I ridiculously love Jellyfin. I have found that if my Jellyfin box is IPv6 and I map a domain to that address, such as free DNS from Cloudflare, then I can access my personal media from anywhere on the internet.
What I haven’t found is a way to restrict access to known devices, such as MAC address, so that big companies don’t sue me to death. Yes, I know Jellyfin has a login prompt, but I would prefer better security beyond Jellyfin as a just-in-case.
You could use Tailscale or ZeroTier, join all your devices to a private subnet, then use UFW on the Jellyfin server to deny all connections except those from your private subnet. Then all your devices in your Tailscale/ZeroTier account can access one another from anywhere. Also works for shared folders in Windows, remote desktop, SSH, etc. It's easy enough so that most enthusiasts can handle it without being 100% proficient in a Linux shell, VPNs, or firewalls. Should be lots of guides available with these ingredients.
You should absolutely hand off the security to something else - just exposing this publicly is asking to get hacked.
I use WireGuard for my private online stuff, that works nicely. Expose Jellyfin only on the loopback address and use Nginx to forward your domain to it, then set up your DNS entry to be the VPN address of your server. Just be aware that if you have your own local DNS server then you might need to configure it to allow serving up DNS entries with private network addresses in them, as these are often blocked for security reasons; or else just modify your /etc/hosts equivalent to manually add the mapping.
Can you easily use your services on mobile devices that way? I currently reverse proxy every service I need through nginx, but I kinda feel like this isn't enough security-wise. I did blacklist most countries and don't expose any port other than 80+443.
Does it require you to run a VPN app on your phone constantly and does that cause troubles?
Yes you would need the Wireguard app on your phone, and certainly for me it works beautifully (I use Android - I can't speak for the iOS app but there is one). I don't actually remotely host Jellyfin, but I do use a range of other things like Bitwarden, Nextcloud, Dovecot/Postfix, and some small web apps, and it's really smooth. The only public port on the server is the VPN.
iOS etc. have WireGuard clients, but I personally have found it much easier to configure a long random path as part of the server URL and use that as a "password" (https://server.com/$randomPath/).
It's not ideal, since the password's obviously saved in any user's browser history, but it's less of a pain than dealing with a VPN, especially since I let friends use the server, and it's secure enough for my threat model.
The trouble with that is that you still have to make 80/443 public, which means you have to trust that your web server will stand up to 24/7 probing. I guess I'm a bit more paranoid than I really need to be but if the port isn't open then the chances of a bad guy getting in that way because of a zero-day or because I forgot something should be zero.
Hopefully you at least have something like fail2ban installed?
If someone is going around popping up-to-date nginx servers, then they have much bigger targets than my media server, and I also have much bigger problems.
My threat model does not include someone using an nginx zero-day to find out what movies I'm watching.
You don't need to be targeted deliberately; there's a whole load of automated scanning that happens. If they get in then it's more likely they'll be interested in using your server to DDoS someone else, or serve up objectionable and/or illegal content. Protecting yourself is not just about your data.
I understand that, but my point is that an nginx config to just allow one path is easy to get right, and so for someone to get in, it wouldn't be automated scanning but rather a targeted attack with an nginx zero-day... and if you have such an attack, there are a ton of banks and other companies you'd go after first.
If you don't have the confidence to open up port 443, that's fine of course, but I have the confidence in my abilities and setup to open up 443 and know that it's secure enough for my threat model.
Like, the nginx config is a single location block with a 30-character-plus random string in the path as the password, it's running on nixos with an automated `nix flake update` bot that updates and redeploys the server every week so nginx and linux get updated over time, I get an email if the `nixos-rebuild build` fails after the automated update so I know to fix it.
I'm not particularly worried about automated scanners.
It's exactly the automated scanners that I'm scared of. But there I feel the same: an up-to-date nginx server serving some pages over port 80/443 doesn't feel like a huge target on my back.
It's super simple to set up, you can do it in 15 minutes. Install Tailscale on your Jellyfin server and on your personal devices, create a tailnet and connect them to it. That's it, you're done. You can now access Jellyfin from any of the devices using the Tailscale IP or hostname of the Jellyfin server.
A lot of people are suggesting VPNs, or putting oauth or such in front of it.
Unfortunately, oauth doesn't work since the jellyfin clients (like the android tv client, iOS client, etc) don't understand oauth.
Using VPNs is annoying if you want to share it with a friend, or you want to use it on a random third-party device, like a TV in a hotel or something.
I think all Jellyfin clients support appending a path to the URL, so adding a password in the form of a long random path works pretty well in my opinion, i.e.
https://my-jellyfin-server.com/ahY9eig3/
And you can then just have the server return 404 or such to all other requests, you can send the link like normal to friends, and you can manually type it in if you need to.
That should be enough to avoid some random copyright scanner.
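The setup several commenters describe (Jellyfin bound to loopback, nginx as the only public entry point, a single location block keyed on a long random path, and a bare 404 for every other request), written out as an added example. This is not any commenter's actual configuration: the domain, the certificate paths, the `ahY9eig3` prefix (reused from the comment above purely as a placeholder for a real 30+ character random string) and Jellyfin's default port 8096 are all assumptions.

```nginx
# Added example, not a commenter's config. Assumes Jellyfin listens on
# 127.0.0.1:8096 and its Base URL (Dashboard > Networking) is set to the
# same prefix used below, so the web client keeps the prefix in links.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;           # the IPv6 case from the original post
    server_name my-jellyfin-server.com;  # assumed domain

    # assumed certificate paths
    ssl_certificate     /etc/letsencrypt/live/my-jellyfin-server.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my-jellyfin-server.com/privkey.pem;

    # Anything that is not under the secret prefix gets a bare 404, so a
    # scanner hitting / or common paths learns nothing about what runs here.
    location / {
        return 404;
    }

    # The "password" path. "^~" stops any regex location from overriding it.
    # proxy_pass has no trailing slash, so the prefix is passed through to
    # Jellyfin unchanged and must match its Base URL setting.
    location ^~ /ahY9eig3/ {
        # The secret would otherwise be written to every access-log line;
        # turn logging off for this location (or use a redacted log_format).
        access_log off;

        proxy_pass http://127.0.0.1:8096;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Jellyfin uses websockets for live updates and remote control
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
    }
}

# Plain HTTP: do not redirect (a redirect would leak the prefix if it were
# ever typed over http); just refuse.
server {
    listen 80;
    listen [::]:80;
    server_name my-jellyfin-server.com;
    return 404;
}
```

A quick check after reloading: `curl -I https://my-jellyfin-server.com/` and `curl -I https://my-jellyfin-server.com/web/` should both return 404, while `curl -I https://my-jellyfin-server.com/ahY9eig3/web/` should return Jellyfin's normal 200. The trade-off stated in the thread still applies: the path is a shared secret that ends up in browser history and in any logs you do not suppress, so rotating it means updating every client.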