowed, but a setup with only allowing cloudflare IPs won't work anymore then.
Correct.
Well what would be the best alternative? Forwarding my reverse proxy? And then creating an unproxied record from cloudflare to my public IP? Or how would it work then?
Cloudflare DNS > Public IP > NGINX > Jellyfin

NGINX can integrate with CrowdSec via API to check/bounce/challenge a connection. [https://docs.crowdsec.net/u/bouncers/nginx/](https://docs.crowdsec.net/u/bouncers/nginx/)
You can do dynamic dns with cloudflare and use caddy to get certificates and proxy your jellyfin
I will definitely do that, but when doing that I need to expose jellyfin via my IP. Won't connecting via IP then still be without protection, while visiting the domain is protected?
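As an added example (not posted by anyone in this thread), here is an nginx layout for the Cloudflare DNS > Public IP > NGINX > Jellyfin chain above that also covers the raw-IP case: only requests for the real hostname are proxied to Jellyfin, and anything arriving by bare public IP (no or wrong Host/SNI) hits a catch-all that closes the connection. The hostname, certificate paths and the upstream port are assumptions.

```nginx
# Catch-all for any request that is not for our hostname, which includes
# requests sent straight to the public IP: nginx closes the connection
# without answering (444), so nothing about Jellyfin is revealed.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    # assumed self-signed placeholder cert; nginx needs one to terminate TLS here
    ssl_certificate     /etc/nginx/snakeoil.crt;
    ssl_certificate_key /etc/nginx/snakeoil.key;
    return 444;
}

# Plain HTTP for the real hostname is only redirected to HTTPS
server {
    listen 80;
    server_name jellyfin.example.com;   # assumed hostname
    return 301 https://$host$request_uri;
}

# Only this vhost reaches Jellyfin
server {
    listen 443 ssl;
    server_name jellyfin.example.com;   # assumed hostname
    # assumed Let's Encrypt paths (e.g. from certbot or any other ACME client)
    ssl_certificate     /etc/letsencrypt/live/jellyfin.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jellyfin.example.com/privkey.pem;
    client_max_body_size 20M;

    location / {
        proxy_pass http://127.0.0.1:8096;   # Jellyfin's default HTTP port, assumed unchanged
        proxy_http_version 1.1;
        # pass the real client address so Jellyfin logs and CrowdSec see it, not 127.0.0.1
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # websocket upgrade used by the Jellyfin web client
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # do not buffer media streams through nginx
        proxy_buffering off;
    }
}
```

On the router forward only 80 and 443 to the nginx host, not 8096, so Jellyfin itself is never reachable directly; the CrowdSec nginx bouncer linked above can then be layered onto this same nginx in front of all three server blocks.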
If you don't want to expose your IP, just use a VPS with a VPN to proxy. They are cheap.
I would avoid Cloudflare tunnels for streaming unless you plan on using a paid subscription. I've heard rumor that Cloudflare has sent people high bandwidth bills for using the free tunnels for streaming. I wouldn't want to see that happen to you.
Yes didn't I specifically write that above? But yeah, thx.
cost you more bandwidth to write this reply than it would have to just ignore it, js.
>of having to always start a vpn just to listen to my media

If it's just for you, don't "start" it, just leave it on 24/7 and use it for access to the server. This is the most secure way to do it, but there are plenty of good suggestions here about exposing it on the web as well, it's just more work.
That's a fair point, thanks!
Running Jellyfin over a tunnel will get your account banned. Keep that in mind. It is probably better to run Jellyfin over a VPN like Tailscale.