Thanks for all the detail Alex. I love it. Other “explainer” videos often leave out crucial bits that leave more novice or intermediate learners stuck even after consulting a lot of other resources.
"Sorry, I've spent far too long explaining where the tilde button is on the keyboard." Brilliant video and this line made my day :-) keep up the great videos Alex, love them.
Maceió, Curitiba, Salvador, and Fortaleza are the names of Brazilian cities. I live in Brazil and have visited all of them 😄.
Amazing video as always!
Awesome video, just immensely convoluted. When I had an ISP behind CGNAT, I achieved the exact same thing by spinning up a VPS, installing Docker, a WireGuard server, and NGINX Proxy Manager. I then connected to the VPS from my Jellyfin LXC and proxied it over the WireGuard IP through NPM. Took like 10 minutes to set up.
That sounds exactly as convoluted.
(Reposting as I realized the other video link is not unlisted.) Thanks for the video Alex. You don't go into much detail about the benefits of having this as a remote VPS / reverse proxy. Are there inherent security benefits of using a VPS + remote proxy vs. self-hosting Caddy and opening a port? I suspect opening the port isn't great, but couldn't someone break into the VPS and, using Tailscale, get free rein of my home network?
A VPS means you can access the proxy from anywhere without worrying about network topologies or needing Tailscale installed on the client device. It also makes it really easy to proxy services across multiple sites and reduce reliance on bandwidth-constrained solutions like Tailscale's Funnel or Cloudflare's tunnels.
For example, say that you're not on your home LAN and you want to hit that reverse proxy from a non-Tailscale client (for me this is commonly a relative's phone wanting to stream an audiobook from my self-hosted Audiobookshelf instance); they need to be able to route those packets to Caddy somehow in order for the data to flow. You need to solve for your WAN IP changing (dynamic DNS) and open ports in your firewall. This is what I did for many years before Tailscale came along. But this solution removes all those pain points, with the slight exception of needing to pay for a cloud VPS (but that can be useful for other things besides just this). HTH -Alex
Thanks Alex! I've been looking for a demo of this exact setup. Hopefully I can do it with Emby.
Jellyfin is one of the main reasons I used Tailscale 😁
Excellent video!
I was trying to share my immich instance over the public internet and all the information you presented here was extremely helpful in getting it up and running.
I just had one question though - Is there a reason why you're using Caddy with the Cloudflare plugin?
I ask this because my setup is the same as yours, but with a barebones Caddy, and I was able to get the TLS certificates up and running just fine.
I think that plugin is only necessary when data is proxied over CF, or when we don't want to open ports on our firewall (local homelabs).
If we're going to expose HTTP/HTTPS anyway, we can just let Caddy do the HTTP ACME challenge to get the certificates.
This should eliminate the step of getting and applying the CF API key in our setup process!
Unless of course there is some other reason for it which I missed completely.
If so, do let me know.
Awesome video! I got everything working on AWS with Caddy for my Jellyfin setup, and Tailscale was fun to integrate. Ran into Let's Encrypt rate limits, but once it worked, the video playback was super smooth - much better than using a tunnel. Is there a way to make it work again with a different reverse proxy that doesn’t rely on Let's Encrypt? Thanks for the clear guidance!
Glad to hear you got this going! Why wouldn't you want TLS? Jellyfin clients in particular hate self-signed certs.
Not planning to use self-signed certs. I'm switching to AWS ACM for trusted SSL since Let's Encrypt hit rate limits. Not sure if it’ll work though!
@thoufics How many certificates are you generating that you're hitting rate limits with LE? Their rate limits are fairly generous for a completely free service.
I see that you are also installing Docker on the DigitalOcean droplet through cloud-init, but I do not see it used anywhere. Is it really needed? Also, I want to enable a firewall on the droplet. Is it enough to have 80/tcp and 443/tcp open as incoming ports? Love your in-depth videos with IaC. Keep them coming (more Azure focus instead of AWS would be nice)!
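The two questions above (whether plain Caddy without the Cloudflare DNS plugin is enough for certificates, and whether 80/tcp and 443/tcp are the only inbound ports the droplet needs) both come down to what the VPS has to expose. The script below is an added example, not code from the video or from any commenter; the hostname, the Tailscale IP of the Jellyfin host, the Caddyfile path and the use of `ufw` are assumptions marked in the comments. It renders the plain-Caddy configuration (ACME HTTP-01 / TLS-ALPN-01 over the open 80/443, so no Cloudflare API token has to be stored on the VPS), shows the DNS-01 variant for comparison, and applies a firewall that leaves only 80/tcp and 443/tcp reachable from the internet while SSH and the rest stay on the Tailscale interface.

```shell
#!/bin/sh
# Added example, not code from the video or from any commenter: bootstrap for
# a VPS running Caddy in front of a Jellyfin host reached over Tailscale.
# Every value below is an assumption; replace it with your own.
set -eu

DOMAIN="${DOMAIN:-jellyfin.example.com}"        # hypothetical public hostname
UPSTREAM="${UPSTREAM:-100.64.0.10:8096}"         # hypothetical Tailscale IP:port of Jellyfin
CADDYFILE="${CADDYFILE:-/etc/caddy/Caddyfile}"   # default path used by the caddy .deb package
APPLY="${APPLY:-0}"                              # 0 = print what would be done; 1 = apply

# Run a command, or only print it when APPLY=0 (dry run).
run() {
    if [ "$APPLY" = "1" ]; then "$@"; else echo "$*"; fi
}

# Plain Caddy, no DNS plugin: because 80/tcp and 443/tcp on the VPS are
# reachable from the internet, Caddy completes the HTTP-01 / TLS-ALPN-01 ACME
# challenges itself and no Cloudflare API token needs to live on this box.
render_caddyfile_http() {
    domain="$1"; upstream="$2"
    cat <<EOF
$domain {
    reverse_proxy $upstream
}
EOF
}

# DNS-01 variant: only needed when 80/443 are not reachable (e.g. a home box
# behind CGNAT). It requires a Caddy build with the cloudflare DNS module and
# keeps a long-lived CF API token on the host, one more secret to protect.
render_caddyfile_dns() {
    domain="$1"; upstream="$2"
    cat <<EOF
$domain {
    tls {
        dns cloudflare {env.CF_API_TOKEN}
    }
    reverse_proxy $upstream
}
EOF
}

# Inbound exposure limited to 80/tcp and 443/tcp. SSH and anything else
# administrative is allowed only on tailscale0, so the public interface shows
# nothing but the proxy. All rules are in place before ufw is enabled, so a
# session that arrived over Tailscale survives the switch-on.
firewall_rules() {
    run ufw allow in on tailscale0
    run ufw default deny incoming
    run ufw default allow outgoing
    run ufw allow 80/tcp
    run ufw allow 443/tcp
    run ufw --force enable
}

main() {
    if [ "$APPLY" = "1" ]; then
        render_caddyfile_http "$DOMAIN" "$UPSTREAM" > "$CADDYFILE"
    else
        echo "# would write to $CADDYFILE:"
        render_caddyfile_http "$DOMAIN" "$UPSTREAM"
    fi
    firewall_rules
    run systemctl reload caddy
}

main
```

Run it once without arguments to see the plan, then `APPLY=1 sudo ./vps-bootstrap.sh` (hypothetical filename) to apply. Tailscale itself needs no inbound rule on the droplet: it opens its WireGuard connection outbound and falls back to DERP relays when a direct UDP path is unavailable, which is why the commenter's 80/tcp + 443/tcp is sufficient. For the earlier question about a compromised VPS reaching the whole home network, the matching mitigation on the Tailscale side is an ACL that lets the VPS node reach only the Jellyfin host on its service port rather than every device in the tailnet.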
Hello from Mexico!!
Question: Could you please do a step-by-step tutorial on how to configure my DS923+ Synology NAS to be able to access Jellyfin from outside my local network?
On my Synology NAS I installed the Jellyfin server and I want to share it with my family and friends.
I am getting a Raspberry Pi soon and am excited to try out self-hosting things... Now I just have to figure out how to set up the reverse proxy on Vultr because I already have VPSs there.
Hey Alex, love your video, mate.
I'm trying to see if I can do the same thing using RackNerd (their pricing is pretty good) but I can't find anything about their API or communicating programmatically...
Do you have some suggestions?
Thanks a lot
Does traffic flow via Tailnet infra or is it completely independent?
Great video! What's the benefit of using a VPS, rather than just running Caddy on the same local network as Jellyfin? It kinda seems like an unnecessary middle man to me. Thanks again :)
Was literally about to ask this! Nice wizard work but it's not necessary. I have Traefik running in an LXC with Tailscale installed in there too. Works perfectly fine.
CGNAT, ISPs that block 80/443 inbound, etc. Unfortunately not all of us can get public external IPs these days :(
A VPS means you can access the proxy from anywhere without worrying about network topologies or needing Tailscale installed on the client device. It also makes it really easy to proxy services across multiple sites and reduce reliance on bandwidth-constrained solutions like Tailscale's Funnel or Cloudflare's tunnels.
For example, say that you're not on your home LAN and you want to hit that reverse proxy from a non-Tailscale client (for me this is commonly a relative's phone wanting to stream an audiobook from my self-hosted Audiobookshelf instance); they need to be able to route those packets to Caddy somehow in order for the data to flow. You need to solve for your WAN IP changing (dynamic DNS) and open ports in your firewall. This is what I did for many years before Tailscale came along. But this solution removes all those pain points, with the slight exception of needing to pay for a cloud VPS (but that can be useful for other things besides just this). HTH -Alex
For my family, the client is the price of entry. Only devices I authorise on Tailscale's admin console can access the container that contains the reverse proxy.
As far as DNS goes, I simply have wildcards in Cloudflare pointing at the LAN IP address of the container, so I achieve two things: (1) URL resolution inside my LAN without the client and outside with the client installed; (2) I don't need to host the DNS myself either.
No open ports, no care about what public IP address I have, nor any care about unauthorised access, as I have approved only the devices that I want to have access.
Having the VPS just allows anyone with the URL to access stuff inside my network. Unless of course you do what I did, but then there's no point in hosting it elsewhere and having to pay for it.
By using this method, will streaming Jellyfin work when under CGNAT?
Yup! 👍
Can I use a DigitalOcean VPS and Raspberry Pis on my home server with a Docker Swarm cluster with Tailscale?
Tried doing this but on Immich instead of Jellyfin. I tried uploading a couple of photos, but after that it stops uploading everything. Am I getting rate limited by Cloudflare or something?
Will this solution through VPC take on the limited transfer bandwidth? Or how is the direct connection made between a remote peer (which is not connected to Tailscale) browsing into the server through VPC?
One nitpick - doctl != doc tail, doctl = digital ocean control :)
Why not serve and funnel for this use case?
Serve is for inside your tailnet
Funnel is bandwidth constrained for QoS reasons and therefore not suited for video streaming specifically
Ahh didn’t realize the bandwidth constraint! Thanks.
Same is true of things like Cloudflare tunnels too, they specifically have ToS terms which restrict things like video streaming.
With this solution you have no such restrictions. -Alex
@Tailscale Does the Funnel bandwidth limit apply if the funnel flag shows up on the client in the console even when the serve config has funnel set to false?
Meaning would it impact serve bandwidth in that case.
Does this sort of setup use the cloud instance as a "relay"? Meaning all the bandwidth used for streaming goes through the cloud provider? Wouldn't that generate quite a bill?
It does transit through the VPS, yes, so you'd want to pick your provider and VPS size (and therefore the accompanying bandwidth allocation) accordingly.
What are your stereo speakers?
OK, it appears to be KEF LS50, they seem pretty nice!
They are :)
Bought them 10 years ago as a graduation gift to myself and haven’t ever felt the need to replace them. Paired with a 10” sub they more than fill my office with glorious noise. -Alex
Windows 11 install?
I remotely access anything from anywhere using Tailscale.
The "fake words" are cities in Brazil, very real ones.
You even got the icon right ... not like another big Tech channel from Canada *cough cough*
Pure DigitalOcean marketing campaign ❤