Charger8232

You don’t need a VPN for LAN connections.

ProtonVPN by default blocks LAN connections, and can only be changed using their paid tier.

You want to use it only locally (on your home), but it can’t be a local-only instance.

By "local-only" I meant on-device

You want to e2ee everything, but fail to mention why.

Privacy and security.

There is no reason to do that on your own network.

Networks are not a trusted party in any capacity.

I do not know why you want to use a VPN and what you want to do with it. Where do you want to connect to?

A VPN such as ProtonVPN or Mullvad VPN are used to displace trust from your ISP into your VPN provider and obscure your IP address while web browsing (among other benefits that I don't utilize).

What is the attack vector you’re worried about? Are there malicious entities on your network?

These are good questions but not ones I can answer briefly.

Alright, I'm slowly learning, bare with me here:

• ProtonVPN is always-on and blocks connections without VPN
• Jellyfin and Headscale are hosted on the Pi (or does Headscale need its own server?)
• Tailscale and a Jellyfin client are installed on the phone

Then:

• Will that will run fully on the LAN?
• Will it be encrypted during transit?
• Does ProtonVPN need to allow LAN connections?

So:

• ProtonVPN is installed on my Android phone
• Android has Always-on VPN enabled
• Android has Block connections without VPN enabled
• Host Jellyfin on my Raspberry Pi 5
• Install Headscale on my Raspberry Pi 5
• Install Headscale on my Android phone
• Install a Jellyfin client on my Android phone
• Configure everything

And that will work? It will be encrypted during transit? And only run on the LAN? Does ProtonVPN need to allow LAN connections (I assume it does)?

Does Headscale conflict with ProtonVPN/Mullvad VPN (i.e. can I use those alongside Headscale)? Android has a limited number of VPN slots, so that's why I ask.

I still want security in transit, no matter where it is being broadcast from.

but I’d suggest reconsidering the Pi

It's what I have on hand at the moment. I don't have proper server hardware yet.

and a microSD to host Jellyfin.

Beyond that, SD cards are terrible for this kind of task and you’d be much better served with an SSD as your boot/data drive for robustness. I can’t even count the number of failed SD cards I’ve had over the years.

I will keep this in mind, thank you!

Neither one of these are a good fit unless you plan on sticking to very specific audio and video codecs to avoid all transcoding and your upload speeds are capable of serving the full bitrate of your files.

I haven't tried playing videos from my Raspberry Pi, but I've been able to run extremely modern video codecs on some pretty old hardware without any issues. Since I've never had issues with video codecs, I'm not experienced in what hardware can and can't handle it.

Run in at home and get Tailscale setup with a Headscale server, or just use Tailscale straight out of you want. That’s the simplest.

I have no idea how to do this. Do you have any resources? Does it cost a subscription fee?

A better option would be getting an OpenWRT router

This is what I have planned. OpenWrt Two my beloved

You’ll have many different options for decentralized and NAT traversing VPNs with this option. GL.Inet Flint is a great choice.

I also don't know how to do this. Resources are much appreciated :)

Just run it on the LAN and don’t expose it to the Internet.

This would require paying for a VPN to allow LAN connections, which is an option but not my preferred one.

HTTPS only secures the connection, and I doubt you’re sending any sensitive info to or from Jellyfin

This is a matter of threat model, and I would prefer not to expose my TV preferences unencrypted over the network.

but you can still run it in docker and use caddy or something

Does Caddy require a custom DNS in order to point the domain to a local IP address?

The bigger target is making sure jellyfin itself and the host it runs on are updated and protected.

This is easy with securecore, since it updates daily. The rest of the semantics for the actual hosting side aren't too difficult.

!lemmysilver

Other people beat me to it on the other post, but none here!