Secure Remote Media Server Setup
Table of Contents
- Introduction
- Requirements
- Wake-on-LAN (WOL)
- Jellyfin Setup
- WireGuard VPN Setup
- Testing
- Troubleshooting
Introduction
In this guide, I will walk you through setting up a secure remote media server using:
- Wake-on-LAN (WOL) – remotely power on your Debian machine
- Jellyfin – free, open-source media streaming
- WireGuard VPN – secure encrypted access to your server
This setup allows you to:
- Wake up your server from anywhere
- Access Jellyfin securely from your phone
- Stream content exactly as if you were on your home network
- Avoid exposing sensitive services directly to the internet
Requirements
Before you begin, make sure you have:
- A Debian-based server
- A home router with NAT/PAT support
- An Android smartphone
- Basic terminal knowledge
Wake-on-LAN (WOL)
Step 1 — Enable WOL in the BIOS
Look for options such as:
- Wake on LAN
- Power on by PCI-E
- Resume by LAN
Enable the appropriate setting.
Step 2 — Enable WOL on Debian
Install ethtool:
sudo apt install ethtoolEnable WOL on your network interface:
sudo ethtool -s eth0 wol g(Replace eth0 with your actual interface using ip link.)
Step 3 — Make WOL Persistent
Create /etc/systemd/system/wol.service:
[Unit]
Description=Wake-on-LAN configuration
After=network.target
[Service]
Type=oneshot
ExecStart=/sbin/ethtool -s eth0 wol g
[Install]
WantedBy=multi-user.targetEnable the service:
sudo systemctl enable wolStep 4 — Configure Router & Mobile App
On your router:
- Assign a static DHCP lease
- Forward UDP 9 → port 9 of the server
On Android (app: Wake On LAN – by MR-Webb):
- Name: any label
- Group: Bookmarked
- MAC address: server NIC MAC
- Broadcast/Host: server LAN IP
- Public IP: router’s WAN IP
- Port: 9
Installing and Configuring Jellyfin
Step 1 — Install Jellyfin
curl https://repo.jellyfin.org/install-debuntu.sh | sudo bash
sudo systemctl enable jellyfin
sudo systemctl start jellyfinStep 2 — Access the Web Interface
Navigate to:
http://YOUR_SERVER_IP:8096Follow the setup steps:
- Create your account
- Add media libraries (Movies, Series, Music, etc.)
!!! Warning: Do NOT expose Jellyfin directly to the internet !!!
Always place Jellyfin behind a VPN such as WireGuard.
WireGuard VPN Setup
Step 1 — Install WireGuard
sudo apt install wireguardInstall the official Android app:
WireGuard – WireGuard Development Team
Step 2 — Generate Keys
Server keys:
wg genkey | tee server_private.key | wg pubkey > server_public.keyPhone keys:
wg genkey | tee phone_private.key | wg pubkey > phone_public.keyDisplay keys:
cat server_private.key
cat server_public.key
cat phone_private.key
cat phone_public.keyNever share private keys.
Step 3 — Configure /etc/wireguard/wg0.conf
Example VPN subnet:
- VPN network:
10.10.0.0/24 - Server:
10.10.0.1 - Phone:
10.10.0.2
[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s31f6 -j MASQUERADE; ip6tables -A INPUT -p udp --dport 51820 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s31f6 -j MASQUERADE; ip6tables -D INPUT -p udp --dport 51820 -j ACCEPT
SaveConfig = true
[Peer]
PublicKey = <PHONE_PUBLIC_KEY>
AllowedIPs = 10.10.0.2/32Replace enp0s31f6 with your interface name.
Step 4 — Enable IP Forwarding
echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/99-wireguard.conf
sudo sysctl --systemStep 5 — Configure Router Port Forwarding
Forward:
- UDP 51820 → server LAN IP
Step 6 — Start WireGuard
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
sudo wgStep 7 — Configure WireGuard on Android
[Interface]
PrivateKey = <PHONE_PRIVATE_KEY>
Address = 10.10.0.2/32
DNS = 1.1.1.1
[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = YOUR_PUBLIC_IP:51820
AllowedIPs = 192.168.1.0/24, 10.10.0.0/24
PersistentKeepalive = 25Step 8 — Generate QR Code (Optional)
sudo apt install qrencode
qrencode -t ansiutf8 < phone.confScan it directly in the WireGuard app.
Testing the Setup
- Send WOL packet from your phone
- Wait for the Debian server to boot
- Activate WireGuard tunnel on your phone
- Open Jellyfin via LAN IP:
http://192.168.1.50:8096(Replace with your own server IP)
Troubleshooting
Common issues:
- Incorrect router port forwarding
- Wrong key pasted in configs
- Firewall blocking VPN traffic
UFW Firewall Configuration (if applicable)
Allow WireGuard:
sudo ufw allow 51820/udpAllow VPN subnet:
sudo ufw allow from 10.10.0.0/24Add NAT rules in /etc/ufw/before.rules before *filter:
# WireGuard NAT masquerading
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.0.0/24 -o enp0s31f6 -j MASQUERADE
COMMITEnsure forwarding rules are present:
-A ufw-before-forward -i wg0 -j ACCEPT
-A ufw-before-forward -o wg0 -j ACCEPTRestart UFW:
sudo ufw disable
sudo ufw enable