Depends on what you mean by “secure.” My personal setup is Jellyfin LXC on proxmox --> Wireguard to VPS -> Nginx reverse proxy on VPS.

This setup relies somewhat on Jellyfin’s auth, but I’m comfortable with that risk. The LXC is blocked from sending local traffic on my network by firewall rules. Yes, someone could exploit a vulnerability in Jellyfin (though looking through the CVEs I’m not overly worried about that), then escape the LXC and fuck with my server. But that’s a lot of work for no profit.

For more protection (in sense of reducing traffic that even interacts with your server), I’d recommend getting a wildcard cert for the domain so that the actual subdomain jellyfin is on is undisclosed to anyone not using your service.

Security isn’t about making everything impregnable, it’s about making attacks more trouble than they’re worth. Otherwise, we’d all live in fortified bunkers surrounded by landmines. 🙃

if theyre close, add them to your tailscale, if not and you have a web serve, use a reverse proxy.

for tailscale, you’d probably have to walk them through setting it up but then its one and done

Ask them to use the Jellyfin web, and you expose it to the public via Netbird / Pangolin locked behind SSO

call me crazy but I just use a couldflare tunnel since my domain is already provided through them. They make it really easy to add sub-domains attached to specific ports on the local machine and automatically adds the proper DNS entries. Additionally they have a ton of domain security/anti-bot measures you can set up.

Reverse proxy with fail2ban or crowdsec. It’s possible to set up things like Pangolin which ultimately use a VPN between external and internal access points but not at the client, though it takes more setup if you want to use apps over pangolin instead of just the browser.

If they could be using web UI (I’m not sure how a client would work with auth like that) then it kind of depends on how much hassle they can live with and how secure you want to be

Simplest would be to use https://doc.traefik.io/traefik/reference/routing-configuration/http/middlewares/basicauth/
You set up username and password and share those with the user. But it can be brute-forced

Something more secure but also a bit more demanding would be some kind of email otp
https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_email/
Set up authentik to send time-limited link to their email that well let them through. But they would have to authenticate every time they access

At the very minimum stick a reverse proxy in front like caddy, nginx, or Traefik. Then have some middleware like crowdsec to inspect what’s going on. Then whitelist the IP or the country IP block.

There is much more but those would be the bare minimum.

Possibly mTLS, which you’d configure in your reverse proxy. You could email them the certificate and instructions on installing it. I believe for Chromium browsers on Windows you basically just double click the cert and click through the wizard. Firefox I know has a thing in the settings for importing the cert. Android you just tap on the cert and make sure it opens with ‘Certificate Installer’ if it gives you the option.

Reverse proxy with auth in front of the actual jellyfin login. Like pangolin.

Why no VPN?

I agree with reverse proxy + middleware. I’d also suggest something like Jellyswarm as the front end. That way I can connect to other friends’ servers too.

Adding onto the other comments, if you have admin access to your network router/firewall you can configure the incoming port forward itself to only allow specific IP addresses while dropping traffic from any other internet WAN IPs. It’s a bit like using the Jellyfin whitelist/blacklist but doing it at the network level. This drops all unwanted internet traffic to that port at the firewall before ever reaching the Jellyfin software. Downside is having to occasionally update the firewall whenever there are IP address changes.

This is probably only feasible if you only have some specific Jellyfin clients in mind to accept connections from, not any random person from any random WAN IP address.

you don’t.

of you’re intent on “spreading your legs” to the world, get a WAF.

How much access do you have to their system? I would set up a script on their end to poll https://ipv4.icanhazip.com/ and send you their IP. I would then trigger a firewall rule change on your end to that information. This keeps the access to only their IP, with maybe a few minutes between polls where it might be different.

Does Tailscale count as a VPN for you? It’s how I roll. Well, I run my own headscale server, but the free Tailscale tier is going to be fine for any reasonably sized personal project.