Hi. I am a software engineer with a background in IT security. My girlfriend is a literal network security engineer.

I showed her this thread and she said: don't bother, just use http on your local network.

Anyways, I am going to disengage from this thread now. Skepticism against things one doesn't fully understand can be healthy, but this is an insane mix of paranoia and naïveté.

You are not a target; the things you are afraid of will never happen; and if they did, they would not have the consequences you think they would.

Your router will NOT magically expose your traffic to the internet (what would that even mean?? Like, if it spontaneously started port forwarding to your Jellyfin server (how? By just randomly guessing the port and IP???), someone would still need to actively request that traffic, AND know your login credentials, AND CARE).

Your ISP does not give a shit about you owning or streaming copyrighted material over your local network. It has no stake in that.

Graphene is not an ultimate arbiter of IT security, but the reason it "distrusts networks" is because you take your phone with you, constantly moving into actual untrusted networks (i.e. ones you do not own).

Hosting Jellyfin on Graphene will not make it more secure, whatsoever.

If every device is assumed compromised, and compromising devices with knowledge that you watch media is a threat in your model, then even putting an SD card with media in your phone and clicking play is dangerous. Which is stupid.

If you actually assume your router is malicious, then please assume that when you initially downloaded your VPN client, it was also compromised and your VPN is not trustworthy.

The way I see it, you have two options:

1. educate yourself on network security to the point of being able to trust your network setup; or
2. forget about hosting anything

I don't plan to access it anywhere but home

Okay so what's all this faffing about for? Just don't open it up to the internet and access it with your servers local ip address on your home network

Just run it on the LAN and don't expose it to the Internet. That's 99% of the way there. HTTPS only secures the connection, and I doubt you're sending any sensitive info to or from Jellyfin (but you can still run it in docker and use caddy or something with Let's Encrypt).

The bigger target is making sure jellyfin itself and the host it runs on are updated and protected. You could use a WAF too.

I applaud your accomplishment as a penetration tester. I am disappointed at your lack of understanding regarding non-public networking.

Move your VPN to your router. Don’t bother with HTTPS on anything not exposed to the Internet.

If that does not satisfy your concerns, you may want to give up using electronic devices.

Your post is very confusing. You want to use it only locally (on your home), but it can't be a local-only instance.

You want to e2ee everything, but fail to mention why. There is no reason to do that on your own network.

I do not know why you want to use a VPN and what you want to do with it. Where do you want to connect to?

What is the attack vector you're worried about? Are there malicious entities on your network?

Run in at home and get Tailscale setup with a Headscale server, or just use Tailscale straight out of you want. That's the simplest.

A better option would be getting an OpenWRT router and start building proper infrastructure for doing something like this. You'll have many different options for decentralized and NAT traversing VPNs with this option. GL.Inet Flint is a great choice.

This is one of the funniest posts I've seen here so far. Thanks for that! I unfortunately don't otherwise have anything to add that hasn't already been said, just wanted you to know that I enjoyed it a lot :)

After reviewing the entire thread, I have to say that this is quite an interesting question. In a departure from most other people's threat models, your LAN is not considered trusted. In addition, you're seeking a solution that minimizes subscription costs, yet you already have a VPN provider, one which has a -- IMO, illogical -- paid tier to allow LAN access. In my book, paying more money for a basic feature is akin to hostage-taking. But I digress.

The hard requirement to avoid self-signed certificates is understandable, although I would be of the opinion that Jellyfin clients that use pinned root certificates are faulty, if they do not have an option to manage those pinned certificates to add a new one. Such certificate pinning only makes sense when the client knows that it would only connect to a known, finite list of domains, and thus is out-of-place for Jellyfin, as it might have to connect to new servers in future. For the most part, the OS root certificates can generally be relied upon, unless even the OS is not trusted.

A domain name is highly advised, even for internal use, as you can always issue subdomains for different logical network groupings. Or maybe even ask a friend for a subdomain delegation off of their domain. As you've found, without a domain, TLS certificates can't be issued and that closes off the easy way to enable HTTPS for use on your untrusted LAN.

But supposing you absolutely do not want to tack on additional costs, then the only solution I see that remains is to set up a private VPN network, one which only connects your trusted devices. This would be secure when on your untrusted LAN, but would be unavailable when away from home. So when you're out and about, you might still need a commercial VPN provider. What I wouldn't recommend is to nest your private VPN inside of the commercial VPN; the performance is likely abysmal.

I think the easiest way would be to have two vlans on your local network. One that is connected to the internet and another that is local only. I think you'd have to switch networks when wanting to access the jellyfin server in that instance, but would negate the main issue, which is your VPN.

Edit: that's about the most secure you can get I think. If you bought a different physical router to host it, you'd have about as secure a setup as possible.

Hang on.

Would it not be better to run a VPN server on your router to force all WAN-bound traffic through the VPN? This way, you could still access your local devices.

So you want a self hosted jellyfin instance that you only plan to access at home, as secure and simply as possible?

Buy an HDMI splitter.

If you are willing to swap to mullvad then you can also install tailscale. You can then choose to connect to your jellyfin server (over LAN) or (over tailscale-wireguard tunnel over LAN) while the rest of the traffic flows through mullvad.

Fwiw jellyfin apps don't even allow you to use a self signed cert.

You're overthinking. Just host it on any server with a domain name and use let's encrypt certs if you want to access it from anywhere. TLS offers good encryption, I don't get how you need a VPN on top of that.

For local access only, I'd just host it on a machine over the lan, self-signed certs for TLS, hell I would even settle with http in this case. As for your VPN app preventing you to access a local resource on your lan, if true, you should get rid of that nonsense.

I can't answer your question as I rely on Plex rather than fooling around with my own security, but I'd suggest reconsidering the Pi and a microSD to host Jellyfin. Neither one of these are a good fit unless you plan on sticking to very specific audio and video codecs to avoid all transcoding and your upload speeds are capable of serving the full bitrate of your files. Beyond that, SD cards are terrible for this kind of task and you'd be much better served with an SSD as your boot/data drive for robustness. I can't even count the number of failed SD cards I've had over the years.