Tailscale. It's free. Insanely easy to set up.
Just install on your devices and connect via the given tailscale ip for the jellyfin server.
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
Be civil.
No spam.
Posts are to be related to self-hosting.
Don't duplicate the full text of your blog or readme if you're providing a link.
Submission headline should match the article title.
No trolling.
Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details. Tags [CBH] or [AIP] are required, see the links in Rule 8 for details.
AI-related discussions and AI-involved promotional posts have additional requirements for tagging, as noted in Rule 7 and the AI & Promotional Post Expanded Rules post, and find example disclosures here.
Resources:
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
Tailscale. It's free. Insanely easy to set up.
Just install on your devices and connect via the given tailscale ip for the jellyfin server.
I would also propose going with Tailscale instead If a VPN + DynDNS solution. Imho it is a lot easier to Setup compared to VPN + DynDNS If you are a beginner and just starting out.
If at some point you need more and then is available in the free Tier of Tailscale and you do not want to pay for it (and you have built up some knowledge!) you can switch to something like Headscale or Netbird.
Or head scale if you don’t want something you don’t control that requires an account with google/apple/microsoft
Tailscale. It’s free.
Something about Tailscale rubs me the wrong way. That "free" aspect, specifically. No company ever runs a free service without some sort of compromise somewhere.
wanted a free solution
ends up buying a domain
Welcome to the club, buddy!
Cheap domains are basically free though so it doesn't count!
Until you have dozens of them... Lol.
And they keep rising in price or you didn't notice the dark pattern where it was actually the price for the first year.
https://netbird.io/ for your own private network of trusted devices, it's free and doesn't require a separate Big Tech account to use (unlike Tailscale)
And then if you want to share Jellyfin with someone who isn't in your Netbird network... believe it or not, also Netbird
This
That's the whole point of a domain. Your IP changes every now and again you need people to know where to reach you. You give them a domain, and you configure the name records so that the domain always points to the right IP address.
Your options:
Domain is the cleanest option.
I am telling you how annoying it is because that's how likely your friends are to adopt it and how secure it is because depending on your country you are doing something illegal and you really don't want anyone to find out and you gotta keep it updated more often if you don't want people to exploit it. There's an endless supply of very smart people out there who use known bugs to target public services.
Edit: I forgot DDNS, see below comments.
You left out DDNS. It's free, easy to set up with lots of detailed guides online, and works as well as a static IP.
Thank you. I've bought a domain. I'd like to go with this option. Just researching how to do it on cloud flare
On Cloudflare, you’ll want to set a DNS record to point any relevant subdomains to your current WAN IP address. IPv4 will be an A Name record. IPv6 would be an AAAA Name record, but I’m not going to deal with IPv6 for this… Here is an example of mine, with info blocked out:


So for instance, maybe you have a peepee.example.com subdomain, a poopoo.example.com subdomain, etc which all point to your WAN IP address. That will basically tell Cloudflare’s DNS to forward any traffic for those subdomains to your WAN IP. Each subdomain can also choose whether or not to proxy the content, or just directly send it to your WAN with DNS. Basically, when Cloudflare propagates the DNS records to the various DNS servers, you can choose whether that record has your WAN IP (DNS Only) or one of Cloudflare’s (Proxied). Proxy support means you can take advantage of some additional CF protections, but it also means passing all of the data through CF’s server. In most cases, you’ll want DNS Only. Proxy support will depend on the individual service. Some will work fine with it, some won’t. And it’s also possible that you don’t want services proxied through CF for privacy reasons.
Next, you’ll want to set up a reverse proxy service. This will be something like Nginx Proxy Manager, Caddy, etc that you run on a device on your LAN. It can even be on the same machine running your various services. The big reverse proxies all offer Docker images, so you can incorporate it directly into an existing Docker stack if you already have one. Personally I use NPM, but Caddy is also very popular.
You’ll tell this reverse proxy “when you receive valid traffic addressed to {subdomain}, forward it to {relevant service on your LAN}.” You can also set some additional options for each subdomain, like automatically upgrading to https. For instance, maybe peepee.example.com forwards to 192.168.1.100:42069 on your LAN, and is configured to automatically upgrade any http traffic to https, and to require https.
You can also set up automatic TLS certificate renewal, so https traffic can be properly encrypted. The reverse proxy will need an API key, and it will allow the service to automatically check expiration dates and pull a fresh TLS cert for your domain if the date is coming up soon.
You’ll probably want to use a wildcard certificate, (basically *.example.com) because the TLS certificates are open to the public. So if you do individual certs for all of your various services, bots will scrape the public records and you’ll inevitably get a lot of bot traffic probing your various subdomains. A wildcard domain usually means the bots hit the standard example.com and www.example.com first, which makes them super easy to detect and block. I even have rules set up to automatically block anything that tries to access my www subdomain, because I specifically don’t host a landing page and don’t have anything available there. So I know that any traffic hitting that www subdomain is a bot trying to access common subdomains.
Next, you’ll want to forward ports 80 and 443 to your reverse proxy. Port 80 is the standard port for http traffic, and 443 is the standard port for https traffic. These will be the ports that your reverse proxy actually receives the traffic on, before forwarding it to the various services. Note that lots of lazy devs default to using 80 and 443 for lots of things, so you may want to configure your router to use a different port (like 81 or 444) for its config page if you’re able. Otherwise, you may end up accidentally locking yourself out of your router’s config page, because it will attempt to use 80 to reach the page, then get automatically forwarded to the reverse proxy instead.
Finally, for some ease-of-maintenance, you may want to consider adding a DDNS service (like Cloudflare-DDNS) to your docker stack. This will occasionally check your current WAN IP, and update it with Cloudflare if necessary. For example, if you have an outage and your router gets a new WAN IP when it boots back up again. Normally you would need to manually go to Cloudflare and update the IP info to point at your new address. But DDNS does that automatically.
The way traffic flows when it is all set up is along these lines:
peepee.example.com. It doesn’t know where to find that site, so it asks a DNS server.peepee.example.com can be found at {your IPv4 WAN address}”.http://peepee.example.com/.”peepee.example.com subdomain, finds it has a valid TLS cert, finds it is configured to automatically upgrade to https, and responds “Yes, please upgrade to https. Http traffic is not allowed.”https://peepee.example.com/. Your reverse proxy goes “thank you, here is the TLS cert and my half of the TLS security handshake.”192.168.1.100:42069.But notably, keep in mind that the reverse proxy didn’t do any actual user authentication. If your service has a weak password, a reverse proxy will act as a gateway for any potential hackers to gain access to the service. The same way an open port is a gateway directly to the service, the reverse proxy is now a gateway that simply requires an attacker to use a subdomain instead of an IP and port number. And if you make your subdomain something like jellyfin.example.com it will probably be dead simple for a bot to guess. And any vulnerabilities in the service will still be exploitable via the reverse proxy, because the reverse proxy is simply making sure the request is valid, and then passing the traffic back and forth. It isn’t actually inspecting the content of that traffic, so it’s not going to stop things like attackers. When you hear digital security folks talk about things like attack vectors, this is what they’re referring to. Your reverse proxy is a potential vector of attack for your configured services. Use strong passwords, keep your services updated, etc…
You can technically add authentication to a reverse proxy. So for instance, maybe a service doesn’t have any built-in way to add a password. You can have the reverse proxy act as an authentication gate, so it will prompt the user for a username+password before they can even reach the service. This will make the services more secure (yes, even the ones that already have passwords, as long as you use a different password for your reverse proxy authentication) but it will break most apps that are designed to work with a service. For instance, Jellyfin has several apps that work, but those apps won’t have any way to get past the reverse proxy’s password gate. So those apps will simply break if you add a second layer of authentication with your reverse proxy.
There are also some security options you’ll likely want to enable on Cloudflare’s side, but this comment is already long enough.
@Vegan_Joe — if you’re still stuck, try this: install Tailscale → join your tailnet → expose Jellyfin container port 8096 as 443. That’s it. No nginx, no static IP hunting. I wrote a 3-command cheatsheet here https://cxgo.ai/l/5bwrT9m that I wish existed when I started fumbling with docker-compose overrides. Works on a $20 raspberry pi and a 2014 Mac mini, so your hardware shouldn’t matter.
for a beginner with just a few remote clients, tailscale all the way.
though I still like doing it the old way with a custom nginx setup, fail2ban and a domain name, but its more work to make it secure and even then it's still somewhat of a liability.
How stable is tail scale in teal life? I constantly have issues with relay servers not being available, spontaneous logouts, etc..
I want to use it, but I also want my wife to use it and she will need a "no matter what, it must work" solution or she won't use it
Personally I didn’t want to have to hand out VPN credentials to everyone, so I went with a cloudflare tunnel with Authelia as the method of authentication.
+1 for Cloudflare Tunnels/Zero Trust. The free tier is more than generous for a homelab
Not to mention, the amount of data you can run through it is nuts. I’ve been running Stremio web through it for months without issue to watch content at work.
I ended up using duckdns for a free domain. It sucks that I had to tie it to a google account, and maybe one day this might be an area where I buy a proper domain instead.
I have a glinet Flint3 router that makes it easy to spin up Wireguard servers on it. It was a bit more finnicky, but eventually I was able to get into the advanced settings and configure the router to sync the dynamic IP with DuckDNS too.
So I have Wireguard on my phone and my wife's phone. We have one pair of close friends who have a connection on their router too (and vice-versa) and their own Jellyfin server.
I'm using wireguard with wg-easy. It's a gui that let you easely setup wireguard. My isp is giving a fixed ipv4. So i don't have to think about dns or other complicated things. I have Jellyfin and wg-easy installed on truenas as docker apps.
There are official app for any os you want.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
| Fewer Letters | More Letters |
|---|---|
| CA | (SSL) Certificate Authority |
| CGNAT | Carrier-Grade NAT |
| DHCP | Dynamic Host Configuration Protocol, automates assignment of IPs when connecting to a network |
| DNS | Domain Name Service/System |
| ISP | Internet Service Provider |
| NAT | Network Address Translation |
| Plex | Brand of media server package |
| SSO | Single Sign-On |
| TLS | Transport Layer Security, supersedes SSL |
| UDP | User Datagram Protocol, for real-time communications |
| VPN | Virtual Private Network |
| VPS | Virtual Private Server (opposed to shared hosting) |
| nginx | Popular HTTP server |
[Thread #41 for this comm, first seen 5th Jul 2026, 18:30] [FAQ] [Full list] [Contact] [Source code]