I have docker installed, but only have a vague idea of how it works.

Back in the day, I would just port forward, but even then, I would need a static IP somehow.

I have heard a reverse proxy is an option, but that is an entirely new topic to me.

Surely there is an easy way to access Jellyfin outside of my home network that I’m just missing.

*Edit: I am blown away by all the help and support! I currently have tailscale running, and I’m in the process of purchasing a domain.

Thanks everyone!

  • 棉蘭阿偉@lemmy.1095.me
    link
    fedilink
    English
    arrow-up
    1
    ·
    11 minutes ago

    @Vegan_Joe — if you’re still stuck, try this: install Tailscale → join your tailnet → expose Jellyfin container port 8096 as 443. That’s it. No nginx, no static IP hunting. I wrote a 3-command cheatsheet here https://cxgo.ai/l/5bwrT9m that I wish existed when I started fumbling with docker-compose overrides. Works on a $20 raspberry pi and a 2014 Mac mini, so your hardware shouldn’t matter.

  • Wilmo@programming.dev
    link
    fedilink
    English
    arrow-up
    78
    arrow-down
    2
    ·
    18 hours ago

    Tailscale. It’s free. Insanely easy to set up.

    Just install on your devices and connect via the given tailscale ip for the jellyfin server.

    • ragebutt@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      9
      ·
      11 hours ago

      Or head scale if you don’t want something you don’t control that requires an account with google/apple/microsoft

      • pineapple@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        4 hours ago

        Headscale is great but requires port forwarding which, aside from having its own iasues, is something op wants to avoid.

    • sakphul@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      24
      ·
      18 hours ago

      I would also propose going with Tailscale instead If a VPN + DynDNS solution. Imho it is a lot easier to Setup compared to VPN + DynDNS If you are a beginner and just starting out.

      If at some point you need more and then is available in the free Tier of Tailscale and you do not want to pay for it (and you have built up some knowledge!) you can switch to something like Headscale or Netbird.

      • hoshikarakitaridia@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        15 hours ago

        I forgot to mention that one because I kinda thought it belongs with radmin and hamachi, but it’s my choice as well currently.

        I am using it with my own Headscale though, so add a domain to that as well.

        And I finally need to switch my vaultwarden to work over tailscale & LAN finally, it’s a huge security risk to expose that one.

  • KairuByte@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    17
    ·
    15 hours ago

    Personally I didn’t want to have to hand out VPN credentials to everyone, so I went with a cloudflare tunnel with Authelia as the method of authentication.

  • hoshikarakitaridia@lemmy.world
    link
    fedilink
    English
    arrow-up
    35
    ·
    edit-2
    15 hours ago

    That’s the whole point of a domain. Your IP changes every now and again you need people to know where to reach you. You give them a domain, and you configure the name records so that the domain always points to the right IP address.

    Your options:

    • dynamic IP - you keep your setup as is and just periodically tell them the new IP you’re on. Annoying and exposed
    • static IP - you buy a static IP (from your ISP) and share it with your friends once. A little bit less annoying and still exposed
    • you use a VPN like hamachi or radmin - your friends install the software, they look for you IP in there, you’re done - very secure but also very annoying
    • you buy a domain - you have to configure an IP updater like ddclient or similar, then you jellyfin should be reachable - least annoying for your friends but also slightly less secure

    Domain is the cleanest option.

    I am telling you how annoying it is because that’s how likely your friends are to adopt it and how secure it is because depending on your country you are doing something illegal and you really don’t want anyone to find out and you gotta keep it updated more often if you don’t want people to exploit it. There’s an endless supply of very smart people out there who use known bugs to target public services.

    Edit: I forgot DDNS, see below comments.

    • Vegan_Joe@anarchist.nexusOP
      link
      fedilink
      English
      arrow-up
      3
      ·
      18 hours ago

      I appreciate your response!

      It looks like a VPN is the option I’m leaning towards, but I’ll definitely put the idea of buying a domain in my back pocket for a while.

              • Saapas@piefed.zip
                link
                fedilink
                English
                arrow-up
                5
                ·
                16 hours ago

                You get to pick your numbers

                On June 1, 2017, .XYZ launched the 1.111B class .xyz domains, cheap domains priced at US$0.99 per year and renewed at the same price. The class of domains consists of six-, seven-, eight-, and nine-digit numeric combinations between 000000.xyz and 999999999.xyz. Daniel Negari, CEO of .XYZ, stated that it was meant to bring competition, choice, and innovation to the market

  • alexquiniou@lemmy.zip
    link
    fedilink
    English
    arrow-up
    6
    ·
    14 hours ago

    I’m using wireguard with wg-easy. It’s a gui that let you easely setup wireguard. My isp is giving a fixed ipv4. So i don’t have to think about dns or other complicated things. I have Jellyfin and wg-easy installed on truenas as docker apps.

    There are official app for any os you want.

    https://www.wireguard.com/install/

  • chellomere@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    ·
    14 hours ago

    I use pangolin and subdomains on my domain. It works really well, and enables SSO login to all services on the network.

      • chellomere@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        5 hours ago

        Yeah, for certain apps you may need to do that. I’ve had to do that with Nextcloud and Linkwarden. But Immich will happily work with a shareable link.

  • ohshit604@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    1
    ·
    12 hours ago

    Device -> VPN Tunnel (ideally WireGuard) -> Home Router / Server.

    The only port that needs to be opened is your WireGuard server which typically is :51820.

    The issue with this is you have explain VPN’s and WireGuard to people which, in my experience turns people away as they see it as a hassle.

    Alternatively buy a domain, setup DDNS so that your home IP is associated with your domain, setup a reverse proxy and open port :443 on your router however, I would suggest a blacklist-first approach and only whitelist the few known IP’s you can trust.

    • ridethisbike@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      2
      ·
      8 hours ago

      I did the last one. Bought a domain for $5 per year from cloudflare and used a cloudflared tunnel to direct traffic to Caddy (reverse proxy). Set up everything as deny-by-default, requiring log in to access things like sonarr, and let things like Jellyfin and Immich bypass the login requirement. Took a bit to get it all figured out, but it worked.

      There is also a way to use the cloudflared tunnel for free that gives you a domain as well (sort of anyways).

      All of that is run via docker containers, minus the

      Documentation on all of this is fragmented and a challenge to figure out. Happy to help anyone who wants to message me about it.

      I took this a step further as I use a wireguard tunnel to make use of my router level ad blocking. So I added an entry for my domain to route back to caddy and serve it all locally. This is proving to be a challenge due to the way some browsers handle forced https, but I’m making due.

      • ohshit604@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        2
        ·
        8 hours ago

        and used a cloudflared tunnel to direct traffic to Caddy

        There is also a way to use the cloudflared tunnel for free that gives you a domain as well (sort of anyways).

        This is DDNS, a popular, free alternative would be ddclient. Essentially updating an A Record so that your dynamic IP is remains associated with your domain.

        While cloudflare is also my registrar as well, I don’t use any of the “features” they offer, and opted to use Keycloak for my authentication needs.

        • ridethisbike@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          1
          ·
          7 hours ago

          I’ve debated setting up Authelia or something similar because cloudflare is sooo slow to load their login page, but haven’t landed on anything yet… Plus I worry I set something up wrong and expose my network

          • ohshit604@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            1
            ·
            edit-2
            7 hours ago

            I can’t be much of a help with Caddy however, for Traefik you can use the OIDC Middleware to forward requests to your authentication service.

            Plus I worry I set something up wrong and expose my network

            The only port that would need opening is :443, leave port :80 closed so that people cannot connect to your services insecurely. Slap fail2ban or geoblock on it and call it a day. Also, DDNS allowlist for that deny-first approach.

            • ridethisbike@lemmy.dbzer0.com
              link
              fedilink
              English
              arrow-up
              1
              ·
              6 hours ago

              The current config routes through the cloudflared tunnel so no ports are open externally at the moment, so that’s nice, but yea, I’d have to imagine there’s some documentation out there for caddy.

              Caddy has been a pain, though, so I might give one of the others a try. Thanks for the tips!

    • dogs0n@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      2
      ·
      9 hours ago

      People’s IP addresses usually change so that might be annoying keeping a whitelist up to date.

      A good alternative is something like fail2ban to ban ip addresses that spam your server looking for a way in and potentially geo-restricting access to your country.

      • ohshit604@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        1
        ·
        10 hours ago

        Free vps in oracle cloud with Pangolin

        If I’m not mistaken I tried setting up pangolin to work along side my already running Traefik setup and it was just an absolute nightmare.

        I just don’t have the time nor energy to reinvent my already running configuration.

        • FlexibleToast@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          9 hours ago

          I’ve set it up next to my NPM and it’s more complicated, but so much more capable. Traefik is what it uses to proxy things. You’re comparing a full suite of tools with just one piece.

          • ohshit604@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            1
            ·
            edit-2
            7 hours ago

            Traefik is what it uses to proxy things. You’re comparing a full suite of tools with just one piece.

            I mean, that’s debatable. Taking a look at their docker-compose.yml there are 3 containers they recommend running, with a 4 optional container.

            To say this is a “full-suite” is a bit much when majority of the heavy lifting is done by Traefik, the middleware’s you assign to Traefik and WireGuard. Pangolin if I’m reading this correctly;

            “Pangolin combines reverse proxy and VPN capabilities into one platform.”

            Which is great! However as I mentioned previously, does not integrate well when these services are already setup to work standalone.

            I suspect the same reaction from folks when they hear “download pangolin from the App Store, and use xyz credentials to connect.” And “download WireGuard from the App Store, and use xyz file to connect.”

    • Pacrat173@lemmy.ml
      link
      fedilink
      English
      arrow-up
      3
      ·
      17 hours ago

      It’s my go to method super easy to set up and use on both the device hosting your JellyFinn server and whatever your steaming on

      • djdarren@piefed.social
        link
        fedilink
        English
        arrow-up
        4
        ·
        15 hours ago

        Just be aware that if you want anyone else to connect to your Jellyfin, you’ll still have to route it through a domain and reverse proxy, unless you’re comfortable letting them log in to your tailnet.

        It’s a bit of a fiddle to set up, but once it’s done it’s quite satisfying.

      • Pika@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        6
        ·
        18 hours ago

        it’s actually the recommended way if you use jellyfin, theres a few security/privacy vulnerabilities with publicly exposing the jellyfin server anyway, they are being worked on but, the safest way to do it is just use a vpn regardless.

        • frongt@lemmy.zip
          link
          fedilink
          English
          arrow-up
          3
          ·
          12 hours ago

          Plus it enables you to access everything. If you have radarr or sonarr or whatever, you can get to those and add media while out and about.

          Personally I use Mealie and pull up ingredient lists while I’m im at the grocery store.

  • pHr34kY@lemmy.world
    link
    fedilink
    English
    arrow-up
    7
    arrow-down
    3
    ·
    edit-2
    14 hours ago

    You can still just open it to the internet. Just do it on IPv6 instead. You won’t find it by scanning IP ranges like they do on IPv4. You’ll want to set up DNS for it though. Also get a free TLS cert from LetsEncrypt. It’s a bit of work initially.

    • mic_check_one_two@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      1
      ·
      11 hours ago

      Was going to comment something along the lines of “Inb4 someone posts that obscurity will keep you secure” but here you are. No, you won’t be secure just because it’s on IPv6. And TLS certs are open to the public, (they literally have to be, since any device attempting to access your server needs to be able to validate the cert) so bots will scrape them and instantly have whatever you made it for. So it wouldn’t even keep you obscure.

    • frongt@lemmy.zip
      link
      fedilink
      English
      arrow-up
      8
      ·
      13 hours ago

      Assuming their ISP and everything else supports ipv6. An even so it’ll still be visible through scanning, through brute force, or if anyone is reading cert transparency reports anf scanning the domains that show up.

  • frongt@lemmy.zip
    link
    fedilink
    English
    arrow-up
    11
    ·
    18 hours ago

    Yes, a VPN. And dynamic DNS if you don’t have a static IP address.

    • Vegan_Joe@anarchist.nexusOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      18 hours ago

      To be clear, your suggesting I set up my home computer as a virtual private Network server that I would connect to from the TV or device outside of my home network?

      • frongt@lemmy.zip
        link
        fedilink
        English
        arrow-up
        10
        ·
        18 hours ago

        Yes, it works great for me. Probably not for a TV though, for that you’d probably need some travel router VPN client. But I don’t know how often you’d be at a random TV and need to get to jellyfin.

      • towerful@programming.dev
        link
        fedilink
        English
        arrow-up
        4
        ·
        17 hours ago

        Yeh, exactly.
        And the “dynamic DNS” part handles your public IP address changing with 0 pain.
        You either buy a domain (like example.com), or there are free domain name providers that give you a subdomain (like mycooldomain.example.com) of one of their domains.
        You then run an additional service on your home server that checks what the current public IP address is. If it changes, it notifies the DNS responsible for your domain/subdomain, which then points to your new public IP.
        To connect to your VPN, you only ever care about “mycooldomain.example.com” and never the underlying IP address.


        As long as your ISP isn’t running CG-NAT of course 😵‍💫

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    9
    ·
    edit-2
    3 minutes ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    CGNAT Carrier-Grade NAT
    DHCP Dynamic Host Configuration Protocol, automates assignment of IPs when connecting to a network
    DNS Domain Name Service/System
    ISP Internet Service Provider
    NAT Network Address Translation
    Plex Brand of media server package
    SSO Single Sign-On
    TLS Transport Layer Security, supersedes SSL
    VPN Virtual Private Network
    VPS Virtual Private Server (opposed to shared hosting)
    nginx Popular HTTP server

    [Thread #41 for this comm, first seen 5th Jul 2026, 18:30] [FAQ] [Full list] [Contact] [Source code]

  • Croquette@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    2
    ·
    13 hours ago

    I have setup NetBird with Authentik. Netbird is on a VPS and authentik on my home server.

    NetBird allows to expose a service through a subdomain. Or you can use the netbird client as a VPN and allow peer to peer connection.