Please take this discussion to this post: https://lemmy.ml/post/28376589
Main content
Selfhosting is always a dilemma in terms of security for a lot of reasons. Nevertheless, I have one simple goal: selfhost a Jellyfin instance in the most secure way possible. I don’t plan to access it anywhere but home.
TL;DR
I want the highest degree of security possible, but my hard limits are:
- No custom DNS
- Always-on VPN
- No self-signed certificates (unless there is no risk of MITM)
- No external server
Full explanation
I want to be able to access it from multiple devices, so it can’t be a local-only instance.
I have a Raspberry Pi 5 that I want to host it on. That means I will not be hosting it on an external server, and I will only be able to run something light like securecore rather than something heavy like Qubes OS. Eventually I would like to use GrapheneOS to host it, once Android’s virtual machine management app becomes more stable.
It’s still crazy to me that 2TB microSDXC cards are a real thing.
I would like to avoid subscription costs such as the cost of buying a domain or the cost of paying for a VPN, however I prioritize security over cost. It is truly annoying that Jellyfin clients seldom support self-signed certificates, meaning the only way to get proper E2EE is by buying a domain and using a certificate authority. I wouldn’t want to use a self-signed certificate anyways, due to the risk of MITM attacks. I am a penetration tester, so I have tested attacks by injecting malicious certificates before. It is possible to add self-signed certificates as trusted certificates for each system, but I haven’t been able to get that to work since it seems clients don’t trust them anyways.
Buying a domain also runs many privacy risks, since it’s difficult to buy domains without handing over personal information. I do not want to change my DNS, since that risks browser fingerprinting if it differs from the VPN provider. I always use a VPN (currently ProtonVPN) for my devices.
If I pay for ProtonVPN (or other providers) it is possible to allow LAN connections, which would help significantly, but the issue of self-signed certificates still lingers.
With that said, it seems my options are very limited.
I don’t plan to access it anywhere but home
Okay so what’s all this faffing about for? Just don’t open it up to the internet and access it with your servers local ip address on your home network
I wish it were that simple, but as I mentioned that would require paying for ProtonVPN to allow LAN connections (which isn’t the worst thing in the world, but I’d prefer to avoid subscriptions where possible) and clients don’t allow self-signed certificates.
Look into Tailscale. Its free
Idk if proton allows you to download config files on a free account but if they do then you could use those to manually split tunnel your local internet
Edit: if they don’t then the “most secure” (and cheapest) option is to pay for a VPN that allows Lan connections
Idk if proton allows you to download config files on a free account
I remember a time a few years ago when I managed to do something similar… I’ll look into this!
Edit: It seems so
Just run it on the LAN and don’t expose it to the Internet. That’s 99% of the way there. HTTPS only secures the connection, and I doubt you’re sending any sensitive info to or from Jellyfin (but you can still run it in docker and use caddy or something with Let’s Encrypt).
The bigger target is making sure jellyfin itself and the host it runs on are updated and protected. You could use a WAF too.
Just run it on the LAN and don’t expose it to the Internet.
This would require paying for a VPN to allow LAN connections, which is an option but not my preferred one.
HTTPS only secures the connection, and I doubt you’re sending any sensitive info to or from Jellyfin
This is a matter of threat model, and I would prefer not to expose my TV preferences unencrypted over the network.
but you can still run it in docker and use caddy or something
Does Caddy require a custom DNS in order to point the domain to a local IP address?
The bigger target is making sure jellyfin itself and the host it runs on are updated and protected.
This is easy with securecore, since it updates daily. The rest of the semantics for the actual hosting side aren’t too difficult.
You don’t need a VPN for LAN connections. You’re already on the LAN. You’d only need it for access from the WAN.
If you’re using Let’s Encrypt, you should probably purchase a domain. I don’t think they support .internal domains. Or you could set up your own CA and run it however you want, even issuing certs to access by IP address if you wanted.
You don’t need a VPN for LAN connections.
ProtonVPN by default blocks LAN connections, and can only be changed using their paid tier.
For that aspect, I would recommend changing to a provider that doesn’t have such ridiculous restrictions.
I kind of get it from Proton’s POV. If they have a free tier that allows a limited number of devices they’ll want to make sure you don’t tunnel all you devices through that one.
The only other providers I would use are Mullvad VPN or IVPN, both of which are paid.
I agree it is ridiculous.
I applaud your accomplishment as a penetration tester. I am disappointed at your lack of understanding regarding non-public networking.
Move your VPN to your router. Don’t bother with HTTPS on anything not exposed to the Internet.
If that does not satisfy your concerns, you may want to give up using electronic devices.
No reason not to have both. Things like vaultwarden do warrant an extra layer so setup wildcard domain for internal services x.local.example.com and then normal certs for external stuff like y.example.com.
To get internal stuff you then need your vpn as well to access it. You can now easily choose what risk you want on a per app basis.
Technotim has a good video on this
There is a huge reason to use HTTPS inside the LAN - so many browsers and other client software show HTTPS connections as more secure, with a nice padlock. For me, this was worth the minor inconvenience of setting up DNS-challenge with let’s encrypt with a domain I already had.
Your huge reason is the padlock in the browser bar? I’m not against TLS internally. I do it myself with my own CA. For this particular instance and the unique requirements, it seemed easiest to avoid TLS.
Yes it is. I got so annoyed by seeing it unlocked.
Run in at home and get Tailscale setup with a Headscale server, or just use Tailscale straight out of you want. That’s the simplest.
A better option would be getting an OpenWRT router and start building proper infrastructure for doing something like this. You’ll have many different options for decentralized and NAT traversing VPNs with this option. GL.Inet Flint is a great choice.
Run in at home and get Tailscale setup with a Headscale server, or just use Tailscale straight out of you want. That’s the simplest.
I have no idea how to do this. Do you have any resources? Does it cost a subscription fee?
A better option would be getting an OpenWRT router
This is what I have planned. OpenWrt Two my beloved
You’ll have many different options for decentralized and NAT traversing VPNs with this option. GL.Inet Flint is a great choice.
I also don’t know how to do this. Resources are much appreciated :)
Okay, so let me explain a bit:
Tailscale is a commercial client that is semi-FOSS. It’s built on Wireguard, which is FOSS, but the cloud hosted architecture does cost money after I think 5 clients.
Headscale is a FOSS implementation of Tailscale, and totally free to host, skipping the above.
Tailscale itself is super easy to use, and you just install it on a node, register it, and then it has access to any other device on that secured network. So if you install it on your Jellyfin machine at home behind your normal firewall, then install it on your phone, you’ll be able to connect to it without forwarding ports for messing around with much.
It should be that simple.
Iirc it supports 100 clients on the free tier, but even that is a soft limit – I’ve heard that they will accommodate more devices if you ask (and you’re in a non-commercial setting)
Does Headscale conflict with ProtonVPN/Mullvad VPN (i.e. can I use those alongside Headscale)? Android has a limited number of VPN slots, so that’s why I ask.
Nope. Wireguard runs outside the same protocols.
Just give Tailscale a try first because it’s essentially free for a few nodes. If you need more and don’t want to pay, then investigate Headscale.
So:
- ProtonVPN is installed on my Android phone
- Android has
Always-on VPNenabled - Android has
Block connections without VPNenabled - Host Jellyfin on my Raspberry Pi 5
- Install Headscale on my Raspberry Pi 5
- Install Headscale on my Android phone
- Install a Jellyfin client on my Android phone
- Configure everything
And that will work? It will be encrypted during transit? And only run on the LAN? Does ProtonVPN need to allow LAN connections (I assume it does)?
Sorry, it may be confusing, but Headscale is ONLY the free server component. The client is still Tailscale’s open client. That’s why I’m saying just sign up and try it first with Tailscale, and then if you need more connections without paying, create a Headscale server and re-register your clients to that to skip charges.
Alright, I’m slowly learning, bare with me here:
- ProtonVPN is always-on and blocks connections without VPN
- Jellyfin and Headscale are hosted on the Pi (or does Headscale need its own server?)
- Tailscale and a Jellyfin client are installed on the phone
Then:
- Will that will run fully on the LAN?
- Will it be encrypted during transit?
- Does ProtonVPN need to allow LAN connections?
After reviewing the entire thread, I have to say that this is quite an interesting question. In a departure from most other people’s threat models, your LAN is not considered trusted. In addition, you’re seeking a solution that minimizes subscription costs, yet you already have a VPN provider, one which has a – IMO, illogical – paid tier to allow LAN access. In my book, paying more money for a basic feature is akin to hostage-taking. But I digress.
The hard requirement to avoid self-signed certificates is understandable, although I would be of the opinion that Jellyfin clients that use pinned root certificates are faulty, if they do not have an option to manage those pinned certificates to add a new one. Such certificate pinning only makes sense when the client knows that it would only connect to a known, finite list of domains, and thus is out-of-place for Jellyfin, as it might have to connect to new servers in future. For the most part, the OS root certificates can generally be relied upon, unless even the OS is not trusted.
A domain name is highly advised, even for internal use, as you can always issue subdomains for different logical network groupings. Or maybe even ask a friend for a subdomain delegation off of their domain. As you’ve found, without a domain, TLS certificates can’t be issued and that closes off the easy way to enable HTTPS for use on your untrusted LAN.
But supposing you absolutely do not want to tack on additional costs, then the only solution I see that remains is to set up a private VPN network, one which only connects your trusted devices. This would be secure when on your untrusted LAN, but would be unavailable when away from home. So when you’re out and about, you might still need a commercial VPN provider. What I wouldn’t recommend is to nest your private VPN inside of the commercial VPN; the performance is likely abysmal.
This is one of the funniest posts I’ve seen here so far. Thanks for that! I unfortunately don’t otherwise have anything to add that hasn’t already been said, just wanted you to know that I enjoyed it a lot :)
If you are willing to swap to mullvad then you can also install tailscale. You can then choose to connect to your jellyfin server (over LAN) or (over tailscale-wireguard tunnel over LAN) while the rest of the traffic flows through mullvad.
Why not just skip that and just use a wire guard tunnel?
a wireguard tunnel over a forced NordVPN tunnel will mean that all his traffic will flow all the way to the NordVPN node and all the way back for a LAN connection.
a properly configured wireguard tunnel is harder to configure than a tailscale network with a mullvad exit node. (I think)
a wireguard tunnel can only connect one device to the Jellyfin Server (or router if it supports it)
WG Ez worked fine for me? Basically just VPNs me right into my LAN.
OH I’m an idiot, I forgot I connect to my domain for the wire guard connection lmao
Though I did mean just tunnel into the Lan then the vpn is applied on outbound connections on the Lan using something like Gluetun or w/e
I think the easiest way would be to have two vlans on your local network. One that is connected to the internet and another that is local only. I think you’d have to switch networks when wanting to access the jellyfin server in that instance, but would negate the main issue, which is your VPN.
Edit: that’s about the most secure you can get I think. If you bought a different physical router to host it, you’d have about as secure a setup as possible.
This is fair, and does solve the problem. I didn’t explicitly state that I needed it to be convenient, so you’re right. Having one network that is LAN only and switching to it to use Jellyfin, and having a second network that is WAN only and using ProtonVPN there would probably be the most secure setup. Unfortunately, it still doesn’t solve the issue of encryption in transit over the LAN, but that might be fixable with Tailscale. The LAN could even be ethernet-only, to mitigate wireless attacks.
That makes me wonder if there’s a way I could simply plug an ethernet cord from my phone to the airgapped Pi and use it that way. Is that possible? Surely it is. Could ProtonVPN be used on the phone even while the phone is connected physically to the Pi?
Fwiw jellyfin apps don’t even allow you to use a self signed cert.
I know. It’s very unfortunate, but I understand why.
I can’t answer your question as I rely on Plex rather than fooling around with my own security, but I’d suggest reconsidering the Pi and a microSD to host Jellyfin. Neither one of these are a good fit unless you plan on sticking to very specific audio and video codecs to avoid all transcoding and your upload speeds are capable of serving the full bitrate of your files. Beyond that, SD cards are terrible for this kind of task and you’d be much better served with an SSD as your boot/data drive for robustness. I can’t even count the number of failed SD cards I’ve had over the years.
but I’d suggest reconsidering the Pi
It’s what I have on hand at the moment. I don’t have proper server hardware yet.
and a microSD to host Jellyfin.
Beyond that, SD cards are terrible for this kind of task and you’d be much better served with an SSD as your boot/data drive for robustness. I can’t even count the number of failed SD cards I’ve had over the years.
I will keep this in mind, thank you!
Neither one of these are a good fit unless you plan on sticking to very specific audio and video codecs to avoid all transcoding and your upload speeds are capable of serving the full bitrate of your files.
I haven’t tried playing videos from my Raspberry Pi, but I’ve been able to run extremely modern video codecs on some pretty old hardware without any issues. Since I’ve never had issues with video codecs, I’m not experienced in what hardware can and can’t handle it.
A micro sized PC with an i5 and 8gb or ram can cost under 100€, and it’s way more powerful compared to a pi. Power efficient too. That’s what I used for a long time for my jellyfin server.
Thank you! I’d like to avoid extra costs, since I already have the Pi on hand, but when I have the money I will switch to a proper server.
Can I run it via PoE?
I don’t think so, but don’t quote me on that. My machines come with a 65w charger.
It cannot.
While used equipment is more powerful then a Pi, it doesn’t always fit everyone’s use case and I hate it when people have a “one size fits all” solution.
I agree with you, but this was specifically about jellyfin.
I’m not taking this to lemmyml
Your options are only as limited as your imagination and complexity of your requirements.
If you’re only using it on your network, just use HTTP with mdns (or have static routes from your router or something, but you said you don’t want that) so you don’t have to remember IP addresses. If you want TLS, you can borrow someone else’s domain with a service like FreeDNS.afraid.org (5 free subdomains). Or if you control the devices completely, you can make a root CA and add that to each device’s trusted CA list, and then sign your own certs and eliminate MITM attacks.
You have options, and most are overkill. The simplest, secure solution is HTTP on your local network or over a VPN you trust (if you have a publicly accessible IP, just host your own WireGuard server on/via your router).
You can also add a second network interface to the computer that needs to access the jellyfin server over LAN.
So you want a self hosted jellyfin instance that you only plan to access at home, as secure and simply as possible?
Buy an HDMI splitter.
