This is only helpful for secure cross-device access to self-hosted Khoj. You do not need this if you’re using Khoj Cloud.

Overview

Tailscale simplifies creating a private VPN using WireGuard and OAuth, so you can host and access services on your devices from anywhere. The instructions below are one simple and secure way to access your self-hosted Khoj from your phone, laptop, and other devices.

Minimal Setup

1. Set up Khoj

Set up Khoj on your preferred machine following the standard steps.

2. Install Tailscale

Sign up to Tailscale and install the app on the machines you want to access Khoj from. This usually includes:
  • Your Khoj server
  • Your phone
  • Your laptop
Note the Tailscale IP of your Khoj server.

3. Start Khoj with Tailscale IP

Start Khoj on your server by including the flag:
khoj --host <your_server_tailscale_ip>

4. Access Khoj

Open http://<your_server_tailscale_ip>:42110 to access Khoj from any device on your Tailscale network!
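
A guarded way to carry out step 3, as an added example that is not part of the Khoj or Tailscale documentation: it reads the server's address with `tailscale ip -4` and starts Khoj only if that address lies in 100.64.0.0/10, the range Tailscale assigns tailnet IPv4 addresses from, so a misconfigured host never ends up listening on a LAN or public interface. The function names and the `start` argument are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the Khoj docs): bind Khoj only to a verified
# Tailscale address. Function names here are hypothetical.

# Return 0 if $1 is a dotted-quad IPv4 address inside 100.64.0.0/10.
is_tailscale_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray chars, bad dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split into octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ????*) return 1 ;; esac   # more than 3 digits
        [ "$octet" -le 255 ] || return 1
    done
    # 100.64.0.0/10 covers 100.64.0.0 through 100.127.255.255
    [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]
}

# Look up this machine's tailnet address and start Khoj bound to it.
start_khoj_on_tailnet() {
    ip=$(tailscale ip -4 2>/dev/null) || {
        echo "tailscale is not installed or not connected" >&2
        return 1
    }
    if ! is_tailscale_ipv4 "$ip"; then
        echo "refusing to bind: '$ip' is not a tailnet address" >&2
        return 1
    fi
    exec khoj --host "$ip"
}

# Run as: ./khoj-tailnet.sh start
if [ "${1:-}" = "start" ]; then
    start_khoj_on_tailnet
fi
```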

HTTPS Certificate Setup

Tailscale uses WireGuard to encrypt and route traffic between your machines, so HTTPS isn’t required for secure access over Tailscale. HTTPS is only useful here because browsers otherwise show security warnings and block certain features, such as clipboard access.

1. Enable MagicDNS and HTTPS

Enable the MagicDNS and HTTPS toggles on the DNS page of your Tailscale admin console. Note your unique Tailscale domain name (usually ends with .ts.net).

2. Generate Certificate

Create an HTTPS certificate for your Khoj server by running:
# Assuming the server is named "server" and your tailnet is "black-forest.ts.net"
# Note path of the .crt and .key files generated
tailscale cert server.black-forest.ts.net

3. Start Khoj with HTTPS

Start Khoj so that it is served via HTTPS on the standard port:
sudo KHOJ_DOMAIN=server.black-forest.ts.net \
khoj \
--sslcert /path/to/your/tailscale.crt \
--sslkey /path/to/your/tailscale.key \
--host=server.black-forest.ts.net \
--port 443

4. Access via HTTPS

You should now be able to access Khoj on https://server.black-forest.ts.net from any device on your private Tailscale network!

Benefits of Using Tailscale

Secure Access

All traffic is encrypted via the WireGuard VPN

No Port Forwarding

No need to configure your router or open firewall ports

Cross-Platform

Access from any device with Tailscale installed

Easy Setup

Simple configuration with automatic IP assignment
For more general information about remote access to self-hosted Khoj, see the Remote Access guide.
