THIS

While I would make the modification to use Android’s Private Space instead of a work profile (or Shelter instead of Insular), this was such an obvious solution, and I feel stupid for not seeing it. I might use Wireguard instead of Tailscale, I don’t know yet, but thank you! Consider yourself an outside the box thinker!

We all got hung up on trying to fix Proton, when Android was the issue here!

Thank you for this!

Is OPNsense like dd-wrt or OpenWrt?

The thing is (and this is by no means a knock on you) if you are doing pen testing then you definitely need to increase your knowledge on networking.

I have background in Wi-Fi hacking and LAN attacks, and I understand the structure of networking (LAN, WAN, layers of the internet, DNS, CAs, etc.). My head starts to hurt when RADIUS is involved, ad hoc networking (which I understand the concepts of, just not how it works. I want to learn this first), mDNS, and other complicated topics. I’m trying to push past those mental roadblocks and learn as best I can, but it’s a tricky topic!

https://wiki.freeradius.org/

There’s something to check out just to get some concepts. You can do plenty of things to harden your security that could give you the comfort you need without defaulting to encrypted connections over LAN.

Thank you! I’ll definitely check this out. You’ve been a huge help!

Since I always have ProtonVPN enabled, and Android devices only have one VPN slot enabled, I cannot use something such as Tailscale for encryption.

This is fair, and does solve the problem. I didn’t explicitly state that I needed it to be convenient, so you’re right. Having one network that is LAN only and switching to it to use Jellyfin, and having a second network that is WAN only and using ProtonVPN there would probably be the most secure setup. Unfortunately, it still doesn’t solve the issue of encryption in transit over the LAN, but that might be fixable with Tailscale. The LAN could even be ethernet-only, to mitigate wireless attacks.

That makes me wonder if there’s a way I could simply plug an ethernet cord from my phone to the airgapped Pi and use it that way. Is that possible? Surely it is. Could ProtonVPN be used on the phone even while the phone is connected physically to the Pi?

No, it can run along anything, as long as you don’t conflict the IP space assigned to a VPN.

I tried Tailscale on Android, and it isn’t working because it requires the active VPN slot occupied by ProtonVPN.

Okay, so you might be unfamiliar with networking

I’m familiar with some parts of networking, but selfhosted VPNs are something I am unfamiliar with, so thank you for helping me out!

No need to use Tailscale if you’re just using your Wi-Fi or Ethernet.

I want it to be encrypted during transit, even if it is over the LAN.

Tailscale/Headscale creates it’s own VPN network which will need its own IP space.

This is what I was afraid of, because this means it probably can’t run alongside ProtonVPN, since it would fill up the VPN slot on Android, right?

If so, it means we’ve come full circle. Unless there is a way to use Tailscale alongside ProtonVPN or a way to get Jellyfin clients to trust self-signed certificates, I don’t see any other option than buying a domain and exposing the server to the internet. Am I missing something?

I know. It’s very unfortunate, but I understand why.

Alright, I’m slowly learning, bare with me here:

• ProtonVPN is always-on and blocks connections without VPN

• Jellyfin and Headscale are hosted on the Pi (or does Headscale need its own server?)

• Tailscale and a Jellyfin client are installed on the phone

• Will that will run fully on the LAN?

• Will it be encrypted during transit?

• Does ProtonVPN need to allow LAN connections?

So:

• ProtonVPN is installed on my Android phone
• Android has Always-on VPN enabled
• Android has Block connections without VPN enabled
• Host Jellyfin on my Raspberry Pi 5
• Install Headscale on my Raspberry Pi 5
• Install Headscale on my Android phone
• Install a Jellyfin client on my Android phone
• Configure everything

And that will work? It will be encrypted during transit? And only run on the LAN? Does ProtonVPN need to allow LAN connections (I assume it does)?

Does Headscale conflict with ProtonVPN/Mullvad VPN (i.e. can I use those alongside Headscale)? Android has a limited number of VPN slots, so that’s why I ask.

Run in at home and get Tailscale setup with a Headscale server, or just use Tailscale straight out of you want. That’s the simplest.

I have no idea how to do this. Do you have any resources? Does it cost a subscription fee?

A better option would be getting an OpenWRT router

This is what I have planned. OpenWrt Two my beloved

You’ll have many different options for decentralized and NAT traversing VPNs with this option. GL.Inet Flint is a great choice.

I also don’t know how to do this. Resources are much appreciated :)

I used GNOME Disks to modify /etc/crypttab and /etc/fstab to auto decrypt and auto mount on boot. Jellyfin still loses its access each time I restart, even though the jellyfin group still displays having access to the files.

Edit: Turns out it does have access, but it’s no longer under the /media/username directory. I have to point Jellyfin to /mnt/UUID instead. This fixed it!

I agree with this comment, it has very good points.

You device has to do all the processing which would lead to lower battery life.

The way iOS does it is it will only process it when your phone is plugged in and idle (e.g. when you’re asleep at night).

Both. If your hardware isn’t designed like a server to run 24/7 it can be unhealthy for it, especially if it isn’t properly maintained. It can cause wear to it. As far as the OS, restarting is good to clear caches, fully install some software, and keep the system sanitary overall.

Can I do this with NextCloud or on my phone without killing the battery?

I suppose not. That’s a fair point. Although I will mention, if your camera supports it, location metadata can be embedded automatically. Aves and many other gallery apps support viewing photos with location data on the map.

I’ve made a point not to perpetually leave my home computer on simply because frequent restarts are healthy for it. Another reason is compartmentalization. I would want to keep my selfhosted server separate from where I game or browse the internet, if at least to keep it more secure.

I mentioned in the edit: I’m not asking why things should be selfhosted instead of run on a cloud provider, I’m asking why things are selfhosted on a server that could be run entirely on-device. The latter I argue provides more privacy and less cost. Again, there are some cases as I mentioned in the post where selfhosting on a server is useful (storage or processing power), but I keep seeing a lot of server-based selfhosting that could instead be run on the device itself.

and allows us to share them publicly with others using explicit links.

That’s something I hadn’t considered. I’m somewhat used to everything being completely local, no exceptions. It’s why I started selfhosting so late, I never saw much of a point to it. I also don’t feel completely comfortable opening any part of my home internet to the public, but I’m sure there’s safe ways of going about it.

Another bias of mine is having a lot of compartmentalization. For example, none of my desktop account credentials are stored on my phone’s password manager, and vice versa. If one device is compromised, I want to isolate the risk as much as I can. That also means that if I were to ever set up a movie library, for example, I would want to keep those isolated per-device as well.

Backups are a bit of a special case. You can either selfhost an automatic cloud backup, or use something simple like a USB stick you manually backup to. Besides that, though, I would argue you maintain more control over software that doesn’t rely on an external device to begin with. I gave examples, such as Aves, Joplin, or Feeder. If those are on my phone only (and properly backed up), I maintain full control knowing that I don’t need to rely on my own server at home to manage the data that I have in my pocket.

This has helped me see some new benefits of selfhosting, though. I’ve spent my whole life without a SIM card, so it isn’t always easy finding a network (especially a trustworthy one) to connect to on the go to connect to my server with. Even in the moments I could connect to a network, they had heavy censorship (blocked VPNs and certain IP addresses). That’s why I like having everything on-device.

I use Immich because I have multiple devices and multiple people uploading photos to it , so we can all organize together.

Would something like Syncthing work for this instead?

Sure, and I agree backups are important. I still don’t like that Immich requires another server to function in the first place. It would be difficult to recommend Immich as a gallery app to someone who doesn’t have experience in selfhosting. I personally backup my phone to my own USB stick every few days or so, that way if my phone is ever lost or stolen I still have a backup without the need for a server.