It sounds like the clients do not have the ability to manually trust a self-signed cert.

Yeah, you shouldn’t, but OP seems determined to hamstring themselves and do everything as convoluted as possible.

Already answered in your previous post: https://lemm.ee/post/60855169/19569046

ProtonVPN in its free tier does not allow LAN connections

This is the limiting factor. In order to get around this, you’ll have to put your Jellyfin server on the Internet. Hopefully you can enable port forwarding. If not, you have painted yourself into a corner.

If you cannot use self-signed or internal CA certs, you will also need a domain name, and something like Let’s Encrypt to issue certs for that domain.

For that aspect, I would recommend changing to a provider that doesn’t have such ridiculous restrictions.

You don’t need a VPN for LAN connections. You’re already on the LAN. You’d only need it for access from the WAN.

If you’re using Let’s Encrypt, you should probably purchase a domain. I don’t think they support .internal domains. Or you could set up your own CA and run it however you want, even issuing certs to access by IP address if you wanted.

Just run it on the LAN and don’t expose it to the Internet. That’s 99% of the way there. HTTPS only secures the connection, and I doubt you’re sending any sensitive info to or from Jellyfin (but you can still run it in docker and use caddy or something with Let’s Encrypt).

The bigger target is making sure jellyfin itself and the host it runs on are updated and protected. You could use a WAF too.

Those who need single-core performance are not buying this.

Prices are absolutely going to go up. If you think you’ll want to buy in the next year or two, do it now.

What grounds would she have to sue?

E2EE is only in-transit. They are the other end, so it can be decrypted there.

But they also say it’s zero-knowledge, so it’s more than E2EE. They take the encrypted stream and write it directly to disk. Claiming E2EE is probably not what they wanted to convey.

That would be worse, because then it would send and receive traffic for multiple vlans.

Unless your switch uses that to refer to link aggregation instead of vlan trunking. Network terminology like that can mean different things to different vendors.

Yeah let me just do some AES in my head real quick

One of the PCs can spoof the MAC of the other and receive its Ethernet frames.

If the IP address belongs to a network in country B, that’s why it would place you there.

If they’re on your device, you’ve already lost. To protect against that, you’d have to keep an offline device, either physical or digital. Digital encrypted, physical in a made-up language and script that only you know.

Digital with strong encryption, and protect the device so that it can’t be copied while unlocked. You’re probably not so important that they’d target you.

Modern browsers do, at least on desktop. I know Firefox does.

It is definitely not open-source. They created their own license: https://github.com/antiwork/gumroad?tab=License-1-ov-file

And the tl;dr on the “suspicious timing” is that the owner seems to have gotten rid of support staff and replaced them with an AI chatbot so that he can go “work” for DOGE. Yes, really.

Unless your whole router tunnels over a VPN, it probably geolocated you to country B.

But geolocation databases are inaccurate, and sometimes advertisers target a large area. It might just be a guess.