Hello!
I have Jellyfin running locally on my Linux PC in a Docker container, but I also use Mullvad VPN. I’m still newish to Linux, but I can access Jellyfin through my LAN. I am at a total loss with how to access it remotely and securely. I think I need to split tunnel Jellyfin, but I also run arr apps in other containers. Maybe gluetun? I can’t find a guide that tells me for sure, but it sounds like what I may need.
I have been through several guides for different methods but I’m at a loss on what to do.
Can anyone point me in the right direction?
Probably what you’re looking for is the following setup:
docker <-> services <-> reverse proxy <-> VPN <-> Internet
- Your next step is to choose a reverse proxy to handle your requests and serve your services on port 80 and port 443. There are several choices and you have to somehow stick with it, because each reverse proxy has its upsides and downsides and learning curve:
- Traefik (that’s the one I use and is specifically made for containers)
- Caddy (Never used it but heard only good things about it)
- Nginx (this one is a beast to tame, however I heard it’s easier to set up with nginx proxy manager)
Those are the 3 big players I’m aware of.
- With your reverse proxy ready and functional, you need something to access them outside your LAN. There are also several ways to achieve the same goal. The one I use and am happy with is to configure WireGuard on your server and only open the port needed to connect to it.
This is also a big part, and this is probably the route of a tinkerer who has a lot of personal time to spare… There are easier AIO routes that will probably save you time and energy. (Others will point you in the right direction.)
- Bonus tip
You will rapidly understand the necessity of DNS. Reaching out to your services by IP:PORT will annoy you over time, even if you save them as bookmarks. Also, if you don’t assign a static IP to your containers, they will change every time you restart them or reboot your server. Not very practical!!
Here you have 2 choices:
- personal mini certificate authority (totally free and personal local domains but harder to setup)
- cheap domain name with automatic certificate generation.
I personally chose the tinkerer route and learning process. But I have time to spare and while I prefer this route… It’s very time consuming and involves a lot of web crawling and book reading.
If you are interested I can recommend you a good ebook on how to set up your own mini-CA :).
Hope it helps, you are halfway through!
Nice explanation =). I am not OP but I am curious about one point: you seem to have the reverse proxy on your homeserver, not on the VPS.
Is WireGuard enough then to tunnel HTTPS traffic to your reverse proxy? Or do you need a more sophisticated tunnel (e.g. ngrok, boringproxy)?
P.S. I actually assumed that your VPN entry point is a VPS with a public, static IP. Therefore I understood that you were talking about two servers: the home server with the reverse proxy and a VPS as WireGuard entry point. Please correct if this is wrong.
Reverse proxy that handles TLS/HTTPS. Caddy is pretty easy to set up, or you could use a Cloudflare tunnel (or other tunnel) to expose the services across a different IP, in case you’re worried about DDoS or revealing your IP address.
You’ll want a domain for the reverse proxy; I assume you already have one.
https://jellyfin.org/docs/general/networking/caddy/
These are instructions for domain.tld/jellyfin, but I use a subdomain, jellyfin.domain.tld.
I use my domain name provider’s own services for updating my semi-dynamic IP address (it basically never changes unless I have a multi-day power outage).
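An added example, not part of the reply above or of the Jellyfin docs: a Docker Compose sketch of the Caddy-on-a-subdomain layout, where only Caddy publishes ports and Jellyfin stays on an internal network. It assumes the placeholder name jellyfin.domain.tld resolves to your public IP and that ports 80 and 443 are forwarded to this host; the host paths, network name and volume name are made up for illustration.

```yaml
# Constructed example: Caddy terminates TLS, Jellyfin is never published directly.
services:
  jellyfin:
    image: jellyfin/jellyfin
    restart: unless-stopped
    volumes:
      - ./jellyfin/config:/config      # assumed host path
      - ./jellyfin/cache:/cache        # assumed host path
      - /path/to/media:/media:ro       # placeholder; read-only so a Jellyfin
                                       # compromise cannot alter the library
    # Deliberately no "ports:" section. Jellyfin's default HTTP port 8096 is
    # reachable only from containers on the "proxy" network, so every request
    # from outside has to pass through Caddy and HTTPS.
    networks:
      - proxy

  caddy:
    image: caddy:2
    restart: unless-stopped
    # Single-command reverse proxy. Because --from is a hostname, Caddy
    # obtains and renews the certificate for it automatically.
    command: caddy reverse-proxy --from jellyfin.domain.tld --to jellyfin:8096
    ports:
      - "80:80"      # certificate challenge and HTTP-to-HTTPS redirect
      - "443:443"    # the only port that serves Jellyfin
    volumes:
      - caddy_data:/data   # keeps certificates and keys across restarts
    networks:
      - proxy

networks:
  proxy:

volumes:
  caddy_data:
```

With this layout LAN clients also reach Jellyfin through the HTTPS name rather than IP:8096.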
Easiest? Tailscale. Set it up on the server and each client you want to access it and it creates auto-resolving P2P VPN tunnels between them all.
Wholeheartedly support Tailscale or similar solutions. Reverse-proxy or VPN are just too complicated (for me, at least).