I have docker installed, but only have a vague idea of how it works.
Back in the day, I would just port forward, but even then, I would need a static IP somehow.
I have heard a reverse proxy is an option, but that is an entirely new topic to me.
Surely there is an easy way to access Jellyfin outside of my home network that I’m just missing.
*Edit: I am blown away by all the help and support! I currently have tailscale running, and I’m in the process of purchasing a domain.
Thanks everyone!
for a beginner with just a few remote clients, tailscale all the way.
though I still like doing it the old way with a custom nginx setup, fail2ban and a domain name, but its more work to make it secure and even then it’s still somewhat of a liability.
How stable is tail scale in teal life? I constantly have issues with relay servers not being available, spontaneous logouts, etc…
I want to use it, but I also want my wife to use it and she will need a “no matter what, it must work” solution or she won’t use it
wanted a free solution
ends up buying a domain
Welcome to the club, buddy!
Cheap domains are basically free though so it doesn’t count!
Until you have dozens of them… Lol.
And they keep rising in price or you didn’t notice the dark pattern where it was actually the price for the first year.
Which is why you migrate to cloudflare for at cost.
@Vegan_Joe — if you’re still stuck, try this: install Tailscale → join your tailnet → expose Jellyfin container port 8096 as 443. That’s it. No nginx, no static IP hunting. I wrote a 3-command cheatsheet here https://cxgo.ai/l/5bwrT9m that I wish existed when I started fumbling with docker-compose overrides. Works on a $20 raspberry pi and a 2014 Mac mini, so your hardware shouldn’t matter.
I ended up using duckdns for a free domain. It sucks that I had to tie it to a google account, and maybe one day this might be an area where I buy a proper domain instead.
I have a glinet Flint3 router that makes it easy to spin up Wireguard servers on it. It was a bit more finnicky, but eventually I was able to get into the advanced settings and configure the router to sync the dynamic IP with DuckDNS too.
So I have Wireguard on my phone and my wife’s phone. We have one pair of close friends who have a connection on their router too (and vice-versa) and their own Jellyfin server.
Tailscale. It’s free. Insanely easy to set up.
Just install on your devices and connect via the given tailscale ip for the jellyfin server.
Or head scale if you don’t want something you don’t control that requires an account with google/apple/microsoft
Headscale is great but requires port forwarding which, aside from having its own iasues, is something op wants to avoid.
I would also propose going with Tailscale instead If a VPN + DynDNS solution. Imho it is a lot easier to Setup compared to VPN + DynDNS If you are a beginner and just starting out.
If at some point you need more and then is available in the free Tier of Tailscale and you do not want to pay for it (and you have built up some knowledge!) you can switch to something like Headscale or Netbird.
Currently I’m using tailscale. I like it but often switching IP address if I’m at home and I can’t use my normal vpn on it. Plus, I’m excited to learn about DNS and cloud flare. Its just very overwhelming haha
Switching ip addresses doesn’t matter for things on the tailnet using the magic dns https://tailscale.com/docs/features/magicdns
I forgot to mention that one because I kinda thought it belongs with radmin and hamachi, but it’s my choice as well currently.
I am using it with my own Headscale though, so add a domain to that as well.
And I finally need to switch my vaultwarden to work over tailscale & LAN finally, it’s a huge security risk to expose that one.
https://netbird.io/ for your own private network of trusted devices, it’s free and doesn’t require a separate Big Tech account to use (unlike Tailscale)
And then if you want to share Jellyfin with someone who isn’t in your Netbird network… believe it or not, also Netbird
This
Does it work with a reverse proxy?
It has functionality to let you set up a reverse proxy (in beta). But you can access all your services by using the zero trust vpn
Nice! Maybe I’ll try the beta. Been wanting to tinker around with my set up recently
Tailscale has an option for OIDC. That should be avoiding the tech mafia enough no?
is this much different than nginx?
Yes, it is easier and safer for someone who doesn’t know what they are doing to set up.
That’s the whole point of a domain. Your IP changes every now and again you need people to know where to reach you. You give them a domain, and you configure the name records so that the domain always points to the right IP address.
Your options:
- dynamic IP - you keep your setup as is and just periodically tell them the new IP you’re on. Annoying and exposed
- static IP - you buy a static IP (from your ISP) and share it with your friends once. A little bit less annoying and still exposed
- you use a VPN like hamachi or radmin - your friends install the software, they look for you IP in there, you’re done - very secure but also very annoying
- you buy a domain - you have to configure an IP updater like ddclient or similar, then you jellyfin should be reachable - least annoying for your friends but also slightly less secure
Domain is the cleanest option.
I am telling you how annoying it is because that’s how likely your friends are to adopt it and how secure it is because depending on your country you are doing something illegal and you really don’t want anyone to find out and you gotta keep it updated more often if you don’t want people to exploit it. There’s an endless supply of very smart people out there who use known bugs to target public services.
Edit: I forgot DDNS, see below comments.
Thank you. I’ve bought a domain. I’d like to go with this option. Just researching how to do it on cloud flare
On Cloudflare, you’ll want to set a DNS record to point any relevant subdomains to your current WAN IP address. IPv4 will be an A Name record. IPv6 would be an AAAA Name record, but I’m not going to deal with IPv6 for this… Here is an example of mine, with info blocked out:


So for instance, maybe you have a
peepee.example.comsubdomain, apoopoo.example.comsubdomain, etc which all point to your WAN IP address. That will basically tell Cloudflare’s DNS to forward any traffic for those subdomains to your WAN IP. Each subdomain can also choose whether or not to proxy the content, or just directly send it to your WAN with DNS. Basically, when Cloudflare propagates the DNS records to the various DNS servers, you can choose whether that record has your WAN IP (DNS Only) or one of Cloudflare’s (Proxied). Proxy support means you can take advantage of some additional CF protections, but it also means passing all of the data through CF’s server. In most cases, you’ll want DNS Only. Proxy support will depend on the individual service. Some will work fine with it, some won’t. And it’s also possible that you don’t want services proxied through CF for privacy reasons.Next, you’ll want to set up a reverse proxy service. This will be something like Nginx Proxy Manager, Caddy, etc that you run on a device on your LAN. It can even be on the same machine running your various services. The big reverse proxies all offer Docker images, so you can incorporate it directly into an existing Docker stack if you already have one. Personally I use NPM, but Caddy is also very popular.
You’ll tell this reverse proxy “when you receive valid traffic addressed to {subdomain}, forward it to {relevant service on your LAN}.” You can also set some additional options for each subdomain, like automatically upgrading to https. For instance, maybe
peepee.example.comforwards to192.168.1.100:42069on your LAN, and is configured to automatically upgrade any http traffic to https, and to require https.You can also set up automatic TLS certificate renewal, so https traffic can be properly encrypted. The reverse proxy will need an API key, and it will allow the service to automatically check expiration dates and pull a fresh TLS cert for your domain if the date is coming up soon.
You’ll probably want to use a wildcard certificate, (basically
*.example.com) because the TLS certificates are open to the public. So if you do individual certs for all of your various services, bots will scrape the public records and you’ll inevitably get a lot of bot traffic probing your various subdomains. A wildcard domain usually means the bots hit the standardexample.comandwww.example.comfirst, which makes them super easy to detect and block. I even have rules set up to automatically block anything that tries to access my www subdomain, because I specifically don’t host a landing page and don’t have anything available there. So I know that any traffic hitting that www subdomain is a bot trying to access common subdomains.Next, you’ll want to forward ports 80 and 443 to your reverse proxy. Port 80 is the standard port for http traffic, and 443 is the standard port for https traffic. These will be the ports that your reverse proxy actually receives the traffic on, before forwarding it to the various services. Note that lots of lazy devs default to using 80 and 443 for lots of things, so you may want to configure your router to use a different port (like 81 or 444) for its config page if you’re able. Otherwise, you may end up accidentally locking yourself out of your router’s config page, because it will attempt to use 80 to reach the page, then get automatically forwarded to the reverse proxy instead.
Finally, for some ease-of-maintenance, you may want to consider adding a DDNS service (like Cloudflare-DDNS) to your docker stack. This will occasionally check your current WAN IP, and update it with Cloudflare if necessary. For example, if you have an outage and your router gets a new WAN IP when it boots back up again. Normally you would need to manually go to Cloudflare and update the IP info to point at your new address. But DDNS does that automatically.
The way traffic flows when it is all set up is along these lines:
- A device wants to access your service at
peepee.example.com. It doesn’t know where to find that site, so it asks a DNS server. - Cloudflare has told all of the various DNS servers “hey,
peepee.example.comcan be found at {your IPv4 WAN address}”. - The device follows that DNS record, and attempts to connect to your IPv4 WAN address, on port 80 or 443. For this example, let’s say it tries to connect on port 80 for standard http traffic. The device knocks on port 80’s door and says “hey, I’m here to access
http://peepee.example.com/.” - Your reverse proxy checks the configured list, finds the valid
peepee.example.comsubdomain, finds it has a valid TLS cert, finds it is configured to automatically upgrade to https, and responds “Yes, please upgrade to https. Http traffic is not allowed.” - The external device knocks again, this time on port 443’s door. It goes “hey, I’m here to access
https://peepee.example.com/. Your reverse proxy goes “thank you, here is the TLS cert and my half of the TLS security handshake.” - Your external device uses the data in the TLS cert to validate and complete the TLS handshake with the reverse proxy, and the traffic between the reverse proxy and your external device is now encrypted with https. Your device gets the nice little “secured” padlock icon in your browser. Because the traffic is encrypted, a malicious actor may be able to tell what kind of info you are passing (for example, a video stream will likely have a pretty obvious pattern) but they won’t be able to see what specific data you are passing. They may be able to tell that you’re streaming a video, but they won’t know which video specifically.
- The reverse proxy forwards the traffic to the service, configured at
192.168.1.100:42069. - Your service does not ever know the device is being accessed via WAN, because (as far as the service can tell) the traffic is coming from your reverse proxy (also a LAN device). So any “pay to use WAN” services will continue to work for free.
- The external device never gets access to info like the specific LAN IP or port number, because it only has access to the reverse proxy. All of the traffic is passing back and forth between the reverse proxy.
But notably, keep in mind that the reverse proxy didn’t do any actual user authentication. If your service has a weak password, a reverse proxy will act as a gateway for any potential hackers to gain access to the service. The same way an open port is a gateway directly to the service, the reverse proxy is now a gateway that simply requires an attacker to use a subdomain instead of an IP and port number. And if you make your subdomain something like
jellyfin.example.comit will probably be dead simple for a bot to guess. And any vulnerabilities in the service will still be exploitable via the reverse proxy, because the reverse proxy is simply making sure the request is valid, and then passing the traffic back and forth. It isn’t actually inspecting the content of that traffic, so it’s not going to stop things like attackers. When you hear digital security folks talk about things like attack vectors, this is what they’re referring to. Your reverse proxy is a potential vector of attack for your configured services. Use strong passwords, keep your services updated, etc…You can technically add authentication to a reverse proxy. So for instance, maybe a service doesn’t have any built-in way to add a password. You can have the reverse proxy act as an authentication gate, so it will prompt the user for a username+password before they can even reach the service. This will make the services more secure (yes, even the ones that already have passwords, as long as you use a different password for your reverse proxy authentication) but it will break most apps that are designed to work with a service. For instance, Jellyfin has several apps that work, but those apps won’t have any way to get past the reverse proxy’s password gate. So those apps will simply break if you add a second layer of authentication with your reverse proxy.
There are also some security options you’ll likely want to enable on Cloudflare’s side, but this comment is already long enough.
Thank you so much for such a detailed reply. I’m going to print this off and go through it point by point.
I didn’t realize how overwhelming this would be, the amount of information is incredible.
I was trying to use the cloud flare ai assistant to set up WARP access to my phone but then I realized its basically another VPN which defeats the whole point on me using the domain because I wanted to be able to use my traditional VPN to stay protected.
I also wanted to be able to log into my server android apps like immich and Joplin but can’t do that with authentication as its not a webpage.
I’ll print this off and anything I don’t understand (most of it at this stage haha) I’ll spend some time studying it.
I got a good laugh at peepee poopoo
Thanks again
I actually just updated it slightly, and may continue to do so if I think of things. So you may simply want to check back here instead of printing it.
- A device wants to access your service at
You left out DDNS. It’s free, easy to set up with lots of detailed guides online, and works as well as a static IP.
I added a reference to your comment
yeah I forgot that one. I had to rush the comment a bit.
I appreciate your response!
It looks like a VPN is the option I’m leaning towards, but I’ll definitely put the idea of buying a domain in my back pocket for a while.
Some .xyz domains cost less than 1$. Mine is 0,85$/year
What do you do, randomise it every year?
Nah same domain, 0,85$/year. It’s 8 numbers + .xyz
Wow thanks!! Looks like it works with 6-9 numbers
You get to pick your numbers
On June 1, 2017, .XYZ launched the 1.111B class .xyz domains, cheap domains priced at US$0.99 per year and renewed at the same price. The class of domains consists of six-, seven-, eight-, and nine-digit numeric combinations between 000000.xyz and 999999999.xyz. Daniel Negari, CEO of .XYZ, stated that it was meant to bring competition, choice, and innovation to the market
Personally I didn’t want to have to hand out VPN credentials to everyone, so I went with a cloudflare tunnel with Authelia as the method of authentication.
+1 for Cloudflare Tunnels/Zero Trust. The free tier is more than generous for a homelab
While I have similar users here. I noticed that anything I watched on Jellyfin and was connected to cloudflare would give me recommended YouTube shorts on the movies/shows or similar ones I was watching. It is a great free service and I got my domain hooked up through them for $12/year but I feel like it is the leak for my data. I didn’t mind it for a long time because getting shorts served to me that were movie clips was fine with me.
Anyone notice similar behaviors? My paranoia has me wanting to go a different route or lock things down more.
Well, I don’t run the *arr stack or JF, so I cannot comment to your issue.
Notice custom ads based on the content you ARE piping through zero trust? Just curious. I realize many users here are probably very avoidant of ads or algorithmic shifts in the first place so it may be unnoticeable
I’ll have to say it has been decades since I’ve seen an ad show up on my screen. However, as I said, I do not run the *arr stack or JF, so my experience might not be applicable to everyone.
So, you stream a video using JF or other and you are getting ads show up? Like pre-roll ads, or other? That just sounds weird to me. Could you provide a screen capture of said intrusions?
Not to mention, the amount of data you can run through it is nuts. I’ve been running Stremio web through it for months without issue to watch content at work.
is that against ToS? i want to do it but dont want to get banned
What are your concerns about Cloudflare and getting ‘banned’? There used to be a clause in the TOS that prohibited streaming video. However, as one user here has pointed out, that has been since superseded. Now, I’m not going to tell you that you can share your JF with 20 other users and not raise an eyebrow with Cloudflare. I don’t have a clue what they would do in that case. As far as streaming, I run Navidrome around the house from the time I get up in the morning, until I go to bed at night, and have had no issues. There also isn’t a bandwidth cap that I can find anywhere in Cloudflare’s documentation.
if you use or are suspected of using the CDN without such Paid Services to serve video or a disproportionate percentage of pictures, audio files, or other large files.
Not permitted but tolerated (until it isnt)
Like I said, if you’ve hooked up 20 of your best buds to your JF, then yeah they’d probably have an issue with that. Personal use, I doubt they’d care really.
Still only tolerated.
Walking a fime lime on getting your account closed/domain bammed or at the very least receoving a warning.Wishing you best of luck not getting banned.
I haven’t had any issues with friends streaming 4k! I probably should add a data cap in the Jellyfin settings, though
Good to know. I wasn’t aware of this.
Just looked it up and your right, they changed their ToS in 2023
They have not: https://lemmy.dbzer0.com/comment/26944007
Yup. OP was asking about bandwidth caps, I haven’t experienced any, nor can I find any documentation to support bandwidth caps. I stream Navidrome around the house from the time I get up to the time I go to bed and it has worked flawlessly.
Can I ask, how much of a limit does the free tier have on bandwidth if you’re doing something like hosting Jellyfin?
My understanding is that there is no hard limit. At some point they will decide “this is business level traffic” at which point they will start harassing you to purchase a business plan.
That cutover point is unknown. I’ve never even seen an estimation of when it happens, so it could very well be the type of traffic instead of the amount.
They also only allow HTTP traffic for the free tier, which is another way they push you towards business tiers.
They also only allow HTTP traffic for the free tier, which is another way they push you towards business tiers.
I don’t think that’s true. I’m pretty certain all of my domains are HTTPS only, but maybe that’s because I own the domain? Does cloudflare offer free domain names for tunneled traffic?
HTTPS traffic is still HTTP traffic. There’s just an encryption layer in there.
And yes cloudflare absolutely supports https.
Okay. Carry on. I was thinking that you meant the free tier didn’t support HTTPS encrypted traffic. I didnt want someone to rule out that option based on a false assumption. Sorry for the confusion.
Can I ask, how much of a limit does the free tier have on bandwidth if you’re doing something like hosting Jellyfin?
I honestly cannot find a hard bandwidth cap. Now, that is not to say that if you are sharing your JF with 20 other users, that they would not frown on that. However, from what I can tell, there is no real bandwidth cap.
On my mobile, but to give you an idea, I stream Navidrome probably 12-15 hours a day. I really don’t think they have a bandwidth limit per se, but when I get back to my desktop where I can actually see, lol, I can do some digging for you.
A VPN such as Tailscale.
That is a new concept to me, but I’ll definitely look into it.
it’s actually the recommended way if you use jellyfin, theres a few security/privacy vulnerabilities with publicly exposing the jellyfin server anyway, they are being worked on but, the safest way to do it is just use a vpn regardless.
Plus it enables you to access everything. If you have radarr or sonarr or whatever, you can get to those and add media while out and about.
Personally I use Mealie and pull up ingredient lists while I’m im at the grocery store.
Just be aware that if you want anyone else to connect to your Jellyfin, you’ll still have to route it through a domain and reverse proxy, unless you’re comfortable letting them log in to your tailnet.
It’s a bit of a fiddle to set up, but once it’s done it’s quite satisfying.
It’s my go to method super easy to set up and use on both the device hosting your JellyFinn server and whatever your steaming on
I’m using wireguard with wg-easy. It’s a gui that let you easely setup wireguard. My isp is giving a fixed ipv4. So i don’t have to think about dns or other complicated things. I have Jellyfin and wg-easy installed on truenas as docker apps.
There are official app for any os you want.
Yes, a VPN. And dynamic DNS if you don’t have a static IP address.
To be clear, your suggesting I set up my home computer as a virtual private Network server that I would connect to from the TV or device outside of my home network?
Yes, it works great for me. Probably not for a TV though, for that you’d probably need some travel router VPN client. But I don’t know how often you’d be at a random TV and need to get to jellyfin.
Got it! I think this is the plan of attack I’m going with
Yeh, exactly.
And the “dynamic DNS” part handles your public IP address changing with 0 pain.
You either buy a domain (like example.com), or there are free domain name providers that give you a subdomain (like mycooldomain.example.com) of one of their domains.
You then run an additional service on your home server that checks what the current public IP address is. If it changes, it notifies the DNS responsible for your domain/subdomain, which then points to your new public IP.
To connect to your VPN, you only ever care about “mycooldomain.example.com” and never the underlying IP address.…
As long as your ISP isn’t running CG-NAT of course 😵💫
I use pangolin and subdomains on my domain. It works really well, and enables SSO login to all services on the network.
I can’t get it working with the app unless I disable auth in pangolin, but it works beautifully with web
Yeah, for certain apps you may need to do that. I’ve had to do that with Nextcloud and Linkwarden. But Immich will happily work with a shareable link.
I actually commented a solution on a pangolin ticket, and they were like “good idea!” And implemented it, but then made it an enterprise only feature 😭
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters CGNAT Carrier-Grade NAT DHCP Dynamic Host Configuration Protocol, automates assignment of IPs when connecting to a network DNS Domain Name Service/System ISP Internet Service Provider NAT Network Address Translation Plex Brand of media server package SSO Single Sign-On TLS Transport Layer Security, supersedes SSL UDP User Datagram Protocol, for real-time communications VPN Virtual Private Network VPS Virtual Private Server (opposed to shared hosting) nginx Popular HTTP server
12 acronyms in this thread; the most compressed thread commented on today has 13 acronyms.
[Thread #41 for this comm, first seen 5th Jul 2026, 18:30] [FAQ] [Full list] [Contact] [Source code]
@Vegan_Joe
try tailscaleI second this, if it’s only you that needs access then Tailscale will be all that you need. You can use Tailscale funnel if you want it to be available to the wider web, but then you have to manage SSL certificates and it is slightly less secure.
I would caution against port forwarding and leaving your server open to the wider web.
As others have said, Tailscale is the most pragmatic solution. It’s a mesh VPN based on Wireguard. It’s implemented in such a way that you don’t need a static IP and don’t need to open any ports on your firewall. The caveat is that you either need to register an account on tailscale.com (it’s free for small-scale use) or set up a self-hosted alternative like Headscale on a VPS. Then you have to install the Tailscale client on each of the hosts you want to access and log into your account.
Tailscale nodes will be accessible using an internal, private address in the
100.64.0.0/10address space. You can also set up a split DNS that allows you to access your hosts using a DNS name likehostname.your-tailnet-name.ts.net.
















