-
The Traefik labels must be set on the server side where the Traefik container has access to the DWT server network. I can give a better example later when I am free if you're still confused.
-
@eiqnepm :3 need help plz :3
-
I've tested this by running Jellyfin from my home server and then using docker-wireguard-tunnel on my VPC, and it appears to work correctly for me by following example-tls-traefik.md and using the following config. Provided you've set up the DNS entries for

VPC Server
```yaml
services:
  traefik:
    image: traefik:v2.9
    container_name: traefik
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      # (Optional) Expose Dashboard
      # - "8080:8080" # Don't do this in production!
    volumes:
      - ./traefik:/etc/traefik
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - "traefik"

  wireguard-tunnel-server:
    image: ghcr.io/digitallyrefined/docker-wireguard-tunnel:v3
    container_name: wireguard-tunnel-server
    environment:
      # Update to your domain
      - DOMAIN=wireguard-tunnel.example.com
      # Number of peers to auto generate config for
      - PEERS=1
      # Services to expose format (comma-separated)
      # SERVICES=peer-id:peer-container-name:peer-container-port:expose-port-as
      - SERVICES=peer1:jellyfin:8096:8096
    cap_add:
      - NET_ADMIN
    volumes:
      - ./wireguard/config:/etc/wireguard
    restart: unless-stopped
    ports:
      - '51820:51820/udp'
    networks:
      - "traefik"
    labels:
      # Boolean-looking values are quoted so Compose treats them as strings
      traefik.enable: "true"
      traefik.http.routers.nginx.entrypoints: web,websecure
      traefik.http.routers.nginx.rule: Host(`jellyfin.example.com`) # Update to your domain
      traefik.http.routers.nginx.tls: "true"
      traefik.http.routers.nginx.tls.certresolver: production
      traefik.http.services.nginx.loadbalancer.server.port: 8096

networks:
  traefik:
    external: true
```
```yaml
global:
  checkNewVersion: false # handled by watchtower
  sendAnonymousUsage: false # true by default

# (Optional) Log information
# ---
log:
  level: WARNING #ERROR # DEBUG, INFO, WARNING, ERROR, CRITICAL
  # format: common # common, json, logfmt
  # filePath: /var/log/traefik/traefik.log

# (Optional) Accesslog
# ---
# accesslog:
#   format: common # common, json, logfmt
#   filePath: /var/log/traefik/access.log

# (Optional) Enable API and Dashboard
# ---
api:
  dashboard: false # true by default
  debug: false
  insecure: false # Don't do this in production!

# Entry Points configuration
# ---
entryPoints:
  web:
    address: :80
    # (Optional) Redirect to HTTPS
    # ---
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          priority: 1000
  websecure:
    address: :443

ping:
  entryPoint: web

# Configure your CertificateResolver here...
# ---
certificatesResolvers:
  staging:
    acme:
      email: my-email@example.com # Change me!
      storage: /etc/traefik/certs/acme.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      httpChallenge:
        entryPoint: web
  production:
    acme:
      email: my-email@example.com # Change me!
      storage: /etc/traefik/certs/acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      httpChallenge:
        entryPoint: web

# Disables certificate verification for HTTPS backends; the Jellyfin backend
# in this setup is reached over plain HTTP on port 8096
serversTransport:
  insecureSkipVerify: true

providers:
  docker:
    exposedByDefault: false # Default is true
  file:
    # watch for dynamic configuration changes
    directory: /etc/traefik
    watch: true
```

Home Server
```yaml
services:
  wireguard-tunnel-peer:
    image: ghcr.io/digitallyrefined/docker-wireguard-tunnel:v3
    container_name: wireguard-tunnel-peer
    environment:
      # Note that DOMAIN & PEERS are not required for the peer
      # Services to expose format (comma-separated)
      # SERVICES=peer-id:peer-container-name:peer-container-port:expose-port-as
      - SERVICES=peer1:jellyfin:8096:8096
    cap_add:
      - NET_ADMIN
    volumes:
      - ./config:/etc/wireguard
    restart: unless-stopped
    links:
      - jellyfin

  jellyfin:
    image: jellyfin/jellyfin:latest
    container_name: jellyfin
    user: 1000:1000
    restart: unless-stopped
    volumes:
      - ./jellyfin/config:/config
      - ./jellyfin/cache:/cache
      - ./jellyfin/media:/media
    # See notes on hardware accelerated transcoding
    devices:
      - "/dev/dri:/dev/dri"
    environment:
      - TZ=Etc/UTC # Change me!
      - DOCKER_MODS=linuxserver/mods:jellyfin-opencl-intel
```

However, you might want to consider using a service like Tailscale if you don't want to expose it directly to the internet.
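
An added example (not part of the reply above or of the project's code): a small Python check that the Traefik labels on the tunnel server container agree with its `SERVICES` entry, because a load-balancer port that no `SERVICES` entry exposes leaves Traefik forwarding to a port where nothing listens. The function names and sample values are constructed for illustration.

```python
# Added example: cross-check docker-wireguard-tunnel SERVICES against Traefik labels.
# Function names and sample values are constructed for illustration.

def parse_services(value):
    """Parse 'peer-id:peer-container-name:peer-container-port:expose-port-as,...'."""
    entries = []
    for item in filter(None, (s.strip() for s in value.split(","))):
        parts = item.split(":")
        if len(parts) != 4:
            raise ValueError(f"expected 4 colon-separated fields: {item!r}")
        peer, container, src, dst = parts
        for port in (src, dst):
            if not port.isdigit() or not 1 <= int(port) <= 65535:
                raise ValueError(f"invalid port {port!r} in {item!r}")
        entries.append({"peer": peer, "container": container,
                        "peer_port": int(src), "exposed_port": int(dst)})
    return entries


def check_labels(services_value, labels):
    """Return a list of findings for the tunnel *server* container's labels."""
    findings = []
    exposed = {e["exposed_port"] for e in parse_services(services_value)}
    if str(labels.get("traefik.enable", "")).lower() != "true":
        findings.append("traefik.enable is not 'true'; with exposedByDefault: false "
                        "Traefik ignores this container")
    suffix = ".loadbalancer.server.port"
    ports = {k: v for k, v in labels.items()
             if k.startswith("traefik.http.services.") and k.endswith(suffix)}
    if not ports:
        findings.append("no loadbalancer.server.port label set")
    for key, port in ports.items():
        if int(port) not in exposed:
            findings.append(f"{key}={port} is not an expose-port-as value "
                            f"in SERVICES ({sorted(exposed)})")
    return findings


# Constructed sample mirroring the VPC server config in the reply above.
SAMPLE_SERVICES = "peer1:jellyfin:8096:8096"
SAMPLE_LABELS = {
    "traefik.enable": "true",
    "traefik.http.routers.nginx.rule": "Host(`jellyfin.example.com`)",
    "traefik.http.services.nginx.loadbalancer.server.port": "8096",
}

if __name__ == "__main__":
    print(check_labels(SAMPLE_SERVICES, SAMPLE_LABELS) or "labels match SERVICES")
```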
-
I did some research to remove Tailscale. If I redirect port 51820 to my server but only for a specific IP address, does that seem OK to you in terms of security?
-
Hey, I've been trying for several days to pass my Jellyfin service through a WireGuard tunnel but it doesn't work... Here's my conf:
docker-compose.yml on host side
peer side
On all my tests, I have bad gateway or 404 errors. Nginx and Nginx-demo work perfectly :/