Please take this discussion to this post: https://lemmy.ml/post/28376589

Selfhosting is always a dilemma in terms of security for a lot of reasons. Nevertheless, I have one simple goal: selfhost a Jellyfin instance in the most secure way possible. I don’t plan to access it anywhere but home.

TL;DR

I want the highest degree of security possible, but my hard limits are:

  • No custom DNS
  • Always-on VPN
  • No self-signed certificates (unless there is no risk of MITM)
  • No external server

Full explanation

I want to be able to access it from multiple devices, so it can’t be a local-only instance.

I have a Raspberry Pi 5 that I want to host it on. That means I will not be hosting it on an external server, and I will only be able to run something light like securecore rather than something heavy like Qubes OS. Eventually I would like to use GrapheneOS to host it, once Android’s virtual machine management app becomes more stable.

It’s still crazy to me that 2TB microSDXC cards are a real thing.

I would like to avoid subscription costs such as the cost of buying a domain or the cost of paying for a VPN; however, I prioritize security over cost. It is truly annoying that Jellyfin clients seldom support self-signed certificates, meaning the only way to get proper E2EE is by buying a domain and using a certificate authority. I wouldn’t want to use a self-signed certificate anyways, due to the risk of MITM attacks. I am a penetration tester, so I have tested attacks by injecting malicious certificates before. It is possible to add self-signed certificates as trusted certificates for each system, but I haven’t been able to get that to work since it seems clients don’t trust them anyways.

Buying a domain also runs many privacy risks, since it’s difficult to buy domains without handing over personal information. I do not want to change my DNS, since that risks browser fingerprinting if it differs from the VPN provider. I always use a VPN (currently ProtonVPN) for my devices.

If I pay for ProtonVPN (or other providers) it is possible to allow LAN connections, which would help significantly, but the issue of self-signed certificates still lingers.

With that said, it seems my options are very limited.

  • smiletolerantly@awful.systems · 35 up · 7 months ago

    What are you talking about. Please clarify if this is actually true:

    I don’t plan to access it anywhere but home.

    This would mean that you only want to access Jellyfin when you, and the device you are watching your show/movie on, are at home, where the Pi/server also is.

    Is this correct?

    If so, then questions about VPN, Certificates, DNS,… do not matter.

    1. host Jellyfin on the Pi, e.g. with IP 192.168.10.20 on your local network
    2. open the Jellyfin app on your TV/Phone/PC, connect to http://192.168.10.20:8096/
    3. done

    Now you can access it at home, and only at home. I honestly fail to see where a VPN would even come into the equation here (again, if you wish to ONLY watch when you are at home, as you’ve said).

    • DesolateMood@lemm.ee · 9 up · 7 months ago

      OP’s problem is that Proton blocks LAN connections when connected and requires you to pay them if you want to unblock it.

    • The 8232 Project@lemmy.ml (OP) · 1 up, 13 down · 7 months ago

      This would mean that you only want to access Jellyfin when you, and the device you are watching your show/movie on, are at home, where the Pi/server also is.

      Is this correct?

      Yes.

      If so, then questions about VPN, Certificates, DNS,… do not matter.

      They do, because if ProtonVPN blocks LAN connections then the only other option is exposing the server to the WAN.

      open the Jellyfin app on your TV/Phone/PC, connect to http://192.168.10.20:8096/

      This does not encrypt during transit, and my network is not a trusted party.

      I honestly fail to see where a VPN would even come into the equation here

      I, like many others, use my devices for more than just accessing my LAN while I am on my home network.

      • smiletolerantly@awful.systems · 19 up · 7 months ago

        This does not encrypt during transit, and my network is not a trusted party.

        Then honestly, you have other problems than setting up Jellyfin.

        For real though, if you think someone is (or might be) listening in on your local network, i.e. have physical access or compromised one of your machines, then the Jellyfin traffic is the least of your problems. Pick your battles. What’s the worst that could happen here - someone gets to know your favorite show?

        They do, because if ProtonVPN blocks LAN connections then the only other option is exposing the server to the WAN

        Ah, I see. On your PC you should just be able to set a static route over the physical interface for 192.168.0.0/24 (or whatever your local network is) which takes precedence over the VPN. For android… Oof, no idea. Probably need root.
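To show why the static route suggested in this comment wins over the tunnel, here is an added example (not posted by any commenter) that simulates the kernel's longest-prefix-match lookup over a constructed routing table shaped like what a typical Linux VPN client installs; the interface names, metrics and the 192.168.10.0/24 subnet are assumptions.

```python
import ipaddress

# Constructed routing table (assumed values, not taken from any real host).
# VPN clients commonly add 0.0.0.0/1 and 128.0.0.0/1 so that together they
# cover everything and beat the original default route without deleting it.
# The /24 entry is the static route for the LAN from the comment above.
ROUTES = [
    ("0.0.0.0/1",       "tun0", 0),
    ("128.0.0.0/1",     "tun0", 0),
    ("192.168.10.0/24", "eth0", 100),   # added LAN route on the physical NIC
    ("default",         "eth0", 600),   # original default route via the router
]


def lookup(dst, routes=ROUTES):
    """Return the interface a destination would leave on, using the kernel's
    rule: the longest matching prefix wins, and a lower metric breaks ties."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, metric in routes:
        net = ipaddress.ip_network("0.0.0.0/0" if prefix == "default" else prefix)
        if addr in net:
            key = (net.prefixlen, -metric)   # longer prefix, then lower metric
            if best is None or key > best[0]:
                best = (key, iface)
    return best[1] if best else None


def lan_bypasses_vpn(server_ip, lan_iface="eth0", routes=ROUTES):
    """True when traffic to the Jellyfin server stays on the physical
    interface while traffic to the internet still goes through the tunnel."""
    internet_probe = "203.0.113.10"   # TEST-NET-3 address, constructed
    return (lookup(server_ip, routes) == lan_iface
            and lookup(internet_probe, routes) != lan_iface)


if __name__ == "__main__":
    print("192.168.10.20 ->", lookup("192.168.10.20"))
    print("203.0.113.10  ->", lookup("203.0.113.10"))
    print("LAN bypasses VPN:", lan_bypasses_vpn("192.168.10.20"))
```

On a real host, `ip route get 192.168.10.20` performs this lookup for you and should name the physical interface rather than the tunnel once the route is in place; note that a VPN client's kill switch can still drop LAN traffic at the firewall even when routing is correct.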

        • The 8232 Project@lemmy.ml (OP) · 2 up, 8 down · 7 months ago

          For real though, if you think someone is (or might be) listening in on your local network, i.e. have physical access or compromised one of your machines, then the Jellyfin traffic is the least of your problems. Pick your battles. What’s the worst that could happen here - someone gets to know your favorite show?

          A bad router + bad ISP combo means I get ratted out for copyrighted material (that I don’t have… I only host creative commons videos on my Jellyfin server, of course…)

          • smiletolerantly@awful.systems · 15 up · 7 months ago

            This isn’t really true. Even IF your router would fail catastrophically in the right way to expose your server to the internet, or if it actually “ratted your traffic out” to the ISP and the ISP cared (which it does not), it’s not illegal to host Jellyfin, or put media on it which you own (which is not discernible from just… media being streamed).

            Also your ISP has no part in your local network traffic.

          • Trainguyrom@reddthat.com · 4 up · 7 months ago

            Sounds far more likely that either someone misunderstood that residential IPs change frequently/may be shared by multiple subscribers, or the ISP made an error when responding to a subpoena and provided the incorrect IP. Unfortunately both are all too common with privacy enforcement.

            If you really think the ISP router is snooping and can’t be bypassed, you could simply double-NAT your network with a trusted router and call it a day. Much less VPNing and much less unusual decisions of trust and threat model involved than that.

        • The 8232 Project@lemmy.ml (OP) · 1 up, 6 down · 7 months ago

          Just out of curiosity, why is your network not a trusted party?

          Part of my threat model is essentially “anything that can connect to the internet poses a security risk”. Since networks are the literal gateway to the internet, it is reasonable not to trust them. Routers don’t run operating systems as secure as Qubes OS, secureblue, or GrapheneOS. If a malicious party found a way to connect to the network, all unencrypted activities can be intercepted. If the router itself has malicious code, any unencrypted traffic can be sent to a third party. Those are just the basics, but trying to put band-aid solutions on a fundamentally broken system is a losing battle.

          GrapheneOS distrusts networks as much as possible, so I do too. Even if I own the network, I am not a network engineer, so the chances of fault are high. In the simplest case, the network is a gateway to all activity that happens on the LAN, and it only takes one zero day to make that happen. The best mitigation is proper encryption and no self-signed certificates (where possible).