Homelab questions

I hope to replace WireGuard with Pomerium for my homelab. While I see no obvious blockers, I wanted to ask for input on a few points.

  1. Would you think it’s safe to expose Pomerium on 443 in a home setup without additional security measures? This would be on a Proxmox VM which gets this port forwarded from a basic consumer fibre router. (Currently all ports are closed except one for WireGuard. My home IP is dynamic, I’m updating Cloudflare DNS when it changes.)
  2. Does anyone have experience with Jellyfin Mobile Apps and Pomerium? I’m wondering if authentication is going to work smoothly.
  3. Any recommendations for an IdP provider? IIUC both Amazon and Google should be free for up to 50 users.

Thanks!

Hi @blue.koala!

Thanks for considering Pomerium!

Exposing port 443 on your home router is fine. I do it myself to run Pomerium! See Configure port 443 to allow inbound access in our docs.

I’m currently using Pomerium Zero in my home lab. I’d suggest using it for yours as well. It’s the fastest way to get set up with Pomerium. You get a managed control plane, which makes it nice for configuring routes and other settings while still having the access plane running at your network’s edge.

I’d have to look into Jellyfin as I’ve never used it, but I know with Pomerium you can convert OIDC to a Basic Auth header. I’d have to test it out. I think it’d work if passwords were the same for your IdP user/Jellyfin user, but if you changed passwords in either you’d probably need to keep them in sync.

You could also just protect it with Pomerium, you log in with your IdP and then you’ll get sent to the Jellyfin login. Just means you have to log in to Jellyfin after is all.

That would work for web most likely, but not sure about mobile.

I know my co-worker Wes had a PR up for external JWT auth, but I don’t think the Jellyfin team is going to go that route.
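As an added illustration of the "just protect it with Pomerium" option described in the reply above (not code from the thread or from the Pomerium project), this is a minimal self-hosted Pomerium config.yaml that listens on 443 and puts a Jellyfin instance behind an IdP login. All hostnames, the Jellyfin upstream address, the allowed domain and the secret placeholders are assumptions; with Pomerium Zero the routes and policy are entered in the hosted console instead of this file.

```yaml
# Added example, not from the original thread. Placeholder values are marked REPLACE_.
address: :443                      # listen on 443, the port forwarded from the home router
autocert: true                     # fetch a public TLS certificate; needs public DNS for the hosts below

# IdP settings (Google used here as an example provider)
authenticate_service_url: https://authenticate.example.com
idp_provider: google
idp_client_id: REPLACE_WITH_CLIENT_ID
idp_client_secret: REPLACE_WITH_CLIENT_SECRET

# Pomerium's own secrets; generate each with: head -c32 /dev/urandom | base64
cookie_secret: REPLACE_WITH_BASE64_32_BYTES
shared_secret: REPLACE_WITH_BASE64_32_BYTES

routes:
  - from: https://jellyfin.example.com
    to: http://192.168.1.50:8096    # assumed Jellyfin address on the LAN, reachable from the Proxmox VM
    policy:
      - allow:
          or:
            # allow only accounts from one domain; for personal accounts use `email: is:` instead
            - domain:
                is: example.com
```

With this in place, a browser reaching jellyfin.example.com is sent to the IdP first and, once the Pomerium session cookie is set, proxied to Jellyfin, where Jellyfin's own login page still appears, as the reply describes. Keeping the policy narrow (a specific domain or list of emails rather than `allow: or: - accept: true`) is what makes exposing 443 acceptable: nothing on the upstream is reachable without an IdP-backed session.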