2024-03-03, 06:40 AM
Problem
I have a Jellyfin install that's working perfectly fine from both the local LAN and from remote via the internet. Browsers, native Jellyfin apps, and third-party apps (e.g. Infuse) all work fine, both locally and from remote, when connecting to my instance. But for some reason, the Roku app won't connect remotely at all, and seems to have a very limited and finicky method of connecting on the LAN.
Setup
My setup has my Jellyfin server running in a Docker container behind a Caddy reverse proxy. Caddy terminates TLS with valid, publicly signed ZeroSSL certificates for a few different domain names that point to Jellyfin. I'm not trying to do any subpathing; Jellyfin is running directly on the root of the domain. I also have a small VPS running in a public cloud that my router has a WireGuard connection to (for bypassing my CGNAT ISP). I have simple masquerade firewall rules running on the VPS to redirect any incoming port 443 or 8920 connections to the Jellyfin server through the WireGuard tunnel. My public domain name DNS records point to the VPS's fixed public IP address, and I have split-horizon DNS on my router that overrides those same DNS entries to resolve to the LAN IP address when accessed from within my home network. So the effective path when accessing my Jellyfin server remotely is:
Client --> VPS --WireGuard--> home router --> Jellyfin server --> Caddy --> Jellyfin container
This has been thoroughly tested and works for everyone without issue on any network when using any native Jellyfin app or web browser as a client, except for the Roku Jellyfin app. I've tested this on 2 different remote networks using 3 different Rokus, all with the same failing results for all the Rokus.
Two of the Rokus I'm testing are the same model, Roku Ultra 4800X with fully up-to-date software, but I'm unable to get the details of the third right now (it's a Roku Express of some sort). In all cases the Roku Jellyfin app is the current latest, 2.0 build 5.
What I've done so far
I was debugging this by looking at traffic at each point in the chain. I'm unable to get useful connection logs from the VPS because it gets regularly scanned by random bots on the internet and that muddles the traffic results, but it's a transparent traffic redirector that's completely unaware of any protocol involved, so it shouldn't matter. From my home router, I can watch the connections coming through the WireGuard connection and see everything coming through. I can also see all errors encountered at the Caddy reverse proxy, as well as all traffic successfully matched to a domain name by the proxy. I can also see the Jellyfin logs.
What I'm seeing is that no matter what I put into the manually populated server name box in the Roku app, no traffic from the Roku ever even reaches the router. The server currently has no one using it (because of the time of day), so I can easily trace every connection. The only connections coming through the router are for someone else's domain (someone clearly misconfigured their DNS record), which Caddy is dutifully reporting as an error when it rejects the TLS handshake. If I use the exact same network connection the Roku is on and connect via a browser or native mobile app, I see the logs I'd expect in the router, Caddy, and Jellyfin. This tells me that the Roku is never even attempting to connect to the server name it's given, which eliminates TLS certificate issues as the source of the problem, and eliminates the network it's running on as a source of filtering/blocking for the resolved domain IP address.
All possible answers pretty clearly point to the Rokus themselves as the source of the issue. My server has multiple custom domains that route to this same Jellyfin server through this same process, all with valid ZeroSSL certificates, some with different TLDs (*.tv and *.xyz). So domain TLD filtering by the Roku itself seems unlikely, though not impossible. The resolved IP address of my domains is a US-based address from a Linode/Akamai data center, so a prior owner of the IP address having caused it to be added to a block list in the Roku also seems unlikely. Just to be sure though, I reset the public IP address of the VPS instance, made sure everything was still working, and tried again, still with the same results from the Rokus.
Server name formats I've tried in the Roku app (maybe it's somehow related to this?):
- mydomain.tv
- https://mydomain.tv
- https://mydomain.tv/
- mydomain.tv:443
- https://mydomain.tv:443
- https://mydomain.tv:443/
- mydomain.tv:8920
- https://mydomain.tv:8920
- https://mydomain.tv:8920/
- myotherdomain.xyz
- https://myotherdomain.xyz
- https://myotherdomain.xyz/
- myotherdomain.xyz:443
- https://myotherdomain.xyz:443
- https://myotherdomain.xyz:443/
- myotherdomain.xyz:8920
- https://myotherdomain.xyz:8920
- https://myotherdomain.xyz:8920/
For comparison, when I was connecting one of the Rokus to the same LAN as my Jellyfin server, where my home router serves the LAN IP of the Jellyfin server when looking up the public domain names, I was only able to get it to connect by entering "mydomain.tv" or "myotherdomain.xyz". It wouldn't connect if a port or protocol was included. That strongly suggests the app is hard-coded to try only specific things when connecting, but what those might be seems to be undocumented and not obvious. Furthermore, entering the same thing when trying to connect remotely doesn't work.
Help?
I'm out of ideas. Any recommendations for further debugging, or hints for how to work around this, would be great. I have at least 2 users who only have a Roku as their possible means of accessing my Jellyfin server, and it seems like the Jellyfin Roku app simply doesn't work. Hopefully I'm wrong though.
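The debugging in the post works hop by hop (DNS, the tunnel, Caddy's TLS termination, Jellyfin itself), and the list of server names tried is really only a handful of distinct endpoints once scheme and port are normalised. The script below is an added example, not code from the post or from the Jellyfin project: run from the same network as a failing client, it normalises a typed server name the way a generic client might, resolves the host, opens TCP, completes a TLS handshake with SNI and certificate validation, and then fetches `/System/Info/Public`, which is Jellyfin's real unauthenticated server-info route. The normalisation rules (no scheme means https, a bare name fans out to 443, 8920 and 8096), the `jellyfin-hop-probe` User-Agent, and the `TRIED` list built from the post are assumptions of this example, not a description of what the Roku app actually does.

```python
"""Hop-by-hop reachability probe for a Jellyfin server behind a reverse proxy.

Added example, not code from the original post or the Jellyfin project. The
normalisation rules below are assumptions for the probe's sake, not a claim
about how the Roku app interprets a typed server name.
"""
from __future__ import annotations

import json
import socket
import ssl
import urllib.request
from urllib.parse import urlsplit

WELL_KNOWN = {"https": 443, "http": 80}
JELLYFIN_HTTPS, JELLYFIN_HTTP = 8920, 8096  # Jellyfin's own default listening ports

# Constructed from the list of server names tried in the post above.
TRIED = [
    "mydomain.tv", "https://mydomain.tv", "https://mydomain.tv/",
    "mydomain.tv:443", "https://mydomain.tv:443", "https://mydomain.tv:443/",
    "mydomain.tv:8920", "https://mydomain.tv:8920", "https://mydomain.tv:8920/",
    "myotherdomain.xyz", "https://myotherdomain.xyz", "https://myotherdomain.xyz/",
    "myotherdomain.xyz:443", "https://myotherdomain.xyz:443", "https://myotherdomain.xyz:443/",
    "myotherdomain.xyz:8920", "https://myotherdomain.xyz:8920", "https://myotherdomain.xyz:8920/",
]


def _parse(entered: str) -> tuple[str, str, int | None, bool]:
    """Split a typed name into (scheme, host, explicit port or None, scheme_given)."""
    text = entered.strip()
    scheme_given = "://" in text
    if not scheme_given:
        text = "https://" + text            # assumed default: no scheme means https
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    if scheme not in WELL_KNOWN or not parts.hostname:
        raise ValueError(f"unsupported server name: {entered!r}")
    return scheme, parts.hostname, parts.port, scheme_given  # .port raises on junk


def normalize(entered: str) -> str:
    """Canonical scheme://host:port with the path dropped and the port made explicit."""
    scheme, host, port, _ = _parse(entered)
    return f"{scheme}://{host}:{port if port is not None else WELL_KNOWN[scheme]}"


def distinct_endpoints(names: list[str]) -> list[str]:
    """Collapse a list of typed variants to the endpoints they actually denote."""
    return sorted({normalize(n) for n in names})


def candidates(entered: str) -> list[str]:
    """URLs to try, in order. An explicit scheme or port is taken literally; a
    bare name fans out to 443, then Jellyfin's 8920 (HTTPS) and 8096 (HTTP)."""
    scheme, host, port, scheme_given = _parse(entered)
    if scheme_given or port is not None:
        return [normalize(entered)]
    return [f"https://{host}:443", f"https://{host}:{JELLYFIN_HTTPS}",
            f"http://{host}:{JELLYFIN_HTTP}"]


def probe(url: str, timeout: float = 5.0) -> list[tuple[str, bool, str]]:
    """Walk DNS -> TCP -> TLS -> HTTP and stop at the first hop that fails."""
    scheme, host, port, _ = _parse(url)
    port = port if port is not None else WELL_KNOWN[scheme]
    steps: list[tuple[str, bool, str]] = []
    try:
        infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
        steps.append(("dns", True, ", ".join(sorted({ai[4][0] for ai in infos}))))
        sock = socket.create_connection((host, port), timeout=timeout)
        steps.append(("tcp", True, f"connected to {sock.getpeername()[0]}:{port}"))
    except OSError as exc:                  # gaierror and timeouts are OSErrors
        steps.append(("dns" if not steps else "tcp", False, str(exc)))
        return steps
    if scheme == "https":
        try:
            ctx = ssl.create_default_context()  # verifies chain and host name
            with ctx.wrap_socket(sock, server_hostname=host) as tls:  # SNI = host
                issuer = dict(a for rdn in tls.getpeercert()["issuer"] for a in rdn)
                steps.append(("tls", True,
                              f"{tls.version()} issuer={issuer.get('organizationName', '?')}"))
        except OSError as exc:              # ssl.SSLError is an OSError subclass
            sock.close()
            steps.append(("tls", False, str(exc)))
            return steps
    else:
        sock.close()
    try:
        req = urllib.request.Request(f"{scheme}://{host}:{port}/System/Info/Public",
                                     headers={"User-Agent": "jellyfin-hop-probe/1"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            info = json.load(resp)
        steps.append(("http", True, f"{info.get('ServerName')} v{info.get('Version')}"))
    except (OSError, ValueError) as exc:    # URLError is an OSError; bad JSON is ValueError
        steps.append(("http", False, str(exc)))
    return steps


if __name__ == "__main__":
    import sys
    print("distinct endpoints in the post's list:", *distinct_endpoints(TRIED), sep="\n  ")
    for url in candidates(sys.argv[1] if len(sys.argv) > 1 else "mydomain.tv"):
        print(f"== {url}")
        for step, ok, detail in probe(url):
            print(f"  {step:<4} {'ok  ' if ok else 'FAIL'} {detail}")
```

Run it from the LAN and from a remote network with the same name you type into the Roku. A `dns` failure points at split-horizon or public DNS, a `tcp` failure at the VPS forwarding or the tunnel, a `tls` failure at the certificate or SNI handling in Caddy, and an `http` failure at Caddy's routing or Jellyfin itself; each successful hop should also show up in the corresponding router, Caddy, or Jellyfin log, which is the same correlation the post does by hand.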