Using CAAL Outside Home Network

[nerd8east-a11y]

Hi Corey, I was wondering if you use CAAL outside of your local home network. What do you recommend as a good way to be able to do that? Thanks.

[cmac86]

Hey @nerd8east-a11y , Tailscale is the easiest way to access CAAL remotely. It creates an encrypted WireGuard tunnel that makes your devices act like they're on the same LAN. You need Tailscale installed on both devices. Two setup options:

---

Option 1: Simple (recommended)

Just point CAAL at your Tailscale IP. No TURN, no special certs needed — Tailscale provides direct connectivity so it behaves like a LAN. Still works locally too (Tailscale routes on-network traffic directly).

# 1. Install Tailscale on your server and client devices
# https://tailscale.com/download

# 2. Delete old self-signed certs (they're issued for your LAN IP)
rm ./certs/server.*

# 3. Update .env
CAAL_HOST_IP=<your-tailscale-ip>    # tailscale ip -4
# Leave HTTPS_DOMAIN commented out

# 4. Restart (no rebuild needed — certs and config are volume-mounted)
docker compose down && docker compose up -d

# 5. Access from any Tailscale device:
#    https://<tailscale-ip>:3443
#    Accept the self-signed cert warning in your browser

---

Option 2: Dual-access (LAN + remote, no browser warnings)

Keep your LAN IP for local use, add Tailscale domain for remote. This enables LiveKit's TURN relay so media streams work even when the client can't reach the LAN IP. Requires real Tailscale certs because TURN/TLS silently rejects self-signed.

# 1. Install Tailscale
# https://tailscale.com/download

# 2. Enable HTTPS certs on your tailnet
#    Tailscale Admin → DNS → Enable HTTPS

# 3. Generate trusted certs
tailscale cert your-machine.tailnet.ts.net
cp your-machine.tailnet.ts.net.crt ./certs/server.crt
cp your-machine.tailnet.ts.net.key ./certs/server.key

# 4. Update .env
CAAL_HOST_IP=192.168.x.x                        # keep your LAN IP
HTTPS_DOMAIN=your-machine.tailnet.ts.net         # uncomment and set

# 5. Restart
docker compose down && docker compose up -d

# 6. Access:
#    Local:  https://<lan-ip>:3443 (self-signed warning)
#    Remote: https://your-machine.tailnet.ts.net:3443 (no warning)

Cheers!
Corey

[nerd8east-a11y]

Thanks for the info. I installed it on my CAAL server and on my iPhone. I can see the front end page now, but for some reason I cannot get it to work when I click on the “talk to CAAL” button. I tested the n8n and home assistant settings from my iPhone and it gives me the green checkmark. I will double check the logs when I get home.

[nerd8east-a11y]

I removed the certificates from the /caal/certs folder and ran the tailscale cert command and got the files in there. Do the files need to be named a certain way? Mine have the tailscale domain name as part of the name for both (.crt and .key).
Thanks for your help

[cmac86]

Yep they need to be named server.crt and server.key.

tailscale cert your-machine.tailnet.ts.net
cp your-machine.tailnet.ts.net.crt ./certs/server.crt
cp your-machine.tailnet.ts.net.key ./certs/server.key

[nerd8east-a11y]

ok. I appreciate the help.