    SOLVED: CGNAT setup issues

    houmi
    #1
    2025-01-19, 03:10 AM
    Hi Everyone,

So I am new to Jellyfin, decided to try it as it has hevc / av1 encoding. I am a long-time Plex user.

I currently have Plex working behind CGNAT, basically I have the Wireguard client running on a Gl.Inet router (Torguard before and now AirVPN), and I do port forwarding via those VPNs and I also do it on the router, forwarding the port to my Unraid Plex docker local IP address.

I did the same thing for Jellyfin via a different port and it also worked, but then realized the Jellyfin client is connected via http and not https, and there is no really easy way to enable https on Jellyfin.

    I saw Unraid people have enabled Tailscale for devices/nodes recently, so got that to work with MagicDNS/https, I can share the node with my friends/family for Jellyfin via https, but that requires them to also install Tailscale on all their clients to access via web/jellyfin client which they don't quite like.

So I am trying to set up Jellyfin via AirVPN and realized I have to use a reverse proxy. But AirVPN doesn't allow port forwarding of 443/80 when I was trying to set up nginx. I am wondering if people have tried the reverse proxy setup behind a VPN with any success?

I don't have access to a VPS, and I do know I can probably get it working with IPv6, but was mostly looking into a similar setup to the one I have for Plex + reverse proxy. I was thinking of maybe setting up a CNAME for my custom domain pointing it to the AirVPN DDNS, but no idea how to forward port 80/443 to nginx when AirVPN doesn't allow it.

    Thanks for any suggestions.
    TheDreadPirate
    #2
    2025-01-19, 09:25 PM
    Does AirVPN allow you to forward OTHER ports? Your reverse proxy doesn't need to be on 80/443. But you would need to append your URL with the port number.

    But you would need to use DNS based validation when requesting certs instead of well-known, since using well-known during the cert request process MUST occur on port 80.
    Jellyfin 10.10.7 (Docker)
    Ubuntu 24.04.2 LTS w/HWE
    Intel i3 12100
    Intel Arc A380
    OS drive - SK Hynix P41 1TB
    Storage
        4x WD Red Pro 6TB CMR in RAIDZ1
    houmi
    #3
    2025-01-19, 09:46 PM
    Thanks for your reply.... so I got this to work.

I bought a Linode VPS for $5 / month, then used tailscale to reach the jellyfin docker from the VPS, and used Caddy as reverse proxy using my subdomain that I pointed to the VPS. It was pretty easy to set up once I figured out how Caddy works, and Caddy takes care of certs.

    I might switch from Tailscale to Wireguard down the line.
    TheDreadPirate
    #4
    2025-01-20, 12:11 AM
    Tailscale IS Wireguard with a UI and a few quality-of-life changes. If you need the switch to plain Wireguard to keep your user count within the free tier, that's another thing.
    houmi
    #5
    2025-01-20, 03:53 AM
    Yeah I knew they are the same but I thought TS had extra overhead.

    Right now my setup is

    Unraid Jellyfin Docker (with Built-in tailscale) <->
    CGNAT <->
    VPS (tailscale) <->
    Caddy (reverse proxy from jf.mydomain to JellyFin's TS_IP:port) <->
    jf.mydomain (pointed to VPS IP)

    I have strengthened the VPS somehow with different ufw rules, ssh cfg/port changes, fail2ban, etc.

But if someone randomly finds my jf.mydomain address, they get to the login page of Jellyfin. I don't show users' logins, but then theoretically they can try to find JF's vulnerabilities, if any, to get through. I am not that paranoid and I don't think I want to limit the VPS to certain IPs, but is there anything else I can do to strengthen that connection from the outside? Since it's just a https://jf.mydomain that will give them a login/pass page.
    TheDreadPirate
    #6
    2025-01-20, 05:16 PM
If by "overhead" you mean extra bytes of overhead for the VPN protocol per packet, AFAIK Tailscale directly implements Wireguard as is with no extra overhead. It's the config management that Tailscale automates and simplifies.

    If you mean extra overhead in the sense of memory and CPU, I doubt it adds any meaningful overhead.

There are a few things you can do to strengthen security on the VPS.

- Set up PKI key logins
    - Disable password logins
    - Disable root login via SSH
    - Use a non-standard port (preferably an ephemeral port 49152–65535)

That last one reduces the likelihood of a script kiddie even getting a chance to scan anything.

If you do set up PKI logins and disable password logins, just make sure you put your private key on every device you would ssh to your VPS from. Or put it in an encrypted file in your cloud storage or something.

    Using PKI for SSH makes life a lot easier. If you have friends that run servers and you need access to it for whatever reason, you can simply give them your public key. No need for them to set a password.
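A small audit script for the four SSH hardening items in the post above, added here as an example and not part of the thread. It parses a plain sshd_config (the two configs it checks are constructed samples; the path, the `audit_sshd`/`sshd_value`/`expect` names and the sample port 51234 are this example's own assumptions).

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config against the four
# hardening items listed above. Both configs below are constructed samples; on a
# real VPS point audit_sshd at /etc/ssh/sshd_config or, better, at the output of
# `sshd -T`, which resolves the Include/Match directives this parser ignores.

# Effective value of a keyword, lower-cased: in sshd_config the first occurrence
# wins and comment lines are skipped; $3 is OpenSSH's default if it is absent.
sshd_value() {  # $1 = config file, $2 = keyword, $3 = default
    v=$(grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print tolower($2)}')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# Records a finding unless the observed value matches the expected one.
expect() {  # $1 = observed, $2 = expected, $3 = keyword
    [ "$1" = "$2" ] || { echo "FAIL: $3 is '$1', want '$2'"; fails=$((fails + 1)); }
}

# Prints one FAIL line per weak setting and returns the number of findings.
audit_sshd() {  # $1 = config file
    fails=0
    expect "$(sshd_value "$1" PubkeyAuthentication yes)" yes PubkeyAuthentication
    expect "$(sshd_value "$1" PasswordAuthentication yes)" no PasswordAuthentication
    expect "$(sshd_value "$1" PermitRootLogin prohibit-password)" no PermitRootLogin
    port=$(sshd_value "$1" Port 22)
    if ! { [ "$port" -ge 49152 ] && [ "$port" -le 65535 ]; } 2>/dev/null; then
        echo "FAIL: Port is $port, want one in the ephemeral range 49152-65535"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed samples: a stock-looking config and a hardened one.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# PubkeyAuthentication left at its default (yes)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$HARD_CFG" <<'EOF'
Port 51234
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
EOF
audit_sshd "$WEAK_CFG" || echo "weak config: $? finding(s)"   # 3 findings
audit_sshd "$HARD_CFG" && echo "hardened config: no findings"
```

The stock-looking sample trips three of the four checks (password logins, root login, port 22); the hardened sample passes all of them.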
    houmi
    #7
    2025-01-20, 09:28 PM (This post was last modified: 2025-01-20, 09:28 PM by houmi.)
    Thank you! I had done most of those except the non-standard port between that range.

    You were correct about the Wireguard speeds, I did some iperf3 tests and tailscale actually fared better. I usually get better speeds in the evenings, but this was during peak hours.

    Wireguard Download 150Mbps / Upload 10Mbps
    Tailscale Download 157Mbps / Upload 15Mbps