Don't port forward; it's a pain in the ass to expose your home network to the internet. Just use something like Tailscale VPN (p2p WireGuard) and buy a domain to point to the internal Tailscale IP.
“Don’t click a few buttons in your router UI to forward a port and set up a dynamic DNS client in the same way that has worked for 25 years. Instead use a bunch of other 3rd party shit that builds a VPN and tough shit if people are using a TV.”
What you’ve described is a pain in the ass from a setup perspective. I think what you were trying to say is “be careful about jellyfin vulnerabilities”, but that’s definitely not what came out.
Exposing a port to the internet is a huge pain nowadays. You never know if it is going to work, and even if it works it is incredibly flaky. What's changed is that a lot of ISPs are using double NAT or CGNAT now, which wasn't as common before. Which means router-based DDNS will simply not work. On top of that every single router I've used is extremely unpredictable about respecting UPnP or whatever. So for most people a Tailscale VPN or Cloudflare Tunnel is the best option.
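A quick way to tell which of the situations in this comment you are actually in is to look at the address your router shows on its WAN side. The script below is an added example, not from anyone in this thread: it classifies that address using the RFC 6598 shared address space (100.64.0.0/10, the range ISPs use for CGNAT and, as it happens, the range Tailscale hands out to tailnet nodes) and the RFC 1918 private ranges, and says whether router-based port forwarding plus DDNS can work at all. The addresses in it are constructed samples (203.0.113.x is a documentation range standing in for a public IP); `classify_wan_address` and `ddns_will_work` are names chosen for the example.

```python
import ipaddress

# RFC 6598 "shared address space": what an ISP's CGNAT gives to customer routers.
# Tailscale also allocates tailnet addresses from this same range.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")

# RFC 1918 private ranges plus link-local and loopback: seeing one of these on
# the WAN port means there is another NAT device upstream (double NAT).
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def classify_wan_address(addr: str) -> str:
    """Classify the address a router reports on its WAN interface.

    'public'  : globally routable; port forwards and DDNS at this router can work.
    'cgnat'   : RFC 6598 space; the ISP is doing CGNAT and inbound forwards at
                the home router are unreachable from the internet.
    'private' : RFC 1918 / link-local; another NAT sits upstream (double NAT),
                so this router's forwards also go nowhere.
    Anything else is treated as public for the purpose of this check.
    """
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT_NET:
        return "cgnat"
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    return "public"


def ddns_will_work(wan_addr: str, external_addr: str) -> bool:
    """Router-based DDNS only helps when the router's WAN address is public
    AND is the same address the rest of the internet sees for you
    (external_addr would come from a 'what is my IP' style lookup)."""
    return (
        classify_wan_address(wan_addr) == "public"
        and ipaddress.ip_address(wan_addr) == ipaddress.ip_address(external_addr)
    )


if __name__ == "__main__":
    # Constructed samples: (router WAN address, address seen from outside)
    samples = [
        ("203.0.113.5", "203.0.113.5"),   # real public address: forwarding works
        ("100.70.1.2", "203.0.113.5"),    # CGNAT: forwards never reach the router
        ("192.168.0.2", "203.0.113.5"),   # double NAT behind an ISP modem/router
    ]
    for wan, ext in samples:
        print(f"{wan:>14}  {classify_wan_address(wan):8}  ddns_ok={ddns_will_work(wan, ext)}")
```

If the WAN address comes back as `cgnat` or `private`, the remaining options are the ones discussed in the thread: ask the ISP for bridge mode or a public address, or go outbound-only with a WireGuard/Tailscale tunnel or a Cloudflare Tunnel, neither of which needs an inbound port.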
In my situation at home, port forwarding is stupid-simple and just works.
My ISP does not saddle me with CGNAT (or any other form of NAT). I don't use UPnP.
I have a real (dynamic, but just-for-me and almost never changing) IPv4 address to use, and I simply use it.
It works predictably. It works reliably. It is not even a little bit flaky. There is no voodoo involved.
And it doesn't require me to teach my elderly mother how to use Tailscale with her Roku STB.
(I recognize that others may have different situations. But the existence of different situations doesn't mean that one must declare a particular solution to be the "best", does it? KISS.)
Exactly, my old ISP and current ISP both use double NAT. I literally tried calling to get a level 2 tech to get them to reconfigure my modem to use bridge mode.
Have you managed to get TLS working with a setup like this? I have a custom domain that isn't used but I'd like to point it to a machine that's on Tailscale. Do you just put your Tailscale DNS on public DNS servers or do you use an internal one? Do you use a reverse proxy to route port 80/443 to the port your app is running on?
And then internally inside of Tailscale you could have your own DNS server, which serves subdomains of your domain, and for all subdomains you can use the same wildcard certificate.
This also does not 'expose' your subdomains on Certificate Transparency logs
Depends: if you only want DNS and nothing more, then probably dnsmasq. That's basically one of the most used DNS/DHCP servers.
Otherwise you could use solutions like AdGuard Home or PiHole, which both have a Web Interface for configuration, and the ability to block ads and tracking domains.
Note that I don't use Tailscale myself, so I don't know if Tailscale 'needs' something else. But I use pure wireguard, and all of the services mentioned above work with 'pure wireguard'.
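The "internal DNS zone plus one wildcard certificate" design from the comments above has two things worth checking before you trust it: every internal name should resolve only to an address inside the VPN range (otherwise a record leaks a LAN or public address to clients that cannot reach it, or undoes the point of not exposing anything), and every name must actually be covered by the wildcard. The second is where people get bitten, because a wildcard covers exactly one DNS label: `*.home.example.com` covers `jellyfin.home.example.com` but not `home.example.com` itself and not `cam.garage.home.example.com`. The script below is an added example, not from anyone in this thread; it models the zone the way dnsmasq, AdGuard Home or Pi-hole would answer it and reports violations. It assumes the VPN is Tailscale (addresses in 100.64.0.0/10); for plain WireGuard you would pass your own subnet. The zone, addresses and names are constructed samples, and `wildcard_covers` and `check_internal_zone` are names chosen for the example.

```python
import ipaddress


def wildcard_covers(cert_name: str, host: str) -> bool:
    """Does a certificate name (possibly a wildcard) cover host?

    Applies the single-label wildcard rule browsers use (RFC 6125):
    '*.home.example.com' covers 'jellyfin.home.example.com' but neither
    'home.example.com' nor 'cam.garage.home.example.com'.
    Comparison is case-insensitive and ignores a trailing dot.
    """
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]  # "*.home.example.com" -> ".home.example.com"
    if not host.endswith(suffix):
        return False
    first_label = host[: -len(suffix)]
    # Exactly one non-empty label may stand in for the '*'.
    return first_label != "" and "." not in first_label


def check_internal_zone(zone: dict, vpn_network: str, cert_names: list) -> list:
    """Return a list of problems with a planned internal DNS zone.

    zone:        {hostname: ip} as the internal resolver would answer it.
    vpn_network: the WireGuard/Tailscale range every record must point into.
    cert_names:  the names (SANs) on the single wildcard certificate.
    """
    net = ipaddress.ip_network(vpn_network)
    problems = []
    for host, ip in zone.items():
        if ipaddress.ip_address(ip) not in net:
            problems.append(f"{host} -> {ip} is outside the VPN range {net}")
        if not any(wildcard_covers(name, host) for name in cert_names):
            problems.append(f"{host} is not covered by any certificate name")
    return problems


# Constructed sample zone: all services live on one tailnet node, except a
# Pi-hole that was (wrongly) published with its LAN address.
ZONE = {
    "jellyfin.home.example.com": "100.101.102.103",
    "nas.home.example.com": "100.101.102.103",
    "home.example.com": "100.101.102.103",
    "cam.garage.home.example.com": "100.101.102.103",  # two labels below the wildcard
    "pihole.home.example.com": "192.168.1.2",           # LAN address, not reachable over the VPN
}

# Names on the wildcard cert obtained via a DNS-01 challenge. Only these two
# names appear in Certificate Transparency logs; the individual services do not.
CERT_NAMES = ["*.home.example.com", "home.example.com"]

TAILSCALE_NET = "100.64.0.0/10"


if __name__ == "__main__":
    for problem in check_internal_zone(ZONE, TAILSCALE_NET, CERT_NAMES):
        print("PROBLEM:", problem)
```

Run against the sample it reports two problems: the camera host needs either its own name under the wildcard (`garage-cam.home.example.com`) or a second wildcard, and the Pi-hole record needs the node's VPN address. Putting the bare `home.example.com` on the certificate as a second SAN is what lets the reverse proxy serve the apex as well, since the wildcard alone does not.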
I must be a networking genius because I run about 30 websites in Docker behind a reverse proxy (one static IP) with gazillions of port forwards and static routes over a consumer router and I have no issues.
Look, if you're serious about this, set up a proper DMZ. Segment your network, throw in some DNS magic with internal and external zones, and slap a reverse proxy in there for good measure. That way, you can have your cake and eat it too - internal and external access without compromising security.
I use Google as my SSO provider, all of my personal devices are under my own email. For friends, I just made a throwaway Gmail account which I give out the username and password for so they can connect their computers to the tailnet.
Whole bunch of alternatives too - https://github.com/anderspitman/awesome-tunneling. I will advocate for zrok.io as I work on its parent project, OpenZiti. zrok is open source and has a free SaaS with more security hardening/authN/authZ than Funnel.