this post was submitted on 02 May 2025
40 points (91.7% liked)

Selfhosted

46537 readers
1600 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
40
Jellyfin / Remote Access Help (windows) (lemmy.world)
submitted 14 hours ago by Sighpolice@lemmy.world to c/selfhosted@lemmy.world
15 comments fedilink hide all child comments
 

Hi all,

We've all seen Plex's announcement about remote access now being behind a subscription. I've decided to give Jellyfin a go, and not afraid to admit I'm a bit of noob at this.

For context I've got an old PC running windows 10 which hosted Plex just fine and suited my needs. I had port forwarding on for it but outside of that there really wasn't much setup required. I do want to start heading down self hosting route and am exploring swapping to bazzite for my main PC, so this is me dipping my toes so to speak (despite not being Linux).

Jellyfin was also just as easy to install I'm happy to say, works really well within my home (using the Chromecast app for my TV downstairs) and have no issues with the player or how easy it was to setup. Just set it up via windows .exe installer and away we go.

I started to follow a guide (& doing a bunch of googling + chatGPT) for setting Jellyfin remote access for my parents. And this is where I'm a bit out of my depth.

I have a dynamic IP, so first thing to setup was something that would be easy for my family to setup and setup once. This lead me to the duckDNS path, which after some back and forth I did get working over http.

Another option could be something like NordVPN Meshnet, where we appear to be on the same network and therefore not expose my old PC to the world. That's not really an option for my family, as they find it hard enough to connect up Plex let alone have to have two apps (Jellyfin & NordVPN) to watch stuff.

I do have concerns about leaving it setup with just DuckDNS & http, so I tried a few things but I'm not sure what to even Google as it's a minefield of people just saying"use x/y/z" but not really an explanation of what exactly they are achieving or how. Thought I could get a https connection at least, which was looking at Certbot or Certify Web Manager but I couldn't get either to work. I later found out that's because my ISP blocks port 443.

So this is as far as I have currently got. I think the next best thing is Cloudflared, but I signed up to that and put in my duckDNS and Cloudflare was showing me the 3 DNS names but also 3 IP addresses, which are dynamic IPs, would that mean I have to keep re-registering Cloudflare each time my ISP updates the IP? I clicked next anyway as I was just testing, but then I have to change my setup some "Cnames" on the DNS host to the cloud flare names, which I couldn't get working with DuckDNS, not sure it has that option unfortunately.

Also as a side note: I see people talk about Caddy as a reverse proxy for extra security, but what does it do? It looks to just be re-routing to the same thing? I put in something regarding TLS and my duckDNS token in the config file as well, but that didn't create a certificate (which again might come back to the ISP blocking 443)

So, in short - what are best practices for setting up remote Jellyfin access? Where am I going wrong and what's the best way forward?? I think I have a lot of the pieces but none of the know-how! I did read about buying a domain outright instead of using a free method but I want to make sure I have things working smoothly before committing to a paid service. Also bonus points for my curiosity, why didn't we have to jump through these hoops with Plex? Do they take care of some of the hosting aspect or something?

Thanks for any help you can provide πŸ™‚

top 15 comments
sorted by: hot top controversial new old
[–] Flatfire@lemmy.ca 12 points 13 hours ago (2 children)

This is probably not what you're looking for, but I found registering a cheap domain name and using a dynamic DNS script that checks every hour or so against your public IP to be a good way to mitigate issues. It also depends on your ISP. Mine typically only renews upon a reboot of the modem or a new PPPoE authentication.

Others have also suggested Tailscale, and I think that's also a worthwhile option. It's a pretty easy thing to set and forget, working like any oher VPN client. This is the least complex option to navigate, and if Plex was the only service you were forwarding then it's likely the best option.

[–] brickfrog@lemmy.dbzer0.com 7 points 13 hours ago

Agreed - I'll also add that a lot of internet gateways/routers/firewalls also have a built-in feature to update a domain with your current public IP address. It definitely makes it easy, I haven't thought about needing to update my dynamic IP in years since it just happens on the router.

Not everyone can do it but it's definitely worth a look especially for those planning to do any real self hosting.

[–] SnotFlickerman@lemmy.blahaj.zone 1 points 12 hours ago

I haven't messed with it yet, but ddclient works with a lot of domain registrars.

https://github.com/ddclient/ddclient

ddclient even suggest these as alternatives:

https://github.com/troglobit/inadyn

https://github.com/lopsided98/dnsupdate

[–] sirico@feddit.uk 9 points 13 hours ago (1 children)

Tailscale is the simplest way I've found, this does become a bit finicky when it comes to friends and family but you can share a single device aka your Jellyfin server with them. This saves exposing ports etc.

[–] niemcycle@lemmy.world 1 points 11 hours ago

Something I do is use a Tailscale Funnel to share a regular link with friends and family and it works well, without them needing an account.

[–] webghost0101@sopuli.xyz 3 points 12 hours ago

One option that i am not sering here that is also very safe is install wireguard and allow them to use it via vpn.

[–] nutbutter@discuss.tchncs.de 2 points 8 hours ago

If your ISP blocks port forwarding, this guide can help.

[–] Underwire@lemmy.world 2 points 13 hours ago

If you have direct access to your server from the outside, then you are concerned about these changes. Am I mistaken?

[–] bigb@lemmy.world 2 points 11 hours ago* (last edited 11 hours ago)

Not sure if my setup is unique or wrong but here's what I use:

  1. I registered a domain with Name cheap and created subdomains for the tools I wanted to access (i.e. jellyfin.domain.tld, sonarr.domain.tld)
  2. A DDNS client on my OpenWRT router updates the IP address for those subdomains. Traffic for each subdomain is pointed at my server.
  3. Nginx Reverse Proxy runs on my server. This provides HTTPS certificates and is pretty straightforward.

I also use Tailscale for remote access and I'm not sure that my friends and family are ready for that. (Admittedly, I'm still on Plex.) Registering your own domain and using a DDNS service and reverse proxy will give your users an easier experience than Tailscale. I can give an easy-to-remember URL to folks rather than a new VPN platform to learn.

If security is more important, Tailscale is the best option for remote connections.

Why don't we need this for Plex? Because Plex has all of the above steps baked into its service.

[–] Xanza@lemm.ee 2 points 11 hours ago* (last edited 11 hours ago)

I started to follow a guide (& doing a bunch of googling + chatGPT) for setting Jellyfin remote access for my parents. And this is where I’m a bit out of my depth [...] I have a dynamic IP [...] duckDNS path

Stay away from DuckDNS. Used to be fabulous but now it's incredibly overused and very unstable. Works, then just stops for a period of time. Check out HurricaneElectric. Any A record can be enabled as DDNS that you can update with just curl. It's great. I've been using them for about 10 years now without issues. They were down one time like... 5 years ago for several hours, and that was it.

Also as a side note: I see people talk about Caddy as a reverse proxy for extra security, but what does it do?

This option is nice if you self-host a web server with no bandwidth restriction. You setup caddy, update your DNS to register your home IP on X domain. Point jelly.x.domain to whatever your public IP is, with the port as a reverse proxy, then your IP is reachable via jelly.x.domain but it's not a great setup for you because of the dynamic IP unless you do a bunch of setup to ensure it routes.

IMO the best option would be;

  1. Install jellyfin server
  2. Open port 8096 on your router for your jellyfin server IP
  3. Create a jellyfin user for your parents, and enable remote connection
  4. Setup DDNS (I highly suggest he.net) and point your domain to your IP
  5. Setup cron job to update your DDNS record with he.net every hour or so using curl
  6. Setup jellyfin for your parents TV or whatever device they'll use to watch it
  7. Login and enjoy
[–] PixelatedSaturn@lemmy.world 2 points 4 hours ago

Great thread, thanks everyone

[–] ZeroGravitas@lemm.ee 1 points 12 hours ago

Lots of dynamic DNS providers allow you to register a aubdomain and update the IP it points to with an API call. You can use something like this tool for it: https://github.com/lopsided98/dnsupdate - just run it on a schedule on the same machine and you're golden.

There are also Docker container based solutions if you'd rather go that route. Once you have a stable entry point, you can decide what to do with it.

I would personally get a Raspberry Pi and run Wireguard and Dnsupdater on it, use port forwarding in the router for Wireguard and close down everything else. Then share the Wireguard connection details with your friends and family. You can even set it up so that Wireguard connections are only granted access to your Jellyfin server, plenty of tutorials out there on how to configure firewall rules on the Wireguard machine.

[–] CompactFlax@discuss.tchncs.de -1 points 13 hours ago (2 children)

Jellyfin has a pile of security issues regarding unauthenticated enumeration of the media that’s shared. That’s probably not awesome on the public internet. οΏΌ

I’d suggest setting up Tailscale. https://github.com/jellyfin/jellyfin/issues/5415

[–] sneezycat@sopuli.xyz 8 points 12 hours ago

From the issue you shared:

Thank you b4too - unless something new has been uncovered - which if so should be reported to us via our responsible disclosure policy - it is NOT possible to arbitrarily enumerate all media on a server without authentication, and saying as much is massive fear-mongering

[–] ryan_harg@discuss.tchncs.de 5 points 12 hours ago* (last edited 12 hours ago)

unauthenticated playback: yes. enumeration: no

https://github.com/jellyfin/jellyfin/issues/5415#issuecomment-2825240290