Please take this discussion to this post: https://lemmy.ml/post/28376589

Main content

Selfhosting is always a dilemma in terms of security for a lot of reasons. Nevertheless, I have one simple goal: selfhost a Jellyfin instance in the most secure way possible. I don’t plan to access it anywhere but home.

TL;DR

I want the highest degree of security possible, but my hard limits are:

  • No custom DNS
  • Always-on VPN
  • No self-signed certificates (unless there is no risk of MITM)
  • No external server

Full explanation

I want to be able to access it from multiple devices, so it can’t be a local-only instance.

I have a Raspberry Pi 5 that I want to host it on. That means I will not be hosting it on an external server, and I will only be able to run something light like securecore rather than something heavy like Qubes OS. Eventually I would like to use GrapheneOS to host it, once Android’s virtual machine management app becomes more stable.

It’s still crazy to me that 2TB microSDXC cards are a real thing.

I would like to avoid subscription costs such as the cost of buying a domain or the cost of paying for a VPN, however I prioritize security over cost. It is truly annoying that Jellyfin clients seldom support self-signed certificates, meaning the only way to get proper E2EE is by buying a domain and using a certificate authority. I wouldn’t want to use a self-signed certificate anyways, due to the risk of MITM attacks. I am a penetration tester, so I have tested attacks by injecting malicious certificates before. It is possible to add self-signed certificates as trusted certificates for each system, but I haven’t been able to get that to work since it seems clients don’t trust them anyways.

Buying a domain also runs many privacy risks, since it’s difficult to buy domains without handing over personal information. I do not want to change my DNS, since that risks browser fingerprinting if it differs from the VPN provider. I always use a VPN (currently ProtonVPN) for my devices.

If I pay for ProtonVPN (or other providers) it is possible to allow LAN connections, which would help significantly, but the issue of self-signed certificates still lingers.

With that said, it seems my options are very limited.

  • lefixxx@lemmy.worldEnglish
    1·
    5 days ago

    a wireguard tunnel over a forced NordVPN tunnel will mean that all his traffic will flow all the way to the NordVPN node and all the way back for a LAN connection.

    a properly configured wireguard tunnel is harder to configure than a tailscale network with a mullvad exit node. (I think)

    a wireguard tunnel can only connect one device to the Jellyfin Server (or router if it supports it)

    • Jakeroxs@sh.itjust.worksEnglish
      1·
      5 days ago

      WG Ez worked fine for me? Basically just VPNs me right into my LAN.

      OH I’m an idiot, I forgot I connect to my domain for the wire guard connection lmao

      Though I did mean just tunnel into the Lan then the vpn is applied on outbound connections on the Lan using something like Gluetun or w/e