How do I host Jellyfin in the most secure manner possible?

Please take this discussion to this post: https://lemmy.ml/post/28376589

99 comments

Hi. I am a software engineer with a background in IT security. My girlfriend is a literal network security engineer.
I showed her this thread and she said: don't bother, just use http on your local network.
Anyways, I am going to disengage from this thread now. Skepticism against things one doesn't fully understand can be healthy, but this is an insane mix of paranoia and naïveté.
You are not a target; the things you are afraid of will never happen; and if they did, they would not have the consequences you think they would.
Your router will NOT magically expose your traffic to the internet (what would that even mean?? Like, if it spontaneously started port forwarding to your Jellyfin server (how? By just randomly guessing the port and IP???), someone would still need to actively request that traffic, AND know your login credentials, AND CARE).
Your ISP does not give a shit about you owning or streaming copyrighted material over your local network. It has no stake in that.
Graphene is not an ultimate arbiter of IT security, but the reason it "distrusts networks" is because you take your phone with you, constantly moving into actual untrusted networks (i.e. ones you do not own).
Hosting Jellyfin on Graphene will not make it more secure, whatsoever.
If every device is assumed compromised, and compromising devices with knowledge that you watch media is a threat in your model, then even putting an SD card with media in your phone and clicking play is dangerous. Which is stupid.
If you actually assume your router is malicious, then please assume that when you initially downloaded your VPN client, it was also compromised and your VPN is not trustworthy.
The way I see it, you have two options:
educate yourself on network security to the point of being able to trust your network setup; or
forget about hosting anything
- I'm interested in you and your girlfriend's thoughts on my new post about this issue.
  P.S. She's a keeper. Marry her already!
  
  Hi again. Sorry for being so rude yesterday. Your new post actually clears the situation up a lot.
  We might have an idea for you, will comment on the new post.
- Regarding the ‘taking your phone with and joining untrusted networks,’ you can set up WireGuard to auto join your vpn on any network you haven’t whitelisted, including your cellular network.

I don't plan to access it anywhere but home
Okay so what's all this faffing about for? Just don't open it up to the internet and access it with your servers local ip address on your home network
- I wish it were that simple, but as I mentioned that would require paying for ProtonVPN to allow LAN connections (which isn't the worst thing in the world, but I'd prefer to avoid subscriptions where possible) and clients don't allow self-signed certificates.
  
  What are you talking about. Please clarify if this is actually true:
  I don’t plan to access it anywhere but home.
  This would mean that you only want to access Jellyfin when you, and the device you are watching your show/movie on, are at home, where the Pi/server also is.
  Is this correct?
  If so, then questions about VPN, Certificates, DNS,.... do not matter.
  host Jellyfin on the Pi, e.g. with IP 192.168.10.20 on your local network
  open the Jellyfin app on your TV/Phone/PC, connect to http://192.168.10.20:8096/
  done
  Now you can access it at home, and only at home. I honestly fail to see where a VPN would even come into the equation here (again, if you wish to ONLY watch when you are at home, as you've said).
  
  Look into Tailscale. Its free
  
  Idk if proton allows you to download config files on a free account but if they do then you could use those to manually split tunnel your local internet
  Edit: if they don't then the "most secure" (and cheapest) option is to pay for a VPN that allows Lan connections

Just run it on the LAN and don't expose it to the Internet. That's 99% of the way there. HTTPS only secures the connection, and I doubt you're sending any sensitive info to or from Jellyfin (but you can still run it in docker and use caddy or something with Let's Encrypt).
The bigger target is making sure jellyfin itself and the host it runs on are updated and protected. You could use a WAF too.
- Just run it on the LAN and don’t expose it to the Internet.
  This would require paying for a VPN to allow LAN connections, which is an option but not my preferred one.
  HTTPS only secures the connection, and I doubt you’re sending any sensitive info to or from Jellyfin
  This is a matter of threat model, and I would prefer not to expose my TV preferences unencrypted over the network.
  but you can still run it in docker and use caddy or something
  Does Caddy require a custom DNS in order to point the domain to a local IP address?
  The bigger target is making sure jellyfin itself and the host it runs on are updated and protected.
  This is easy with securecore, since it updates daily. The rest of the semantics for the actual hosting side aren't too difficult.
  
  You don't need a VPN for LAN connections. You're already on the LAN. You'd only need it for access from the WAN.
  If you're using Let's Encrypt, you should probably purchase a domain. I don't think they support .internal domains. Or you could set up your own CA and run it however you want, even issuing certs to access by IP address if you wanted.
  
  But if you don't plan to access it anywhere but home (your words), then it doesn't have outside access, and putting it on your LAN is done.
  Edit: if you do want to access it from outside, running a wire guard vpn locally is pretty easy to do.
  
  You could do a vpn hosting by yourself.
  Meaning your server is basically a vpn tunnel server and you can connect from the Internet to it. Once you are in the encrypted vpn connection you have access to the local network.
  If you have dynamic ip you need dns though. But no one can connect just because they know the ip)/dns

I applaud your accomplishment as a penetration tester. I am disappointed at your lack of understanding regarding non-public networking.
Move your VPN to your router. Don’t bother with HTTPS on anything not exposed to the Internet.
If that does not satisfy your concerns, you may want to give up using electronic devices.
- No reason not to have both. Things like vaultwarden do warrant an extra layer so setup wildcard domain for internal services x.local.example.com and then normal certs for external stuff like y.example.com.
  To get internal stuff you then need your vpn as well to access it. You can now easily choose what risk you want on a per app basis.
  Technotim has a good video on this
- There is a huge reason to use HTTPS inside the LAN - so many browsers and other client software show HTTPS connections as more secure, with a nice padlock. For me, this was worth the minor inconvenience of setting up DNS-challenge with let's encrypt with a domain I already had.
  
  Your huge reason is the padlock in the browser bar? I’m not against TLS internally. I do it myself with my own CA. For this particular instance and the unique requirements, it seemed easiest to avoid TLS.

Your post is very confusing. You want to use it only locally (on your home), but it can't be a local-only instance.
You want to e2ee everything, but fail to mention why. There is no reason to do that on your own network.
I do not know why you want to use a VPN and what you want to do with it. Where do you want to connect to?
What is the attack vector you're worried about? Are there malicious entities on your network?
- You want to use it only locally (on your home), but it can’t be a local-only instance.
  By "local-only" I meant on-device
  You want to e2ee everything, but fail to mention why.
  Privacy and security.
  There is no reason to do that on your own network.
  Networks are not a trusted party in any capacity.
  I do not know why you want to use a VPN and what you want to do with it. Where do you want to connect to?
  A VPN such as ProtonVPN or Mullvad VPN are used to displace trust from your ISP into your VPN provider and obscure your IP address while web browsing (among other benefits that I don't utilize).
  What is the attack vector you’re worried about? Are there malicious entities on your network?
  These are good questions but not ones I can answer briefly.
  
  My short answer: you're overthinking it way too hard and I think sticking that microSD-Card into the device you want to watch on is your best bet.
  You're chasing ghosts.
  
  If you don't trust the devices inside your own house, no amount of VPNs or e2ee are going to help.
  If it's entirely on your lan, your isp isn't involved and a VPN is just adding unnecessary complications.

Run in at home and get Tailscale setup with a Headscale server, or just use Tailscale straight out of you want. That's the simplest.
A better option would be getting an OpenWRT router and start building proper infrastructure for doing something like this. You'll have many different options for decentralized and NAT traversing VPNs with this option. GL.Inet Flint is a great choice.
- Run in at home and get Tailscale setup with a Headscale server, or just use Tailscale straight out of you want. That’s the simplest.
  I have no idea how to do this. Do you have any resources? Does it cost a subscription fee?
  A better option would be getting an OpenWRT router
  This is what I have planned. OpenWrt Two my beloved
  You’ll have many different options for decentralized and NAT traversing VPNs with this option. GL.Inet Flint is a great choice.
  I also don't know how to do this. Resources are much appreciated :)
  
  Okay, so let me explain a bit:
  Tailscale is a commercial client that is semi-FOSS. It's built on Wireguard, which is FOSS, but the cloud hosted architecture does cost money after I think 5 clients.
  Headscale is a FOSS implementation of Tailscale, and totally free to host, skipping the above.
  Tailscale itself is super easy to use, and you just install it on a node, register it, and then it has access to any other device on that secured network. So if you install it on your Jellyfin machine at home behind your normal firewall, then install it on your phone, you'll be able to connect to it without forwarding ports for messing around with much.
  It should be that simple.

This is one of the funniest posts I've seen here so far. Thanks for that! I unfortunately don't otherwise have anything to add that hasn't already been said, just wanted you to know that I enjoyed it a lot :)

After reviewing the entire thread, I have to say that this is quite an interesting question. In a departure from most other people's threat models, your LAN is not considered trusted. In addition, you're seeking a solution that minimizes subscription costs, yet you already have a VPN provider, one which has a -- IMO, illogical -- paid tier to allow LAN access. In my book, paying more money for a basic feature is akin to hostage-taking. But I digress.
The hard requirement to avoid self-signed certificates is understandable, although I would be of the opinion that Jellyfin clients that use pinned root certificates are faulty, if they do not have an option to manage those pinned certificates to add a new one. Such certificate pinning only makes sense when the client knows that it would only connect to a known, finite list of domains, and thus is out-of-place for Jellyfin, as it might have to connect to new servers in future. For the most part, the OS root certificates can generally be relied upon, unless even the OS is not trusted.
A domain name is highly advised, even for internal use, as you can always issue subdomains for different logical network groupings. Or maybe even ask a friend for a subdomain delegation off of their domain. As you've found, without a domain, TLS certificates can't be issued and that closes off the easy way to enable HTTPS for use on your untrusted LAN.
But supposing you absolutely do not want to tack on additional costs, then the only solution I see that remains is to set up a private VPN network, one which only connects your trusted devices. This would be secure when on your untrusted LAN, but would be unavailable when away from home. So when you're out and about, you might still need a commercial VPN provider. What I wouldn't recommend is to nest your private VPN inside of the commercial VPN; the performance is likely abysmal.
- But supposing you absolutely do not want to tack on additional costs, then the only solution I see that remains is to set up a private VPN network, one which only connects your trusted devices. This would be secure when on your I trusted LAN, but would be unavailable when awat from home.
  Traditionally this would be performed by creating a dedicated network of trusted devices. Most commonly via a VLAN for ease of configuration. Set the switch ports that the trusted devices are connected to to use that vlan and badabing badaboom you're there. For external access using Tailscale or one of the many similar services/solutions (such as headscale, netbird, etc.) with either the client on every device or using subnet routing features to access your trusted network, and of course configure firewalls as desired
  
  I had a small typo where "untrusted" was written as "I trusted". That said, I think we're suggesting different strategies to address OP's quandary, and either (or both!) would be valid.
  My suggestion was for encrypted L3 tunneling between end-devices which are trusted, so that even an untrustworthy L2 network would present no issue. With technologies like WireGuard, this isn't too hard to do for mobile phone clients, and it's well supported for Linux clients.
  If I understand your suggestion, it is to improve the LAN so that it can be trusted, by way of segmentation into VLANs which separate the trusted devices from the rest. The problem I see with this is that per-port VLANs alone do not address the possibility of physical wire-tapping, which I presumed was why OP does not trust their own LAN. Perhaps they're running cable through a space shared with other tenants, or something like that. VLANs help, but MACsec encryption on the wire paired with 802.1x device certificate for authentication is the gold standard for L2 security.
  But seeing as that's primarily the domain of enterprise switches, the L3 solution in software using WireGuard or other tunneling technologies seems more reasonable. That said, the principle of Defense In Depth means both should be considered.

If you are willing to swap to mullvad then you can also install tailscale. You can then choose to connect to your jellyfin server (over LAN) or (over tailscale-wireguard tunnel over LAN) while the rest of the traffic flows through mullvad.
- Why not just skip that and just use a wire guard tunnel?
  
  a wireguard tunnel over a forced NordVPN tunnel will mean that all his traffic will flow all the way to the NordVPN node and all the way back for a LAN connection.
  a properly configured wireguard tunnel is harder to configure than a tailscale network with a mullvad exit node. (I think)
  a wireguard tunnel can only connect one device to the Jellyfin Server (or router if it supports it)

I think the easiest way would be to have two vlans on your local network. One that is connected to the internet and another that is local only. I think you'd have to switch networks when wanting to access the jellyfin server in that instance, but would negate the main issue, which is your VPN.
Edit: that's about the most secure you can get I think. If you bought a different physical router to host it, you'd have about as secure a setup as possible.
- This is fair, and does solve the problem. I didn't explicitly state that I needed it to be convenient, so you're right. Having one network that is LAN only and switching to it to use Jellyfin, and having a second network that is WAN only and using ProtonVPN there would probably be the most secure setup. Unfortunately, it still doesn't solve the issue of encryption in transit over the LAN, but that might be fixable with Tailscale. The LAN could even be ethernet-only, to mitigate wireless attacks.
  That makes me wonder if there's a way I could simply plug an ethernet cord from my phone to the airgapped Pi and use it that way. Is that possible? Surely it is. Could ProtonVPN be used on the phone even while the phone is connected physically to the Pi?

Hang on.
Would it not be better to run a VPN server on your router to force all WAN-bound traffic through the VPN? This way, you could still access your local devices.
- Good eye! I'd like to avoid trusting my network, but I did consider this option. It also becomes a hassle to enable my VPN per-device each time I leave my house and connect to another network. This still doesn't solve the problem of encrypting Jellyfin in transit over the LAN.
  
  Jellyfin has https support built in, you just have to enable it in settings. I just made a self-signed cert with openssl and use that

Fwiw jellyfin apps don't even allow you to use a self signed cert.
- I know. It's very unfortunate, but I understand why.

I can't answer your question as I rely on Plex rather than fooling around with my own security, but I'd suggest reconsidering the Pi and a microSD to host Jellyfin. Neither one of these are a good fit unless you plan on sticking to very specific audio and video codecs to avoid all transcoding and your upload speeds are capable of serving the full bitrate of your files. Beyond that, SD cards are terrible for this kind of task and you'd be much better served with an SSD as your boot/data drive for robustness. I can't even count the number of failed SD cards I've had over the years.
- but I’d suggest reconsidering the Pi
  It's what I have on hand at the moment. I don't have proper server hardware yet.
  and a microSD to host Jellyfin.
  Beyond that, SD cards are terrible for this kind of task and you’d be much better served with an SSD as your boot/data drive for robustness. I can’t even count the number of failed SD cards I’ve had over the years.
  I will keep this in mind, thank you!
  Neither one of these are a good fit unless you plan on sticking to very specific audio and video codecs to avoid all transcoding and your upload speeds are capable of serving the full bitrate of your files.
  I haven't tried playing videos from my Raspberry Pi, but I've been able to run extremely modern video codecs on some pretty old hardware without any issues. Since I've never had issues with video codecs, I'm not experienced in what hardware can and can't handle it.
  
  A micro sized PC with an i5 and 8gb or ram can cost under 100€, and it's way more powerful compared to a pi. Power efficient too. That's what I used for a long time for my jellyfin server.

You're overthinking. Just host it on any server with a domain name and use let's encrypt certs if you want to access it from anywhere. TLS offers good encryption, I don't get how you need a VPN on top of that.
For local access only, I'd just host it on a machine over the lan, self-signed certs for TLS, hell I would even settle with http in this case. As for your VPN app preventing you to access a local resource on your lan, if true, you should get rid of that nonsense.

If you're running externally, use a cloudflare tunnel.
No ports exposed = no attack surface. This is 99% of security.
HTTPS is provided by CF although only secures comms between your devices to CF, not CF to your Pi, meaning CF can see clear text technically.
If that's not good enough then use a VPN server like PiVPN and put it on your pi and OpenVPN on your devices. *This has nothing to do with paid VPN Client subscriptions like Tunnelbear or Proton or whatever. *
You will be running a VPN server on your pi to which you will connect from your devices on which you want to watch JF by downloading a device profile to your devices and opening it in the OpenVPN app.
You do not need to pay for anything at all anywhere ever (other than something for DDNS and a domain name), use a strong password and make sure your JF is updated if there's any CVE. Expose nothing else to the internet.
You don't even need HTTPS at that point or any certs, a VPN will encrypt your traffic anyway. The only cleartext you'll have is between your VPN and your JF, and if both are on the pi then the only MITM vector is literally inside your Pi which is unlikely to have any issues.

I'm not taking this to lemmyml

How i do it:
Wireguard for VPN endpoint on the pi and device that I have root on, secure, fast to setup and doesn't add a lot of overhead
For access outside of VPN:
You might have to pay for a domain name if you dont have a static IP, which is relatively cheap.
You can manually allow trusted IP to access the service in your firewall which nullify surface of attack if done perfectly but is really an hassle to setup and maintain. I'm looking to setup Keycloack for a strong pre-auth that I can share between services and that is also lightweight (Authentik is not lightweight, Authelia seems to be i'd like to try it aswell) This coupled with firewall rules and/or fail2ban like service should be more than enough for a private server I think.

Your options are only as limited as your imagination and complexity of your requirements.
If you're only using it on your network, just use HTTP with mdns (or have static routes from your router or something, but you said you don't want that) so you don't have to remember IP addresses. If you want TLS, you can borrow someone else's domain with a service like FreeDNS.afraid.org (5 free subdomains). Or if you control the devices completely, you can make a root CA and add that to each device's trusted CA list, and then sign your own certs and eliminate MITM attacks.
You have options, and most are overkill. The simplest, secure solution is HTTP on your local network or over a VPN you trust (if you have a publicly accessible IP, just host your own WireGuard server on/via your router).

You can also add a second network interface to the computer that needs to access the jellyfin server over LAN.

So you want a self hosted jellyfin instance that you only plan to access at home, as secure and simply as possible?
Buy an HDMI splitter.

99 comments