202
How would you expose Jellyfin securely without a vpn? (discuss.online)
submitted 3 weeks ago by kiol@discuss.online to c/selfhosted@lemmy.world
201 comments fedilink hide all child comments

Assuming the user will not be connecting over vpn, but is both remote and non-technical, how would you expose Jellyfin to them securely?

you are viewing a single comment's thread
view the rest of the comments
[-] zaggynl@feddit.nl 10 points 3 weeks ago

Ask them to visit https://ipv4.icanhazip.com/ and give you back the number, then whitelist in your webserver, as well as your LAN/VPN range, deny rest. Explain they can only reach jellyfin from their home internet. Repeat if they get 403 forbidden after they get a new WAN IP.

That or VPN like openziti, wireguard but gets more complicated.

[-] floral_toxicity@lemmy.world 5 points 3 weeks ago

https://www.moanmyip.com/

It's exactly what it sounds like.

[-] EncryptKeeper@lemmy.world 1 points 3 weeks ago

I like how if it’s IPv6 it just gives up

[-] axx@slrpnk.net 4 points 3 weeks ago

You really can't assume your visitors are going to have static IPs.

What happens when they visit from their phone? A friend's WiFi? Their home connection that has a regularly changing IP?

[-] zaggynl@feddit.nl 1 points 3 weeks ago* (last edited 3 weeks ago)

So far I've seen WAN leases expire after a long time, say months, or quarter year, so is doable. If becomes an issue I'll work with them on a VPN solution but is a pain for non-technical users or non-supported hardware. That's also why I explain "use from your home network only".

[-] axx@slrpnk.net 1 points 3 weeks ago

What's your concern about running it behind a reverse proxy, like caddy or nginx?

[-] zaggynl@feddit.nl 1 points 1 week ago* (last edited 1 week ago)

I don't consider Jellyfin a fully secure and audited application to host, unsecured endpoints come to mind, that and the less exposed to the whole internet the better.

https://github.com/jellyfin/jellyfin/issues/13987

Things like these scare me:

https://blog.lastpass.com/posts/notice-of-recent-security-incident

https://www.androidpolice.com/lastpass-breach-plex-update/

[-] hereiamagain@sh.itjust.works 4 points 3 weeks ago

This is solid. I wonder if you could rig up a ddns somehow to keep it seamless?

[-] zaggynl@feddit.nl 2 points 3 weeks ago

Something like reverse dynamic DNS for end users? Hm, only if it would be easy to setup, is on the same level as a VPN client I'd say.

this post was submitted on 23 May 2026
202 points (97.2% liked)

Selfhosted

59955 readers
299 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam.

  3. Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.

  4. Don't duplicate the full text of your blog or git here. Just post the link for folks to click.

  5. Submission headline should match the article title.

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
ayyy@sh.itjust.works
curbstickle@anarchist.nexus
curbstickle_lw@lemmy.world