Skip to main content

Web Server and Remote Access

Tailscale Remote Access

Secure remote access to pinakea with a private network

This page explains Tailscale, a service which enables secure remote access to pinakea’s Web Server.

Tailscale is an easy way to securely access your pinakea Web UI when you’re not on the same Wi‑Fi network (for example from cellular, a hotel network, or a coworking space).

It’s optional — Tailscale is only needed for remote access — but it’s the recommended way to do remote access without exposing your Mac to the public internet.

Important

Web Server, including Tailscale remote access and the Apple Shortcut path, is available on Free, Pro Monthly, and Pro Lifetime. Tailscale must still be enabled on the Mac and the device you are using, and the Mac running pinakea must be signed in and active on the account.

Set scope

Web Server (including via Tailscale) shows the currently selected Set only. To change libraries, switch Sets inside pinakea. See Sets (Libraries).

a blue and purple background with lines of light

Important

This page explains Tailscale in plain language based on our best understanding at the time of writing. It is not official Tailscale documentation and not a legal or security guarantee. For authoritative details, review Tailscale’s own documentation and policies.

Tip

Tailscale offers a free plan for personal use (at the time of writing).

What Tailscale is (in plain English)

Tailscale creates a private network (“Tailnet”) between your devices.

Once installed on your Mac and phone/tablet, your devices get private IP addresses (usually starting with 100.). Devices in the same Tailnet can talk to each other as if they were on the same local network — even when they’re not.

For pinakea, that means:

  • Your phone can open http://<tailscale-ip>:8080/
  • The connection is encrypted
  • Web Server is not exposed to the public internet

Why it’s secure

Tailscale is designed to be a secure “tunnel” between your devices:

  • End-to-end encrypted traffic: the connection between your devices is encrypted (WireGuard-based).
  • No public exposure: you do not need port forwarding or a public IP.
  • Access is explicit: only devices that you add to your Tailnet can connect.
Note

Tailscale tries to connect devices directly. If a direct connection isn’t possible (some networks block it), it can relay traffic via Tailscale’s DERP network. Your traffic stays end‑to‑end encrypted either way.

Direct connections vs. relays (is there a “middle-man”?)

Most of the time, devices in your Tailnet talk directly to each other (peer-to-peer). That means your Mac and your phone connect like they were on the same network, without a public server sitting in the middle of the data stream.

Sometimes a network won’t allow a direct peer-to-peer connection. In that case, Tailscale can route the encrypted packets through a relay (DERP). In that situation there is a “middle” server carrying the packets — but it still can’t read the content, because the packets are encrypted end-to-end between your devices.

What Tailscale can access (and what it can’t)

Tailscale needs some information to make your private network work, but it is not a service that can “log into” your devices or read your pinakea data.

Tailscale does run a coordination service that helps your devices authenticate and find each other (think “secure address book”). This coordination step is separate from your actual traffic: your pinakea browser-access pages do not get routed through a central “Tailscale server” that can read them.

What Tailscale (the service) can typically see

  • Your Tailnet account identity (who is signed in)
  • Which devices are connected to your Tailnet (device list)
  • Network metadata needed to connect devices (for example device public keys, device names, and connection/relay status)

What Tailscale can’t see or access

  • The contents of your traffic (for example the pages you view through pinakea Web Server, your notes, your exports, chat content)
  • Files stored on your devices or pinakea’s database
  • Your Web Server password (that’s handled by pinakea)
Tip

Remote access is still under your control: only devices in your Tailnet can reach your Mac over the Tailscale network, and pinakea can reject Tailscale requests unless you explicitly enable “Remote Access (Tailscale)” in Settings.

Why Google and Apple sign-in helps

Tailscale uses your sign-in (often Google or Apple) as your identity. This helps security because:

  • You don’t need to create and maintain yet another password.
  • You can rely on your existing account protections (for example strong passwords and multi-factor authentication).
  • You can manage device access from one place (your Tailnet).

Who can access your Tailnet?

Only devices that are signed in to your Tailnet can access services on that Tailnet.

In other words: nobody can “discover” your pinakea Web Server from the outside. A device must be part of your Tailnet first.

If you ever invite other people into your Tailnet or share a device with them, they may be able to reach services on your Tailnet too — so keep Tailnet membership limited to devices and people you trust.

You can always:

  • See which devices are connected
  • Remove a device (for example if a phone is lost)

Why pinakea uses Tailscale for remote access

pinakea chose Tailscale because it gives you a secure remote connection without complicated setup:

  • No router configuration (no port forwarding)
  • No need to set up HTTPS certificates yourself
  • Remote access stays opt-in and private by default

You still keep control: pinakea requires a Web Server password, and remote access has to be explicitly enabled in Settings.

Setup checklist (for pinakea)

Before you start:

  • Make sure Web Server is enabled in pinakea; Web Server is available on Free, Pro Monthly, and Pro Lifetime.
  1. Install Tailscale on your Mac and on the device you want to use remotely.
  2. Sign in on both devices using the same account (so they are in the same Tailnet).
  3. Confirm both devices show as Connected in the Tailscale app.
  4. In pinakea → Settings → Web Server, enable Enable Remote Access (Tailscale).
  5. Open the Tailscale IP URL listed in Settings (it looks like http://100.x.x.x:8080/). Tip: use Copy Tailscale URL to copy it.

Troubleshooting

  • The Tailscale URL doesn’t load: make sure both devices are connected in Tailscale and pinakea’s Web Server is running.
  • The page says Sign in, Refresh Status, or Activate this Mac: open pinakea on the Mac running Web Server and follow that action. Choose Activate this Mac only when this Mac is inactive; if the account already has five active Macs, deactivate one first.
  • It works on Wi‑Fi but not on cellular: ensure Tailscale is enabled on your phone and remote access is enabled in pinakea Settings.
  • A device should no longer have access: remove it from your Tailnet (in the Tailscale admin / device list).
  • Web Server will not start: check that Web Server is enabled, the password is saved, the port is available, and macOS local-network/firewall permission is allowed.