this post was submitted on 31 Mar 2025
213 points (98.2% liked)

Selfhosted

52533 readers
2079 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?

you are viewing a single comment's thread
view the rest of the comments
[–] dan@upvote.au 1 points 6 months ago* (last edited 6 months ago) (1 children)

If you have a separate subnet for it, then why do you only want it to be connected when you're not on home wifi? You can just leave it connected all the time since it won't interfere with accessing anything outside that subnet.

One of the main benefits of Wireguard (and Tailscale) is that it's peer-to-peer rather than client-server. You can use the VPN IPs at home too, and it'll add barely any overhead.

(leaving it connected is assuming you're not routing all your traffic through one of the peers)

[–] beerclue@lemmy.world 1 points 6 months ago (1 children)

My network is not publicly accessible. I can only access the internal services while connected to my VPN or when I'm physically at home. I connect to WG to use the local DNS (pihole) or to access the selfhosted stuff. I don't need to be connected while I'm at home... In a way, I am always using the home DNS.

Maybe I'm misunderstanding what you're saying...

[–] Lem453@lemmy.ca 2 points 6 months ago (2 children)

He's saying that while there is no benefit to being connect to WG at home, there is also no downside so many people just stay connected all the time.

[–] dan@upvote.au 1 points 6 months ago

Yeah, this. Plus if you leave it connected, you can use the VPN IPs while at home instead of having to use a different IP when at home vs when out (or deal with split horizon DNS)

[–] beerclue@lemmy.world 1 points 6 months ago (1 children)

Oh, I get that, but it just doesn't make any sense to me to be physically next to the server, and connect to it via VPN...

[–] dan@upvote.au 1 points 6 months ago (1 children)

My point is that since the VPN uses a different subnet, it's fine to keep it connected even at home. It'll only use the VPN if you access the server's VPN IP, not its regular IP.

In any case, Tailscale and Wireguard are peer-to-peer, so the connection over the VPN is still directly to the server and there's no real disadvantage of using the VPN IP on your local network.

[–] beerclue@lemmy.world 1 points 6 months ago* (last edited 6 months ago) (1 children)

Right, but I have wireguard on my opnsense. So when I want to reach https://jellyfin.example.com/ , if I am at home, it goes phone -> DNS -> proxy -> jellyfin (on the same network). If I am connected to the VPN, it goes from phone -> internet -> opnsense public ip -> wireguard subnet -> local subnet -> DNS -> proxy -> jellyfin. I see some unneeded extra steps here... Am I wrong?

[–] dan@upvote.au 1 points 6 months ago* (last edited 6 months ago) (1 children)

Oh yeah, there'll be some overhead if you're running Wireguard on a router. Hitting your router's public IP won't go out to the internet though - the router will recognize that it's its IP.

It's common to run Wireguard on every computer/phone/tablet/etc where possible rather than just on the router, since this takes advantage of its peer-to-peer nature. For home use, that's how it was originally designed to be used. Tailscale makes it a lot easier to configure it this way though - it's a bit of work for vanilla Wireguard. Tailscale does support "subnet routers" if you have any devices that you want to access over the VPN that can't run Tailscale.

[–] beerclue@lemmy.world 1 points 6 months ago

I don't think I've ever encountered what you say... I use WG it to access a network, not a device. I have a few dozen devices, physical and virtual, why should I set up wg on all of them? Tailscale, maybe, it's a different story, but I prefer to "self host" and not rely on a 3rd party provider. Wireguard was relatively easy to set up too, a few years ago... and in the meantime, if I need to add a new client, it's a two minute job.