Thanks for all the detail Alex. I love it. Other “explainer” videos often leave out crucial bits that leave more novice or intermediate learners stuck even after consulting a lot of other resources.
Maceió, Curitiba, Salvador, and Fortaleza are the names of Brazilian cities. I live in Brazil and have visited all of them 😄.
Amazing video as always!
"Sorry, I've spent far too long explaining where the tilde button is on the keyboard." Brilliant video and this line made my day :-) keep up the great videos Alex, love them.
Awesome video, just immensely convoluted. When I had an ISP behind CGNAT, I achieved the exact same thing by spinning up a VPS, installing docker, wireguard server, and NGiNX Proxy Manager. I then connected to the VPS from my Jellyfin LXC and proxied it over the wireguard IP through NPM. Took like 10 minutes to setup.
Thanks Alex! I’ve been looking for demo for this exact set up. Hopefully I can do it with Emby.
(Reposting as I realized the other video link is not unlisted.) Thanks for the video Alex. You don't go into much detail about the benefits of having this as a remote VPS / reverse proxy. Are there inherent security benefits of using a VPS + remote proxy vs. self-hosting caddy and opening a port? I suspect opening the port isn't great but couldn't someone break into the VPS and using Tailscale, get free reign of my home network?
A VPS means you can access the proxy from anywhere without worrying about network topologies or needing Tailscale installed on the client device. It also makes it really easy to proxy services across multiple sites and reduce reliance on bandwidth constrained solutions like Tailscale's Funnel or Cloudflare's tunnels.
For example, say that you're not on your home LAN and you want to hit that reverse proxy from a non Tailscale client (for me this is commonly a relatives phone wanting to stream an audiobook from my self-hosted audiobookshelf instance), they need to be able to route those packets to Caddy somehow in order for the data to flow. You need to solve for your WAN IP changing (dynamic dns), and open ports in your firewall. This is what I did for many years before Tailscale came along. But this solution removes all those pain points with the slight exception of needing to pay for a cloud VPS (but that can be useful for other things besides just this). HTH -Alex
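The question above asks what a compromised VPS could reach over Tailscale. One defender-side answer is to give the VPS node its own tag and write a Tailscale ACL that lets it reach nothing but the Jellyfin port; the policy below is an added example, not something from the video or the commenters, and the tag names and port are assumptions (Jellyfin's default HTTP port is 8096).

```json
// Tailscale policy file (HuJSON, so comments are allowed). Constructed example.
{
  // Tags are assigned to nodes by an admin at "tailscale up --advertise-tags=...".
  "tagOwners": {
    "tag:vps":   ["autogroup:admin"],  // the cloud droplet running Caddy
    "tag:media": ["autogroup:admin"]   // the home host/LXC running Jellyfin
  },

  // Tailscale denies everything not explicitly accepted, so the only rule the
  // VPS gets is Jellyfin's port on media-tagged nodes. Even if the VPS is
  // broken into, the attacker's tailnet reach is that single service, not the LAN.
  "acls": [
    {
      "action": "accept",
      "src":    ["tag:vps"],
      "dst":    ["tag:media:8096"]
    },
    // Your own devices keep full access for administration.
    {
      "action": "accept",
      "src":    ["autogroup:member"],
      "dst":    ["*:*"]
    }
  ],

  // Tests are evaluated when the policy is saved; a failing test rejects the
  // change, so they pin down that the VPS really cannot reach anything else.
  "tests": [
    {
      "src":    "tag:vps",
      "accept": ["tag:media:8096"],
      "deny":   ["tag:media:22", "tag:media:445"]
    }
  ]
}
```

The `tests` block is checked by Tailscale whenever the policy is saved, which is a cheap way to keep later edits from quietly widening what the VPS can reach.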
Jellyfin is one of the main reasons I use Tailscale 😁
I see that you are also installing docker on the digital ocean droplet through cloud init but I do not see it used anywhere. Is it really needed? Also, I want to enable a firewall on the droplet. Is it enough to have 80/tcp and 443/tcp open as incoming ports? Love your in depth videos with IaC. Keep them coming (more Azure focus instead of AWS would be nice)!
I am getting a Raspberry Pi soon and am excited in trying out self hosting things... Now I just have to figure out how to setup the reverse proxy on Vultr because I already have VPSs there.
Awesome video! I got everything working on AWS with Caddy for my Jellyfin setup, and Tailscale was fun to integrate. Ran into Let's Encrypt rate limits, but once it worked, the video playback was super smooth - much better than using a tunnel. Is there a way to make it work again with a different reverse proxy that doesn’t rely on Let's Encrypt? Thanks for the clear guidance!
Glad to hear you got this going! Why wouldn't you want TLS? Jellyfin clients in particular hate self-signed certs.
Not planning to use self-signed certs. I'm switching to AWS ACM for trusted SSL since Let's Encrypt hit rate limits. Not sure if it’ll work though!
@@thoufics How many certificates are you generating that you're hitting rate limits with LE? Their rate limits are fairly generous for a completely free service.
Hey Alex, love your video mate.
I'm trying to see if I can do the same thing using Racknerd (their pricing is pretty good) but I can't find anything about their api or communicating programmatically...
Do you have some suggestions?
Thanks a lot
One nitpick - doctl != doc tail, doctl = digital ocean control :)
Will this solution through VPC take on the limited transfer bandwidth? Or how is the direct connection made between a remote peer (which is not connected to Tailscale) browsing into the server through VPC?
Does this sort of setup use the cloud instance as a "relay"? Meaning all the bandwidth used for streaming goes through the cloud provider? Wouldn't that generate quite a bill?
It does transit through the VPS yes so you'd want to pick your provider and VPS size (and therefore accompanying bandwidth allocation) accordingly.
Does traffic flow via Tailnet infra or is it completely independent?
By using this method, will streaming jellyfin work when under CGNAT?
Yup! 👍
Great video! What's the benefit of using a VPS, rather than just running Caddy on the same local network as Jellyfin? It kinda seems like an unnecessary middle man to me. Thanks again :)
Was literally about to ask this! Nice wizard work but it's not necessary. I've got Traefik running in an LXC with Tailscale installed in there too. Works perfectly fine.
CGNAT, ISPs that block 80/443 inbound etc. Unfortunately not all of us can get public external IPs these days :(
A VPS means you can access the proxy from anywhere without worrying about network topologies or needing Tailscale installed on the client device. It also makes it really easy to proxy services across multiple sites and reduce reliance on bandwidth constrained solutions like Tailscale's Funnel or Cloudflare's tunnels.
For example, say that you're not on your home LAN and you want to hit that reverse proxy from a non Tailscale client (for me this is commonly a relatives phone wanting to stream an audiobook from my self-hosted audiobookshelf instance), they need to be able to route those packets to Caddy somehow in order for the data to flow. You need to solve for your WAN IP changing (dynamic dns), and open ports in your firewall. This is what I did for many years before Tailscale came along. But this solution removes all those pain points with the slight exception of needing to pay for a cloud VPS (but that can be useful for other things besides just this). HTH -Alex
Not sure why people think opening a port to reverse proxy is secure. It's more secure than nothing. But a reverse proxy is not an impenetrable layer. A professional solution is just much safer.
For my family, the client is the price of entry. Only devices I authorise on Tailscale's admin console can access the container that contains the reverse proxy.
As far as DNS goes I simply have wildcards in Cloudflare pointing at the LAN IP address of the container so I achieve 2 things - 1 URL resolution inside my LAN without the client and outside with the client installed. 2 Don't need to host the DNS myself either.
No open ports, no care of what public IP address I have nor any care about unauthorised access as I have approved only the devices that I want to have access.
Having the VPS just allows anyone with the URL to access stuff inside my network. Unless of course you do what I did, but then there's no point in hosting it elsewhere and having to pay for it.
Can I use a Digital Ocean VPS and Raspberry Pis on my home server with a Docker Swarm cluster with Tailscale?
I remotely access anything from anywhere using Tailscale.
Tried doing this but on Immich instead of Jellyfin. I tried uploading a couple of photos but after that it stops uploading everything. Am I getting rate limited by Cloudflare or something?
Why not serve and funnel for this use case?
Serve is for inside your tailnet
Funnel is bandwidth constrained for QoS reasons and therefore not suited for video streaming specifically
Ahh didn’t realize the bandwidth constraint! Thanks.
Same is true of things like Cloudflare tunnels too, they specifically have ToS terms which restrict things like video streaming.
With this solution you have no such restrictions. -Alex
@@Tailscale does the funnel bandwidth limit appear if the funnel flag shows up on the client in the console even when the serve config has funnel set to false?
Meaning would it impact serve bandwidth in that case.
The "fake words" are cities in Brazil, very real ones.
What are your stereo speakers?
OK, it appears to be KEF LS50, they seem pretty nice!
They are :)
Bought them 10 years ago as a graduation gift to myself and haven’t ever felt the need to replace them. Paired with a 10” sub they more than fill my office with glorious noise. -Alex
Windows 11 install?
You even got the icon right ... not like another big Tech channel from Canada *cough cough*
Pure Digital Ocean marketing campaign ❤