2025-03-31, 03:31 PM
Hello all,
Before I explain my doubts, I wanted to explain a bit how my server is set up, what I want to achieve and what I have been trying to access Jellyfin remotely, in case it could be of any help for your answer.
First of all, so far I have been using Jellyfin to watch movies and tv shows from my local network. However, now I wanted to use Jellyfin as my server for my music collection, and for that I would like to be able to access Jellyfin from the outside so I can listen to it when I'm not at home (probably with Symfonium).
I have set up my server on an old Elitedesk with TrueNas Scale. On it I have Dockge installed and inside Dockge I have all my services up, including Jellyfin. In TrueNas I have set a static IP for its local IP, that way it doesn't change the IP every so often.
Well, having explained this, I have been doing a lot of research on how to remotely access Jellyfin. I have to say that I am a complete novice in networking matters, but I am learning a lot.
The first thing I tried was Tailscale. Easy installation and configuration, I don't need to open any ports. I installed Tailscale directly from TrueNas Apps, so I don't have a stack running in Dockge for Tailscale. That gives me access to the TrueNas GUI, but not really to my services, so what I did was to use Subnet routers.
This is where I had my first doubt:
1. Is using Subnet routers the best way to access Jellyfin with Tailscale, taking into account my setup? Could it be possible and even desirable, to raise Tailscale with Dockge, specifically in the same docker compose as Jellyfin, and have them connected?
Anyhow, everything seemed to work fine: I had access from the outside to my music collection with Symfonium using Tailscale.
However, I ran into a problem, and that is that at least the first few days, I found that quite often, I had connection problems and did not have a really smooth and uninterrupted playback. Quite the opposite. There were days when I could even listen to more than two songs in a row.
I noticed that once I left my local network, I lost the Direct Connection to Tailscale on my mobile, which I understand may be the reason why I was having so many connection problems.
I don't really know why this is happening to me (I don't know if it has something to do with the fact that I use GrapheneOS on my mobile), but it made me rethink the use of Tailscale, at least for accessing multimedia files.
Also, I always have ProtonVPN connected on all my devices, and to connect to Tailscale on my mobile, I have to disconnect Proton, as only one VPN can be used.
Faced with this, I started to investigate alternatives, basically a reverse proxy solution. After watching several tutorials and reading several websites, I took the plunge.
I set up Nginx (NPM) in Dockge and opened an account in Cloudflare, where I bought a domain (something I had always wanted to do).
For all the configuration with the domain I wanted to use a wildcard certificate, so I created an SSL certificate in NPM (*.domain.com and also domain.com), using DNS Challenge to link it to my Cloudflare account with a token I created.
Then I created a Proxy Host for Jellyfin. I configured it following the instructions in Jellyfin's documentation for NPM.
In Cloudflare, under DNS/Records I registered a DNS for the Wildcard domain, like this.
This saves me from having to register DNS for each subdomain I want to use.
For the encryption mode I have it set to Full and in Always use HTTPS.
With this configuration I got a brand new URL with my domain, with certificates and I can access Jellyfin from my local network with this URL and https.
The final step was to open it to the internet and this is the part where, apart from it scaring me the most, I completely failed.
As I have done for other things, I looked into the matter and tried it.
Basically, I opened ports 80 and 443 on my router pointing to the IP of my TrueNas server, but I'm sure I have something configured wrong. Either I have not done the port forwarding correctly, or I have something configured in NPM or Cloudflare that is not correct (or both).
Since it wasn't working for me, I closed the ports again. I'm not gonna open them again until I know what's wrong and that what I'm doing is safe.
As I have understood, once the reverse proxy is done and once you have the certificates, to access from outside your local network you have to open ports 80 and 443 in your router pointing to the IP where NPM is listening on ports 80 and 443. The thing is that everywhere I was reading information about this, I seemed to understand that you also had to specify the port of NPM (ie Local_IP:81) but I at least do not see an option in my router for it.
I'll leave you with a screenshot of the port forwarding options on my router and what I've put in each, to see if I've done something wrong (assuming the explanation of how to do things from before is correct).
The example is with 443, but it's the same for the 80 one.
External Start Port: 443
External End Port: 443
Server IP Address: the local IP for my TrueNas server, which is the same as my NPM but in port 81.
Protocol: TCP+UDP
Open Start Port: 443
Open End Port: 443
So, my second question is:
2. Is there something I'm missing here? Is this wrong?
Another thing that may be wrong is the IP in Cloudflare's DNS/Records tab.
If you remember, in it I put the Local IP.
However, I don't know which IP I have to put here. In the tutorials that I have followed, I am understanding that to open it to the internet, I would have to put my Public IP.
The issue is that if I do this (along with Port Forwarding), not only do I still not have remote access, but I lose access to Jellyfin from my local network with the URL.
So my third question is:
3. Is this configuration related to remote access? Could this be where the bug is? What do I need to put here?
At this point, I don't know what else to do. I need to resolve these doubts and I just don't dare to do anything else alone.
However, I have other doubts.
4- Should I adopt another method other than reverse proxy and port forwarding? Or by configuring it well and with your help, am I on the right track?
5- Should I have a VPN service set up on my server? I would like to expose other services, including TrueNas GUI, but I have read on some sites that for this it is better to access through a VPN. If I did that, would it be better than doing a reverse proxy, or could it be complementary? Or if I do manage to set up a reverse proxy, would setting up the VPN be a fool's errand?
6- However, to use the TrueNas GUI, I could access with Tailscale. However, I would like it to have certificates and the URL, as I have done with Jellyfin. If I want to do this, wouldn't it be silly to use Tailscale, considering that having the reverse proxy and being exposed to the internet, I would already have remote access?
I hope you can help me with this. Thanks in advance!
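An offline check for the DNS record question in the post above, added here as an example and not part of the original post: it classifies the address entered in an A record and the WAN address the router reports, and flags combinations that cannot be reached from outside the LAN. The function names, finding labels and sample addresses are assumptions made for the illustration, and it handles IPv4 only.

```python
import ipaddress

# IPv4 ranges that are not reachable from the public internet.
NON_PUBLIC = {
    "private": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),  # RFC 1918
    "cgnat": ("100.64.0.0/10",),       # RFC 6598, carrier-grade NAT
    "loopback": ("127.0.0.0/8",),
    "link-local": ("169.254.0.0/16",),
}


def scope(addr):
    """Return 'private', 'cgnat', 'loopback', 'link-local' or 'public'."""
    ip = ipaddress.IPv4Address(addr)
    for name, nets in NON_PUBLIC.items():
        if any(ip in ipaddress.IPv4Network(n) for n in nets):
            return name
    return "public"


def diagnose(record_value, router_wan):
    """Findings for the IP typed into the A record and the router's WAN IP.

    record-lan-only : the name resolves to an address only LAN clients can reach
    record-not-wan  : the record is public but is not this router's WAN address
    wan-not-public  : the router sits behind another NAT, so a port forward on
                      this router alone is not reachable from the internet
    """
    findings = []
    if scope(record_value) != "public":
        findings.append("record-lan-only")
    elif ipaddress.IPv4Address(record_value) != ipaddress.IPv4Address(router_wan):
        findings.append("record-not-wan")
    if scope(router_wan) != "public":
        findings.append("wan-not-public")
    return findings


# Constructed samples. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges (RFC 5737) standing in for real public addresses.
SAMPLES = [
    ("192.168.1.50", "203.0.113.10"),   # local IP in the record
    ("203.0.113.10", "203.0.113.10"),   # record matches the WAN address
    ("198.51.100.7", "100.72.14.3"),    # stale record, router behind CGNAT
]

if __name__ == "__main__":
    for record, wan in SAMPLES:
        print(record, wan, diagnose(record, wan) or ["ok"])
```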