After 14 years with Plex, I finally moved my video library to Jellyfin. Why rising costs, feature restrictions and digital ownership pushed me towards FOSS.
This article doesn’t mention the limitations of remote access for Jellyfin, which requires some tricks like reverse proxy or Tailscale. I think Jellyfin is a great option if you only watch/listen on your home network, but if anyone wants to replicate the remote access capabilities of Plex, I typically warn them they are going to have to roll their sleeves up.
That seems like a rather arrogant tone to take. Reverse proxies are complicated. Easy to set up, but challenging to configure depending on what your needs are. Not everyone wants a homelab.
Everyone’s journey starts somewhere and sometimes people’s needs just don’t extend beyond the easier choices available.
You shouldn’t even have Jellyfin on a reverse proxy, because it shouldn’t be externally available. There are several known security vulnerabilities (all marked as “closed” due to inactivity on git) that the devs have said will likely never be patched. Because patching them requires breaking away from the Emby fork that the entire project is built on.
It should only be externally available via a private VPN. And that alone excludes a lot of “I want to share my library with friends/family” scenarios, because step 0 will be getting their devices connected to your VPN.
At the very least, set up some form of access control/username+PW directly on your reverse proxy as a secondary security measure. Because if you can reach the JF landing page, you can exploit those vulnerabilities without needing a valid JF login. So you should configure your reverse proxy to act as a gatekeeper, and ensure attackers can’t even reach JF at all without having a valid login to your reverse proxy. But this will break most JF apps (except for browsers) because they likely won’t have any way to give an initial user+pass to the reverse proxy before they hit the JF server.
Honestly for video I agree, for audio, it’s just me and only in my house or phone so tailscale is fine. If my friends really want audio, they can pay streaming for it.
But Jellyfin! It solves all your problems, you don’t have to pay for it (because fuck paying for software of any type even if it provides you some value), and did I mention Jellyfin‽
Why aren’t you using it yet? Are you a plex sympathizer? Get outta here with that!
What?
I don’t care if you have a good use case for using plex / Emby / Kodi / VLC / WMC / etc; you will assimilate and use Jellyifn!
Not something that unfortunately works as easily for me to connect my ailing mom’s TV to, and do NOT want to manage the reverse proxy + cert + etc setup for a number of reasons
You do then still have to expose JF to the open internet. That’s not without risk. Neither is Plex but they do make it a point to secure all their endpoints before login.
The point is that you now have another app to manage or learn about just for remote viewing, and the general public can’t and won’t manage something like that. People like us, no problem, its easy, but my dad would never be able to, for example. He can install plex and just log in to an app anywhere to use it though.
Also, dont forget that many households have non-static IP addresses, so now you need more management for that issue (again, easy for us).
But Jellyfin! It solves all your problems, you don’t have to pay for it (because fuck paying for software of any type even if it provides you some value), and did I mention Jellyfin‽
Why aren’t you using it yet? Are you a plex sympathizer? Get outta here with that!
What?
I don’t care if you have a good use case for using plex / Emby / Kodi / VLC / WMC / etc; you will assimilate and use Jellyifn!
Yeah it can be more limiting. Personally I got lucky and my mom’s TV runs Android so I could just install a wireguard client.
I will probably at some point bridge her network with mine since I want to install a TrueNAS box at her house for remote backup. So the VPN client will be moot at that point.
Which part? For the TV there was literally a wireguard app. I just had to install it on the TV and configure the connection to my wireguard server.
For the bridging I gave her my old router which I haven’t tested but I believe should support VPN bridging. I already have her on a subnet that won’t conflict with my network for that reason.
If you have a machine at her place that is on most of the time you can have tailscale on that device and then make it ssh into itself with ssh portforwarding on!
Edit: You can also selfhost headscale and do the same as the comment below said
That doesn’t slove the problem if your Smart TV doesn’t support tailscale or something like Wireguard. Using another machine connected to a VPN like for example Tailscale/Headscale and then using ssh portforwarding allows you to access the service(jellyfin) on the device without support.
It would be like this:
Jellyfin <-- Tailscale/Headscale <— Machine forwarding the jellyfins port <-- Smart TV
Most people are not gonna go that route unfortunately. I want to love JF, but the remote access is a big sticking point, especially for non tech relatives.
It bugs me when people just say tailscale like that solves it all. It’s very useful and solves a lot of problems, but not all. Unfortunately.
I completely agree, Tailscale will not just solve your issues. If you want to have is as simple as possible for your users you are going to need to expose it publicly for your users. And the reason I posted the comment above is to share a solution that has worked for me to get my users "Smart"TVs to work. Honestly if someone where to make a service that provides a “plex networking” solution for jellyfin I think allot of people would consider using it and leave plex for good!
I set up a free dns from duckdns.org and pointed it to my jellyfin server. All my parents had to do was to use that https://randomserver.duckdns.org/ as the server url in the jellyfin app.
It’s been running on caddy + duckdns for 5 years or more now. I use a non standard jellyfin port for the port forwarding, so that probably helps. Also, there’s probably an aspect of security by obscurity.
Yeah then this might not be a great idea for you, unless you have the possibility to fix a machine if you visit. But I want to make it clear this is not a fix all thing just trying to help :D
Making an account and giving it to uncle fred with a website address is a LOT easier than telling him to install an app on his phone/computer, inviting him via email, then trying to explain to him how to turn it on and off and telling him not to mess with the settings and route all his traffic through my home network.
Yes the solution is different hardware, like a Google TV, older firestick, raspAP, or flash openwrt on a router. But that’s no longer plug and play and may have other caveats. Besides costing money.
No shade, it’s just not QUITE that simple every time.
Someone breakes in, then moves laterally to your home assistant running frigate to watch you sleep at night. Then uses your residential uplink as a proxy to resell on an open market.
After that, the possibilities are practically endless.
Yeah docker isn’t the isolation sandbox some people make it out to be. It’s not meant for that. You very well may have a setup that’s meant for that but it’s more than I’m willing to expose.
No reason to connect jellyfin to any sort of local network, router will still hairpin for local connection.
With that setup its honestly more secure than 99% of IOT devices, and like 50% of routers.
edit: and if youre running it in the pentagon or something just toss authentication like keycloak in front of it, plus a bit of crowdsec/fail2ban and an IP whitelist, I’d be surprised if you’d even get an attack, much less one violating that strict of a threat models.
There is a third option, the program that Jellyfin was originally forked from back in 2018, Emby.
Sort of the middle child between the two. Nearly identically to Jellyfin for obvious reasons, several third party apps for Jellyfin work with it as well like Jellyseer, it has apps for nearly every device, and easy external connections via their servers like Plex does.
They do however have a premium subscription system like Plex to support things like those servers. It’s not as expensive as Plex, even before the recent rate hike, but it is there and some stuff is locked behind that premium license.
I can’t recommend emby because their business practices are pretty scummy. After accepting open source contributions for years, they went closed-source in 2018 and took all those contributions with them (they had a CLA). The very next update, they added hardware acceleration and locked it behind a paywall. They had a pretty big ‘security incident’ a few years ago, which probably would have been averted if they were still open source, as users in the community flagged it as an issue long before the devs took action.
So all the bad things of both, still a proprietary product that you can funnel your cotent through servers you don’t control while simultaneously not being plex.
I only personally have experience with jellyfin, but the docs of Emby look to support the same remote access as Plex (without the TURN server).
So essentially you can use a login instead of a server IP, but it does require port forwarding or upnp on your router - which you may already have enabled.
At this point if I were to switch from Plex I would go with Emby just because a bunch of sweaty nerds don’t simp over it every time Plex comes up in the news.
I found it annoying at first when I started because I didnt know about any management tools. I was updating the firewall rules everywhere myself to allow each remote IP at the router and machine level lol
This article doesn’t mention the limitations of remote access for Jellyfin, which requires some tricks like reverse proxy or Tailscale. I think Jellyfin is a great option if you only watch/listen on your home network, but if anyone wants to replicate the remote access capabilities of Plex, I typically warn them they are going to have to roll their sleeves up.
Don’t selfhost if you think a reverse proxy is tricky.
That seems like a rather arrogant tone to take. Reverse proxies are complicated. Easy to set up, but challenging to configure depending on what your needs are. Not everyone wants a homelab.
Everyone’s journey starts somewhere and sometimes people’s needs just don’t extend beyond the easier choices available.
You shouldn’t even have Jellyfin on a reverse proxy, because it shouldn’t be externally available. There are several known security vulnerabilities (all marked as “closed” due to inactivity on git) that the devs have said will likely never be patched. Because patching them requires breaking away from the Emby fork that the entire project is built on.
It should only be externally available via a private VPN. And that alone excludes a lot of “I want to share my library with friends/family” scenarios, because step 0 will be getting their devices connected to your VPN.
At the very least, set up some form of access control/username+PW directly on your reverse proxy as a secondary security measure. Because if you can reach the JF landing page, you can exploit those vulnerabilities without needing a valid JF login. So you should configure your reverse proxy to act as a gatekeeper, and ensure attackers can’t even reach JF at all without having a valid login to your reverse proxy. But this will break most JF apps (except for browsers) because they likely won’t have any way to give an initial user+pass to the reverse proxy before they hit the JF server.
Theres not a single high risk security issue in there as far i can see. Can you point them out?
Honestly for video I agree, for audio, it’s just me and only in my house or phone so tailscale is fine. If my friends really want audio, they can pay streaming for it.
If you can spin up a podman container, you can use a caddyfile. Hell, if you can nano and read, you can set uo a caddyfile.
There are literaly zero limitations by Jellyfin to remotely access your media. You are free to access your instance in any way you want. Fuck plex
The next time there’s a zero day in one of their packages you get pwned because their login doesn’t protect their ‘internal’ endpoints.
Keep that thing wrapped up or you will eventually regret it.
But Jellyfin! It solves all your problems, you don’t have to pay for it (because fuck paying for software of any type even if it provides you some value), and did I mention Jellyfin‽
Why aren’t you using it yet? Are you a plex sympathizer? Get outta here with that!
What?
I don’t care if you have a good use case for using plex / Emby / Kodi / VLC / WMC / etc; you will assimilate and use Jellyifn!
JELLYFIN!!!11!1!1!1!1!. /s
You’re right, I missed that.
I personally use a reverse proxy and Wireguard setup to access remotely.
Not something that unfortunately works as easily for me to connect my ailing mom’s TV to, and do NOT want to manage the reverse proxy + cert + etc setup for a number of reasons
There are a ton of reverse proxy options that manage the cert for you
You do then still have to expose JF to the open internet. That’s not without risk. Neither is Plex but they do make it a point to secure all their endpoints before login.
The point is that you now have another app to manage or learn about just for remote viewing, and the general public can’t and won’t manage something like that. People like us, no problem, its easy, but my dad would never be able to, for example. He can install plex and just log in to an app anywhere to use it though.
Also, dont forget that many households have non-static IP addresses, so now you need more management for that issue (again, easy for us).
In this scenario, your dad just installs Jellyfin and logs in.
You’ve set up the reverse proxy to your server, its transparent to him.
You can update DNS records automatically so its also a fire and forget kind of thing.
But I guess, give your data to the corpos because its easier.
There’s lots of reasons I don’t want to set this up
But Jellyfin! It solves all your problems, you don’t have to pay for it (because fuck paying for software of any type even if it provides you some value), and did I mention Jellyfin‽
Why aren’t you using it yet? Are you a plex sympathizer? Get outta here with that!
What?
I don’t care if you have a good use case for using plex / Emby / Kodi / VLC / WMC / etc; you will assimilate and use Jellyifn!
JELLYFIN!!!11!1!1!1!1!. /s
I just wish they’d fucking take their security seriously and we could wipe plex out.
Me too. But they also need a lot more features.
Like Tautulli and Plexamp.
Jellystat isn’t bad for a Taut alternative
This is like the 3rd thread I’ve seen you have a complete meltdown when someone mentions Jellyfin.
Because it’s the app to use! Forget everything else!!! JELLYFIN!!!1!1!1!1!
(That’s what you all sound like)
Jellyfin once located my lost puppy. Which Plex had stolen.
Damn, Jellyfin can swim through land, too.
Surprisingly, that is what the fin is for
I believe it! Emby probably kicked the dog whole plex stole it.
Yeah it can be more limiting. Personally I got lucky and my mom’s TV runs Android so I could just install a wireguard client.
I will probably at some point bridge her network with mine since I want to install a TrueNAS box at her house for remote backup. So the VPN client will be moot at that point.
just syncthing it :)
How do you go about doing that?
Which part? For the TV there was literally a wireguard app. I just had to install it on the TV and configure the connection to my wireguard server.
For the bridging I gave her my old router which I haven’t tested but I believe should support VPN bridging. I already have her on a subnet that won’t conflict with my network for that reason.
FYI, scrcpy can be an excellent tool for remote support, but you’d better trust the network the interface is on
If you have a machine at her place that is on most of the time you can have tailscale on that device and then make it ssh into itself with ssh portforwarding on!
Edit: You can also selfhost headscale and do the same as the comment below said
What in the goddamn fuck, sir
Step 1) Install tailscale (headscale also exists if you wanna fully self-host it)
Step 2) Done, solved
That doesn’t slove the problem if your Smart TV doesn’t support tailscale or something like Wireguard. Using another machine connected to a VPN like for example Tailscale/Headscale and then using ssh portforwarding allows you to access the service(jellyfin) on the device without support.
It would be like this:
Jellyfin <-- Tailscale/Headscale <— Machine forwarding the jellyfins port <-- Smart TV
This can be done with a command like this:
ssh -L 0.0.0.0:8096:jellyfin_tailnet_ip:8096 -f -N user@machine
You know, there’s probably a market for a hardware solution to do that. Wrap it up in a nice user interface, Family VPN bridge, expose JF servers.
Most people are not gonna go that route unfortunately. I want to love JF, but the remote access is a big sticking point, especially for non tech relatives.
It bugs me when people just say tailscale like that solves it all. It’s very useful and solves a lot of problems, but not all. Unfortunately.
I completely agree, Tailscale will not just solve your issues. If you want to have is as simple as possible for your users you are going to need to expose it publicly for your users. And the reason I posted the comment above is to share a solution that has worked for me to get my users "Smart"TVs to work. Honestly if someone where to make a service that provides a “plex networking” solution for jellyfin I think allot of people would consider using it and leave plex for good!
My mom lives 900 miles away and she can barely turn a computer on
I set up a free dns from duckdns.org and pointed it to my jellyfin server. All my parents had to do was to use that https://randomserver.duckdns.org/ as the server url in the jellyfin app.
Doesn’t that mean your jellyfin server is directly exposed to the Internet? The very thing everyone constantly warns against?
I’m still on Plex, one of my biggest hangups with JF is that the remote access is kludgy
It’s been running on caddy + duckdns for 5 years or more now. I use a non standard jellyfin port for the port forwarding, so that probably helps. Also, there’s probably an aspect of security by obscurity.
Yeah then this might not be a great idea for you, unless you have the possibility to fix a machine if you visit. But I want to make it clear this is not a fix all thing just trying to help :D
<3
Tailscale truly could not be easier/simpler.
Repectfully, I think you’re wrong.
Making an account and giving it to uncle fred with a website address is a LOT easier than telling him to install an app on his phone/computer, inviting him via email, then trying to explain to him how to turn it on and off and telling him not to mess with the settings and route all his traffic through my home network.
That is still one spot where plex holds an edge.
Not for all clients, like Roku for example.
Yes the solution is different hardware, like a Google TV, older firestick, raspAP, or flash openwrt on a router. But that’s no longer plug and play and may have other caveats. Besides costing money.
No shade, it’s just not QUITE that simple every time.
Just fucking yeet it online
expected advice from typical JF users.
What’s the worst that can happen. Someone watches your movies
Someone breakes in, then moves laterally to your home assistant running frigate to watch you sleep at night. Then uses your residential uplink as a proxy to resell on an open market.
After that, the possibilities are practically endless.
It’s a rootless container. Chances are they are not going to do any of that.
Things are on the internet all the time.
Yeah docker isn’t the isolation sandbox some people make it out to be. It’s not meant for that. You very well may have a setup that’s meant for that but it’s more than I’m willing to expose.
No reason to connect jellyfin to any sort of local network, router will still hairpin for local connection.
With that setup its honestly more secure than 99% of IOT devices, and like 50% of routers.
edit: and if youre running it in the pentagon or something just toss authentication like keycloak in front of it, plus a bit of crowdsec/fail2ban and an IP whitelist, I’d be surprised if you’d even get an attack, much less one violating that strict of a threat models.
Good grief. If you’re doing all that, just set up Wireguard
I mean containers make the networking pretty easy, everything beyond that is optional based on your threat model.
Same as hosting anything networked, you can do it easy or do it safe.
(but also wireguard is kinda an O(n) problem while exposing to wan is an O(1) problem - at least IT man hours wise)
Yup! That’s the worst thing that can happen. Now would you be so be kind as to send us the link to your private unsecured Jellyfin server?
I’m tempted to. But I’m not. Just because I dont want to fox my domain here.
Is running in a rootless podman container. I’m confident
A reverse proxy is a trick? That’s like standard practice for web servers.
How does Plex get around that? I’ve only ever used jellyfin.
Plex operates TURN servers
That’s why I’m running both. I use jellyfin, everyone else uses Plex 🤣
There is a third option, the program that Jellyfin was originally forked from back in 2018, Emby.
Sort of the middle child between the two. Nearly identically to Jellyfin for obvious reasons, several third party apps for Jellyfin work with it as well like Jellyseer, it has apps for nearly every device, and easy external connections via their servers like Plex does.
They do however have a premium subscription system like Plex to support things like those servers. It’s not as expensive as Plex, even before the recent rate hike, but it is there and some stuff is locked behind that premium license.
I can’t recommend emby because their business practices are pretty scummy. After accepting open source contributions for years, they went closed-source in 2018 and took all those contributions with them (they had a CLA). The very next update, they added hardware acceleration and locked it behind a paywall. They had a pretty big ‘security incident’ a few years ago, which probably would have been averted if they were still open source, as users in the community flagged it as an issue long before the devs took action.
So all the bad things of both, still a proprietary product that you can funnel your cotent through servers you don’t control while simultaneously not being plex.
But also benefits of both, reduced cost with easier remote setup, while simultaneously not being plex
Wait, does emby do remote access similar to Plex? And without VPN like JF? That’s literally the only thing keeping me on Plex.
I only personally have experience with jellyfin, but the docs of Emby look to support the same remote access as Plex (without the TURN server).
So essentially you can use a login instead of a server IP, but it does require port forwarding or upnp on your router - which you may already have enabled.
Also you dont have to be lumped in with the frothing at the mouth Jellyfin users.
Beats frothing for a company, if I gotta froth
It’s only frothing if you insist that installing tailscale on your grandma’s DSL modem is the best way to share home movies
Funny enough I’m in the “open it to the wan just practise basic web access hygiene” camp, I hope that makes me at least a little frothy
At this point if I were to switch from Plex I would go with Emby just because a bunch of sweaty nerds don’t simp over it every time Plex comes up in the news.
Look at me guys, I’m contrarian! Look! Look!
Can’t you just setup a dyndns and port forwarding?
Yes, and if that falls within your risk tolerance it’s rather easy to set up.
Most of the people in the discussion here don’t want to open a port to the internet.
To be fair Plex also requires open ports (or worse upnp) to remotly stream at full quality, without transcoding.
Oh, 100%. I was just trying to sum up the feelings in here.
Its just a pain in the ass to manage at home and easy to leave your ass open for attacks.
It’s just another attack surface. Threat tolerance is up to each person.
I found it annoying at first when I started because I didnt know about any management tools. I was updating the firewall rules everywhere myself to allow each remote IP at the router and machine level lol
Oooof, yeah that would suck.