We are also changing how remote playback works for streaming personal media (that is, playback when not on the same local network as the server). The reality is that we need more resources to continue putting forth the best personal media experience, and as a result, we will no longer offer remote playback as a free feature. This—alongside the new Plex Pass pricing—will help provide those resources. This change will apply to the future release of our new Plex experience for mobile and other platforms.
How do you do this on Jellyfin? The only ways I’m familiar with are to expose Jellyfin to the internet or access it through Tailscale, would love to hear alternatives.
It’s not that hard to get a reverse proxy up, get a free DDNS, and an SSL certificate from Let’s Encrypt.
https://www.linuxserver.io/blog/2020-08-21-introducing-swag
This is a pretty solid one-stop shop for handling all reverse proxying for Jellyfin and other applications like Sonarr, Radarr, Transmission, Ombi and lists of others that are pretty much drag-and-drop configuration files if you’re not mucking with the application’s default ports.
That exposes Jellyfin to the internet, so it’s not the same feature
And somehow you think that Plex isn’t exposing your server to the Internet for streaming while not on your local network?
Okay there Mr. Madison.
It’s not, not directly at least, and that’s what everyone is ignoring here. You probably understand the value of Authelia/Authentik but you’re failing to see that the Plex relay server is taking that same mantle here, so even if someone managed to compromise the relay server it’s still not on your home server, whereas exposing Jellyfin directly to the internet only requires one service to be compromised.
My dude, if you are connecting from outside your local network you are “exposed” to the Internet in some way. What magic are you thinking Plex is doing? Is someone hand delivering the packets via USPS?
Plex runs relay servers where your Plex server will connect to the relay and your player will also connect to the relay, making both ends of the connection egress type as far as routing and access control goes. https://support.plex.tv/articles/216766168-accessing-a-server-through-relay/
It’s optional and likely not everyone uses it, but this provides a way for Plex to do remote streaming without the Plex server being reachable directly from the internet.
Separately, it costs money for Plex to run.
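The relay pattern described in the comment above, as an added example that is not part of the original thread and is not Plex's code: a minimal asyncio rendezvous relay on localhost in which the media server and the player both make outbound connections and only the relay listens. All names, the one-line request format, and the lack of TLS and authentication are assumptions made for illustration.

```python
import asyncio

async def pipe(reader, writer):
    # Copy bytes one way until EOF, then close the destination.
    while data := await reader.read(4096):
        writer.write(data)
        await writer.drain()
    writer.close()

async def run_demo():
    parked = asyncio.Queue()  # home-server connections waiting at the relay
    async def relay_home_port(r, w):  # only the relay accepts inbound connections
        await parked.put((r, w))

    async def relay_player_port(r, w):
        hr, hw = await parked.get()
        # Splice the two inbound connections together, one pipe per direction.
        await asyncio.gather(pipe(r, hw), pipe(hr, w))

    home_srv = await asyncio.start_server(relay_home_port, "127.0.0.1", 0)
    play_srv = await asyncio.start_server(relay_player_port, "127.0.0.1", 0)
    home_port = home_srv.sockets[0].getsockname()[1]
    play_port = play_srv.sockets[0].getsockname()[1]

    async def media_server():
        # Home side: outbound (egress) connection only, no listening socket.
        r, w = await asyncio.open_connection("127.0.0.1", home_port)
        request = await r.readline()
        w.write(b"stream for " + request)
        await w.drain()
        w.close()

    async def player():
        # Remote side: also an outbound connection, to the relay.
        r, w = await asyncio.open_connection("127.0.0.1", play_port)
        w.write(b"GET movie\n")
        await w.drain()
        reply = await r.read()  # read until the relay closes the connection
        w.close()
        return reply

    home = asyncio.create_task(media_server())
    reply = await asyncio.wait_for(player(), timeout=5)
    await home
    home_srv.close()
    play_srv.close()
    return reply
def demo():
    return asyncio.run(run_demo())
```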
“In some way” is different from “directly”; on Plex you’re behind a relay server so it’s akin to being behind a VPS running Authentik/Authelia in front of the service on your home. Compromising the relay server does not necessarily compromise your home server, so it’s not direct like putting Jellyfin on a reverse proxy would be.
My home connection is behind CGNAT so I got a free VPS from Oracle (provides a public IP address), install Caddy on VPS, install Tailscale on VPS and router, expose routes from LAN to Tailscale network.
Now you can use Caddy to expose, for example, a Docker container (Jellyfin) at 192.168.1.100 to subdomain.exampledomain.com with SSL cert provided by Caddy.
VPS also requires some other stuff like ddclient and fail2ban.
I pieced this all together myself… it’s doable if you spend some time reading.
That exposes Jellyfin to the internet
Yes exactly. What do you think plex is doing?
Using a relay server to separate online from home connection
I don’t see anything in the linked article about a relay server
No, the article only mentions the feature by name, the docs for the feature mention the relay: https://support.plex.tv/articles/216766168-accessing-a-server-through-relay/
I see. So if you read that instruction you’ll see it’s the exact same setup that I outlined. They use a VPN to connect your client to your server and just negotiate the meeting in the middle. It’s the exact same risk scenario as running a reverse proxy on your own VPS. Unless I’m missing something else?
You are, authentication on the VPS, you’re relying on Jellyfin authentication against the internet. Correct me if I’m wrong, but this is your suggested setup: [home server] Jellyfin -> [remote server] Reverse Proxy -> [remote machine] users. Let’s imagine a scenario where Jellyfin has a bug that if you leave the password empty it logs you in (I know, it’s an exaggeration but just for the sake of argument, an SQL injection or other similar attacks would be more plausible but I’m trying to keep things simple), on your setup now anyone can log into your Jellyfin and from there it’s one jump to your home server. On Plex’s solution even if Plex authentication gets compromised the attacker only got access to the remote server, and would now need to find another vulnerability to jump to your Plex at home.
Putting something like Authelia/Authentik on a VPS in front of Jellyfin is a similar approach, but the Jellyfin client can’t handle third party authentication AFAIK
Reverse proxy
That exposes Jellyfin to the internet, so it’s my option 1.