I am making this post in good faith
In my last post I asked about securely hosting Jellyfin given my specific setup. A lot of people misunderstood my situation, which caused the whole thread to turn into a mess, and I didn’t get the help I needed.
I am very new to selfhosting, which means I don’t know everything. Instead of telling me that I don’t know something, please help me learn and understand. I am here asking for help, even if I am not very good at it, which I apologize for.
With that said, let me reoutline my situation:
I use my ISP’s default router, and the router is owned by Amazon. I am not the one managing the router, so I have no control over it. That alone means I have significant reason not to trust my own home network, and it means I employ the use of ProtonVPN to hide my traffic from my ISP and I require the use of encryption even over the LAN for privacy reasons. That is my threat model, so please respect that, even if you don’t agree with it. If you don’t agree with it, and don’t have any help to give, please bring your knowledge elsewhere, as your assistance is not required here. Thank you for being respectful!
Due to financial reasons, I can only use the free tier of ProtonVPN, and I want to avoid costs where I can. That means I can only host on the hardware I have, which is a Raspberry Pi 5, and I want to avoid the cost of buying a domain or using a third party provider.
I want to access Jellyfin from multiple devices, such as my phone, laptop, and computer, which means I’m not going to host Jellyfin on-device. I have to host it on a server, which is, in this case, the Raspberry Pi.
With that, I already have a plan for protecting the server itself, which I outlined in the other post, by installing securecore on it. Securing the server is a different project, and not what I am asking for help for here.
I want help encrypting the Jellyfin traffic in transit. Since I always have ProtonVPN enabled, and Android devices only have one VPN slot enabled, I cannot use something such as Tailscale for encryption. There is some hope in doing some manual ProtonVPN configurations, but I don’t know how that would work, so someone may be able to help with that.
All Jellyfin clients I have used (on Linux and Android) do not accept self-signed certificates. You can test this yourself by configuring Jellyfin to only accept HTTPS requests, using a self-signed certificate (without a domain), and trying to access Jellyfin from a client. This is a known limitation. I wouldn’t want to use self-signed certificates anyways, since an unknown intruder on the network could perform a MITM attack to decrypt traffic (or the router itself, however unlikely).
Even if I don’t trust my network, I can still verify the security and authenticity of the software I use in many, many ways. This is not the topic of this post, but I am mentioning it just in case.
Finally, I want to mention that ProtonVPN in its free tier does not allow LAN connections. The only other VPN providers I would consider are Mullvad VPN or IVPN, both of which are paid. I don’t intend to get rid of ProtonVPN, and again that is not the topic of this post.
Please keep things on-topic, and be respectful. Again, I am here to learn, which is why I am asking for help. I don’t know everything, so please keep that in mind. What are my options for encrypting Jellyfin traffic in transit, while prioritizing privacy and security?
You must log in or register to comment.
I read the old thread and now this one.
As I understand it, you want to create connection between clients on your lan, but you don’t trust your lan, so it’s like having a raspberry pi server and some client both on the coffee shop network and you want them to communicate securely?
Tailscale is what you want. Easy setup, free, and allows exactly this to happen.
I use tailscale for exactly this purpose. And with the added benefit of bring able to watch media and manage the device remotely and easily
I previously proffered some information in the first thread.
But there’s something I wish to clarify about self-signed certificates, for the benefit of everyone. Irrespective of whichever certificate store that an app uses – either its own or the one maintained by the OS – the CA Browser Forum, which maintains the standards for public certificates, prohibits issuance of TLS certificates for reserved IPv4 or IPv6 addresses. See Section 4.2.2.
This is because those addresses will resolve to different machines on different networks. Whereas a certificate for a global-scope IP address is fine because it should resolve to the same destination. If certificate authorities won’t issue certs for private IP addresses, there’s a good chance that apps won’t tolerate such certs either. Nor should they, for precisely the reason given above.
A proper self-signed cert – either for a domain name or a global-scope IP address – does not create any MITM issues as long as the certificate was manually confirmed the first time and added to the trust store, either in-app or in the OS. Thereafter, only a bona fide MITM attack would raise an alarm, the same as if a MITM attacker tries to impersonate any other domain name. SSH is the most similar, where trust-on-first-connection is the norm, not the outlier.
There are safe ways to use self-signed certificate. People should not discard that option so wontonly.
Here’s an idea: on your android device use something like Insular to create a work profile, that way you get its own VPN slot, add your selfhosted-related apps there along with Tailscale. You can keep ProtonVPN on for your other apps, while using TS for your “LAN away from home” stuff. Since Tailscale already encrypts all traffic, you don’t have to worry about HTTPS, certs, et al.
THIS
While I would make the modification to use Android’s Private Space instead of a work profile (or Shelter instead of Insular), this was such an obvious solution, and I feel stupid for not seeing it. I might use Wireguard instead of Tailscale, I don’t know yet, but thank you! Consider yourself an outside the box thinker!
We all got hung up on trying to fix Proton, when Android was the issue here!
and Android devices only have one VPN slot enabled, I cannot use something such as Tailscale for encryption.
I solved a similar situation with a tailscale subnet router . a tailscale subnet router is a tailscale node that exposes the non-tailscale network to the tailscale network. This way I am able to access one of my routers (and its PBX) from all tailscale nodes. The android phone has only tailscale as a VPN. If i pay for mulvad I can have the rest of the traffic go over a mullvad node.
doesn’t really help you here though, unless you install protonVPN on the pi and add that as a tailscale exit node.
I remember you were worried about your ISP messing things up for you, hence the VPN. I would recommend creating a “Virtual Machine” that does all of your downloading to whatever hard drive you’re using. That VM can have proton installed. Then, on your regular computer (not within the VM), you can host Jellyfin with no VPN involved, making it accessible at 192.168.0.xx.
I think this hits your goals without needing to expose Jellyfin to the Internet. Plus it has minimal technical complexity. Your downloading traffic will be VPN protected, but Jellyfin will still be accessible to your local network.
edit: You can set up a password for Jellyfin, protecting it from your internal threats.edit2: You can use letsencrypt to create a certificate that picky clients will accept. Buy a domain, any domain, and configure the “A record” to point to 192.168.0.xx (your Jellyfin IP). Then tell your client to go to whatever domain you get, like “luigiliterallydidnothingwrongplzfree.com”, then the client will have to use the internet to ask DNS what the IP address is, but after that, it will just use your local network.
edit3: Since you just have the raspberry PI, instead of using a Virtual Machine, you could have 2 separate SD cards. One only has the downloader and VPN installed, the other only has Jellyfin installed (no VPN). Then swap as needed.
I mentioned a firewall in your last post, but didn’t get a chance to respond to what you said and saw this post.
You can use something like opnsense or pfsense (or something similar) behind your current router/modem.
If you have a router/modem combo, it would look like this.
Wall cable (fiber, copper etc) > Router/Modem > Firewall/Router device with opnsense installed on it > wireless or wire connected devices.
The hardware will cost money up front, the OS for it is free.
You can use this to isolate your devices from the router/modem that is the cause of concern, and have a secure connection to your jellyfin server. Eliminating the need for signed certificates.
Don’t over think it. You can secure your network without making it excessively complicated.
If you have a raspberry pi you can also experiment with running the firewall on that (just as a test since there aren’t official builds for the RPI that I know of) and pentest from whatever device you use to do so connected to your router provided by your ISP or however you want to test it before you go out and buy hardware.
Just to be clear I wasn’t trying to be any sort of way with my question previously, but wanted a better understanding of what you meant by not trusting your device.
Edit: So a little side note, there are options to increase security when using something like opnsense. You can use freeradius to harden the access requirements to your network.
Since you mentioned pen testing but also seem to say that your knowledge of networking is a little bit limited, it may be a bit more involved than you’re ready for. The thing is (and this is by no means a knock on you) if you are doing pen testing then you definitely need to increase your knowledge on networking. Those two things kinda go hand in hand. If you don’t understand networking but you are trying to pen test a network, then how do you know what you are doing is actually effective? I suspect you may understand a bit more than you think you do, so try to broaden your knowledge more!
There’s something to check out just to get some concepts. You can do plenty of things to harden your security that could give you the comfort you need without defaulting to encrypted connections over LAN.
Thank you for this!
Is OPNsense like dd-wrt or OpenWrt?
The thing is (and this is by no means a knock on you) if you are doing pen testing then you definitely need to increase your knowledge on networking.
I have background in Wi-Fi hacking and LAN attacks, and I understand the structure of networking (LAN, WAN, layers of the internet, DNS, CAs, etc.). My head starts to hurt when RADIUS is involved, ad hoc networking (which I understand the concepts of, just not how it works. I want to learn this first), mDNS, and other complicated topics. I’m trying to push past those mental roadblocks and learn as best I can, but it’s a tricky topic!
There’s something to check out just to get some concepts. You can do plenty of things to harden your security that could give you the comfort you need without defaulting to encrypted connections over LAN.
Thank you! I’ll definitely check this out. You’ve been a huge help!
Is OPNsense like dd-wrt or OpenWrt?
Yes, both are similar in terms of being a firewall/access point. OpenWrt is Linux based and OPNsense is based on FreeBSD.
OpenWRT and OPNsense have similar wireless capabilities but OPNsense is a little bit more restricted due to being based on FreeBSD, it still should be easy to manage though. More on the wireless compatibility can be found at the below link.
https://www.freebsd.org/releases/14.2R/hardware/#wlan
I haven’t used dd-WRT so I can’t speak to it, but have tried OpenWRT. My personal preference is OPNsense, I just find it easier to use and prefer the interface.
Here’s a link to the OPNsense documentation.
https://docs.opnsense.org/index.html
I’m far from a network engineer but have been tinkering with computers and network stuff for 20ish years and there is still a ton that I don’t know. Don’t let it discourage you, you can make it work! Documentation can be muddy sometimes, and bland, but I find it best to just go one step at a time and slowly implement each piece while testing after each step.
Again, Tailscale.
Since I always have ProtonVPN enabled, and Android devices only have one VPN slot enabled, I cannot use something such as Tailscale for encryption.
Tailscale is only for the server/host. You’re not changing all of your VPN services over to this, you’re using it in a ‘reverse’ fashion. You’re VPN-ing the server out to the world so it’s reachable and you have port forwarding options, etc.
From there, it can be reached by any client on the internet as a service. From there though, I don’t know how you’d get to it securely without a domain and SSL (Let’s Encrypt/Caddy) certs.
A domain is only like $16/year. So it’s not prohibitively expensive.