I am making this post in good faith

In my last post I asked about securely hosting Jellyfin given my specific setup. A lot of people misunderstood my situation, which caused the whole thread to turn into a mess, and I didn’t get the help I needed.

I am very new to selfhosting, which means I don’t know everything. Instead of telling me that I don’t know something, please help me learn and understand. I am here asking for help, even if I am not very good at it, which I apologize for.

With that said, let me reoutline my situation:

I use my ISP’s default router, and the router is owned by Amazon. I am not the one managing the router, so I have no control over it. That alone means I have significant reason not to trust my own home network, and it means I employ the use of ProtonVPN to hide my traffic from my ISP and I require the use of encryption even over the LAN for privacy reasons. That is my threat model, so please respect that, even if you don’t agree with it. If you don’t agree with it, and don’t have any help to give, please bring your knowledge elsewhere, as your assistance is not required here. Thank you for being respectful!

Due to financial reasons, I can only use the free tier of ProtonVPN, and I want to avoid costs where I can. That means I can only host on the hardware I have, which is a Raspberry Pi 5, and I want to avoid the cost of buying a domain or using a third party provider.

I want to access Jellyfin from multiple devices, such as my phone, laptop, and computer, which means I’m not going to host Jellyfin on-device. I have to host it on a server, which is, in this case, the Raspberry Pi.

With that, I already have a plan for protecting the server itself, which I outlined in the other post, by installing securecore on it. Securing the server is a different project, and not what I am asking for help for here.

I want help encrypting the Jellyfin traffic in transit. Since I always have ProtonVPN enabled, and Android devices only have one VPN slot enabled, I cannot use something such as Tailscale for encryption. There is some hope in doing some manual ProtonVPN configurations, but I don’t know how that would work, so someone may be able to help with that.

All Jellyfin clients I have used (on Linux and Android) do not accept self-signed certificates. You can test this yourself by configuring Jellyfin to only accept HTTPS requests, using a self-signed certificate (without a domain), and trying to access Jellyfin from a client. This is a known limitation. I wouldn’t want to use self-signed certificates anyways, since an unknown intruder on the network could perform a MITM attack to decrypt traffic (or the router itself, however unlikely).

Even if I don’t trust my network, I can still verify the security and authenticity of the software I use in many, many ways. This is not the topic of this post, but I am mentioning it just in case.

Finally, I want to mention that ProtonVPN in its free tier does not allow LAN connections. The only other VPN providers I would consider are Mullvad VPN or IVPN, both of which are paid. I don’t intend to get rid of ProtonVPN, and again that is not the topic of this post.

Please keep things on-topic, and be respectful. Again, I am here to learn, which is why I am asking for help. I don’t know everything, so please keep that in mind. What are my options for encrypting Jellyfin traffic in transit, while prioritizing privacy and security?

  • Melmi@lemmy.blahaj.zone (29 points, 3 days ago)

    A lot of people have suggested Tailscale and it’s basically the perfect solution to all your requirements.

    You keep saying you need ProtonVPN which means you can’t use Tailscale, but Tailscale actually supports setting up an exit node which is what you need. Put ProtonVPN on the Raspberry Pi, then set it up as an exit node for your tailnet. There’s a lot of people talking about how they did this online. It looks like they even have native support for bypassing the manual setup if you use Mullvad.

    As long as every client has the ability to use Tailscale (i.e. no weird TVs or anything) this seems like it checks all your boxes. And since everything is E2EE from Tailscale, TLS is redundant and you can just use HTTP.

    • sem@lemmy.blahaj.zone (+7 / -1, 3 days ago)

      I’ll just add my 2¢

      Tailscale is incredibly powerful and they do a lot of work to make their systems intelligible, but the learning curve is still pretty steep. But still a great option.

      • treyf711@lemm.ee (4 points, 3 days ago)

        One thing that I do, though it may not be as secure as a reverse proxy, is just using Tailscale Funnel to expose my Jellyfin instance.

        I’d like to learn a self-hosted SSO but time is my least abundant resource at the moment.

  • tychosmoose@lemm.ee (37 points, 3 days ago)

    How about creating your own LAN within the untrusted network?

    Something like an inexpensive OpenWRT router would do fine. Connect all your devices and the server to the router. They are now on a trusted network. Set up Wireguard on the OpenWRT router to connect to Proton so that your outbound traffic from all your devices is secured.

    • non_burglar@lemmy.world (21 points, 3 days ago)

      I was looking for this. OP seems to be obsessed with “zero trust”, so creating a trusted area for this stuff would be an easy win.

      • sugar_in_your_tea@sh.itjust.works (4 points, edited, 3 days ago)

        Exactly! I did that for a couple years until I found a cheap modem to replace the ISP modem. It didn’t do any routing, so there was no weird NAT issue, it just converted the DSL signal to Ethernet with a WAN IP.

        I didn’t have to change any network settings on my LAN when I switched, or when I moved to another place with a different ISP. I had that same router for years, even after I got a dedicated AP for my house.

    • TDCN@feddit.dk (5 points, 3 days ago)

      I have done this before as well when living in a dorm where WiFi was shit, so I did my own little setup in my room so I could stream to Chromecast etc. on my own trusted LAN. Get a small router with support for WireGuard VPN (I love MikroTik for this) and you have an easy way to tunnel out for all your devices.

      • Scrath@lemmy.dbzer0.com (1 point, edited, 3 days ago)

        Hey, this is off topic from the original post but could you tell me what device specifically you have used?

        I am going to be moving into a dorm soon and was looking to set up my own VLAN or whatever you need for a private network because I don’t want to mess with the dorm router. I had a look at a Mikrotik switch (CRS310) but was unsure whether the fan noise would be too loud if I am staying in the same room and, more importantly, whether this even allows me to do what I want to do.

        Edit: I misused the word dorm. It is a shared apartment rented with a couple of other students.

        • tychosmoose@lemm.ee (2 points, 3 days ago)

          That isn’t what I would choose for your situation. CRS3xx switches are fast at switching (layer 1 & 2), but not as a NAT router, which you probably need.

          Better to pick something from the Mikrotik Ethernet Routers range, assuming you don’t want your personal LAN to have WiFi. The L009 or basic RB5009 are both good options in the same price range. Choosing depends on your upstream connection speed. Both are fanless.

          Or pick a Home/Office Wireless device if you are permitted to have your own WiFi access point. The hAP ax2 is small, affordable and performs well at 1Gbps. If your upstream connection is 1Gbps this is probably what I would choose even if you don’t want WiFi, as long as it has enough ports. Just turn off its WiFi radios to use it wired-only. If you have a 2.5Gbps upstream port then hAP ax3 is a better choice.

          All the Mikrotik choices will require some learning if you want anything beyond a basic router configuration. But once you get it like you want it they are very solid and reliable.

          OpenWRT and OPNSense are easier to jump into without a lot of effort, so if you don’t want a networking hobby I would use one of them. Pick up a pre-installed device if you want it easy. Or get a mini PC with a few network ports and install the OS yourself to get more power for the money.

          • Scrath@lemmy.dbzer0.com (2 points, 3 days ago)

            Wow, that was a lot more comprehensive than what I was hoping for. Thanks.

            I was particularly interested in the CRS310 because it had 2.5G ports with the ability to eventually later even expand into 10G. 10G speeds aren’t really relevant for me (for now) since I mainly want the speed advantage for slightly faster transfers to my NAS but I would be interested in 2.5G capability. Do you think it makes sense to pick one of the devices you recommended, specifically the hAP ax2 and then if I want to get into 2.5G territory to buy an unmanaged 2.5G switch? Speeds of 2.5G and more are only interesting for transfers between my own local devices for me. I don’t need the rest of the network to have fast access so I guess the hAP ax2 makes more sense to buy than ax3. The ability to open my own WiFi network is also quite attractive so I can have local access even from my laptop or phone which I guess is another point in favor of the Home/Office AP route.

            • tychosmoose@lemm.ee (2 points, 3 days ago)

              Sure. That plan would work. You might want to be sure that this is permitted at your university.

              Universities often have strict rules about what should connect to their networks.

              • Scrath@lemmy.dbzer0.com (2 points, 3 days ago)

                Ah, I may have misused the word dorm. It’s more of a shared apartment rented by multiple students, so there aren’t any limitations in that regard, fortunately.

                • tychosmoose@lemm.ee (1 point, 3 days ago)

                  Ah, got it. That plan should be great. You can segment your own wired+WiFi network with that hardware, and even do Wireguard from the hAP ax2 to get whole-network egress via an outside VPN service at a good data rate, if you want.

                  The other devices you might consider as the router are the GL-iNet Slate series. They will be slower as a VPN router, but they’re pretty small and light. They come with a skinned OpenWRT, but in most cases you can install a build of the unmodified OS if you want.

        • TDCN@feddit.dk (1 point, 3 days ago)

          It can be a good idea to mentally separate your router needs from your 2.5G speed and WiFi needs; they don’t have to live on the same device. For your private LAN you need a router so you can hide and control your devices behind NAT and a firewall. For that I’d just recommend one of the small hAP or hAX devices that suits your needs for routing and/or WiFi. If you want to be fancy the RB9005U could maybe work with your switching need as well.

          You don’t need VLANs. I believe it is not what you think it is. A VLAN is for when you want to segregate your own LAN into different independent LANs with various firewall rules.

          All you need for your dorm is NAT. But for the love of god make sure that you don’t connect your LAN with the dorm LAN or your DHCP server will start handing out IPs to everyone else in your dorm and it will crash the dorm router. The ethernet jack in the wall of your dorm (I assume that’s how it works for you) needs to go to the WAN port of the router. But bear in mind on MikroTik you can configure the WAN port to be any physical port you want, but with the default config it is port 1.

          • Scrath@lemmy.dbzer0.com (1 point, 3 days ago)

            I may have misused the word dorm. It is a shared apartment rented with a couple of other students.

            My goal is basically to set up a private network inside the network used by the other people I share the apartment with so I can tinker with stuff like setting my own DNS server up for the network without possibly impacting the other people in case of failure. My naive impression was that I would need to use a VLAN to accomplish that.

            In regards to your idea of using multiple devices I kind of agree but I want to keep the initial cost and energy usage low for now which is why I am trying to find a device I can use for this but also reuse in the future for something else if I want to upgrade (or just retire it without too much sunk cost).

            • TDCN@feddit.dk (1 point, 2 days ago)

              I think we are getting too off topic here, so maybe make a separate post in here asking how to tinker with selfhosting, DNS, tinkering etc. and you can have multiple people’s inputs.

  • smiletolerantly@awful.systems (13 points, edited, 3 days ago)

    Hi again.

    How about the following idea:

    Set up ProtonVPN on the raspberry pi.

    On all other devices (or at least those you want to use Jellyfin on), switch from using Proton to using Wireguard. Unlike your phone, the raspberry pi has no trouble running multiple VPNs. I think the ProtonVPN limitations in regard to not allowing split tunneling don’t apply here, since all outgoing traffic will still go via Proton.

    Essentially, the Pi would function as a proxy for all of your traffic, “and also” host Jellyfin. You would still connect to http://192.168.20.10:8096/ (or whatever) on your devices, but that address would only resolve to anything when you are connected to the pi via Wireguard. No HTTPS, but “HTTP over Wireguard”, if you will.

    Note that this requires you trusting the pi to the same degree that you trust your phone.

    For your static devices (PC, TV) this should solve the problem. Devices which you take with you, like your phone, unfortunately will lose internet connectivity when you leave your home until you switch off Wireguard, and switch on Proton, and not be able to connect to Jellyfin when you return home, until you switch them back.

    Essentially, you would have a “home” VPN and an “on the go” VPN, though you never need to connect to both. There might be ways to automate this based on WiFi SSID on Android, but I have not looked into it.

    The Pros:

    • this should meet all your requirements. No additional expenses, no domain, no dynDNS; no self-signed certificate or custom CA; traffic is never unencrypted; works on all common devices.
    • Wireguard is sufficiently lightweight to not bog down the pi, normally
    • this is actually well within the intended use-cases for Wireguard, so no “black magic” required in configuring it
    • if you ever do decide to get a domain, you can configure everything to always be connected to your pi via Wireguard, even on the go! Not required though.

    The Cons:

    • when you are new to selfhosting, Wireguard is a bit daunting to set up. It is not the easiest to debug (don’t worry, it’s easy to tell IF it is working, but not always WHY it isn’t working). Some manual route handling is probably also required on the pi. It should definitely be doable though, but might turn this Jellyfin thing from a weekend project to a 2 week project…
    • I have no experience with how well the pi runs Jellyfin. If the answer is “barely”, then adding multiple concurrent Wireguard sessions might be a bad experience. Though in this case, you could only switch Proton to Wireguard whenever you want to watch Jellyfin.
    • the manual switching might be annoying, but that is the price to pay here, so to speak

    Edit: someone else already mentioned setting up your own trusted network with a second router. IMO that is the better, more hassle-free option IF you are willing to shell out the money. My suggestion is the “free” version of that, essentially 😄
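
An added example (not from the thread or any poster) of the hub-and-spoke WireGuard layout described above, written as a small generator plus a config check. It assumes names the thread does not give: tunnel subnet 10.66.66.0/24, WireGuard interface wg0, a ProtonVPN tunnel interface called proton0 on the Pi, Jellyfin on its default port 8096, a resolver reachable through the tunnel (here the Pi's own address), and placeholder keys where `wg genkey | tee privkey | wg pubkey` would produce real ones. Spokes then reach Jellyfin at http://10.66.66.1:8096/ and only over the tunnel; the Pi forwards spoke traffic only into the Proton tunnel, never out through eth0.

```python
"""Hub-and-spoke WireGuard for the "HTTP over WireGuard" plan: the Pi runs
ProtonVPN and Jellyfin, every other device tunnels to the Pi and sends all
of its traffic there.  Interface names, subnet and keys below are assumptions
and placeholders, not values from the thread."""
import ipaddress
import re
from dataclasses import dataclass

WG_NET = ipaddress.ip_network("10.66.66.0/24")   # assumed tunnel subnet
HUB_ADDR = ipaddress.ip_address("10.66.66.1")    # the Pi inside the tunnel
WG_IF = "wg0"                                    # Pi's WireGuard interface
PROTON_IF = "proton0"                            # assumed ProtonVPN tunnel interface on the Pi
JELLYFIN_PORT = 8096


@dataclass
class Spoke:
    name: str
    public_key: str                  # client's `wg pubkey` output (placeholder here)
    address: ipaddress.IPv4Address   # the client's /32 inside WG_NET


def _firewall_rules(action: str) -> list[str]:
    """Rules added with -A on PostUp and removed with -D on PostDown.

    Spoke traffic may only be forwarded into the Proton tunnel.  There is
    deliberately no wg0 -> eth0 rule: if Proton is down the spokes lose
    internet instead of leaking through the ISP router.  wg0 -> wg0 is dropped
    (spokes never talk to each other) and Jellyfin only answers on wg0."""
    return [
        f"iptables {action} FORWARD -i {WG_IF} -o {PROTON_IF} -j ACCEPT",
        f"iptables {action} FORWARD -i {PROTON_IF} -o {WG_IF} "
        "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables {action} FORWARD -i {WG_IF} -o {WG_IF} -j DROP",
        f"iptables {action} INPUT -p tcp --dport {JELLYFIN_PORT} ! -i {WG_IF} -j DROP",
        f"iptables -t nat {action} POSTROUTING -s {WG_NET} -o {PROTON_IF} -j MASQUERADE",
    ]


def hub_config(hub_private_key: str, listen_port: int, spokes: list[Spoke]) -> str:
    """wg0.conf for the Pi."""
    lines = [
        "[Interface]",
        f"Address = {HUB_ADDR}/{WG_NET.prefixlen}",
        f"ListenPort = {listen_port}",
        f"PrivateKey = {hub_private_key}",
        *[f"PostUp = {r}" for r in _firewall_rules("-A")],
        *[f"PostDown = {r}" for r in _firewall_rules("-D")],
    ]
    for s in spokes:
        # One /32 per spoke: the Pi only routes that single address into wg0,
        # so its own default route (through ProtonVPN) is left untouched.
        lines += ["", f"# {s.name}", "[Peer]",
                  f"PublicKey = {s.public_key}", f"AllowedIPs = {s.address}/32"]
    return "\n".join(lines) + "\n"


def spoke_config(spoke_private_key: str, spoke: Spoke, hub_public_key: str,
                 hub_endpoint: str, dns: str) -> str:
    """Config for a phone or laptop.  AllowedIPs 0.0.0.0/0 sends everything to
    the Pi; DNS must be reachable through the tunnel (the ISP router's resolver
    is not, because wg0 traffic is never forwarded to eth0)."""
    return "\n".join([
        "[Interface]",
        f"Address = {spoke.address}/32",
        f"PrivateKey = {spoke_private_key}",
        f"DNS = {dns}",
        "",
        "[Peer]",
        f"PublicKey = {hub_public_key}",
        f"Endpoint = {hub_endpoint}",   # Pi's LAN address; the handshake may cross the untrusted LAN
        "AllowedIPs = 0.0.0.0/0",
        "PersistentKeepalive = 25",
    ]) + "\n"


def lint_hub_config(text: str) -> list[str]:
    """Flag the two mistakes that give 'handshake works, nothing else does'."""
    problems, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = line
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if section == "[Peer]" and key == "AllowedIPs":
            for cidr in value.split(","):
                if ipaddress.ip_network(cidr.strip()).prefixlen < 32:
                    problems.append(f"peer AllowedIPs {cidr.strip()} is wider than /32: "
                                    "wg-quick would route it into wg0 on top of the Proton route")
        if key in ("PostUp", "PostDown") and re.search(r"-o eth0\b", value):
            problems.append(f"{key} forwards to eth0: spoke traffic would bypass ProtonVPN")
    return problems


# Constructed demo inputs: placeholder keys, the Pi LAN address the thread used.
SPOKES = [
    Spoke("phone", "PHONE_PUBKEY_PLACEHOLDER", ipaddress.ip_address("10.66.66.2")),
    Spoke("laptop", "LAPTOP_PUBKEY_PLACEHOLDER", ipaddress.ip_address("10.66.66.3")),
]
HUB_CONF = hub_config("HUB_PRIVKEY_PLACEHOLDER", 51820, SPOKES)
PHONE_CONF = spoke_config("PHONE_PRIVKEY_PLACEHOLDER", SPOKES[0], "HUB_PUBKEY_PLACEHOLDER",
                          "192.168.20.10:51820", str(HUB_ADDR))  # DNS assumes a resolver on the Pi

if __name__ == "__main__":
    print(HUB_CONF, PHONE_CONF, "hub problems:", lint_hub_config(HUB_CONF), sep="\n")
```

`lint_hub_config` is the quick answer to "it connects but nothing works": a peer wider than /32 on the Pi or a forwarding rule to eth0 are the usual culprits.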

    • The 8232 Project@lemmy.ml (OP) (+1 / -1, edited, 3 days ago)

      > Hi again.

      Hi there!

      > Set up ProtonVPN on the raspberry pi.

      I’m actually surprised nobody suggested simply using the Pi with OpenWrt as my own router. Though, that would make it hard to host Jellyfin.

      > Note that this requires you trusting the pi to the same degree that you trust your phone.

      For the most part, I trust the security of my Pi. I can hold it in my hand and see every line of code, after all!

      > Devices which you take with you, like your phone, unfortunately will lose internet connectivity when you leave your home until you switch off Wireguard, and switch on Proton, and not be able to connect to Jellyfin when you return home, until you switch them back.

      I plan to post a tutorial about how to securely host Jellyfin. Another user gave a solution to this problem that I absolutely love, and I’ll showcase it there. I don’t want to spoil it :)

      Could you explain Wireguard vs. Tailscale in this scenario?

      Thank you all so much for your help! This is likely the solution I will go with, combined with another one, so again thank you so much!

      P.S. I don’t care if you wrap an ethernet cord around her finger, get going!

      • Melmi@lemmy.blahaj.zone (4 points, 2 days ago)

        Tailscale is just a bunch of extra fancy stuff on top of Wireguard. If you don’t need the fancy stuff, using raw Wireguard can be more lightweight, but might require more networking knowledge.

        The biggest thing Tailscale brings to the table is NAT traversal. On top of that it uses direct Wireguard tunnels as necessary instead of creating a mesh like you usually would if you were using raw Wireguard. It also offers convenient bits of sugar like internal DNS, and it handles key exchanges for you so it’s just generally easier to configure. When you do raw Wireguard you’re doing all the config yourself, which could be a pro or a con depending on your needs—and you’ll be editing config files, unlike Tailscale which has a GUI for most things. It also supports some more detailed security options like ACLs and I think SSO, while Wireguard is reliant on your existing firewall for that.

        Here’s what Tailscale has to say about it: https://tailscale.com/compare/wireguard

        I’ve messed around with Tailscale myself, but ultimately settled on running Wireguard. The reason I do that though is because I trust my LAN, and I only run Wireguard at the edge. Tailscale really wants to be run on every node, which in turn is something that raw Wireguard theoretically can do but would be onerous to maintain. If I didn’t trust my LAN, I’d probably switch to Tailscale.

      • smiletolerantly@awful.systems (3 points, 3 days ago)

        > I’m actually surprised nobody suggested simply using the Pi with OpenWrt as my own router. Though, that would make it hard to host Jellyfin.

        A brief internet search shows that surprisingly, hosting Jellyfin on OpenWRT should work… No idea how well though. Come to think of it, having OpenWRT on the pi might make it a lot easier to configure, with graphical settings available and so on.

        > Could you explain Wireguard vs. Tailscale in this scenario?

        I’ve never used tailscale, I’m afraid. Normally I would say: just use whatever seems easier to set up on your device/network; however, note that tailscale needs a “coordinate server”. No actual traffic ever goes through it, it just facilitates key exchanges and the like (from what I understand), but regardless, it’s a server outside your control which is involved in some way. You can selfhost this server, but that is additional work, of course…

        > Thank you all so much for your help! This is likely the solution I will go with, combined with another one, so again thank you so much!

        Glad I could help, after being so unhelpful yesterday :)

        > P.S. I don’t care if you wrap an ethernet cord around her finger, get going!

        Eh… Marriage is not really common in either of our families. We agreed to go sign the papers if there ever is a tax reason, lol. Sorry if that’s a bit unromantic :D Nice rings though ^^

        • The 8232 Project@lemmy.ml (OP) (+2 / -1, 3 days ago)

          > A brief internet search shows that surprisingly, hosting Jellyfin on OpenWRT should work…

          I still find it hilarious that since dd-wrt and OpenWrt are just… Linux, you could install Super Mario Bros on there. I checked, nobody seems to have tried.

          > I’ve never used tailscale, I’m afraid. Normally I would say: just use whatever seems easier to set up on your device/network; however, note that tailscale needs a “coordinate server”. No actual traffic ever goes through it, it just facilitates key exchanges and the like (from what I understand), but regardless, it’s a server outside your control which is involved in some way. You can selfhost this server, but that is additional work, of course…

          Ah, that makes sense. Is Wireguard P2P?

          > Glad I could help, after being so unhelpful yesterday :)

          Don’t beat yourself up, you were fine. Because I’m big on privacy, when I ask for help I have a bad habit of leaving out the “why” behind my choices, so it’s understandable that people weren’t happy with what I needed.

          > Eh… Marriage is not really common in either of our families. We agreed to go sign the papers if there ever is a tax reason, lol. Sorry if that’s a bit unromantic :D Nice rings though ^^

          I need to go make a petition to raise taxes then! /s

          You both are perfect for each other, so don’t screw it up!

          • smiletolerantly@awful.systems (3 points, 3 days ago)

            > I still find it hilarious that since dd-wrt and OpenWrt are just… Linux, you could install Super Mario Bros on there. I checked, nobody seems to have tried.

            Oh, definitely, but there are varying degrees of difficulty, esp. with what kinds of packages / package management you have available :D

            > Ah, that makes sense. Is Wireguard P2P?

            Yes, in the sense that each node/device is a peer. But the way I’d suggest you configure it in your case is more akin to a client/server setup - your devices forward all traffic to the “server”, but it never takes initiative to talk “back” to them, and they do not attempt to communicate with each other. Unless you have a separate usecase for that, of course.

            > You both are perfect for each other, so don’t screw it up!

            ❤️

            Closing in on 8 years

  • non_burglar@lemmy.world (+13 / -1, 3 days ago)

    I read the old thread and now this one.

    As I understand it, you want to create a connection between clients on your LAN, but you don’t trust your LAN, so it’s like having a Raspberry Pi server and some client both on the coffee shop network and you want them to communicate securely?

    Tailscale is what you want. Easy setup, free, and allows exactly this to happen.

    • bort@sh.itjust.works (1 point, 3 days ago)

      I use Tailscale for exactly this purpose. And with the added benefit of being able to watch media and manage the device remotely and easily.

  • catloaf@lemm.ee (+12 / -1, 3 days ago)

    > ProtonVPN in its free tier does not allow LAN connections

    This is the limiting factor. In order to get around this, you’ll have to put your Jellyfin server on the Internet. Hopefully you can enable port forwarding. If not, you have painted yourself into a corner.

    If you cannot use self-signed or internal CA certs, you will also need a domain name, and something like Let’s Encrypt to issue certs for that domain.

      • catloaf@lemm.ee (+17 / -1, 3 days ago)

        Yeah, you shouldn’t, but OP seems determined to hamstring themselves and do everything as convoluted as possible.

        • kitnaht@lemmy.world (8 points, 3 days ago)

          Yeah, this whole thread feels like a “but I can’t do that, work around it for me”

      • kitnaht@lemmy.world (+5 / -1, edited, 3 days ago)

        Do. And make sure your logs are piped through fail2ban.

        All of these “vulnerabilities”, require already having knowledge of the ItemIDs, and anyone without it poking around will get banned.

        The rest of them require a user be authenticated, but allows horizontal information gathering. These are not RCEs or anything serious. The ones which allowed cross-user information editing have been fixed.

        • Saik0@lemmy.saik0.com (1 point, 3 days ago)

          > All of these “vulnerabilities”, require already having knowledge of the ItemIDs, and anyone without it poking around will get banned.

          Which are simply MD5 hashes… You can precompile (rainbow tables) those. The “knowledge” here to get a valid video stream is “What path is the file on” which is pretty standardized. This is a good way to have a major movie studio’s process server knocking on your door.

          • kitnaht@lemmy.world (+1 / -1, edited, 3 days ago)

            And again - if you put those behind a fail2ban; and you 404 5x in an hour, which is likely - you’ve solved that issue. Had my jellyfin instance publicly available for 2 years on its own VM with passthrough GPU, and haven’t had any issues. People poke around quite often, and get blackholed via the firewall for 30d.

            It wouldn’t stop a dedicated attacker, but I doubt anyone’s threat model here is that intense. Most compromised servers happen from automated attacks probing for vulnerabilities in order to get RCE; not probing for what movies you have – Because having movies on a media server doesn’t prove that you didn’t rip them all off of blu-ray…it just means you have movies.

            You’re not going to have 100% privacy when you put up ANY service on your network. Everything leaves a trace somehow; but I’m starting to think half of you are Chinese spies or something with the amount of paranoia people here show sometimes. :P
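
An added example (not from the thread or any poster) of the ban rule kitnaht describes in the two comments above, five 404s within an hour leading to a 30-day block, implemented as a sliding-window detector over reverse-proxy access logs. The log lines are constructed, modelled on Caddy's JSON access log (`ts`, `status`, `request.remote_ip`), and the tunnel subnet 10.66.66.0/24 is an assumed allow-list; the equivalent fail2ban jail settings would be `maxretry = 5`, `findtime = 1h`, `bantime = 30d` with that subnet in `ignoreip`.

```python
"""Sliding-window 404 banning for a reverse proxy in front of Jellyfin.
Sample log lines are constructed (Caddy-style JSON), not real captures."""
import ipaddress
import json
from collections import defaultdict, deque


class NotFoundBanner:
    def __init__(self, maxretry=5, findtime=3600, bantime=30 * 24 * 3600, ignore_nets=()):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        # Never ban your own tunnel/LAN: real Jellyfin clients 404 on missing
        # artwork all the time, and locking yourself out is the usual failure mode.
        self.ignore_nets = [ipaddress.ip_network(n) for n in ignore_nets]
        self.hits = defaultdict(deque)   # ip -> timestamps of recent 404s
        self.banned = {}                 # ip -> ban expiry (unix time)

    def is_banned(self, ip, now):
        return ip in self.banned and self.banned[ip] > now

    def _ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore_nets)

    def observe(self, line):
        """Feed one JSON access-log line; return the IP if this line triggers a ban."""
        rec = json.loads(line)
        req = rec.get("request", {})
        # Newer Caddy logs use remote_ip; fall back to the older remote_addr "ip:port".
        ip = req.get("remote_ip") or req.get("remote_addr", "").rsplit(":", 1)[0]
        now = float(rec["ts"])
        if not ip or self._ignored(ip) or self.is_banned(ip, now):
            return None
        if rec.get("status") != 404:
            return None
        window = self.hits[ip]
        window.append(now)
        while window and now - window[0] > self.findtime:   # drop hits older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned[ip] = now + self.bantime
            window.clear()
            return ip
        return None


def scan(lines, ignore_nets=("10.66.66.0/24",)):
    """Run every line through one banner; return (banner, list of IPs banned in order)."""
    banner = NotFoundBanner(ignore_nets=ignore_nets)
    bans = [ip for ip in (banner.observe(line) for line in lines) if ip]
    return banner, bans


def _line(ts, ip, uri, status):
    """Construct one Caddy-style access-log record."""
    return json.dumps({"ts": ts, "logger": "http.log.access", "msg": "handled request",
                       "request": {"remote_ip": ip, "method": "GET", "uri": uri},
                       "status": status})


T0 = 1_700_000_000  # constructed base timestamp
_EVENTS = (
    # A scanner guessing item ids: six 404s within five minutes (ban at the fifth).
    [(T0 + 60 * i, "203.0.113.7", f"/Videos/guess{i:04d}/stream", 404) for i in range(6)]
    # A slow prober: five 404s spread over 100 minutes never has five inside one hour.
    + [(T0 + 1500 * i, "198.51.100.9", f"/Videos/guess{i:04d}/stream", 404) for i in range(5)]
    # A real client on the tunnel: plays a video, then 404s on missing artwork.
    + [(T0 + 10, "10.66.66.2", "/Videos/abc/stream", 200)]
    + [(T0 + 20 + i, "10.66.66.2", f"/Items/abc{i}/Images/Primary", 404) for i in range(6)]
)
SAMPLE_LOG = [_line(*e) for e in sorted(_EVENTS)]

if __name__ == "__main__":
    banner, bans = scan(SAMPLE_LOG)
    print("banned:", bans, "until", {ip: banner.banned[ip] for ip in bans})
```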

            • Saik0@lemmy.saik0.com (1 point, edited, 2 days ago)

              I was going to leave this alone… your original comment was correct enough that it wouldn’t matter and your “dedicated attacker” left it fine when I read it before.

              But your edit has a gaping flaw. You assume that all content in the library would be physically released. Lots of shows and movies are not physically released now. Can’t claim “backup” for those. The moment a movie studio finds your stuff and can map a few titles and one of them never had a physical release… you’re in the shit.

              But yes, you can be much harder to scan overall with a few steps. fail2ban is a great answer that makes it deeply unlikely to be an issue.

              But I wish that they’d just fix it.

              edit: OR that they wouldn’t try to go after you for distribution…

        • litchralee@sh.itjust.works (+4 / -2, 3 days ago)

          Don’t. OP already said in the previous post that they only need Jellyfin access within their home. The Principle of Least Privilege tilts in favor of keeping Jellyfin off the public Internet. Even if Jellyfin were flawless – and no program is – the only benefit that accrues to OP is that the free tier of ProtonVPN can access Jellyfin.

          Opening a large attack surface for such a modest benefit is letting the tail wag the dog. It’s adding a kludge to workaround a different kludge, the latter being ProtonVPN’s very weird paid tier.

          • kitnaht@lemmy.world (+1 / -2, edited, 3 days ago)

            If they need SSL certs, they’ve got to. Jellyfin doesn’t accept self-signed certs, which means DNS entries in a domain, and access from the internet.

            Really, honestly - what they need to do is just install Jellyfin on the Raspberry Pi and ditch the encryption requirement altogether. There’s no reason to have it on a LAN-only environment. They aren’t going to need it, nobody is going to MITM their lan environment, and VPNs will regularly allow LAN passthrough.

            If ProtonVPN’s own client doesn’t allow LAN connections, they either need to swap to the Wireguard vanilla client (if that’s allowed on free tier), or upgrade their VPN service.

            OR switch VPNs altogether.

            There isn’t a way to do this without breaking one of their requirements.

            Only options here are to publicly host with real SSL certs, on a domain and tunnel out – Or swap VPN providers/software so that you can achieve LAN access and forego HTTPS altogether.

            Edit: And sorry – the previous post is gone regarding their only needing access within the home, there’s no way I could have known that.

            There’s a bit of paranoia going on here to begin with - There’s no reason they need this level of “security” within their home network on the LAN side anyhow. They could possibly buy a managed switch and make the jellyfin server only visible to a specific vlan that didn’t include the router, but that doesn’t quite match up with what it sounds like they’re needing.

            • N0x0n@lemmy.ml · 2 up, 1 down · 3 days ago

              Jellyfin doesn’t accept self-signed certs.

              Huh?? My jellyfin.home.lab self-signed certificate would like a word… Just put everything behind a reverse proxy (in a self-hosted community you will sooner or later be confronted with one anyway…) and you get all your services behind self-signed certs. Doesn’t matter whether Jellyfin accepts it or not… It’s encrypted through your reverse proxy!

              • kitnaht@lemmy.world · 1 up · edited · 3 days ago

                Hmm, that’s a good point. I just checked my Jellyfin, and I don’t put any of the cert data into its config, I’m using caddy as my reverse proxy to serve it and I didn’t even think about this. No reason it has to be a self-signed cert, it could technically be local only and still be a Let’s Encrypt cert.

            • litchralee@sh.itjust.works · 1 up · 3 days ago

              which means DNS entries in a domain, and access from the internet

              The latter is not a requirement at all. Plenty of people have publicly-issued TLS certs for domain named services that aren’t exposed to the public internet, or aren’t using HTTP(s). If using LetsEncrypt, the DNS-01 challenge method would suffice, or can even issue a wildcard certificate for subdomains, so additional certificate issuance is not required.

              After acquiring a domain, it can be pointed to one of many free nameservers that provide an API which an ACME script can update for automatic renewal of the LetsEncrypt certificate using DNS-01. dns.he.net is one such example.

              OP has been given a variety of options, each of which come with their own tradeoffs. But public access to Jellyfin just to get a public cert is not a necessary tradeoff that OP needs to make.

              • Elvith Ma'for@feddit.org · 3 up · 3 days ago

                Came to suggest this. I ran into the same problem when I tried to host Jellyfin at home. Also I was fed up with all those certificate warnings, depending on which device I used. Since I was already using pihole in my home network, I just went and looked at all the DNS plugins for certbot to learn which provider allows for easy DNS challenges. Then I researched a bit and stumbled upon a provider that was running a sale - so I got a domain for less than 5 bucks/year.

                I set the public A record to 127.0.0.1 and configured certbot to use their API. This domain is now used internally in my network exclusively and I just added some DNS entries for several subdomains in pihole, so that it works for every device at home (e.g. jellyfin.example.com / dockerhost.example.com / proxmox.example.com / …).

                When I’m away, I shouldn’t be able to resolve the domain, and even if DNS were hijacked, the TLS certificate will protect me from connecting to $randomServices. Also my router is less restricted, which means that I can just use its VPN server to connect directly to my home network, if I need to access my server or need to troubleshoot things when away.

    • The 8232 Project@lemmy.ml (OP) · 1 up, 1 down · 3 days ago

      Although not ideal, I would be willing to pay for ProtonVPN (or another) if that’s what is required. If I did have LAN connections, what are my options? Eventually I will get a more trustworthy router, but I still don’t want to trust it by sending data in plaintext, even if I can control it and enable port forwarding.

  • Arkhive (they/she)@lemmy.blahaj.zone · 5 up, 1 down · 3 days ago

    To be totally honest I didn’t read your entire post, but just from your intro I think we are in similar situations. ISP router, low costs, using only the hardware you have around. I’ve solved a lot of stuff with Tailscale. None of my services are public facing and instead I connect to them over Tailscale (could be replaced with wireguard).

    The wall I’m hitting you or maybe others could help with, is accessing my services from sub domains of a single Tailscale address rather than having to type port numbers for everything. I know this involves a reverse proxy and DNS (I use PiHole for that), but I’m stuck trying to configure the two in a way that actually works. Once I finally ditch iOS for good I’ll probably just sync a hosts file between all my devices using Syncthing to help streamline the DNS situation.

    • vl95g@lemmy.wtf · 2 up · 2 days ago

      And I’m in a similar place as you, though I’ve managed to get a bit further. I’m using Docker and a Caddy sidecar with Tailscale. I started with Nextcloud AIO, which has it all neatly explained here, and I’ve built on top of that. I’ve added other services like Immich and Jellyfin. I’m also testing a local reverse proxy with the same domain (*.ts.net) as through Tailscale (to get their certificates), so that I can access them locally without Tailscale. I want to use it mostly locally and only occasionally remotely. You might also learn something from this tutorial.

    • The 8232 Project@lemmy.ml (OP) · 3 up, 1 down · edited · 3 days ago

      Once I finally ditch iOS for good

      I had that feeling for all too long. It’s so refreshing to break free. Word of advice: make sure to switch over your Signal account to make your new phone the owner.

      You planning on GrapheneOS?

      • Arkhive (they/she)@lemmy.blahaj.zone · 1 up · 3 days ago

        Honestly I want a Linux phone, but the scene needs to mature a bit. I’d also like a physical keyboard, so I’m even more limited in my options. LilyGo just released something I’d try, but it sold out almost instantly. Good call on the signal transfer, though I wish better platforms were catching on. Having to use a phone number to sign up kind of defeats the purpose in my opinion. Graphene and Postmark are on my short list of things to try if I end up on an android device.

  • lefixxx@lemmy.world · 3 up · 2 days ago

    and Android devices only have one VPN slot enabled, I cannot use something such as Tailscale for encryption.

    I solved a similar situation with a Tailscale subnet router. A Tailscale subnet router is a Tailscale node that exposes the non-Tailscale network to the Tailscale network. This way I am able to access one of my routers (and its PBX) from all Tailscale nodes. The Android phone has only Tailscale as a VPN. If I pay for Mullvad I can have the rest of the traffic go over a Mullvad node.

    Doesn’t really help you here though, unless you install ProtonVPN on the Pi and add that as a Tailscale exit node.

  • litchralee@sh.itjust.works · 8 up · edited · 3 days ago

    I previously proffered some information in the first thread.

    But there’s something I wish to clarify about self-signed certificates, for the benefit of everyone. Irrespective of whichever certificate store that an app uses – either its own or the one maintained by the OS – the CA Browser Forum, which maintains the standards for public certificates, prohibits issuance of TLS certificates for reserved IPv4 or IPv6 addresses. See Section 4.2.2.

    This is because those addresses will resolve to different machines on different networks. Whereas a certificate for a global-scope IP address is fine because it should resolve to the same destination. If certificate authorities won’t issue certs for private IP addresses, there’s a good chance that apps won’t tolerate such certs either. Nor should they, for precisely the reason given above.

    A proper self-signed cert – either for a domain name or a global-scope IP address – does not create any MITM issues as long as the certificate was manually confirmed the first time and added to the trust store, either in-app or in the OS. Thereafter, only a bona fide MITM attack would raise an alarm, the same as if a MITM attacker tries to impersonate any other domain name. SSH is the most similar, where trust-on-first-connection is the norm, not the outlier.

    There are safe ways to use self-signed certificates. People should not discard that option so wantonly.
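    The trust-on-first-use pattern described in the comment above, as an added example that is not part of litchralee’s comment or any code posted in this thread: a POSIX shell script (it needs only openssl) that pins a self-signed certificate’s SHA-256 fingerprint the first time a service name is seen, accepts later connections that present the same certificate, and raises an alarm when a different certificate turns up under the same name. The service name, the file paths and the one-line-per-service pin store are constructed for the demo; the “impostor” is simply a second self-signed certificate generated locally with the same CN, which is exactly what an on-path attacker would have to present.

```shell
#!/bin/sh
# Added example (not from the thread): trust-on-first-use pinning of a
# self-signed certificate, in the SSH known_hosts style described above.
# Names, paths and the pin-store format are constructed for this demo.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
PIN_FILE="$WORKDIR/known_certs"   # one "<name> <sha256-fingerprint>" line per pinned service
: > "$PIN_FILE"

# Create a self-signed certificate for a name: no CA involved, the key signs its own cert.
make_self_signed() {   # $1 = DNS name, $2 = output path prefix
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$2.key" -out "$2.crt" -subj "/CN=$1" 2>/dev/null
}

# SHA-256 fingerprint of the certificate's DER encoding (the value a client pins).
fingerprint() {        # $1 = certificate file
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Trust-on-first-use check. Exit status:
#   0 on first contact (the fingerprint is recorded) or when it matches the pin,
#   1 when the presented certificate differs from the pin (possible MITM).
check_pin() {          # $1 = service name, $2 = certificate the server presented
  fp=$(fingerprint "$2")
  stored=$(awk -v n="$1" '$1 == n { print $2 }' "$PIN_FILE")
  if [ -z "$stored" ]; then
    printf '%s %s\n' "$1" "$fp" >> "$PIN_FILE"
    echo "first contact: pinned $1 -> $fp"
    return 0
  fi
  if [ "$stored" = "$fp" ]; then
    echo "ok: $1 matches pinned fingerprint"
    return 0
  fi
  echo "ALARM: $1 presented $fp but the pin is $stored" >&2
  return 1
}

main() {
  name="jellyfin.home.internal"                  # hypothetical LAN-only name
  make_self_signed "$name" "$WORKDIR/server"      # the real server's cert
  make_self_signed "$name" "$WORKDIR/impostor"    # an unrelated key with the same CN
  check_pin "$name" "$WORKDIR/server.crt"         # first visit: confirm and pin
  check_pin "$name" "$WORKDIR/server.crt"         # later visits: silent match
  if check_pin "$name" "$WORKDIR/impostor.crt"; then
    echo "unexpected: impostor accepted"; return 1
  fi
  echo "impostor rejected as expected"
}

main
```

    The first-contact step is where the human check belongs: compare the printed fingerprint against the one shown on the server (over SSH, or on its console) before trusting it, the same way SSH users are expected to verify a new host key. After that, a mismatch is the alarm litchralee describes, and nothing about a private IP or a reserved name weakens it, because the pin is bound to the specific key rather than to anything a CA would have to vouch for.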

    • catloaf@lemm.ee · 2 up, 1 down · 3 days ago

      It sounds like the clients do not have the ability to manually trust a self-signed cert.

      • N0x0n@lemmy.ml · 1 up, 1 down · edited · 3 days ago

        I don’t get that…

        I have a self-signed SSL certificate and intermediate CA installed on all my devices, and it works flawlessly with every application that accepts those (on Android the manifest.xml has to allow user-based certificates, which it does in most cases).

        One exception on Android was the use of MPV, which doesn’t do that and never will? However, the web player video type from the official application works without issues…

        I have navidrome, jellyfin, Ironfox, LibreTube, KoReader, Findroid… All work flawlessly with self-signed certs!

        The issue here (as said in the second answer of their linked Jellyfin post) is that they need a reverse proxy that takes care of the SSL handshake, and not Jellyfin directly. So OP was missing a lot of good information in their first post…

        • catloaf@lemm.ee · 2 up, 1 down · 3 days ago

          If it’s signed by an intermediate CA, then it’s not self-signed.

          • N0x0n@lemmy.ml · 2 up · 3 days ago

            Huh? Yeah it is… It’s a self-signed intermediate CA, signed by a self-signed rootCA.

            In my case a miniCA in my lan.

            • catloaf@lemm.ee · 3 up · 3 days ago

              Right. If it’s signed by a CA, it’s not self-signed. Self-signed means signed by nobody but the server that generated it.

              self-signed certificates are public key certificates that are not issued by a certificate authority (CA)

              https://en.wikipedia.org/wiki/Self-signed_certificate

              An internal CA whose signing certs you’ve manually installed is still a trusted CA.

              • N0x0n@lemmy.ml · 1 up · 3 days ago

                Ohhhhh ! Sometimes I just need to sh*up !

                Thanks for the clarification.

      • Hydrian@twit.social · 0 up, 1 down · 3 days ago

        @catloaf @litchralee As they shouldn’t trust a self-signed cert. If you can run Jellyfin, you can run an internal CA and DNS server. Create a .internal domain in your DNS server and create certs based on it. Then just roll out your root CA cert.

  • DesolateMood@lemm.ee · 3 up · 3 days ago

    One thing that I haven’t seen anyone mention yet, in this post or the last one: how do you plan on acquiring videos for your server? If you plan on torrenting, you just have to pay for a VPN; Proton doesn’t allow you to make P2P connections like that on a free account.

    • The 8232 Project@lemmy.ml (OP) · 1 up · 3 days ago

      I’ve been able to use Proton for torrenting, although at abysmal speeds. I don’t acquire many new videos, so this isn’t an issue quite yet. When I have more money I will absolutely be switching to Mullvad VPN.

      • CmdrShepard42@lemm.ee · 2 up · 2 days ago

        Don’t use Mullvad for torrenting. They’re a great VPN but they had to remove port forwarding so you’ll be unable to torrent properly. AirVPN is an alternative that still has port forwarding available.

      • MrPoopbutt@lemmy.world · 1 up · 2 days ago

        Be careful, Mullvad doesn’t allow port forwarding. I understand this to be important for torrent purposes.

        • Jakeroxs@sh.itjust.works · 1 up · 2 days ago

          Correct, trackers will work but DHT or whatever it’s called won’t; you end up with a lot of dead torrents trying to run it through Mullvad, but I paid a bit in advance so I can’t swap yet.

          NZBs work most of the time anyway.

  • Willdrick@lemmy.world · 3 up · 3 days ago

    Here’s an idea: on your android device use something like Insular to create a work profile, that way you get its own VPN slot, add your selfhosted-related apps there along with Tailscale. You can keep ProtonVPN on for your other apps, while using TS for your “LAN away from home” stuff. Since Tailscale already encrypts all traffic, you don’t have to worry about HTTPS, certs, et al.

    • The 8232 Project@lemmy.ml (OP) · 2 up, 1 down · edited · 3 days ago

      THIS

      While I would make the modification to use Android’s Private Space instead of a work profile (or Shelter instead of Insular), this was such an obvious solution, and I feel stupid for not seeing it. I might use Wireguard instead of Tailscale, I don’t know yet, but thank you! Consider yourself an outside the box thinker!

      We all got hung up on trying to fix Proton, when Android was the issue here!

  • hedgehog@ttrpg.network · 4 up, 2 down · 3 days ago

    Wow, there isn’t a single solution in here with the obvious answer?

    You’ll need a domain name. It doesn’t need to be paid - you can use DuckDNS. Note that whoever hosts your DNS needs to support dynamic DNS. I use Cloudflare for this for free (not their other services) even though I bought my domains from Namecheap.

    Then, you can either set up Let’s Encrypt on device and have it generate certs in a location Jellyfin knows about (not sure what this entails exactly, as I don’t use this approach) or you can do what I do:

    1. Set up a reverse proxy - I use Traefik but there are a few other solid options - and configure it to use Let’s Encrypt and your domain name.
    2. Your reverse proxy should have ports 443 and 80 exposed, but should upgrade http requests to https.
    3. Add Jellyfin as a service and route in your reverse proxy’s config.

    On your router, forward port 443 to the outbound secure port from your Pi (which for simplicity’s sake should also be port 443). You likely also need to forward port 80 in order to verify Let’s Encrypt.

    If you want to use Jellyfin while on your network and your router doesn’t support NAT loopback requests, then you can use the server’s IP address and expose Jellyfin’s HTTP ports (e.g., 8080) - just make sure to not forward those ports from the router. You’ll have local unencrypted transfers if you do this, though.

    Make sure you have secure passwords in Jellyfin. Note that you are vulnerable to a Jellyfin or Traefik vulnerability if one is found, so make sure to keep your software updated.

    If you use Docker, I can share some config info with you on how to set this all up with Traefik, Jellyfin, and a dynamic DNS service as docker-compose services.

  • marauding_gibberish142@lemmy.dbzer0.com · 5 up, 2 down · edited · 3 days ago

    OP, I have been facing the same situation as you in this community recently. This was not the case when I first joined Lemmy but the behaviour around these parts has started to resemble Reddit more and more. But we’ll leave it at that.

    I think I have a solution for you if you’re willing to spend $2-$3 a month - set up a VPS and run a Wireguard server on it. Run clients on your devices and the raspberry pi and connect to it.

    As for your LAN: from the discussion you linked, it seems that Jellyfin will use the CAs present in the OS trust store. That’s not very hard to do on Linux but I guess if you have to do it on Android you’d have some more trouble. In either case, using a reverse-proxy (I like HAProxy but I use it at work and it might be more enterprise than you need, for beginners Caddy is usually easier) will fix the trouble you’re having with your own CA and self-signed certs.

    I am interested in the attack vector you mentioned; could you elaborate on the MITM attack?

    Unfortunately, if you don’t have control over your network, you cannot force a DNS server for your devices unless you can set it yourself for every individual client. If I assume that you can do that, then:

    1. Set up DNS server on Pi
    2. Set up CA on Pi
    3. Create root CRT, CSR and server certs from it (bare-minimum setup)
    4. Copy over this stuff to the Jellyfin image/VM, and copy the root cert to the clients’ trust store.
    5. Run reverse proxy in front of Jellyfin and configure the correct IP address of the reverse proxy with an A record in your DNS server.
    6. Configure reverse-proxy with server/application cert.
    7. Use RethinkDNS on Android to pass everything through the wireguard server hosted on the VPS, and set private DNS to the DNS server hosted on the Pi.

    I think that should do it. This turned out more complicated than I imagined (it’s more of a brain dump at this point), feel free to ask if it is overwhelming.
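    Steps 2 to 6 above carried through on one machine, as an added example that is not part of marauding_gibberish142’s comment or of any project’s own code; it also illustrates catloaf’s point earlier in the thread that a certificate issued by an internal CA whose root you installed is CA-signed, not self-signed, and N0x0n’s point that the reverse proxy, not Jellyfin, does the TLS. It is POSIX shell over openssl. The name jellyfin.home.internal, the working directory and the Caddyfile are constructed for the demo (8096 is Jellyfin’s default HTTP port; `tls` and `reverse_proxy` are standard Caddyfile directives); the DNS server of step 1 and the client-side root installation of step 4 are outside the script, which instead shows what a client with and without the root installed would decide.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal private CA on the Pi, a server
# certificate it issues for a LAN-only name, the checks a client performs, and a
# Caddyfile that terminates TLS in front of Jellyfin. Names and paths are
# constructed for this demo; 8096 is Jellyfin's default HTTP port.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SERVICE_NAME="${SERVICE_NAME:-jellyfin.home.internal}"   # hypothetical; must match the A record the Pi's DNS serves

# Steps 2/3: the root CA. root.crt is the one file copied to every client's trust store;
# root.key never leaves the Pi.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORKDIR/root.key" -out "$WORKDIR/root.crt" \
    -subj "/CN=Home Lab Root CA" 2>/dev/null
}

# Steps 3/6: a CSR for the service name, signed by the root. Clients match the name they
# typed against the SAN, so the extension file must carry it.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" \
    -subj "/CN=$SERVICE_NAME" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$SERVICE_NAME" > "$WORKDIR/server.ext"
  openssl x509 -req -in "$WORKDIR/server.csr" -CA "$WORKDIR/root.crt" -CAkey "$WORKDIR/root.key" \
    -CAcreateserial -days 825 -extfile "$WORKDIR/server.ext" -out "$WORKDIR/server.crt" 2>/dev/null
}

# What a client that has installed root.crt does: build the chain and match the hostname.
# $1 = the name the client connected to. Exit 0 = accepted, 1 = rejected.
verify_as_client() {
  openssl verify -CAfile "$WORKDIR/root.crt" -verify_hostname "$1" "$WORKDIR/server.crt" >/dev/null 2>&1
}

# What a client WITHOUT the root installed sees: no issuer in its trust store, so it
# rejects the cert (the "not secure" warning). Exit 0 when that rejection happens.
rejected_without_root() {
  ! openssl verify -no-CAfile -no-CApath "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Steps 5/6: Caddy terminates TLS with the issued cert and proxies to Jellyfin over
# loopback, so Jellyfin itself never touches certificates.
write_caddyfile() {
  cat > "$WORKDIR/Caddyfile" <<EOF
$SERVICE_NAME {
    tls $WORKDIR/server.crt $WORKDIR/server.key
    reverse_proxy 127.0.0.1:8096
}
EOF
}

main() {
  make_root_ca
  make_server_cert
  verify_as_client "$SERVICE_NAME" && echo "accepted: trusted root + matching name"
  verify_as_client "other.home.internal" || echo "rejected: name mismatch (same cert)"
  rejected_without_root && echo "rejected: root not in trust store"
  write_caddyfile
  echo "wrote $WORKDIR/Caddyfile; install $WORKDIR/root.crt on clients, nothing else"
}

main
```

    The three checks in `main` are the whole security argument of the internal-CA route: a client that trusts only your root accepts exactly the names your root signed, rejects the same certificate under any other name, and a device that never received the root (or anyone else on the LAN) gets the warning rather than a silent connection. Jellyfin’s own port stays bound to loopback behind Caddy, so the only listener on the LAN is the TLS one.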

    • The 8232 Project@lemmy.ml (OP) · 1 up · 3 days ago

      OP, I have been facing the same situation as you in this community recently. This was not the case when I first joined Lemmy but the behaviour around these parts has started to resemble Reddit more and more. But we’ll leave it at that.

      I’ve noticed that behavior is split between communities. Lemmy gets a bit weird because communities are usually hyper-specialized, and sometimes instances themselves cultivate different cultures (e.g. lemmy.ml is usually for privacy enthusiasts, since that’s where c/privacy is hosted). That, with the addition of specific idols for each community (e.g. Louis Rossmann for the selfhosted community) affects how each community behaves. That’s my theory, anyways.

      I am interested in the attack vector you mentioned; could you elaborate on the MITM attack?

      Basically the “this website is not secure” popup you see in your browser is sometimes due to the website using a self-signed cert. There’s no way to verify that that cert is from the website itself or from an attacker trying to inject their own cert, since there’s no CA attached to the cert. If an attacker injects their own self-signed cert, they can use that to decrypt your HTTPS traffic (since your browser will be encrypting using their cert) and then forward your traffic along to the real website so that from your perspective (minus the warning screen) nothing is wrong. I’m oversimplifying this, but that’s basically how it works.

      Unfortunately, if you don’t have control over your network, you cannot force a DNS server for your devices unless you can set it yourself for every individual client.

      I forgot to mention in this post, but because of browser fingerprinting reasons I don’t want to use a custom DNS. Thanks for the suggestion though!

  • skizzles@lemmy.world · 3 up · edited · 3 days ago

    I mentioned a firewall in your last post, but didn’t get a chance to respond to what you said and saw this post.

    You can use something like opnsense or pfsense (or something similar) behind your current router/modem.

    If you have a router/modem combo, it would look like this.

    Wall cable (fiber, copper etc) > Router/Modem > Firewall/Router device with opnsense installed on it > wireless or wire connected devices.

    The hardware will cost money up front, the OS for it is free.

    You can use this to isolate your devices from the router/modem that is the cause of concern, and have a secure connection to your Jellyfin server, eliminating the need for signed certificates.

    Don’t overthink it. You can secure your network without making it excessively complicated.

    If you have a Raspberry Pi you can also experiment with running the firewall on that (just as a test, since there aren’t official builds for the RPi that I know of) and pentest from whatever device you use to do so, connected to the router provided by your ISP or however you want to test it, before you go out and buy hardware.

    Just to be clear I wasn’t trying to be any sort of way with my question previously, but wanted a better understanding of what you meant by not trusting your device.

    Edit: So a little side note, there are options to increase security when using something like opnsense. You can use freeradius to harden the access requirements to your network.

    Since you mentioned pen testing but also seem to say that your knowledge of networking is a little bit limited, it may be a bit more involved than you’re ready for. The thing is (and this is by no means a knock on you) if you are doing pen testing then you definitely need to increase your knowledge on networking. Those two things kinda go hand in hand. If you don’t understand networking but you are trying to pen test a network, then how do you know what you are doing is actually effective? I suspect you may understand a bit more than you think you do, so try to broaden your knowledge more!

    https://wiki.freeradius.org/

    There’s something to check out just to get some concepts. You can do plenty of things to harden your security that could give you the comfort you need without defaulting to encrypted connections over LAN.

    • The 8232 Project@lemmy.ml (OP) · 1 up · 3 days ago

      Thank you for this!

      Is OPNsense like dd-wrt or OpenWrt?

      The thing is (and this is by no means a knock on you) if you are doing pen testing then you definitely need to increase your knowledge on networking.

      I have a background in Wi-Fi hacking and LAN attacks, and I understand the structure of networking (LAN, WAN, layers of the internet, DNS, CAs, etc.). My head starts to hurt when RADIUS is involved, ad hoc networking (which I understand the concepts of, just not how it works; I want to learn this first), mDNS, and other complicated topics. I’m trying to push past those mental roadblocks and learn as best I can, but it’s a tricky topic!

      https://wiki.freeradius.org/

      There’s something to check out just to get some concepts. You can do plenty of things to harden your security that could give you the comfort you need without defaulting to encrypted connections over LAN.

      Thank you! I’ll definitely check this out. You’ve been a huge help!

      • skizzles@lemmy.world · 2 up · 2 days ago

        Is OPNsense like dd-wrt or OpenWrt?

        Yes, both are similar in terms of being a firewall/access point. OpenWrt is Linux based and OPNsense is based on FreeBSD.

        OpenWrt and OPNsense have similar wireless capabilities, but OPNsense is a little bit more restricted due to being based on FreeBSD; it still should be easy to manage though. More on the wireless compatibility can be found at the link below.

        https://www.freebsd.org/releases/14.2R/hardware/#wlan

        I haven’t used dd-WRT so I can’t speak to it, but have tried OpenWRT. My personal preference is OPNsense, I just find it easier to use and prefer the interface.

        Here’s a link to the OPNsense documentation.

        https://docs.opnsense.org/index.html

        I’m far from a network engineer but have been tinkering with computers and network stuff for 20ish years and there is still a ton that I don’t know. Don’t let it discourage you, you can make it work! Documentation can be muddy sometimes, and bland, but I find it best to just go one step at a time and slowly implement each piece while testing after each step.

    • The 8232 Project@lemmy.ml (OP) · 9 up, 6 down · 3 days ago

      Since I always have ProtonVPN enabled, and Android devices only have one VPN slot enabled, I cannot use something such as Tailscale for encryption.

      • kitnaht@lemmy.world · 4 up, 1 down · edited · 3 days ago

        Tailscale is only for the server/host. You’re not changing all of your VPN services over to this, you’re using it in a ‘reverse’ fashion. You’re VPN-ing the server out to the world so it’s reachable and you have port forwarding options, etc.

        From there, it can be reached by any client on the internet as a service. From there though, I don’t know how you’d get to it securely without a domain and SSL (Let’s Encrypt/Caddy) certs.

        A domain is only like $16/year. So it’s not prohibitively expensive.

        • swab148@lemm.ee · 3 up · 3 days ago

          Domains can be even cheaper than that, I got a .net address from porkbun for $12.50 a year. That’s cheap enough for even me, and I am broke, y’all.

        • curiousaur@reddthat.com · 1 up · 3 days ago

          It can’t be reached by any client, only by clients on machines logged into your Tailscale network.

  • colonelp4nic@lemmy.world · 3 up, 1 down · edited · 3 days ago

    I remember you were worried about your ISP messing things up for you, hence the VPN. I would recommend creating a “Virtual Machine” that does all of your downloading to whatever hard drive you’re using. That VM can have proton installed. Then, on your regular computer (not within the VM), you can host Jellyfin with no VPN involved, making it accessible at 192.168.0.xx.

    I think this hits your goals without needing to expose Jellyfin to the Internet. Plus it has minimal technical complexity. Your downloading traffic will be VPN protected, but Jellyfin will still be accessible to your local network.

    edit: You can set up a password for Jellyfin, protecting it from your internal threats.

    edit2: You can use letsencrypt to create a certificate that picky clients will accept. Buy a domain, any domain, and configure the “A record” to point to 192.168.0.xx (your Jellyfin IP). Then tell your client to go to whatever domain you get, like “luigiliterallydidnothingwrongplzfree.com”, then the client will have to use the internet to ask DNS what the IP address is, but after that, it will just use your local network.

    edit3: Since you just have the Raspberry Pi, instead of using a Virtual Machine, you could have 2 separate SD cards. One only has the downloader and VPN installed, the other only has Jellyfin installed (no VPN). Then swap as needed.