Skip to content

How to Access OpenCode Remotely: Cloudflare Tunnel vs Tailscale

Purpose

I wanted to access my OpenCode web UI from my phone while away from my desk. OpenCode runs locally, accessible only via localhost:3000. When I’m at a coffee shop or traveling, I need a way to connect securely without exposing my machine to the internet.

In this post, I’ll show you two free solutions: Cloudflare Tunnel and Tailscale. Both work well, but they serve different needs.

The Problem

OpenCode is a local AI coding assistant with a web UI. The problem is simple: it only runs on your machine, accessible at http://localhost:3000.

Here’s what happens when you’re away:

terminal output
# On your local machine
$ opencode web
Server running at http://localhost:3000
# But you can't access this from your phone at a coffee shop

Common challenges I faced:

  • Wanting to continue conversations on mobile
  • Needing always-on access from a VPS
  • Avoiding the security nightmare of port forwarding
  • Finding a free, reliable solution

The naive solution would be to open a port on your router. I tried that once. Never again. Exposing ports directly is a security disaster waiting to happen.

Solution A: Cloudflare Tunnel

Cloudflare Tunnel creates a secure connection from your machine to Cloudflare’s network. No port forwarding needed. Your machine stays hidden behind Cloudflare’s infrastructure.

Why I Considered This

From Reddit discussions, I found this recommendation:

“Pro tip: you can use a cloudflare tunnel to access the web ui over the Internet. The mobile interface is pretty good. You can add extra security with cloudflare Access. Best part, it’s all free”

The benefits are clear:

  • Free public URL for your OpenCode web UI
  • Built-in DDoS protection
  • Optional Cloudflare Access for authentication
  • No port forwarding required
  • Works behind NAT/firewalls

Installation

Here’s what I did on macOS:

install cloudflared on macOS
# Install cloudflared
brew install cloudflare/cloudflare/cloudflared
# Authenticate with Cloudflare
cloudflared tunnel login

For Linux:

install cloudflared on Linux
# Download and install
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -o cloudflared
chmod +x cloudflared
sudo mv cloudflared /usr/local/bin/
# Authenticate
cloudflared tunnel login

Quick Tunnel (No Domain Required)

The fastest way to test is using Cloudflare’s quick tunnel:

quick tunnel command
# Run OpenCode first
opencode web &
# Create a quick tunnel
cloudflared tunnel --url http://localhost:3000

Output looks like:

tunnel output
Your quick Tunnel has been created! Visit it at:
https://random-name-abc123.trycloudflare.com

Now you can access OpenCode from anywhere at that URL. But there’s a catch - the URL changes every time you restart the tunnel.

Named Tunnel (With Custom Domain)

For a stable URL, create a named tunnel:

create named tunnel
# Create tunnel
cloudflared tunnel create opencode
# Route to your domain (you need a domain on Cloudflare)
cloudflared tunnel route dns opencode opencode.yourdomain.com
# Run the tunnel
cloudflared tunnel run --url http://localhost:3000 opencode

Adding Authentication

The best part of Cloudflare Tunnel is Cloudflare Access. You can require authentication before anyone can access your OpenCode instance:

  1. Go to Cloudflare Zero Trust dashboard
  2. Navigate to Access > Applications
  3. Add your tunnel URL as an application
  4. Configure authentication (email OTP, GitHub, Google, etc.)

Now your OpenCode is accessible from anywhere, but only by people you authorize.

Solution B: Tailscale

Tailscale creates a private mesh network between your devices. It’s like a VPN, but simpler to set up and manage.

Why I Considered This

From Reddit:

“I’ve been using opencode desktop app, and opencode web on the phone while away from desk. All this made possible by Tailscale.”

Another user:

“I’ve setup a vps with opencode web. Using web UI direct from phone (via tailscale) or opencode attach.”

The benefits:

  • Free for personal use
  • No public URL exposure
  • Works like a private VPN
  • Simple setup
  • Excellent for trusted device access

Installation

On macOS:

install tailscale on macOS
brew install tailscale
# Connect to your network (opens browser for auth)
sudo tailscale up

On Linux:

install tailscale on Linux
curl -fsSL https://tailscale.com/install.sh | sh
# Connect
sudo tailscale up

Finding Your Tailscale IP

get tailscale ip
tailscale ip

Output:

tailscale ip output
100.x.y.z

Accessing OpenCode

Once Tailscale is running on both your OpenCode host and your phone:

  1. Install Tailscale app on your phone
  2. Log in with the same account
  3. Access OpenCode at http://100.x.y.z:3000 (your Tailscale IP)

You can also use MagicDNS for a friendlier name:

magicdns example
http://your-machine-name.tailnet-name.ts.net:3000

Comparison: Which One to Choose?

After trying both, here’s my decision matrix:

comparison diagram
+------------------+----------------------+--------------------+
| Feature | Cloudflare Tunnel | Tailscale |
+------------------+----------------------+--------------------+
| Cost | Free | Free (personal) |
| Public URL | Yes | No |
| Setup complexity | Medium | Low |
| Authentication | Cloudflare Access | Device auth only |
| Mobile access | Excellent | Excellent |
| Behind NAT | Works | Works |
| Custom domain | Yes | MagicDNS |
| Best for | Sharing access | Personal use |
+------------------+----------------------+--------------------+

Use Cloudflare Tunnel When:

  • You want a public URL (share with teammates)
  • You need fine-grained access control
  • You already use Cloudflare for other services
  • You want to access from devices you don’t control

Use Tailscale When:

  • You only need personal access
  • You want the simplest setup
  • You access from your own trusted devices
  • You don’t need a public URL
  • You’re already using Tailscale for other things

Solution C: VPS Deployment (Always-On Access)

If you want OpenCode running 24/7 without leaving your personal machine on, deploy to a VPS.

vps setup outline
# On your VPS
# 1. Install OpenCode
curl -fsSL https://opencode.ai/install.sh | sh
# 2. Start OpenCode
opencode web
# 3. Add Tailscale or Cloudflare Tunnel for secure access

This gives you always-on access from any device. Combine it with Tailscale for private access or Cloudflare Tunnel for public access with authentication.

Common Mistakes to Avoid

I made these mistakes so you don’t have to:

  1. Exposing ports directly: Never port-forward without authentication. I did this once and saw login attempts within minutes.

  2. Skipping authentication: Always enable Cloudflare Access or ensure only your devices are on Tailscale.

  3. Ignoring mobile optimization: The OpenCode web UI works great on mobile. One Reddit user said: “Last week I started using tmux to connect from my mobile. It’s good. I’ve just tried the web. It’s awesome.”

  4. Overcomplicating setup: Both Cloudflare Tunnel and Tailscale have simple one-command installs. Don’t overthink it.

Summary

In this post, I showed you two free ways to access OpenCode remotely:

  • Cloudflare Tunnel: Best for public access with optional authentication. Use when you need a shareable URL or fine-grained access control.
  • Tailscale: Best for personal use. Simpler setup, private network, no public URL exposure.

Both methods avoid the security nightmare of port forwarding. Try both and choose based on your needs - public accessibility vs. private network simplicity.

My recommendation: Start with Tailscale for simplicity. If you later need to share access with teammates, switch to Cloudflare Tunnel with Access authentication.

Final Words + More Resources

My intention with this article was to help others share my knowledge and experience. If you want to contact me, you can contact by email: Email me

Here are also the most important links from this article along with some further resources that will help you in this scope:

Oh, and if you found these resources useful, don’t forget to support me by starring the repo on GitHub!

Comments