azorius.vedetta.com

LXC Jellyfin Container and Tailscale
from NastyNative@mander.xyz to selfhosted@lemmy.world on 03 Mar 10:35
https://mander.xyz/post/48333324

Progress so far - mander.xyz/post/47833580

My next objective is configuring Jellyfin for secure external access. It is fully operational on my LAN and is performing significantly better than the Windows instance I previously ran.

I have installed Tailscale on the Proxmox VE host shell to enable remote access and have also enabled multi-factor authentication on my proxmox account. While everything appears to be functioning properly, I am still relatively new to Tailscale and want to ensure I am implementing this securely.

My initial assumption was that I would also need to install Tailscale within the Jellyfin LXC container. However, I have encountered conflicting information suggesting this may introduce security concerns, particularly when dealing with container privileges and root access. As a result, I am uncertain whether this is the appropriate approach.

What is the recommended and secure method to provide external access to Jellyfin in this setup?

#selfhosted

threaded - newest

rtxn@lemmy.world on 03 Mar 15:21 next collapse

external access

Do you want the Jellyfin server to be accessible from only within your tailnet, or anywhere from the internet?

NastyNative@mander.xyz on 03 Mar 15:28 collapse

anywhere from the internet.

rtxn@lemmy.world on 03 Mar 16:41 collapse

Tailscale Funnel will let you expose a host to everyone on the internet. You’ll need the Tailscale client running on either the Jellyfin host or a reverse proxy pointing to it. Tailscale itself will act as a reverse proxy with TLS encryption, plus a DNS server.

Exposing a service to the internet will always present some risk. You should definitely run your LXCs as unprivileged, unless needed otherwise, to mitigate the potential damage if an attacker escapes the container, or put the services in full virtual machines.

baner@lemmy.zip on 04 Mar 02:42 collapse

Just remember that using funnel for streamimg servicies it is against the toss.

NastyNative@mander.xyz on 04 Mar 08:06 collapse

Tailscale actually has good documentation on this Funnel and I read the same. Thank you!

baner@lemmy.zip on 04 Mar 02:49 next collapse

You have 2 options:

1 - Open up Jellyfin port (8093) in your router if you are not behind a cgnat and add a reverse proxy

2 - Get a small vps and a domain, install a reverse proxy and use tailscale to connect the vps with your home server, point your domain to the vps and forward traffic to jellyfin.

NastyNative@mander.xyz on 04 Mar 08:08 collapse

I can open the required port without issue. However, I would like to further educate myself on reverse proxy configurations, as I believe this would be the most secure and appropriate approach. Thank you!

baner@lemmy.zip on 04 Mar 11:37 collapse

What is the use case? Share with family and friends?

Decronym@lemmy.decronym.xyz on 04 Mar 02:50 collapse

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters	More Letters
DNS	Domain Name Service/System
LXC	Linux Containers
SSL	Secure Sockets Layer, for transparent encryption
TLS	Transport Layer Security, supersedes SSL

3 acronyms in this thread; the most compressed thread commented on today has 12 acronyms.

[Thread #133 for this comm, first seen 4th Mar 2026, 10:50] [FAQ] [Full list] [Contact] [Source code]