Help Setting up Firewall rules to access reverse proxied Jellyfin domain from Wireguard tunnel & adjacent local vlan

Background

I need help setting up the firewall/routing rules to allow remote and local access to a Jellyfin server behind an Nginx reverse proxy.

I have two sites connected through the cloud via a WireGuard tunnel on routers running OpenWrt 23.05.5, as shown in the redacted diagram below:

I am able to get everything working using ip addresses, but this means that the connection between the Jellyfin client and the Jellyfin server is via http, which is less than ideal.

I have the Jellyfin server behind an Nginx Proxy Manager reverse proxy, which allows https access at jf.example.com (redacted), and I'd like to use this domain name instead of ip addresses.

Because the ip address setup works, the router and devices have connectivity with each other, so I just need to determine the correct firewall rules for using domain names.

I have two use-cases:

1. Access the Jellyfin server remotely via a wireguard tunnel

This use case is to allow the Remote Untrusted Device A at Site A on the guest vlan to access the Jellyfin server on the lan vlan at Site B.

I am able to get this working using ip addresses with the following Firewall Traffic Rules.

The firewall rule on Site A to route traffic from the Jellyfin client into the wireguard tunnel:

config rule
	option name 'Allow-Site-B-Jellyfin'
	option src 'guest'
	option dest 'vpn_to_site_b'
	list dest_ip '10.30.30.22'
	option dest_port '8096'
	option target 'ACCEPT'
	list src_ip '10.10.10.10'

The firewall rule on Site B to route traffic from the wireguard tunnel to the Jellyfin server:

config rule
	option name 'Allow-Site-A-Jellyfin'
	option src 'vpn_to_site_a'
	list src_ip '10.10.10.10'
	option dest 'lan'
	option target 'ACCEPT'
	list dest_ip '10.30.30.22'
	option dest_port '8096'

Unfortunately, the Firewall Traffic Rules only accept CIDR notation and do not accept domain names, so I cannot just substitute jf.example.com for 10.30.30.22.

I think that I need to use policy based routing (PBR), but I don't have any experience with it.

Question 1.1: On Site A, do I install the luci-app-pbr package and create a policy to route from 10.10.10.10 to jf.example.com?

Question 1.2: On Site B, do I create a firewall rule that routes 10.10.10.10 to the Nginx Proxy Manager ip address, 10.30.30.11?

Something like this:

config rule
	option name 'Allow-Site-A-Jellyfin'
	option src 'vpn_to_site_a'
	list src_ip '10.10.10.10'
	option dest 'lan'
	option target 'ACCEPT'
	list dest_ip '10.30.30.11'

Question 1.3: Is there anything else I need to do on Site B to prevent the remote device accessing any other reverse proxies on the Nginx Proxy Manager?

2. Access the Jellyfin server locally from an adjacent vlan

This is to allow the Local Untrusted Device B at Site B on the guest vlan to access the Jellyfin server on the lan vlan at Site B.

I am able to get this working using ip addresses with the following Site B Firewall Traffic Rule.

config rule
	option name 'Allow-Local-Jellyfin-Access'
	option src 'guest'
	list src_ip '10.20.20.20'
	option dest 'lan'
	option target 'ACCEPT'
	option dest_port '8096'
	list dest_ip '10.30.30.22'

PBR doesn't seem to be suitable to route to the lan vlan, but I may be wrong. So I'm not sure how to do this for domain names.

Question 2.1: How do I establish a jf.example.com connection from the local guest vlan?

I've also thought of using this rule to allow 10.20.20.20 access to the Nginx Proxy Manager ip address, but this allows access to all reverse proxies located there, not just jf.example.com, which is unacceptable. There may be a way to set up ports to restrict access to the Jellyfin server only, but it's not something I've investigated.

config rule
	option name 'Allow-Local-Jellyfin-Access'
	option src 'guest'
	list src_ip '10.20.20.20'
	option dest 'lan'
	option target 'ACCEPT'
	list dest_ip '10.30.30.11'

After many hours of fiddling around I concluded that I had the following options:

  1. Firewall Traffic Rules using the http ip address of the Jellyfin host.
    This is the ip address solution I detail in my original post. It allows access to the Jellyfin server via http on a guest network, but this allows someone on that network to sniff Jellyfin credentials.
  2. Keep the Option 1 rules above and add a self-signed certificate to the Jellyfin server.
    This is possible but requires messing around generating certificates etc. Most online advice suggests setting up a reverse proxy instead.
  3. Change the Nginx Proxy Manager rules for jf.example.com to listen on a unique port for that reverse proxy only, and adjust the Firewall Traffic Rules of Option 1 above.
    This would allow https access to the jf.example.com reverse proxy only.
  4. Set up domain name traffic rules, which was the original request of this post.
    I tried using PBR on the Site A router. I'm not an expert in PBR, but I could only get all traffic from Untrusted Device A routed, not jf.example.com traffic only. So this is not easy (or possible) to do; I couldn't find help online and I didn't receive any replies to this post.

So I decided to go with Option 3, as I was able to get it to work!

Here is what I did.

On the Nginx Proxy Manager (NPM)

  • Navigate to the jf.example.com Proxy Host Edit dialog (Hosts / Proxy Hosts / scroll to the jf.example.com entry / hamburger menu / Edit)
  • Go to the Advanced tab
  • Enter the following in the Custom Nginx Configuration box:
    # Listen on an additional port and force ssl
    listen 8096 ssl;
  • Hit Save

This enables NPM to listen on the additional port 8096, so existing Jellyfin clients can still have access and a traffic rule for Untrusted Device A and Untrusted Device B can be set up for port 8096.

On the Site A Router

Add the firewall rule for traffic from the Jellyfin client (Untrusted Device A) into the WireGuard tunnel:

config rule
	option name 'Allow-Site-B-Jellyfin-Access'
	option src 'guest'
	list src_ip '10.10.10.10'
	option dest 'vpn_to_site_b'
	list dest_ip '10.30.30.11'
	option dest_port '8096'
	option target 'ACCEPT'

On the Site B Router

Add the firewall rule for traffic from Untrusted Device A in the WireGuard tunnel to the Jellyfin server:

config rule
	option name 'Allow-Site-A-Jellyfin-Access'
	option src 'vpn_to_site_a'
	list src_ip '10.10.10.10'
	option dest 'lan'
	option target 'ACCEPT'
	list dest_ip '10.30.30.11'
	option dest_port '8096'

Add the firewall rule for traffic from Untrusted Device B to the Jellyfin server:

config rule
	option name 'Allow-Guest-Jellyfin-Access'
	option src 'guest'
	list src_ip '10.20.20.20'
	option dest 'lan'
	option target 'ACCEPT'
	list dest_ip '10.30.30.11'
	option dest_port '8096'
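As an added check, not from the post or from OpenWrt itself: a small Python audit that parses rules in the UCI firewall format shown above and flags any ACCEPT rule from an untrusted zone (the guest vlan or the WireGuard zones) that has no dest_ip, has no dest_port, or targets anything other than NPM on the Jellyfin-only port 8096. This is the least-privilege property the final rules are meant to enforce, and the property the rejected rule under use-case 2 (NPM address with no port) would break. The sample rules are constructed from the ones in this post plus one deliberately over-broad rule; the allow-list, the zone names and the rule name 'Allow-Guest-NPM-All' are assumptions for the example.

```python
import shlex

# Constructed sample: the two Site B rules from the post, plus one
# constructed over-broad rule that lets the guest host reach every
# reverse proxy on Nginx Proxy Manager (no dest_port).
SAMPLE_UCI = """\
config rule
	option name 'Allow-Site-A-Jellyfin-Access'
	option src 'vpn_to_site_a'
	list src_ip '10.10.10.10'
	option dest 'lan'
	option target 'ACCEPT'
	list dest_ip '10.30.30.11'
	option dest_port '8096'

config rule
	option name 'Allow-Guest-Jellyfin-Access'
	option src 'guest'
	list src_ip '10.20.20.20'
	option dest 'lan'
	option target 'ACCEPT'
	list dest_ip '10.30.30.11'
	option dest_port '8096'

config rule
	option name 'Allow-Guest-NPM-All'
	option src 'guest'
	list src_ip '10.20.20.20'
	option dest 'lan'
	option target 'ACCEPT'
	list dest_ip '10.30.30.11'
"""

# Zone names taken from the post; assumed to be the only untrusted zones.
UNTRUSTED_ZONES = {"guest", "vpn_to_site_a", "vpn_to_site_b"}
# The single (host, port) pair untrusted devices may reach: NPM on the
# jf.example.com-only TLS port.  Assumed allow-list for this example.
ALLOWED = {("10.30.30.11", "8096")}


def parse_uci(text):
    """Parse UCI 'config' / 'option' / 'list' lines into a list of dicts.

    Each section dict carries '.type' (e.g. 'rule'); 'option' keys map to a
    string, 'list' keys to a list of strings.  Quoting is handled by shlex.
    """
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0] == "config":
            cur = {".type": parts[1], ".name": parts[2] if len(parts) > 2 else None}
            sections.append(cur)
        elif parts[0] == "option" and cur is not None:
            cur[parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and cur is not None:
            cur.setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
    return sections


def audit(sections, untrusted=UNTRUSTED_ZONES, allowed=ALLOWED):
    """Return (rule_name, problem) pairs for ACCEPT rules from untrusted zones
    that are broader than the allow-list.  Port ranges / lists are compared
    as the literal dest_port string, so anything but an exact match is flagged.
    """
    findings = []
    for s in sections:
        if s.get(".type") != "rule" or s.get("target") != "ACCEPT":
            continue
        if s.get("src") not in untrusted:
            continue
        name = s.get("name", "<unnamed>")
        dest_ips = [ip.removesuffix("/32") for ip in s.get("dest_ip", [])]
        port = s.get("dest_port")
        if not dest_ips:
            findings.append((name, "no dest_ip: rule reaches the whole dest zone"))
            continue
        if port is None:
            findings.append((name, "no dest_port: every service on the host is reachable"))
            continue
        for ip in dest_ips:
            if (ip, port) not in allowed:
                findings.append((name, f"{ip}:{port} is not on the allow-list"))
    return findings


if __name__ == "__main__":
    for name, problem in audit(parse_uci(SAMPLE_UCI)):
        print(f"{name}: {problem}")
```

Run it against a copy of /etc/config/firewall from the Site B router (replacing SAMPLE_UCI) after any change to the guest or tunnel rules; an empty result means every path from an untrusted device still ends only at NPM on port 8096.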

Testing

Untrusted Devices A and B can now only access the Jellyfin Server on Site B. I tested the following scenarios from the devices:

Final Thoughts

I didn't update the title of the post, or mark this post solved, to enable someone else to post a solution to the original question, if it is at all possible.

I hope this helps out someone else.