I am running into some roadblocks connecting a relative's home to my shared media services that online research hasn't provided a clear solution for, so I am soliciting community thoughts.
The situation is as follows:
In my home
Jellyfin running in a Docker container, pointing to a NAS appliance share for media
UniFi UDM Pro with a VPN server running to allow remote clients to connect, with VPN clients restricted to accessing only Jellyfin
In Relative's Home
Windows PC with VPN configuration set up
Apple TV
Currently my father watches my Jellyfin library via the VPN connection on his computer, but he would like to also be able to watch on the Apple TV. For Windows/iOS/macOS clients, setting up a VPN connection was straightforward, but the Apple TV doesn't appear to have those options available to the end user in the settings.
Looking at what apps I could load on the Apple TV, it appears to support Tailscale, which I have heard about but never used. I like the idea, and it appears similar to my current experience with Ubiquiti's VPN setup on the UDM Pro in that client setup is extraordinarily simple. However, Tailscale support on the UDM Pro seems incomplete/unstable from what I have read, and I'm reluctant to work outside the box by installing additional programs on it unless strictly necessary. Tailscale also seems to require some form of Google or third-party login system, which I don't like.
Am I barking up the wrong tree and should I just abandon the Apple TV? The UI is perfect for older relatives, which is why he has it in the first place.
I don't like the idea of a Linode subscription to set up a VPN that way, since the whole effort has been to remove all subscriptions, even ones to reputable companies.
UniFi seems to support a site-to-site VPN, but I worry that might introduce security concerns by having some form of direct connection between our two home networks, with the potential for malware transmission, and it would require buying him a UDM of some form.
I am not a network engineer, and my experience thus far has been based on online research and trial and error. I have tried my best to go with the most simple and secure route for networking, hence the VPN rather than an open port or reverse proxy setup, and if possible I'd like to keep it that way.
There's nothing one can't do themselves relative to Tailscale; there's no magic. It's just painful to DIY rendezvous and firewall hole punching. You can always replace it after the fact.
You can add your relative's Apple TV to your tailnet and ACL it to only be able to access Jellyfin.
But a Docker container is interesting because of Docker networking. It turns out you can add Tailscale to Jellyfin and run it within the Jellyfin container without it creating a TUN interface; it can appear as a host on the tailnet and proxy TCP connections to Jellyfin using the "serve" feature.
How are you running Jellyfin? Are you using docker-compose, or what are you using to configure the container today?
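One way to lay out the Tailscale-plus-Jellyfin setup the reply above describes, as an added example that is not from the thread or from either project: a Tailscale sidecar in userspace mode (no TUN device) whose network namespace Jellyfin shares, with "serve" proxying tailnet HTTPS to Jellyfin. The auth key, the tag names, the media path and the serve.json file are assumptions.

```yaml
# Added example, not the poster's config. Assumes TS_AUTHKEY is set in the
# shell, serve.json sits next to this file, and Jellyfin listens on 8096.
services:
  tailscale:
    image: tailscale/tailscale:latest
    environment:
      TS_AUTHKEY: ${TS_AUTHKEY}        # tagged, single-use pre-auth key
      TS_HOSTNAME: jellyfin            # node name shown on the tailnet
      TS_USERSPACE: "true"             # userspace networking: no /dev/net/tun
      TS_STATE_DIR: /var/lib/tailscale
      TS_SERVE_CONFIG: /config/serve.json
      TS_EXTRA_ARGS: --advertise-tags=tag:jellyfin   # assumed tag name
    volumes:
      - tailscale-state:/var/lib/tailscale
      - ./serve.json:/config/serve.json:ro
    restart: unless-stopped

  jellyfin:
    image: jellyfin/jellyfin:latest
    # Share the sidecar's network namespace: Jellyfin is reachable only from
    # the tailnet through the serve proxy. No "ports:" are published on the
    # host, so nothing is exposed to the LAN or the internet.
    network_mode: service:tailscale
    volumes:
      - jellyfin-config:/config
      - /mnt/nas/media:/media:ro       # assumed NAS mount path
    restart: unless-stopped

volumes:
  tailscale-state:
  jellyfin-config:

# serve.json (separate file): tailnet HTTPS on 443 is proxied to Jellyfin on
# 127.0.0.1:8096 inside the shared namespace. Needs HTTPS certificates
# enabled for the tailnet; ${TS_CERT_DOMAIN} is filled in at start-up.
# {
#   "TCP": { "443": { "HTTPS": true } },
#   "Web": {
#     "${TS_CERT_DOMAIN}:443": {
#       "Handlers": { "/": { "Proxy": "http://127.0.0.1:8096" } }
#     }
#   }
# }
#
# Tailnet ACL (assumed tags): allow src "tag:relative-tv" to dst
# "tag:jellyfin:443" only, so the Apple TV sees nothing else on the tailnet.
```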
The solution to your problem really depends on your security needs.
I have a similar situation to you, where I give my friends access to my own Nextcloud and game servers that I run at home. Personally, I do the best I can for security while making it easy for friends and family to use my server. So if you trust Cloudflare, that's the path I would take and not worry about a VPN, because for some reason family doesn't understand computers and a VPN complicates things.
Cloudflare DDNS can obscure your home IP address, making it harder for bad actors to find your server, so this can add a layer of security for you. Also, Cloudflare Tunnels is a good option that I am investigating and trying to use for someone else right now; it's rather easy to set up and you don't need to poke holes in your firewall.
My solution to your problem (depending on your security comfort level) would be to:
get a domain
set up a Cloudflare Tunnel in a Docker container
set up the apps on your family's Apple TV / PC to point to the domain, which goes through the tunnel.
NetworkChuck has a great tutorial you might want to look at; just skip the ad.
If you don't want to do this, then putting the VPN onto your family's router would be the only other way that I can think of; this will redirect the Apple TV traffic to your server. But be aware that ALL of your family's internet will be redirected through your internet and could cause a lot of lag for both your family and you.
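The tunnel step of the procedure above, as an added example that is not from the thread or from Cloudflare: a cloudflared container beside Jellyfin, dialling out to Cloudflare so no inbound port is opened, with an ingress file that routes one hostname to Jellyfin and returns 404 for everything else. The tunnel ID, credentials file, hostname and media path are placeholders.

```yaml
# Added example, not the poster's config. Assumes "cloudflared tunnel create"
# has already produced a tunnel ID and credentials JSON, and that a DNS route
# exists for the placeholder hostname jellyfin.example.com.
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    command: tunnel --config /etc/cloudflared/config.yml run
    volumes:
      - ./cloudflared:/etc/cloudflared:ro   # config.yml + credentials file
    depends_on:
      - jellyfin
    restart: unless-stopped

  jellyfin:
    image: jellyfin/jellyfin:latest
    volumes:
      - jellyfin-config:/config
      - /mnt/nas/media:/media:ro            # assumed NAS mount path
    # No "ports:" entry: only cloudflared can reach Jellyfin, over the
    # compose network, and cloudflared makes an outbound connection, so the
    # home firewall keeps every inbound port closed.
    restart: unless-stopped

volumes:
  jellyfin-config:

# ./cloudflared/config.yml (separate file):
# tunnel: <TUNNEL-ID placeholder>
# credentials-file: /etc/cloudflared/<TUNNEL-ID placeholder>.json
# ingress:
#   - hostname: jellyfin.example.com       # placeholder domain
#     service: http://jellyfin:8096         # compose service name resolves
#   - service: http_status:404              # required catch-all: deny the rest
#
# Caveat: the hostname is reachable by anyone on the internet, so Jellyfin's
# own login is the only gate unless a Cloudflare Access policy is put in front.
```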
I can't double-check this at home since I don't have a VPN set up, but if you set the VPN connection up in the UDM Pro you should be able to make a traffic rule for the specific device, for the traffic that you want, and then select the VPN connection as the interface to go out of. So basically the router is handling directing the media traffic through the VPN instead of individual devices logging in to the VPN directly. This would be under "Settings → Routing → Traffic Routes". Doing it this way you could set up a rule for the Apple TV and another for the relative's PC so that when the Jellyfin server IP is accessed the router does the proper VPN routing, and you won't have to manually start up the VPN on the PC anymore either.
Update! Thank you everyone for your input. Due to the complexities of Docker networking, the limited settings of the Apple TV, and my desire for high security and simplicity of installations in relatives' homes, I think I'm going to go the following route:
The Apple TV can accept internet via Ethernet, so my plan is to plant a super-small-footprint, low-power device next to it to feed it a VPN connection, as explained in this article here LINK
It seems that either a Windows or macOS device will fulfill this purpose, so the next question is: what would be the best device for doing exclusively that one task, with the focus on low power/low footprint?
On the macOS side I'm thinking Mac Mini, and on the PC side something like a NUC but with way lower specs, maybe one with a Celeron. Aiming for $50 or less.
As usual, thoughts and insight are always appreciated. When given the choice I typically take PC over Apple when possible, but opinions either way would be welcome.