Setting Up Remote Access

Table of Contents

Overview

If you’ve installed Backup Brain on a local computer, and want to access it from anywhere on the internet, this doc will tell you how.

If you’ve installed it on a public host like Digital Ocean, Netlify, or Fly.io it’s already publicly accessible, but you’ll probably want to give it an SSL Certificate to encrypt communications to and from it. Most importantly, your password during login.

⚠ This will involve command line geekery. There’s no getting around that.

If you shut down your Backup Brain, or turn off the computer it’s installed on, you won’t be able to access it from the internet. These instructions just create a public endpoint that connects to your machine, and encrypts the traffic.

Remotely Accessing Your Backup Brain

This assumes you’ve installed it on a computer on your home network.

There are multiple ways to solve this problem. Ngrok is probably the most popular or well known, but the problem with Ngrok is that you need to pay them a monthly fee ($8 as of June 2024) in order to get a stable domain name.

I had 3 requirements when researching services for this:

  • must be free
  • must offer a stable domain name on the free plan (doesn’t change every time you restart the process)
  • must offer a SSL encrypted connection to your locally hosted site.
  • involves minimal geekery Port tunneling without geekery just isn’t a thing yet. Sorry.

I’ve only found 2 services that meet these criteria. One of them is essentially unheard of, and has no income, and no obvious business plan. The other is Tailscale, a company that’s well regarded, and has a very real business model, and customers who pay them. So that’s the solution I’m going to discuss.

It should be noted that the service we’ll be using “Tailscale Funnel” is kind-of an “oh, we also do that” feature. They don’t discuss it a lot. Also, the domain name you end up with will on the free plan will be something like https://<machine_name>.<random characters>.ts.net/

Tailscale Funnel

  1. Create a Tailscale account.

  2. Install their VPN app. They make this very obvious after signing in.

    Don’t ask me how this interacts with your company’s VPN. Exposing a local app to the public internet from inside your company’s firewall probably violates your security promises or NDA or something anyway.

  3. The setup process will want you to configure multiple machines. Don’t bother unless you want to. You only need to add the machine your Backup Brain is running on.

    They want you to configure multiple machines because their main product is all about easily sharing things within your company’s network. We don’t care about other machines within the network. We care about machines outside of the network.

    Whatever you name your machine in their system will be the first part of the domain name that you end up with.

  4. Configure the Tailscale Command Line Interface (cli) if you’re on macOS ( no configuring neeed on Linux or Windows )

  5. Test the funnel

  6. Run it in the background

Configuring the CLI on macOS

Tailscale doesn’t offer a separately installed CLI or a way to download one. Instead they expect you to use the one hidden inside the secret folder of their app. All mac apps are fancy hidden folders, but this is still annoying.

Ignore their instructions involving the GUI. They only apply to a version they don’t tell you how to download. You got yours from the Mac App Store so we’re going to make that work.

Their command line tool is located at

/Applications/Tailscale.app/Contents/MacOS/Tailscale

We want a nice alias for it. For Bash or ZSH shells (macOS runs ZSH by default these days) you’ll want to add the following to your ~/.bashrc or ~/.zshrc

alias tailscale="/Applications/Tailscale.app/Contents/MacOS/Tailscale"

If you use Fish shell then you’ll add the following to your ~/.config/fish/config.fish

alias tailscale /Applications/Tailscale.app/Contents/MacOS/Tailscale

Testing it out.

The full documentation for Tailscale Funnel discusses all the various options you can pass it, but we only need one.

First invoke it with tailscale funnel 3334

Note: 3334 is just the default port Backup Brain runs on. If you’ve changed it in your .env file, then use whatever port you’ve chosen. It doesn’t matter if Backup Brain is running now or not. We’ll restart it before we’re done anyway.

The first time you do this you’ll be presented with an url to click to enable Tailscale Funnel on your account. It should look something like this:

❯ tailscale funnel 3334

Funnel is not enabled on your tailnet.
To enable, visit:

         https://login.tailscale.com/f/funnel?node=XXXXXXXXXXXXXXXXX

Go there, and enable it. Once you do, it’ll tell you Success and give you an URL you can visit your site on.

Success.
Available on the internet:

https://bb-dev.XXXXXXXXXX.ts.net/
|-- proxy http://127.0.0.1:3334

Press Ctrl+C to exit.
  1. Copy the domain name it gives you ( bb-dev.XXXXXXXXXX.ts.net in the example above), and edit your Backup Brain’s .env file.
  2. Replace the value of HOST_NAME with that domain. For example: HOST_NAME=bb-dev.XXXXXXXXXX.ts.net
  3. Replace the value of HOST_USES_SSL with true
  4. (re)start your Backup Brain in a separate terminal.
  5. Visit the URL it gave you.

You should see your Backup Brain.

Making it last

This public access will stop working if you close the window where you launched the tailscale agent. We can fix that by having it run in the background. We do this by passing it the --bg flag.

Shut down the current tailscale agent by typing control+c (control not command). Then launch tailscale again but with the --bg flag. This tells it to run in the background.

tailscale funnel --bg 3334

You can then stop it with

tailscale funnel --https=443 off

You can check if it’s currently running with the following command. This is also useful if you forgot what the domain name was.

tailscale status
Mastodon