this post was submitted on 01 Apr 2026
466 points (98.7% liked)

Selfhosted

60482 readers
436 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

  1. Be civil.

  2. No spam.

  3. Posts are to be related to self-hosting.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] InnerScientist@lemmy.world 36 points 3 months ago (2 children)

Use a VPN, it's not ideal but it's secure.

[–] faercol@lemmy.blahaj.zone 32 points 3 months ago (1 children)

Somehow difficult to install on a TV though.

[–] ramble81@lemmy.zip 15 points 3 months ago (2 children)

That’s why you do it at your router or gateway and then set a route for the Jellyfin server through the VPN adapter. That way any device on your network will flow through the tunnel to the Jellyfin server including TVs

[–] faercol@lemmy.blahaj.zone 28 points 3 months ago

Which again implies that you have a router that allows you to do so. It's not always the case. For tech enthusiast people that's the case. But not for everyone.

I tried to do the same thing at first, but it was a pain, there were tons of issues.

[–] douglasg14b@lemmy.world 8 points 3 months ago* (last edited 3 months ago) (1 children)

Oh yes, the routers and gateways that most people have that are isp provided that may not actually have open VPN or wireguard support.

Those ones?

Also putting a VPN in someone else's house so that all their Network traffic goes through your gateway is pretty damn extreme.

[–] ramble81@lemmy.zip -1 points 3 months ago

What? No, you can do a tiny reverse proxy/vpn on a stick with something like a RPi. Configure it and give it to them. Then they point their Jellyfin client on their device to the IP of the RPi instance on their network and that creates the tunnel back to your VPN endpoint and server.

And for VPNs at a router level you can inject routes and leave th default route going out through your ISP, you don’t need to, nor want to, have all traffic going through it.

[–] tiz@lemmy.ml 5 points 3 months ago (3 children)

Don’t reverse proxies like pangolin just do the job? Does it have to be VPN in this particular concept? VPN isn’t like immune to vulnerabilities.

[–] radar@programming.dev 15 points 3 months ago (2 children)

Reverse proxy doesn't really get you much security. If there is an application level issue a reverse proxy will not help

[–] whimsy@lemmy.zip 3 points 3 months ago (1 children)

Hmmm, I'm a bit rusty on this but can't one put an auth gate in front of the application, handled by the reverse proxy?

[–] radar@programming.dev 2 points 3 months ago

You can, that would actually give you security. Not sure how many people do that. I assumed a straight reverse proxy without any auth

[–] tiz@lemmy.ml 1 points 3 months ago

I see thanks. I’ll think about it more.

[–] r00ty@kbin.life 9 points 3 months ago (1 children)

Reverse proxy will let anyone connect to it. VPN, you can create keys/logins for your intended users only. Having said that, from what I could see, nothing in the security fixes were to do with authentication. I think (just from a cursory look), they could only be exploited, if at all from an authenticated user session.

But personally, something like jellyfin where the number of people I want to be able to access it is very limited, stays behind a VPN. Better to limit your potential attack surface as much as you can.

[–] PeriodicallyPedantic@lemmy.ca 1 points 3 months ago

Reverse proxies like the one specifically mentioned, pangolin, have auth and user access rules.

[–] ohshit604@sh.itjust.works 2 points 3 months ago* (last edited 3 months ago) (1 children)

Pangolin is based off of Traefik if I’m not mistaken, should be able to use Traefiks IPAllowlist middleware to blacklist all IP addresses and only whitelisting the known few.

[–] VeganCheesecake@lemmy.blahaj.zone 2 points 3 months ago (1 children)

If the people you want to have access have static, exclusive ip addresses. Which is pretty unusual, these days.

[–] ohshit604@sh.itjust.works 1 points 3 months ago* (last edited 3 months ago)

Oh yeah I’m aware, if people don’t want to use a VPN then I suggest this but give them the advisory warning.

Actually, recently I’ve been using a fork of IPAllowList which accepts DDNS addresses, but that usually is for more technical folk who would probably rather use a VPN then purchase a domain and associate it with their network.