Local Network Setup (Tailscale) 🔗

README: OpenAI-compatible local stack over private tailnet routing

Intro

Aegis is designed primarily to be a client for a local model running on private hardware.

Models running on iOS devices are currently not powerful enough for this experience. Once they are, we anticipate adding this.

Typical setup

  • Model host: Desktop / server running an OpenAI-compatible endpoint
  • Network fabric: Tailscale on host + iPhone
  • Client: Aegis iOS app pointing to the host Tailscale URL

Baseline architecture: iPhone and model host connect to the same private tailnet. Aegis sends requests only to that host, not public model APIs.

1) Install Tailscale

  1. Install Tailscale on your model host device.
  2. Install the Tailscale iOS app on your iPhone.
  3. Sign in with the same tailnet account/team on both devices.
  4. Verify reachability with tailscale status on the host.

2) Run an OpenAI-Compatible Server

Use any OpenAI-compatible server (for example Ollama-compatible proxy, vLLM adapter, LM Studio server, LiteLLM front door, etc.) as long as it exposes:

  • GET /v1/models
  • POST /v1/chat/completions
# Example health checks
curl -sS http://127.0.0.1:11434/v1/models
curl -sS http://127.0.0.1:11434/v1/chat/completions

3) Expose Through Tailscale Serve

Keep your model server bound to loopback (127.0.0.1) and publish it through Tailscale Serve. 

# Host machine
# Forward tailnet HTTPS traffic to local OpenAI-compatible server
tailscale serve --https=443 / http://127.0.0.1:11434

# Verify
tailscale serve status

Aegis source URL should then be set to your tailnet host, for example: 

https://<your-hostname>.<tailnet>.ts.net/v1

4) Configure Aegis

  1. Open Settings in Aegis.
  2. Add/Edit an OpenAI-compatible source.
  3. Set Base URL to your Tailscale Serve endpoint .../v1.
  4. Use Lookup Models or Test Connection to validate connectivity.

Security

You should still use an API key or auth token on the OpenAI-compatible server, even on Tailscale.

  • Tailscale already provides encrypted transport and identity-based access.
  • Server-level API auth adds a second guardrail if a tailnet node is compromised.
  • Set a strong key and store it only in Aegis source settings on your phone.
  • Do not expose the model host to public internet ports.
  • Prefer short-lived or rotated API keys.
  • Restrict tailnet ACLs to only the iPhone + trusted admin devices.
  • Keep host firewall enabled and patch model runtime regularly.