[-] themachine@lemmy.world 3 points 15 hours ago

Just know that this is a step forward in the direction of making it technically possible to force people to use the app.

I disagree. There is nothing stopping that as it is. What this really does is remove one more level of control from the end user on their device.

Ask yourself if you trust them to not try and profit from this.

I'm not sure what you are getting at here. Of course I don't trust "them". Nor do I trust any corp. It's those reasons among others why I have completely removed Google from my computing life and almost exclusively use open source software as well as self host functionally all network services.

[-] themachine@lemmy.world 1 points 21 hours ago

You never specified what specs you want/require

[-] themachine@lemmy.world 1 points 21 hours ago

In the scope of WireGuard it'll just be a matter of you building appropriate firewall rules.

Since you want their internet traffic to go through you then I assume you're effectively pushing a 0.0.0.0/0 route to your clients. You then need to add firewall rules on your server to block traffic to its local subnet and in the future allow traffic to only your Jellyfin server.

This is also pretty simple and nothing wrong with that setup.
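The firewall ordering described in the comment above, as an added example that is not part of the original comment: a script that prints iptables rules for the WireGuard server's FORWARD path. The interface name, LAN subnet, Jellyfin address and port are constructed placeholders (8096 is Jellyfin's default HTTP port), and the `WG-CLIENTS` chain name is hypothetical.

```shell
#!/bin/sh
# Constructed values (assumptions, not from the comment).
WG_IF="wg0"
LAN_NET="192.168.1.0/24"
JELLYFIN_IP="192.168.1.50"
JELLYFIN_PORT="8096"

# Print rules in iptables-restore format for traffic arriving from VPN clients.
# Order matters: the single Jellyfin allow must come before the LAN drop, and
# the final ACCEPT lets the clients' internet traffic (0.0.0.0/0 route) through.
# Not covered here: the INPUT chain (traffic to the server's own addresses)
# and NAT/masquerading for the outbound internet traffic.
wg_forward_rules() {
    wg_if=$1
    lan=$2
    jf_ip=$3
    jf_port=$4
    cat <<EOF
*filter
:WG-CLIENTS - [0:0]
-A FORWARD -i $wg_if -j WG-CLIENTS
-A WG-CLIENTS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A WG-CLIENTS -d $jf_ip/32 -p tcp --dport $jf_port -j ACCEPT
-A WG-CLIENTS -d $lan -j DROP
-A WG-CLIENTS -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for review. To validate without applying, pipe it to:
#   iptables-restore --noflush --test
# Applying it repeatedly appends a duplicate FORWARD jump each time.
wg_forward_rules "$WG_IF" "$LAN_NET" "$JELLYFIN_IP" "$JELLYFIN_PORT"
```

Until the Jellyfin server exists, dropping the Jellyfin line leaves VPN clients with internet access only.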

[-] themachine@lemmy.world 4 points 21 hours ago

Correct. I've never used banking apps in the first place anyway. If my bank doesn't have a functional website then I would change banks.

And I say this not to be difficult or contrarian. I just really hate using apps for every business in existence and simply refuse to do so. Yes I have absolutely sacrificed convenience on many occasions due to this principle.

[-] themachine@lemmy.world 14 points 23 hours ago

You're probably better off looking for hardware to meet your spec requirements and then looking into its Linux support.

[-] themachine@lemmy.world 91 points 1 day ago

Well that's an easy fix. I just won't use those apps.

[-] themachine@lemmy.world 1 points 1 day ago

You did not answer what VPN tech you are using.

Without that knowledge I would recommend setting up Tailscale and having your users use that. If you want to be fully self hosted you can also run Headscale as the control plane instead of relying on Tailscale's own service.

I recommend Tailscale as it is very easy to grant a user privileges to ONLY use an endpoint as an exit node but also grant access to any other endpoints as needed (such as your future Jellyfin server) via their ACLs.

[-] themachine@lemmy.world 8 points 2 days ago

Yeah, and it's pretty clear you are at fault.

[-] themachine@lemmy.world 7 points 2 days ago

Well that certainly removes any uncertainty from this "debate". OP was rude and people didn't take mind to his rudeness.

[-] themachine@lemmy.world 2 points 2 days ago* (last edited 2 days ago)

Best practices come down to what you do or do not want the VPN clients to access. This mostly comes down to routing and firewall rules.

So, what should your users have access to?

Also what is the VPN?

[-] themachine@lemmy.world 11 points 3 days ago

I'm not entirely sure what the actual question is. Can you rephrase what exactly you are trying to accomplish?

[-] themachine@lemmy.world 124 points 4 months ago

But the article explains that there is a technical reason.

themachine

joined 1 year ago