Where to run WireGuard for a Docker-based Mac mini media server

Jellyfin and Navidrome are running in Docker on ports 8096 and 4533, and remote devices need secure access to both services through . The intended setup would allow to send requests only to the media services and return their responses through the same protected route. Navidrome does not automatically punish repeated failed logins, so another tool such as Fail2Ban may be needed.

The main choice is whether to run inside Docker or install it directly on the server’s . Running it in Docker could limit access between services, but it may make and more complicated. A direct installation may be simpler, although its security boundaries need to be compared with Docker’s isolation.

Devices already on the home network should also remain able to reach the without using the remote connection.

Key points

  • Jellyfin uses port 8096, while Navidrome uses port 4533.
  • Remote requests and responses should travel only through .
  • Navidrome may need Fail2Ban to block repeated failed login attempts.
  • Putting in Docker may improve isolation but complicate .
  • Devices on the home network should keep their existing local access.
Read original