Background and Goal
Jellyfin is an amazing media server software app. In my experience, the single biggest barrier to entry for new users (especially people like me with pretty limited technical experience) is that - by default - Jellyfin runs without encryption and is unreachable from outside your local network.
Of course, there are many ways to secure Jellyfin, and guides on opening ports, handling dynamic IP addresses, and acquiring security certificates. But all of these require multiple steps, multiple apps, and a networking learning curve that can be off-putting to new users.
My GOAL was to find a "one and done" solution to replace:
Of course, there are many ways to secure Jellyfin, and guides on opening ports, handling dynamic IP addresses, and acquiring security certificates. But all of these require multiple steps, multiple apps, and a networking learning curve that can be off-putting to new users.
My GOAL was to find a "one and done" solution to replace:
- DDNS
- Reverse proxy
- Port forwarding and router tweaking
- Server security
What is Tailscale and What Does it Do?
Tailscale describes itself as a "Zero config VPN. Installs on any device in minutes, manages firewall rules for you, and works from anywhere." In practice what this means is that Tailscale creates a private network through which two or more devices can connect and interact privately. Tailscale works seamlessly with a dynamic IP without the need for a DDNS solution, and does not require port forwarding or opening to function. Best of all, Tailscale is free for up to 20 devices.
How it Works
Install the Tailscale app on the computer running your server and on any device you wish to use as a client. (as far as I can tell, Tailscale is available for Windows, MacOS, iOS, Linux, and Android - there are some reddit posts walking you through how to get it working on the NVIDIA Shield as well).
Once you have installed Tailscale on a device and signed in, that device will be assigned an internal network IP address by Tailscale. This IP address is not accessible to anyone outside your private Tailscale network (ie anyone who is not signed in to your personal Tailscale account). All devices signed into your Tailscale account, will now function as if they are all on the same local network.
Once you're installed on various computers, your Tailscale admin dashboard will look something like this:
Once you have installed Tailscale on a device and signed in, that device will be assigned an internal network IP address by Tailscale. This IP address is not accessible to anyone outside your private Tailscale network (ie anyone who is not signed in to your personal Tailscale account). All devices signed into your Tailscale account, will now function as if they are all on the same local network.
Once you're installed on various computers, your Tailscale admin dashboard will look something like this:
As you can see, I've registered 4 devices on my private Tailscale network and each of them has been assigned a private, internal IP address (100,x,x,x).
If I wanted to access my Jellyfin server from any Tailscale connected device, I would simply open a browser window and enter 100.124.6.128:8096. Because this is a private, secure network - I don't need a reverse proxy or SSL and it doesn't matter where in the world the computers are as long as they are all connected to the same Tailscale account and logged in.
The same goes for Jellyfin clients. If I connect my iPhone to Tailscale and open the Jellyfin client, I can add my server by entering http://100.124.6.128:8096. As far as my phone is concerned, my iOS client and server are on the same network.
If I wanted to access my Jellyfin server from any Tailscale connected device, I would simply open a browser window and enter 100.124.6.128:8096. Because this is a private, secure network - I don't need a reverse proxy or SSL and it doesn't matter where in the world the computers are as long as they are all connected to the same Tailscale account and logged in.
The same goes for Jellyfin clients. If I connect my iPhone to Tailscale and open the Jellyfin client, I can add my server by entering http://100.124.6.128:8096. As far as my phone is concerned, my iOS client and server are on the same network.
Limitations
The biggest limitation is that you have to have Tailscale installed and be signed in on your server at all times, and you must have Tailscale installed and be logged in for any client to work. On the upside you can leave Tailscale running full time and it will not interfere with browsing or internet activities. Thought Tailscale is, technically, a VPN - it does not change your computer IP or otherwise function as a VPN unless you access one of the other computers on your Tailscale network directly.
Give it a try and let me know what you think!
Give it a try and let me know what you think!