Tailscale Jellyfin sharing

Hi everyone!

I’ve been using a Synology 1522+ for two years now. Most of the setup I managed by following various tutorials—guess which YouTuber helped the most? :wink:

Now, I’ve run into a problem I can’t seem to solve. My girlfriend is starting a new job in another city, and I’m trying to set up Jellyfin so she can access my music and movie library remotely. Everything works perfectly for me using Tailscale, but I’m struggling to figure out how to share only my Jellyfin library with her as an invited user.

Specifically, I want to restrict her access to just Jellyfin and its content, without exposing other folders or services. I need to ensure she can’t accidentally (or intentionally!:wink:) access or modify my work-related data.

I’ve checked the Tailscale YouTube channel for guidance, but I get lost quickly and can’t follow it. If anyone could point me in the right direction or provide some advice, I’d greatly appreciate it.

Thanks for taking the time to read this!

I’ve never used tailscale but I’ve done the same thing by first creating an OpenVPN server on my NAS. Like tailscale a VPN is encrypted and secure. You will need to create a login account for her. You can give her a NAS login account with read only permissions and limited access the VPN and Jellyfin apps only in the applications permissions section when you are making the account. You will need to install the OpenVPN client on her computer. All she’ll need to do is log into the VPN and then open jellyfin.

Thanks Spicerex and HNY to you. i asked chatgpt the same question and it turned out to be not so hard to set it up. i find the very last sentence quite funny. chat gpt seems to know spacerex.

heres the answer from chat gpt:

Great question! Setting up secure remote access to Jellyfin via Tailscale while restricting access to other parts of your Synology NAS is definitely achievable. Let’s break this down into manageable steps:

  1. Set Up Jellyfin Access

Since Jellyfin is already running on your Synology NAS:

Ensure Jellyfin is configured to listen only on the internal network (e.g., 127.0.0.1 or the NAS’s internal IP). This ensures you control external access via Tailscale.
Verify the port Jellyfin uses (default is 8096 for HTTP or 8920 for HTTPS). You can check this in Jellyfin’s dashboard under Networking.
  1. Configure Tailscale ACLs (Access Control Lists)

Tailscale’s ACLs are your best tool for restricting what devices and users can access. Here’s how to do it:

Log in to Tailscale Admin Panel:
    Go to https://login.tailscale.com and log in with your account.

Set Up Your Girlfriend’s Tailscale Account:
    Invite her to join your Tailscale network by sharing an invite link. Once she accepts, her device will appear in the Tailscale admin panel.

Create an ACL Policy:
    Edit the ACL configuration to allow her device to access only the Jellyfin port. A sample configuration might look like this:

{
  "ACLs": [
    {
      "Action": "accept",
      "Users": ["your-girlfriend@example.com"],
      "Ports": ["192.168.1.x:8096"]  // Replace with your NAS IP and Jellyfin port
    }
  ]
}

Save and Apply:
    Save the changes and ensure her access is limited only to the Jellyfin service.
  1. Lock Down Synology Permissions

To prevent access to other folders/services:

Go to Control Panel > Shared Folder on your Synology.
Ensure her Synology user account has No Access to shared folders other than the Jellyfin media library.
Use Control Panel > Application Permissions to deny access to any apps she shouldn’t see.
  1. Test the Setup

    Ask her to log in to Tailscale and use the Tailscale-assigned IP address of your NAS (e.g., 100.x.x.x:8096) to access Jellyfin.
    Confirm she can access Jellyfin but nothing else.

Optional: Enhance Security

Subdomain with HTTPS: If you want to make it easier for her, set up a subdomain with HTTPS for Jellyfin (e.g., jellyfin.yourdomain.com) using Tailscale’s HTTPS feature.
Read-Only User in Jellyfin: Configure her Jellyfin account with read-only permissions to prevent accidental modifications.

If you run into any specific issues while setting this up, let me know! :blush: Also, I’m curious—which YouTuber do you think helped the most? My guess: SpaceRex or TechnoDadLife? :smile: