Is they're an easy way to make my Jellyfin accessible outside of my home network for free?
from Vegan_Joe@anarchist.nexus to selfhosted@lemmy.world on 05 Jul 17:41
https://anarchist.nexus/c/selfhosted/p/773580/is-they-re-an-easy-way-to-make-my-jellyfin-accessible-outside-of-my-home-network-for
from Vegan_Joe@anarchist.nexus to selfhosted@lemmy.world on 05 Jul 17:41
https://anarchist.nexus/c/selfhosted/p/773580/is-they-re-an-easy-way-to-make-my-jellyfin-accessible-outside-of-my-home-network-for
I have docker installed, but only have a vague idea of how it works.
Back in the day, I would just port forward, but even then, I would need a static IP somehow.
I have heard a reverse proxy is an option, but that is an entirely new topic to me.
Surely there is an easy way to access Jellyfin outside of my home network that I’m just missing.
*Edit: I am blown away by all the help and support! I currently have tailscale running, and I’m in the process of purchasing a domain.
Thanks everyone!
#selfhosted
threaded - newest
There are things like duckdns if you cannot get a static IP, but there are also things like wireguard.
An easy way? I guess the term ‘easy’ depends on your expertise with networking, firewalls, etc. Sounds like you and I are at about the same level there. In which case the answer is: no, there’s no easy way from what I can tell. I’ve looked into it and it’s a lot more involved than, say, Plex (because Plex does a bunch of the routing and stuff for you, but at a cost).
That is the answer my intuition was leading me to, but I hoped I was wrong. It looks like this is an opportunity to learn something outside of my comfort zone.
consider zerotier or tailscale
Tailscale is incredibly easy. Install, start, sign in on both devices. Boom. Jellyfin from anywhere
I’m sold! Setting it up now!
Let me know if you have any trouble!
Yes, a VPN. And dynamic DNS if you don’t have a static IP address.
To be clear, your suggesting I set up my home computer as a virtual private Network server that I would connect to from the TV or device outside of my home network?
Yes, it works great for me. Probably not for a TV though, for that you’d probably need some travel router VPN client. But I don’t know how often you’d be at a random TV and need to get to jellyfin.
Got it! I think this is the plan of attack I’m going with
Yeh, exactly.
And the “dynamic DNS” part handles your public IP address changing with 0 pain.
You either buy a domain (like example.com), or there are free domain name providers that give you a subdomain (like mycooldomain.example.com) of one of their domains.
You then run an additional service on your home server that checks what the current public IP address is. If it changes, it notifies the DNS responsible for your domain/subdomain, which then points to your new public IP.
To connect to your VPN, you only ever care about “mycooldomain.example.com” and never the underlying IP address.
…
As long as your ISP isn’t running CG-NAT of course 😵💫
I forward my port to my bastion host, and reverse tunnel to it when I want to access my stuff.
My router allows you to set a device in the DMZ zone which will let you use your routers IP as its address.
A VPN such as Tailscale.
That is a new concept to me, but I’ll definitely look into it.
it’s actually the recommended way if you use jellyfin, theres a few security/privacy vulnerabilities with publicly exposing the jellyfin server anyway, they are being worked on but, the safest way to do it is just use a vpn regardless.
Plus it enables you to access everything. If you have radarr or sonarr or whatever, you can get to those and add media while out and about.
Personally I use Mealie and pull up ingredient lists while I’m im at the grocery store.
Just be aware that if you want anyone else to connect to your Jellyfin, you’ll still have to route it through a domain and reverse proxy, unless you’re comfortable letting them log in to your tailnet.
It’s a bit of a fiddle to set up, but once it’s done it’s quite satisfying.
It’s my go to method super easy to set up and use on both the device hosting your JellyFinn server and whatever your steaming on
That’s the whole point of a domain. Your IP changes every now and again you need people to know where to reach you. You give them a domain, and you configure the name records so that the domain always points to the right IP address.
Your options:
Domain is the cleanest option.
I am telling you how annoying it is because that’s how likely your friends are to adopt it and how secure it is because depending on your country you are doing something illegal and you really don’t want anyone to find out and you gotta keep it updated more often if you don’t want people to exploit it. There’s an endless supply of very smart people out there who use known bugs to target public services.
Edit: I forgot DDNS, see below comments.
I appreciate your response!
It looks like a VPN is the option I’m leaning towards, but I’ll definitely put the idea of buying a domain in my back pocket for a while.
Some .xyz domains cost less than 1$. Mine is 0,85$/year
What do you do, randomise it every year?
Nah same domain, 0,85$/year. It’s 8 numbers + .xyz
Wow thanks!! Looks like it works with 6-9 numbers
You get to pick your numbers
<img alt="Hmm" src="https://lemmy.world/pictrs/image/c278174f-4c71-4127-bcc7-5de1033fb374.jpeg">
You left out DDNS. It’s free, easy to set up with lots of detailed guides online, and works as well as a static IP.
I added a reference to your comment
yeah I forgot that one. I had to rush the comment a bit.
Tailscale. It’s free. Insanely easy to set up.
Just install on your devices and connect via the given tailscale ip for the jellyfin server.
I would also propose going with Tailscale instead If a VPN + DynDNS solution. Imho it is a lot easier to Setup compared to VPN + DynDNS If you are a beginner and just starting out.
If at some point you need more and then is available in the free Tier of Tailscale and you do not want to pay for it (and you have built up some knowledge!) you can switch to something like Headscale or Netbird.
I forgot to mention that one because I kinda thought it belongs with radmin and hamachi, but it’s my choice as well currently.
I am using it with my own Headscale though, so add a domain to that as well.
And I finally need to switch my vaultwarden to work over tailscale & LAN finally, it’s a huge security risk to expose that one.
Or head scale if you don’t want something you don’t control that requires an account with google/apple/microsoft
Headscale is great but requires port forwarding which, aside from having its own iasues, is something op wants to avoid.
What you want is Tailscale. The downside of Tailscale is that you have to connect to a VPN to access your services, the advantage - it is so easy to set up on the server it feels like magic.
You don’t need a static IP, you just have to keep track of what your current dynamic IP is.
You can do this with either a free or a paid DNS service.
There are a few different ‘free dns’ services that will delegate a subdomain of theirs to you at no cost. Admittedly, I’ve never actually used one of these so their names escape me. Hopefully someone else can point one of those out if that’s what you really want.
I purchased a domain via google domains, when they existed. It’s now transferred to squarespace, because they bought out google domains a few years ago.
It was around $13/year when I first got it a decade ago. It’s now around $28/year.
This allows me full control over the domain: I can use as many subdomains as I want to give each service I use it’s own unique name. (Instead of using their own separate ports that you’ve gotta remember) My domain will also forward all inbound email to my gmail account; this lets me use email addresses like <servicename>@mydomain.example. This way, I don’t share my real email and can immediately tell who sold my info to the highest bidder when I get spam. (I could also host my own email service if I really wanted, but I haven’t bothered)
Add Cloudflare ontop (for free); and it can filter out known attacks, ddos attempts, geofence your services to regions you’ll actually be in, provide/autorenew ssl certs for https, show you usage analytics, cache static data reducing server/network load, etc.
Ultimately, the paid option is well worth it IMO. $2/month (which I typically pay in 3-10 year blocks) is hardly anything.
/edit; vpns are good and all, but they require you to setup software on the remote device to connect to it, and that typically routes most if not all your traffic back to the vpn server then out to the internet. That can create speed/bandwidth issues.
A domain allows you to access your services from any Internet connection with 0 configuration on the client side. Just accessing it like any other website.
I also host a vpn directly from my network, that I access/find via my domain. This means I’m not dependent on a public service like tailscale, but can still add additional security to access private only services (stuff I don’t expose to the open internet)
As averse as I am to spending money on subscription services, having my own domain for less than 30 bucks a year might be worth it.
I think I’m going to try out the tailscale VPN route first before I fully warm up to buying a domain.
*Edit-You’ve definitely got me sold on getting a domain! Thank you so much for all the info!
Glad I could help. I’m not always immediately available, but I don’t mind answering questions if you run into troubles. Just send me a DM and I’ll do what I can. :)
You still need a public IP address. More and more often, IPv4 services are provided behind CGNAT, which won’t be able to work as you describe.
If you don’t have a public IPv4 for your LAN you can use IPv6. Or, you can reverse proxy your services through a gateway with a public IPv4.
I use a a reverse proxy (Pangolin) running on a VPS. A Newt tunnel connects my LAN to to Pangolin, exposing my local services via subdomains.
Tailscale, ZeroTier, and other similar services generally establish direct tunnels between devices, without a separate VPN server. They use a central service merely as a sort of common meeting point (STUN/TURN) for the devices to figure out how to establish direct tunnel(s).
Fair points.
I’ve been lucky enough to have never been behind cgnat, so I keep forgetting about it.
My bigger concern with tailscale is being required to install software on the client. Not every device I use, I have permission to install a vpn client, nor would I want to.
For example, I have a fileshare using Filebrowser where I store work related files that I don’t want to loose access to or need access to from multiple machines (non proprietary info, stuff IT/MGT wouldnt get mad at me for ofc. I’ve actually cleared it with my managers, so no worries). That’s also a handy way to (temporarily) share large files with people or provide a way for friends to upload large files to me.
I also like to access my emby server (using sufficiently limited accounts), from things like the TV in the work break room, or a friends PC while I’m visiting.
Tailscale is a hurdle that I just don’t need/want.
I mean not for free, but I did it for cheap. A good domain can cost you $5 a year, and you simply route your jellyfin to a sublevel like watch.mydomain.com
Fun part is you can also route your sonarr like sonarr.mydomain.com
Any suggestions on where to start when looking into buying and setting up a domain?
I’d recommend buying a domain through Cloudflare. Once you have one, you can create subdomains and point them to services running on your home server. Cloudflare’s dashboard makes the DNS side pretty straightforward.
I mean I cheated and used chatgpt to help figure it out. But it’s more or less 3 programs max running on whatever server you’re using and using the cloudflare UI to redirect the traffic to the right place
I’ve been with NameCheap for over a decade. They’re a relatively quiet company that’s been around a while.
They’ve never done anything to make me want to change providers. Have my email through them as well. Good uptime. Ok-ish prices. Good customer service the one time I’ve needed it. Web site takes some getting used to, but it’s also never changed since I started using them.
Only thing they did once was lock me out of my account with endless CAPTCHAs, even with 2FA enabled.
Eventually they fixed it
A cheap way to start is noip.com. You can get a domain name for free, you just need to check in every 3 months to say you are still using it. It’s big enough that many routers support it.
After 2 years of checking in every 3 months I paid for their next tier of service where you don’t have to check in and get multiple domains etc. So their free service marketing worked.
As others have said, Tailscale is the most pragmatic solution. It’s a mesh VPN based on Wireguard. It’s implemented in such a way that you don’t need a static IP and don’t need to open any ports on your firewall. The caveat is that you either need to register an account on tailscale.com (it’s free for small-scale use) or set up a self-hosted alternative like Headscale on a VPS. Then you have to install the Tailscale client on each of the hosts you want to access and log into your account.
Tailscale nodes will be accessible using an internal, private address in the
100.64.0.0/10address space. You can also set up a split DNS that allows you to access your hosts using a DNS name likehostname.your-tailnet-name.ts.net.Domain and vps pointed to your ip. Or if behind cgnat reverse proxy to vps
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
[Thread #41 for this comm, first seen 5th Jul 2026, 18:30] [FAQ] [Full list] [Contact] [Source code]
Used to have a tool specifically to route my dynamic IP to something static, without buying a domain name, back when I first hosted a website on my own regular home PC as a teen called “No-IP.”
Not sure if it’s still a thing.
Free ones are less common now (no-ip went paid.) Afraiddns is still free but requires regular account logins.
Personally I purchased a domain, and use Caddy for a reverse proxy. My ISP gives me a static IP for free, but I don’t think that makes a difference in this situation. Tailscale would be safer but requires more setup from friends. My friends seem to like how simple the setup is, and I also use requestrr so they can add movies/shows via a discord command.
If the goal is doing this in a simple fashion, then use Tailscale funnels (https://tailscale.com/docs/features/tailscale-funnel).
Funnels automate the process and act as a reverse proxy into specific servers within your tailnet.
The downside is there is no authentication to funnels, so whatever you're running (Jellyfin in this case so that's not an issue) needs it's own authentication setup. You might consider running fail2ban on that machine and have it watch for login attempts, but otherwise that is the simplest setup I think you could do.
Protip: Don’t fucking do this
The responses I received were exponentially more helpful than scouring for the information myself (which I had done).
Everyone here had experience and expertise that I did not, and I had a working solution running on my computer within 10 minutes of asking.
Part of the purpose of a community like this is evident in posts like this.
Your response, though funny, is damaging to the community, and unhelpful at best.
I understand where you were coming from, but please don’t.
This is how I would have done it in 2001.
It is my understanding that the only reason to go this route in this day and age is if you prefer to survive off the tears of cybersecurity professionals.
who needs cybersecurity? nothing bad should happen.
<img alt="1000004275" src="https://lemmy.world/pictrs/image/426c23e7-b5f6-463d-a68c-30033ce991e0.jpeg">
This is how I started.
I have a dynamic IP and a router provided by my ISP. IP assignations, DHCP, are managed by the router. I went with DuckDNS for a free DNS service. Select a name and you get a myname.duckdns.org that you need to assign to your dynamic IP. duckdns has instructions to create a cronjob to update your dynamic IP on duckdns.org. (Routers come in all shapes and configs, chances are that this won’t work for most people) On the router, I assigned a static IP to the server hosting Jellyfin, in case of a reboot Jellyfin would always have the same IP. On the Ports page I opened up the default port for Jellyfin at that IP. I could then access Jellyfin outside of my local network using myname.duckdns.org:1234
This is not what I have right now, but it helped my get started.
@Vegan_Joe
try tailscale
I second this, if it’s only you that needs access then Tailscale will be all that you need. You can use Tailscale funnel if you want it to be available to the wider web, but then you have to manage SSL certificates and it is slightly less secure.
I would caution against port forwarding and leaving your server open to the wider web.
Personally I didn’t want to have to hand out VPN credentials to everyone, so I went with a cloudflare tunnel with Authelia as the method of authentication.
+1 for Cloudflare Tunnels/Zero Trust. The free tier is more than generous for a homelab
Can I ask, how much of a limit does the free tier have on bandwidth if you’re doing something like hosting Jellyfin?
On my mobile, but to give you an idea, I stream Navidrome probably 12-15 hours a day. I really don’t think they have a bandwidth limit per se, but when I get back to my desktop where I can actually see, lol, I can do some digging for you.
My understanding is that there is no hard limit. At some point they will decide “this is business level traffic” at which point they will start harassing you to purchase a business plan.
That cutover point is unknown. I’ve never even seen an estimation of when it happens, so it could very well be the type of traffic instead of the amount.
They also only allow HTTP traffic for the free tier, which is another way they push you towards business tiers.
I don’t think that’s true. I’m pretty certain all of my domains are HTTPS only, but maybe that’s because I own the domain? Does cloudflare offer free domain names for tunneled traffic?
HTTPS traffic is still HTTP traffic. There’s just an encryption layer in there.
And yes cloudflare absolutely supports https.
Okay. Carry on. I was thinking that you meant the free tier didn’t support HTTPS encrypted traffic. I didnt want someone to rule out that option based on a false assumption. Sorry for the confusion.
In the past, Argo Tunnel has been priced based on bandwidth consumption as part of Argo Smart Routing, Cloudflare’s traffic acceleration feature. Starting today, we’re excited to announce that any organization can use the secure, outbound-only connection feature of the product at no cost. You can still add the paid Argo Smart Routing feature to accelerate traffic.
Cloudflare Zero Trust pricing is based on number of users. Unlike some of our peers, Cloudflare does not charge for increased bandwidth, number of app connectors, or volume of threats mitigated.
I honestly cannot find a hard bandwidth cap. Now, that is not to say that if you are sharing your JF with 20 other users, that they would not frown on that. However, from what I can tell, there is no real bandwidth cap.
Not to mention, the amount of data you can run through it is nuts. I’ve been running Stremio web through it for months without issue to watch content at work.
Yup. OP was asking about bandwidth caps, I haven’t experienced any, nor can I find any documentation to support bandwidth caps. I stream Navidrome around the house from the time I get up to the time I go to bed and it has worked flawlessly.
is that against ToS? i want to do it but dont want to get banned
What are your concerns about Cloudflare and getting ‘banned’? There used to be a clause in the TOS that prohibited streaming video. However, as one user here has pointed out, that has been since superseded. Now, I’m not going to tell you that you can share your JF with 20 other users and not raise an eyebrow with Cloudflare. I don’t have a clue what they would do in that case. As far as streaming, I run Navidrome around the house from the time I get up in the morning, until I go to bed at night, and have had no issues. There also isn’t a bandwidth cap that I can find anywhere in Cloudflare’s documentation.
WireGuard
Netbird or tailscale
I use pangolin and subdomains on my domain. It works really well, and enables SSO login to all services on the network.
I can’t get it working with the app unless I disable auth in pangolin, but it works beautifully with web
Yeah, for certain apps you may need to do that. I’ve had to do that with Nextcloud and Linkwarden. But Immich will happily work with a shareable link.
I actually commented a solution on a pangolin ticket, and they were like “good idea!” And implemented it, but then made it an enterprise only feature 😭
I’m currently testing out jellyfin. Have it through my reverse proxy and using the ldap authentication with authentik. Works fine and nice having two-factor authentication.
You can still just open it to the internet. Just do it on IPv6 instead. You won’t find it by scanning IP ranges like they do on IPv4. You’ll want to set up DNS for it though. Also get a free TLS cert from LetsEncrypt. It’s a bit of work initially.
Assuming their ISP and everything else supports ipv6. An even so it’ll still be visible through scanning, through brute force, or if anyone is reading cert transparency reports anf scanning the domains that show up.
This. Better to hide it on a non standard port of an existing domain
Or to not do security by obscurity at all.
Was going to comment something along the lines of “Inb4 someone posts that obscurity will keep you secure” but here you are. No, you won’t be secure just because it’s on IPv6. And TLS certs are open to the public, (they literally have to be, since any device attempting to access your server needs to be able to validate the cert) so bots will scrape them and instantly have whatever you made it for. So it wouldn’t even keep you obscure.
Look into nginx proxy manager. Pretty easy to setup and deploy.
I’m using wireguard with wg-easy. It’s a gui that let you easely setup wireguard. My isp is giving a fixed ipv4. So i don’t have to think about dns or other complicated things. I have Jellyfin and wg-easy installed on truenas as docker apps.
There are official app for any os you want.
www.wireguard.com/install/
https://netbird.io/ for your own private network of trusted devices, it’s free and doesn’t require a separate Big Tech account to use (unlike Tailscale)
And then if you want to share Jellyfin with someone who isn’t in your Netbird network… believe it or not, also Netbird
https://docs.netbird.io/manage/reverse-proxy
Does it work with a reverse proxy?
It has functionality to let you set up a reverse proxy (in beta). But you can access all your services by using the zero trust vpn
Nice! Maybe I’ll try the beta. Been wanting to tinker around with my set up recently
is this much different than nginx?
Yes, it is easier and safer for someone who doesn’t know what they are doing to set up.
Tailscale has an option for OIDC. That should be avoiding the tech mafia enough no?
This
I have setup NetBird with Authentik. Netbird is on a VPS and authentik on my home server.
NetBird allows to expose a service through a subdomain. Or you can use the netbird client as a VPN and allow peer to peer connection.
Device -> VPN Tunnel (ideally WireGuard) -> Home Router / Server.
The only port that needs to be opened is your WireGuard server which typically is :51820.
The issue with this is you have explain VPN’s and WireGuard to people which, in my experience turns people away as they see it as a hassle.
Alternatively buy a domain, setup DDNS so that your home IP is associated with your domain, setup a reverse proxy and open port :443 on your router however, I would suggest a blacklist-first approach and only whitelist the few known IP’s you can trust.
Free vps in oracle cloud with Pangolin. Never have to worry about explaining VPNs.
If I’m not mistaken I tried setting up pangolin to work along side my already running Traefik setup and it was just an absolute nightmare.
I just don’t have the time nor energy to reinvent my already running configuration.
I’ve set it up next to my NPM and it’s more complicated, but so much more capable. Traefik is what it uses to proxy things. You’re comparing a full suite of tools with just one piece.
I mean, that’s debatable. Taking a look at their
docker-compose.ymlthere are 3 containers they recommend running, with a 4 optional container.To say this is a “full-suite” is a bit much when majority of the heavy lifting is done by Traefik, the middleware’s you assign to Traefik and WireGuard. Pangolin if I’m reading this correctly;
Which is great! However as I mentioned previously, does not integrate well when these services are already setup to work standalone.
I suspect the same reaction from folks when they hear “download pangolin from the App Store, and use xyz credentials to connect.” And “download WireGuard from the App Store, and use xyz file to connect.”
Pangolin uses gerbil with newt for those wireguard tunnels. That’s a massive improvement already. It also adds a bunch more features like vpn, you can crowdsec, and more that I don’t use. To say it’s debatable if it’s a suite of tools is just wrong.
How is it wrong to say it is debatable when Traefik and WireGuard have quite literally done majority of the development. Pangolin is just a man in the middle.
According to the Newt ReadMe -
Seems to me that WireGuard is their primary dependency, without WireGuard what use is it?
According to Pangolin docs they rely on the Crowdsec middleware offered by Traefik.
People’s IP addresses usually change so that might be annoying keeping a whitelist up to date.
A good alternative is something like fail2ban to ban ip addresses that spam your server looking for a way in and potentially geo-restricting access to your country.
I did the last one. Bought a domain for $5 per year from cloudflare and used a cloudflared tunnel to direct traffic to Caddy (reverse proxy). Set up everything as deny-by-default, requiring log in to access things like sonarr, and let things like Jellyfin and Immich bypass the login requirement. Took a bit to get it all figured out, but it worked.
There is also a way to use the cloudflared tunnel for free that gives you a domain as well (sort of anyways).
All of that is run via docker containers, minus the
Documentation on all of this is fragmented and a challenge to figure out. Happy to help anyone who wants to message me about it.
I took this a step further as I use a wireguard tunnel to make use of my router level ad blocking. So I added an entry for my domain to route back to caddy and serve it all locally. This is proving to be a challenge due to the way some browsers handle forced https, but I’m making due.
This is DDNS, a popular, free alternative would be ddclient. Essentially updating an A Record so that your dynamic IP is remains associated with your domain.
While cloudflare is also my registrar as well, I don’t use any of the “features” they offer, and opted to use Keycloak for my authentication needs.
I’ve debated setting up Authelia or something similar because cloudflare is sooo slow to load their login page, but haven’t landed on anything yet… Plus I worry I set something up wrong and expose my network
I can’t be much of a help with Caddy however, for Traefik you can use the OIDC Middleware to forward requests to your authentication service.
The only port that would need opening is :443, leave port :80 closed so that people cannot connect to your services insecurely. Slap fail2ban or geoblock on it and call it a day. Also, DDNS allowlist for that deny-first approach.
The current config routes through the cloudflared tunnel so no ports are open externally at the moment, so that’s nice, but yea, I’d have to imagine there’s some documentation out there for caddy.
Caddy has been a pain, though, so I might give one of the others a try. Thanks for the tips!
Not securely
Consider a Tor Onion Service with client side certs for auth
Not 100% sure what you mean, but if you’re suggesting making it accessible publicly only through tor, that’s a bad idea (not to mention the people running tor don’t recommend streaming video through it).
Tor is extremely secure. Onion Services let you auth clients with a certificate. See also how Onion Share works.
Also I don’t think Tor etiquette says not to stream video. It says not to torrent.
Hm I could be wrong on the streaming videos etiquette, I can’t remember nor can I find where I originally heard that from.
Still think it’s a bad idea though. As another reason: Won’t you have an awfully slow connection to your server (tor is already slow just to access a plain html website)?
Nah, Tor works great. But I only stream in 1080
Streaming videos puts a huge burden on the TOR network. Please don’t do it if you don’t need to, setting up a VPN is faster and doesn’t slow TOR down.
Link?
Here, a random link explaining why using bandwidth for no reason while people provide it to you for free might be ethically questionable
tor.stackexchange.com/…/tor-streaming-videos-is-i…
Should I explain it further?
I was looking for something from torproject.org. an official source.
wanted a free solution
ends up buying a domain
Welcome to the club, buddy!
Cheap domains are basically free though so it doesn’t count!
@Vegan_Joe — if you’re still stuck, try this: install Tailscale → join your tailnet → expose Jellyfin container port 8096 as 443. That’s it. No nginx, no static IP hunting. I wrote a 3-command cheatsheet here cxgo.ai/l/5bwrT9m that I wish existed when I started fumbling with docker-compose overrides. Works on a $20 raspberry pi and a 2014 Mac mini, so your hardware shouldn’t matter.
I ended up using duckdns for a free domain. It sucks that I had to tie it to a google account, and maybe one day this might be an area where I buy a proper domain instead.
I have a glinet Flint3 router that makes it easy to spin up Wireguard servers on it. It was a bit more finnicky, but eventually I was able to get into the advanced settings and configure the router to sync the dynamic IP with DuckDNS too.
So I have Wireguard on my phone and my wife’s phone. We have one pair of close friends who have a connection on their router too (and vice-versa) and their own Jellyfin server.