Hi all,
We’ve all seen Plex’s announcement about remote access now being behind a subscription. I’ve decided to give Jellyfin a go, and not afraid to admit I’m a bit of noob at this.
For context I’ve got an old PC running windows 10 which hosted Plex just fine and suited my needs. I had port forwarding on for it but outside of that there really wasn’t much setup required. I do want to start heading down self hosting route and am exploring swapping to bazzite for my main PC, so this is me dipping my toes so to speak (despite not being Linux).
Jellyfin was also just as easy to install I’m happy to say, works really well within my home (using the Chromecast app for my TV downstairs) and have no issues with the player or how easy it was to setup. Just set it up via windows .exe installer and away we go.
I started to follow a guide (& doing a bunch of googling + chatGPT) for setting Jellyfin remote access for my parents. And this is where I’m a bit out of my depth.
I have a dynamic IP, so first thing to setup was something that would be easy for my family to setup and setup once. This lead me to the duckDNS path, which after some back and forth I did get working over http.
Another option could be something like NordVPN Meshnet, where we appear to be on the same network and therefore not expose my old PC to the world. That’s not really an option for my family, as they find it hard enough to connect up Plex let alone have to have two apps (Jellyfin & NordVPN) to watch stuff.
I do have concerns about leaving it setup with just DuckDNS & http, so I tried a few things but I’m not sure what to even Google as it’s a minefield of people just saying"use x/y/z" but not really an explanation of what exactly they are achieving or how. Thought I could get a https connection at least, which was looking at Certbot or Certify Web Manager but I couldn’t get either to work. I later found out that’s because my ISP blocks port 443.
So this is as far as I have currently got. I think the next best thing is Cloudflared, but I signed up to that and put in my duckDNS and Cloudflare was showing me the 3 DNS names but also 3 IP addresses, which are dynamic IPs, would that mean I have to keep re-registering Cloudflare each time my ISP updates the IP? I clicked next anyway as I was just testing, but then I have to change my setup some “Cnames” on the DNS host to the cloud flare names, which I couldn’t get working with DuckDNS, not sure it has that option unfortunately.
Also as a side note: I see people talk about Caddy as a reverse proxy for extra security, but what does it do? It looks to just be re-routing to the same thing? I put in something regarding TLS and my duckDNS token in the config file as well, but that didn’t create a certificate (which again might come back to the ISP blocking 443)
So, in short - what are best practices for setting up remote Jellyfin access? Where am I going wrong and what’s the best way forward?? I think I have a lot of the pieces but none of the know-how! I did read about buying a domain outright instead of using a free method but I want to make sure I have things working smoothly before committing to a paid service. Also bonus points for my curiosity, why didn’t we have to jump through these hoops with Plex? Do they take care of some of the hosting aspect or something?
Thanks for any help you can provide 🙂
You must log in or register to comment.
I use a VPS to make it accessible https://codeberg.org/skjalli/jellyfin-vps-setup
Be careful, outbound traffic from VPS to client is can be expensive.
Great thread, thanks everyone
This is probably not what you’re looking for, but I found registering a cheap domain name and using a dynamic DNS script that checks every hour or so against your public IP to be a good way to mitigate issues. It also depends on your ISP. Mine typically only renews upon a reboot of the modem or a new PPPoE authentication.
Others have also suggested Tailscale, and I think that’s also a worthwhile option. It’s a pretty easy thing to set and forget, working like any oher VPN client. This is the least complex option to navigate, and if Plex was the only service you were forwarding then it’s likely the best option.
Agreed - I’ll also add that a lot of internet gateways/routers/firewalls also have a built-in feature to update a domain with your current public IP address. It definitely makes it easy, I haven’t thought about needing to update my dynamic IP in years since it just happens on the router.
Not everyone can do it but it’s definitely worth a look especially for those planning to do any real self hosting.
The feature is called DDNS (Dynamic DNS).
I haven’t messed with it yet, but ddclient works with a lot of domain registrars.
https://github.com/ddclient/ddclient
ddclient even suggest these as alternatives:
Tailscale is the simplest way I’ve found, this does become a bit finicky when it comes to friends and family but you can share a single device aka your Jellyfin server with them. This saves exposing ports etc.
Something I do is use a Tailscale Funnel to share a regular link with friends and family and it works well, without them needing an account.
Have you found any issues serving Jellyfin through funnel? The page you linked says there’s some limitations
Traffic sent over a Funnel is subject to non-configurable bandwidth limits.
I’m tempted to use this one so my non-technical friends can use my jellyfin instance without complaining about how difficult it is to install tailscale (it’s not).
If your ISP blocks port forwarding, this guide can help.
I started to follow a guide (& doing a bunch of googling + chatGPT) for setting Jellyfin remote access for my parents. And this is where I’m a bit out of my depth […] I have a dynamic IP […] duckDNS path
Stay away from DuckDNS. Used to be fabulous but now it’s incredibly overused and very unstable. Works, then just stops for a period of time. Check out HurricaneElectric. Any A record can be enabled as DDNS that you can update with just
curl. It’s great. I’ve been using them for about 10 years now without issues. They were down one time like… 5 years ago for several hours, and that was it.Also as a side note: I see people talk about Caddy as a reverse proxy for extra security, but what does it do?
This option is nice if you self-host a web server with no bandwidth restriction. You setup caddy, update your DNS to register your home IP on X domain. Point
jelly.x.domainto whatever your public IP is, with the port as a reverse proxy, then your IP is reachable viajelly.x.domainbut it’s not a great setup for you because of the dynamic IP unless you do a bunch of setup to ensure it routes.IMO the best option would be;
- Install jellyfin server
- Open port
8096on your router for your jellyfin server IP - Create a jellyfin user for your parents, and enable remote connection
- Setup DDNS (I highly suggest he.net) and point your domain to your IP
- Setup cron job to update your DDNS record with he.net every hour or so using
curl - Setup jellyfin for your parents TV or whatever device they’ll use to watch it
- Login and enjoy
One option that i am not sering here that is also very safe is install wireguard and allow them to use it via vpn.
Not sure if my setup is unique or wrong but here’s what I use:
- I registered a domain with Name cheap and created subdomains for the tools I wanted to access (i.e. jellyfin.domain.tld, sonarr.domain.tld)
- A DDNS client on my OpenWRT router updates the IP address for those subdomains. Traffic for each subdomain is pointed at my server.
- Nginx Reverse Proxy runs on my server. This provides HTTPS certificates and is pretty straightforward.
I also use Tailscale for remote access and I’m not sure that my friends and family are ready for that. (Admittedly, I’m still on Plex.) Registering your own domain and using a DDNS service and reverse proxy will give your users an easier experience than Tailscale. I can give an easy-to-remember URL to folks rather than a new VPN platform to learn.
If security is more important, Tailscale is the best option for remote connections.
Why don’t we need this for Plex? Because Plex has all of the above steps baked into its service.
Lots of dynamic DNS providers allow you to register a aubdomain and update the IP it points to with an API call. You can use something like this tool for it: https://github.com/lopsided98/dnsupdate - just run it on a schedule on the same machine and you’re golden.
There are also Docker container based solutions if you’d rather go that route. Once you have a stable entry point, you can decide what to do with it.
I would personally get a Raspberry Pi and run Wireguard and Dnsupdater on it, use port forwarding in the router for Wireguard and close down everything else. Then share the Wireguard connection details with your friends and family. You can even set it up so that Wireguard connections are only granted access to your Jellyfin server, plenty of tutorials out there on how to configure firewall rules on the Wireguard machine.
If you have direct access to your server from the outside, then you are concerned about these changes. Am I mistaken?
Jellyfin has a pile of security issues regarding unauthenticated enumeration of the media that’s shared. That’s probably not awesome on the public internet. 
I’d suggest setting up Tailscale. https://github.com/jellyfin/jellyfin/issues/5415
From the issue you shared:
Thank you b4too - unless something new has been uncovered - which if so should be reported to us via our responsible disclosure policy - it is NOT possible to arbitrarily enumerate all media on a server without authentication, and saying as much is massive fear-mongering
unauthenticated playback: yes. enumeration: no
https://github.com/jellyfin/jellyfin/issues/5415#issuecomment-2825240290
if you can play an item back. you can enumerate it.
