I have docker installed, but only have a vague idea of how it works.

Back in the day, I would just port forward, but even then, I would need a static IP somehow.

I have heard a reverse proxy is an option, but that is an entirely new topic to me.

Surely there is an easy way to access Jellyfin outside of my home network that I’m just missing.

*Edit: I am blown away by all the help and support! I currently have tailscale running, and I’m in the process of purchasing a domain.

Thanks everyone!

  • Faceman🇦🇺@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    2
    ·
    4 hours ago

    for a beginner with just a few remote clients, tailscale all the way.

    though I still like doing it the old way with a custom nginx setup, fail2ban and a domain name, but its more work to make it secure and even then it’s still somewhat of a liability.

  • 棉蘭阿偉@lemmy.1095.me
    link
    fedilink
    English
    arrow-up
    14
    ·
    21 hours ago

    @Vegan_Joe — if you’re still stuck, try this: install Tailscale → join your tailnet → expose Jellyfin container port 8096 as 443. That’s it. No nginx, no static IP hunting. I wrote a 3-command cheatsheet here https://cxgo.ai/l/5bwrT9m that I wish existed when I started fumbling with docker-compose overrides. Works on a $20 raspberry pi and a 2014 Mac mini, so your hardware shouldn’t matter.

  • paultimate14@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    ·
    21 hours ago

    I ended up using duckdns for a free domain. It sucks that I had to tie it to a google account, and maybe one day this might be an area where I buy a proper domain instead.

    I have a glinet Flint3 router that makes it easy to spin up Wireguard servers on it. It was a bit more finnicky, but eventually I was able to get into the advanced settings and configure the router to sync the dynamic IP with DuckDNS too.

    So I have Wireguard on my phone and my wife’s phone. We have one pair of close friends who have a connection on their router too (and vice-versa) and their own Jellyfin server.

  • Wilmo@programming.dev
    link
    fedilink
    English
    arrow-up
    103
    arrow-down
    2
    ·
    2 days ago

    Tailscale. It’s free. Insanely easy to set up.

    Just install on your devices and connect via the given tailscale ip for the jellyfin server.

    • ragebutt@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      14
      ·
      1 day ago

      Or head scale if you don’t want something you don’t control that requires an account with google/apple/microsoft

      • pineapple@lemmy.ml
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 day ago

        Headscale is great but requires port forwarding which, aside from having its own iasues, is something op wants to avoid.

    • sakphul@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      29
      ·
      2 days ago

      I would also propose going with Tailscale instead If a VPN + DynDNS solution. Imho it is a lot easier to Setup compared to VPN + DynDNS If you are a beginner and just starting out.

      If at some point you need more and then is available in the free Tier of Tailscale and you do not want to pay for it (and you have built up some knowledge!) you can switch to something like Headscale or Netbird.

      • philanthropicoctopus@thelemmy.club
        link
        fedilink
        English
        arrow-up
        2
        ·
        13 hours ago

        Currently I’m using tailscale. I like it but often switching IP address if I’m at home and I can’t use my normal vpn on it. Plus, I’m excited to learn about DNS and cloud flare. Its just very overwhelming haha

      • hoshikarakitaridia@lemmy.world
        link
        fedilink
        English
        arrow-up
        5
        ·
        2 days ago

        I forgot to mention that one because I kinda thought it belongs with radmin and hamachi, but it’s my choice as well currently.

        I am using it with my own Headscale though, so add a domain to that as well.

        And I finally need to switch my vaultwarden to work over tailscale & LAN finally, it’s a huge security risk to expose that one.

  • KairuByte@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    25
    ·
    2 days ago

    Personally I didn’t want to have to hand out VPN credentials to everyone, so I went with a cloudflare tunnel with Authelia as the method of authentication.

  • hoshikarakitaridia@lemmy.world
    link
    fedilink
    English
    arrow-up
    39
    ·
    edit-2
    2 days ago

    That’s the whole point of a domain. Your IP changes every now and again you need people to know where to reach you. You give them a domain, and you configure the name records so that the domain always points to the right IP address.

    Your options:

    • dynamic IP - you keep your setup as is and just periodically tell them the new IP you’re on. Annoying and exposed
    • static IP - you buy a static IP (from your ISP) and share it with your friends once. A little bit less annoying and still exposed
    • you use a VPN like hamachi or radmin - your friends install the software, they look for you IP in there, you’re done - very secure but also very annoying
    • you buy a domain - you have to configure an IP updater like ddclient or similar, then you jellyfin should be reachable - least annoying for your friends but also slightly less secure

    Domain is the cleanest option.

    I am telling you how annoying it is because that’s how likely your friends are to adopt it and how secure it is because depending on your country you are doing something illegal and you really don’t want anyone to find out and you gotta keep it updated more often if you don’t want people to exploit it. There’s an endless supply of very smart people out there who use known bugs to target public services.

    Edit: I forgot DDNS, see below comments.

      • mic_check_one_two@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        9 hours ago

        On Cloudflare, you’ll want to set a DNS record to point any relevant subdomains to your current WAN IP address. IPv4 will be an A Name record. IPv6 would be an AAAA Name record, but I’m not going to deal with IPv6 for this… Here is an example of mine, with info blocked out:


        So for instance, maybe you have a peepee.example.com subdomain, a poopoo.example.com subdomain, etc which all point to your WAN IP address. That will basically tell Cloudflare’s DNS to forward any traffic for those subdomains to your WAN IP. Each subdomain can also choose whether or not to proxy the content, or just directly send it to your WAN with DNS. Basically, when Cloudflare propagates the DNS records to the various DNS servers, you can choose whether that record has your WAN IP (DNS Only) or one of Cloudflare’s (Proxied). Proxy support means you can take advantage of some additional CF protections, but it also means passing all of the data through CF’s server. In most cases, you’ll want DNS Only. Proxy support will depend on the individual service. Some will work fine with it, some won’t. And it’s also possible that you don’t want services proxied through CF for privacy reasons.

        Next, you’ll want to set up a reverse proxy service. This will be something like Nginx Proxy Manager, Caddy, etc that you run on a device on your LAN. It can even be on the same machine running your various services. The big reverse proxies all offer Docker images, so you can incorporate it directly into an existing Docker stack if you already have one. Personally I use NPM, but Caddy is also very popular.

        You’ll tell this reverse proxy “when you receive valid traffic addressed to {subdomain}, forward it to {relevant service on your LAN}.” You can also set some additional options for each subdomain, like automatically upgrading to https. For instance, maybe peepee.example.com forwards to 192.168.1.100:42069 on your LAN, and is configured to automatically upgrade any http traffic to https, and to require https.

        You can also set up automatic TLS certificate renewal, so https traffic can be properly encrypted. The reverse proxy will need an API key, and it will allow the service to automatically check expiration dates and pull a fresh TLS cert for your domain if the date is coming up soon.

        You’ll probably want to use a wildcard certificate, (basically *.example.com) because the TLS certificates are open to the public. So if you do individual certs for all of your various services, bots will scrape the public records and you’ll inevitably get a lot of bot traffic probing your various subdomains. A wildcard domain usually means the bots hit the standard example.com and www.example.com first, which makes them super easy to detect and block. I even have rules set up to automatically block anything that tries to access my www subdomain, because I specifically don’t host a landing page and don’t have anything available there. So I know that any traffic hitting that www subdomain is a bot trying to access common subdomains.

        Next, you’ll want to forward ports 80 and 443 to your reverse proxy. Port 80 is the standard port for http traffic, and 443 is the standard port for https traffic. These will be the ports that your reverse proxy actually receives the traffic on, before forwarding it to the various services. Note that lots of lazy devs default to using 80 and 443 for lots of things, so you may want to configure your router to use a different port (like 81 or 444) for its config page if you’re able. Otherwise, you may end up accidentally locking yourself out of your router’s config page, because it will attempt to use 80 to reach the page, then get automatically forwarded to the reverse proxy instead.

        Finally, for some ease-of-maintenance, you may want to consider adding a DDNS service (like Cloudflare-DDNS) to your docker stack. This will occasionally check your current WAN IP, and update it with Cloudflare if necessary. For example, if you have an outage and your router gets a new WAN IP when it boots back up again. Normally you would need to manually go to Cloudflare and update the IP info to point at your new address. But DDNS does that automatically.

        The way traffic flows when it is all set up is along these lines:

        1. A device wants to access your service at peepee.example.com. It doesn’t know where to find that site, so it asks a DNS server.
        2. Cloudflare has told all of the various DNS servers “hey, peepee.example.com can be found at {your IPv4 WAN address}”.
        3. The device follows that DNS record, and attempts to connect to your IPv4 WAN address, on port 80 or 443. For this example, let’s say it tries to connect on port 80 for standard http traffic. The device knocks on port 80’s door and says “hey, I’m here to access http://peepee.example.com/.”
        4. Your reverse proxy checks the configured list, finds the valid peepee.example.com subdomain, finds it has a valid TLS cert, finds it is configured to automatically upgrade to https, and responds “Yes, please upgrade to https. Http traffic is not allowed.”
        5. The external device knocks again, this time on port 443’s door. It goes “hey, I’m here to access https://peepee.example.com/. Your reverse proxy goes “thank you, here is the TLS cert and my half of the TLS security handshake.”
        6. Your external device uses the data in the TLS cert to validate and complete the TLS handshake with the reverse proxy, and the traffic between the reverse proxy and your external device is now encrypted with https. Your device gets the nice little “secured” padlock icon in your browser. Because the traffic is encrypted, a malicious actor may be able to tell what kind of info you are passing (for example, a video stream will likely have a pretty obvious pattern) but they won’t be able to see what specific data you are passing. They may be able to tell that you’re streaming a video, but they won’t know which video specifically.
        7. The reverse proxy forwards the traffic to the service, configured at 192.168.1.100:42069.
        8. Your service does not ever know the device is being accessed via WAN, because (as far as the service can tell) the traffic is coming from your reverse proxy (also a LAN device). So any “pay to use WAN” services will continue to work for free.
        9. The external device never gets access to info like the specific LAN IP or port number, because it only has access to the reverse proxy. All of the traffic is passing back and forth between the reverse proxy.

        But notably, keep in mind that the reverse proxy didn’t do any actual user authentication. If your service has a weak password, a reverse proxy will act as a gateway for any potential hackers to gain access to the service. The same way an open port is a gateway directly to the service, the reverse proxy is now a gateway that simply requires an attacker to use a subdomain instead of an IP and port number. And if you make your subdomain something like jellyfin.example.com it will probably be dead simple for a bot to guess. And any vulnerabilities in the service will still be exploitable via the reverse proxy, because the reverse proxy is simply making sure the request is valid, and then passing the traffic back and forth. It isn’t actually inspecting the content of that traffic, so it’s not going to stop things like attackers. When you hear digital security folks talk about things like attack vectors, this is what they’re referring to. Your reverse proxy is a potential vector of attack for your configured services. Use strong passwords, keep your services updated, etc…

        You can technically add authentication to a reverse proxy. So for instance, maybe a service doesn’t have any built-in way to add a password. You can have the reverse proxy act as an authentication gate, so it will prompt the user for a username+password before they can even reach the service. This will make the services more secure (yes, even the ones that already have passwords, as long as you use a different password for your reverse proxy authentication) but it will break most apps that are designed to work with a service. For instance, Jellyfin has several apps that work, but those apps won’t have any way to get past the reverse proxy’s password gate. So those apps will simply break if you add a second layer of authentication with your reverse proxy.

        There are also some security options you’ll likely want to enable on Cloudflare’s side, but this comment is already long enough.

        • philanthropicoctopus@thelemmy.club
          link
          fedilink
          English
          arrow-up
          1
          ·
          9 hours ago

          Thank you so much for such a detailed reply. I’m going to print this off and go through it point by point.

          I didn’t realize how overwhelming this would be, the amount of information is incredible.

          I was trying to use the cloud flare ai assistant to set up WARP access to my phone but then I realized its basically another VPN which defeats the whole point on me using the domain because I wanted to be able to use my traditional VPN to stay protected.

          I also wanted to be able to log into my server android apps like immich and Joplin but can’t do that with authentication as its not a webpage.

          I’ll print this off and anything I don’t understand (most of it at this stage haha) I’ll spend some time studying it.

          I got a good laugh at peepee poopoo

          Thanks again

          • mic_check_one_two@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            1
            ·
            9 hours ago

            I actually just updated it slightly, and may continue to do so if I think of things. So you may simply want to check back here instead of printing it.

    • Vegan_Joe@anarchist.nexusOP
      link
      fedilink
      English
      arrow-up
      4
      ·
      2 days ago

      I appreciate your response!

      It looks like a VPN is the option I’m leaning towards, but I’ll definitely put the idea of buying a domain in my back pocket for a while.

              • Saapas@piefed.zip
                link
                fedilink
                English
                arrow-up
                6
                ·
                2 days ago

                You get to pick your numbers

                On June 1, 2017, .XYZ launched the 1.111B class .xyz domains, cheap domains priced at US$0.99 per year and renewed at the same price. The class of domains consists of six-, seven-, eight-, and nine-digit numeric combinations between 000000.xyz and 999999999.xyz. Daniel Negari, CEO of .XYZ, stated that it was meant to bring competition, choice, and innovation to the market

  • alexquiniou@lemmy.zip
    link
    fedilink
    English
    arrow-up
    9
    ·
    1 day ago

    I’m using wireguard with wg-easy. It’s a gui that let you easely setup wireguard. My isp is giving a fixed ipv4. So i don’t have to think about dns or other complicated things. I have Jellyfin and wg-easy installed on truenas as docker apps.

    There are official app for any os you want.

    https://www.wireguard.com/install/

      • Pika@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        7
        ·
        2 days ago

        it’s actually the recommended way if you use jellyfin, theres a few security/privacy vulnerabilities with publicly exposing the jellyfin server anyway, they are being worked on but, the safest way to do it is just use a vpn regardless.

        • frongt@lemmy.zip
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 day ago

          Plus it enables you to access everything. If you have radarr or sonarr or whatever, you can get to those and add media while out and about.

          Personally I use Mealie and pull up ingredient lists while I’m im at the grocery store.

      • djdarren@piefed.social
        link
        fedilink
        English
        arrow-up
        4
        ·
        2 days ago

        Just be aware that if you want anyone else to connect to your Jellyfin, you’ll still have to route it through a domain and reverse proxy, unless you’re comfortable letting them log in to your tailnet.

        It’s a bit of a fiddle to set up, but once it’s done it’s quite satisfying.

    • Pacrat173@lemmy.ml
      link
      fedilink
      English
      arrow-up
      3
      ·
      2 days ago

      It’s my go to method super easy to set up and use on both the device hosting your JellyFinn server and whatever your steaming on

    • Vegan_Joe@anarchist.nexusOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 days ago

      To be clear, your suggesting I set up my home computer as a virtual private Network server that I would connect to from the TV or device outside of my home network?

      • frongt@lemmy.zip
        link
        fedilink
        English
        arrow-up
        10
        ·
        2 days ago

        Yes, it works great for me. Probably not for a TV though, for that you’d probably need some travel router VPN client. But I don’t know how often you’d be at a random TV and need to get to jellyfin.

      • towerful@programming.dev
        link
        fedilink
        English
        arrow-up
        4
        ·
        2 days ago

        Yeh, exactly.
        And the “dynamic DNS” part handles your public IP address changing with 0 pain.
        You either buy a domain (like example.com), or there are free domain name providers that give you a subdomain (like mycooldomain.example.com) of one of their domains.
        You then run an additional service on your home server that checks what the current public IP address is. If it changes, it notifies the DNS responsible for your domain/subdomain, which then points to your new public IP.
        To connect to your VPN, you only ever care about “mycooldomain.example.com” and never the underlying IP address.


        As long as your ISP isn’t running CG-NAT of course 😵‍💫

  • chellomere@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    ·
    1 day ago

    I use pangolin and subdomains on my domain. It works really well, and enables SSO login to all services on the network.

      • chellomere@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 day ago

        Yeah, for certain apps you may need to do that. I’ve had to do that with Nextcloud and Linkwarden. But Immich will happily work with a shareable link.

        • PeriodicallyPedantic@lemmy.ca
          link
          fedilink
          English
          arrow-up
          1
          ·
          21 hours ago

          I actually commented a solution on a pangolin ticket, and they were like “good idea!” And implemented it, but then made it an enterprise only feature 😭

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    8
    ·
    edit-2
    4 hours ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    CGNAT Carrier-Grade NAT
    DHCP Dynamic Host Configuration Protocol, automates assignment of IPs when connecting to a network
    DNS Domain Name Service/System
    ISP Internet Service Provider
    NAT Network Address Translation
    Plex Brand of media server package
    SSO Single Sign-On
    TLS Transport Layer Security, supersedes SSL
    UDP User Datagram Protocol, for real-time communications
    VPN Virtual Private Network
    VPS Virtual Private Server (opposed to shared hosting)
    nginx Popular HTTP server

    [Thread #41 for this comm, first seen 5th Jul 2026, 18:30] [FAQ] [Full list] [Contact] [Source code]

    • MasterOKhan@lemmy.ca
      link
      fedilink
      English
      arrow-up
      8
      ·
      2 days ago

      I second this, if it’s only you that needs access then Tailscale will be all that you need. You can use Tailscale funnel if you want it to be available to the wider web, but then you have to manage SSL certificates and it is slightly less secure.

      I would caution against port forwarding and leaving your server open to the wider web.

  • Err(()).unwrap()@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    ·
    edit-2
    2 days ago

    As others have said, Tailscale is the most pragmatic solution. It’s a mesh VPN based on Wireguard. It’s implemented in such a way that you don’t need a static IP and don’t need to open any ports on your firewall. The caveat is that you either need to register an account on tailscale.com (it’s free for small-scale use) or set up a self-hosted alternative like Headscale on a VPS. Then you have to install the Tailscale client on each of the hosts you want to access and log into your account.

    Tailscale nodes will be accessible using an internal, private address in the 100.64.0.0/10 address space. You can also set up a split DNS that allows you to access your hosts using a DNS name like hostname.your-tailnet-name.ts.net.