• 0 Posts
  • 43 Comments
Joined 2 years ago
Cake day: July 7th, 2023

  • Then you just need to run a DNS Forwarder, or something with a DNS forwarding capability. Your router most likely already has this.

    DNS is essentially just a request and a response from a service. These can be public or private. A DNS Forwarder on your network will quickly respond if it knows what something is when asked, and return an IP address. If it doesn’t know what it is, it will ask the public services available.

    So if you have an internal-only network, a VPN into that network, and a forwarder or other DNS service on that network, you just tell your VPN client of choice to switch to using that DNS instead of public once it connects. It’s a simple setting that every VPN solution supports, and actually makes you MORE secure by not using public DNS servers by default. You can add any record you want to said forwarder, and it will return whatever value you give it for a given domain name.

    Here’s a simple workflow as an example:

    1. Set up all your services
    2. Set up names in your local DNS for each service like “service1.jimmypoops.dev” or “jellyfin.woopsiedoodle.net”
    3. Install a VPN client on your phone and make sure your internal DNS server name is used for that connection
    4. Connect to the VPN from your phone and request the DNS names you added
    5. Your DNS will return the correct IP to visit.

    All contained within your local network and VPN by extension.

    No need for public DNS entries or TLDs and HSTS requirements.
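
The forwarder behaviour described in this comment, as an added example that is not part of the original post: a minimal Python model of a DNS forwarder that answers A queries for names in a constructed local zone (the two hostnames from the comment, with made-up private addresses) and relays anything else to an upstream resolver. The record table, the reduced wire-format handling and the upstream address are assumptions for illustration, not anyone's production resolver.

```python
"""Minimal split-horizon DNS forwarder logic (added example; the record table,
wire-format handling and upstream address are illustrative assumptions)."""
import socket
import struct

# Constructed local zone: the names used in the comment with made-up private IPs.
LOCAL_RECORDS = {
    "service1.jimmypoops.dev": "10.0.0.10",
    "jellyfin.woopsiedoodle.net": "10.0.0.20",
}

def build_query(name, txid=0x1234):
    """Build a recursive A/IN query for `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_question(packet):
    """Return (txid, name, qtype, raw question section) from a query packet."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, packet[12:pos + 4]

def build_local_answer(txid, question, ip, ttl=60):
    """Response carrying one A record; the name is a pointer (0xC00C) back to offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set, NOERROR
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr

def forward_upstream(packet, upstream=("1.1.1.1", 53), timeout=3.0):
    """Relay the raw query to an upstream resolver over UDP and return its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, upstream)
        reply, _ = sock.recvfrom(4096)
        return reply

def handle_query(packet, records=LOCAL_RECORDS, forward=forward_upstream):
    """Answer from `records` when the name is known locally, else forward unchanged."""
    txid, name, qtype, question = parse_question(packet)
    ip = records.get(name.lower())
    if qtype == 1 and ip is not None:
        return build_local_answer(txid, question, ip)
    return forward(packet)

def answer_ip(response):
    """Extract the IPv4 address from the first answer RR, or None (used to check results)."""
    _, _, qdcount, ancount = struct.unpack("!HHHH", response[:8])
    if ancount == 0:
        return None
    pos = 12
    for _ in range(qdcount):                    # skip the echoed question(s)
        while response[pos] != 0:
            pos += 1 + response[pos]
        pos += 5                                # terminator + QTYPE + QCLASS
    if response[pos] & 0xC0 == 0xC0:            # answer name: pointer or labels
        pos += 2
    else:
        while response[pos] != 0:
            pos += 1 + response[pos]
        pos += 1
    rtype, _, _, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
    pos += 10
    if rtype != 1 or rdlen != 4:
        return None
    return socket.inet_ntoa(response[pos:pos + 4])

if __name__ == "__main__":
    # Local name: answered here without touching the network.
    reply = handle_query(build_query("jellyfin.woopsiedoodle.net"))
    print("jellyfin.woopsiedoodle.net ->", answer_ip(reply))
```

The point to notice is the split in `handle_query`: a name in the local table never leaves the network, so private hostnames and their internal addresses are not disclosed to any public resolver, while everything else still resolves normally. A real deployment would use dnsmasq, Unbound or the router's built-in forwarder; this model only makes the request/response shape visible.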


  • Well, that’s the simplest way in practice, but not usability. Let me explain:

    You control the IP address space once you’re connected to your VPN, and you control the various settings that connection makes, including DNS.

    You have a network already, and a VPN of some sort, so that means you have a network device that is terminating that VPN. Is that a router you’re familiar with, or a box on your network?

  • Required? That’s quite a commitment. Is this a Cloudflare thing?

    All it really means is that you have to advertise some metadata about your max-age and (sub)domains associated with whatever the domain is. If you’re only planning to serve over HTTPS, and you have a bulletproof refresh workflow for your certs, it’s not going to be a huge issue. Clients need to respect HSTS first, so if your clients don’t check, it’ll still function.

    If you’re just using internal or VPN traffic, there’s literally no point in using it EXCEPT to satisfy client requirements.

    Can you expound a bit more on this requirement btw? Now I’m curious.
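
An added example, not from the original comment, of what the header actually carries and how a conforming client acts on it: parsing the Strict-Transport-Security directives, checking them against the hstspreload.org submission rules (max-age of at least one year, includeSubDomains, preload), and the client-side cache described in RFC 6797 that upgrades http:// URLs for hosts it has seen the header from. The HstsCache class and the sample hostnames are assumptions for illustration; a client that never records the header simply returns URLs unchanged, which is the "if your clients don't check" case.

```python
"""Strict-Transport-Security parsing and client-side enforcement (added example;
HstsCache and the hostnames are illustrative assumptions, not a real browser)."""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31_536_000  # seconds; the smallest max-age the preload list accepts

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False

def parse_hsts(header):
    """Parse a header value into a policy; None if max-age is absent or malformed."""
    max_age = None
    include_sub = preload = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_sub, preload)

def preload_ready(policy):
    """List the reasons a policy would be rejected by the hstspreload.org rules."""
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append("max-age below one year")
    if not policy.include_subdomains:
        problems.append("includeSubDomains missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems

class HstsCache:
    """What a conforming client remembers after seeing the header over HTTPS."""
    def __init__(self, now=time.time):
        self._now = now
        self._entries = {}  # host -> (expiry timestamp, include_subdomains)

    def observe(self, host, header):
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy.max_age == 0:
            self._entries.pop(host, None)  # max-age=0 tells the client to forget the host
            return
        self._entries[host] = (self._now() + policy.max_age, policy.include_subdomains)

    def is_known(self, host):
        now = self._now()
        for stored, (expiry, include_sub) in self._entries.items():
            if expiry <= now:
                continue  # expired entries no longer force HTTPS
            if host == stored or (include_sub and host.endswith("." + stored)):
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts; leave everything else alone."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname):
            port = parts.port
            netloc = parts.hostname if port in (None, 80) else f"{parts.hostname}:{port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url

if __name__ == "__main__":
    cache = HstsCache()
    cache.observe("woopsiedoodle.net", "max-age=31536000; includeSubDomains; preload")
    print(cache.rewrite("http://jellyfin.woopsiedoodle.net/web/"))
```

Two things this makes concrete: the header is only metadata (max-age plus flags) and the client does all the enforcing, so a client that never calls `observe` keeps talking plain HTTP; and once a host is cached, certificate renewal has to keep working for the whole max-age window, which is why a solid refresh workflow matters before you turn it on.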


  • No, it can run along anything, as long as you don’t conflict the IP space assigned to a VPN. It creates its own IP network space when running, so just don’t overlap with your other VPN software. Using it while at home is a bit wasteful on effort and power, but just use the Jellyfin LetsEncrypt setup and it’s the same thing.

    You are missing a lot here. I think you’re confused on the difference between your LAN security, and how that fits into network connections. You don’t need an SSL cert to say that something is secure, that’s just one method of PUBLICLY securing something. Every connection on Tailscale is secure end-to-end, so if you run it on your Pi, any client that can connect to it is secured. No open ports, no lapses in security. The encryption happens between each client and the server. You’re secure.


  • Okay, so you might be unfamiliar with networking, so maybe some extra confusion there. Let me try to explain that a bit.

    The Jellyfin server runs on LAN like normal. No need to use Tailscale if you’re just using your Wi-Fi or Ethernet.

    Tailscale/Headscale creates its own VPN network which will need its own IP space. Same as any other VPN. It’s just a setting in the config, and the routing is pretty simplistic and mostly automatic.

    Tailscale/Headscale can run anywhere. Doesn’t need to be on that Pi, but that Pi will need a Tailscale client to be on the “Tailnet” and communicate with other devices also connected to it.

    ProtonVPN clients have their own IP space and network that go elsewhere. That’s its own separate thing.
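
The no-overlap rule from this and the earlier comment, as an added check that is not part of the original posts: parse `ip -4 route` style output and report prefixes that overlap across different interfaces. The route lines are constructed for the example (a LAN, Tailscale's 100.64.0.0/10 CGNAT range, a WireGuard subnet, and a second VPN tunnel that collides with the LAN); the interface names and addresses are assumptions.

```python
"""Report overlapping IP ranges across LAN and VPN interfaces (added example;
the route table below is constructed, not captured from a real host)."""
import ipaddress
from itertools import combinations

# Constructed sample in the shape of `ip -4 route` output. The tun0 route
# deliberately reuses the LAN prefix to show what a conflict looks like.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
100.64.0.0/10 dev tailscale0 proto static
192.168.1.0/24 dev tun0 proto static scope link
10.8.0.0/24 dev wg0 proto kernel scope link src 10.8.0.2
"""

def parse_routes(text):
    """Return [(network, device), ...] for every non-default route line."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default":
            continue
        try:
            net = ipaddress.ip_network(fields[0], strict=False)
        except ValueError:
            continue  # not a prefix (e.g. a blackhole/unreachable line)
        dev = fields[fields.index("dev") + 1] if "dev" in fields else "?"
        routes.append((net, dev))
    return routes

def find_overlaps(routes):
    """Pairs of routes on different devices whose prefixes overlap."""
    conflicts = []
    for (net_a, dev_a), (net_b, dev_b) in combinations(routes, 2):
        if dev_a != dev_b and net_a.overlaps(net_b):
            conflicts.append((str(net_a), dev_a, str(net_b), dev_b))
    return conflicts

if __name__ == "__main__":
    # On a real host: python3 this.py < <(ip -4 route)
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ROUTES
    for net_a, dev_a, net_b, dev_b in find_overlaps(parse_routes(text)):
        print(f"conflict: {net_a} on {dev_a} overlaps {net_b} on {dev_b}")
```

An overlap like the one flagged above is exactly the situation the comments warn about: with two interfaces claiming the same prefix, the kernel picks one route by metric and traffic for the other network silently goes the wrong way, which looks like "the VPN is up but nothing connects".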

  • Okay, so let me explain a bit:

    Tailscale is a commercial client that is semi-FOSS. It’s built on Wireguard, which is FOSS, but the cloud hosted architecture does cost money after I think 5 clients.

    Headscale is a FOSS implementation of Tailscale, and totally free to host, skipping the above.

    Tailscale itself is super easy to use, and you just install it on a node, register it, and then it has access to any other device on that secured network. So if you install it on your Jellyfin machine at home behind your normal firewall, then install it on your phone, you’ll be able to connect to it without forwarding ports or messing around with much.

    It should be that simple.