this post was submitted on 09 Apr 2025

46 points (77.4% liked)

Selfhosted

45728 readers

879 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago

MODERATORS

[email protected]

How do I host Jellyfin in the most secure manner possible? (lemmy.ml)

submitted 3 days ago* (last edited 3 days ago) by [email protected] to c/[email protected]

100 comments fedilink hide all child comments

Please take this discussion to this post: https://lemmy.ml/post/28376589

Main content

Selfhosting is always a dilemma in terms of security for a lot of reasons. Nevertheless, I have one simple goal: selfhost a Jellyfin instance in the most secure way possible. I don't plan to access it anywhere but home.

TL;DR

I want the highest degree of security possible, but my hard limits are:

No custom DNS
Always-on VPN
No self-signed certificates (unless there is no risk of MITM)
No external server

Full explanation

I want to be able to access it from multiple devices, so it can't be a local-only instance.

I have a Raspberry Pi 5 that I want to host it on. That means I will not be hosting it on an external server, and I will only be able to run something light like securecore rather than something heavy like Qubes OS. Eventually I would like to use GrapheneOS to host it, once Android's virtual machine management app becomes more stable.

It's still crazy to me that 2TB microSDXC cards are a real thing.

I would like to avoid subscription costs such as the cost of buying a domain or the cost of paying for a VPN, however I prioritize security over cost. It is truly annoying that Jellyfin clients seldom support self-signed certificates, meaning the only way to get proper E2EE is by buying a domain and using a certificate authority. I wouldn't want to use a self-signed certificate anyways, due to the risk of MITM attacks. I am a penetration tester, so I have tested attacks by injecting malicious certificates before. It is possible to add self-signed certificates as trusted certificates for each system, but I haven't been able to get that to work since it seems clients don't trust them anyways.

Buying a domain also runs many privacy risks, since it's difficult to buy domains without handing over personal information. I do not want to change my DNS, since that risks browser fingerprinting if it differs from the VPN provider. I always use a VPN (currently ProtonVPN) for my devices.

If I pay for ProtonVPN (or other providers) it is possible to allow LAN connections, which would help significantly, but the issue of self-signed certificates still lingers.

With that said, it seems my options are very limited.

top 50 comments

sorted by: hot top controversial new old

[–] [email protected] 45 points 3 days ago* (last edited 3 days ago) (3 children)

Hi. I am a software engineer with a background in IT security. My girlfriend is a literal network security engineer.

I showed her this thread and she said: don't bother, just use http on your local network.

Anyways, I am going to disengage from this thread now. Skepticism against things one doesn't fully understand can be healthy, but this is an insane mix of paranoia and naïveté.

You are not a target; the things you are afraid of will never happen; and if they did, they would not have the consequences you think they would.

Your router will NOT magically expose your traffic to the internet (what would that even mean?? Like, if it spontaneously started port forwarding to your Jellyfin server (how? By just randomly guessing the port and IP???), someone would still need to actively request that traffic, AND know your login credentials, AND CARE).

Your ISP does not give a shit about you owning or streaming copyrighted material over your local network. It has no stake in that.

Graphene is not an ultimate arbiter of IT security, but the reason it "distrusts networks" is because you take your phone with you, constantly moving into actual untrusted networks (i.e. ones you do not own).

Hosting Jellyfin on Graphene will not make it more secure, whatsoever.

If every device is assumed compromised, and compromising devices with knowledge that you watch media is a threat in your model, then even putting an SD card with media in your phone and clicking play is dangerous. Which is stupid.

If you actually assume your router is malicious, then please assume that when you initially downloaded your VPN client, it was also compromised and your VPN is not trustworthy.

The way I see it, you have two options:

educate yourself on network security to the point of being able to trust your network setup; or
forget about hosting anything

[–] [email protected] 1 points 3 days ago

Regarding the ‘taking your phone with and joining untrusted networks,’ you can set up WireGuard to auto join your vpn on any network you haven’t whitelisted, including your cellular network.

load more comments (2 replies)

[–] [email protected] 38 points 3 days ago (16 children)

I don't plan to access it anywhere but home

Okay so what's all this faffing about for? Just don't open it up to the internet and access it with your servers local ip address on your home network

load more comments (16 replies)

[–] [email protected] 16 points 3 days ago* (last edited 3 days ago) (4 children)

I applaud your accomplishment as a penetration tester. I am disappointed at your lack of understanding regarding non-public networking.

Move your VPN to your router. Don’t bother with HTTPS on anything not exposed to the Internet.

If that does not satisfy your concerns, you may want to give up using electronic devices.

[–] Lem453 3 points 3 days ago

No reason not to have both. Things like vaultwarden do warrant an extra layer so setup wildcard domain for internal services x.local.example.com and then normal certs for external stuff like y.example.com.

To get internal stuff you then need your vpn as well to access it. You can now easily choose what risk you want on a per app basis.

Technotim has a good video on this

load more comments (3 replies)

[–] [email protected] 19 points 3 days ago (23 children)

Just run it on the LAN and don't expose it to the Internet. That's 99% of the way there. HTTPS only secures the connection, and I doubt you're sending any sensitive info to or from Jellyfin (but you can still run it in docker and use caddy or something with Let's Encrypt).

The bigger target is making sure jellyfin itself and the host it runs on are updated and protected. You could use a WAF too.

load more comments (23 replies)

[–] [email protected] 13 points 3 days ago (3 children)

Your post is very confusing. You want to use it only locally (on your home), but it can't be a local-only instance.

You want to e2ee everything, but fail to mention why. There is no reason to do that on your own network.

I do not know why you want to use a VPN and what you want to do with it. Where do you want to connect to?

What is the attack vector you're worried about? Are there malicious entities on your network?

load more comments (3 replies)

[–] [email protected] 4 points 3 days ago (1 children)

If you are willing to swap to mullvad then you can also install tailscale. You can then choose to connect to your jellyfin server (over LAN) or (over tailscale-wireguard tunnel over LAN) while the rest of the traffic flows through mullvad.

[–] [email protected] 1 points 3 days ago (1 children)

Why not just skip that and just use a wire guard tunnel?

[–] [email protected] 1 points 2 days ago (1 children)

a wireguard tunnel over a forced NordVPN tunnel will mean that all his traffic will flow all the way to the NordVPN node and all the way back for a LAN connection.

a properly configured wireguard tunnel is harder to configure than a tailscale network with a mullvad exit node. (I think)

a wireguard tunnel can only connect one device to the Jellyfin Server (or router if it supports it)

[–] [email protected] 1 points 2 days ago* (last edited 2 days ago)

WG Ez worked fine for me? Basically just VPNs me right into my LAN.

OH I'm an idiot, I forgot I connect to my domain for the wire guard connection lmao

Though I did mean just tunnel into the Lan then the vpn is applied on outbound connections on the Lan using something like Gluetun or w/e

[–] [email protected] 10 points 3 days ago (13 children)

Run in at home and get Tailscale setup with a Headscale server, or just use Tailscale straight out of you want. That's the simplest.

A better option would be getting an OpenWRT router and start building proper infrastructure for doing something like this. You'll have many different options for decentralized and NAT traversing VPNs with this option. GL.Inet Flint is a great choice.

load more comments (13 replies)

[–] [email protected] 8 points 3 days ago* (last edited 3 days ago)

This is one of the funniest posts I've seen here so far. Thanks for that! I unfortunately don't otherwise have anything to add that hasn't already been said, just wanted you to know that I enjoyed it a lot :)

[–] [email protected] 5 points 3 days ago* (last edited 3 days ago) (1 children)

After reviewing the entire thread, I have to say that this is quite an interesting question. In a departure from most other people's threat models, your LAN is not considered trusted. In addition, you're seeking a solution that minimizes subscription costs, yet you already have a VPN provider, one which has a -- IMO, illogical -- paid tier to allow LAN access. In my book, paying more money for a basic feature is akin to hostage-taking. But I digress.

The hard requirement to avoid self-signed certificates is understandable, although I would be of the opinion that Jellyfin clients that use pinned root certificates are faulty, if they do not have an option to manage those pinned certificates to add a new one. Such certificate pinning only makes sense when the client knows that it would only connect to a known, finite list of domains, and thus is out-of-place for Jellyfin, as it might have to connect to new servers in future. For the most part, the OS root certificates can generally be relied upon, unless even the OS is not trusted.

A domain name is highly advised, even for internal use, as you can always issue subdomains for different logical network groupings. Or maybe even ask a friend for a subdomain delegation off of their domain. As you've found, without a domain, TLS certificates can't be issued and that closes off the easy way to enable HTTPS for use on your untrusted LAN.

But supposing you absolutely do not want to tack on additional costs, then the only solution I see that remains is to set up a private VPN network, one which only connects your trusted devices. This would be secure when on your untrusted LAN, but would be unavailable when away from home. So when you're out and about, you might still need a commercial VPN provider. What I wouldn't recommend is to nest your private VPN inside of the commercial VPN; the performance is likely abysmal.

[–] [email protected] 5 points 3 days ago (1 children)

But supposing you absolutely do not want to tack on additional costs, then the only solution I see that remains is to set up a private VPN network, one which only connects your trusted devices. This would be secure when on your I trusted LAN, but would be unavailable when awat from home.

Traditionally this would be performed by creating a dedicated network of trusted devices. Most commonly via a VLAN for ease of configuration. Set the switch ports that the trusted devices are connected to to use that vlan and badabing badaboom you're there. For external access using Tailscale or one of the many similar services/solutions (such as headscale, netbird, etc.) with either the client on every device or using subnet routing features to access your trusted network, and of course configure firewalls as desired

[–] [email protected] 3 points 3 days ago* (last edited 3 days ago) (3 children)

I had a small typo where "untrusted" was written as "I trusted". That said, I think we're suggesting different strategies to address OP's quandary, and either (or both!) would be valid.

My suggestion was for encrypted L3 tunneling between end-devices which are trusted, so that even an untrustworthy L2 network would present no issue. With technologies like WireGuard, this isn't too hard to do for mobile phone clients, and it's well supported for Linux clients.

If I understand your suggestion, it is to improve the LAN so that it can be trusted, by way of segmentation into VLANs which separate the trusted devices from the rest. The problem I see with this is that per-port VLANs alone do not address the possibility of physical wire-tapping, which I presumed was why OP does not trust their own LAN. Perhaps they're running cable through a space shared with other tenants, or something like that. VLANs help, but MACsec encryption on the wire paired with 802.1x device certificate for authentication is the gold standard for L2 security.

But seeing as that's primarily the domain of enterprise switches, the L3 solution in software using WireGuard or other tunneling technologies seems more reasonable. That said, the principle of Defense In Depth means both should be considered.

load more comments (3 replies)

[–] [email protected] 1 points 2 days ago

I'm not taking this to lemmyml

[–] [email protected] 4 points 3 days ago* (last edited 3 days ago) (1 children)

I think the easiest way would be to have two vlans on your local network. One that is connected to the internet and another that is local only. I think you'd have to switch networks when wanting to access the jellyfin server in that instance, but would negate the main issue, which is your VPN.

Edit: that's about the most secure you can get I think. If you bought a different physical router to host it, you'd have about as secure a setup as possible.

load more comments (1 replies)

[–] [email protected] 4 points 3 days ago (2 children)

Hang on.

Would it not be better to run a VPN server on your router to force all WAN-bound traffic through the VPN? This way, you could still access your local devices.