this post was submitted on 09 Apr 2025
48 points (78.6% liked)

Selfhosted

52504 readers
975 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Please take this discussion to this post: https://lemmy.ml/post/28376589

Main contentSelfhosting is always a dilemma in terms of security for a lot of reasons. Nevertheless, I have one simple goal: selfhost a Jellyfin instance in the most secure way possible. I don't plan to access it anywhere but home.

TL;DR

I want the highest degree of security possible, but my hard limits are:

  • No custom DNS
  • Always-on VPN
  • No self-signed certificates (unless there is no risk of MITM)
  • No external server

Full explanation

I want to be able to access it from multiple devices, so it can't be a local-only instance.

I have a Raspberry Pi 5 that I want to host it on. That means I will not be hosting it on an external server, and I will only be able to run something light like securecore rather than something heavy like Qubes OS. Eventually I would like to use GrapheneOS to host it, once Android's virtual machine management app becomes more stable.

It's still crazy to me that 2TB microSDXC cards are a real thing.

I would like to avoid subscription costs such as the cost of buying a domain or the cost of paying for a VPN, however I prioritize security over cost. It is truly annoying that Jellyfin clients seldom support self-signed certificates, meaning the only way to get proper E2EE is by buying a domain and using a certificate authority. I wouldn't want to use a self-signed certificate anyways, due to the risk of MITM attacks. I am a penetration tester, so I have tested attacks by injecting malicious certificates before. It is possible to add self-signed certificates as trusted certificates for each system, but I haven't been able to get that to work since it seems clients don't trust them anyways.

Buying a domain also runs many privacy risks, since it's difficult to buy domains without handing over personal information. I do not want to change my DNS, since that risks browser fingerprinting if it differs from the VPN provider. I always use a VPN (currently ProtonVPN) for my devices.

If I pay for ProtonVPN (or other providers) it is possible to allow LAN connections, which would help significantly, but the issue of self-signed certificates still lingers.

With that said, it seems my options are very limited.

top 50 comments
sorted by: hot top controversial new old
[–] smiletolerantly@awful.systems 47 points 6 months ago* (last edited 6 months ago) (2 children)

Hi. I am a software engineer with a background in IT security. My girlfriend is a literal network security engineer.

I showed her this thread and she said: don't bother, just use http on your local network.

Anyways, I am going to disengage from this thread now. Skepticism against things one doesn't fully understand can be healthy, but this is an insane mix of paranoia and naïveté.

You are not a target; the things you are afraid of will never happen; and if they did, they would not have the consequences you think they would.

Your router will NOT magically expose your traffic to the internet (what would that even mean?? Like, if it spontaneously started port forwarding to your Jellyfin server (how? By just randomly guessing the port and IP???), someone would still need to actively request that traffic, AND know your login credentials, AND CARE).

Your ISP does not give a shit about you owning or streaming copyrighted material over your local network. It has no stake in that.

Graphene is not an ultimate arbiter of IT security, but the reason it "distrusts networks" is because you take your phone with you, constantly moving into actual untrusted networks (i.e. ones you do not own).

Hosting Jellyfin on Graphene will not make it more secure, whatsoever.

If every device is assumed compromised, and compromising devices with knowledge that you watch media is a threat in your model, then even putting an SD card with media in your phone and clicking play is dangerous. Which is stupid.

If you actually assume your router is malicious, then please assume that when you initially downloaded your VPN client, it was also compromised and your VPN is not trustworthy.

The way I see it, you have two options:

  1. educate yourself on network security to the point of being able to trust your network setup; or
  2. forget about hosting anything
[–] Charger8232@lemmy.ml 2 points 6 months ago (1 children)

I'm interested in you and your girlfriend's thoughts on my new post about this issue.

P.S. She's a keeper. Marry her already!

[–] smiletolerantly@awful.systems 8 points 6 months ago

Hi again. Sorry for being so rude yesterday. Your new post actually clears the situation up a lot.

We might have an idea for you, will comment on the new post.

load more comments (1 replies)
[–] DesolateMood@lemm.ee 37 points 6 months ago (16 children)

I don't plan to access it anywhere but home

Okay so what's all this faffing about for? Just don't open it up to the internet and access it with your servers local ip address on your home network

load more comments (16 replies)
[–] catloaf@lemm.ee 18 points 6 months ago (23 children)

Just run it on the LAN and don't expose it to the Internet. That's 99% of the way there. HTTPS only secures the connection, and I doubt you're sending any sensitive info to or from Jellyfin (but you can still run it in docker and use caddy or something with Let's Encrypt).

The bigger target is making sure jellyfin itself and the host it runs on are updated and protected. You could use a WAF too.

load more comments (23 replies)
[–] HybridSarcasm@lemmy.world 17 points 6 months ago* (last edited 6 months ago) (4 children)

I applaud your accomplishment as a penetration tester. I am disappointed at your lack of understanding regarding non-public networking.

Move your VPN to your router. Don’t bother with HTTPS on anything not exposed to the Internet.

If that does not satisfy your concerns, you may want to give up using electronic devices.

[–] Lem453@lemmy.ca 3 points 6 months ago

No reason not to have both. Things like vaultwarden do warrant an extra layer so setup wildcard domain for internal services x.local.example.com and then normal certs for external stuff like y.example.com.

To get internal stuff you then need your vpn as well to access it. You can now easily choose what risk you want on a per app basis.

Technotim has a good video on this

load more comments (3 replies)
[–] korn@feddit.org 13 points 6 months ago (3 children)

Your post is very confusing. You want to use it only locally (on your home), but it can't be a local-only instance.

You want to e2ee everything, but fail to mention why. There is no reason to do that on your own network.

I do not know why you want to use a VPN and what you want to do with it. Where do you want to connect to?

What is the attack vector you're worried about? Are there malicious entities on your network?

load more comments (3 replies)
[–] just_another_person@lemmy.world 10 points 6 months ago (13 children)

Run in at home and get Tailscale setup with a Headscale server, or just use Tailscale straight out of you want. That's the simplest.

A better option would be getting an OpenWRT router and start building proper infrastructure for doing something like this. You'll have many different options for decentralized and NAT traversing VPNs with this option. GL.Inet Flint is a great choice.

load more comments (13 replies)
[–] Azzu@lemm.ee 8 points 6 months ago* (last edited 6 months ago)

This is one of the funniest posts I've seen here so far. Thanks for that! I unfortunately don't otherwise have anything to add that hasn't already been said, just wanted you to know that I enjoyed it a lot :)

[–] litchralee@sh.itjust.works 5 points 6 months ago* (last edited 6 months ago) (1 children)

After reviewing the entire thread, I have to say that this is quite an interesting question. In a departure from most other people's threat models, your LAN is not considered trusted. In addition, you're seeking a solution that minimizes subscription costs, yet you already have a VPN provider, one which has a -- IMO, illogical -- paid tier to allow LAN access. In my book, paying more money for a basic feature is akin to hostage-taking. But I digress.

The hard requirement to avoid self-signed certificates is understandable, although I would be of the opinion that Jellyfin clients that use pinned root certificates are faulty, if they do not have an option to manage those pinned certificates to add a new one. Such certificate pinning only makes sense when the client knows that it would only connect to a known, finite list of domains, and thus is out-of-place for Jellyfin, as it might have to connect to new servers in future. For the most part, the OS root certificates can generally be relied upon, unless even the OS is not trusted.

A domain name is highly advised, even for internal use, as you can always issue subdomains for different logical network groupings. Or maybe even ask a friend for a subdomain delegation off of their domain. As you've found, without a domain, TLS certificates can't be issued and that closes off the easy way to enable HTTPS for use on your untrusted LAN.

But supposing you absolutely do not want to tack on additional costs, then the only solution I see that remains is to set up a private VPN network, one which only connects your trusted devices. This would be secure when on your untrusted LAN, but would be unavailable when away from home. So when you're out and about, you might still need a commercial VPN provider. What I wouldn't recommend is to nest your private VPN inside of the commercial VPN; the performance is likely abysmal.

[–] Trainguyrom@reddthat.com 5 points 6 months ago (1 children)

But supposing you absolutely do not want to tack on additional costs, then the only solution I see that remains is to set up a private VPN network, one which only connects your trusted devices. This would be secure when on your I trusted LAN, but would be unavailable when awat from home.

Traditionally this would be performed by creating a dedicated network of trusted devices. Most commonly via a VLAN for ease of configuration. Set the switch ports that the trusted devices are connected to to use that vlan and badabing badaboom you're there. For external access using Tailscale or one of the many similar services/solutions (such as headscale, netbird, etc.) with either the client on every device or using subnet routing features to access your trusted network, and of course configure firewalls as desired

[–] litchralee@sh.itjust.works 3 points 6 months ago* (last edited 6 months ago) (3 children)

I had a small typo where "untrusted" was written as "I trusted". That said, I think we're suggesting different strategies to address OP's quandary, and either (or both!) would be valid.

My suggestion was for encrypted L3 tunneling between end-devices which are trusted, so that even an untrustworthy L2 network would present no issue. With technologies like WireGuard, this isn't too hard to do for mobile phone clients, and it's well supported for Linux clients.

If I understand your suggestion, it is to improve the LAN so that it can be trusted, by way of segmentation into VLANs which separate the trusted devices from the rest. The problem I see with this is that per-port VLANs alone do not address the possibility of physical wire-tapping, which I presumed was why OP does not trust their own LAN. Perhaps they're running cable through a space shared with other tenants, or something like that. VLANs help, but MACsec encryption on the wire paired with 802.1x device certificate for authentication is the gold standard for L2 security.

But seeing as that's primarily the domain of enterprise switches, the L3 solution in software using WireGuard or other tunneling technologies seems more reasonable. That said, the principle of Defense In Depth means both should be considered.

load more comments (3 replies)
[–] fenndev@leminal.space 4 points 6 months ago (2 children)

Hang on.

Would it not be better to run a VPN server on your router to force all WAN-bound traffic through the VPN? This way, you could still access your local devices.

load more comments (2 replies)
[–] lefixxx@lemmy.world 4 points 6 months ago (3 children)

If you are willing to swap to mullvad then you can also install tailscale. You can then choose to connect to your jellyfin server (over LAN) or (over tailscale-wireguard tunnel over LAN) while the rest of the traffic flows through mullvad.

load more comments (3 replies)
[–] jacksilver@lemmy.world 4 points 6 months ago* (last edited 6 months ago) (1 children)

I think the easiest way would be to have two vlans on your local network. One that is connected to the internet and another that is local only. I think you'd have to switch networks when wanting to access the jellyfin server in that instance, but would negate the main issue, which is your VPN.

Edit: that's about the most secure you can get I think. If you bought a different physical router to host it, you'd have about as secure a setup as possible.

load more comments (1 replies)
[–] Chocrates@lemmy.world 3 points 6 months ago (1 children)

Fwiw jellyfin apps don't even allow you to use a self signed cert.

load more comments (1 replies)
[–] LainTrain@lemmy.dbzer0.com 2 points 6 months ago* (last edited 6 months ago)

If you're running externally, use a cloudflare tunnel.

No ports exposed = no attack surface. This is 99% of security.

HTTPS is provided by CF although only secures comms between your devices to CF, not CF to your Pi, meaning CF can see clear text technically.

If that's not good enough then use a VPN server like PiVPN and put it on your pi and OpenVPN on your devices. *This has nothing to do with paid VPN Client subscriptions like Tunnelbear or Proton or whatever. *

You will be running a VPN server on your pi to which you will connect from your devices on which you want to watch JF by downloading a device profile to your devices and opening it in the OpenVPN app.

You do not need to pay for anything at all anywhere ever (other than something for DDNS and a domain name), use a strong password and make sure your JF is updated if there's any CVE. Expose nothing else to the internet.

You don't even need HTTPS at that point or any certs, a VPN will encrypt your traffic anyway. The only cleartext you'll have is between your VPN and your JF, and if both are on the pi then the only MITM vector is literally inside your Pi which is unlikely to have any issues.

[–] helios@social.ggbox.fr 2 points 6 months ago (1 children)

You're overthinking. Just host it on any server with a domain name and use let's encrypt certs if you want to access it from anywhere. TLS offers good encryption, I don't get how you need a VPN on top of that.

For local access only, I'd just host it on a machine over the lan, self-signed certs for TLS, hell I would even settle with http in this case. As for your VPN app preventing you to access a local resource on your lan, if true, you should get rid of that nonsense.

load more comments (1 replies)
load more comments
view more: next ›