MubelotixJellyfin critical security update - This is not a joke
escThat’s never made sense to me; why build an authn frontend instead of just clicking your user if the security is just an illusion anyways. “Use a VPN” is fine for a mainframe, but an active project in 2026 should aspire to be better.
Unfortunately, not everyone is tech-literate enough nowadays to understand how a VPN works, nor do they want to
Infernal_pizzaIsn’t it easier to set up a VPN than expose it to the internet?
Oh absolutely, difference being that you only need to expose the service once, versus helping however many people set up VPNs to access the service on your LAN
I know way too many people who won’t remember to toggle it on, or just won’t deal with it It’s just not convenient enough
and then you are giving access to your lan to people whose computer you don’t control and might be full of malware.
Tbh I forgot about giving access to others, my homelab is for me only lol
You only have to give them access to a specific port on a specific machine, not your entire LAN.
My VPN has a ‘media’ usergroup who can only access the, read-only, NFS exports of my media library.
If you’re just installing Wireguard and enabling IP forwarding, yeah it would not be secure. But using a mesh VPN, like Tailscale/Headscale, gives you A LOT more tools to control access.
yeah but even with plain wireguard the peers can be limited. you just have to figure out the firewall rules, or use opnsense as your wireguard server because it figures the harder part out for you.
it’s not that it cannot be done. the issue is that something as simple as acceding a service should not require to configure wire guard and routing rules. plenty of FOSS priests are safe to expose through a simple reverse proxy
Yes, not everyone. My grandmother would struggle setting up a VPN, for example.
However, a community member of the selfhosted community is perfectly capable of reading a manual and learning the software.
That’s how you become tech literate in the first place, and you’re already on that path if you’re commenting/reading here.
Agreed, was more so referring to others. I apologize if it seemed like I was referring to myself
I’m already well and truly deep into this, myself. Two Proxmox nodes running the *Arr stack and Jellyfin in LXC containers. Bare metal TrueNAS, with scheduled LTO backups every two weeks. A few other bits and bobs, like some game servers and home automation for family.
Look at Tailscale (or self-host headscale)
Especially for things like game servers, you could use tailscale serve (tailscale.com/docs/features/tailscale-serve) to allow temporary access, via a generated URL using your tailscale domain, to the server’s port.
It’s a bit of learning (like all of these other things) but it’s a very powerful tool.
I do agree with the general point that Jellyfin shouldn’t require a VPN.
Yes, not everyone. My grandmother would struggle setting up a VPN, for example.
that’s a weird take. your grandmother doesn’t need to set up a VPN. It’s not like this is where they would get stuck, they would have problems much sooner with running their own Jellyfin. that’s why you are hosting it for them, and why you go there and set the VPN up yourself.
I was not actually presenting a scenario where my grandmother would use a VPN.
I was pointing out that this community is full of people who are perfectly capable of learning to use a VPN. In response to this comment:
Unfortunately, not everyone is tech-literate enough nowadays to understand how a VPN works, nor do they want to
That’s a true statement about ‘everyone’ i.e. the entire population of the planet… but true about everyone here in this community.