I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?

  • beerclue@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    7 months ago

    Oh, I get that, but it just doesn’t make any sense to me to be physically next to the server, and connect to it via VPN…

    • dan@upvote.au
      link
      fedilink
      English
      arrow-up
      2
      ·
      7 months ago

      My point is that since the VPN uses a different subnet, it’s fine to keep it connected even at home. It’ll only use the VPN if you access the server’s VPN IP, not its regular IP.

      In any case, Tailscale and Wireguard are peer-to-peer, so the connection over the VPN is still directly to the server and there’s no real disadvantage of using the VPN IP on your local network.

      • beerclue@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        7 months ago

        Right, but I have wireguard on my opnsense. So when I want to reach https://jellyfin.example.com/ , if I am at home, it goes phone -> DNS -> proxy -> jellyfin (on the same network). If I am connected to the VPN, it goes from phone -> internet -> opnsense public ip -> wireguard subnet -> local subnet -> DNS -> proxy -> jellyfin. I see some unneeded extra steps here… Am I wrong?

        • dan@upvote.au
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          7 months ago

          Oh yeah, there’ll be some overhead if you’re running Wireguard on a router. Hitting your router’s public IP won’t go out to the internet though - the router will recognize that it’s its IP.

          It’s common to run Wireguard on every computer/phone/tablet/etc where possible rather than just on the router, since this takes advantage of its peer-to-peer nature. For home use, that’s how it was originally designed to be used. Tailscale makes it a lot easier to configure it this way though - it’s a bit of work for vanilla Wireguard. Tailscale does support “subnet routers” if you have any devices that you want to access over the VPN that can’t run Tailscale.