I was just in your exact Situation with my Jellyfin home server. I was using Tailscale for a while, but ran into a problem: my new server is really bad at encoding, so I can only use direct play, which uses more bandwidth than the tail scale relay servers can give.

The problem with tail scale is, I basically only ever use the relay servers because my home is cgnat and most of the time when I want to stream outside of home I am on mobile data with cgnat or at college (restrictive firewall).

My solution which I implemented last weekend was to buy the cheapest VPS I could get from my trusted provider and harden it and install nginx proxy manager and tailscale. With that, I can make a direct (no relay server) connection to my home server and proxy Jellyfin to a public domain.

I am still figuring out how to secure Jellyfin, but I have also seen some comments that Jellyfin is secure by default and therefore ok to have exposed.

Actually no, it is insecure, do not expose it to the internet. I will be adding separate authentication to access it via proxy.

I wouldn’t rely on the thief not knowing how to read linux partitions. That very well may be the case, but the person they sell your hardware to will know better, considering they are in the market of purchasing used server hardware.

I self host and my threat model is the thief selling my server to someone who knows what to do with it, but not knowing how to extract encryption keys from the memory of a running server before unpluging it. That being said I haven’t figured out encryption yet so watching this thread.

This is simultaneously cool and cursed af.