Hi again.

How about the following idea:

Set up ProtonVPN on the raspberry pi.

On all other devices (or at least those you want to use Jellyfin on), switch from using Proton to using Wireguard. Unlike your phone, the raspberry pi has no trouble running multiple VPNs. I think the ProtonVPN limitations in regard to not allowing split tunneling don’t apply here, since all outgoing traffic will still go via Proton.

Essentially, the Pi would function as a proxy for all of your traffic, “and also” host Jellyfin. You would still connect to http://192.168.20.10:8096 (or whatever) on your devices, but that address would only resolve to anything when you are connected to the pi via Wireguard. No HTTPs, but “HTTP over Wireguard”, if you will.

Nots that this requires you trusting the pi to the same degree that you trust your phone.

For your static devices (PC, TV) this should solve the problem. Devices which you take with you, like your phone, unfortunately will loose internet connectivity when you leave your home until you switch off Wireguard, and switch on Proton, and not be able to connect to Jellyfin when you return home, until you switch them back.

Essentially, you would have a “home” VPN and a “on the go” VPN, though you never need to connect to both. There might be ways to automate this based on WiFi SSID on Android, but I have not looked into it.

The Pros:

• this should meet all your requirements. No additional expenses, no domain, no dynDNS; no selfsigned certificate or custom CA; traffic is never unencrypted; works on all common devices.
• Wireguard is sufficiently lightweight to not bog down the pi, normally
• this is actually well within the intended use-cases for Wireguard, so no “black magic” required in configuring it
• if you ever do decide to get a domain, you can configure everything to always be connected to your pi via Wireguard, even on the go! Not required though.

The Cons:

• when you are new to selfhosting, Wireguard is a bit daunting to set up. It is not the easiest to debug (don’t worry, it’s easy to tell IF it is working, but not always WHY it isn’t working). Some manual route handling is probably also required on the pi. It should definitely be doable though, but might turn this Jellyfin thing from a weekend project to a 2 week project…
• I have no experience with how well the pi runs Jellyfin. If the answer is “barely”, then adding multiple concurrent Wireguard sessions might be a bad experience. Though in this case, you could only switch Proton to Wireguard whenever you want to watch Jellyfin.
• the manual switching might be annoying, but that is the price to pay here, so to speak

Edit: someone else already mentioned setting up your own trusted network with a second router. IMO that is the better, more hassle-free option IF you are willing to shell out the money. My suggestion is the “free” version of that, essentially 😄

Hi again. Sorry for being so rude yesterday. Your new post actually clears the situation up a lot.

We might have an idea for you, will comment on the new post.

Hi. I am a software engineer with a background in IT security. My girlfriend is a literal network security engineer.

I showed her this thread and she said: don’t bother, just use http on your local network.

Anyways, I am going to disengage from this thread now. Skepticism against things one doesn’t fully understand can be healthy, but this is an insane mix of paranoia and naïveté.

You are not a target; the things you are afraid of will never happen; and if they did, they would not have the consequences you think they would.

Your router will NOT magically expose your traffic to the internet (what would that even mean?? Like, if it spontaneously started port forwarding to your Jellyfin server (how? By just randomly guessing the port and IP???), someone would still need to actively request that traffic, AND know your login credentials, AND CARE).

Your ISP does not give a shit about you owning or streaming copyrighted material over your local network. It has no stake in that.

Graphene is not an ultimate arbiter of IT security, but the reason it “distrusts networks” is because you take your phone with you, constantly moving into actual untrusted networks (i.e. ones you do not own).

Hosting Jellyfin on Graphene will not make it more secure, whatsoever.

If every device is assumed compromised, and compromising devices with knowledge that you watch media is a threat in your model, then even putting an SD card with media in your phone and clicking play is dangerous. Which is stupid.

If you actually assume your router is malicious, then please assume that when you initially downloaded your VPN client, it was also compromised and your VPN is not trustworthy.

The way I see it, you have two options:

1. educate yourself on network security to the point of being able to trust your network setup; or
2. forget about hosting anything

This isn’t really true. Even IF your router would fail catastrophically in the right way to expose your Server to the internet, or of it actually “ratted your traffic out” to the ISP and the ISP cared (which it does not), it’s not illegal to hist Jellyfin, or put media on it which you own (which is not discernible from just… Media being streamed).

Also your ISP has no part in your local network traffic.

Smh. I get wanting to be connected to a VPN, but being locked out of your own local network is just stupid.

This does not encrypt during transit, and my network is not a trusted party.

Then honestly, you have other problems than setting up Jellyfin.

For real though, if you think someone is (or might be) listening in on your local network, i.e. have physical access or compromised one of your machines, then the Jellyfin traffic is the least of your problems. Pick your battles. What’s the worst that could happen here - someone gets to know your favorite show?

They do, because if ProtonVPN blocks LAN connections then the only other option is exposing the server to the WAN

Ah, I see. On your PC you should just be able to set a static route over the physical interface for 192.168.0.0/24 (or whatever your local network is) which takes precedence over the VPN. For android… Oof, no idea. Probably need root.

What are you talking about. Please clarify if this is actually true:

I don’t plan to access it anywhere but home.

This would mean that you only want to access Jellyfin when you, and the device you are watching your show/movie on, are at home, where the Pi/server also is.

Is this correct?

If so, then questions about VPN, Certificates, DNS,… do not matter.

1. host Jellyfin on the Pi, e.g. with IP 192.168.10.20 on your local network
2. open the Jellyfin app on your TV/Phone/PC, connect to http://192.168.10.20:8096
3. done

Now you can access it at home, and only at home. I honestly fail to see where a VPN would even come into the equation here (again, if you wish to ONLY watch when you are at home, as you’ve said).

Huh, didn’t know. Thanks. I guess Hetzner is the right answer in both cases then 😄

Do you want all of that to be managed (DB, mailboxes, web-hosting,…) or just reliable hardware in “the cloud”?

For the latter, Hetzner.

Alright, thank you!

Hey, we’re also thinking about setting up authentik. Could you answer the following, where I haven’t found answers to yet: does introducing SSO impede logging into Jellyfin on a TV / phone app at all?

I am a bit confused tbh 😅

The link you send links to docker projects, the link I sent is the second one of those. Seems pretty straightforward?

But to be fair, I have never used docker for any of this. In my nix config, it’s literally just:

    services.prowlarr.enable = true;
    services.prowlarr.openFirewall = true;

There’s not really anything you need to configure host-side. Prowlarr needs to be able to communicate with sonarr and radarr (same as jackett), but otherwise it’s basically stateless.

This?

Yes - but I have no idea about docker, sorry. Have it running baremetal (or rather, in a proxmox VM).

Just a hunch, but in case you “only” share the directory where Sonarr puts Episode files with Jellyfin via some mount point or whatever, and not the directory where Sonarr gets them from (where the torrent client downloads to), then I can see hardlinks breaking in unexpected ways

Sorry to hear that that’s been your experience! :( My installation has been running for ~5 years without any problems

Yeah no worries - I discovered Prowlarr from that exact same comment years ago so jumped at the opportunity to post it here 😆

Real question is, why Jackett instead of Prowlarr? 😄

Kagi lenses “focus” the search. So normal web search definitely can contain fediverse results, but with the lens switched on, you ONLY get fediverse results.

Named mine after “objects” from Iain M. Banks’ Culture Novels.

Currently I have:

• gsv
• hub
• excession
• drone

Nice and short, and map roughly to the “power level” of the hardware, so to speak.

And my Yubikeys are named after Special Circumstances agents 😄

In that case I can really highly recommend it. Nixos on the server is fantastic anyways, and the only hurdle to recommending simple-nixos-mailserver is that most people are not familiar with nix… 😄