Private and Self-Hosted VSCode: Harnessing code-server via Tailscale

I frequently leave my computer at home. My personal daily driver is a 2015 15-inch MacBook Pro that runs bare metal Arch Linux (btw). It's bulky, heavy, and with a 4th generation Intel CPU, it runs hot. If I'm headed out and about, I'm inclined to throw my M1 iPad Pro in the bag for the day instead.

In recent years, Apple has made more of an attempt to make the iPad fully featured (see their infamous "What's a computer?" advertisement from 2018). This may be true for content creators and casual users, but as of 2024, it's just not true for developers. Options for IDEs on the iPad are limited and iPadOS's file system isn't really up to the task anyways.

Enter code-server

code-server is an awesome project by the folks at Coder that lets you self-host an instance of VSCode and run it in the browser. Although not identical, it more or less provides the same functionality as a GitHub Codespace in a self-hosted package. It provides full feature parity for VSCode and on an iPad, it allows you to use it as a progressive web app. It really feels like VSCode is on device. The ergonomics are good. So good, I even wrote this post on my iPad immediately after installing it on a VM in my homelab!

VSCode in the browser on an iPad

There is, however, one prominent elephant in the room. code-server provides full access to the computer it is running on via the built-in terminal.

Let's talk about security

Because of the aforementioned full, unrestricted access to your computer, it is immensely important to lock down access to this interface. The documentation provides several avenues to secure your instance and they are all very good.

Port forwarding is probably the easiest route for most folks who want to access code-server from a single because you don't have to mess with reverse proxies or SSL certificates. The downside being port forwarding needs to be configured on each device that wants to access the server. To my knowledege, only the Termius app supports port forwarding, but there may be other iPad apps that can provide that functionality too. If this applies to you, great! If you want to access the code-server instance from other devices without configuring port forwards each time or want to access the instance via a custom domain with HTTPS, we have better options.

The documentation recommends NGINX and Caddy for reverse proxies, but the way they documented the configuration requires the instance be exposed to the Internet and have its HTTP and HTTPS ports exposed.

What if we could have a reverse proxy serving only a "local network" but those machines could be anywhere in the world?

By default, code-server binds to 127.0.0.1:8080, the local loopback interface, and can only be accessed on the local machine. In order to allow a reverse proxy on a different computer to access code-server, I could bind it to broadcast (0.0.0.0) or to my local IP (192.X.X.X). Both of these options are undesirable because anyone on my network would then be able to access my code-server instance. This also wouldn't work if I wanted to self-host code-server in a public cloud instance. So what other options do we have?

Tailscale saves the day

Tailscale is a mesh VPN technology built on top of Wireguard that allows an individual to have virtual LAN independent of geography. By adding machines to your tailnet, they can all talk to each other without having to deal with the complexities of NAT traversal or exposing any ports. The service is well documented and they have an excellent blog that dives deep into how it all works.

Getting started with Tailscale is simple and they support several social platforms for authentication.

Once you have an account, adding a machine to your tailnet is absurdly easy and consists of a single command for Linux computers:

curl -fsSL https://tailscale.com/install.sh | sh

(Don't worry, they include a link to the script source so you can view exactly what it does before you run an arbitrary command you found in a blog post)

The Big Picture

Once both the machines running the reverse proxy and code-server are members of the tailnet, they'll both have new special network interfaces with 100.X.X.X IP addresses.

If I now expose code-server over that 100.X.X.X address, only other devices within your authenticated tailnet will be able to dial that connection.

This can be accomplished by amending the bind-addr in the ~/.config/code-server/config.yaml. Replace it with the Tailscale IP of the same machine it is running on and restart code-server.

bind-addr: 100.X.X.X:8080
auth: password
password: <your_password_here>
cert: false

Additionally, now that any machine talking to your code-server instance must be previously authenticated by Tailscale, you can safely remove code-server's default password authentication at your discretion.

bind-addr: 100.X.X.X:8080
auth: none
cert: false

Now your reverse proxy will be able to make the secure connection to your code-server instance, even if they are on two separate LANs or across the planet.