Please take this discussion to this post: https://lemmy.ml/post/28376589
Selfhosting is always a dilemma in terms of security for a lot of reasons. Nevertheless, I have one simple goal: selfhost a Jellyfin instance in the most secure way possible. I don’t plan to access it anywhere but home.
TL;DR
I want the highest degree of security possible, but my hard limits are:
- No custom DNS
- Always-on VPN
- No self-signed certificates (unless there is no risk of MITM)
- No external server
Full explanation
I want to be able to access it from multiple devices, so it can’t be a local-only instance.
I have a Raspberry Pi 5 that I want to host it on. That means I will not be hosting it on an external server, and I will only be able to run something light like securecore rather than something heavy like Qubes OS. Eventually I would like to use GrapheneOS to host it, once Android’s virtual machine management app becomes more stable.
It’s still crazy to me that 2TB microSDXC cards are a real thing.
I would like to avoid subscription costs such as the cost of buying a domain or the cost of paying for a VPN, however I prioritize security over cost. It is truly annoying that Jellyfin clients seldom support self-signed certificates, meaning the only way to get proper E2EE is by buying a domain and using a certificate authority. I wouldn’t want to use a self-signed certificate anyways, due to the risk of MITM attacks. I am a penetration tester, so I have tested attacks by injecting malicious certificates before. It is possible to add self-signed certificates as trusted certificates for each system, but I haven’t been able to get that to work since it seems clients don’t trust them anyways.
Buying a domain also runs many privacy risks, since it’s difficult to buy domains without handing over personal information. I do not want to change my DNS, since that risks browser fingerprinting if it differs from the VPN provider. I always use a VPN (currently ProtonVPN) for my devices.
If I pay for ProtonVPN (or other providers) it is possible to allow LAN connections, which would help significantly, but the issue of self-signed certificates still lingers.
With that said, it seems my options are very limited.
This would require paying for a VPN to allow LAN connections, which is an option but not my preferred one.
This is a matter of threat model, and I would prefer not to expose my TV preferences unencrypted over the network.
Does Caddy require a custom DNS in order to point the domain to a local IP address?
This is easy with securecore, since it updates daily. The rest of the semantics for the actual hosting side aren’t too difficult.
You don’t need a VPN for LAN connections. You’re already on the LAN. You’d only need it for access from the WAN.
If you’re using Let’s Encrypt, you should probably purchase a domain. I don’t think they support .internal domains. Or you could set up your own CA and run it however you want, even issuing certs to access by IP address if you wanted.
ProtonVPN by default blocks LAN connections, and can only be changed using their paid tier.
For that aspect, I would recommend changing to a provider that doesn’t have such ridiculous restrictions.
I kind of get it from Proton’s POV. If they have a free tier that allows a limited number of devices they’ll want to make sure you don’t tunnel all your devices through that one.
The only other providers I would use are Mullvad VPN or IVPN, both of which are paid.
I agree it is ridiculous.
But if you don’t plan to access it anywhere but home (your words), then it doesn’t have outside access, and putting it on your LAN is done.
Edit: if you do want to access it from outside, running a WireGuard VPN locally is pretty easy to do.
I still want security in transit, no matter where it is being broadcast from.
You don’t trust your home network?
You do‽ I know the person who runs it and they’re completely inept! /s
Yeah, but the user is also inept, so it evens out.
Honestly though, they could run a pair of Docker containers, one with Jellyfin, one with WireGuard, and only have access to the Jellyfin instance when logged into the micro-sized VPN? (I think Docker will let you play with networks that way; I’m experienced enough to be dangerous but not useful)
deleted by creator