2024-06-07, 04:17 PM
On your insights:
1. Reverse proxy is the easiest for any end users. You set up the RP to proxy traffic from a domain or subdomain to your Jellyfin instance. With many tools that integrate certbot and auto-renewals, it's *relatively* easy to set up and the most secure way to make your instance publicly available. If you have many users or a large variety of clients, RP is definitely the way to go. More investment up front to learn, implement, and test, but easier for end users (nothing to install, one single address for JF instance).
...
3. This is misleading. Tailscale is a very secure way to allow access to your JF instance (or even your local network if you configure it that way). However, you have to install the Tailscale client on each device accessing the JF instance remotely. Easy for devices like phones or computers, harder for any OTT-type device (e.g., Roku, Firestick, etc...). Easy setup, more difficult for end users.
On your questions:
1. Yes. Tailscale is a specific implementation of Wireguard. PiVPN allows you to setup OpenVPN or Wireguard nodes to use in a similar fashion. Between the two, it may be easier to use Tailscale, though if you have a good understanding of networking, you can likely make either work.
2. You generally need to open a port for a VPN to exit, but I haven't used PiVPN or Tailscale. I have set up a Wireguard node and it requires a forwarded port to function properly.
3. I don't believe Tailscale requires any dynamic DNS config. In fact, neither really does, though you may need an IP updater for setting up your own Wireguard/OpenVPN instance. Reverse proxy would require DDNS to ensure your A record points to the correct IP address if you do not receive a static IP from your ISP.
4. Opening ports always carries a risk. When you have a service tied to a port (e.g., Wireguard node), that service becomes the entry point because it is assigned to the port. What you've described is completely opening a port on your server, which is the least secure route to go. You have encrypted the traffic with your VPN, but the port of entry on the server is still just wide open. Tailscale and Wireguard/OpenVPN (PiVPN) may require a port forward, but all traffic needs to go through a node on each end with permission to talk to the other. With a RP, all traffic from a single open port is routed to any of the services you have running and encrypted en route.
5. You're not a high-value target. Chances are low that you suffer an attack, but straight opening a port increases that risk substantially. Using your VPN doesn't matter -- script kiddies often scan for open ports on IP addresses via brute force. Using your commercial VPN makes no difference in the case where a malicious attacker finds the open port and has the ability to exploit any vulnerabilities present. What they can do depends on skill level and what security vulnerabilities exist. A VM isolates host access, but they can still wreak havoc within the VM if they're able to gain access.
6. Via credentials -- do not allow login/access without credentials -- and secure connections. Set strong passwords and hide usernames on the login page -- the less info you provide to somebody who may gain access, the better (i.e., security through obfuscation). You've named three solutions for remote access: open a port (VPN here is irrelevant for server security), run Tailscale or another OpenVPN/Wireguard solution (e.g., PiVPN), and full reverse proxy. Either of the latter two are much more secure than just opening a port.
7. I don't have an answer from experience with Jellyfin here, but there is a performance hit to encrypting drives. You use more CPU cycles and files cannot be accessed as quickly/directly. You're also not increasing the security of your system...if you open a port that provides open access to your server but you encrypt your media, all you're doing is punishing yourself. If somebody gains the right access, they could just re-encrypt your encrypted files and you've lost everything anyway. Local encryption is mainly for privacy, but given a good set of security measures in front of it (i.e., strong passwords, hidden usernames, Tailscale/OVPN/Wireguard or reverse proxy), that encryption means an attacker can't access the data directly, but they can still cause problems as previously described.
In other words:
A. Open port --> no real security
B. Tailscale/PiVPN/etc --> tunelled security, harder for end users in many cases
C. Reverse proxy --> encrypted traffic on public internet, easier for end users in most cases
1. Reverse proxy is the easiest for any end users. You set up the RP to proxy traffic from a domain or subdomain to your Jellyfin instance. With many tools that integrate certbot and auto-renewals, it's *relatively* easy to set up and the most secure way to make your instance publicly available. If you have many users or a large variety of clients, RP is definitely the way to go. More investment up front to learn, implement, and test, but easier for end users (nothing to install, one single address for JF instance).
...
3. This is misleading. Tailscale is a very secure way to allow access to your JF instance (or even your local network if you configure it that way). However, you have to install the Tailscale client on each device accessing the JF instance remotely. Easy for devices like phones or computers, harder for any OTT-type device (e.g., Roku, Firestick, etc...). Easy setup, more difficult for end users.
On your questions:
1. Yes. Tailscale is a specific implementation of Wireguard. PiVPN allows you to setup OpenVPN or Wireguard nodes to use in a similar fashion. Between the two, it may be easier to use Tailscale, though if you have a good understanding of networking, you can likely make either work.
2. You generally need to open a port for a VPN to exit, but I haven't used PiVPN or Tailscale. I have set up a Wireguard node and it requires a forwarded port to function properly.
3. I don't believe Tailscale requires any dynamic DNS config. In fact, neither really does, though you may need an IP updater for setting up your own Wireguard/OpenVPN instance. Reverse proxy would require DDNS to ensure your A record points to the correct IP address if you do not receive a static IP from your ISP.
4. Opening ports always carries a risk. When you have a service tied to a port (e.g., Wireguard node), that service becomes the entry point because it is assigned to the port. What you've described is completely opening a port on your server, which is the least secure route to go. You have encrypted the traffic with your VPN, but the port of entry on the server is still just wide open. Tailscale and Wireguard/OpenVPN (PiVPN) may require a port forward, but all traffic needs to go through a node on each end with permission to talk to the other. With a RP, all traffic from a single open port is routed to any of the services you have running and encrypted en route.
5. You're not a high-value target. Chances are low that you suffer an attack, but straight opening a port increases that risk substantially. Using your VPN doesn't matter -- script kiddies often scan for open ports on IP addresses via brute force. Using your commercial VPN makes no difference in the case where a malicious attacker finds the open port and has the ability to exploit any vulnerabilities present. What they can do depends on skill level and what security vulnerabilities exist. A VM isolates host access, but they can still wreak havoc within the VM if they're able to gain access.
6. Via credentials -- do not allow login/access without credentials -- and secure connections. Set strong passwords and hide usernames on the login page -- the less info you provide to somebody who may gain access, the better (i.e., security through obfuscation). You've named three solutions for remote access: open a port (VPN here is irrelevant for server security), run Tailscale or another OpenVPN/Wireguard solution (e.g., PiVPN), and full reverse proxy. Either of the latter two are much more secure than just opening a port.
7. I don't have an answer from experience with Jellyfin here, but there is a performance hit to encrypting drives. You use more CPU cycles and files cannot be accessed as quickly/directly. You're also not increasing the security of your system...if you open a port that provides open access to your server but you encrypt your media, all you're doing is punishing yourself. If somebody gains the right access, they could just re-encrypt your encrypted files and you've lost everything anyway. Local encryption is mainly for privacy, but given a good set of security measures in front of it (i.e., strong passwords, hidden usernames, Tailscale/OVPN/Wireguard or reverse proxy), that encryption means an attacker can't access the data directly, but they can still cause problems as previously described.
In other words:
A. Open port --> no real security
B. Tailscale/PiVPN/etc --> tunelled security, harder for end users in many cases
C. Reverse proxy --> encrypted traffic on public internet, easier for end users in most cases
Jellyfin 10.10.0 LSIO Docker | Ubuntu 24.04 LTS | i7-13700K | Arc A380 6 GB | 64 GB RAM | 79 TB Storage
![[Image: AIL4fc84QG6uSnTDEZiCCtosg7uAA8x9j1myFaFs...qL0Q=w2400]](https://lh3.googleusercontent.com/pw/AIL4fc84QG6uSnTDEZiCCtosg7uAA8x9j1myFaFsx_0wM5mKgTleZb466r4NtOHIRePq_CxyhsB72qsd-xuYFkqCGogLltAMN62BXsm-yFsSZcDuryqL0Q=w2400)