Tailscale
Gray uses Tailscale as the path between your phone and your box. The box never opens a public port; only devices in your tailnet can even see it.
Why Tailscale
Section titled “Why Tailscale”- No exposure. The server binds to loopback (
127.0.0.1:8848) and is published only inside the tailnet over HTTPS. - Real certificates.
tailscale serveterminates HTTPS with a certificate for<hostname>.<tailnet>.ts.net— a stable, real HTTPS origin instead of a raw IP. - It’s free for personal use, and the installer sets it up.
- The installer installs Tailscale on the box if needed.
sudo tailscale upon the box, sign in.- In the Tailscale admin console, enable MagicDNS and HTTPS certificates (Settings → DNS).
- Install the Tailscale app on your phone and sign in to the same tailnet.
- The box’s address is
https://<hostname>.<tailnet>.ts.net:8443— that’s what the Gray app connects to.
The installer runs the publish step itself once the box is signed in (re-run
the install one-liner after tailscale up if it couldn’t). The equivalent
manual command:
tailscale serve --yes --bg --https=8443 http://127.0.0.1:8848Phone side
Section titled “Phone side”Tailscale on the phone runs as a VPN profile. Gray works wherever the tailnet reaches — home, LTE, hotel wifi. If the app reports the box unreachable, check the Tailscale app is connected first; see Connection problems.
Without Tailscale?
Section titled “Without Tailscale?”Technically the server is just HTTP on loopback — any private ingress you
trust (your own VPN, a tunnel, a reverse proxy) can front it, but you own the
TLS story and the box’s HTTPS origin (GRAY_RP_ID/GRAY_RP_ORIGIN).
Unsupported territory; the documented path is Tailscale.