Charger8232

joined 2 years ago
[–] Charger8232@lemmy.ml 0 points 5 months ago

This is fair, and does solve the problem. I didn't explicitly state that I needed it to be convenient, so you're right. Having one network that is LAN only and switching to it to use Jellyfin, and having a second network that is WAN only and using ProtonVPN there would probably be the most secure setup. Unfortunately, it still doesn't solve the issue of encryption in transit over the LAN, but that might be fixable with Tailscale. The LAN could even be ethernet-only, to mitigate wireless attacks.

That makes me wonder if there's a way I could simply plug an ethernet cord from my phone to the airgapped Pi and use it that way. Is that possible? Surely it is. Could ProtonVPN be used on the phone even while the phone is connected physically to the Pi?

[–] Charger8232@lemmy.ml -5 points 5 months ago

Just out of curiosity, why is your network not a trusted party?

Part of my threat model is essentially "anything that can connect to the internet poses a security risk". Since networks are the literal gateway to the internet, it is reasonable not to trust them. Routers don't run operating systems as secure as Qubes OS, secureblue, or GrapheneOS. If a malicious party found a way to connect to the network, all unencrypted activities can be intercepted. If the router itself has malicious code, any unencrypted traffic can be sent to a third party. Those are just the basics, but trying to put band-aid solutions on a fundamentally broken system is a losing battle.

GrapheneOS distrusts networks as much as possible, so I do too. Even if I own the network, I am not a network engineer, so the chances of fault are high. In the simplest case, the network is a gateway to all activity that happens on the LAN, and it only takes one zero day to make that happen. The best mitigation is proper encryption and no self-signed certificates (where possible).

[–] Charger8232@lemmy.ml 4 points 5 months ago

No, it can run along anything, as long as you don’t conflict the IP space assigned to a VPN.

I tried Tailscale on Android, and it isn't working because it requires the active VPN slot occupied by ProtonVPN.

[–] Charger8232@lemmy.ml 1 points 5 months ago* (last edited 5 months ago)

Idk if proton allows you to download config files on a free account

I remember a time a few years ago when I managed to do something similar... I'll look into this!

Edit: It seems so

https://protonvpn.com/support/vpn-config-download/

https://protonvpn.com/support/wireguard-configurations/

[–] Charger8232@lemmy.ml 2 points 5 months ago

Thank you! I'd like to avoid extra costs, since I already have the Pi on hand, but when I have the money I will switch to a proper server.

[–] Charger8232@lemmy.ml -3 points 5 months ago (1 children)

Good eye! I'd like to avoid trusting my network, but I did consider this option. It also becomes a hassle to enable my VPN per-device each time I leave my house and connect to another network. This still doesn't solve the problem of encrypting Jellyfin in transit over the LAN.

[–] Charger8232@lemmy.ml 1 points 5 months ago (3 children)

Okay, so you might be unfamiliar with networking

I'm familiar with some parts of networking, but self-hosted VPNs are something I am unfamiliar with, so thank you for helping me out!

No need to use Tailscale if you’re just using your Wi-Fi or Ethernet.

I want it to be encrypted during transit, even if it is over the LAN.

Tailscale/Headscale creates its own VPN network which will need its own IP space.

This is what I was afraid of, because this means it probably can't run alongside ProtonVPN, since it would fill up the VPN slot on Android, right?

If so, it means we've come full circle. Unless there is a way to use Tailscale alongside ProtonVPN or a way to get Jellyfin clients to trust self-signed certificates, I don't see any other option than buying a domain and exposing the server to the internet. Am I missing something?
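Added example, not from anyone in this thread: the "IP space" point in the quoted reply comes down to what a WireGuard config lists under AllowedIPs. A full-tunnel config (such as a downloaded VPN config with `AllowedIPs = 0.0.0.0/0`) claims every address, including Tailscale's 100.64.0.0/10 range and the LAN where the Jellyfin Pi sits. The code below computes the AllowedIPs set that leaves a LAN prefix (constructed here as 192.168.1.0/24) and optionally the Tailscale range out of the tunnel, and reports any remaining overlap; the functions and the sample prefixes are my own assumptions. Note that traffic left out of the tunnel crosses the LAN in the clear unless Jellyfin itself serves TLS, which is exactly the remaining problem this comment names.

```python
import ipaddress

# Tailscale hands nodes addresses from the CGNAT block (Tailscale's documented default).
TAILSCALE_RANGE = ipaddress.ip_network("100.64.0.0/10")


def _net(s):
    # strict=False tolerates host bits, e.g. "192.168.1.5/24" -> 192.168.1.0/24
    return ipaddress.ip_network(s, strict=False)


def split_allowed_ips(full_tunnel, exclude):
    """Return AllowedIPs (as strings) covering `full_tunnel` minus every prefix in
    `exclude`. WireGuard only routes what AllowedIPs lists, so a removed LAN prefix
    keeps talking to the local interface while everything else goes through the VPN."""
    remaining = [_net(full_tunnel)]
    for ex in map(_net, exclude):
        kept = []
        for net in remaining:
            if ex.version != net.version:
                kept.append(net)                      # other address family: untouched
            elif ex.subnet_of(net):
                kept.extend(net.address_exclude(ex))  # carve the excluded prefix out
            elif net.subnet_of(ex):
                continue                              # wholly inside the exclusion: drop
            else:
                kept.append(net)                      # disjoint: untouched
        remaining = kept
    return [str(n) for n in sorted(set(remaining))]


def overlaps_tailscale(allowed_ips):
    """List the AllowedIPs entries that still claim addresses in Tailscale's range,
    i.e. the route conflict the thread describes between two VPNs on one device."""
    return [str(n) for n in map(_net, allowed_ips)
            if n.version == TAILSCALE_RANGE.version and n.overlaps(TAILSCALE_RANGE)]


def allowed_ips_line(allowed_ips):
    """Render the [Peer] section line for a WireGuard config file."""
    return "AllowedIPs = " + ", ".join(allowed_ips)


if __name__ == "__main__":
    lan = "192.168.1.0/24"  # constructed LAN prefix where the Jellyfin Pi lives
    tunnel_only = split_allowed_ips("0.0.0.0/0", [lan])
    print(allowed_ips_line(tunnel_only))
    print("entries:", len(tunnel_only), "overlapping Tailscale:", overlaps_tailscale(tunnel_only))
    both = split_allowed_ips("0.0.0.0/0", [lan, str(TAILSCALE_RANGE)])
    print("after also excluding Tailscale:", len(both), overlaps_tailscale(both))
```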

[–] Charger8232@lemmy.ml -3 points 5 months ago* (last edited 5 months ago) (4 children)

The only other providers I would use are Mullvad VPN or IVPN, both of which are paid.

I agree it is ridiculous.

[–] Charger8232@lemmy.ml 0 points 5 months ago

I know. It's very unfortunate, but I understand why.
