this post was submitted on 05 Jul 2026
96 points (95.3% liked)

Selfhosted

60451 readers
772 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

  1. Be civil.

  2. No spam.

  3. Posts are to be related to self-hosting.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
 

I have docker installed, but only have a vague idea of how it works.

Back in the day, I would just port forward, but even then, I would need a static IP somehow.

I have heard a reverse proxy is an option, but that is an entirely new topic to me.

Surely there is an easy way to access Jellyfin outside of my home network that I'm just missing.

top 50 comments
sorted by: hot top controversial new old
[–] xavier666@lemmy.umucat.day 5 points 3 hours ago (1 children)

wanted a free solution

ends up buying a domain

Welcome to the club, buddy!

[–] pineapple@lemmy.ml 1 points 3 hours ago

Cheap domains are basically free though so it doesn't count!

[–] uuj8za@piefed.social 14 points 12 hours ago (2 children)

https://netbird.io/ for your own private network of trusted devices, it's free and doesn't require a separate Big Tech account to use (unlike Tailscale)

And then if you want to share Jellyfin with someone who isn't in your Netbird network... believe it or not, also Netbird

https://docs.netbird.io/manage/reverse-proxy

[–] philanthropicoctopus@thelemmy.club 1 points 3 hours ago (1 children)

is this much different than nginx?

[–] uthredii@programming.dev 1 points 3 hours ago

Yes, it is easier and safer for someone who doesn't know what they are doing to set up.

[–] Lumisal@lemmy.world 0 points 4 hours ago (1 children)

Does it work with a reverse proxy?

[–] uthredii@programming.dev 1 points 3 hours ago (1 children)

It has functionality to let you set up a reverse proxy (in beta). But you can access all your services by using the zero trust vpn

[–] Lumisal@lemmy.world 1 points 3 hours ago

Nice! Maybe I'll try the beta. Been wanting to tinker around with my set up recently

[–] wilmo@programming.dev 51 points 17 hours ago (2 children)

Tailscale. It's free. Insanely easy to set up.

Just install on your devices and connect via the given tailscale ip for the jellyfin server.

[–] ragebutt@lemmy.dbzer0.com 8 points 10 hours ago (1 children)

Or head scale if you don’t want something you don’t control that requires an account with google/apple/microsoft

[–] pineapple@lemmy.ml 1 points 3 hours ago

Headscale is great but requires port forwarding which, aside from having its own iasues, is something op wants to avoid.

[–] sakphul@discuss.tchncs.de 14 points 17 hours ago (1 children)

I would also propose going with Tailscale instead If a VPN + DynDNS solution. Imho it is a lot easier to Setup compared to VPN + DynDNS If you are a beginner and just starting out.

If at some point you need more and then is available in the free Tier of Tailscale and you do not want to pay for it (and you have built up some knowledge!) you can switch to something like Headscale or Netbird.

load more comments (1 replies)
[–] KairuByte@lemmy.dbzer0.com 14 points 14 hours ago (1 children)

Personally I didn’t want to have to hand out VPN credentials to everyone, so I went with a cloudflare tunnel with Authelia as the method of authentication.

[–] irmadlad@lemmy.world 9 points 14 hours ago (7 children)

+1 for Cloudflare Tunnels/Zero Trust. The free tier is more than generous for a homelab

[–] KairuByte@lemmy.dbzer0.com 5 points 14 hours ago (2 children)

Not to mention, the amount of data you can run through it is nuts. I’ve been running Stremio web through it for months without issue to watch content at work.

is that against ToS? i want to do it but dont want to get banned

[–] irmadlad@lemmy.world 2 points 11 hours ago

Yup. OP was asking about bandwidth caps, I haven't experienced any, nor can I find any documentation to support bandwidth caps. I stream Navidrome around the house from the time I get up to the time I go to bed and it has worked flawlessly.

load more comments (6 replies)
[–] hoshikarakitaridia@lemmy.world 28 points 17 hours ago* (last edited 14 hours ago) (7 children)

That's the whole point of a domain. Your IP changes every now and again you need people to know where to reach you. You give them a domain, and you configure the name records so that the domain always points to the right IP address.

Your options:

  • dynamic IP - you keep your setup as is and just periodically tell them the new IP you're on. Annoying and exposed
  • static IP - you buy a static IP (from your ISP) and share it with your friends once. A little bit less annoying and still exposed
  • you use a VPN like hamachi or radmin - your friends install the software, they look for you IP in there, you're done - very secure but also very annoying
  • you buy a domain - you have to configure an IP updater like ddclient or similar, then you jellyfin should be reachable - least annoying for your friends but also slightly less secure

Domain is the cleanest option.

I am telling you how annoying it is because that's how likely your friends are to adopt it and how secure it is because depending on your country you are doing something illegal and you really don't want anyone to find out and you gotta keep it updated more often if you don't want people to exploit it. There's an endless supply of very smart people out there who use known bugs to target public services.

Edit: I forgot DDNS, see below comments.

[–] spaghettiwestern@sh.itjust.works 15 points 17 hours ago (1 children)

You left out DDNS. It's free, easy to set up with lots of detailed guides online, and works as well as a static IP.

load more comments (1 replies)
load more comments (6 replies)
[–] ohshit604@sh.itjust.works 2 points 11 hours ago (3 children)

Device -> VPN Tunnel (ideally WireGuard) -> Home Router / Server.

The only port that needs to be opened is your WireGuard server which typically is :51820.

The issue with this is you have explain VPN’s and WireGuard to people which, in my experience turns people away as they see it as a hassle.

Alternatively buy a domain, setup DDNS so that your home IP is associated with your domain, setup a reverse proxy and open port :443 on your router however, I would suggest a blacklist-first approach and only whitelist the few known IP’s you can trust.

[–] ridethisbike@lemmy.dbzer0.com 2 points 7 hours ago (1 children)

I did the last one. Bought a domain for $5 per year from cloudflare and used a cloudflared tunnel to direct traffic to Caddy (reverse proxy). Set up everything as deny-by-default, requiring log in to access things like sonarr, and let things like Jellyfin and Immich bypass the login requirement. Took a bit to get it all figured out, but it worked.

There is also a way to use the cloudflared tunnel for free that gives you a domain as well (sort of anyways).

All of that is run via docker containers, minus the

Documentation on all of this is fragmented and a challenge to figure out. Happy to help anyone who wants to message me about it.

I took this a step further as I use a wireguard tunnel to make use of my router level ad blocking. So I added an entry for my domain to route back to caddy and serve it all locally. This is proving to be a challenge due to the way some browsers handle forced https, but I'm making due.

[–] ohshit604@sh.itjust.works 2 points 7 hours ago (1 children)

and used a cloudflared tunnel to direct traffic to Caddy

There is also a way to use the cloudflared tunnel for free that gives you a domain as well (sort of anyways).

This is DDNS, a popular, free alternative would be ddclient. Essentially updating an A Record so that your dynamic IP is remains associated with your domain.

While cloudflare is also my registrar as well, I don’t use any of the “features” they offer, and opted to use Keycloak for my authentication needs.

[–] ridethisbike@lemmy.dbzer0.com 1 points 6 hours ago (1 children)

I've debated setting up Authelia or something similar because cloudflare is sooo slow to load their login page, but haven't landed on anything yet... Plus I worry I set something up wrong and expose my network

[–] ohshit604@sh.itjust.works 1 points 6 hours ago* (last edited 6 hours ago) (1 children)

I can’t be much of a help with Caddy however, for Traefik you can use the OIDC Middleware to forward requests to your authentication service.

Plus I worry I set something up wrong and expose my network

The only port that would need opening is :443, leave port :80 closed so that people cannot connect to your services insecurely. Slap fail2ban or geoblock on it and call it a day. Also, DDNS allowlist for that deny-first approach.

[–] ridethisbike@lemmy.dbzer0.com 1 points 5 hours ago

The current config routes through the cloudflared tunnel so no ports are open externally at the moment, so that's nice, but yea, I'd have to imagine there's some documentation out there for caddy.

Caddy has been a pain, though, so I might give one of the others a try. Thanks for the tips!

[–] dogs0n@sh.itjust.works 2 points 8 hours ago

People's IP addresses usually change so that might be annoying keeping a whitelist up to date.

A good alternative is something like fail2ban to ban ip addresses that spam your server looking for a way in and potentially geo-restricting access to your country.

[–] FlexibleToast@lemmy.world 3 points 10 hours ago (1 children)

Free vps in oracle cloud with Pangolin. Never have to worry about explaining VPNs.

[–] ohshit604@sh.itjust.works 1 points 9 hours ago (1 children)

Free vps in oracle cloud with Pangolin

If I’m not mistaken I tried setting up pangolin to work along side my already running Traefik setup and it was just an absolute nightmare.

I just don’t have the time nor energy to reinvent my already running configuration.

[–] FlexibleToast@lemmy.world 1 points 8 hours ago (1 children)

I've set it up next to my NPM and it's more complicated, but so much more capable. Traefik is what it uses to proxy things. You're comparing a full suite of tools with just one piece.

[–] ohshit604@sh.itjust.works 1 points 6 hours ago* (last edited 6 hours ago)

Traefik is what it uses to proxy things. You're comparing a full suite of tools with just one piece.

I mean, that’s debatable. Taking a look at their docker-compose.yml there are 3 containers they recommend running, with a 4 optional container.

  • image: docker.io/fosrl/pangolin:latest # Pangolin itself
  • image: docker.io/fosrl/gerbil:latest # WireGuard server
  • image: docker.io/traefik:v3.6 # Traefik Reverse Proxy
  • image: hhftechnology/middleware-manager:latest # Optional middleware manager for Traefik

To say this is a “full-suite” is a bit much when majority of the heavy lifting is done by Traefik, the middleware’s you assign to Traefik and WireGuard. Pangolin if I’m reading this correctly;

“Pangolin combines reverse proxy and VPN capabilities into one platform.”

Which is great! However as I mentioned previously, does not integrate well when these services are already setup to work standalone.

I suspect the same reaction from folks when they hear “download pangolin from the App Store, and use xyz credentials to connect.” And “download WireGuard from the App Store, and use xyz file to connect.”

[–] bloogoose@lemmy.zip 4 points 13 hours ago

Look into nginx proxy manager. Pretty easy to setup and deploy.

[–] ThatFuckingIdiot@lemmy.today 13 points 17 hours ago (5 children)
load more comments (5 replies)
load more comments
view more: next ›