This post is part of the Self-Hosting Without Pain series
A real-world guide to running Immich, Nextcloud, Jellyfin, and more using Cloudflare, Tailscale, and Proxmox — without broken uploads, buffering, or exposed ports.
I love Jellyfin. Self-hosted streaming is amazing — no subscriptions, no corporate “features,” just your media, your rules.
But the first time I tried to expose Jellyfin over Cloudflare Tunnel, I learned a harsh lesson:
“Oh… right. Cloudflare doesn’t like streaming.”
Buffering. Range request errors. Random disconnects. My 4K movies suddenly felt like dial-up.
So I had two options:
- Open ports to the internet (nope).
- Rethink my architecture.
Option 2 won.
Why Cloudflare Tunnel breaks streaming
Cloudflare Tunnel is a reverse proxy. It’s perfect for dashboards, APIs, and websites. But video streaming is different:
- Streaming clients rely on range requests to pull chunks of video
- Long-lived connections are sensitive to timeouts
- Adaptive bitrate streaming constantly opens new connections
Cloudflare adds an extra layer between your server and the client. Every byte has to go through a proxy. For large media files, this is a recipe for buffering nightmares.
The principle that saves everything
Just like Immich and Nextcloud:
Split public vs private traffic.
- Cloudflare → Landing pages, image sharing
- Tailscale → Streaming, admin, transcoding, uploads
Once you separate them, Jellyfin behaves perfectly — fast, reliable, and fully private.
The Jellyfin + Proxmox + Tailscale setup
This is exactly how I configured mine:
Public Access Layer (optional)
- A landing page like
https://media.example.xyz - Shows a “login” or “catalog” page
- Used only for informational purposes, not for actual streaming
Private Access Layer (Tailscale)
- Tailscale installed on Proxmox host as a subnet router
- Jellyfin VM reachable via Tailscale IP or MagicDNS
- Used for:
- Streaming from desktop or mobile app
- Admin tasks (dashboard, library management)
- Uploading media to the library
Control Plane (Proxmox)
- One install of Tailscale on Proxmox is enough
- Every VM is automatically part of your private network
- No need to expose Jellyfin to the public internet
Real-world results
After switching Jellyfin to this architecture:
- 4K movies stream instantly over Wi-Fi or mobile
- No buffering or dropped connections
- No Cloudflare configuration tweaks required
- Admin interface loads reliably
- Security stays tight — no ports open, WireGuard encryption everywhere
And the best part? It scales naturally. Add a new device, add it to the Tailscale network, done.
Optional public links
If you want some public access:
- Keep a landing page on Cloudflare
- Or a read-only public share
- All actual playback goes over Tailscale
This preserves the “share without exposing the server” model.
Why this approach is better than opening ports
Opening ports to your Jellyfin VM is tempting, but:
- Exposes your server to the internet
- Forces you to manage SSL certificates manually
- Breaks easily if your ISP changes IPs
- Can make your home network vulnerable
Tailscale + Proxmox eliminates all of that, while keeping optional public links for friends/family.
TL;DR: Jellyfin series principle
- Cloudflare Tunnel → visibility only
- Tailscale → everything that matters
- Proxmox → centralized control
Once you split traffic like this, streaming becomes solid again — which is exactly what you want.
Up next in the series:
- Immich Upload Limit Fix: Cloudflare Tunnel + Tailscale on Proxmox (Best Practice)
- Nextcloud, Cloudflare, and Tailscale: How I Finally Stopped Fighting Upload Limits
Mohammad Dahamshi is a skilled Embedded Software Engineer and web developer. With experience in C/C++, Linux, WordPress, and DevOps tools, he helps businesses solve technical challenges and build reliable digital solutions. Fluent in Arabic, Hebrew, and English, he also runs Saratec, offering web design and digital marketing services.
[…] Up next in the series:– Immich Upload Limit Fix: Cloudflare Tunnel + Tailscale on Proxmox (Best Practice)– Jellyfin, Cloudflare, and Tailscale: Stop Buffering and Streaming Headaches […]
[…] ➡️ Jellyfin deep dive → […]