I have docker installed, but only have a vague idea of how it works.

Back in the day, I would just port forward, but even then, I would need a static IP somehow.

I have heard a reverse proxy is an option, but that is an entirely new topic to me.

Surely there is an easy way to access Jellyfin outside of my home network that I’m just missing.

*Edit: I am blown away by all the help and support! I currently have tailscale running, and I’m in the process of purchasing a domain.

Thanks everyone!

  • ohshit604@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    1
    ·
    14 hours ago

    Device -> VPN Tunnel (ideally WireGuard) -> Home Router / Server.

    The only port that needs to be opened is your WireGuard server which typically is :51820.

    The issue with this is you have explain VPN’s and WireGuard to people which, in my experience turns people away as they see it as a hassle.

    Alternatively buy a domain, setup DDNS so that your home IP is associated with your domain, setup a reverse proxy and open port :443 on your router however, I would suggest a blacklist-first approach and only whitelist the few known IP’s you can trust.

    • ridethisbike@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      3
      ·
      11 hours ago

      I did the last one. Bought a domain for $5 per year from cloudflare and used a cloudflared tunnel to direct traffic to Caddy (reverse proxy). Set up everything as deny-by-default, requiring log in to access things like sonarr, and let things like Jellyfin and Immich bypass the login requirement. Took a bit to get it all figured out, but it worked.

      There is also a way to use the cloudflared tunnel for free that gives you a domain as well (sort of anyways).

      All of that is run via docker containers, minus the

      Documentation on all of this is fragmented and a challenge to figure out. Happy to help anyone who wants to message me about it.

      I took this a step further as I use a wireguard tunnel to make use of my router level ad blocking. So I added an entry for my domain to route back to caddy and serve it all locally. This is proving to be a challenge due to the way some browsers handle forced https, but I’m making due.

      • ohshit604@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        3
        ·
        11 hours ago

        and used a cloudflared tunnel to direct traffic to Caddy

        There is also a way to use the cloudflared tunnel for free that gives you a domain as well (sort of anyways).

        This is DDNS, a popular, free alternative would be ddclient. Essentially updating an A Record so that your dynamic IP is remains associated with your domain.

        While cloudflare is also my registrar as well, I don’t use any of the “features” they offer, and opted to use Keycloak for my authentication needs.

        • ridethisbike@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          2
          ·
          10 hours ago

          I’ve debated setting up Authelia or something similar because cloudflare is sooo slow to load their login page, but haven’t landed on anything yet… Plus I worry I set something up wrong and expose my network

          • ohshit604@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            2
            ·
            edit-2
            10 hours ago

            I can’t be much of a help with Caddy however, for Traefik you can use the OIDC Middleware to forward requests to your authentication service.

            Plus I worry I set something up wrong and expose my network

            The only port that would need opening is :443, leave port :80 closed so that people cannot connect to your services insecurely. Slap fail2ban or geoblock on it and call it a day. Also, DDNS allowlist for that deny-first approach.

            • ridethisbike@lemmy.dbzer0.com
              link
              fedilink
              English
              arrow-up
              2
              ·
              9 hours ago

              The current config routes through the cloudflared tunnel so no ports are open externally at the moment, so that’s nice, but yea, I’d have to imagine there’s some documentation out there for caddy.

              Caddy has been a pain, though, so I might give one of the others a try. Thanks for the tips!

    • dogs0n@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      3
      ·
      12 hours ago

      People’s IP addresses usually change so that might be annoying keeping a whitelist up to date.

      A good alternative is something like fail2ban to ban ip addresses that spam your server looking for a way in and potentially geo-restricting access to your country.

      • ohshit604@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        2
        ·
        13 hours ago

        Free vps in oracle cloud with Pangolin

        If I’m not mistaken I tried setting up pangolin to work along side my already running Traefik setup and it was just an absolute nightmare.

        I just don’t have the time nor energy to reinvent my already running configuration.

        • FlexibleToast@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          12 hours ago

          I’ve set it up next to my NPM and it’s more complicated, but so much more capable. Traefik is what it uses to proxy things. You’re comparing a full suite of tools with just one piece.

          • ohshit604@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            2
            ·
            edit-2
            10 hours ago

            Traefik is what it uses to proxy things. You’re comparing a full suite of tools with just one piece.

            I mean, that’s debatable. Taking a look at their docker-compose.yml there are 3 containers they recommend running, with a 4 optional container.

            To say this is a “full-suite” is a bit much when majority of the heavy lifting is done by Traefik, the middleware’s you assign to Traefik and WireGuard. Pangolin if I’m reading this correctly;

            “Pangolin combines reverse proxy and VPN capabilities into one platform.”

            Which is great! However as I mentioned previously, does not integrate well when these services are already setup to work standalone.

            I suspect the same reaction from folks when they hear “download pangolin from the App Store, and use xyz credentials to connect.” And “download WireGuard from the App Store, and use xyz file to connect.”

            • FlexibleToast@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              ·
              3 hours ago

              Pangolin uses gerbil with newt for those wireguard tunnels. That’s a massive improvement already. It also adds a bunch more features like vpn, you can crowdsec, and more that I don’t use. To say it’s debatable if it’s a suite of tools is just wrong.