I am making this post in good faith
In my last post I asked about securely hosting Jellyfin given my specific setup. A lot of people misunderstood my situation, which caused the whole thread to turn into a mess, and I didn't get the help I needed.
I am very new to selfhosting, which means I don't know everything. Instead of telling me that I don't know something, please help me learn and understand. I am here asking for help, even if I am not very good at it, which I apologize for.
With that said, let me re-outline my situation:
I use my ISP's default router, and the router is owned by Amazon. I am not the one managing the router, so I have no control over it. That alone means I have significant reason not to trust my own home network, and it means I employ the use of ProtonVPN to hide my traffic from my ISP and I require the use of encryption even over the LAN for privacy reasons. That is my threat model, so please respect that, even if you don't agree with it. If you don't agree with it, and don't have any help to give, please bring your knowledge elsewhere, as your assistance is not required here. Thank you for being respectful!
Due to financial reasons, I can only use the free tier of ProtonVPN, and I want to avoid costs where I can. That means I can only host on the hardware I have, which is a Raspberry Pi 5, and I want to avoid the cost of buying a domain or using a third party provider.
I want to access Jellyfin from multiple devices, such as my phone, laptop, and computer, which means I'm not going to host Jellyfin on-device. I have to host it on a server, which is, in this case, the Raspberry Pi.
With that, I already have a plan for protecting the server itself, which I outlined in the other post, by installing securecore on it. Securing the server is a different project, and not what I am asking for help for here.
I want help encrypting the Jellyfin traffic in transit. Since I always have ProtonVPN enabled, and Android devices only have one VPN slot enabled, I cannot use something such as Tailscale for encryption. There is some hope in doing some manual ProtonVPN configurations, but I don't know how that would work, so someone may be able to help with that.
All Jellyfin clients I have used (on Linux and Android) do not accept self-signed certificates. You can test this yourself by configuring Jellyfin to only accept HTTPS requests, using a self-signed certificate (without a domain), and trying to access Jellyfin from a client. This is a known limitation. I wouldn't want to use self-signed certificates anyways, since an unknown intruder on the network could perform a MITM attack to decrypt traffic (or the router itself, however unlikely).
Even if I don't trust my network, I can still verify the security and authenticity of the software I use in many, many ways. This is not the topic of this post, but I am mentioning it just in case.
Finally, I want to mention that ProtonVPN in its free tier does not allow LAN connections. The only other VPN providers I would consider are Mullvad VPN or IVPN, both of which are paid. I don't intend to get rid of ProtonVPN, and again that is not the topic of this post.
Please keep things on-topic, and be respectful. Again, I am here to learn, which is why I am asking for help. I don't know everything, so please keep that in mind. What are my options for encrypting Jellyfin traffic in transit, while prioritizing privacy and security?
How about creating your own LAN within the untrusted network?
Something like an inexpensive OpenWRT router would do fine. Connect all your devices and the server to the router. They are now on a trusted network. Set up WireGuard on the OpenWRT router to connect to Proton so that your outbound traffic from all your devices is secured.
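As an added illustration (not from anyone in this thread), this is what the OpenWRT side of that setup looks like in UCI syntax: a WireGuard client interface plus a firewall zone that forwards the private LAN only into the tunnel, so a dropped tunnel rejects traffic instead of leaking it to the upstream router. Keys, the tunnel address, the DNS resolver and the endpoint host/port are placeholders to be replaced with the values from the VPN provider's own WireGuard configuration.

```conf
# /etc/config/network  (added WireGuard client interface)
# Values below are placeholders; take the real ones from the
# provider's WireGuard config file.
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'ROUTER_PRIVATE_KEY_PLACEHOLDER'
	# Tunnel address assigned by the provider (placeholder)
	list addresses '10.2.0.2/32'
	# Resolver reachable inside the tunnel, so DNS does not
	# go out through the ISP router in the clear (placeholder)
	list dns '10.2.0.1'
	option mtu '1420'

config wireguard_wg0
	option description 'vpn-provider'
	option public_key 'PROVIDER_PUBLIC_KEY_PLACEHOLDER'
	option endpoint_host 'vpn.example.invalid'
	option endpoint_port '51820'
	# Route all IPv4 through the tunnel; add '::/0' too if the
	# provider hands out IPv6, otherwise v6 would bypass it.
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

# /etc/config/firewall  (additions)
config zone
	option name 'vpn'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# LAN clients (phone, laptop, the Pi running Jellyfin) may only
# leave through the tunnel ...
config forwarding
	option src 'lan'
	option dest 'vpn'

# ... so delete the stock "src lan / dest wan" forwarding entry
# that OpenWRT ships by default. Without that, traffic would fall
# back to the untrusted WAN whenever the tunnel is down.
```

Devices on the LAN still talk to each other (and to Jellyfin on the Pi) directly through the router without crossing the untrusted network, and only their outbound traffic takes the tunnel.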
I have done this before as well when living in a dorm where the Wi-Fi was shit, so I did my own little setup in my room so I could stream to Chromecast etc. on my own trusted LAN. Get a small router with support for WireGuard VPN (I love MikroTik for this) and you have an easy way to tunnel out for all your devices.
Hey, this is off-topic from the original post, but could you tell me what device specifically you have used?
I am going to be moving into a dorm soon and was looking to set up my own VLAN or whatever you need for a private network, because I don't want to mess with the dorm router. I had a look at a MikroTik switch (CRS310) but was unsure whether the fan noise would be too loud if I am staying in the same room and, more importantly, whether this even allows me to do what I want to do.
Edit: I misused the word dorm. It is a shared apartment rented with a couple of other students.
It can be a good idea to mentally separate your router needs from your 2.5G speed and Wi-Fi needs; they don't have to live on the same device. For your private LAN you need a router so you can hide and control your devices behind NAT and a firewall. For that I'd just recommend one of the small hAP or hAX devices that suits your needs for routing and/or Wi-Fi. If you want to be fancy, the RB9005U could maybe work for your switching needs as well.
You don't need a VLAN. I believe it is not what you think it is. A VLAN is for when you want to segregate your own LAN into different independent LANs with various firewall rules.
All you need for your dorm is NAT. But for the love of god, make sure that you don't connect your LAN with the dorm LAN, or your DHCP server will start handing out IPs to everyone else in your dorm and it will crash the dorm router. The ethernet jack in the wall of your dorm (I assume that's how it works for you) needs to go to the WAN port of the router. But bear in mind that on MikroTik you can configure the WAN port to be any physical port you want, but with the default config it is port 1.
I may have misused the word dorm. It is a shared apartment rented with a couple of other students.
My goal is basically to set up a private network inside the network used by the other people I share the apartment with so I can tinker with stuff like setting my own DNS server up for the network without possibly impacting the other people in case of failure. My naive impression was that I would need to use a VLAN to accomplish that.
With regard to your idea of using multiple devices, I kind of agree, but I want to keep the initial cost and energy usage low for now, which is why I am trying to find a device I can use for this but also reuse in the future for something else if I want to upgrade (or just retire it without too much sunk cost).
I think we are getting too off-topic here, so maybe make a separate post in here asking how to tinker with selfhosting, DNS, tinkering, etc., and you can have multiple people's input.
Yeah, you are right. That's probably a good idea.