Self‑Hosting Media on a VPS: A Practical Response to the Declining Value of Streaming Services

## Background: The Erosion of Free Streaming Experience In late 2025, Spotify announced a price increase in Germany that forced many Premium subscribers to reconsider their subscriptions. When the plan eventually expired, the author re‑trialled Spotify’s free tier, only to find an aggressive shuffle‑mode enforcement, a disabled progress scrubber, and other limitations that were not present a decade earlier. Similar degradations are observable across the industry: Amazon Prime introduced ads to its paid tier; Netflix rolled out new UI and a paid ad‑supported version; Disney+ cracked down on password sharing; and YouTube's adverts increasingly target low‑quality apps. The bottom line is that service providers are attempting to squeeze more revenue while simultaneously diluting the user experience. For a seasoned software consultant whose day‑to‑day work revolves around monetisation, this trend is uncomfortable. It raises the question: Is there a technology‑driven refuge that offers uncompromised control and quality? ## Self‑Hosting as a Solution The author’s answer is to run a fully self‑managed media server on a cloud Virtual Private Server (VPS). The combination of Hetzner’s CAX21 instance, Hetzner Storage Box (for scalable media storage), open‑source Jellyfin, and a WireGuard VPN tunnel provides a repeatable, secure, and cost‑effective stack that competes with mainstream services on privacy and flexibility. ### Infrastructure Choice - **Hetzner VPS** – CAX21 with 4 vCPU, 8 GB RAM, 80 GB SSD, 20 TB monthly traffic. The price of €30.90/month offers ample headroom for a personal media library and a stable network overlay. - **Hetzner Storage Box** – Dedicated, network‑attached storage that can be mounted via SMB on any client device. This keeps the VPS disk usage minimal while allowing straightforward media backup and retrieval. - **WireGuard** – A lightweight, modern VPN that is easy to configure on routers (FRITZ!Box), laptops, phones, and even televisions that lack native VPN support. - **Docker Compose** – Simplifies the deployment of containerised services while providing isolation between the VPN layer and the media server. ### Docker‑Compose Blueprint ```yaml version: "3.9" services: wireguard: image: linuxserver/wireguard:latest container_name: wireguard cap_add: - NET_ADMIN - SYS_MODULE environment: - PUID=1000 - PGID=1000 - TZ=Etc/UTC - SERVERPORT=51820 - SERVERURL= volumes: - ./wireguard/config:/config - /lib/modules:/lib/modules:ro ports: - "51820:51820/udp" sysctls: - net.ipv4.conf.all.src_valid_mark=1 restart: unless-stopped jellyfin: image: jellyfin/jellyfin:latest container_name: jellyfin network_mode: "service:wireguard" user: 1000:1000 volumes: - ./jellyfin/config:/config - /mnt/storagebox:/media:ro environment: - TZ=UTC restart: unless-stopped depends_on: - wireguard ``` Key points: - **`network_mode: "service:wireguard"`** causes the Jellyfin container to share the WireGuard container’s network stack, eliminating the need for port mapping while keeping traffic encrypted. - **`/mnt/storagebox:/media:ro`** mounts the Hetzner Storage Box as a read‑only volume inside Jellyfin, which preserves media integrity. - **No public HTTP ports** are exposed; only the WireGuard UDP port (51820) is reachable by authorised clients. ### WireGuard Configuration The server configuration demonstrates how to add peers and manage IP ranges: ```ini [Interface] Address = 10.13.13.1/24 ListenPort = 51820 PrivateKey = PostUp = iptables -A INPUT -i wg0 -p tcp --dport 8096 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT PostDown = iptables -D INPUT -i wg0 -p tcp --dport 8096 -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT [Peer] PublicKey = AllowedIPs = 10.13.13.2/32 [Peer] PublicKey = AllowedIPs = 10.13.13.3/32 [Peer] PublicKey = AllowedIPs = 10.13.13.4/32 ``` Each peer is limited to a unique internal IP, ensuring that only the specified client can access Jellyfin’s port (8096). The `PostUp` and `PostDown` hooks insert firewall rules to grant temporary ingress for that port when the VPN is active. Client configuration snippets (e.g., on a MacBook) are analogous, specifying the server public key, the client private key, and the `AllowedIPs` field that defines the virtual tunnel address. ### Access Patterns - **Home Network** – The FRITZ!Box router hosts the WireGuard client, allowing all devices on the subnet to connect to Jellyfin without installing a VPN client on each device. This also enables media discovery on a smart TV that lacks native VPN support. - **Remote Work** – Devices on the go simply run a WireGuard client that connects to the VPS, granting secure, low‑latency access to media without exposing the server to the public internet. ## Evaluating the Trade‑Offs | Criterion | Self‑Hosting | Commercial Streaming Service | |-----------|--------------|------------------------------| | Cost | Roughly €32/month + media costs. | Variable tiers (free with limitations, Premium ~€9–12/month). | | Control | Full data ownership, customisable UI, no ads. | Closed ecosystem; data used for targeted ads. | | Maintenance | Requires server admin, security patches, backup management. | Zero maintenance for the user; provider handles everything. | | Flexibility | Unlimited library size, custom front‑ends. | Dependent on service catalog and licensing. | | User Experience | Customisable, ad‑free, private. | Varies; often UI/UX degrades with new features or ads. | For the author's scenario—moderate media collection and a willingness to manage a tiny infrastructure—the benefits outweigh the upkeep. However, large libraries or non‑technical users may find the barrier to entry prohibitive. The decision hinges on the value placed on privacy, autonomy, and the willingness to shoulder operational responsibilities. ## Conclusion The narrative of streaming services eroding user value is well documented by the incremental price hikes, ad‑insertion, and UI changes that have surfaced since 2025. By leveraging a modest Hetzner VPS, a dedicated Storage Box, Jellyfin, and WireGuard, one can create a resilient, private media ecosystem that rival the convenience of paid services while offering complete control. For professionals who value cost efficiency, data sovereignty, and an unblemished user experience, self‑hosting remains a compelling, albeit hands‑on, alternative to mainstream music and video platforms.