Protection Against EVERYTHING

[Hanako]

Hello to the Jellyfin community , 
I recently got into Jellyfin, setting it up and port-forwarding to watch even outside of home has gone well.  
However, my biggest concern is protection against ISPs or, in general, any kind of attack. I've watched a couple of videos and read up on some forums, but now I think I'm more lost than before. Is port-forwarding the best kind of protection against ISPs or any sort of attack? I've heard of masking IPs and changing DNS, but I don't really know the proper way to do such a thing. 

Thank you for reading and I hope you have a great day!

[gnattu]

Setup a VPN and use VPN exclusively to connect back to your home is the best practice that normal people can afford to do AFAIK. You expose nothing but the VPN endpoint to the public network and assume the VPN's security mechanism is good enough (it usually is if you use modern variants).

[Hanako]

Setup a VPN and use VPN exclusively to connect back to your home is the best practice that normal people can afford to do AFAIK. You expose nothing but the VPN endpoint to the public network and assume the VPN's security mechanism is good enough (it usually is if you use modern variants).

Would any free VPN work, I'm hoping to get a free experience since I'll be sharing this with close friends and family. And would there be any recommendations you have, I was considering just proton VPN. What does "AFAIK" mean? 
If I have the server setup (with a reverse proxy), and I go to a device (roku or Android phone/tablet) on the same network without a VPN, am I at risk from ISP or any sort of danger?  
Are there any more free safety measures I can take to ensure safety on the server, kind of like the reverse proxy? 
I already have Caddy and Duckdns to create the reverse proxy. They should be working already since I'm able to access my Jellyfin server through the ducks URL I created. But the server is still accessible through the usual IP address, did I set up Duckdns and Caddy correctly?

[TheDreadPirate]

I believe gnattu was referring to self-hosted VPNs like Wireguard, OpenVPN, or Tailscale. A lot of routers come with OpenVPN Server that you can enable to act as the "gateway" to your LAN.

IMO, the "risk" of hosting a service on the Internet is greatly overstated. I am not saying that the risk doesn't exist, but taking basic pre-cautions mitigates or eliminates that risk.

Use https, keep your server up-to-date, use strong passwords for accounts and you've mitigated or eliminated most of the risk and privacy concerns most people have.

If you've already setup caddy and duckdns, I am assuming you're already using https with Let's Encrypt certs. Accessing the server with the IP address will always work if Jellyfin is the only service running. Unless you are talking about accessing Jellyfin via port 8096 from an external device.

[34626]

Yes, the internet is dangerous, just like it's dangerous being alive..

To help you best, we do need to know what OS you are running on the server where you are running Jellyfin? :-)

[Hanako]

Self-hosted VPNS: Wouldn't that expose my own IP address if someone were to check it (ISP)? I now have Tailscale set up so that I can use the VPN from my phone. Should I add/change anything with Tailscale to ensure more secure and safe traffic?
I went ahead and checked for caddy and duckdns on my server, it has "Organization (O) Let's Encrypt" as a certificate, and the website's url has https so I presume I'm properly using it?
From home: If I wanted to stream my server to a device on the same network, is a VPN still needed? Am I safe streaming if I am on the same network as the server and I'm using the reverse proxy?

My server: Intel® Core i5-6600K CPU | NVIDIA GeForce GTX 1070 | 16gb RAM | 2TB storage |
OS: Windows 10 Home
Network: TRENDnet N600

[TheDreadPirate]

If you're using https or a VPN, nobody can see the content of the traffic.

Your ISP already knows your IP, since they're the ones that gave it to you. Using https or VPNs prevents them from snooping the contents, as stated above.

You do not need to use https or a VPN while at home.

[Hanako]

Well, I have HTTPS, right, or is there something else I am missing? I have HTTPS in the URL and the "let encrypt" certificate is there. I am super sorry for being oblivious and thank you for helping me so far.

[TheDreadPirate]

Yes. You are using https.