- cross-posted to:
- technology@lemmy.world
- cross-posted to:
- technology@lemmy.world
We are also changing how remote playback works for streaming personal media (that is, playback when not on the same local network as the server). The reality is that we need more resources to continue putting forth the best personal media experience, and as a result, we will no longer offer remote playback as a free feature. This—alongside the new Plex Pass pricing—will help provide those resources. This change will apply to the future release of our new Plex experience for mobile and other platforms.
How do you do this on Jellyfin? The only ways I’m familiar with is to expose Jellyfin to the internet or access it through Tailscale, would love to hear alternatives.
Edit: From the replies I think that either I don’t understand how this feature works or many people here don’t, so I’ll give an overview of my understanding and explain why this is different from anything you can do on Jellyfin and what’s the closest you can come.
You are running Plex-home in your house, Plex-home connects to Plex-server hosted by Plex and establishes a reverse connection that’s only accessible by Plex-server, i.e. you can’t access your Plex-home outside of your house. When you login on Plex you’re logging in to Plex-server and if you’re in the same network as Plex-home you get redirected to form a direct connection with it, if not (and for me Plex keeps failing this verification) you connect to Plex-server and every request you make gets forwarded to Plex-home and when you ask for media it gets routed through Plex-server. This is very different from exposing Plex-home directly to the internet, in order for someone online to access your Plex-home they need to have taken control of Plex-server and then they’re limited by the API between those two (whichight be different from the Plex-home API) to try to escalate into your machine.
With Jellyfin there’s no server side component, you access Jellyfin directly every time, so in order to access Jellyfin outside of your house it needs to be accessible for everyone. The closest you can come up with is using a third party authentication server, for example by having a VPS running Authentik/Authelia/etc and hosting Jellyfin behind that authentication. This gets you a similar level of security because someone would need to compromise your Auth and then your Jellyfin to get into your server. However I’m not sure Jellyfin clients would know how to handle a third party authentication service, and would probably just crap their pants and prevent you from logging in. You could still access it in a browser, but not on native clients like the one on your TV or Fire Stick.
If you don’t have this VPS with authentication you’re exposing Jellyfin directly to the internet, which means that any flaw in Jellyfin security immediately compromises your home server. And while I don’t expect there to be many big or obvious flaws, there’s a reason why stuff like Authelia or Authentik exists, and besides the convenience of a SSO they exist because proper authentication is hard and has many pitfalls, and they offer security in the knowledge that their main focus is authentication, whereas on most other services authentication is just one of the features they offer so it might not be as secure.
Reverse proxy
That exposes Jellyfin to the internet, so it’s my option 1.
Nope.
My home connection is behind cgnat so I got a free VPS from oracle (provides a public ip address), install caddy on VPS, install tailscale on VPS and router, expose routes from LAN to tailscale network.
Now you can use caddy to expose, for example, a docker container (jellyfin) at 192.168.1.100 to subdomain.exampledomain.com with ssl cert provided by caddy.
VPS also requires some other stuff like ddclient and fail2ban.
I pieced this all together myself… it’s doable if you spend some time reading.
That exposes Jellyfin to the internet
Yes exactly. What do you think plex is doing?
Using a relay server to separate online from home connection
I don’t see anything in the linked article about a relay server
No, the article only mentions the feature by name, the docs for the feature mentions the relay https://support.plex.tv/articles/216766168-accessing-a-server-through-relay/
I see. So if you read that instruction you’ll see it’s the exact same setup that I outlined. They use a vpn to connect your client to your server and just negotiate the meeting in the middle. It’s the exact same risk scenario as running a reverse proxy on your own vps. Unless I’m missing something else?
You are, authentication on the VPS, you’re relying on Jellyfin authentication against the internet. Correct me if I’m wrong, but this is your suggested setup: [home server] Jellyfin -> [remote server] Reverse Proxy -> [remote machine] users. Let’s imagine a scenario where Jellyfin has a bug that if you leave the password empty it logs you in (I know, it’s an exaggeration but just for the sake of argument, an SQL injection or other similar attacks would be more plausible but I’m trying to keep things simple), on your setup now anyone can log into your Jellyfin and from there it’s one jump to your home server. On Plex’s solution even if Plex authentication gets compromised the attacker only got access to the remote server, and would now need to find another vulnerability to jump to your Plex at home.
Putting something like Authelia/Authentik on a VPS in front of Jellyfin is a similar approach, but the Jellyfin client can’t handle third party authentication AFAIK