As the title suggests - networking has never been my strongest point but I’m trying to figure it out slowly!
I’m looking for the easiest way to access my Jellyfin and Immich remotely but I don’t have a static IP. So far I’ve been managing by just using the direct IP/forwarded port but from what I’ve been reading setting up either a Cloudflare tunnel or Tailscale would be the easiest way - what’s the best “idiot proof” guide I can use, or any better alternatives? I already have a couple of domain names I can use.
Thanks in advance.
I have a VPS with WireGuard and my home server connects to it; this way I access my local services from anywhere, Jellyfin included.
There are many ways to access your Jellyfin instance remotely. Depending on your need and skill, some might be easier / preferable than others. I’ll list some for completeness’ sake:
- VPS: You could rent a cheap VPS and run your Jellyfin server over there, given that the VPS provider’s policy allows it. Some providers allow for a free trial or pay-as-you-go pricing. Oracle’s Always Free pricing allows for free VPS compute granted that you stay within resource consumption limits.
- DDNS: You might use your server to frequently provide its IP to a dynamic-DNS provider. Then, your dynamically-assigned IP address is resolved without much issue. DuckDNS (free) is an example of such a provider.
- VPN: If you don’t plan on exposing your Jellyfin instance to the world, your server could listen on some address inside a VPN it forms a part of. With the added benefit of surpassing CGNAT, only those with access to the VPN can talk to your server which is great for security. ServerHost, for example, I think provides a cheap plan. You could host your own VPN if you like, although you’d need for it to be reachable by a given address.
- Tunneling: As you mentioned, Tailscale and Cloudflare, besides others, provide tunneling and protect your traffic.
Personally, I’d opt to use a DDNS provider on my own network and hide the Jellyfin instance under a self-hosted VPN. If you got another VPS, you might get away with hosting a publicly-accessible tunneling service on it which your Jellyfin service can consume on your premise network.
You should be careful if you’re planning on using Cloudflare to deliver media. Their terms of service on Content Delivery Networks, if I recall correctly, mention that you must use their specific Paid Services to serve video and other large files. I’m unsure if much has changed so it’s worth looking into, as well as the terms for other providers of course.
Also, you should consider protecting your server if you’re planning on it being remotely accessible. Although it might impact performance, I’d recommend perhaps:
- Hiding your server behind a secure reverse proxy, or if not planning to expose it to the internet, hiding it under a VPN entirely (which you could self host if you want).
- Encrypting traffic, with TLS and renewing certificates
- Geofiltering and rate-limiting access to your server to combat malicious traffic and DDoS attacks
- Isolating your server from your home/other networks, and perhaps consider adding network firewall solutions.
- Deploying the Jellyfin instance as a container, if anything, for the fail-over and isolation it can provide.
- Closing all unnecessary ports, including SSH if not remotely managed (if you’re managing it from home, you might not even need to remotely manage it). Since it’s Jellyfin serving media, likely only opening HTTPS is enough.
- Backing up your media both locally and remotely, in case your server gets compromised or crashes.
All these security measures above are a recommendation and you likely know best what degree of compromise between security and ease of access you’d prefer. They are definitely not the easiest to set up but I figured it might be worth your while if you’re planning to host a publicly accessible server.
Edit: As pointed out below, a (dynamic) DNS is not an access technology, but rather a way to have your IP associated with a domain name. You will likely want to use it for routinely registering your current IP to your domain name if hosting your own public-facing server.
Have it be noted that VPSs commonly have a static public-facing IP address, and opting for (non self-hosted) VPNs or tunneling usually means your server likely isn’t directly facing the internet. In those cases, you might not need a DDNS. That’s why I listed it as a separate item on the list even though it isn’t an access technology like the others might be.
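The reverse-proxy, TLS, rate-limiting and "only HTTPS open" items from the list in the comment above, sketched as one nginx server block. This is an added example, not part of the original comment: the hostname `media.example.com`, the certificate paths, the zone name and the rate values are assumptions, and Jellyfin is assumed to be listening on the same host on its default HTTP port 8096.

```nginx
# Added example: hostname, certificate paths, zone name and rate values are
# assumptions. Place inside the http {} context.

# WebSocket support: forward "Upgrade" only when the client asked for it.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Per-client-IP budget: 10 requests/second, state kept in a 10 MB zone.
limit_req_zone $binary_remote_addr zone=jellyfin_rl:10m rate=10r/s;

server {
    # HTTPS is the only listener, so 443 is the only port to forward.
    listen 443 ssl;
    server_name media.example.com;

    # Certificates are assumed to be issued and renewed by a separate ACME client.
    ssl_certificate     /etc/letsencrypt/live/media.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/media.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # Absorb short bursts (page loads fetch many images), reject the rest.
        limit_req zone=jellyfin_rl burst=40 nodelay;
        limit_req_status 429;

        # Jellyfin is assumed to be on this host; 8096 is its default HTTP port.
        proxy_pass http://127.0.0.1:8096;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Stream media to the client instead of buffering it in the proxy.
        proxy_buffering off;
    }
}
```

Run `nginx -t` to validate the file before reloading; the rate and burst values need tuning against real playback, since too tight a limit shows up as missing thumbnails or stalled streams.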
Tailscale is very easy. If it is just you, do that.
Just you (or maybe one other) - Tailscale.
Can’t use Cloudflare tunnel as it’s against their TOS (no streaming video)
Instead look at reverse proxy to do it.
For its ease and security, Tailscale.
I use this setup and it works like a charm.
I don’t have a static IP either. I just use DDNS so that the domain gets updated with the new IP automatically when it ever changes. Don’t use a Cloudflare tunnel. It just adds extra overhead and complexity to your setup.
If you already have things set up to hook up a domain name to your IP, the least-effort option is to set up dynamic DNS. As someone else mentioned, DuckDNS works well. You can also run your own (there is a Docker container for ddclient that is pretty quick to get running).
I use wg-easy instead of Tailscale.
Tailscale worked great once I thoroughly read the instructions
Tailscale on home server and connect remotely
What you need is dynamic DNS, or DDNS. You may have such a service built into your router; I know Asus and TP-Link do, probably others too. Otherwise there are many free services out there.
A domain, dns service and a reverse proxy and optionally a local dns server to resolve the domains locally to your network but still being accessible outside said network.
Another option while doing the above would be to set up a VPN for certain services that shouldn’t be exposed to the internet; gets you up and secure first.
I have a bunch of beginner user tutorials for setting up reverse proxy, i.e. https://sub.domain.com will load Jellyfin and anything else self-hosted. I have tutorials for dynamic IP or static IPs. If you have either one check out my channel.
https://youtube.com/playlist?list=PLBPISPhIa389lXVii915nwA8YE_ej3-Ju
This is very similar to my situation. I’m behind a CGNAT, and I access my Jellyfin and Immich via Tailscale. I have it set up with some Docker containers, but installing Tailscale on bare metal is the simplest way to do it.
Just to clarify for OP: DDNS (Dynamic Domain Name System) is not an access method like VPN or Tunnelling. It’s simply a way of keeping a domain name pointing at the correct IP when you have a non-static IP that changes periodically. It’s independent from those other concepts and DDNS would be useful to pair with any of the setups / access methods you choose so it would always point to your server whether it be hosted on a VPS or at home and accessed via a VPN or Tunnel.
Mentioning that in case OP is not aware. The way it’s listed together with the access methods might result in confusion for new people.
You’re right, I didn’t make the distinction clear. Thanks for pointing it out, I’ll add a small edit.
Unless I’m understanding you wrong, Tailscale doesn’t require a static IP or a domain. Tailscale is incredibly easy to set up. Install it on the Jellyfin server. Install it on the client. Input the Tailscale IP address for the Jellyfin server in the client. Done.
LOL because it just works.
I can access my arr services from anywhere by just typing my 100.xxx URL + the appropriate port. I never had to tamper with anything, nor would I be able to, and it just.works.
Why are you saying it does not work?
The other guy suggested a VPS with a VPN relay back to the house. Both about the same. Not sure why your way is superior, sounds more like you’re just triggered by “tailscale” being said. I’d work on that.
As for my suggestion: I’d do a custom domain. My Asus router has the ability to give me a dynamic IP with a choice of services (including a free mydomain.asuscomm.com domain). If your router doesn’t have this built in I’d say buy a $10/yr domain from Cloudflare and use one of the many DDNS updaters to update the IP. That’s what I do; it’s not super hard to set up. If you’re familiar with Docker this stuff is all easy level one type setups, nothing too hard. I would consider using a reverse proxy tho to only have port 80/443 accessible to something robust like nginx.