I have a setup with one central computer as my TVheadend server (backend) and several sbc odroids and pi's as my clients (frontend). I have thought about using my VPN on this setup but I am a little confused on where to place configure the vpn for best effect. Should it go on the server computer or the clients? I would think it should be placed on the server since everything goes from the server to the clients. The client units would never be at risk for ip exposure with tvheadend? Am I right on this? Thanks.
Use a decent router with a proper firewall (maybe even threat protection built-in) to protect the TVH server behind it, and port-map from non-standard ports on the router WAN IP (obscurity not security, but avoids some probing) to the standard ports on the TVH server. I wouldn't bother with VPN as TVH provides access to public broadcast video streams not personal data.
Thanks for the heads up about the port security as I have thought about doing port knocking as an obscurity measure. I have reading up on it more.
Just to clarify nothing is leaked on the internet by the client add on since everything goes through back end server? Thanks again.
I forget whether TVH supports TLS by default, but if not you can probably reverse proxy the connection from nginx which easly supports letsencyrpt and then all client/server comms runs through a encrypted tunnel.
Port knocking sounds wonderful until you try and find client apps that support it .. be prepared for a long wait.