I am making this post in good faith
In my last post I asked about securely hosting Jellyfin given my specific setup. A lot of people misunderstood my situation, which caused the whole thread to turn into a mess, and I didn’t get the help I needed.
I am very new to selfhosting, which means I don’t know everything. Instead of telling me that I don’t know something, please help me learn and understand. I am here asking for help, even if I am not very good at it, which I apologize for.
With that said, let me re-outline my situation:
I use my ISP’s default router, and the router is owned by Amazon. I am not the one managing the router, so I have no control over it. That alone gives me significant reason not to trust my own home network, so I use ProtonVPN to hide my traffic from my ISP, and I require encryption even over the LAN for privacy reasons. That is my threat model, so please respect it, even if you don’t agree with it. If you don’t agree with it and don’t have any help to give, please bring your knowledge elsewhere, as your assistance is not required here. Thank you for being respectful!
Due to financial reasons, I can only use the free tier of ProtonVPN, and I want to avoid costs where I can. That means I can only host on the hardware I have, which is a Raspberry Pi 5, and I want to avoid the cost of buying a domain or using a third party provider.
I want to access Jellyfin from multiple devices, such as my phone, laptop, and computer, which means I’m not going to host Jellyfin on-device. I have to host it on a server, which is, in this case, the Raspberry Pi.
With that, I already have a plan for protecting the server itself, which I outlined in the other post, by installing securecore on it. Securing the server is a different project, and not what I am asking for help with here.
I want help encrypting the Jellyfin traffic in transit. Since I always have ProtonVPN enabled, and Android devices only allow one VPN at a time, I cannot use something such as Tailscale for encryption. There is some hope in doing some manual ProtonVPN configuration, but I don’t know how that would work, so someone may be able to help with that.
All Jellyfin clients I have used (on Linux and Android) do not accept self-signed certificates. You can test this yourself by configuring Jellyfin to only accept HTTPS requests, using a self-signed certificate (without a domain), and trying to access Jellyfin from a client. This is a known limitation. I wouldn’t want to use self-signed certificates anyway, since an unknown intruder on the network could perform a MITM attack to decrypt traffic (or the router itself, however unlikely).
Even if I don’t trust my network, I can still verify the security and authenticity of the software I use in many, many ways. This is not the topic of this post, but I am mentioning it just in case.
Finally, I want to mention that ProtonVPN in its free tier does not allow LAN connections. The only other VPN providers I would consider are Mullvad VPN or IVPN, both of which are paid. I don’t intend to get rid of ProtonVPN, and again that is not the topic of this post.
Please keep things on-topic, and be respectful. Again, I am here to learn, which is why I am asking for help. I don’t know everything, so please keep that in mind. What are my options for encrypting Jellyfin traffic in transit, while prioritizing privacy and security?
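As an added illustration (not part of the post above, and not a Jellyfin feature), the following POSIX shell script shows the mechanics behind the self-signed-certificate and MITM point raised in the question: it creates a private CA, issues a server certificate for the Pi's LAN address, and then checks that a client trusting only that CA accepts the Pi's certificate but rejects one minted by a second, rogue CA (the "intruder on the network" case). The CA names, the `PI_IP` address and the file layout are assumptions for the example; it assumes `openssl` 1.1.1 or newer is installed and writes into a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post: a private CA for a home LAN, a server
# certificate for the Pi's address, and a verification that a client trusting only
# that CA rejects a certificate issued by anyone else.
# Assumptions: openssl 1.1.1+ is installed; PI_IP is the Pi's LAN address.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PI_IP="${PI_IP:-192.168.1.50}"   # assumed address of the Raspberry Pi (placeholder)

# Minimal OpenSSL config so the commands do not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

make_ca() {  # $1 = CA name; writes $WORK/$1.key and the self-signed $WORK/$1.crt
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

issue_server_cert() {  # $1 = issuing CA name, $2 = leaf name; cert is for IP:$PI_IP
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=jellyfin" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  # Leaf extensions: no CA powers, server auth only, and the IP in the SAN so that
  # clients connecting by address (no domain) can match the certificate.
  printf '[v3_leaf]\nbasicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = IP:%s\n' \
    "$PI_IP" > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 825 -extfile "$WORK/$2.ext" -extensions v3_leaf \
    -out "$WORK/$2.crt" 2>/dev/null
}

verify_against_ca() {  # $1 = the only CA the client trusts, $2 = leaf name
  # Exit 0 only if the chain validates AND the leaf's SAN matches the Pi's IP.
  openssl verify -CAfile "$WORK/$1.crt" -verify_ip "$PI_IP" "$WORK/$2.crt" >/dev/null 2>&1
}

cert_fingerprint() {  # $1 = leaf name; the SHA-256 fingerprint a client could pin
  openssl x509 -noout -fingerprint -sha256 -in "$WORK/$1.crt"
}

if [ "${1:-}" = "demo" ]; then
  make_ca homeca            # the CA you generate and install on your own devices
  make_ca rogueca           # a CA controlled by someone else on the LAN
  issue_server_cert homeca pi
  issue_server_cert rogueca mitm
  verify_against_ca homeca pi   && echo "pi.crt accepted by a client trusting homeca"
  verify_against_ca homeca mitm || echo "mitm.crt rejected by a client trusting homeca"
  cert_fingerprint pi
fi
```

Run it with `sh script.sh demo`. The point of the rogue-CA check is that a MITM on the LAN can only succeed if the client either trusts any certificate (no verification at all) or trusts the attacker's CA; a client that trusts exactly one CA, or pins the fingerprint printed at the end, rejects the attacker's certificate even though both certificates carry the same IP address. Whether a given Jellyfin client lets you install that trust is a separate question, which the post above already notes.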
Wow, that was a lot more comprehensive than what I was hoping for. Thanks.
I was particularly interested in the CRS310 because it had 2.5G ports with the ability to eventually expand into 10G. 10G speeds aren’t really relevant for me (for now), since I mainly want the speed advantage for slightly faster transfers to my NAS, but I would be interested in 2.5G capability. Do you think it makes sense to pick one of the devices you recommended, specifically the hAP ax2, and then, if I want to get into 2.5G territory, buy an unmanaged 2.5G switch? Speeds of 2.5G and more are only interesting for transfers between my own local devices. I don’t need the rest of the network to have fast access, so I guess the hAP ax2 makes more sense to buy than the ax3. The ability to open my own WiFi network is also quite attractive, so I can have local access even from my laptop or phone, which I guess is another point in favor of the Home/Office AP route.
Sure. That plan would work. You might want to be sure that this is permitted at your university.
Universities often have strict rules about what should connect to their networks.
Ah, I may have misused the word dorm. It’s more of a shared apartment rented by multiple students, so there aren’t any limitations in that regard, fortunately.
Ah, got it. That plan should be great. You can segment your own wired+WiFi network with that hardware, and even do WireGuard from the hAP ax2 to get whole-network egress via an outside VPN service at a good data rate, if you want.
The other devices you might consider as the router are the GL.iNet Slate series. They will be slower as a VPN router, but they’re pretty small and light. They come with a skinned OpenWrt, but in most cases you can install a build of the unmodified OS if you want.