I am not very knowledgeable about networking. I found I can connect to my Jellyfin server if I set under Networking “Allow remote connections” and in the remote IP address filter I put the remote IP that Tailscale assigns to my iPhone.

Is this how it’s supposed to work? I didn’t expect to have to use Remote Access Settings. I thought the point of Tailscale is to make it like you are on a local network.

top 12 comments

sorted by: hot top controversial new old

[–] [email protected] 3 points 1 year ago (1 children)

Some services usually just listen to 127.0.0.1 which makes it's only available for the current machine.
The service needs to listen to 0.0.0.0 or the IP of the network adapter to be able to be reached outside the machine, this is what remote access means, both your local network and the internet are "remote access" to the services running inside a machine.

So, yes, it's normal you have to enable remote access to be able to connect via tailscale.

Extra note: it's good to be extra sure your services can be only accessed by you, this is what the ip address filter does, but if this is running inside a normal ISP's router network then it's already closed to the outside internet, so the filter would be a bit annoying in the case you want to share it with your other devices or any guest inside your network, you'll need to remember to update that list, and also if your IP changes for some reason.
With tailscale you can just remember to close all your ports and use your tailIP to connect to the service

[–] [email protected] 1 points 1 year ago (1 children)

Not quite sure I followed all that. I’ve disabled a specific white list for now. When I have access to another computer I will confirm I can’t connect unless I am running Tailscale with the appropriate IP addresses.

[–] [email protected] 2 points 1 year ago (1 children)

Yes, that's the idea, if you're not running tailscale in both machines then you won't be able to connect to them (unless you do some other networking configurations).
Once you have tailscale running in both machines or devices, you only need to use the Tail IP to connect to them, they will find each regardless if they are in the same local network (connected to your home router) or across the internet.
If you want to have access to your jellyfin without connecting to tailscale it'll require more configuration depending on your set up and you'll have to take care of the security implications of the internet being able to reach your computer or server.

A bit more information:
My jellyfin runs in my computer, so with tailscale I have at least these IP addresses

127.0.0.1: The machine itself (or localhost)
192.168.X.X: The address in your local network (usually your ISP's router)
100.X.X.X: The Tail IP.

Now, in my phone I can be at several places and I can access jellyfin like this:

Same local network: 192.168.X of my computer, 100.X tail IP of my computer (if I'm connected to tailscale).
Mobile data or any other wifi: 100.X tail IP of my computer only when connected to tailscale.

Again, I won't recommend you on making your jellyfin instance public to the internet, just make sure to always be connected to tailscale.
If you want to share your instance then you can check to share it within tailscale to the specific people you want.

[–] [email protected] 1 points 1 year ago

Thank you that is tremendously helpful! I expect this post will help others that come along.

So confirming for your setup, you do need Remote Access enabled to use 100.x while home on your local network on wifi as well (and of course while away on cellular).

That’s how it seems to be for me, so I think I’m set up correctly. I don’t believe I’ve opened any unusual ports or anything like that.

[–] [email protected] 3 points 1 year ago (1 children)

When you install Tailscale on a device, that device is now a part of a virtual private network, and gets its own IP, usually starting with 100.*

So if you usually access your Jellyfin instance 192.168.0.1:8096, and you install Tailscale on your server and a client device, check which IP Tailscale assigned your server and replace 192.168.0.1 with that IP. Make sure to keep the port in the url (the thing after the colon. Jellyfin’s default webui port is 8096).

The main benefit here is not having to open a port. You can still access the port that Jellyfin’s webui is behind without exposing it to the internet.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Thanks for the explanation. That part is clear, and I can access the server/Mac computer from my iPhone using the 100.x IP address. But if I’m on cellular I need to have Remote Access Settings enabled in order to connect.

Edit: Actually on Wifi too on the same local network I need remote access enabled if I’m using the 100.x IP addresses. Using the usual IP pre-Tailscale I don’t need remote access on wifi.

[–] [email protected] 2 points 1 year ago (1 children)

I use tailscale and it connects as if I'm on the local network. I use the work profile on my phone to isolate Jellyfin and tailscale so I don't have to drop off my main VPN when I'm not home.

[–] [email protected] 1 points 1 year ago (2 children)

When I turn Tailscale on my iPhone disconnects from AdGuard DNS/VPN. Could I avoid this by using a profile like you described?

[–] [email protected] 1 points 1 year ago

I'm not familiar with the work profile on iOS, but on Android, the work profile runs on a separate network. This allows one to have two VPNs running at a time. One for non-work profile and others in the work profile.

[–] [email protected] 1 points 1 year ago

Reading on how iOS work, I don't think they separate the network layer. It's just a storage container and they limit what apps can interact within the work container.

The only option for you would be to provide an exit node on your network that's behind the VPN you want. I think.. if you want to use tailscale.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

I have put

127.0.0.1/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 100.64.0.0/10

In Networking > Server address settings > LAN networks

No idea if this is correct/secure/best practice but it works

Note the description of this setting:

Comma separated list of IP addresses or IP/netmask entries for networks that will be considered on local network when enforcing bandwidth restrictions. If set, all other IP addresses will be considered to be on the external network and will be subject to the external bandwidth restrictions. If left blank, only the server's subnet is considered to be on the local network.

Also while I have your attention, set your Tailscale network to use Quad9 (9.9.9.9) as the global dns server. This will somewhat limit the amount of snooping your ISP can do into your internet activity.

https://tailscale.com/kb/1054/dns/

Or you can run PiHole in a docker container, put its IP into Tailscale and completely get rid of all ads as long as you’re connected to Tailscale!

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

I have Networking > Server address settings > LAN networks blank/default. That sounds like a feature that allows you to specify things as local (maybe that allows for higher bit rate streaming while away or something). I haven’t looked into this at all. For me when I’m away from home lower bandwidth is probably better.