Jellyfin Forum
Jellyfin and VPN - Printable Version




Jellyfin and VPN - Glowing9011 - 2023-09-20

Hello, first of all English is not my main language, so I'm sorry if I say something weird.

I'm kinda new to this self-hosting stuff. I managed to use my Jellyfin server remotely with Tailscale. I pay for Proton VPN and use it on all my devices (the server and clients) with the "always on VPN" and killswitch enabled. My server is on my Windows laptop, on which I also have qBittorrent to "supply" the server remotely with the webUI. The problem is that I can't use the webUI nor access the server without Tailscale, and I can't use Tailscale over VPN. Is there a way I can access the webUI and the server remotely without turning my VPN off?

Thanks in advance!


RE: Jellyfin and VPN - bitmap - 2023-09-20

Yes. But it's only worth pursuing if you host your services in Docker. You can ignore this advice and read further, but you will not like what you read.

It's likely not worth going down the rabbit hole -- as English isn't your first language, I will rephrase my euphemism. The solution is a LOT of work, requires a LOT of configuration, you will break a LOT of things, and you MIGHT be able to fix them and get it working. The option you're looking for is called split tunneling (you split your VPN tunnel into n+1 lanes of traffic). Essentially wherever you have your VPN configured, you have to figure out how to set it up so that you can split off all the traffic from your Jellyfin server and tunnel it outside of the VPN.

Most routers don't support this by default. You would likely need to flash your router with custom firmware and even the standard custom firmware may not support it. Some router models may not even support the packages necessary to enable split tunneling. From there, you have to figure out how to design your tunneling mechanics.

Are you hosting everything on one machine? Do you have more than just Jellyfin traffic coming from that machine? If so, you have to look at how to identify which traffic belongs to Jellyfin and which belongs to other sources. There's a way to tag your traffic from different sources so that you can use these "tags" as a way to identify what traffic goes into which tunnel (this is where my brain started leaking out of my ears).

Okay, if you're still reading, you want to know how easy it is if you use Docker? You create a VPN container and you tell every other container to use that container as their network except Jellyfin. I'm leaving out the whole "learning Docker" part, but I guess that felt easier than "learning split tunneling". Seriously, it's a nightmare.
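
[Added example, not part of bitmap's post or any Jellyfin project file: a Docker Compose sketch of the layout described above, where the torrent client shares a VPN container's network and Jellyfin stays outside it. The choice of gluetun as the VPN container, the image names, host paths, port numbers and the WIREGUARD_PRIVATE_KEY variable are all assumptions, as is a Docker host that exposes /dev/net/tun.]

```yaml
# Added example. Images, paths and ports are assumptions, not from the thread.
services:
  vpn:
    image: qmcgaw/gluetun                  # assumed VPN client container
    cap_add:
      - NET_ADMIN                          # required to create the tunnel interface
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      - VPN_SERVICE_PROVIDER=protonvpn
      - VPN_TYPE=wireguard
      # Supplied from an .env file next to this compose file, never committed.
      - WIREGUARD_PRIVATE_KEY=${WIREGUARD_PRIVATE_KEY}
    ports:
      # qbittorrent has no network stack of its own, so its WebUI port is
      # published on the VPN container. Reach it over the LAN or the private
      # VPN back into the home network; do not forward it on the router.
      - "8080:8080"
    restart: unless-stopped

  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent
    network_mode: "service:vpn"            # use the VPN container as its network
    depends_on:
      - vpn
    environment:
      - WEBUI_PORT=8080
    volumes:
      - ./qbittorrent/config:/config
      - ./media/downloads:/downloads
    restart: unless-stopped

  jellyfin:
    image: jellyfin/jellyfin
    # No network_mode here: Jellyfin sits on the default bridge network,
    # so its traffic does not pass through the VPN container.
    ports:
      - "8096:8096"
    volumes:
      - ./jellyfin/config:/config
      - ./media:/media:ro                  # library is read-only to Jellyfin
    restart: unless-stopped
```

[Because qbittorrent shares the vpn service's network namespace, it has no network path of its own when that container is stopped.]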


RE: Jellyfin and VPN - Glowing9011 - 2023-09-21

(2023-09-20, 11:47 PM) bitmap wrote: Yes. But it's only worth pursuing if you host your services in Docker. You can ignore this advice and read further, but you will not like what you read.

It's likely not worth going down the rabbit hole -- as English isn't your first language, I will rephrase my euphemism. The solution is a LOT of work, requires a LOT of configuration, you will break a LOT of things, and you MIGHT be able to fix them and get it working. The option you're looking for is called split tunneling (you split your VPN tunnel into n+1 lanes of traffic). Essentially wherever you have your VPN configured, you have to figure out how to set it up so that you can split off all the traffic from your Jellyfin server and tunnel it outside of the VPN.

Most routers don't support this by default. You would likely need to flash your router with custom firmware and even the standard custom firmware may not support it. Some router models may not even support the packages necessary to enable split tunneling. From there, you have to figure out how to design your tunneling mechanics.

Are you hosting everything on one machine? Do you have more than just Jellyfin traffic coming from that machine? If so, you have to look at how to identify which traffic belongs to Jellyfin and which belongs to other sources. There's a way to tag your traffic from different sources so that you can use these "tags" as a way to identify what traffic goes into which tunnel (this is where my brain started leaking out of my ears).

Okay, if you're still reading, you want to know how easy it is if you use Docker? You create a VPN container and you tell every other container to use that container as their network except Jellyfin. I'm leaving out the whole "learning Docker" part, but I guess that felt easier than "learning split tunneling". Seriously, it's a nightmare.

I might as well explain my situation. I have an Acer Predator laptop with an i7-7700 and a GTX 1060 which I intend to use as the server. I run Windows and use Proton VPN only on my devices and not on my router. Proton VPN has a split tunneling config, but idk if it's the same as what you are saying. I know something about Docker (I once self-hosted a ChatGPT custom UI) but that's as far as I get.
I was thinking about split tunneling in a way that qBittorrent is VPN-only and Jellyfin is out of the VPN entirely, and then port forward the server and qBittorrent webUI, but the places I asked tell me that I'm going to get a Russian hacker in my network if I do that.


RE: Jellyfin and VPN - bitmap - 2023-09-21

Split tunnel the VPN, don't port forward either service. Set up Tailscale (easy but extremely limited) or another WireGuard implementation (slightly harder, but provides secure access to your entire internal network) as a VPN back into your home network and forward only that port. You can also use a non-standard port to reduce chances of it being found passively.

With a setup like that, they would essentially need to have the port, config, and a secret to get in. I believe that's the most secure way to accomplish what you want and it sounds like you could accomplish it with what you know.


RE: Jellyfin and VPN - Glowing9011 - 2023-09-22

(2023-09-21, 08:32 PM) bitmap wrote: Split tunnel the VPN, don't port forward either service. Set up Tailscale (easy but extremely limited) or another WireGuard implementation (slightly harder, but provides secure access to your entire internal network) as a VPN back into your home network and forward only that port. You can also use a non-standard port to reduce chances of it being found passively.

With a setup like that, they would essentially need to have the port, config, and a secret to get in. I believe that's the most secure way to accomplish what you want and it sounds like you could accomplish it with what you know.

Thanks man! I'll try just that.