Jellyfin works beautifully on the sofa and then you leave the house and the app says it can't find the server :)
Remote access is the one part of self-hosting Jellyfin that has no single right answer, so instead of pretending there's one, here are the four setups that work, ranked by how much I trust them, plus Quick Connect and phone setup at the end since those questions always come together.
One mental model first.... Your Jellyfin server address has two versions: the local one (something like http://192.168.1.20:8096) that only works on the same network, and a public one that works anywhere. Every method below is a different way of creating that public address. If your server already lives on a VPS rather than in your closet, you were born with one; skip to the reverse proxy section, since exposing it properly is the whole game there.
Option 1: a VPN like WireGuard or Tailscale (safest)
A VPN puts your phone or laptop virtually inside the home network, so the local address keeps working from anywhere. Nothing about Jellyfin gets exposed to the internet, which means the server's login page never meets the credential-stuffing bots. Tailscale is the ten-minute version (an account, an app on the server, an app on the phone, done) and plain WireGuard is the no-third-party version; we've covered the pattern in our Tailscale remote access guide and it transfers to Jellyfin unchanged.
The trade-off: everyone who watches needs the VPN app installed and running. Fine for you, harder to sell to the relatives streaming on a smart TV. VPN is my answer for personal access and admin work, rarely for the whole family.
Option 2: Reverse proxy with a domain and HTTPS (the proper public setup)
This is the setup that scales past your own devices: a domain name pointing at your server, with Caddy or Nginx in front of Jellyfin terminating HTTPS on port 443 and forwarding to 8096 internally. Clients connect to https://jellyfin.example.com, certificates come free from Let's Encrypt and every Jellyfin app on any platform accepts that address without ceremony.
Caddy earns my recommendation for this because the entire config is two lines:
jellyfin.example.com {
reverse_proxy 127.0.0.1:8096
}
Certificates issue and renew themselves. The Nginx equivalent takes thirty lines and a certbot timer, and it's the road most tutorials take; our Nginx reverse proxy walkthrough shows the pattern if you're already an Nginx shop. Either way, once the proxy handles the public side, close direct access to 8096 from the internet in your firewall so the proxy is the only door. Which ports do what, and which to leave shut, is covered in the Jellyfin ports guide.
On a home connection you'll also need a DNS record that follows your changing IP (dynamic DNS) and a router that port-forwards 80 and 443. On a VPS none of that exists: the IP is static, the record is set once and you can check propagation with a DNS checker and be done. That difference is most of why my own Jellyfin moved off the home NAS; a small Jellyfin VPS with the 1-click template gave it a public address with none of the router archaeology.
Option 3: Plain port forwarding (works, but naked)
Forward external port 8096 to the server in your router and the public address is http://YOUR_HOME_IP:8096, which you can find with a what's-my-IP tool. It works in five minutes and I'd still talk you out of it as a permanent setup: no HTTPS means credentials and your viewing travel in plain text, and the login page sits exposed. As a temporary bridge while you build option 2, fine. Enable it, watch the auth logs fill with strangers' attempts, and let that motivate the upgrade.
Option 4: Tunnels for the CGNAT crowd
Some ISPs (mobile internet, many fiber providers) put you behind CGNAT, where no amount of port forwarding helps because you don't have a public IP at all. Tunnels punch out from inside: Cloudflare Tunnel is the famous one, with a real terms-of-service catch for media streaming that deserves its own discussion, which it gets in our Cloudflare Tunnel for Jellyfin guide. The self-hosted alternative is renting a tiny VPS and running WireGuard from home to it, using the VPS's public IP as your front door. More moving parts, zero third-party terms to violate.
Quick Connect, and what it is not
Quick Connect solves a different problem than people think. It's not remote access; it's easy login on devices where typing passwords hurts. Enable it in Dashboard » General, then when a TV app offers "Quick Connect" it shows a six-digit code; open Jellyfin on a device where you're already signed in, go to your user Settings » Quick Connect, enter the code and the TV logs in. The TV still needs to reach the server address by one of the four methods above. No route to the server, no Quick Connect.
Connecting your phone once it's public
Install the official Jellyfin app (Android, iOS), open it and enter the full server address including scheme and port: https://jellyfin.example.com for a proxied setup, or http://IP:8096 for the raw ones. The classic failure is typing the bare domain and missing that the app defaults to trying port 8096 on it; with a reverse proxy on 443, spell the https:// out and it connects first try. Sign in, and if typing the password on the phone annoys you too, that's Quick Connect's actual job.
Wherever you land, the ranking holds: VPN for yourself, reverse proxy for the household, forwarding only as scaffolding and tunnels when the ISP forces your hand.
The half-hour spent on option 2 is the last time you think about any of this.

