Assuming the user will not be connecting over VPN, but is both remote and non-technical, how would you expose Jellyfin to them securely?
That depends a lot on what you do with them…
VLANs work on a layer where devices can either reach each other or they cannot.
Let’s say you have your main desktop computer in the “main” VLAN, and your Jellyfin server in the “jellyfin” VLAN, and a third server for your home-assistant in the “home-assistant” VLAN, and finally some IOT devices in the “iot” VLAN.
You connect the VLANs as follows:
Remember that all connected VLANs must be bidirectional.
Now someone compromises your Jellyfin. They now control and have access to everything on the Jellyfin server, but they also have network reachability to your main computer, because your “main” and “home-assistant” VLANs are connected. They can now try to exploit your main computer.
If they are successful in exploiting your main computer, then they can use your main computer to jump to the home-assistant server because again, these two VLANs are connected. And you likely have the credentials for accessing home-assistant available on your main computer somewhere.
Now they are on your home-assistant server, and they can now start trying to exploit your IOT devices.
If VLANs are connected, they don’t care which direction the traffic flows.
If you want to control traffic flow directions you need a firewall. A firewall can sit between VLANs and block traffic coming from one to the other, but not the other to the one.
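The difference between connected VLANs and firewalled VLANs, worked through as an added example that is not part of the original post: it computes which VLANs can be reached hop by hop from a compromised one. The link list is inferred from the attack path described above (the post's own list did not survive on the page), and the firewall policy is a hypothetical one chosen for illustration.

```python
from collections import deque

# Assumed topology, inferred from the attack path in the post:
# jellyfin <-> main <-> home-assistant <-> iot
VLAN_LINKS = [("jellyfin", "main"), ("main", "home-assistant"), ("home-assistant", "iot")]

# Hypothetical firewall policy: (source, destination) pairs allowed to INITIATE
# connections. A stateful firewall lets replies flow back on established
# connections, but the destination still cannot open new connections in return.
FIREWALL_ALLOW = [("main", "jellyfin"), ("main", "home-assistant"), ("home-assistant", "iot")]


def plain_vlan_edges(links):
    """Connected VLANs with no firewall: every link is usable in both directions."""
    return {(a, b) for a, b in links} | {(b, a) for a, b in links}


def blast_radius(start, edges):
    """VLANs reachable by initiating connections hop by hop from `start`.

    Worst case: assumes every reachable host can eventually be compromised.
    """
    seen, queue = {start}, deque([start])
    while queue:
        here = queue.popleft()
        for src, dst in edges:
            if src == here and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen - {start}


def compare(start):
    """Blast radius from `start` without and with the directional firewall policy."""
    return {
        "connected_vlans": sorted(blast_radius(start, plain_vlan_edges(VLAN_LINKS))),
        "firewalled": sorted(blast_radius(start, set(FIREWALL_ALLOW))),
    }


if __name__ == "__main__":
    for vlan in ("jellyfin", "main", "iot"):
        print(vlan, compare(vlan))
```

With this policy a compromised Jellyfin or IoT VLAN reaches nothing, while the main VLAN still reaches everything, so the main VLAN is the one whose hosts matter most to protect.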
I’ve got a firewall. I also have two managed switches to route the VLANs that I’ll be setting up in the coming days. I’ve got a handful of guides I’ve visited and will be revisiting in order to do it the way I want, which I believe will be a reasonable level of security. Acknowledging that you were just trying to be a friendly neighbor, does this plan still hold up to your wisdom thus far?
Yes, that does indeed sound like you have all the stuff necessary to make this work.
In my home network this wouldn’t work, as I’m running all my stuff in containers on multi-purpose servers, and therefore I can’t really split things per VLAN. Most other people in the homelab/self host community also use their servers for multiple purposes at the same time, so VLANs alone often don’t cut it.
Thanks. I’ve been doing a lot of research, and the beginning of it took a while to stick, so it’s good to hear I’m not a complete idiot. What “multiple purposes” are you referring to that would make the VLAN setup less effective? Because I’ll acknowledge that this could lead to two devices being completely compromised if I’m breached, but that will only cost me time to get set back up, as opposed to compromising personal devices on the main VLAN.
The containers in my setup are running in a Kubernetes cluster. My Kubernetes cluster consists of 3 physical servers (one old desktop computer and 2 Intel NUCs).
On that cluster I run many different things, Jellyfin, Plex, *arr-stack, downloader, Immich, zigbee2mqtt, home-assistant, audiobookshelf, calibre-web, Forgejo, ArgoCD, Homebox, Paperless, Factorio servers, Velero, and a bunch of other stuff.
Because I run so many different things on the same 3 physical machines, using containers, there’s no way to split this into VLANs.
I could make a “kubernetes” VLAN, but everything else on my network would need to be connected with it anyway. All my computers, phones and TVs need to access Kubernetes (Jellyfin), and Kubernetes needs to access everything else such as EV charger, heat pump, and the power monitoring in my power meter. Therefore I need to control my networking at a different level.