docs(manual): add remote access page (SSH tunnel, Tailscale) #34

Merged
sanity merged 2 commits into main from docs-remote-access
Apr 15, 2026

@sanity sanity commented Apr 14, 2026

Problem

freenet.org has no page explaining how a user can reach their own node's local HTTP/WebSocket API (port 7509) from a device that isn't on the same LAN. The only hint is a passing mention of `--node-url 127.0.0.1:7509` in publish-a-website.md. Users who want to use their node from a phone end up asking on Matrix instead.

Approach

New page `build/manual/remote-access.md` covering:

  1. Why the default is strict (the API is fully privileged, treat it like SSH).
  2. SSH tunnel as the no-config-change safest default.
  3. Tailscale / private overlay via the new `--allowed-source-cidrs` option landing in freenet-core#3875 (feat: add --allowed-source-cidrs opt-in for local API access), with an explicit callout that CGNAT space is only safe on an overlay the user controls (do NOT add it if you're a Starlink / T-Mobile / cable subscriber where the same range is shared with other customers).

Linked from `_index.md` under Developer Guide.

Coordination

Pairs with freenet/freenet-core#3875. The doc references a CLI flag and config field (`--allowed-source-cidrs` / `allowed-source-cidrs`) that don't exist in the currently released binary. Should merge at roughly the same time as #3875 lands, ideally right after the next freenet-core release that contains it, so users don't try the documented flag against an old build and see clap reject it.

Testing

  • Hugo builds cleanly locally (`cd hugo-site && hugo`).
  • Prose scanned for em-dashes per project style.

[AI-assisted - Claude]

sanity added 2 commits April 14, 2026 09:47
Explains the two supported ways to reach a node's local API from
off-LAN: SSH port-forward (no config change, safest default) and
extending the source-IP allowlist for a private overlay such as
Tailscale or WireGuard via the new --allowed-source-cidrs option
in freenet/freenet-core#3875.

Pairs with freenet-core PR #3875; should land at roughly the same
time so the docs don't reference a flag the released binary doesn't
yet understand.

[AI-assisted - Claude]

Address big-picture review finding on #34: the filter is
only installed when `ws-api-address` is non-loopback, so the TOML
snippet's `allowed-source-cidrs` has no effect if the bind address
is left at the default. Spell this out in the Option 2 step.

[AI-assisted - Claude]
@sanity sanity merged commit ac63f0c into main Apr 15, 2026
3 checks passed
@sanity sanity deleted the docs-remote-access branch April 15, 2026 17:16
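
Added example, not part of the PR or of freenet-core: a small Python linter for the two pitfalls this thread describes, an `allowed-source-cidrs` list that has no effect because `ws-api-address` is loopback, and an entry that overlaps CGNAT space (100.64.0.0/10). The function name, the finding codes and the assumption that `ws-api-address` is a bare IP address are illustrative, not the project's.

```python
import ipaddress

# RFC 6598 shared address space: used by carrier-grade NAT and by Tailscale.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def lint_remote_access(ws_api_address, allowed_source_cidrs):
    """Return (code, detail) findings for a bind address plus allowlist.

    Hypothetical helper: it inspects the settings only and does not
    reproduce the node's own filter.
    """
    findings = []
    bind = ipaddress.ip_address(ws_api_address)  # assumed: bare IP, no port
    if allowed_source_cidrs and bind.is_loopback:
        # Per the PR, the filter is only installed for a non-loopback bind.
        findings.append(("allowlist-inactive", str(bind)))
    for entry in allowed_source_cidrs:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(("invalid-cidr", entry))
            continue
        if net.prefixlen == 0:
            findings.append(("allows-any-source", str(net)))
        elif net.version == 4 and net.overlaps(CGNAT):
            # Safe only on an overlay you control; on a CGNAT ISP the same
            # range is shared with other subscribers.
            findings.append(("cgnat-overlap", str(net)))
    return findings


if __name__ == "__main__":
    # Constructed sample settings, not taken from the page.
    samples = [
        ("127.0.0.1", ["100.64.0.0/10"]),
        ("0.0.0.0", ["100.101.102.0/24", "192.168.1.0/24"]),
        ("0.0.0.0", ["0.0.0.0/0", "not-a-cidr"]),
    ]
    for bind, cidrs in samples:
        print(bind, cidrs, "->", lint_remote_access(bind, cidrs))
```

A `cgnat-overlap` finding is a prompt to confirm the range belongs to an overlay you control, not an error in itself.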