You did not answer what VPN tech you are using.
Without that knowledge i would recommend setting up tailscale and having your users use that. If you want to be fully self hosted you can also run Headscale as the control plane instead of relying on Tailscales own service.
I recommend tailscale as it is very easy to grant a user privileges to ONLY use an endpoint as an exit node but also grant access to any other endpoints as needed (such as your future jellyfin server) via theor ACLs.
If you want simple you’ll have to manually decrypt each time it needs doing.
If you want it to be “automatic” then your best bet is something network based. A “simple” would be to just have a script ssh’s somewhere, pulls the decryption key, and then decrypts the disks. There’s plenty of flaws with this though as while a threat actor couldn’t swipe a single encrypted disk they could just log in as root, get your script, and pull the decryption key themselves.
The optimal solution would be to also encrypt the root partition but now you need to do network based decryption at boot which adds further complexity. I’ve previously used Clevis and Tang to do this.
I personally don’tencrypt my server root and only encrypt my data disks. Then ssh in on a reboot or power event and manually decrypt. It is the simplest and most secure option.
I prefer restic for my backups. There’s nothing inherently wrong with just making a copy if that is sufficient for you though. Restic will create small point in time snapshots as compared to just a file copy so I’m the event that perhaps you made a mistake and accidentally deleted something from the “live” copy and managed to propagate that to your backup it is a nonissue as you could simply restore from a previous snapshot.
These snapshots can also be compressed and deduplicated making them extremely space efficient.
The primary reason a private track is private is to make it feasible to maintain a curated community. Many users are not good torrent citizens. Many users are not good netizens in the first place. More than a few will look to actively do harm. Keeping a mostly closed community allows the vetting of users and those who end up breaking the rules are dealt with swiftly.
The extra barrier of entry also helps prevent bad actors from operating on the site. This is of course not a full proof thing but it is obviously much better than a public site.
Additionally running a private tracker and site takes server resources that are not free. Limiting the total number of users is a way of maintaining uptime by staying within your operational limits.
I’m sure there are other benefits for private trackers but these are at least a few.
I am not going to explain why someone on the internet was mean to you. Given the tone of this post I wouldn’t be surprised if it was deserved.
Symlinks likely wouldn’t work for a torrent, because that’s more like a shortcut; The symlink doesn’t actually point to the file, it just points to another filepath.
They are kinda like a shortcut but they are resolved directly by the filesystem and in the fast majority of cases should work perfectly fine if done correctly. In OPs case I’d probably leave the original file intact and create the link at the new desired destination.
You can’t have a hardlink for your C: drive on your D: drive
Thats why I didn’t recommend hardlinks. But I misread OPs post and I see the data will all live on the same drive so I revise my original suggestion and also recommend hardlinks.
But a torrent client likely won’t be able to handle the “oh actually you need to go visit location B” instructions, and will just crash/freeze/refuse to seed.
You’re just pulling that out of your ass.
*all of this is largely under the context of linux but should translate to windows
In the scope of wireguard it’ll just be a matter of you building appropriate firewall rules.
Since you want their internet traffic to go through you then i assime you’re effectively pushing a 0.0.0.0/0 route to your clients. You then need to add firewall rules on your server to block traffic to its local subnet and in the future allow traffic to only your jellyfin server.
This is also pretty simple and nothing wrong with that setup.