How to Fix Jellyfin Not Working With Tailscale Step by Step

Jellyfin, an open-source media server solution, offers users complete control over their digital content. It’s celebrated among enthusiasts who want an alternative to subscription-based media servers. Meanwhile, Tailscale, a VPN powered by WireGuard, allows simplifying private network creation using secure peer-to-peer connections. When both tools work together seamlessly, users can stream their personal media servers from anywhere in the world. However, sometimes setting up Jellyfin to work over Tailscale doesn’t go as planned. This guide breaks down the steps to diagnose and fix when Jellyfin isn’t working with Tailscale.

Understanding the Problem

When Jellyfin and Tailscale don’t work together as intended, several symptoms may arise:

• You can access Jellyfin locally but not over Tailscale.
• Tailscale is running fine on both devices, but the connection to the Jellyfin server fails or times out.
• Firewall or DNS resolution issues prevent remote access.

This step-by-step guide covers how to troubleshoot and correct these issues so that you can stream your media using Jellyfin over a secure Tailscale network effortlessly.

Step 1: Verify Device Connection in Tailscale

Ensure that both the Jellyfin server and the client device are connected to the same Tailscale network and can see each other.

1. Open Tailscale on both devices and verify they are logged in under the same account or network.
2. Check the Tailscale admin console at Tailscale Admin Panel to confirm your devices appear in the device list.
3. Ping the Jellyfin server device using its Tailscale IP from the client device. For example:
   ping 100.x.x.x

If the ping fails, there may be a routing or ACL (Access Control List) issue on Tailscale that’s preventing connectivity.

Step 2: Check Jellyfin’s Listening IP and Port

Next, ensure that Jellyfin is listening for traffic on the correct IP address, especially one accessible by the Tailscale network.

1. On the machine running Jellyfin, navigate to the Jellyfin dashboard via http://localhost:8096.
2. Go to Dashboard » Networking.
3. Check the Bind Address. It should be:
   • 0.0.0.0 to accept traffic on all interfaces (including the Tailscale interface).
   • Or set specifically to your machine’s Tailscale IP (e.g. 100.x.x.x)

Also, ensure Jellyfin is using the expected ports (by default, 8096 for HTTP and 8920 for HTTPS if configured).

Step 3: Examine Your OS Firewall Rules

In many cases, a device’s built-in firewall may be blocking traffic from Tailscale peers. You need to ensure that connections to Jellyfin’s ports are allowed.

For Linux users (iptables or ufw enabled):

sudo ufw allow from 100.0.0.0/8 to any port 8096

For Windows users:

Go to Windows Firewall settings and add an inbound rule allowing the Tailscale IP range (100.0.0.0/8) for ports 8096 and 8920.

Step 4: Confirm Localhost Binding Isn’t Blocking Remote Access

If Jellyfin is only listening on localhost or 127.0.0.1, remote devices, including those connected through Tailscale, won’t be able to access the server.

To test:

1. Run this command on the Jellyfin server:

   netstat -tulnp | grep 8096

2. If it returns 127.0.0.1:8096, then it’s restricted to localhost. You’ll need to edit Jellyfin’s configuration file typically located at:
   
   /etc/jellyfin/networking.json or ~/.config/jellyfin

Change the bind address to 0.0.0.0 and restart the Jellyfin service:

sudo systemctl restart jellyfin

Step 5: Use Tailscale’s MagicDNS

If you’re trying to access Jellyfin using hostnames rather than Tailscale IPs, you can take advantage of MagicDNS to resolve device names internally.

1. Enable MagicDNS from the Tailscale admin dashboard.
2. Ensure both devices have MagicDNS enabled in their respective Tailscale apps.
3. Now try loading Jellyfin using the device name, for example:
   http://jellyfin-server-name.tailnet-yourname.ts.net:8096

Step 6: Test Jellyfin Remotely via Tailscale

Now that the networking setup has been corrected, test access from a different device on a separate network (such as a mobile phone on cellular data):

• Open your browser or Jellyfin app.
• Enter the connection URL using:
  
  http://tailscale-IP:8096 or http://device-name.tailnet.ts.net:8096

If you’re still unable to connect, double-check:

• No ISP or carrier firewall blocking connections.
• All devices have an active Tailscale connection.

Step 7: Set Up HTTPS (Optional)

While Jellyfin does function using HTTP over Tailscale, you may wish to set up HTTPS for a more secure experience, especially on public devices.

There are two ways to do this:

1. Enable HTTPS directly in Jellyfin, providing your own SSL certificate and key.
2. Use a reverse proxy like Caddy or Nginx, configured to terminate SSL on the Tailscale address.

FAQs

• Q: Is it safe to expose Jellyfin over Tailscale compared to port forwarding?
  
  A: Yes, Tailscale offers peer-to-peer, encrypted connections and is inherently more secure than traditional port forwarding.
• Q: Can I use Tailscale on a Raspberry Pi running Jellyfin?
  
  A: Absolutely. Both Jellyfin and Tailscale work well on Raspberry Pi. Ensure PiOS firewall settings allow connections from Tailscale peers.
• Q: What if MagicDNS isn’t resolving my device names?
  
  A: Make sure all devices have MagicDNS enabled, and there are no local DNS overrides blocking Tailscale entries.
• Q: Do I need a Tailscale subscription for these features?
  
  A: Core functionality, including MagicDNS and device routing, is available on the free plan. Advanced ACLs and sharing may require a paid tier.
• Q: Can I share access to Jellyfin over Tailscale with family?
  
  A: Yes, you can share your Tailscale network or use Tailscale’s “device sharing” to give limited access to trusted users.

Setting up Jellyfin to work over Tailscale isn’t overly complex if you follow these key troubleshooting steps. Once configured, the combination provides a truly powerful, secure, and private media experience accessible from virtually anywhere.