How safe is media server remote access through ngrok? (I'm behind a CGNAT)

DeS_2002

Idk if this belongs here, but I hope you people can help me.

 

So I have a Jellyfin media server (Jellyfin is the open source version of Emby, basically like Plex but everything is free).

 

And I have it all set up for local streaming and it works awesome.

 

I want to stream the media remotely, outside of my home LAN, and to do that I know I have to set up port forwarding and enable remote access.

 

But the problem is my ISP puts me behind a CGNAT (carrier grade network address translation layer, like another router or series of routers on my way to the internet).

 

So my public IP (which is dynamic, and which is the IP that I get when I go to websites like https://whatismyipaddress.com/) is not the WAN IP I put in my router (I don't have a modem, my ISP gives every user in my neighborhood a direct ethernet cable to their house, so it's not like my modem has a public IP).

 

Which means, as far as I understand, port forwarding on my router won't do anything to make my localhost visible to the internet, because there are other NATs between my router and the internet and those routers won't know where to send the traffic unless the ports were forwarded on those routers too.

 

My ISP charges insane rates for public IPs and static public IPs so that isn't really an option. 

 

So what I just set up is ngrok, which from what I understand tunnels traffic on a specific TCP port, which I set to the port that Jellyfin uses, and I can access it from outside my LAN, and it's working for now.

 

It's over HTTP, should I set up HTTPS with self-signed certificates?

 

How secure is what I'm doing right now?

 

Can my PC be compromised if someone gets access to the server in some way?

I have very secure passwords for the media server accounts, do they help in any way?

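The comparison described in the post above (the router's WAN address versus the address a "what is my IP" site reports), as an added example that is not part of the original thread. The function names and the sample addresses are constructed for illustration; the address ranges are the RFC 6598 shared space used for carrier-grade NAT and the RFC 1918 private ranges.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")

# RFC 1918 private ranges; some ISPs use these on the customer-facing side.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def classify_wan(wan_ip: str, public_ip: str) -> str:
    """Classify the router's WAN address against the address seen from outside.

    wan_ip    -- address shown on the router's WAN/status page
    public_ip -- address reported by an external "what is my IP" service
    """
    wan = ipaddress.ip_address(wan_ip)
    pub = ipaddress.ip_address(public_ip)

    if wan == pub:
        # The router itself holds the public address.
        return "public"
    if wan in CGNAT_NET:
        # ISP hands out shared-space addresses and translates upstream.
        return "cgnat-shared-space"
    if any(wan in net for net in RFC1918_NETS):
        # Another NAT layer sits between this router and the internet.
        return "private-upstream-nat"
    # Addresses differ but the WAN side is not a known NAT range
    # (for example, traffic leaves through a VPN or proxy).
    return "mismatch"


def port_forward_can_work(wan_ip: str, public_ip: str) -> bool:
    """Port forwarding on the home router only helps if it owns the public IP."""
    return classify_wan(wan_ip, public_ip) == "public"


if __name__ == "__main__":
    # Constructed sample values (documentation and shared-space addresses).
    for wan, pub in [("100.72.14.9", "203.0.113.10"),
                     ("10.20.30.40", "203.0.113.10"),
                     ("203.0.113.10", "203.0.113.10")]:
        print(wan, pub, classify_wan(wan, pub), port_forward_can_work(wan, pub))
```
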

CGNATs can be a huge pain for inbound connections. I work for an ISP that does CGNAT, and it's a good way to make use of the limited amount of IPv4 addresses that are available to ISPs, but inbound is totally broken (on the upside, you're super safe behind one; good luck getting into any systems on a CGNAT). The only easy way to work around this, as you already found, is to have a service outside the CGNAT that you connect to remotely, which connects as a session in the outbound direction and works like a proxy to tunnel back into the network.

 

This does solve the issue; however, it does expose your device to remote access, so make sure you trust who you're using for this. My suggestion would be to segregate the device on your local network as much as possible and look into setting up a good intrusion prevention or detection system to watch for odd connections if you are worried about the security of local data (worst case, they get access to the server you have running the media center on and delete the data).

 

Most of the time you should be OK on HTTP. I ran my Emby server on HTTP for years before moving to HTTPS, and I would say to look into this when you can, as it's a good way to secure the system. But also keep remote users to limited access, and as a rule never log in as admin remotely on HTTP. Run local antivirus and firewalls on all other devices, and I would not lose any sleep over it.

 

 

Hope this helps.


6 hours ago, xhavest said:

CGNATs can be a huge pain for inbound connections. I work for an ISP that does CGNAT, and it's a good way to make use of the limited amount of IPv4 addresses that are available to ISPs, but inbound is totally broken (on the upside, you're super safe behind one; good luck getting into any systems on a CGNAT). The only easy way to work around this, as you already found, is to have a service outside the CGNAT that you connect to remotely, which connects as a session in the outbound direction and works like a proxy to tunnel back into the network.

 

This does solve the issue; however, it does expose your device to remote access, so make sure you trust who you're using for this. My suggestion would be to segregate the device on your local network as much as possible and look into setting up a good intrusion prevention or detection system to watch for odd connections if you are worried about the security of local data (worst case, they get access to the server you have running the media center on and delete the data).

 

Most of the time you should be OK on HTTP. I ran my Emby server on HTTP for years before moving to HTTPS, and I would say to look into this when you can, as it's a good way to secure the system. But also keep remote users to limited access, and as a rule never log in as admin remotely on HTTP. Run local antivirus and firewalls on all other devices, and I would not lose any sleep over it.

 

 

Hope this helps.

Thanks for the reply!

 

So I have a question, would using Plex here be a better option? 

 

Plex automagically works with certificate providers and gives users SSL certificates, and gives me that oh so wonderful lock icon for HTTPS when I run remote access the same way with ngrok.

I do not exactly understand how any of this works because I'm a networking noob, but here's an article that explains this better.

Would it be more secure if I use Plex for remote access, then?

Or rather is using Plex this way with https any less secure than, say if I had a static public IP and just forwarded ports from my router?


Using HTTPS for remote access is always better than plain HTTP, regardless of whether or not your ISP gives you a public IP, as it secures the communication between the server and the client (your remotely accessing device). If you use usernames and passwords to log into services outside your local LAN connections, I would never suggest you do it on HTTP if you can avoid it.

 

If Plex offers this and an easy-to-use solution, then yes, it would be the easier option. I use Emby, and it was a bit more hands-on to do the same thing, but I did not mind the extra work as it gave me more experience and knowledge of how it works.

Jellyfin does have SSL, but it's not automated like Plex, it seems, so it's really how you want to go about it.

Plex is more push-button, and with Jellyfin you might have to work at it a bit. The end result is the same; it will not really be more or less secure in terms of HTTPS access.
