+- Jellyfin Forum (https://forum.jellyfin.org)
+-- Forum: Support (https://forum.jellyfin.org/f-support)
+--- Forum: Troubleshooting (https://forum.jellyfin.org/f-troubleshooting)
+--- Thread: SOLVED: ExpressVpn breaking Jellyfin (/t-solved-expressvpn-breaking-jellyfin)
ExpressVpn breaking Jellyfin - SilveryAbaba - 2024-01-24
Hello, I have tailscale installed so I can access Jellyfin from other devices. I have ExpressVpn split tunneled so that my other activity on the server is protected. I have jellyfin and tailscale excluded in the split tunnel. When ExpressVpn is on I can access Jellyfin from localhost:port only, not my tailscale ip like I can usually, so no other devices can connect either. I attached my exclusion rules. It shouldn't be touching either of these at all. Curiously, with these same settings it worked on my old server before I migrated. Any idea what's going on? Thanks!
RE: ExpressVpn breaking Jellyfin - TheDreadPirate - 2024-01-24
Instead of the Jellyfin Tray App, add jellyfin.exe to the list? They are separate processes. The tray app only starts/stops jellyfin.exe.
RE: ExpressVpn breaking Jellyfin - SilveryAbaba - 2024-01-26
Hey, thanks for answering. If you'll check my attachment I already have that excluded too. Thanks again.
(2024-01-24, 05:20 AM)TheDreadPirate Wrote: Instead of the Jellyfin Tray App, add jellyfin.exe to the list? They are separate processes. The tray app only starts/stops jellyfin.exe.
RE: ExpressVpn breaking Jellyfin - tmsrxzar - 2024-01-26
trying to better understand your setup
jellyfin server is installed and running on the pc
tailscale is on the pc which allows external traffic to connect to your jellyfin instance
if that's correct; excluding expressvpn for the moment
jellyfin is successfully being accessed from where, LAN or External through tailscale?
then when expressvpn is up and running it is also running on the same pc creating a 3rd network
jellyfin can no longer be accessed from where, LAN or External through tailscale?
the routing bit is important to understand which way the traffic IS being routed vs how it SHOULD BE routed
RE: ExpressVpn breaking Jellyfin - SilveryAbaba - 2024-01-26
(2024-01-26, 12:52 AM)tmsrxzar Wrote: trying to better understand your setupThanks for trying to understand! Jellyfin server and tailscale is on my desktop yes. I can only access on LAN on my server computer through localhost:port when ExpressVpn is connected, but not ip:port or MagicDns:port on browser or jelly media player. All external devices (ie, can't use localhost:port) cannot access. ExpressVpn should exclude tailscale and jellyfin from the third network because of the split tunneling above (I think). As soon as I disconnect ExpressVpn everything works as it should. Expressvpn on a client also with the same exclusions cannot connect as well, but does as soon as it is disconnected resumes playback.
jellyfin server is installed and running on the pc
tailscale is on the pc which allows external traffic to connect to your jellyfin instance
if that's correct; excluding expressvpn for the moment
jellyfin is successfully being accessed from where, LAN or External through tailscale?
then when expressvpn is up and running it is also running on the same pc creating a 3rd network
jellyfin can no longer be accessed from where, LAN or External through tailscale?
the routing bit is important to understand which way the traffic IS being routed vs how it SHOULD BE routed
Edit: because localhost:port does not work on clients, I believe tailscale is routing externally to make a successful connection without ExpressVpn
RE: ExpressVpn breaking Jellyfin - tmsrxzar - 2024-01-26
alright, makes sense
i can give you some testing hints, i believe the routing on the machine running all these is incorrect
basic overview guide of routing on windows is here https://www.howtogeek.com/22/adding-a-tcpip-route-to-the-windows-routing-table
what i believe needs to happen is your machine needs a route for tailscale that tells it to only send that traffic to tailscale
since the 'automatic' split tunneling doesn't (seem to) work, it will be manual
need to add a route using 'route add' that directs all traffic from your "LAN IP" to the Tailscale Gateway Server IP VIA your LAN Gateway so that it doesn't try to send it to (or through) expressVPN
example
Lan IP 192.168.0.20
Lan Gateway 192.168.0.1
Tailscale Server 2.3.4.5
route add 2.3.4.0 MASK 255.255.255.0 192.168.0.1
it gets quite involved doing routing and it's been years since i've done it on windows but i believe this should be the path forward
RE: ExpressVpn breaking Jellyfin - SilveryAbaba - 2024-01-26
(2024-01-26, 01:41 AM)tmsrxzar Wrote: alright, makes sense
i can give you some testing hints, i believe the routing on the machine running all these is incorrect
basic overview guide of routing on windows is here https://www.howtogeek.com/22/adding-a-tcpip-route-to-the-windows-routing-table
what i believe needs to happen is your machine needs a route for tailscale that tells it to only send that traffic to tailscale
since the 'automatic' split tunneling doesn't (seem to) work, it will be manual
need to add a route using 'route add' that directs all traffic from your "LAN IP" to the Tailscale Gateway Server IP VIA your LAN Gateway so that it doesn't try to send it to (or through) expressVPN
example
Lan IP 192.168.0.20
Lan Gateway 192.168.0.1
Tailscale Server 2.3.4.5
route add 2.3.4.0 MASK 255.255.255.0 192.168.0.1
it gets quite involved doing routing and it's been years since i've done it on windows but i believe this should be the path forward
Wow, that's definitely something I never would have thought to try! I added -p to make it persistent, and it didn't work with the mask, but it autofills with that anyway if you leave it out. So I did: route -p add [tailscale provided server ip] [my computer's default gateway from ipconfig] Thank you so much tmsrxzar!
Edit: Now I can't access tailscale client on the server computer on external browser or media player, but localhost still works fine, so who cares.
RE: ExpressVpn breaking Jellyfin - tmsrxzar - 2024-01-26
awesome
yea, the rest of that will need more routes, just need to work out what should go where and make it go there
but if localhost still does what you need then good enough
you're welcome, glad it worked out