remotely connected via openvpn - local but need it to be treated as remote

[TheDreadPirate]

This is the log I am looking for.

Code:

[2024-12-12 15:14:51.675 +00:00] [INF] User policy for "chenks". EnablePlaybackRemuxing: True EnableVideoPlaybackTranscoding: True EnableAudioPlaybackTranscoding: True
[2024-12-12 15:14:51.675 +00:00] [INF] RemoteClientBitrateLimit: 8000000, RemoteIP: "141.101.98.214", IsInLocalNetwork: False

As for still being remote when local, you need to enable "NAT loopback" on your router. This will tell the router to keep traffic local if a URL resolves to itself or another local device.

Your other option is to add custom DNS entries in your router that resolve your URL to the local IP of your jellyfin server.

You will need to add your router as a known proxy for NAT loopback. That field can support more than one address, comma separated.

You should also check if there is a setting in Infuse to NOT directly access media and to use Jellyfin's playback api.

[chenks]

This is the log I am looking for.

Code:

[2024-12-12 15:14:51.675 +00:00] [INF] User policy for "chenks". EnablePlaybackRemuxing: True EnableVideoPlaybackTranscoding: True EnableAudioPlaybackTranscoding: True
[2024-12-12 15:14:51.675 +00:00] [INF] RemoteClientBitrateLimit: 8000000, RemoteIP: "141.101.98.214", IsInLocalNetwork: False

As for still being remote when local, you need to enable "NAT loopback" on your router.  This will tell the router to keep traffic local if a URL resolves to itself or another local device.

Your other option is to add custom DNS entries in your router that resolve your URL to the local IP of your jellyfin server.

You will need to add your router as a known proxy for NAT loopback.  That field can support more than one address, comma separated.

You should also check if there is a setting in Infuse to NOT directly access media and to use Jellyfin's playback api.

hmmm, NAT Reflection was set to "system default" for the 2 port foward rules in opnsense for port 80 and 443.
i changed them both to "Enabled" and applied the changes.

tested Swiftin whilst local and it still applied the remote limiting rule to playback.
was the part about adding the router IP as a known proxy applicable to that or just if doing custom DNS entries?

[TheDreadPirate]

I, personally, prefer custom DNS entries. This way if your Internet connection goes out, DNS resolution for your jellyfin address will still work.

[chenks]

I, personally, prefer custom DNS entries.  This way if your Internet connection goes out, DNS resolution for your jellyfin address will still work.

ok i've added a host override in opensense for the domain (and subdomain) that i have.
set the override to point to my nginx local IP address (i assume that's correct).

i flushed the DNS on my laptop and now when pinging jellyfin.fubar.xyz is resolves to the local IP of nginx (previously it resolved to the WAN IP of cloudlfare), so i assume that is working correctly.

did you say i also then had to add the IP of my router to the known proxies in jellyfin as well? (which would be 192.168.50.1)

if that is correct i'll then test again using either Jellyfin Mobile or Swiftfin (both locally and remote) to see what happens.

i've also posted the question about endpoints etc over on the Infuse forum to see what they come back with.

[TheDreadPirate]

I THINK you only have to add the router to the known proxies for NAT loopback. I don't think you do for custom DNS entries since the router isn't acting as a proxy in that situation. Only in the NAT loopback situation.

[chenks]

Testing now seems to be doing what it should when using jellyfin mobile - playing full bitrate when local and restricted bitrate to 8Mbps when remote. This is when using the domain name with both connection methods.

Now I just need to try and get infuse to play ball.

Do I need to put in any extra protection now that my jellyfin instance is exposed to the Internet? Or is routing the domain name via cloudflare to nginx enough protection?

[TheDreadPirate]

Using cloudflare to proxy or tunnel video services is against their TOS. Nginx is the "protection". If you want to go the extra mile, you can setup fail2ban.

https://jellyfin.org/docs/general/networking/fail2ban/

[chenks]

Oops, never knew that, I just used it as an extra level of protection so that my own wan ip was “hidden”.

I don’t plan to use remote very often (probably just when on holidays), so will see what happens. Worst case I just have to set the nameservers back to the domain registrar and add the required A records.

[TheDreadPirate]

If your domain is set to "DNS only" in cloudflare, that is fine. It's only when you flip the switch to "Proxied" that it is a problem.

[chenks]

I don't have any Apple devices and have never used Infuse.  But I am interpreting the logs as Infuse directly accessing the media, perhaps via the "download" endpoint instead of the playback endpoints.  This means there are no checks for "locality", no application of bit rate controls, no checks for client compatibility and transcoding.

ok so i've not had much luck getting the Infuse dev to answer the question i've asked about which endpoint they are using, be it "download" or "playback".
is there anything in the logs that would tell me this?

this is my post over on the infuse forum about this
https://community.firecore.com/t/jellyfi...lity/53047