Please take this discussion to this post: https://lemmy.ml/post/28376589
Main content
Selfhosting is always a dilemma in terms of security for a lot of reasons. Nevertheless, I have one simple goal: selfhost a Jellyfin instance in the most secure way possible. I don't plan to access it anywhere but home.
TL;DR
I want the highest degree of security possible, but my hard limits are:
- No custom DNS
- Always-on VPN
- No self-signed certificates (unless there is no risk of MITM)
- No external server
Full explanation
I want to be able to access it from multiple devices, so it can't be a local-only instance.
I have a Raspberry Pi 5 that I want to host it on. That means I will not be hosting it on an external server, and I will only be able to run something light like securecore rather than something heavy like Qubes OS. Eventually I would like to use GrapheneOS to host it, once Android's virtual machine management app becomes more stable.
It's still crazy to me that 2TB microSDXC cards are a real thing.
I would like to avoid subscription costs such as the cost of buying a domain or the cost of paying for a VPN, however I prioritize security over cost. It is truly annoying that Jellyfin clients seldom support self-signed certificates, meaning the only way to get proper E2EE is by buying a domain and using a certificate authority. I wouldn't want to use a self-signed certificate anyways, due to the risk of MITM attacks. I am a penetration tester, so I have tested attacks by injecting malicious certificates before. It is possible to add self-signed certificates as trusted certificates for each system, but I haven't been able to get that to work since it seems clients don't trust them anyways.
Buying a domain also runs many privacy risks, since it's difficult to buy domains without handing over personal information. I do not want to change my DNS, since that risks browser fingerprinting if it differs from the VPN provider. I always use a VPN (currently ProtonVPN) for my devices.
If I pay for ProtonVPN (or other providers) it is possible to allow LAN connections, which would help significantly, but the issue of self-signed certificates still lingers.
With that said, it seems my options are very limited.
Run in at home and get Tailscale setup with a Headscale server, or just use Tailscale straight out of you want. That's the simplest.
A better option would be getting an OpenWRT router and start building proper infrastructure for doing something like this. You'll have many different options for decentralized and NAT traversing VPNs with this option. GL.Inet Flint is a great choice.
I have no idea how to do this. Do you have any resources? Does it cost a subscription fee?
This is what I have planned. OpenWrt Two my beloved
I also don't know how to do this. Resources are much appreciated :)
Okay, so let me explain a bit:
Tailscale is a commercial client that is semi-FOSS. It's built on Wireguard, which is FOSS, but the cloud hosted architecture does cost money after I think 5 clients.
Headscale is a FOSS implementation of Tailscale, and totally free to host, skipping the above.
Tailscale itself is super easy to use, and you just install it on a node, register it, and then it has access to any other device on that secured network. So if you install it on your Jellyfin machine at home behind your normal firewall, then install it on your phone, you'll be able to connect to it without forwarding ports for messing around with much.
It should be that simple.
Iirc it supports 100 clients on the free tier, but even that is a soft limit -- I've heard that they will accommodate more devices if you ask (and you're in a non-commercial setting)
Does Headscale conflict with ProtonVPN/Mullvad VPN (i.e. can I use those alongside Headscale)? Android has a limited number of VPN slots, so that's why I ask.
Nope. Wireguard runs outside the same protocols.
Just give Tailscale a try first because it's essentially free for a few nodes. If you need more and don't want to pay, then investigate Headscale.
So:
Always-on VPNenabledBlock connections without VPNenabledAnd that will work? It will be encrypted during transit? And only run on the LAN? Does ProtonVPN need to allow LAN connections (I assume it does)?
Sorry, it may be confusing, but Headscale is ONLY the free server component. The client is still Tailscale's open client. That's why I'm saying just sign up and try it first with Tailscale, and then if you need more connections without paying, create a Headscale server and re-register your clients to that to skip charges.
Alright, I'm slowly learning, bare with me here:
Then:
Okay, so you might be unfamiliar with networking, so maybe some extra confusion there. Let me try to explain that a bit.
The Jellyfin server runs on LAN like normal. No need to use Tailscale if you're just using your Wi-Fi or Ethernet.
Tailscale/Headscale creates it's own VPN network which will need its own IP space. Same as any other VPN. It's just a setting in the config, and the routing is pretty simplistic and mostly automatic.
Tailscale/Headscale can run anywhere. Doesn't need to be on that Pi, but that Pi will need a Tailscale client to be on the "Tailnet" and communicate with other devices also connected to it.
ProtonVPN clients have their own IP space and network that go elsewhere. That's its own separate thing.
I'm familiar with some parts of networking, but selfhosted VPNs are something I am unfamiliar with, so thank you for helping me out!
I want it to be encrypted during transit, even if it is over the LAN.
This is what I was afraid of, because this means it probably can't run alongside ProtonVPN, since it would fill up the VPN slot on Android, right?
If so, it means we've come full circle. Unless there is a way to use Tailscale alongside ProtonVPN or a way to get Jellyfin clients to trust self-signed certificates, I don't see any other option than buying a domain and exposing the server to the internet. Am I missing something?
No, it can run along anything, as long as you don't conflict the IP space assigned to a VPN. It creates it's own IP network space when running, so just don't overlap with your other VPN software. Using it while at home is a bit wasteful on effort and power, but just use the Jellyfin LetsEncrypt setup and it's the same thing.
You are missing a lot here. I think you're confused on the difference between your LAN security, and how that fits into network connections. You don't need an SSL cert to say that something is secure, that's just one method of PUBLICLY securing something. Every connection on Tailscale is secure end-to-end, so if you run it on your Pi, any client that can connect to it is secured. No open ports, no lapses in security. The encryption happens between each client and the server. You're secure.
Android only allows one active VPN per Profile. So as OP said, running Tailscale and Proton in parallel is not possible.
I tried Tailscale on Android, and it isn't working because it requires the active VPN slot occupied by ProtonVPN.