Jellyfin Forum
Remote access - Printable Version



Remote access - carlospj - 2025-03-31

Hello all,

Before I explain my doubts, I wanted to explain a bit how my server is set up, what I want to achieve and what I have been trying to access Jellyfin remotely, in case it could be of any help for your answer.

First of all, so far I have been using Jellyfin to watch movies and tv shows from my local network. However, now I wanted to use Jellyfin as my server for my music collection, and for that I would like to be able to access Jellyfin from the outside so I can listen to it when I'm not at home (probably with Symfonium).

I have on an old Elitedesk set up my server with TrueNas Scale. On it I have Dockge installed and inside Dockge I have all my services up, including Jellyfin. In TrueNas I have set a static IP for its local IP, that way it doesn't change the IP every so often.

Well, having explained this, I have been doing a lot of research on how to remotely access Jellyfin. I have to say that I am a complete novice in networking matters, but I am learning a lot.

The first thing I tried was Tailscale. Easy installation and configuration, I don't need to open any ports. I installed Tailscale directly from TrueNas Apps, so I don't have a stack running in Dockge for Tailscale. That gives me access to the TrueNas GUI, but not really to my services, so what I did was to use Subnet routers.

This is where I had my first doubt:
1. is using Subnet routers the best way to access Jellyfin with Tailscale, taking into account my setup? Could it be possible and even desirable, to raise Tailscale with Dockge, specifically in the same docker compose as Jellyfin, and have them connected?

Anyhow, everything seemed to work fine: I had access from the outside to my music collection with Symfonium using Tailscale.
However, I ran into a problem, and that is that at least the first few days, I found that quite often, I had connection problems and did not have a really smooth and uninterrupted playback. Quite the opposite. There were days when I could even listen to more than two songs in a row.
I noticed that once I left my local network, I lost the Direct Connection to Tailscale on my mobile, which I understand may be the reason why I was having so many connection problems.
I don't really know why this is happening to me (I don't know if it has something to do with the fact that I use GrapheneOS on my mobile), but it made me rethink the use of Tailscale, at least for accessing multimedia files.
Also, I always have ProtonVPN connected on all my devices, and to connect to Tailscale on my mobile, I have to disconnect Proton, as only one VPN can be used.

Faced with this, I started to investigate alternatives, basically a reverse proxy solution. After watching several tutorials and reading several websites, I took the plunge.

I set up Nginx (NPM) in Dockge and opened an account in Cloudflare, where I bought a domain (something I had always wanted to do).
For all the configuration with the domain I wanted to use a wildcard certificate, so I created an SSL certificate in NPM (*.domain.com and also domain.com), using DNS Challenge to link it to my Cloudflare account with a token I created.

Then I created a Proxy Host for Jellyfin. I configured it following the instructions in Jellyfin's documentation for NPM.
In Cloudflare, under DNS/Records I registered a DNS for the Wildcard domain, like this.

   

This saves me from having to register DNS for each subdomain I want to use.
For the encryption mode I have it set to Full and in Always use HTTPS.
   
   

With this configuration I got a brand new URL with my domain, with certificates and I can access Jellyfin from my local network with this URL and https.
The final step was to open it to the internet and this is the part that, apart from scaring me the most, I completely failed.
As I have done for other things, I looked into the matter and tried it.
Basically, I opened ports 80 and 443 on my router pointing to the IP of my TrueNas server, but I'm sure I have something configured wrong. Either I have not done the port forwarding correctly, or I have something configured in NPM or Cloudflare that is not correct (or both).
Since it wasn't working for me, I closed the ports again. I'm not gonna open them again until I know what's wrong and what I'm doing is safe.

As I have understood, once the reverse proxy is done and once you have the certificates, to access from outside your local network you have to open ports 80 and 443 in your router pointing to the IP where NPM is listening on ports 80 and 443. The thing is that everywhere I was reading information about this, I seemed to understand that you also had to specify the port of NPM (ie Local_IP:81) but I at least do not see an option in my router for it.
I'll leave you with a screenshot of the port forwarding options on my router and what I've put in each, to see if I've done something wrong (assuming the explanation of how to do things from before is correct).
   
The example is with 443, but it's the same for the 80 one.

External Start Port: 443
External End Port: 443
Server IP Address: the local IP for my TrueNas server, which is the same as my NPM but in port 81.
Protocol: TCP+UDP
Open Start Port: 443
Open End Port: 443

So, my second question is:
2. Is there something I'm missing here? Is this wrong?

Another thing that may be wrong is the IP in Cloudflare's DNS/Records tab.
If you remember, in it I put the Local IP.
   

However, I don't know which IP I have to put here. In the tutorials that I have followed, I am understanding that to open it to the internet, I would have to put my Public IP.
The issue is that if I do this (along with Port Forwarding), not only do I still not have remote access, but I lose access to Jellyfin from my local network with the URL.

So my third question is:
3. is this configuration related to remote access, could this be where the bug is, what do I need to put here?

At this point, I don't know what else to do. I need to resolve these doubts and I just don't dare to do anything else alone.

However, I have other doubts.
4- Should I adopt another method other than reverse proxy and port forwarding? Or by configuring it well and with your help, am I on the right track?
5- Should I have a VPN service set up on my server? I would like to expose other services, including TrueNas GUI, but I have read on some sites that for this it is better to access through a VPN. If I did that, would it be better than doing a reverse proxy, or could it be complementary? Or if I do manage to set up a reverse proxy, would setting up the VPN be a fool's errand?
6- However, to use the TrueNas GUI, I could access with Tailscale. However, I would like it to have certificates and the URL, as I have done with Jellyfin. If I want to do this, wouldn't it be silly to use Tailscale, considering that having the reverse proxy and being exposed to the internet, I would already have remote access?

I hope you can help me with this. Thanks in advance!


RE: Remote access - TheDreadPirate - 2025-03-31

Regarding #2, the IP you put in cloudflare is your PUBLIC IP, which you can find with sites like https://whatismyipaddress.com/ or just by finding your WAN IP in your router's settings.

For the port forwarding, you would use the LAN IP for the host running NPM. FYI, port 81 is the NPM management port and does NOT need to be forwarded. Only ports 80 and 443.

IMO, using a reverse proxy is much preferred over a VPN. Some clients cannot run a VPN app (Roku and some Android TV devices). The danger of opening ports 80 and 443 is extremely overinflated.


RE: Remote access - pxr5 - 2025-03-31

I just read all this and it sounds so complicated what you've gone through. I realise you've gone down the Nginx route but for a super easy Reverse Proxy - you might want to try Caddy v2. I'm no network expert at all but had it running really quickly and it works very well:

https://forum.jellyfin.org/t-access-your-jellyfin-anywhere-with-caddy

https://forum.jellyfin.org/t-how-to-reverse-proxy-jellyfin-with-caddy-on-docker-beginner-friendly


RE: Remote access - carlospj - 2025-04-01

Hello again,

First of all, thanks for your quick answers guys!
(2025-03-31, 03:54 PM)TheDreadPirate Wrote: Regarding #2, the IP you put in cloudflare is your PUBLIC IP, which you can find with sites like https://whatismyipaddress.com/ or just by finding your WAN IP in your router's settings.

About this, when I tried to put my Public IP under DNS/Records in Cloudflare, it stops working and I lose the local connection to Jellyfin with the URL (I do get a message in the browser that I do not know very well what it means, which translating it from Spanish to English says something like this: this page is loaded from another page).
At first I thought it could be because of Proton (for example, when I clicked on the link you gave me, what appeared, logically, was the IP that Proton gives me, and not my Public IP), but it doesn't seem to be the case.
In the WAN options in my router, there are two IPs, one that I think is my Public IP, which says Internet, and that is the one that shows me the web page that you passed or the one that Proton shows me when it is not connected, and another one that I imagine will be the router's one, right?
So, if in the Cloudflare registry I put the Local IP of my server, everything works perfectly (locally), but if I put the Public IP, sometimes it works for a few minutes but then stops working and does not work again until I change it to the Local IP.
Why does this happen? Am I doing something wrong?

I was looking at the docker-compose I have for Jellyfin and I have this parameter in environment: JELLYFIN_PublishedServerUrl. Yesterday I noticed that an old Local IP of the server was set, and I thought it could be because of this. I set the current one, but I haven't seen any change.
Could it be that this parameter is interfering and I need to change it to something else?

On another note, I am not sure if my Public IP is dynamic. Since I always have Proton connected, I don't notice if it changes.
Should I look into this?

(2025-03-31, 03:54 PM)TheDreadPirate Wrote: For the port forwarding, you would use the LAN IP for the host running NPM. FYI, port 81 is the NPM management port and does NOT need to be forwarded. Only ports 80 and 443.

So, to rule things out, if I understood this correctly, I did the port forwarding properly, right?

For port 443 I put this:

External Start Port: 443
External End Port: 443
Server IP Address: the local IP for my TrueNas server
Open Start Port: 443
Open End Port: 443

(2025-03-31, 03:54 PM)TheDreadPirate Wrote: IMO, using a reverse proxy is much preferred over a VPN. Some clients cannot run a VPN app (Roku and some Android TV devices). The danger of opening ports 80 and 443 is extremely overinflated.

Ok. And what do you think using both, a VPN and reverse proxy? Is it overkill?
What other security measures can I implement?

(2025-03-31, 06:55 PM)pxr5 Wrote: I just read all this and it sounds so complicated what you've gone through. I realise you've gone down the Nginx route but for a super easy Reverse Proxy - you might want to try Caddy v2. I'm no network expert at all but had it running really quickly and it works very well:

https://forum.jellyfin.org/t-access-your-jellyfin-anywhere-with-caddy

https://forum.jellyfin.org/t-how-to-reverse-proxy-jellyfin-with-caddy-on-docker-beginner-friendly
Yes, I considered Caddy during certain times, but honestly, since I started researching these things, I had always seen info about NPM, so when I learned about Caddy I was already familiar with NPM and decided to go ahead.

Anyway, thanks for the suggestions. If I see that I don't get off the hook, I'll think about switching to Caddy.


RE: Remote access - TheDreadPirate - 2025-04-01

Putting your LAN IP in Cloudflare will break access when not at home. Since those are private, non-routable, IPs.

What you should do is put back your public IP in Cloudflare. Then in your router you can do one of two things. You can enable NAT loopback/hairpin or you can create custom DNS entries. NAT hairpin/loopback tells your router to intelligently keep traffic local. If it queries your domain name and sees that the IP address is itself, it will keep local traffic local.

The custom DNS entries would tell your local clients to use your LAN IP for your domain. But when your device disconnects, like your phone, the DNS results for your domain will now be your public IP.

I personally prefer custom DNS entries since it will continue to work properly when there is an Internet outage.


RE: Remote access - carlospj - 2025-04-01

(2025-04-01, 01:35 PM)TheDreadPirate Wrote: What you should do is put back your public IP in Cloudflare. Then in your router you can do one of two things. You can enable NAT loopback/hairpin or you can create custom DNS entries.

Hello again,

I'm a bit lost here right now. To begin with, apparently, in the NAT options I already had the NAT Loopback option checked. So, if I understood you correctly, when I put the Local IP in Cloudflare, with this option checked, it should've worked, right? But when I do this combo, I have no access on my Local Network nor outside my network.
Maybe a malfunction of the router? Or am I doing something wrong here?
   

I would opt for the custom DNS entries option, as you suggested (and considering that the previous option doesn't seem to work, it seems to be my only option), but I must admit, I don't know how to do it. I don't know if there is an options panel in my router to do it, I have searched in several sections but honestly, I don't even know what I am looking for. And even if I did know this, I don't even know what I should add. Basically, I don't know what to do or how to do it.


RE: Remote access - TheDreadPirate - 2025-04-01

With your local IP in Cloudflare, remote access will definitely never work.

With your PUBLIC address in Cloudflare, NAT loopback will cause requests to your domain to route to your server LAN IP. For NAT loopback to work you need port forwarding properly set up as well. That is assuming your router behaves the same as mine.

Can you share screenshots of your port forwarding config?

But, as I stated, custom DNS entries are the way to go. If that is even an option. On all the routers I've used, in the DNS config section of the router there was a "edit hosts" button or table where I could add DNS entries to.


RE: Remote access - carlospj - 2025-04-02

(2025-04-01, 10:24 PM)TheDreadPirate Wrote: With your local IP in Cloudflare, remote access will definitely never work.

Yeah, sorry, I meant to say PUBLIC IP instead of LOCAL. My mistake.
So, to recap, having the Public IP and NAT Loopback, what I need is proper port forwarding. What I meant to say earlier was that I had at some point the Public IP in Cloudflare, the NAT Loopback and the ports open, but I didn't have local or remote connection. So I probably screwed up the port configuration.

To add more information before moving on to the port forwarding configuration, in the WAN section there is a table called GPON Connection Table. In it you can see an entry that is Internet with its IP (my Public IP) and another entry that says Voip_ip_interface, which I think is the router, with another different IP.
If I edit the Internet entry, I have seen these NAT options:
   
Is this correct?

(2025-04-01, 10:24 PM)TheDreadPirate Wrote: Can you share screenshots of your port forwarding config?

   
In that screenshot they are not active.

One column's missing in the above screenshot:
   
In this column, in both rows, the server's Local IP is set.

When you add new rules, there is another option that doesn't show up in the above table, which is Protocol. In that option I set TCP/UDP in both.

That is my full port forwarding configuration. Do you see something off?

(2025-04-01, 10:24 PM)TheDreadPirate Wrote: But, as I stated, custom DNS entries are the way to go.  If that is even an option.  On all the routers I've used, in the DNS config section of the router there was a "edit hosts" button or table where I could add DNS entries to.

I have gone into all the router options and the only one that says something unique to DNS and that you can add entries is this option:
   
Is this what you mean? If so, what exactly do I have to put in each column?

I can show you other section's options, in case I'm missing something by the name.
NAT Options:
   

LAN Options:
   

Hope all this could help!


RE: Remote access - TheDreadPirate - 2025-04-02

SUA is the correct mode for NAT.

From the info you provided, your port forwarding and Cloudflare setup are correct. The only thing that would prevent it from working is if your ISP uses CGNAT (carrier grade NAT). Similar to how consumer level NAT works, 1 public IP for multiple devices, some ISPs do the same at the ISP level. CGNAT pretty much makes it impossible to host a service since your IP changes pretty frequently and the carrier blocks unsolicited incoming requests like your router would if you don't set up port forwarding.

If you go to https://whatismyipaddress.com/ again and if the IP is different than yesterday, that is a pretty good indicator that your ISP uses CGNAT.

DNS route is definitely not it, based on the description.

In LAN Options, can you show me "IP Alias"?

Or you can provide me with your router model and maybe I can find a manual for that model.
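
The checks discussed in the posts above (public vs. LAN address in the DNS record, CGNAT, which ports to forward) can be run together. This is an added example, not code from the thread or from Jellyfin or NPM; it goes beyond the "did the IP change since yesterday" heuristic by also comparing the router's WAN address with the externally observed one, and all addresses are constructed samples from documentation ranges.

```python
import ipaddress

# Explicit blocks rather than ipaddress.is_private, so the reserved
# documentation addresses used as sample "public" IPs are not reported
# as private.
SPECIAL_BLOCKS = {
    "private (RFC 1918)": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "shared CGNAT space (RFC 6598)": ("100.64.0.0/10",),
    "loopback": ("127.0.0.0/8",),
    "link-local": ("169.254.0.0/16",),
}

MESSAGES = {
    "dns-not-routable": "DNS record holds a non-public address; remote clients cannot reach it",
    "dns-stale": "DNS record does not match the current public address",
    "cgnat-or-double-nat": "router WAN address is not the public address; port forwards on this router never see inbound traffic",
    "ports-missing": "80 and/or 443 are not forwarded to the reverse proxy host",
    "admin-port-forwarded": "port 81 (NPM management UI) is forwarded and should not be",
}

def classify(ip):
    """Return the special-purpose block an address belongs to, or 'public'."""
    addr = ipaddress.ip_address(ip)
    for label, blocks in SPECIAL_BLOCKS.items():
        if any(addr in ipaddress.ip_network(b) for b in blocks):
            return label
    return "public"

def diagnose(dns_record_ip, router_wan_ip, observed_ip, forwarded_ports):
    """Return finding codes (keys of MESSAGES); an empty list means consistent.

    dns_record_ip   - address entered in the DNS A record
    router_wan_ip   - WAN address shown on the router's status page
    observed_ip     - address an external "what is my IP" site reports,
                      read with any commercial VPN disconnected
    forwarded_ports - external TCP ports forwarded to the proxy host
    """
    dns, wan, seen = (ipaddress.ip_address(x)
                      for x in (dns_record_ip, router_wan_ip, observed_ip))
    findings = []
    if classify(dns_record_ip) != "public":
        findings.append("dns-not-routable")
    elif dns != seen:
        findings.append("dns-stale")
    if classify(router_wan_ip) != "public" or wan != seen:
        findings.append("cgnat-or-double-nat")
    if {80, 443} - set(forwarded_ports):
        findings.append("ports-missing")
    if 81 in forwarded_ports:
        findings.append("admin-port-forwarded")
    return findings

if __name__ == "__main__":
    # Constructed case: LAN address in the DNS record, router behind CGNAT.
    for code in diagnose("192.168.1.50", "100.72.3.4", "203.0.113.7", [80, 443]):
        print(f"{code}: {MESSAGES[code]}")
```
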


RE: Remote access - carlospj - 2025-04-02

(Yesterday, 02:17 PM)TheDreadPirate Wrote: From the info you provided, your port forwarding and Cloudflare setup are correct. The only thing that would prevent it from working is if your ISP uses CGNAT (carrier grade NAT). Similar to how consumer level NAT works, 1 public IP for multiple devices, some ISPs do the same at the ISP level. CGNAT pretty much makes it impossible to host a service since your IP changes pretty frequently and the carrier blocks unsolicited incoming requests like your router would if you don't set up port forwarding.

If you go to https://whatismyipaddress.com/ again and if the IP is different than yesterday, that is a pretty good indicator that your ISP uses CGNAT.

I hope that's not it, but nothing else seems to make sense right now.
That said, the IP hasn't changed and is still the same as it was yesterday and almost certainly the same as when I opened the post, two or three days ago. I'd even want to swear that the number rings a bell enough to say it hasn't changed in a while.

(Yesterday, 02:17 PM)TheDreadPirate Wrote: In LAN Options, can you show me "IP Alias"?
Yeah, sure. Here it goes:
   

These are the options:
   

And this is what IP Alias row has:
   

The other two options had IP addresses that I don't know if I should share. They are disabled anyway.

(Yesterday, 02:17 PM)TheDreadPirate Wrote: Or you can provide me with your router model and maybe I can find a manual for that model.

The router is Smart Wifi (HGU) GPT-2741GNAC

One more thing I just remembered. When I did the installation of the Ethernet cables when I did the works in my house, all the cables converged in the living room, in a kind of “box” that was inside the wall.
Originally the idea was to put the router in there, but, one, it was too big, and two, it got too hot, and I didn't want to leave that in there as a precaution.
So I bought a switch (I think it was a switch, because it's a long time ago and I don't remember it very well), where I connected all the Ethernet cables in my house, and then one from the switch directly to the router.
Could this have something to do with it?