I remember you were worried about your ISP messing things up for you, hence the VPN. I would recommend creating a “Virtual Machine” that does all of your downloading to whatever hard drive you’re using. That VM can have proton installed. Then, on your regular computer (not within the VM), you can host Jellyfin with no VPN involved, making it accessible at 192.168.0.xx.

I think this hits your goals without needing to expose Jellyfin to the Internet. Plus it has minimal technical complexity. Your downloading traffic will be VPN protected, but Jellyfin will still be accessible to your local network.
edit: You can set up a password for Jellyfin, protecting it from your internal threats.

edit2: You can use letsencrypt to create a certificate that picky clients will accept. Buy a domain, any domain, and configure the “A record” to point to 192.168.0.xx (your Jellyfin IP). Then tell your client to go to whatever domain you get, like “luigiliterallydidnothingwrongplzfree.com”, then the client will have to use the internet to ask DNS what the IP address is, but after that, it will just use your local network.

edit3: Since you just have the raspberry PI, instead of using a Virtual Machine, you could have 2 separate SD cards. One only has the downloader and VPN installed, the other only has Jellyfin installed (no VPN). Then swap as needed.

I’d be mindful about being so prescriptive with solutions like that. What works well for you may not work well for someone else. But I do appreciate your input! Maybe try sharing it with more “I statements”?

It’s a somewhat common thing with ADHD folks. As different parts of the brain start to fall asleep, there’s a sweet spot where our brains are finally balanced. In other words, our limited executive function has adequate energy to manage just the fraction of the brain that’s still awake.

I agree that straight up using Tailscale would likely be easier. But to answer your question, you’re looking to “push routes” because what you actually want to do is “route” but that’s kinda hard to Google haha. This looks maybe promising: https://forums.freebsd.org/threads/wireguard-how-to-route-another-subnet-through-it.89744/

This approach largely works, with the caveat that it then requires you to always be on the tailnet. If someone wants to connect locally AND via tailnet using the same URL, they’ll need to push/advertise routes (or do some other hacky thing)

Right now, I’ve only got the spoons to provide rough guidance, not details. In order to use non-tailnet IPs, you’ll need to configure your tailnet host to “advertise routes/push routes”. In more laymen terms, tailnet needs to say, “hey network client, I do know where 192.168.0.69 is! So I can route that request”. By default, each tailnet host only advertises the other tailnet hosts. Anything else fails.

Also, I really appreciate how detailed your question is!

I just did it by thinking up this UUID: 4d6b3a08-e1b5-407c-bb6c-cbac830ff4bd

“the annual risk of a given person being hit by a meteorite is estimated to be one chance in 17 billion, which means the probability is about 0.00000000006 (6 × 10−11), equivalent to the odds of creating a few tens of trillions of UUIDs in a year and having one duplicate. In other words, only after generating 1 billion UUIDs every second for the next 100 years, the probability of creating just one duplicate would be about 50%.”

Broadly, a person can only control their reactions to situations; they can’t control others. It’s part of establishing healthy boundaries. Your scenario would be an excellent topic to bring up in therapy because it’s a real and recurring issue that probably has a lot of interesting depth to explore

Can you clarify what you mean by that? It sounds strangely gatekeepy to me, but maybe I’m misunderstanding