fletcher
Jun 27, 2003

ken park is my favorite movie

Cybernetic Crumb

A Bag of Milk posted:

Jellyfin is maybe 90% as good as Plex and still getting better, though I think it might reach that final 10% asymptotically, for lack of a better word. I have simple streaming needs, so the foss aspect of Jellyfin pushes through those last bit of rough edges for me personally.

I've been a long time XBMC and then Kodi user, but I finally decided to give Jellyfin a try last night. It was trivial to get it running and I have good initial impression of it. I like the idea of being able to easily access my media when I'm on the go and it'd be nice to just login to Jellyfin on whatever smart TV at an airbnb to be able to do that. I am hesitant to expose Jellyfin on the public internet though, and if I stick it behind VPN or even basic HTTP auth with fail2ban, it makes it that much harder for me to use it from some rando TV while traveling. Those of you using Jellyfin or one of the other similar solutions, do you have it exposed on the public internet with just their built in authentication?


Computer viking
May 30, 2011
Now with less breakage.

No, it's internal only - though we have other internal services (homeassistant, specifically) available when outside the house. What we've done is to set up wireguard on the router. We can connect the laptops to it, but the main way we use it is to have it configured as an always-on per-application VPN in Android, to let the homeassistant app (and only that app) permanently live on the IoT subnet at home.

I imagine you could do something similar? Set up wireguard, and connect your phone/laptop when you want to use Jellyfin. You'd have to use HDMI to get it onto a hotel TV, but that's probably doable. Just how hard or easy it would be to set up WG at home depends on your router, of course. Our Mikrotik has it built in (and it's neither more nor less arcane than anything else in that OS), while with other routers you may have to forward a port and run WG on a separate machine.

Computer viking fucked around with this message at 00:14 on Nov 18, 2022

fletcher
Jun 27, 2003

ken park is my favorite movie

Cybernetic Crumb

Computer viking posted:

No, it's internal only - though we have other internal services (homeassistant, specifically) available when outside the house. What we've done is to set up wireguard on the router. We can connect the laptops to it, but the main way we use it is to have it configured as an always-on per-application VPN in Android, to let the homeassistant app (and only that app) permanently live on the IoT subnet at home.

I imagine you could do something similar? Set up wireguard, and connect your phone/laptop when you want to use Jellyfin. You'd have to use HDMI to get it onto a hotel TV, but that's probably doable. Just how hard or easy it would be to set up WG at home depends on your router, of course. Our Mikrotik has it built in (and it's neither more nor less arcane than anything else in that OS), while with other routers you may have to forward a port and run WG on a separate machine.

Thanks for the details! I have a VPN setup at home already (Unifi UID) that I use for other apps. For watching stuff on the go I've been using my trusty old Subsonic server, and I usually end up plugging an HDMI cable into whatever TV to watch things while traveling. I was also thinking about the use case of giving a friend or family member access to this, but if it's anything more complicated than "download the Jellyfin app on your smart TV and login" I think it will be a lost cause. However, unless I'm willing to expose it on the public internet, doesn't seem like there's any way around that.

Saukkis
May 16, 2003

Unless I'm on the inside curve pointing straight at oncoming traffic the high beams stay on and I laugh at your puny protest flashes.
I am Most Important Man. Most Important Man in the World.
Port knocking would probably be secure enough for this use case.

Computer viking
May 30, 2011
Now with less breakage.

fletcher posted:

Thanks for the details! I have a VPN setup at home already (Unifi UID) that I use for other apps. For watching stuff on the go I've been using my trusty old Subsonic server, and I usually end up plugging an HDMI cable into whatever TV to watch things while traveling. I was also thinking about the use case of giving a friend or family member access to this, but if it's anything more complicated than "download the Jellyfin app on your smart TV and login" I think it will be a lost cause. However, unless I'm willing to expose it on the public internet, doesn't seem like there's any way around that.

You're probably right; this feels like one of those cases where there's no great tradeoffs to be found on the scale from "insecure" to "you need to be an engineer to even use this".

Saukkis posted:

Port knocking would probably be secure enough for this use case.

Prooobably, but I'm not sure if that's easier to talk someone through setting up if they just want to view your content on their TV?

Yaoi Gagarin
Feb 20, 2014

This whole space is just begging for someone to create a convenient and easy to use wireguard endpoint in a box

Tamba
Apr 5, 2010

Computer viking posted:

No, it's internal only - though we have other internal services (homeassistant, specifically) available when outside the house. What we've done is to set up wireguard on the router. We can connect the laptops to it, but the main way we use it is to have it configured as an always-on per-application VPN in Android, to let the homeassistant app (and only that app) permanently live on the IoT subnet at home.

I imagine you could do something similar? Set up wireguard, and connect your phone/laptop when you want to use Jellyfin. You'd have to use HDMI to get it onto a hotel TV, but that's probably doable. Just how hard or easy it would be to set up WG at home depends on your router, of course. Our Mikrotik has it built in (and it's neither more nor less arcane than anything else in that OS), while with other routers you may have to forward a port and run WG on a separate machine.

I bought a cheap android HDMI stick just for hotel TV stuff. It has Wireguard + a few media apps (including a Jellyfin client), so all I need to do is connect it to the TV and network to get access to my files at home without exposing everything to the internet.

Tapedump
Aug 31, 2007
College Slice
I mean, shout out to all the myriad pfSense devices, from the questionable at best all the way up to Netgate's lineup?

(Other shout out to pcEngines for having a very good option, and thankfully he's got production running again.)

tuyop
Sep 15, 2006

Every second that we're not growing BASIL is a second wasted

Fun Shoe

Hughlander posted:

How noisy is a single NAS drive going to be? I'd like to put some rather large directly attached storage on a desktop and was thinking of getting a 7200RPM 18TB NAS drive around Cyber Monday. Though more I think about it I probably need to experiment and confirm that 1G ethernet won't be sufficient for the use case I have in mind...

I’d be surprised if you could hear that device more than a foot or so away from it. Like the pc fans will probably be just as loud, though sometimes the drive noises are a bit more noticeable because they’re irregular.

I have four 3.5” HDDs on my desk and they’re barely audible from the couch eight feet away, though they can be annoying if you turn everything else off and sit in the room with them at night when there’s no traffic.

Keito
Jul 21, 2005

WHAT DO I CHOOSE ?

VostokProgram posted:

This whole space is just begging for someone to create a convenient and easy to use wireguard endpoint in a box

I'm pretty sure the GL.iNet guys had done this already. Checking out their website this upcoming Brume 2 device looks very on point.

Personally I use Tailscale with a self-hosted control server (headscale) as an always-on VPN for accessing my services, both from home and elsewhere. Very convenient, but perhaps not so easy (yet?) to host yourself.

Computer viking
May 30, 2011
Now with less breakage.

tuyop posted:

I’d be surprised if you could hear that device more than a foot or so away from it. Like the pc fans will probably be just as loud, though sometimes the drive noises are a bit more noticeable because they’re irregular.

I have four 3.5” HDDs on my desk and they’re barely audible from the couch eight feet away, though they can be annoying if you turn everything else off and sit in the room with them at night when there’s no traffic.

Counterpoint: I have two 14TB drives in a minitower under a desk, and when it runs the nightly scans and things, you can easily hear them crunching away in the entire (admittedly small) living room. I don't really notice them outside those few minutes of 100% activity, but they are there if I listen for them. Probably depends a lot on your case and mounting, mine are bolted directly into a steel case with no vibration dampening.

Corb3t
Jun 7, 2003

fletcher posted:

Thanks for the details! I have a VPN setup at home already (Unifi UID) that I use for other apps. For watching stuff on the go I've been using my trusty old Subsonic server, and I usually end up plugging an HDMI cable into whatever TV to watch things while traveling. I was also thinking about the use case of giving a friend or family member access to this, but if it's anything more complicated than "download the Jellyfin app on your smart TV and login" I think it will be a lost cause. However, unless I'm willing to expose it on the public internet, doesn't seem like there's any way around that.

What exactly is your hesitancy to expose it to the internet? Just lack of knowledge regarding networking and security? I've helped a lot of less technically inclined friends set up Unraid servers running a bunch of docker containers, and people's biggest concern is always exposing it to the internet. Something like Plex (with options like 2FA login) is going to be easier to set up from a security perspective and less hassle overall - you might have to open one port, but all of the traffic is encrypted using SSL certs and HTTPS only. Opening a port on your network and exposing it to the internet doesn't just create some huge glaring security hole in your network.

necrobobsledder
Mar 21, 2005
Lay down your soul to the gods rock 'n roll
Nap Ghost
Tailscale announced Funnel which may be able to get people past a lot of the horrors of publicly exposing their Plex servers but it's mostly useful for a small number of users or for purely personal use with its pricing plans. With 20 devices supported for free plans it's suitable for a fair number of devices at least.

e.pilot
Nov 20, 2011

sometimes maybe good
sometimes maybe shit

Keito posted:

I'm pretty sure the GL.iNet guys had done this already. Checking out their website this upcoming Brume 2 device looks very on point.

I travel for work and have a Slate AX that I love and used a Beryl for a bunch of years before that, they work fantastic.

wolrah
May 8, 2006
what?

Keito posted:

I'm pretty sure the GL.iNet guys had done this already. Checking out their website this upcoming Brume 2 device looks very on point.
Can confirm, I have a GL.iNet travel router that not only has a really easy Wireguard client built in but it even lets me map that behavior to a physical switch on the device. Switch on, Wireguard. The stock firmware is just a friendly UI over top of OpenWRT, you can get in to the LuCI interface for full control if you want. And this is a device I've had for years.

fletcher
Jun 27, 2003

ken park is my favorite movie

Cybernetic Crumb

Gay Retard posted:

What exactly is your hesitancy to expose it to the internet? Just lack of knowledge regarding networking and security? I've helped a lot of less technically inclined friends set up Unraid servers running a bunch of docker containers, and people's biggest concern is always exposing it to the internet. Something like Plex (with options like 2FA login) is going to be easier to set up from a security perspective and less hassle overall - you might have to open one port, but all of the traffic is encrypted using SSL certs and HTTPS only. Opening a port on your network and exposing it to the internet doesn't just create some huge glaring security hole in your network.

My hesitancy comes from a lack of trust in the software. Once a vulnerability is disclosed publicly, it's only a matter of hours before some bot hits my server with it. A battle hardened VPN or SSH endpoint is the only thing I'd be comfortable exposing publicly for anything on my home network. I've got a separate server in a colo that I use for hosting publicly accessible things, so I was thinking about doing it there. Docker itself doesn't have a great track record in terms of security and isolation, so if Jellyfin has an unauthenticated RCE or something, it could be a bad time. I'm comfortable with the networking and security config aspects, it's just this lack of trust in the software listening on those ports.

Corb3t
Jun 7, 2003

fletcher posted:

My hesitancy comes from a lack of trust in the software. Once a vulnerability is disclosed publicly, it's only a matter of hours before some bot hits my server with it. A battle hardened VPN or SSH endpoint is the only thing I'd be comfortable exposing publicly for anything on my home network. I've got a separate server in a colo that I use for hosting publicly accessible things, so I was thinking about doing it there. Docker itself doesn't have a great track record in terms of security and isolation, so if Jellyfin has an unauthenticated RCE or something, it could be a bad time. I'm comfortable with the networking and security config aspects, it's just this lack of trust in the software listening on those ports.

A bot hits my server on my open TCP Plex or Jellyfin port and then what happens? They maybe see encrypted streaming traffic going in and out? I sure as hell trust opening my own port over leaving UPnP on and letting any software choose what ports it wants to use.

Edit: I guess there's always the possibility of a security vulnerability being exposed, but for me, the convenience of these services (and most IoT services) outweighs the possibility of a problem. My docker services auto-update daily. I've been running a Plex server for almost a decade - have we heard of anything like this happening with that?

Edit2: It's worth noting that I don't open any ports for my Jellyfin - I setup a reverse proxy with Nginx Proxy + Cloudflare to my own jelly.gayretard.com address. You can do the same with plex here: https://www.plexopedia.com/plex-media-server/general/plex-nginx-reverse-proxy/

Corb3t fucked around with this message at 21:30 on Nov 18, 2022

Blurb3947
Sep 30, 2022

Gay Retard posted:

Edit: I guess there's always the possibility of a security vulnerability being exposed, but for me, the convenience of these services (and most IoT services) outweighs the possibility of a problem. My docker services auto-update daily. I've been running a Plex server for almost a decade - have we heard of anything like this happening with that?

Not that I know of for Plex but...

https://en.m.wikipedia.org/wiki/Log4Shell

Combat Pretzel
Jun 23, 2004

No, seriously... what kurds?!

fletcher posted:

My hesitancy comes from a lack of trust in the software. Once a vulnerability is disclosed publicly, it's only a matter of hours before some bot hits my server with it. A battle hardened VPN or SSH endpoint is the only thing I'd be comfortable exposing publicly for anything on my home network.
Wireguard. VPN solution that uses UDP.

As opposed to TCP, which needs to listen and respond to connection negotiation before any actual data can flow (and is therefore detectable), unless Wireguard can decrypt and authenticate packets, it will silently drop the packets and leave them unanswered. So to any port scanner, or other attempts to connect, the port looks unused. Wireguard depends on proper setup using public keys on each peer, so no password authentication.

I'm using it as split VPN on my mobile devices (phone and tablet), so that I can access my home network and also use the adblocking DNS resolver running on my NAS from anywhere. None of these services are accessible on the public internet. Needs some sort of dynamic DNS, tho, if you don't have a fixed IP on your home router.

It's also pretty lightweight. I have them enabled 24/7 when away from home Wifi, and I don't notice on battery.

Combat Pretzel fucked around with this message at 22:21 on Nov 18, 2022

Smashing Link
Jul 8, 2003

I'll keep chucking bombs at you til you fall off that ledge!
Grimey Drawer

necrobobsledder posted:

Tailscale announced Funnel which may be able to get people past a lot of the horrors of publicly exposing their Plex servers but it's mostly useful for a small number of users or for purely personal use with its pricing plans. With 20 devices supported for free plans it's suitable for a fair number of devices at least.

Just curious, what does this offer over a Docker implementation of Tailscale?

Thanks Ants
May 21, 2004

#essereFerrari


People on the internet can hit your HTTPS service without having to know anything about Tailscale

Smashing Link
Jul 8, 2003

I'll keep chucking bombs at you til you fall off that ledge!
Grimey Drawer

Thanks Ants posted:

People on the internet can hit your HTTPS service without having to know anything about Tailscale

Very interesting.

Thanks Ants
May 21, 2004

#essereFerrari


It's a bit like Azure AD Application Proxy

Dyscrasia
Jun 23, 2003
Give Me Hamms Premium Draft or Give Me DEATH!!!!

Gay Retard posted:

A bot hits my server on my open TCP Plex or Jellyfin port and then what happens? They maybe see encrypted streaming traffic going in and out? I sure as hell trust opening my own port over leaving UPnP on and letting any software choose what ports it wants to use.

Edit: I guess there's always the possibility of a security vulnerability being exposed, but for me, the convenience of these services (and most IoT services) outweighs the possibility of a problem. My docker services auto-update daily. I've been running a Plex server for almost a decade - have we heard of anything like this happening with that?

Edit2: It's worth noting that I don't open any ports for my Jellyfin - I setup a reverse proxy with Nginx Proxy + Cloudflare to my own jelly.gayretard.com address. You can do the same with plex here: https://www.plexopedia.com/plex-media-server/general/plex-nginx-reverse-proxy/

A reverse proxy and cloudflare certainly covers what I would be concerned about in this situation. If I needed external access for this kind of thing, I'd do similar. I wouldn't expose these services directly.

BlankSystemDaemon
Mar 13, 2009



Combat Pretzel posted:

Wireguard. VPN solution that uses UDP.

As opposed to TCP, which needs to listen and respond to connection negotiation before any actual data can flow (and is therefore detectable), unless Wireguard can decrypt and authenticate packets, it will silently drop the packets and leave them unanswered. So to any port scanner, or other attempts to connect, the port looks unused. Wireguard depends on proper setup using public keys on each peer, so no password authentication.

I'm using it as split VPN on my mobile devices (phone and tablet), so that I can access my home network and also use the adblocking DNS resolver running on my NAS from anywhere. None of these services are accessible on the public internet. Needs some sort of dynamic DNS, tho, if you don't have a fixed IP on your home router.

It's also pretty lightweight. I have them enabled 24/7 when away from home Wifi, and I don't notice on battery.
If memory serves, this is mostly true, except for the -sV flags on nmap, which can detect things if the probe format is known by nmap (which it will be given sufficient time, if it isn't already).

fletcher
Jun 27, 2003

ken park is my favorite movie

Cybernetic Crumb

Combat Pretzel posted:

Wireguard. VPN solution that uses UDP.

As opposed to TCP, which needs to listen and respond to connection negotiation before any actual data can flow (and is therefore detectable), unless Wireguard can decrypt and authenticate packets, it will silently drop the packets and leave them unanswered. So to any port scanner, or other attempts to connect, the port looks unused. Wireguard depends on proper setup using public keys on each peer, so no password authentication.

I'm using it as split VPN on my mobile devices (phone and tablet), so that I can access my home network and also use the adblocking DNS resolver running on my NAS from anywhere. None of these services are accessible on the public internet. Needs some sort of dynamic DNS, tho, if you don't have a fixed IP on your home router.

It's also pretty lightweight. I have them enabled 24/7 when away from home Wifi, and I don't notice on battery.

What's the Wireguard & Jellyfin setup like for the non-tech family members?

Corb3t
Jun 7, 2003

fletcher posted:

What's the Wireguard & Jellyfin setup like for the non-tech family members?

If they're using any iOS devices, it's a Test Flight beta app, which I know concerned some of my more privacy centric friends due to more advanced logging with beta apps. Users also have to manually enter the Jellyfin server address when adding a new device.

Keito
Jul 21, 2005

WHAT DO I CHOOSE ?

Gay Retard posted:

If they're using any iOS devices, it's a Test Flight beta app, which I know concerned some of my more privacy centric friends due to more advanced logging with beta apps. Users also have to manually enter the Jellyfin server address when adding a new device.

No that's very outdated info, Jellyfin has been out on the iOS App Store for years at this point. It's also not what fletcher was asking about.

fletcher posted:

What's the Wireguard & Jellyfin setup like for the non-tech family members?

The WireGuard mobile apps can scan in configs from QR codes, so presumably you'd send them one along with some instructions. They would need to install two apps, scan this QR code, and then as Gay Retard wrote in Jellyfin they would have to enter the domain name that the server runs on before logging in. It's not something I'd do but I'm sure they could manage without a degree in engineering.

Combat Pretzel
Jun 23, 2004

No, seriously... what kurds?!

BlankSystemDaemon posted:

If memory serves, this is mostly true, except for the -sV flags on nmap, which can detect things if the probe format is known by nmap (which it will be given sufficient time, if it isn't already).
I've quickly read up on these flags. They still seem to require a response.

While the Wireguard packet header is clear text to allow for some signaling flags to indicate things like session initiation, the payload is still encrypted, and it can do so because each peer needs to know the public key of the other. And if the packets don't decrypt (and authenticate via private key), even the session initiation ones, they get dropped and there's no response. Not sure what nmap is gonna parse in that case.

I mean, nmap -sV doesn't get far here:

code:
root@truenas[~]# nmap -sU -sV 192.168.1.72 -p 51820
Starting Nmap 7.80 ( https://nmap.org ) at 2022-11-19 14:56 CET
Nmap scan report for 192.168.1.72
Host is up.

PORT      STATE         SERVICE VERSION
51820/udp open|filtered unknown

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 102.17 seconds
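The "drops anything it can't authenticate" behaviour discussed in this post comes down to the mac1 check at the front of every WireGuard handshake initiation. As an added illustration (constructed here, not code from the thread or from the WireGuard project), this reproduces that responder-side gate: mac1 is a keyed BLAKE2s over the cleartext part of the message, keyed by a hash of the responder's own public key, so a probe built without that key fails the check and the responder sends nothing back. The 32-byte public key, sender index and the zeroed ephemeral/static/timestamp fields are placeholders, since only the header layout and the mac1 gate are exercised.

```python
"""Responder-side mac1 gate of a WireGuard handshake initiation (constructed example).

Per the WireGuard protocol description:
  HASH(m)        = BLAKE2s-256(m)
  MAC(key, m)    = keyed BLAKE2s-128(key, m)
  mac1           = MAC(HASH("mac1----" || Spub_responder), msg[:116])
A handshake initiation is 148 bytes: type(1) reserved(3) sender(4)
ephemeral(32) static(48) timestamp(28) mac1(16) mac2(16).
"""
import hashlib
import hmac

LABEL_MAC1 = b"mac1----"
MSG_INITIATION = 1
INIT_LEN = 148
MAC1_OFFSET = 116   # everything before mac1 is covered by mac1
MAC2_OFFSET = 132

# Constructed placeholder, NOT a real key: stands in for the responder's Curve25519 public key.
RESPONDER_PUB = bytes(range(32))


def wg_hash(data: bytes) -> bytes:
    return hashlib.blake2s(data, digest_size=32).digest()


def wg_mac(key: bytes, data: bytes) -> bytes:
    return hashlib.blake2s(data, digest_size=16, key=key).digest()


def mac1_key(responder_pubkey: bytes) -> bytes:
    # Only someone who already knows the responder's public key can derive this key.
    return wg_hash(LABEL_MAC1 + responder_pubkey)


def build_initiation(responder_pubkey: bytes, sender_index: int) -> bytes:
    """Frame a handshake initiation with a valid mac1 for the given responder key.

    The ephemeral, static and timestamp fields are zeroed placeholders; a real
    initiator fills them from the Noise IK handshake, which is out of scope here.
    """
    body = bytes([MSG_INITIATION, 0, 0, 0])
    body += sender_index.to_bytes(4, "little")
    body += bytes(32) + bytes(48) + bytes(28)   # placeholder ephemeral, static, timestamp
    assert len(body) == MAC1_OFFSET
    mac1 = wg_mac(mac1_key(responder_pubkey), body)
    mac2 = bytes(16)                             # all zeros when the responder is not under load
    return body + mac1 + mac2


def mac1_valid(packet: bytes, responder_pubkey: bytes) -> bool:
    """True only if the packet is a well-formed initiation whose mac1 matches our key."""
    if len(packet) != INIT_LEN or packet[0] != MSG_INITIATION:
        return False
    expected = wg_mac(mac1_key(responder_pubkey), packet[:MAC1_OFFSET])
    # Constant-time comparison, as a real implementation would use.
    return hmac.compare_digest(expected, packet[MAC1_OFFSET:MAC2_OFFSET])


def responder_handle(packet: bytes, responder_pubkey: bytes = RESPONDER_PUB):
    """Model the responder: silently drop (return None) unless mac1 checks out.

    Returning None means no datagram leaves the host, which is what a UDP
    scanner observes as open|filtered rather than a service banner.
    """
    if not mac1_valid(packet, responder_pubkey):
        return None
    return "continue-handshake"   # the Noise handshake would be verified next


if __name__ == "__main__":
    good = build_initiation(RESPONDER_PUB, 0x1234)
    print("peer with our pubkey:", responder_handle(good))
    print("probe built without it:", responder_handle(build_initiation(bytes(32), 0x1234)))
    print("random junk:", responder_handle(b"\x01" + bytes(147)))
```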

BlankSystemDaemon
Mar 13, 2009



Combat Pretzel posted:

I've quickly read up on these flags. They still seem to require a response.

While the Wireguard packet header is clear text to allow for some signaling flags to indicate things like session initiation, the payload is still encrypted, and it can do so because each peer needs to know the public key of the other. And if the packets don't decrypt (and authenticate via private key), even the session initiation ones, they get dropped and there's no response. Not sure what nmap is gonna parse in that case.

I mean, nmap -sV doesn't get far here:

code:
root@truenas[~]# nmap -sU -sV 192.168.1.72 -p 51820
Starting Nmap 7.80 ( https://nmap.org ) at 2022-11-19 14:56 CET
Nmap scan report for 192.168.1.72
Host is up.

PORT      STATE         SERVICE VERSION
51820/udp open|filtered unknown

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 102.17 seconds
Right, sure - I'm just confused then, because it seemed to me like you were saying that a foreign system would see the port as being closed (which only happens when a TCP RST is received)?

Basically, what I'm asking is, what does nc -z 192.168.1.72 51820 output?

Saukkis
May 16, 2003

Unless I'm on the inside curve pointing straight at oncoming traffic the high beams stay on and I laugh at your puny protest flashes.
I am Most Important Man. Most Important Man in the World.

BlankSystemDaemon posted:

Right, sure - I'm just confused then, because it seemed to me like you were saying that a foreign system would see the port as being closed (which only happens when a TCP RST is received)?

Basically, what I'm asking is, what does nc -z 192.168.1.72 51820 output?

I would think "filtered" is the preferred result. It either tells us that the target isn't using Wireguard and their firewall is dropping the packets, or they are using WG but the key doesn't match and it is dropping the packet. Trying to guess the key is hopeless, so the only option is to try sending exploit payloads to all possible ports.

If the result was "closed" we would know the target is using neither Wireguard nor firewall.

Combat Pretzel
Jun 23, 2004

No, seriously... what kurds?!

BlankSystemDaemon posted:

Right, sure - I'm just confused then, because it seemed to me like you were saying that a foreign system would see the port as being closed (which only happens when a TCP RST is received)?

Basically, what I'm asking is, what does nc -z 192.168.1.72 51820 output?
I figured unused on a UDP port implies no communication. More like miscommunication, amirite?

As far as nc goes:
code:
root@truenas[~]# nc -z 192.168.1.72 51820
root@truenas[~]#

BlankSystemDaemon
Mar 13, 2009



Combat Pretzel posted:

I figured unused on a UDP port implies no communication. More like miscommunication, amirite?

As far as nc goes:
code:
root@truenas[~]# nc -z 192.168.1.72 51820
root@truenas[~]#
I think my point got away from me, but part of it was that it's not like it's impossible to tell that Wireguard is running on the port - it's just that nmap (or at least the version in FreeBSD's base system) isn't up-to-date enough to recognize Wireguard.

Since nc is returning nothing, it means there should be an exit code printed if you do echo $? - but it'll likely be 1, which is just a catch-all indicating that an unspecified error has happened, so you'd likely need to use the -v flag to increase verbosity.
However, I just realized that it defaults to TCP with nothing specified (which is confirmed in src/contrib/netcat/netcat.c), so nc -uz is the proper invocation.

Computer viking
May 30, 2011
Now with less breakage.

BlankSystemDaemon posted:

I think my point got away from me, but part of it was that it's not like it's impossible to tell that Wireguard is running on the port - it's just that nmap (or at least the version in FreeBSD's base system) isn't up-to-date enough to recognize Wireguard.

Since nc is returning nothing, it means there should be an exit code printed if you do echo $? - but it'll likely be 1, which is just a catch-all indicating that an unspecified error has happened, so you'd likely need to use the -v flag to increase verbosity.
However, I just realized that it defaults to TCP with nothing specified (which is confirmed in src/contrib/netcat/netcat.c), so nc -uz is the proper invocation.

Is that actually possible? It's UDP, so you just fire a package and hope for an answer, and if you never hear anything back it's hard to know exactly why.

BlankSystemDaemon
Mar 13, 2009



Computer viking posted:

Is that actually possible? It's UDP, so you just fire a package and hope for an answer, and if you never hear anything back it's hard to know exactly why.

debdrup@geroi.local:~ % nc -zu router.local 53
Connection to router.local 53 port [udp/domain] succeeded!


I'll be honest, I don't remember how -z works.

BlankSystemDaemon fucked around with this message at 23:03 on Nov 19, 2022

Combat Pretzel
Jun 23, 2004

No, seriously... what kurds?!

Computer viking posted:

Is that actually possible? It's UDP, so you just fire a package and hope for an answer, and if you never hear anything back it's hard to know exactly why.
Yea, and because Wireguard drops anything that can't be decrypted and authenticated via public keys or the session keys, you will not get a response. So it's not detectable.

BlankSystemDaemon posted:


debdrup@geroi.local:~ % nc -zu router.local 53
Connection to router.local 53 port [udp/domain] succeeded!


I'll be honest, I don't remember how -z works - just that it does.
That probably works because it's responding to the garbled stuff sent to the port.

--edit: nc manpage says -z doesn't send anything. So I'm not sure how it can check for something, if it doesn't attempt to trigger a response. It probably tickles the TCP port instead or something, because it doesn't make sense otherwise.

Combat Pretzel fucked around with this message at 23:06 on Nov 19, 2022

BlankSystemDaemon
Mar 13, 2009



Combat Pretzel posted:

Yea, and because Wireguard drops anything that can't be decrypted and authenticated via public keys or the session keys, you will not get a response. So it's not detectable.

That probably works because it's responding to the garbled stuff sent to the port.

--edit: nc manpage says -z doesn't send anything. So I'm not sure how it can check for something, if it doesn't attempt to trigger a response. It probably tickles the TCP port instead or something, because it doesn't make sense otherwise.
But the nmap you ran showed that it found something running on the 51820/udp, and it doesn't take long to figure out what's probably running on that port.

As for netcat, it says that it scans for listening daemons, without sending any data. Those are two different things.

Computer viking
May 30, 2011
Now with less breakage.

BlankSystemDaemon posted:

But the nmap you ran showed that it found something running on the 51820/udp, and it doesn't take long to figure out what's probably running on that port.

As for netcat, it says that it scans for listening daemons, without sending any data. Those are two different things.

How, though? I mean, it's not telepathic.

BlankSystemDaemon
Mar 13, 2009



Computer viking posted:

How, though? I mean, it's not telepathic.
By being a lying liar, apparently.


Combat Pretzel
Jun 23, 2004

No, seriously... what kurds?!

BlankSystemDaemon posted:

But the nmap you ran showed that it found something running on the 51820/udp, and it doesn't take long to figure out what's probably running on that port.
Hmm, looking this up, because it kept confusing me, UDP is supposed to send an ICMP packet when the port is closed. So that's how it detects it. Seems like this is something that Wireguard ought to do on its own, too, for cloaking.

Luckily my router does filter all ICMPs and keeps them from leaving the local network, so things should be generally invisible (i.e. when no port responds with anything, the computer/IP is "offline"). And I'm not portmapping Wireguard to its default port, anyway.

Combat Pretzel fucked around with this message at 23:33 on Nov 19, 2022
