This is fair, and does solve the problem. I didn't explicitly state that I needed it to be convenient, so you're right. Having one network that is LAN only and switching to it to use Jellyfin, and having a second network that is WAN only and using ProtonVPN there would probably be the most secure setup. Unfortunately, it still doesn't solve the issue of encryption in transit over the LAN, but that might be fixable with Tailscale. The LAN could even be ethernet-only, to mitigate wireless attacks.
That makes me wonder if there's a way I could simply plug an ethernet cord from my phone to the airgapped Pi and use it that way. Is that possible? Surely it is. Could ProtonVPN be used on the phone even while the phone is connected physically to the Pi?
Just out of curiosity, why is your network not a trusted party?
Part of my threat model is essentially "anything that can connect to the internet poses a security risk". Since networks are the literal gateway to the internet, it is reasonable not to trust them. Routers don't run as secure operating systems as Qubes OS, secureblue, or GrapheneOS. If a malicious party found a way to connect to the network, all unencrypted activities can be intercepted. If the router itself has malicious code, any unencrypted traffic can be sent to a third party. Those are just the basics, but trying to put band-aid solutions on a fundamentally broken system is a losing battle.
GrapheneOS distrusts networks as much as possible, so I do too. Even if I own the network, I am not a network engineer, so the chances of fault are high. In the simplest case, the network is a gateway to all activity that happens on the LAN, and it only takes one zero day to make that happen. The best mitigation is proper encryption and no self-signed certificates (where possible).
Good eye! I'd like to avoid trusting my network, but I did consider this option. It also becomes a hassle to enable my VPN per-device each time I leave my house and connect to another network. This still doesn't solve the problem of encrypting Jellyfin in transit over the LAN.
This would mean that you only want to access Jellyfin when you, and the device you are watching your show/movie on, are at home, where the Pi/server also is.
Is this correct?
Yes.
If so, then questions about VPN, Certificates, DNS,.... do not matter.
They do, because if ProtonVPN blocks LAN connections then the only other option is exposing the server to the WAN
I'm familiar with some parts of networking, but selfhosted VPNs are something I am unfamiliar with, so thank you for helping me out!
No need to use Tailscale if you’re just using your Wi-Fi or Ethernet.
I want it to be encrypted during transit, even if it is over the LAN.
Tailscale/Headscale creates it’s own VPN network which will need its own IP space.
This is what I was afraid of, because this means it probably can't run alongside ProtonVPN, since it would fill up the VPN slot on Android, right?
If so, it means we've come full circle. Unless there is a way to use Tailscale alongside ProtonVPN or a way to get Jellyfin clients to trust self-signed certificates, I don't see any other option than buying a domain and exposing the server to the internet. Am I missing something?
Wireguard was written with the explicit goal of having sane, secure defaults.
Wireguard is much easier because it simply refuses to give you the choice to do things incorrectly.
Security my beloved
I totally feel you w.r.t. openvpn or ipsec, since it’s easy to do something wrong.
This is one reason I've avoided selfhosting for this long. I am not a network engineer, and I have no plans to be. That means if I am managing an entire server from my physical home location, that's a recipe for disaster. There's simply no way to ensure you've done things correctly, especially since a lot of the selfhosting community has an... aversion to good security practices (which is why I had to make this post to begin with).
w.r.t. the certificate thing, you could set up a reverse proxy and do HSTS to ensure nobody can load up a rogue CA on your devices.
Would that work while having ProtonVPN still enabled?
trust on first use
My favorite food
This would let you use a self-signed certificate if you do desired.
Jellyfin clients don't accept self-signed certificates, as I mentioned. Is there a way around that (or does HSTS somehow solve it)? From what I've learned about HSTS up until know, it is simply there to require the use of proper certificates and HTTPS. Am I wrong about that?
I wish it were that simple, but as I mentioned that would require paying for ProtonVPN to allow LAN connections (which isn't the worst thing in the world, but I'd prefer to avoid subscriptions where possible) and clients don't allow self-signed certificates.
You want to use it only locally (on your home), but it can’t be a local-only instance.
By "local-only" I meant on-device
You want to e2ee everything, but fail to mention why.
Privacy and security.
There is no reason to do that on your own network.
Networks are not a trusted party in any capacity.
I do not know why you want to use a VPN and what you want to do with it. Where do you want to connect to?
A VPN such as ProtonVPN or Mullvad VPN are used to displace trust from your ISP into your VPN provider and obscure your IP address while web browsing (among other benefits that I don't utilize).
What is the attack vector you’re worried about? Are there malicious entities on your network?
These are good questions but not ones I can answer briefly.
Does Headscale conflict with ProtonVPN/Mullvad VPN (i.e. can I use those alongside Headscale)? Android has a limited number of VPN slots, so that's why I ask.
I'm uneasy about this, because I don't trust myself to do it securely. VPNs are a very complex piece of software, so I highly prefer to stick with widely used setups (i.e. "stock" VPN software such as ProtonVPN, Mullvad VPN, etc.)
It's what I have on hand at the moment. I don't have proper server hardware yet.
and a microSD to host Jellyfin.
Beyond that, SD cards are terrible for this kind of task and you’d be much better served with an SSD as your boot/data drive for robustness. I can’t even count the number of failed SD cards I’ve had over the years.
I will keep this in mind, thank you!
Neither one of these are a good fit unless you plan on sticking to very specific audio and video codecs to avoid all transcoding and your upload speeds are capable of serving the full bitrate of your files.
I haven't tried playing videos from my Raspberry Pi, but I've been able to run extremely modern video codecs on some pretty old hardware without any issues. Since I've never had issues with video codecs, I'm not experienced in what hardware can and can't handle it.
This is fair, and does solve the problem. I didn't explicitly state that I needed it to be convenient, so you're right. Having one network that is LAN only and switching to it to use Jellyfin, and having a second network that is WAN only and using ProtonVPN there would probably be the most secure setup. Unfortunately, it still doesn't solve the issue of encryption in transit over the LAN, but that might be fixable with Tailscale. The LAN could even be ethernet-only, to mitigate wireless attacks.
That makes me wonder if there's a way I could simply plug an ethernet cord from my phone to the airgapped Pi and use it that way. Is that possible? Surely it is. Could ProtonVPN be used on the phone even while the phone is connected physically to the Pi?