How to Access OpenCode Remotely: Cloudflare Tunnel vs Tailscale
Purpose
I wanted to access my OpenCode web UI from my phone while away from my desk. OpenCode runs locally, accessible only via localhost:3000. When I’m at a coffee shop or traveling, I need a way to connect securely without exposing my machine to the internet.
In this post, I’ll show you two free solutions: Cloudflare Tunnel and Tailscale. Both work well, but they serve different needs.
The Problem
OpenCode is a local AI coding assistant with a web UI. The problem is simple: it only runs on your machine, accessible at http://localhost:3000.
Here’s what happens when you’re away:
# On your local machine$ opencode webServer running at http://localhost:3000
# But you can't access this from your phone at a coffee shopCommon challenges I faced:
- Wanting to continue conversations on mobile
- Needing always-on access from a VPS
- Avoiding the security nightmare of port forwarding
- Finding a free, reliable solution
The naive solution would be to open a port on your router. I tried that once. Never again. Exposing ports directly is a security disaster waiting to happen.
Solution A: Cloudflare Tunnel
Cloudflare Tunnel creates a secure connection from your machine to Cloudflare’s network. No port forwarding needed. Your machine stays hidden behind Cloudflare’s infrastructure.
Why I Considered This
From Reddit discussions, I found this recommendation:
“Pro tip: you can use a cloudflare tunnel to access the web ui over the Internet. The mobile interface is pretty good. You can add extra security with cloudflare Access. Best part, it’s all free”
The benefits are clear:
- Free public URL for your OpenCode web UI
- Built-in DDoS protection
- Optional Cloudflare Access for authentication
- No port forwarding required
- Works behind NAT/firewalls
Installation
Here’s what I did on macOS:
# Install cloudflaredbrew install cloudflare/cloudflare/cloudflared
# Authenticate with Cloudflarecloudflared tunnel loginFor Linux:
# Download and installcurl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -o cloudflaredchmod +x cloudflaredsudo mv cloudflared /usr/local/bin/
# Authenticatecloudflared tunnel loginQuick Tunnel (No Domain Required)
The fastest way to test is using Cloudflare’s quick tunnel:
# Run OpenCode firstopencode web &
# Create a quick tunnelcloudflared tunnel --url http://localhost:3000Output looks like:
Your quick Tunnel has been created! Visit it at:https://random-name-abc123.trycloudflare.comNow you can access OpenCode from anywhere at that URL. But there’s a catch - the URL changes every time you restart the tunnel.
Named Tunnel (With Custom Domain)
For a stable URL, create a named tunnel:
# Create tunnelcloudflared tunnel create opencode
# Route to your domain (you need a domain on Cloudflare)cloudflared tunnel route dns opencode opencode.yourdomain.com
# Run the tunnelcloudflared tunnel run --url http://localhost:3000 opencodeAdding Authentication
The best part of Cloudflare Tunnel is Cloudflare Access. You can require authentication before anyone can access your OpenCode instance:
- Go to Cloudflare Zero Trust dashboard
- Navigate to Access > Applications
- Add your tunnel URL as an application
- Configure authentication (email OTP, GitHub, Google, etc.)
Now your OpenCode is accessible from anywhere, but only by people you authorize.
Solution B: Tailscale
Tailscale creates a private mesh network between your devices. It’s like a VPN, but simpler to set up and manage.
Why I Considered This
From Reddit:
“I’ve been using opencode desktop app, and opencode web on the phone while away from desk. All this made possible by Tailscale.”
Another user:
“I’ve setup a vps with opencode web. Using web UI direct from phone (via tailscale) or opencode attach.”
The benefits:
- Free for personal use
- No public URL exposure
- Works like a private VPN
- Simple setup
- Excellent for trusted device access
Installation
On macOS:
brew install tailscale
# Connect to your network (opens browser for auth)sudo tailscale upOn Linux:
curl -fsSL https://tailscale.com/install.sh | sh
# Connectsudo tailscale upFinding Your Tailscale IP
tailscale ipOutput:
100.x.y.zAccessing OpenCode
Once Tailscale is running on both your OpenCode host and your phone:
- Install Tailscale app on your phone
- Log in with the same account
- Access OpenCode at
http://100.x.y.z:3000(your Tailscale IP)
You can also use MagicDNS for a friendlier name:
http://your-machine-name.tailnet-name.ts.net:3000Comparison: Which One to Choose?
After trying both, here’s my decision matrix:
+------------------+----------------------+--------------------+| Feature | Cloudflare Tunnel | Tailscale |+------------------+----------------------+--------------------+| Cost | Free | Free (personal) || Public URL | Yes | No || Setup complexity | Medium | Low || Authentication | Cloudflare Access | Device auth only || Mobile access | Excellent | Excellent || Behind NAT | Works | Works || Custom domain | Yes | MagicDNS || Best for | Sharing access | Personal use |+------------------+----------------------+--------------------+Use Cloudflare Tunnel When:
- You want a public URL (share with teammates)
- You need fine-grained access control
- You already use Cloudflare for other services
- You want to access from devices you don’t control
Use Tailscale When:
- You only need personal access
- You want the simplest setup
- You access from your own trusted devices
- You don’t need a public URL
- You’re already using Tailscale for other things
Solution C: VPS Deployment (Always-On Access)
If you want OpenCode running 24/7 without leaving your personal machine on, deploy to a VPS.
# On your VPS# 1. Install OpenCodecurl -fsSL https://opencode.ai/install.sh | sh
# 2. Start OpenCodeopencode web
# 3. Add Tailscale or Cloudflare Tunnel for secure accessThis gives you always-on access from any device. Combine it with Tailscale for private access or Cloudflare Tunnel for public access with authentication.
Common Mistakes to Avoid
I made these mistakes so you don’t have to:
-
Exposing ports directly: Never port-forward without authentication. I did this once and saw login attempts within minutes.
-
Skipping authentication: Always enable Cloudflare Access or ensure only your devices are on Tailscale.
-
Ignoring mobile optimization: The OpenCode web UI works great on mobile. One Reddit user said: “Last week I started using tmux to connect from my mobile. It’s good. I’ve just tried the web. It’s awesome.”
-
Overcomplicating setup: Both Cloudflare Tunnel and Tailscale have simple one-command installs. Don’t overthink it.
Summary
In this post, I showed you two free ways to access OpenCode remotely:
- Cloudflare Tunnel: Best for public access with optional authentication. Use when you need a shareable URL or fine-grained access control.
- Tailscale: Best for personal use. Simpler setup, private network, no public URL exposure.
Both methods avoid the security nightmare of port forwarding. Try both and choose based on your needs - public accessibility vs. private network simplicity.
My recommendation: Start with Tailscale for simplicity. If you later need to share access with teammates, switch to Cloudflare Tunnel with Access authentication.
Final Words + More Resources
My intention with this article was to help others share my knowledge and experience. If you want to contact me, you can contact by email: Email me
Here are also the most important links from this article along with some further resources that will help you in this scope:
Oh, and if you found these resources useful, don’t forget to support me by starring the repo on GitHub!
Comments