docs/docs/guides/remote-access.md
This page gives a few pointers on how to access your Immich instance from outside your LAN. You can read the full discussion in Discord
:::danger Never forward port 2283 directly to the internet without additional configuration. This will expose the web interface via http to the internet, making you susceptible to man in the middle attacks. :::
You may use a VPN service to open an encrypted connection to your Immich instance. OpenVPN and Wireguard are two popular VPN solutions. Here is a guide on setting up VPN access to your server - Pihole documentation
If you are unable to open a port on your router for Wireguard or OpenVPN to your server, Tailscale is a good option. Tailscale mediates a peer-to-peer wireguard tunnel between your server and remote device, even if one or both of them are behind a NAT firewall.
:::tip Video tutorial You can learn how to set up Tailscale together with Immich with the tutorial video they created. :::
A reverse proxy is a service that sits between web servers and clients. A reverse proxy can either be hosted on the server itself or remotely. Clients can connect to the reverse proxy via https, and the proxy relays data to Immich. This setup makes most sense if you have your own domain and want to access your Immich instance just like any other website, from outside your LAN. You can also use a DDNS provider like DuckDNS or no-ip if you don't have a domain. This configuration allows the Immich Android and iphone apps to connect to your server without a VPN or tailscale app on the client side.
If you're hosting your own reverse proxy, Nginx is a great option. An example configuration for Nginx is provided here.
You'll also need your own certificate to authenticate https connections. If you're making Immich publicly accessible, Let's Encrypt can provide a free certificate for your domain and is the recommended option. Alternatively, a self-signed certificate allows you to encrypt your connection to Immich, but it raises a security warning on the client's browser.
A remote reverse proxy like Cloudflare increases security by hiding the server IP address, which makes targeted attacks like DDoS harder.