Jellyfin through Wireguard #7

ElPenguin · 2023-11-25T15:45:14Z

ElPenguin
Nov 25, 2023

Hey, I've been trying for several days to pass my Jellyfin service through a wireguard tunnel but it doesn't work... Here my conf

docker-compose.yml on host side

services:
  traefik:
    image: "traefik:v2.9"
    container_name: "traefik"
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      # (Optional) Expose Dashboard
      # - "8080:8080"  # Don't do this in production!
    volumes:
      - /home/rocky/wireguard/traefik:/etc/traefik
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - "traefik"

  wireguard-tunnel-server:
    image: ghcr.io/digitallyrefined/docker-wireguard-tunnel:v3
    container_name: wireguard-tunnel-server
    environment:
      # Update to your domain
      - DOMAIN=wireguard.mywebsite.com
      # Number of peers to auto generate config for
      - PEERS=1
      # Services to expose format (comma-separated)
      # SERVICES=peer-id:peer-container-name:peer-container-port:expose-port-as
      - SERVICES=peer1:jellyfin:8096:8096
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    volumes:
      - /home/rocky/wireguard/config:/etc/wireguard
    restart: unless-stopped
    ports:
      - '51820:51820/udp'
      - '8096:8096'
    networks:
      - "traefik"
    labels:
      traefik.enable: true

      traefik.http.routers.nginx.entrypoints: websecure
      traefik.http.routers.nginx.rule: Host(`nginx.mywebsite.com`) # Update to your domain
      traefik.http.routers.nginx.tls: true
      traefik.http.routers.nginx.tls.certresolver: myresolver
      traefik.http.services.nginx.loadbalancer.server.port: 8096

networks:
  traefik:
    external: true

peer side

version: "2.4"

services:
  jellyfin:
    container_name: jellyfin
    image: jellyfin/jellyfin:10.8.11
    restart: always
    user: ${PUID}:${PGID}
    devices:
      - /dev/dri/renderD128:/dev/dri/renderD128
      - /dev/dri/card0:/dev/dri/card0
    group_add:
      - "107"
      - "44"
    networks:
      - traefik-public
    volumes:
      - some_volumes
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.jellyfin.entryPoints=websecure"
      - "traefik.http.routers.jellyfin.rule=Host(`${DOMAINNAME}`)"
      - "traefik.http.routers.jellyfin.tls=true"
      - "traefik.http.routers.jellyfin.tls.certResolver=myresolver"
      - "traefik.http.routers.jellyfin.tls.domains=${DOMAINNAME}"
      - "traefik.http.routers.jellyfin.middlewares=jellyfin-mw"
      - "traefik.http.middlewares.jellyfin-mw.headers.customResponseHeaders.X-Robots-Tag=noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      - "traefik.http.middlewares.jellyfin-mw.headers.SSLRedirect=true"
      - "traefik.http.middlewares.jellyfin-mw.headers.SSLHost=${DOMAINNAME}"
      - "traefik.http.middlewares.jellyfin-mw.headers.SSLForceHost=true"
      - "traefik.http.middlewares.jellyfin-mw.headers.STSSeconds=315360000"
      - "traefik.http.middlewares.jellyfin-mw.headers.STSIncludeSubdomains=true"
      - "traefik.http.middlewares.jellyfin-mw.headers.STSPreload=true"
      - "traefik.http.middlewares.jellyfin-mw.headers.forceSTSHeader=true"
      - "traefik.http.middlewares.jellyfin-mw.headers.frameDeny=true"
      - "traefik.http.middlewares.jellyfin-mw.headers.contentTypeNosniff=true"
      - "traefik.http.middlewares.jellyfin-mw.headers.browserXSSFilter=true"
      - "traefik.http.middlewares.jellyfin-mw.headers.customFrameOptionsValue='allow-from https://${DOMAINNAME}'"
      - "com.centurylinklabs.watchtower.enable=true"
  wireguard-tunnel:
    image: ghcr.io/digitallyrefined/docker-wireguard-tunnel:v3
    container_name: wireguard-tunnel-peer
    environment:
      # Note that DOMAIN & PEERS are not required for the peer
      # Services to expose format (comma-separated)
      # SERVICES=peer-id:peer-container-name:peer-container-port:expose-port-as
      - SERVICES=peer1:jellyfin:8096:8096
    volumes:
      - /home/tom/wireguard:/etc/wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    restart: unless-stopped
    links:
      - jellyfin:jellyfin

networks:
  traefik-public:
    external: true

On all my tests, I have bad gateway or 404 errors. Nginx and Nginx-demo work perfectly :/

eiqnepm · 2023-11-25T15:51:41Z

eiqnepm
Nov 25, 2023

The Traefik labels must be set on the server side where the Traefik container has access to the DWT server network.

I can give a better example later when I am free if you're still confused.

1 reply

ElPenguin Nov 25, 2023
Author

This part give me a direct access to my server

labels:
      - "traefik.enable=true"
      - "traefik.http.routers.jellyfin.entryPoints=websecure"
      - "traefik.http.routers.jellyfin.rule=Host(`${DOMAINNAME}`)"
      - "traefik.http.routers.jellyfin.tls=true"
      - "traefik.http.routers.jellyfin.tls.certResolver=myresolver"
      - "traefik.http.routers.jellyfin.tls.domains=${DOMAINNAME}"
      - "traefik.http.routers.jellyfin.middlewares=jellyfin-mw"
      - "traefik.http.middlewares.jellyfin-mw.headers.customResponseHeaders.X-Robots-Tag=noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      - "traefik.http.middlewares.jellyfin-mw.headers.SSLRedirect=true"
      - "traefik.http.middlewares.jellyfin-mw.headers.SSLHost=${DOMAINNAME}"
      - "traefik.http.middlewares.jellyfin-mw.headers.SSLForceHost=true"
      - "traefik.http.middlewares.jellyfin-mw.headers.STSSeconds=315360000"
      - "traefik.http.middlewares.jellyfin-mw.headers.STSIncludeSubdomains=true"
      - "traefik.http.middlewares.jellyfin-mw.headers.STSPreload=true"
      - "traefik.http.middlewares.jellyfin-mw.headers.forceSTSHeader=true"
      - "traefik.http.middlewares.jellyfin-mw.headers.frameDeny=true"
      - "traefik.http.middlewares.jellyfin-mw.headers.contentTypeNosniff=true"
      - "traefik.http.middlewares.jellyfin-mw.headers.browserXSSFilter=true"
      - "traefik.http.middlewares.jellyfin-mw.headers.customFrameOptionsValue='allow-from https://${DOMAINNAME}'"
      - "com.centurylinklabs.watchtower.enable=true"

when i try with

traefik.http.routers.nginx.entrypoints: websecure
      traefik.http.routers.nginx.rule: Host(`nginx.mywebsite.com`) # Update to your domain
      traefik.http.routers.nginx.tls: true
      traefik.http.routers.nginx.tls.certresolver: myresolver
      traefik.http.services.nginx.loadbalancer.server.port: 8096

error 404, etc...

ElPenguin · 2023-11-30T14:39:08Z

ElPenguin
Nov 30, 2023
Author

@eiqnepm :3 need help plz :3

0 replies

DigitallyRefined · 2023-12-23T18:20:01Z

DigitallyRefined
Dec 23, 2023
Maintainer

I've tested this by running Jellyfin from my home server and then using docker-wireguard-tunnel on my VPC and it appears to work correctly for me by following example-tls-traefik.md and using the following config.

Provided you've setup the DNS entries for wireguard-tunnel.example.com, jellyfin.example.com and have setup your internet facing servers firewall to allow connections on 80/TCP 443/TCP and 51820/UDP.

VPC Server

docker-compose.yml

services:
  traefik:
    image: traefik:v2.9
    container_name: traefik
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      # (Optional) Expose Dashboard
      # - "8080:8080"  # Don't do this in production!
    volumes:
      - ./traefik:/etc/traefik
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - "traefik"

  wireguard-tunnel-server:
    image: ghcr.io/digitallyrefined/docker-wireguard-tunnel:v3
    container_name: wireguard-tunnel-server
    environment:
      # Update to your domain
      - DOMAIN=wireguard-tunnel.example.com
      # Number of peers to auto generate config for
      - PEERS=1
      # Services to expose format (comma-separated)
      # SERVICES=peer-id:peer-container-name:peer-container-port:expose-port-as
      - SERVICES=peer1:jellyfin:8096:8096
    cap_add:
      - NET_ADMIN
    volumes:
      - ./wireguard/config:/etc/wireguard
    restart: unless-stopped
    ports:
      - '51820:51820/udp'
    networks:
      - "traefik"
    labels:
      traefik.enable: true

      traefik.http.routers.nginx.entrypoints: web,websecure
      traefik.http.routers.nginx.rule: Host(`jellyfin.example.com`) # Update to your domain
      traefik.http.routers.nginx.tls: true
      traefik.http.routers.nginx.tls.certresolver: production
      traefik.http.services.nginx.loadbalancer.server.port: 8096

networks:
  traefik:
    external: true

traefik/traefik.yml

global:
  checkNewVersion: false # handled by watchtower
  sendAnonymousUsage: false  # true by default

# (Optional) Log information
# ---
log:
 level: WARNING #ERROR  # DEBUG, INFO, WARNING, ERROR, CRITICAL
#   format: common  # common, json, logfmt
#   filePath: /var/log/traefik/traefik.log

# (Optional) Accesslog
# ---
# accesslog:
  # format: common  # common, json, logfmt
  # filePath: /var/log/traefik/access.log

# (Optional) Enable API and Dashboard
# ---
api:
  dashboard: false # true by default
  debug: false
  insecure: false # Don't do this in production!

# Entry Points configuration
# ---
entryPoints:
  web:
    address: :80
    # (Optional) Redirect to HTTPS
    # ---
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          priority: 1000

  websecure:
    address: :443

ping:
  entryPoint: web

# Configure your CertificateResolver here...
# ---
certificatesResolvers:
  staging:
    acme:
      email: my-email@example.com # Change me!
      storage: /etc/traefik/certs/acme.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      httpChallenge:
        entryPoint: web

  production:
    acme:
      email: my-email@example.com # Change me!
      storage: /etc/traefik/certs/acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      httpChallenge:
        entryPoint: web

serversTransport:
  insecureSkipVerify: true

providers:
  docker:
    exposedByDefault: false  # Default is true
  file:
    # watch for dynamic configuration changes
    directory: /etc/traefik
    watch: true

Home Server

docker-compose.yml

services:
  wireguard-tunnel-peer:
    image: ghcr.io/digitallyrefined/docker-wireguard-tunnel:v3
    container_name: wireguard-tunnel-peer
    environment:
      # Note that DOMAIN & PEERS are not required for the peer
      # Services to expose format (comma-separated)
      # SERVICES=peer-id:peer-container-name:peer-container-port:expose-port-as
      - SERVICES=peer1:jellyfin:8096:8096
    cap_add:
      - NET_ADMIN
    volumes:
      - ./config:/etc/wireguard
    restart: unless-stopped
    links:
      - jellyfin

  jellyfin:
    image: jellyfin/jellyfin:latest
    container_name: jellyfin
    user: 1000:1000
    restart: unless-stopped
    volumes:
      - ./jellyfin/config:/config
      - ./jellyfin/cache:/cache
      - ./jellyfin/media:/media
    # See notes on hardware accelerated transcoding
    devices:
      - "/dev/dri:/dev/dri"
    environment:
      - TZ=Etc/UTC # Change me!
      - DOCKER_MODS=linuxserver/mods:jellyfin-opencl-intel

However, you might want to consider using a service like Tailscale if you don't want to expose it directly to the internet.

0 replies

ElPenguin · 2024-01-28T01:02:27Z

ElPenguin
Jan 28, 2024
Author

I've tested this by running Jellyfin from my home server and then using docker-wireguard-tunnel on my VPC and it appears to work correctly for me by following example-tls-traefik.md and using the following config.

Provided you've setup the DNS entries for wireguard-tunnel.example.com, jellyfin.example.com and have setup your internet facing servers firewall to allow connections on 80/TCP 443/TCP and 51820/UDP.

VPC Server

docker-compose.yml

services:
  traefik:
    image: traefik:v2.9
    container_name: traefik
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      # (Optional) Expose Dashboard
      # - "8080:8080"  # Don't do this in production!
    volumes:
      - ./traefik:/etc/traefik
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - "traefik"

  wireguard-tunnel-server:
    image: ghcr.io/digitallyrefined/docker-wireguard-tunnel:v3
    container_name: wireguard-tunnel-server
    environment:
      # Update to your domain
      - DOMAIN=wireguard-tunnel.example.com
      # Number of peers to auto generate config for
      - PEERS=1
      # Services to expose format (comma-separated)
      # SERVICES=peer-id:peer-container-name:peer-container-port:expose-port-as
      - SERVICES=peer1:jellyfin:8096:8096
    cap_add:
      - NET_ADMIN
    volumes:
      - ./wireguard/config:/etc/wireguard
    restart: unless-stopped
    ports:
      - '51820:51820/udp'
    networks:
      - "traefik"
    labels:
      traefik.enable: true

      traefik.http.routers.nginx.entrypoints: web,websecure
      traefik.http.routers.nginx.rule: Host(`jellyfin.example.com`) # Update to your domain
      traefik.http.routers.nginx.tls: true
      traefik.http.routers.nginx.tls.certresolver: production
      traefik.http.services.nginx.loadbalancer.server.port: 8096

networks:
  traefik:
    external: true

traefik/traefik.yml

global:
  checkNewVersion: false # handled by watchtower
  sendAnonymousUsage: false  # true by default

# (Optional) Log information
# ---
log:
 level: WARNING #ERROR  # DEBUG, INFO, WARNING, ERROR, CRITICAL
#   format: common  # common, json, logfmt
#   filePath: /var/log/traefik/traefik.log

# (Optional) Accesslog
# ---
# accesslog:
  # format: common  # common, json, logfmt
  # filePath: /var/log/traefik/access.log

# (Optional) Enable API and Dashboard
# ---
api:
  dashboard: false # true by default
  debug: false
  insecure: false # Don't do this in production!

# Entry Points configuration
# ---
entryPoints:
  web:
    address: :80
    # (Optional) Redirect to HTTPS
    # ---
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          priority: 1000

  websecure:
    address: :443

ping:
  entryPoint: web

# Configure your CertificateResolver here...
# ---
certificatesResolvers:
  staging:
    acme:
      email: my-email@example.com # Change me!
      storage: /etc/traefik/certs/acme.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      httpChallenge:
        entryPoint: web

  production:
    acme:
      email: my-email@example.com # Change me!
      storage: /etc/traefik/certs/acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      httpChallenge:
        entryPoint: web

serversTransport:
  insecureSkipVerify: true

providers:
  docker:
    exposedByDefault: false  # Default is true
  file:
    # watch for dynamic configuration changes
    directory: /etc/traefik
    watch: true

Home Server

docker-compose.yml

services:
  wireguard-tunnel-peer:
    image: ghcr.io/digitallyrefined/docker-wireguard-tunnel:v3
    container_name: wireguard-tunnel-peer
    environment:
      # Note that DOMAIN & PEERS are not required for the peer
      # Services to expose format (comma-separated)
      # SERVICES=peer-id:peer-container-name:peer-container-port:expose-port-as
      - SERVICES=peer1:jellyfin:8096:8096
    cap_add:
      - NET_ADMIN
    volumes:
      - ./config:/etc/wireguard
    restart: unless-stopped
    links:
      - jellyfin

  jellyfin:
    image: jellyfin/jellyfin:latest
    container_name: jellyfin
    user: 1000:1000
    restart: unless-stopped
    volumes:
      - ./jellyfin/config:/config
      - ./jellyfin/cache:/cache
      - ./jellyfin/media:/media
    # See notes on hardware accelerated transcoding
    devices:
      - "/dev/dri:/dev/dri"
    environment:
      - TZ=Etc/UTC # Change me!
      - DOCKER_MODS=linuxserver/mods:jellyfin-opencl-intel

However, you might want to consider using a service like Tailscale if you don't want to expose it directly to the internet.

I did some research to remove Tailscale, if I redirect port 51820 to my server but only for a specific IP address, does that seem OK to you in terms of security?

2 replies

DigitallyRefined Jan 28, 2024
Maintainer

Port 51820 is used by WireGuard, which requires authentication via a known public/private key to set up the connection. If you know the IP address or IP range of the peer that will be connecting, you could further lock it down by restricting which IP address(es) are allowed to connect.

ElPenguin Jan 28, 2024
Author

My server and my local networks have a fixed IP, my internet box allows me to redirect traffic from a port to a device without going through a DMZ, I can also configure it to authorize access only from a specific IP. But do you think that security level is OK?

Uh oh!

Jellyfin through Wireguard #7

Uh oh!

Uh oh!

ElPenguin Nov 25, 2023

Replies: 4 comments · 3 replies

Uh oh!

Uh oh!

eiqnepm Nov 25, 2023

Uh oh!

Uh oh!

ElPenguin Nov 25, 2023 Author

Uh oh!

ElPenguin Nov 30, 2023 Author

Uh oh!

Uh oh!

DigitallyRefined Dec 23, 2023 Maintainer

VPC Server

Home Server

Uh oh!

ElPenguin Jan 28, 2024 Author

VPC Server

Home Server

Uh oh!

DigitallyRefined Jan 28, 2024 Maintainer

Uh oh!

ElPenguin Jan 28, 2024 Author

ElPenguin
Nov 25, 2023

Replies: 4 comments 3 replies

eiqnepm
Nov 25, 2023

ElPenguin Nov 25, 2023
Author

ElPenguin
Nov 30, 2023
Author

DigitallyRefined
Dec 23, 2023
Maintainer

ElPenguin
Jan 28, 2024
Author

DigitallyRefined Jan 28, 2024
Maintainer

ElPenguin Jan 28, 2024
Author