Ideally keep it behind a VPN and give your family members access to it that way, and let local devices on your LAN connect to it without a VPN.
But I'm not all about getting something like Tailscale to work with my elderly mother's Roku device, nor teaching her how to use it.
I dunno if Tailscale works on Roku but otherwise that would indeed be entirely viable too, last I saw Jellyfin’s app on there is really good. Likely need a server powerful enough to transcode, though, lots of (all?) Roku devices don’t have hardware decoding for newer codecs like h.265. That’s one big benefit of an Apple TV, it can hardware decode damn near everything.
Y'all (collectively) have some good ideas.
But she likes the Roku. She's even got silicone skins for the remotes (plural; spares!), and two of them are tethered near the chairs that her and dad tend to sit in.
Also: The Roku stuff already exists, and is paid for, and it works with Plex (without a VPN, because my local Plex container didn't come with the caveat to avoid exposing it to the world).
Buying them one or more Apple TV devices to use instead seems expensive and likely to fail somehow.
Switching them to (cheap? Linux?) PCs also sounds expensive and bad, particularly with my dad. He's certainly had more years to learn how to use a computer than I have, but he's spent most of the recent decades deliberately avoiding them. He hates them, and he doesn't want to learn them. He'd fall apart and give up on television entirely if I gave him a PC with a slick Logitech K400 to run it with. (He can drive a Roku with YouTube TV and Plex like a pro, but that's mostly only a D-pad and a back button.)
---
But since you and others have mentioned it: Transcoding. That's really not a big problem for many vaguely-recent PCs. With Plex, at least: The quite old i7-6700k desktop box I use for this transcodes to h.264 like a beast using its paltry iGPU, and does h.265 just fine with an old NVIDIA RTX 2080 if I elect to use that instead. Either way works well and never breaks a sweat.
It may have been a powerful machine a decade ago, but a used computer with a 6700k (or so) to serve media with is cheap these days. (And a brand-new power-sipping N150 box does transcoding waaaay better, even in credit-card form factor.)
If their router supports it, configure the VPN there so it's available for the entire network.
Set up a Raspberry Pi (or similar) on their network that is configured with the VPN and runs a reverse proxy to expose the Jellyfin instance.
But yeah, either of those is going to increase your support burden.
By the way, I switched from Jellyfin to plain SMB + Nova Player (Android), which has basically the same interface, but no user profiles, and works over SMB, obviously. No transcoding, best format support, and best performance for large files I've found yet for my TCL Android TV.
One thing is when it can’t see the server it doesn’t just say it can’t see it, it acts like the issue is you’re not logged in and then when you log in (having to type your password manually each time, on a TV) it then fails.
This is only really diagnosable if you can access both the client and server and is a complete failure and very tedious experience if you only have client access.
Feels like I experience this at least once a month so couldn’t ever set this up for family members remotely.
Just mind your ACLs
"Bothering" with client-side password hashing, in the absence of TLS, is security theater. It provides only the most trivial protection against eavesdroppers.
If someone can steal an unhashed password, then they can also steal whatever hash you send instead. If you try to fix this with some kind of ad-hoc challenge-response protocol, then the attacker can just steal your session cookie after login.
There shouldn't even be a question of using insecure HTTP for anything that requires authentication.
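The argument in the comment above, as an added in-process simulation (not code from the thread or from Jellyfin): it checks what a passive observer of a cleartext HTTP login can reuse under client-side hashing and under a nonce-based challenge-response. The password, function names and both login schemes are constructed for illustration; nothing touches the network.

```python
import hashlib, hmac, secrets

# Constructed demo state for a hypothetical login service reached over plain HTTP.
PASSWORD = "correct horse battery staple"
STORED = hashlib.sha256(PASSWORD.encode()).hexdigest()  # server keeps H(password)
SESSIONS, NONCES = set(), set()

def _new_session():
    cookie = secrets.token_hex(16)
    SESSIONS.add(cookie)
    return cookie

def login_static(wire_hash):
    """Scheme 1: the client sends H(password) instead of the password."""
    return _new_session() if hmac.compare_digest(wire_hash, STORED) else None

def issue_nonce():
    nonce = secrets.token_bytes(16)
    NONCES.add(nonce)
    return nonce

def login_challenge(nonce, wire_response):
    """Scheme 2: the client sends HMAC(H(password), nonce); each nonce is single-use."""
    if nonce not in NONCES:
        return None
    NONCES.discard(nonce)
    expected = hmac.new(STORED.encode(), nonce, hashlib.sha256).hexdigest()
    return _new_session() if hmac.compare_digest(wire_response, expected) else None

def authorized(cookie):
    return cookie in SESSIONS

def replay_results():
    """Return (hash replay works, challenge response replay works, cookie replay works)."""
    client_key = hashlib.sha256(PASSWORD.encode()).hexdigest()

    # Scheme 1: the bytes on the wire are the hash itself, so they act as the password.
    login_static(client_key)
    hash_replay = login_static(client_key) is not None

    # Scheme 2: the observed response is bound to a spent nonce, so it is rejected...
    nonce = issue_nonce()
    response = hmac.new(client_key.encode(), nonce, hashlib.sha256).hexdigest()
    cookie = login_challenge(nonce, response)
    response_replay = login_challenge(nonce, response) is not None

    # ...but the session cookie returned in cleartext is still a bearer credential.
    return hash_replay, response_replay, authorized(cookie)

if __name__ == "__main__":
    print(replay_results())
```

Only transport encryption removes the last case, since the cookie has to cross the wire on every request after login.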
Filtering out unsophisticated attackers I would not classify as "theater".
Read this, and let me know if the implications of port forwarding your server (or putting it on IPv6) are readily apparent:
https://jellyfin.org/docs/general/post-install/networking/#s...
A lot of these users are not very sophisticated themselves. The least sophisticated attackers are likely to be the most numerous.
This is bad. People who say it's not bad (or worse, suggesting anyone dumb enough to publicly expose their server without TLS) are engaging in security snobbery.