Progress so far - https://mander.xyz/post/47833580
My next objective is configuring Jellyfin for secure external access. It is fully operational on my LAN and is performing significantly better than the Windows instance I previously ran.
I have installed Tailscale on the Proxmox VE host shell to enable remote access and have also enabled multi-factor authentication on my proxmox account. While everything appears to be functioning properly, I am still relatively new to Tailscale and want to ensure I am implementing this securely.
My initial assumption was that I would also need to install Tailscale within the Jellyfin LXC container. However, I have encountered conflicting information suggesting this may introduce security concerns, particularly when dealing with container privileges and root access. As a result, I am uncertain whether this is the appropriate approach.
What is the recommended and secure method to provide external access to Jellyfin in this setup?
anywhere from the internet.
Tailscale Funnel will let you expose a host to everyone on the internet. You’ll need the Tailscale client running on either the Jellyfin host or a reverse proxy pointing to it. Tailscale itself will act as a reverse proxy with TLS encryption, plus a DNS server.
Exposing a service to the internet will always present some risk. You should definitely run your LXCs as unprivileged, unless needed otherwise, to mitigate the potential damage if an attacker escapes the container, or put the services in full virtual machines.
Just remember that using funnel for streamimg servicies it is against the toss.
Tailscale actually has good documentation on this Funnel and I read the same. Thank you!