A secure, production-ready Docker-based solution for remotely accessing your home Jellyfin media server without exposing your home network directly to the internet.
This project provides a complete, production-ready implementation for securely exposing a Jellyfin media server to the internet. It solves common challenges faced by home media server enthusiasts:
- Accessing your media when away from home
- Sharing your media library with friends and family
- Avoiding the security risks of direct port forwarding
- Working around ISP restrictions (CGNAT, blocked ports, etc.)
The solution uses a VPS (Virtual Private Server) as a secure gateway to your home Jellyfin server:
Internet → VPS (Nginx + Let's Encrypt) ↔ Tailscale VPN ↔ Home Network (Jellyfin)
- Nginx: Reverse proxy that handles HTTPS traffic and forwards requests to Jellyfin
- Certbot: Automatically obtains and renews Let's Encrypt SSL certificates
- Tailscale: Creates a secure private network between your VPS and home server
- Jellyfin: Media server running on your home network
- 🔒 Encryption on every hop: HTTPS from the client to the VPS, Tailscale from the VPS to your home server
- 🚫 No ports opened on your home network
- 📜 Automatic SSL certificate management
- 🔄 Optimized Nginx configuration for media streaming
- 🐳 Complete Docker Compose setup for easy deployment
- 🛡️ Security hardening out of the box
- A VPS with a public IP address (DigitalOcean, Linode, etc.)
- A domain name pointed to your VPS
- Docker and Docker Compose installed on your VPS
- Jellyfin installed on your home server
- Tailscale account and configured tailnet
- Basic familiarity with the command line and Docker
1. Clone this repository to your VPS:
    git clone https://github.com/ggfevans/jellyfin-remote-access.git
    cd jellyfin-remote-access
2. Copy the example configuration files:
    cp .env.example .env
    cp tailscale.env.example tailscale.env
    cp init-letsencrypt.sh.example init-letsencrypt.sh
    chmod +x init-letsencrypt.sh
3. Set up your Tailscale network:
  - Create a Tailscale account at https://tailscale.com
  - Install Tailscale on your home Jellyfin server
  - Generate an auth key in the Tailscale admin console
  - Update tailscale.env with your hostname and auth key
4. Configure your environment:
  - Edit .env with your domain and email
  - Update the Jellyfin Tailscale IP in .env
  - Edit init-letsencrypt.sh with your domain
5. Initialize SSL certificates:
    ./init-letsencrypt.sh
6. Start the services:
    docker compose up -d
7. Visit your domain in a web browser to access Jellyfin!
Update your domain settings in the following files:
- init-letsencrypt.sh - Set domains array
- data/nginx/app.conf - Replace yourdomain.com with your domain
- nginx/jellyfin.conf - Replace your_domain.com with your domain
The Tailscale container creates a secure tunnel between your VPS and home network:
1. Edit tailscale.env:
    TS_HOSTNAME=your_tailscale_hostname
    TS_AUTHKEY=tskey-auth-yourauthkeyhere
2. Make sure Jellyfin on your home network is reachable via Tailscale:
  - Install Tailscale on your home Jellyfin server
  - Note the Tailscale IP address (e.g., 100.x.y.z)
3. Update nginx/jellyfin.conf to point to your Jellyfin Tailscale IP:
    set $upstream_jellyfin "http://100.x.y.z:8096";
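A preflight check for the two files edited above, added here as an example and not part of this repository: it confirms the Nginx upstream is an address in Tailscale's 100.64.0.0/10 range (so the plain-HTTP hop stays inside the tunnel) and that tailscale.env holds a real, non-world-readable auth key. The function names and sample files are constructed for illustration; the `set $upstream_jellyfin` line format and the `TS_AUTHKEY` placeholder are taken from this page.

```shell
#!/bin/sh
# Added example (not the project's code): preflight for nginx/jellyfin.conf and tailscale.env.

# True only for IPv4 addresses in Tailscale's 100.64.0.0/10 range.
is_tailscale_ip() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]
}

# Prints the host from: set $upstream_jellyfin "http://HOST:PORT";
upstream_host() {
    sed -n 's|^[[:space:]]*set[[:space:]]*\$upstream_jellyfin[[:space:]]*"http://\([^:/"]*\).*|\1|p' "$1" | head -n 1
}

# Prints one line per problem; returns non-zero if any were found.
preflight() {   # $1 = nginx/jellyfin.conf, $2 = tailscale.env
    rc=0
    host=$(upstream_host "$1")
    if ! is_tailscale_ip "$host"; then
        echo "upstream '$host' is not a Tailscale address (plain HTTP would leave the tunnel)"; rc=1
    fi
    key=$(sed -n 's/^TS_AUTHKEY=//p' "$2" | head -n 1)
    case $key in
        ''|tskey-auth-yourauthkeyhere) echo "TS_AUTHKEY is empty or still the template value"; rc=1 ;;
    esac
    if [ -n "$(find "$2" \( -perm -040 -o -perm -004 \))" ]; then
        echo "$2 is readable by group/other; chmod 600 it"; rc=1
    fi
    return $rc
}

# Constructed sample files (not the repository's): one good pair, one bad pair.
make_samples() {   # $1 = directory to write into
    umask 077
    printf 'set $upstream_jellyfin "http://100.101.102.103:8096";\n' > "$1/good.conf"
    printf 'TS_HOSTNAME=vps\nTS_AUTHKEY=tskey-auth-EXAMPLEONLY\n' > "$1/good.env"
    printf 'set $upstream_jellyfin "http://203.0.113.7:8096";\n' > "$1/bad.conf"
    printf 'TS_AUTHKEY=tskey-auth-yourauthkeyhere\n' > "$1/bad.env"
    chmod 644 "$1/bad.env"
}

# Usage: sh preflight.sh nginx/jellyfin.conf tailscale.env
if [ $# -eq 2 ]; then preflight "$1" "$2"; fi
```

The unedited template value 100.x.y.z is rejected as well, so the check also catches a jellyfin.conf that was never updated.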
The included configurations are already optimized for Jellyfin, but you may need to adjust:
- moz_ssl - SSL parameters based on Mozilla's recommendations
- proxy_params - Proxy settings for Jellyfin
- website.conf - Main Nginx configuration for your domain
Run the initialization script to set up Let's Encrypt:
chmod +x init-letsencrypt.sh
./init-letsencrypt.sh
This script will:
- Create a temporary Nginx configuration
- Obtain initial certificates from Let's Encrypt
- Set up automatic renewal
Launch all services:
docker compose up -d
Verify all containers are running:
docker compose ps
If Certbot fails to obtain certificates:
- Ensure your domain is correctly pointed to your VPS
- Check that ports 80 and 443 are open on your VPS
- Examine Certbot logs: docker compose logs certbot
If you can't connect to Jellyfin:
- Verify Tailscale is connected on both the VPS and home server
- Check Tailscale connectivity: tailscale ping your-jellyfin-hostname
- Ensure Jellyfin is accessible directly via its Tailscale IP
- Examine Nginx logs: docker compose logs nginx
If videos buffer or play poorly:
- Check your home upload bandwidth
- Adjust Jellyfin transcoding settings
- Consider modifying Nginx buffer settings in proxy_params
This setup provides several security advantages:
- No open ports on your home network
- End-to-end encryption between VPS and home server
- HTTPS encryption for all external traffic
- Isolated containers with minimal permissions
- Content Security Policy headers to prevent XSS attacks
Additional hardening you might consider:
- Setting up SSH key-only authentication on your VPS
- Configuring a firewall (UFW) on your VPS
- Enabling rate limiting in Nginx for login attempts
- Regular security updates for all components
Custom error pages are located in data/nginx/html/. You can modify:
- 404.html - Not found errors
- maintenance.html - Displayed during maintenance
The included Nginx configuration is optimized for media streaming, with:
- Efficient proxy buffering
- Connection keep-alive settings
- Browser caching for static assets
- Gzip compression
To add additional domains:
- Update the domains array in init-letsencrypt.sh
- Add server blocks for each domain in data/nginx/website.conf
- Run the initialization script again
To update the components:
docker compose pull
docker compose down
docker compose up -d
Consider adding these monitoring solutions:
- Prometheus for metrics collection
- Grafana for visualization
- Uptime Kuma for availability monitoring
Contributions are welcome! Please read our Contributing Guidelines and Code of Conduct before submitting a Pull Request.
- Check existing issues before creating a new one
- Use the issue templates provided
- Include logs and configuration (without sensitive data)
See CONTRIBUTING.md for development setup instructions.
For security concerns, please read our Security Policy.
This project is licensed under the MIT License - see the LICENSE file for details.
- Jellyfin for the amazing media server
- Tailscale for the secure networking solution
- Nginx for the powerful reverse proxy
- Let's Encrypt for free SSL certificates
- Docker for containerization