I’m pretty new to Immich, and I want to use it for me and my dad. But currently, all three options have red flags for me:
VPN to home network: it requires me to use a VPN constantly on my phone, my dad’s phone and my computer, and I really don’t want to constantly use a VPN on the three devices for obvious reasons
Tailscale: I liked it at first, very easy to use, no compromise, but I noticed that when Tailscale is enabled, the phone doesn’t have any Internet access, but this issue doesn’t exist on the PC
Reverse proxy: I really just don’t have the skills for it
So I am going to give you some bad news. A reverse proxy is your best option. That’s what I use currently through Cloudflare. It’s free and although it takes some setting up, it is better than just opening up your ports to the public.
NGINX Proxy Manager is easy to deploy and has a GUI to use. My NPM is port forwarded but only to Cloudflare’s IP addresses. Any public ping of my services shows CF’s IP and not my own. Their SSL certs are free and you can even use Let’s Encrypt if you own your own domain.
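A concrete way to enforce the "port forwarded but only to Cloudflare's IP addresses" part of the post above, as an added example (not code from this thread, from NPM or from Cloudflare): a POSIX sh script that prints firewall rules restricting ports 80/443 to a list of Cloudflare edge ranges and checks whether a given source address falls inside them. The range list embedded here is a constructed sample for an offline demo; the real, current list is published at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 and must be fetched from there and refreshed periodically. The function names are my own.

```shell
#!/bin/sh
# Added example: restrict a port-forwarded reverse proxy so only Cloudflare's
# edge can reach ports 80/443. Sample ranges are CONSTRUCTED for an offline
# demo; replace with the published list from https://www.cloudflare.com/ips-v4.
SAMPLE_CF_RANGES="173.245.48.0/20
103.21.244.0/22
198.41.128.0/17"

# ip_to_int A.B.C.D -> unsigned 32-bit integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> exit 0 if IP lies inside CIDR (IPv4 only)
in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( 4294967295 - ((1 << (32 - bits)) - 1) ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# is_cf_origin IP RANGES -> exit 0 if IP is inside any listed range
is_cf_origin() {
    printf '%s\n' "$2" | {
        while IFS= read -r cidr; do
            [ -n "$cidr" ] || continue
            if in_cidr "$1" "$cidr"; then exit 0; fi
        done
        exit 1
    }
}

# cf_allow_rules RANGES -> prints iptables commands: accept 80/443 from each
# range, then drop 80/443 from everyone else. Printed, not applied, so the
# rules can be reviewed (and adapted to nftables/ufw) before use.
cf_allow_rules() {
    printf '%s\n' "$1" | while IFS= read -r cidr; do
        [ -n "$cidr" ] || continue
        for port in 80 443; do
            printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$cidr"
        done
    done
    for port in 80 443; do
        printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
    done
}

# Demo: show the rules and classify two source addresses.
cf_allow_rules "$SAMPLE_CF_RANGES"
for src in 173.245.48.10 8.8.8.8; do
    if is_cf_origin "$src" "$SAMPLE_CF_RANGES"; then
        echo "$src: Cloudflare edge (allowed)"
    else
        echo "$src: not Cloudflare (would be dropped)"
    fi
done
```

The DROP rules at the end are what make the allowlist meaningful: without them, forwarding 80/443 from the router still lets anyone who discovers the home IP bypass Cloudflare and hit NPM directly.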
VPN to home network. There are pretty advanced VPN apps like Surge (iOS) that allow you to keep it on all the time and just proxy specific traffic to your home (e.g. Immich) and let other connections use the current network or other VPNs/proxies.
I use a WireGuard server on Unraid, and a Surge WireGuard client to expose my home network to my personal devices. Leave it on all the time so I can override cellular DNS and maintain privacy by monitoring and routing my phone traffic.
Cloudflare tunnel works pretty good. One benefit is you don’t need to open any public facing ports on your router (but of course all data goes through Cloudflare servers, so they could technically ‘see’ the traffic, which is a tradeoff, but I think that’s better than exposing your home server out to the internet by opening ports). Just need a registered domain added to Cloudflare and a Cloudflare tunnel client app running on the Immich server that proxies everything over the tunnel to Cloudflare (from inside the home/LAN network to out, so no need to open ports on the public facing home router/firewall). I’ve been using it for a while, it’s pretty similar to accessing over LAN. Photo/video uploads work well too over the remote/tunnel connection.
VPN. Don’t know the “obvious problems” but they don’t really exist.
I have local only, no external access into it (I have other apps through a reverse proxy but Immich is sensible). It just uploads my photos when I’m at home.
Immich is configured in my phone to wait for wifi; if I’m connected to another wifi it just doesn’t sync, no problems at all. I miss an option to “wait for X wifi” or “wait for X vpn” but it’s ok this way. I don’t need immediate sync.
Tailscale all the way, especially if you are behind CGNAT. I do have internet on my mobile using my mobile service provider when I am connecting to the Immich server at home via Tailscale.
I have set up the domain name to local IP mapping 192.168.x.y in PiHole hosted at home. Exposed the home network (will change to specific IPs after some more tuning) subnet on the Tailscale node (so the node is essentially acting as a Tailscale subnet router). Tailscale tailnet DNS is pointed to the Tailscale node where the PiHole is also running (make sure to switch the override to ON). Now I can access the Immich server with the same domain name from both inside home or outside using the tailnet.
Refer https://www.reddit.com/r/Tailscale/comments/1aiwtpm/how_to_access_services_using_local_domain_names/
If you have a public IP, better to set up your own WireGuard VPN, it will have a lot more control.
To the moderators, please excuse the other photo app in the diagram. I had drawn this for a help post on the tailnet sub. I was not sure if there is any limitation to either app using the tailnet, hence both were under consideration.
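The subnet-router plus Pi-hole arrangement the post above describes, written out as an added example script (my own, not from the poster, Tailscale or Pi-hole). It prints the sysctl settings, the `tailscale up` invocation and the Pi-hole local DNS record rather than applying them, so each can be reviewed first. The LAN subnet, the Immich host address and the hostname are constructed values, and the script assumes Pi-hole v5's `/etc/pihole/custom.list` layout for local records (adjust for other versions).

```shell
#!/bin/sh
# Added example: turn the node that runs Pi-hole into a Tailscale subnet
# router so one hostname resolves to the Immich LAN address both at home
# and over the tailnet. All addresses/names below are CONSTRUCTED.

# valid_cidr A.B.C.D/N -> exit 0 if the string is a plausible IPv4 CIDR
valid_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# sysctl_forwarding_conf -> content for /etc/sysctl.d/99-tailscale.conf;
# a subnet router must forward packets between the tailnet and the LAN.
sysctl_forwarding_conf() {
    printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n'
}

# tailscale_router_cmd LAN_CIDR -> the tailscale command to advertise the LAN.
# --accept-dns=false stops this node from using itself (via tailnet DNS) as
# its own upstream resolver once the tailnet nameserver points here.
tailscale_router_cmd() {
    valid_cidr "$1" || { echo "bad CIDR: $1" >&2; return 1; }
    printf 'tailscale up --advertise-routes=%s --accept-dns=false\n' "$1"
}

# pihole_local_record IP NAME -> one line for /etc/pihole/custom.list
# (Pi-hole v5 local DNS records: "<ip> <name>").
pihole_local_record() {
    printf '%s %s\n' "$1" "$2"
}

# Demo: print what would be written/run; apply by hand after review.
LAN=192.168.1.0/24          # constructed
IMMICH_IP=192.168.1.20      # constructed
NAME=photos.home.lan        # constructed
echo "# /etc/sysctl.d/99-tailscale.conf"; sysctl_forwarding_conf
echo "# then: sudo sysctl -p /etc/sysctl.d/99-tailscale.conf"
echo "# advertise the LAN (approve the route in the Tailscale admin console afterwards):"
tailscale_router_cmd "$LAN"
echo "# /etc/pihole/custom.list entry, then: pihole restartdns"
pihole_local_record "$IMMICH_IP" "$NAME"
echo "# finally: set the tailnet DNS nameserver to this node and enable 'Override local DNS'"
```

Advertising a whole /24 exposes every LAN host to every tailnet device; narrowing the advertised route to the Immich host (a /32), as the poster plans to, is the least-privilege version of the same setup.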
I’d say Tailscale might be worth troubleshooting further since it’s usually pretty straightforward and secure. Maybe check their forums or support for the mobile issue, could be a simple fix.
WireGuard (and I think many VPNs) has the ability to only route local traffic through the VPN and just use the regular internet for normal traffic, so there really isn’t much of a downside to this approach if you’re worried about speeds or something.
If you’re worried about battery, in my testing I haven’t found WireGuard to have any noticeable impact either.
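The "only route local traffic through the VPN" setup this comment (and the Surge/WireGuard comment earlier in the thread) refers to is expressed in WireGuard entirely through the peer's `AllowedIPs`. Below, as an added example that is not from the thread or from the WireGuard project, a sh script generates a split-tunnel client config and checks that no default route is routed through the tunnel. Keys, the endpoint and all addresses are placeholders or constructed values; the function names are my own.

```shell
#!/bin/sh
# Added example: generate a WireGuard client config that sends only the home
# LAN (where Immich lives) and the tunnel subnet through the VPN; all other
# traffic keeps using the phone's normal connection. Keys, addresses and the
# endpoint are placeholders/constructed values.

# wg_client_conf HOME_LAN TUNNEL_NET CLIENT_ADDR ENDPOINT -> prints the config
wg_client_conf() {
    cat <<EOF
[Interface]
# generate with: wg genkey | tee client.key | wg pubkey > client.pub
PrivateKey = <client private key>
Address = $3
# Optional: use the home resolver over the tunnel so names like photos.home.lan
# work; omit the line to keep the carrier's DNS for everything.
DNS = 192.168.1.53

[Peer]
PublicKey = <server public key>
Endpoint = $4
# Split tunnel: only these destinations are routed via WireGuard.
# A full tunnel would use 0.0.0.0/0, ::/0 here instead.
AllowedIPs = $1, $2
PersistentKeepalive = 25
EOF
}

# wg_is_split_tunnel (reads a config on stdin) -> exit 0 if no AllowedIPs line
# captures all traffic, 1 if one contains a default route.
wg_is_split_tunnel() {
    if grep -Ei '^[[:space:]]*AllowedIPs' | grep -Eq '0\.0\.0\.0/0|::/0'; then
        return 1
    fi
    return 0
}

# Demo: home LAN 192.168.1.0/24, tunnel 10.8.0.0/24, this client is 10.8.0.2
conf=$(wg_client_conf 192.168.1.0/24 10.8.0.0/24 10.8.0.2/32 vpn.example.com:51820)
printf '%s\n' "$conf"
if printf '%s\n' "$conf" | wg_is_split_tunnel; then
    echo "check: split tunnel (only home traffic goes through the VPN)"
else
    echo "check: full tunnel"
fi
```

With `AllowedIPs` limited like this the phone keeps its normal Internet path, which is the behaviour the original poster was missing; the cost is that only the listed destinations get the tunnel's protection, so anything else (including DNS, unless the `DNS` line is kept) travels as it would without the VPN.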
If your phone is losing its Internet connection when connected to Tailscale, something is wrong.
As a point of clarification, Tailscale is one kind of VPN.
But if you want to be able to access Immich from any device, regardless of whether it has a VPN client (including a Tailscale client), a reverse proxy is your best bet.
Another poster recommended NPM, which I use as well. It’s not as complicated as it might seem. If you can set up an Immich container, you can set up an NPM container. Then you forward ports 80 and 443 on your router to NPM.
You’ll need a DDNS service on your network as well (my Asus router has its own, for free). Let’s say that gets you a name like immichnewbie.asuscomm.com. Register a domain name and edit the CNAME records to point a subdomain to the DDNS name. For example, point photos.mynewdomain.com to immichnewbie.asuscomm.com.
Lastly, within NPM, create an entry that points any request for photos.mynewdomain.com to your LOCAL IP address and port for Immich. (If they’re on the same docker network, you can do this with the immich service name instead of the IP address). NPM can automatically request an SSL certificate from Let’s Encrypt so that photos.mynewdomain.com works over https.
Some people prefer other reverse proxies, like Caddy or Traefik. The concepts are the same but the approach to configuring them is a little different.
As of right now I use a WireGuard server on my UDM Pro. I set up an automation on my iPhone to turn off the VPN while I am on my home Wifi, and turn on the VPN anytime that I am away from my home Wifi. So far it seems to work pretty good. I don’t understand the “obvious reasons” either. Setting up VPN clients on my UDM Pro is pretty seamless.
I wish I could use Cloudflare for my Plex and Channels DVR but that goes against TOS and Channels doesn’t work with Cloudflare. I would love to get rid of my static IP but unfortunately I can’t.
Personally I used the nginx manager GUI to set up a reverse proxy using a free dynamic DNS from afraid.org using their generated cron job example that I copied and pasted into crontab -e. I set up nginx manager in docker in network host mode, so I can forward to localhost port 2283 in nginx manager so the only ports open in my firewall are 80 and 443 for https. Only connect via https to avoid man-in-the-middle attacks.
If you are using ipv4 you might need to port forward ports 80 and 443 in your router settings and set a static IP. I personally use ipv6 as it provides less latency in my case.
It doesn’t require any more skills than it takes to set up Immich in the first place… So it’s not too hard
I’m a mix between Tailscale and Nginx Proxy Manager. One issue I kept running into with Nginx Proxy Manager with Immich is that when I upload a large photo or video on the website, it throws me an error every time because the file is too big. I tried to fix the Nginx Proxy max body size in the configuration but still didn’t work for some reason. However, if I upload it through my phone with the website URL, it doesn’t give me any errors. Currently, I’m transitioning to use Tailscale more because I’m running Headscale which manages my VPN connection (doesn’t go through Tailscale servers to relay to my server). Plus it’s more secure than https.
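The NPM walkthrough earlier in the thread (forward 80/443, DDNS name, CNAME, proxy host with a Let's Encrypt certificate) and the "file is too big" error in the comment above both come down to the nginx server block that ends up in front of Immich. Below, as an added example that is not from the thread, from NPM or from the Immich project, a sh function prints a complete nginx site for Immich with the directives large uploads and the mobile app's WebSocket connection need. The domain, upstream address and certificate paths are placeholders and the function name is my own; in NGINX Proxy Manager the non-TLS directives go into the proxy host's Advanced tab (custom nginx configuration) instead of a file.

```shell
#!/bin/sh
# Added example: nginx reverse-proxy site for Immich. DOMAIN, UPSTREAM and
# the certificate paths are placeholders; the file is printed for review.

# immich_nginx_site DOMAIN UPSTREAM -> prints the nginx config
immich_nginx_site() {
    cat <<EOF
server {
    listen 80;
    server_name $1;
    return 301 https://\$host\$request_uri;   # plain HTTP only redirects
}

server {
    listen 443 ssl;
    server_name $1;
    ssl_certificate     /etc/letsencrypt/live/$1/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$1/privkey.pem;

    # Large photo/video uploads: nginx's default client_max_body_size is 1m,
    # which rejects them with 413. Raise it well above your largest file
    # (or use 0 to disable the limit) and give slow uploads time to finish.
    client_max_body_size 50000M;
    proxy_read_timeout   600s;
    proxy_send_timeout   600s;
    send_timeout         600s;

    location / {
        proxy_pass http://$2;
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        # Immich keeps a WebSocket open for live updates
        proxy_http_version 1.1;
        proxy_set_header Upgrade    \$http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
EOF
}

# Demo: the proxy listens on the public name and forwards to the Immich
# container on the host (constructed values).
immich_nginx_site photos.example.com 127.0.0.1:2283
```

Two checks worth doing when the upload error persists after raising `client_max_body_size`: confirm the directive actually landed in the server block that serves the Immich host (in NPM, the Advanced tab of that proxy host, then reload), and remember that if the site is proxied through Cloudflare, Cloudflare applies its own per-request upload limit (100 MB on the free plan) before the request ever reaches nginx.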
What about not using any encryption? The docs say that it’ll raise a security issue on the client browser, but what if the client is using the app?
Edit: btw, where could there be a tutorial on how to set up the reverse proxy for Immich? I don’t really see any tutorial on how to set it up in the docs, even though it’s said that it’s complex to set up
You can also create a tunnel to a local NPM and protect the access through their “Access” app.
On the Immich side, Google authentication can be used directly through OAuth so you can have the best of both worlds.