this post was submitted on 23 May 2026
206 points (97.2% liked)

Selfhosted

60664 readers
541 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

  1. Be civil.

  2. No spam.

  3. Posts are to be related to self-hosting.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details. Tags [CBH] or [AIP] are required, see the links in Rule 8 for details.

  8. AI-related discussions and AI-involved promotional posts have additional requirements for tagging, as noted in Rule 7 and the AI & Promotional Post Expanded Rules post, and find example disclosures here.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
 

Assuming the user will not be connecting over vpn, but is both remote and non-technical, how would you expose Jellyfin to them securely?

(page 3) 50 comments
sorted by: hot top controversial new old
[–] sturmblast@lemmy.world 2 points 1 month ago (1 children)
load more comments (1 replies)
[–] njordomir@lemmy.world 2 points 1 month ago* (last edited 1 month ago)

I toyed with the idea of exposing ports and decided against it. I don't understand networking well enough yet. For me specifically, VPN access has been perfectly workable in the US with both speed and ease of access.

Can you use fail2ban on Jellyfin? That might be a wise step.

[–] Nomecks@lemmy.ca 2 points 1 month ago

How much access do you have to their system? I would set up a script on their end to poll https://ipv4.icanhazip.com/ and send you their IP. I would then trigger a firewall rule change on your end to that information. This keeps the access to only their IP, with maybe a few minutes between polls where it might be different.

[–] androidul@lemmy.world 2 points 1 month ago (6 children)

afaik but I’m not sure, Jellyfin lacks support for OIDC AuthN which is a clear sign that you cannot expose this publicly.

load more comments (6 replies)
[–] Konraddo@lemmy.world 2 points 1 month ago* (last edited 1 month ago)

Ask them to use the Jellyfin web, and you expose it to the public via Netbird / Pangolin locked behind SSO

[–] brickfrog@lemmy.dbzer0.com 1 points 1 month ago* (last edited 1 month ago) (1 children)

Adding onto the other comments, if you have admin access to your network router/firewall you can configure the incoming port forward itself to only allow specific IP addresses while dropping traffic from any other internet WAN IPs. It's a bit like using the Jellyfin whitelist/blacklist but doing it at the network level. This drops all unwanted internet traffic to that port at the firewall before ever reaching the Jellyfin software. Downside is having to occasionally update the firewall whenever there are IP address changes.

This is probably only feasible if you only have some specific Jellyfin clients in mind to accept connections from, not any random person from any random WAN IP address.

load more comments (1 replies)
[–] BartyDeCanter@piefed.social 1 points 1 month ago (1 children)

Does Tailscale count as a VPN for you? It’s how I roll. Well, I run my own headscale server, but the free Tailscale tier is going to be fine for any reasonably sized personal project.

[–] FreedomAdvocate@lemmy.net.au 1 points 1 month ago

Tailscale is a vpn for all that matters.

load more comments
view more: ‹ prev next ›