All systems operational 21 cryptocurrencies accepted · Monero welcome No-KYC policy
ChainVPS

Media · no KYC

Host Jellyfin on an Offshore VPS

Run a fully self-hosted Jellyfin media server on an offshore, no-KYC VPS and stream your library from anywhere without a subscription or an account tied to your identity.

What it is

Jellyfin is a free, open-source media server that organizes and streams your movies, TV, music, and photos to any device through a web browser or native apps. Unlike commercial platforms it has no license keys, no telemetry, and no cloud dependency — you own the server and the data.

Why host it offshore

Hosting Jellyfin on a no-KYC, crypto-paid VPS keeps your media library and viewing habits off any provider's identity records, and offshore privacy-tier jurisdictions add legal distance from data-retention regimes. Unmetered bandwidth means large libraries and multiple remote streams don't rack up per-gigabyte transfer bills the way they would on a mainstream cloud.

The deploy

A working reference setup

Copy this onto a fresh ChainVPS instance. Replace the placeholders, then bring it up.

docker-compose.yml
# 1. Create data directories on the host
#   mkdir -p /srv/jellyfin/{config,cache} /srv/media
#
# 2. Save this as /srv/jellyfin/docker-compose.yml and run:  docker compose up -d
#   Web UI is then reachable on http://SERVER_IP:8096 (put a reverse proxy + TLS in front for production)

services:
  jellyfin:
    image: jellyfin/jellyfin:latest
    container_name: jellyfin
    user: "1000:1000"          # run as an unprivileged host user that owns the volumes
    restart: unless-stopped
    ports:
      - "8096:8096"            # HTTP web interface / API
      - "8920:8920"            # optional HTTPS (only if you terminate TLS in the container)
      - "7359:7359/udp"        # optional LAN client auto-discovery
      - "1900:1900/udp"        # optional DLNA
    volumes:
      - /srv/jellyfin/config:/config
      - /srv/jellyfin/cache:/cache
      - /srv/media:/media:ro   # your library, mounted read-only for safety
    environment:
      - TZ=Europe/Amsterdam
    # For Intel/AMD hardware transcoding (VAAPI), also add:
    # devices:
    #   - /dev/dri:/dev/dri

Firewall

Ports to open

PortProtocolPurpose
8096TCPPrimary HTTP web UI and API — the only port you normally expose (behind a TLS reverse proxy)
8920TCPOptional built-in HTTPS if you let Jellyfin terminate TLS instead of a proxy
7359UDPOptional LAN client auto-discovery — leave closed on a public VPS
1900UDPOptional DLNA/SSDP — leave closed on a public VPS

Right-sizing

Which plan you need

Light

VPS Small (2 vCPU / 4 GB)

1-2 direct-play streams, no transcoding — files play as-is. Fine for a personal library streamed to modern clients.

Medium

VPS Pro (4+ vCPU / 8 GB)

A few simultaneous 1080p software transcodes. CPU is the bottleneck; more cores = more concurrent transcodes.

Heavy

GPU VPS or Dedicated (+ Storage plan for the library)

4K and many concurrent transcodes: add a GPU for NVENC/QSV/VAAPI hardware transcoding, and pair with a Storage plan when the library outgrows local NVMe.

Best locations: Any of the 15 locations work, but for a private media server the six privacy-tier jurisdictions (NL, CH, RO, IS, MD, LU) are the best fit: Switzerland and Iceland for the strongest data-protection posture, and the Netherlands and Romania for high-throughput European peering that keeps remote streaming smooth on unmetered links. Pick the location closest to where you actually watch to minimize latency and transcode buffering.

Lock it down

Hardening checklist

  • Never expose port 8096 raw to the internet — put Nginx/Caddy in front with a valid TLS certificate so credentials and streams are encrypted, and only publish the HTTPS endpoint.
  • In Jellyfin Dashboard > Networking, disable 'Enable automatic port mapping (UPnP)' and turn off remote DLNA; mount your media volume read-only (:ro) as shown so a compromised container can't alter source files.
  • Create a dedicated non-admin user for daily streaming and reserve the admin account for configuration; enable the built-in brute-force/failed-login protection and use long, unique passwords.
  • Keep the container on a pinned/updated image and run `docker compose pull && docker compose up -d` on a schedule — Jellyfin ships frequent security fixes; the unprivileged user:"1000:1000" mapping limits blast radius.
  • Front the server with the included DDoS protection and consider restricting the admin/dashboard path by IP allowlist or a VPN, so only the public streaming endpoint is reachable.

Questions

Hosting Jellyfin — FAQ

Do I need a GPU to run Jellyfin?

No. If your clients can direct-play your files (matching codec/container), Jellyfin just streams them and CPU load is minimal. A GPU only matters for hardware transcoding when clients need a different format or resolution — for 4K or many concurrent transcodes, a GPU plan is a large efficiency win over software transcoding.

Will unmetered bandwidth really cover a media server?

Yes — that's the point of running it here. Remote streaming is bandwidth-heavy (a 1080p stream can run 8-15 Mbps), and on metered clouds that turns into surprise transfer bills. ChainVPS unmetered links let you stream a large library to multiple devices without per-gigabyte charges.

Where do I store a library too big for the VPS disk?

Pair the compute plan with a Storage plan and mount it as your /media volume, or attach block storage. Keep the Jellyfin /config and /cache on fast NVMe for a responsive UI, and put the bulk media on the larger, cheaper storage tier.

Is running Jellyfin here private?

Jellyfin itself sends no telemetry and needs no account with any vendor. Combined with no-KYC signup, crypto payment, and an offshore privacy-tier location, there's no identity record linking you to the server or its contents. Always add TLS so the stream between you and the server is encrypted in transit.

How do I keep it updated safely?

Because it's a single container, updates are `docker compose pull && docker compose up -d`. Your data lives in the mounted /config and /media volumes, so pulling a new image doesn't touch your library or settings. Back up the /config directory periodically to preserve metadata and user accounts.

Spin up Jellyfin
in the next 60 seconds.

Unmetered bandwidth · DDoS included · 21 cryptocurrencies · no KYC.