Use this when you want to access DarkDuck over Tailscale (or a private LAN/VPN) instead of only localhost.

Setup

1. Start DarkDuck in private authenticated mode

pnpm dev --tailscale-auth
This configures:
  • DARKDUCK_DEPLOYMENT_MODE=authenticated
  • DARKDUCK_DEPLOYMENT_EXPOSURE=private
  • DARKDUCK_AUTH_BASE_URL_MODE=auto
  • HOST=0.0.0.0 (bind on all interfaces, not only the Tailscale interface)
Equivalent flag:
pnpm dev --authenticated-private
2. Find your Tailscale address

From the machine running DarkDuck:
tailscale ip -4
You can also use your Tailscale MagicDNS hostname (e.g. my-macbook.tailnet.ts.net).
3. Open DarkDuck from another device

Use the Tailscale IP or MagicDNS host with the DarkDuck port:
http://<tailscale-host-or-ip>:3100
4. Allow custom hostnames (if needed)

If you access DarkDuck with a custom private hostname, add it to the allowlist:
pnpm darkduck allowed-hostname my-macbook.tailnet.ts.net
5. Verify connectivity

From a remote Tailscale-connected device:
curl http://<tailscale-host-or-ip>:3100/api/health
Expected: {"status":"ok"}
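
The following added example (not part of DarkDuck or its documentation) wraps the step 5 health check and, because HOST=0.0.0.0 binds on every interface, lists the non-Tailscale addresses on which port 3100 is also bound. The function names and sample addresses are constructed; 100.64.0.0/10 is the range Tailscale assigns IPv4 addresses from.

```shell
# Added example, not DarkDuck code. From the page: port 3100, /api/health and
# the expected body. Function names and sample addresses are constructed.

# True if $1 is an IPv4 address in 100.64.0.0/10 (Tailscale's address range).
is_tailnet_ip() {
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.
  set -- $1            # split into octets; input holds only digits and dots
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
  [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]
}

# Read IPv4 addresses (one per line) and print those that are neither loopback
# nor tailnet. HOST=0.0.0.0 binds port 3100 on these as well, so they need a
# host firewall rule if the service should be reachable over Tailscale only.
non_tailnet_addrs() {
  while read -r addr; do
    case $addr in ''|127.*) continue ;; esac
    is_tailnet_ip "$addr" || printf '%s\n' "$addr"
  done
}

# True only for the exact health body the page documents.
health_ok() { [ "$1" = '{"status":"ok"}' ]; }

# Step 5 from a remote device: fetch the health endpoint, fail on HTTP errors
# or timeouts, and compare the body. $1 is a Tailscale IP or MagicDNS name.
check_remote() {
  body=$(curl -fsS --max-time 5 "http://$1:3100/api/health") || return 1
  health_ok "$body"
}

# Constructed sample: a host with loopback, LAN, tailnet and public addresses.
SAMPLE_ADDRS='127.0.0.1
192.168.1.20
100.101.102.103
203.0.113.7'
printf '%s\n' "$SAMPLE_ADDRS" | non_tailnet_addrs   # prints the LAN and public ones
```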

Troubleshooting

  • Problem: Login or redirect errors on a private hostname
    Solution: Add it with darkduck allowed-hostname
  • Problem: App only works on localhost
    Solution: Make sure you started with --tailscale-auth (or set HOST=0.0.0.0 in private mode)
  • Problem: Can connect locally but not remotely
    Solution: Verify both devices are on the same Tailscale network and port 3100 is reachable
  • Problem: CORS or cookie issues
    Solution: Ensure the hostname matches what was registered with allowed-hostname

Tailscale MagicDNS hostnames work well for stable access. Register the MagicDNS name once with allowed-hostname and it works across sessions without needing to look up IP addresses.

Agent Access Over Tailscale

When running agents on remote machines that connect to DarkDuck over Tailscale, set the agent’s DARKDUCK_API_URL to the Tailscale-accessible URL:
DARKDUCK_API_URL=http://my-macbook.tailnet.ts.net:3100
This allows agents running on other devices in your Tailscale network to report back to the control plane.