My setup: Locally (all in docker):

• JF for managing and local access
• JF with read only mounted volumes that uses the network of my Wireguard client container
• Wireguard client opening a tunnel to Wireguard server on VPS ** Ping container regularly doing pings to Wireguard Server so the connection stays up (didn’t manage it otherwise)

VPS (Oracle Cloud free tier, also everything in docker):

• Caddy as a reverse proxy with https enabled and geolocking (only certain countries are allowed to connect to)
• fail2ban to block IPs that try to bruteforce credentials
• Wireguard server

Usernames are not shown in the frontend and have to be entered. Passwords are generated by a password manager and can’t be changed by the user.

So my clients just get the URL of my reverse proxy and can access the read only JF through my Wireguard tunnel. Didn’t have to open any ports on my side. If someone is interested I can share the docker compose files later.

Edit: Here the link to the setup description. Please tell me if something is not clear or you find an error. https://codeberg.org/skjalli/jellyfin-vps-setup