My understanding is that it’s technically against their TOS but loosely enforced. They don’t specify precise limits since they probably change over time and region. Once you get noticed, they’ll block your traffic until you pay. Hence you can find people online that have been using it for years no problem, while other folks have been less lucky.

Basically their business strategy is to offer too-good-to-be-true free services that people start using and relying on, then charging once the bandwidth gets bigger.

It used to be worse, and all of cloudflare’s services were technically limited to HTML files, but selectively enforced. They’ve since changed and clarified their policy a bit. As far as I’ve ever heard, they don’t give a toss about the legality of your content, unless you’re a neo Nazi.

I’m guessing the cloudflared daemon isn’t connecting to jellyfin. You want to use http://. Also is jellyfin the hostname of the VM? Using localhost or 127.0.0.1 might be better ways to specify the same VM without relying on DNS for anything.

Personal opinion, but I wouldn’t bother with fail2ban, it’s a bit of effort to get it to work with cloudflare tunnel and easy to lock yourself out. Cloudflare’s own zero trust feature would be more secure and only need fiddling around cloudflare’s dashboard.