Using CAAL Outside Home Network

[nerd8east-a11y]

Hi Corey, I was wondering if you use CAAL outside of your local home network. What do you recommend as a good way to be able to do that? Thanks.

[cmac86]

Hey @nerd8east-a11y , Tailscale is the easiest way to access CAAL remotely. It creates an encrypted WireGuard tunnel that makes your devices act like they're on the same LAN. You need Tailscale installed on both devices. Two setup options:

---

Option 1: Simple (recommended)

Just point CAAL at your Tailscale IP. No TURN, no special certs needed — Tailscale provides direct connectivity so it behaves like a LAN. Still works locally too (Tailscale routes on-network traffic directly).

# 1. Install Tailscale on your server and client devices
# https://tailscale.com/download

# 2. Delete old self-signed certs (they're issued for your LAN IP)
rm ./certs/server.*

# 3. Update .env
CAAL_HOST_IP=<your-tailscale-ip>    # tailscale ip -4
# Leave HTTPS_DOMAIN commented out

# 4. Restart (no rebuild needed — certs and config are volume-mounted)
docker compose down && docker compose up -d

# 5. Access from any Tailscale device:
#    https://<tailscale-ip>:3443
#    Accept the self-signed cert warning in your browser

---

Option 2: Dual-access (LAN + remote, no browser warnings)

Keep your LAN IP for local use, add Tailscale domain for remote. This enables LiveKit's TURN relay so media streams work even when the client can't reach the LAN IP. Requires real Tailscale certs because TURN/TLS silently rejects self-signed.

# 1. Install Tailscale
# https://tailscale.com/download

# 2. Enable HTTPS certs on your tailnet
#    Tailscale Admin → DNS → Enable HTTPS

# 3. Generate trusted certs
tailscale cert your-machine.tailnet.ts.net
cp your-machine.tailnet.ts.net.crt ./certs/server.crt
cp your-machine.tailnet.ts.net.key ./certs/server.key

# 4. Update .env
CAAL_HOST_IP=192.168.x.x                        # keep your LAN IP
HTTPS_DOMAIN=your-machine.tailnet.ts.net         # uncomment and set

# 5. Restart
docker compose down && docker compose up -d

# 6. Access:
#    Local:  https://<lan-ip>:3443 (self-signed warning)
#    Remote: https://your-machine.tailnet.ts.net:3443 (no warning)

Cheers!
Corey

[nerd8east-a11y]

Thanks for the info. I installed it on my CAAL server and on my iPhone. I can see the front end page now, but for some reason I cannot get it to work when I click on the “talk to CAAL” button. I tested the n8n and home assistant settings from my iPhone and it gives me the green checkmark. I will double check the logs when I get home.

[nerd8east-a11y]

I removed the certificates from the /caal/certs folder and ran the tailscale cert command and got the files in there. Do the files need to be named a certain way? Mine have the tailscale domain name as part of the name for both (.crt and .key).
Thanks for your help

[cmac86]

Yep they need to be named server.crt and server.key.

tailscale cert your-machine.tailnet.ts.net
cp your-machine.tailnet.ts.net.crt ./certs/server.crt
cp your-machine.tailnet.ts.net.key ./certs/server.key

[nerd8east-a11y]

ok. I appreciate the help.

[nerd8east-a11y]

I followed the instructions for option 2 (using the DNS feature in tailscape) and now I can get to the front end from outside my network. The only issue now is that when I click on the Talk To CAAL button nothing happens. Not sure what I am missing, I removed the original certificate files from ./certs and ran the tailscape command to create new ones. Then renamed them and put them in the ./certs folder. The docker compose starts up without issues. CAAL works sometimes from the echo show 5 android app, but not from anywhere else. I am thinking on deleting everything and starting fresh and see if that helps.

[cmac86]

Hey @nerd8east-a11y , sorry for the delay. I have been away this week.

There is a mistake in my instruction. You need to rebuild the frontend after changing HTTPS_DOMAIN in the .env.

With Option 2, step 5 should be this:

# 5. Restart
docker compose down 
docker compose build frontend
docker compose up -d

I just tried this from a hotel through Tailscale and it worked.

Cheers!
Corey

[nerd8east-a11y]

No worries.
I will give this a try.
Hope I can get it to work, I have a couple of things I want to try while I am out of the house.
Thanks man

[qmmatei-boop]

Hi Corey, thank you for your great work, I really appreciate what you've done with the CAAL project. My problem is that using Tailscale with the Android app, I can't get CAAL to work. I used Option 2 (LAN + Tailscale) and I keep getting this error: "Connection failed: LiveKitException: [ConnectException] Timed out waiting for SignalJoinResponseEvent." I can connect to CAAL just fine using the mobile browser, but not with the app. Any ideas?

[cmac86]

@qmmatei-boop thanks for the kind words! I have a question to help narrow this down.

From the android app are you trying to connect using http or https?
and
Are you using tailscale domain (your-machine.tailnet.ts.net) or tailscale ip (100.x.x.x) ?

Thanks
Corey

[qmmatei-boop]

I'm using https with the Tailscale domain name ...ts.net:3443 and I got the green"Connected to CAAL server"text. It pulls all the the settings (TTS provider, Ollama, Integrations, minus the custom prompt) but after saving and then hitting talk to CAAL, this "...SignalJoinResponseEvent." error comes up. Again, it works fine if I use the same Tailscale link in the mobile browser. More so, the mobile browser option also imports the prompt I use, becouse I tweaked CAAL to speak in 2 languages in the same session, but this is another disscusion (maybe an app update?).

[nerd8east-a11y]

Would you be able to make a video showing us how you got it setup with tailscale? I have been trying to get it done, but I have not been able to. For some reason, I can get CAAL to work on my phone (on chrome) using the ...ts.net:3443, but only while I am on my WIFI network (which defeats the purpose). The android app on my echo show 5 works fine, even though I have it setup using http://ip:3000.

Using the tailscale IP does not work (inside or outside my network). Running CAAL using https://MyIP:3443 does not work at all either. I have a mess of configurations I know :). I have all the necessary pieces (ollama, n8n, caal server, home assistant) each running on separate hardware, so I am wondering if I need to have them all running on tailscale. I only have the CAAL Server (and my iphone) running tailscale at the moment. Any suggestions would be greatly appreciated. Thanks

[cmac86]

Let me investigate what's going on here. I think some readme and config updates are needed to add clarity and to make this easier. I'm flying out of country today, so give me a bit of time to get to the bottom of this.

Regards,
Corey

[cmac86]

Hey guys — found the issue and pushed a fix. Turns out TURN relay (which mobile devices need for remote connections) was silently broken. Two things were wrong:

1. A TLS config issue meant TURN connections failed at the handshake — so it's been broken for everyone, not just you
2. The TURN port (5349) doesn't work with iOS/Android WebRTC — had to move it to port 443

I tested this from Mexico on my iPhone over Tailscale and it's working now.

To update:

git pull
docker compose up -d livekit

One thing to note — port 443 needs to be free on your server. If something else is using it, you can set TURN_TLS_PORT in your .env to override, but non-443 ports won't work for iOS.

More details in the discussion post: #84

@qmmatei-boop your SignalJoinResponseEvent timeout should be fixed — that was exactly the TURN failure. Let me know if the Android app works after updating.

@nerd8east-a11y I still owe you that Tailscale setup walkthrough. For now the short version: set HTTPS_DOMAIN to your .ts.net domain, run tailscale cert <domain>, copy the certs to ./certs/server.crt and ./certs/server.key, and pull this latest fix. Will put together something more detailed soon.

Corey

[cmac86]

Thanks for confirming! To be clear, you have tls on a different port now? What did you set it to? I tried an alternate port and it didn't work for me.

[nerd8east-a11y]

Hi Corey, my setup also works now on my iPhone. I can now use chrome and talk to CAAL on my iPhone when I am away from home. Thanks for helping us out. Hope you are enjoying your trip.

[qmmatei-boop]

This is the setup that worked for me:

1. make sure that Tailscale is running on android (as I noticed that it tends to shutdown after a while)
2. CAAL_HOST_IP=100.10........ the Tailscale IP
3. HTTPS_DOMAIN=desk............. the Tailscale domain name
4. TURN_TLS_PORT=5349 - a random open port, as the 443 port was used by docker for some reason

I should note that the"Option 2: Dual-access (LAN + remote, no browser warnings)" didn't work for me, I had to use CAAL_HOST_IP=100.10....IP instead of CAAL_HOST_IP=192.168.x.x .

[nerd8east-a11y]

My setup matches your first three bullet points (I am running Tailscale on iPhone though), but I did not have to change the TURN_TLS_PORT. I am also running with both Taiscale IP and Tailscale domain name on my .env file.
Mixing the local IP with the Tailscale domain did not work for me either.

[qmmatei-boop]

The down side of using the mixed Tailscale IP and domain, is that if I use a n8n_create_caal_tool workflow (witch I'm working on right now and it's one of the reasons I stated using CAAL), the announcement and reload-tools nodes don't work. So it's a trade off right now, remote CAAL access with no n8n meta tool access or local CAAL access with n8n tools.
Maybe I'm doing something wrong, I don't know yet, I'm still testing.