Web Access - Tailscale - ONA.UNO Docs

Secure remote access to ONA.UNO with a private network

This page explains Tailscale, a service that enables secure remote access to ONA.UNO Web Access.

Tailscale is an easy way to securely access your ONA.UNO web interface when you’re not on the same Wi‑Fi network (for example from cellular, a hotel network, or a coworking space).

It’s optional — Web Access works locally without it — but it’s the recommended way to do remote access without exposing your Mac to the public internet.

Set scope

Web Access (including via Tailscale) shows the currently selected Set only. To change libraries, switch Sets inside ONA.UNO. See Sets (Libraries).

Important

This page explains Tailscale in plain language based on our best understanding at the time of writing. It is not official Tailscale documentation and not a legal or security guarantee. For authoritative details, review Tailscale’s own documentation and policies.

Tip

Tailscale offers a free plan for personal use (at the time of writing).

What Tailscale is (in plain English)

Tailscale creates a private network (“Tailnet”) between your devices.

Once installed on your Mac and phone/tablet, your devices get private IP addresses (usually starting with 100.). Devices in the same Tailnet can talk to each other as if they were on the same local network — even when they’re not.

For ONA.UNO, that means:

  • Your phone can open http://<tailscale-ip>:8080/
  • The connection is encrypted by the Tailscale tunnel, even though the URL itself is plain http://
  • The web server is not exposed to the public internet

Why it’s secure

Tailscale is designed to be a secure “tunnel” between your devices:

  • End-to-end encrypted traffic: the connection between your devices is encrypted (WireGuard-based).
  • No public exposure: you do not need port forwarding or a public IP.
  • Access is explicit: only devices that you add to your Tailnet can connect.

Note

Tailscale tries to connect devices directly. If a direct connection isn’t possible (some networks block it), it can relay traffic via Tailscale’s DERP network. Your traffic stays end‑to‑end encrypted either way.

Direct connections vs. relays (is there a “middle-man”?)

Most of the time, devices in your Tailnet talk directly to each other (peer-to-peer). That means your Mac and your phone connect like they were on the same network, without a public server sitting in the middle of the data stream.

Sometimes a network won’t allow a direct peer-to-peer connection. In that case, Tailscale can route the encrypted packets through a relay (DERP). In that situation there is a “middle” server carrying the packets — but it still can’t read the content, because the packets are encrypted end-to-end between your devices.

What Tailscale can access (and what it can’t)

Tailscale needs some information to make your private network work, but it is not a service that can “log into” your devices or read your ONA.UNO data.

Tailscale does run a coordination service that helps your devices authenticate and find each other (think “secure address book”). This coordination step is separate from your actual traffic: your ONA.UNO Web Access pages do not get routed through a central “Tailscale server” that can read them.

What Tailscale (the service) can typically see

  • Your Tailnet account identity (who is signed in)
  • Which devices are connected to your Tailnet (device list)
  • Network metadata needed to connect devices (for example device public keys, device names, and connection/relay status)

What Tailscale can’t see or access

  • The contents of your traffic (for example the pages you view in ONA.UNO Web Access, your notes, your exports, chat content)
  • Files stored on your devices or ONA.UNO’s database
  • Your Web Access password (that’s handled by ONA.UNO)

Tip

Remote access is still under your control: only devices in your Tailnet can reach your Mac over the Tailscale network, and ONA.UNO can reject Tailscale requests unless you explicitly enable “Remote Access (Tailscale)” in Settings.

Why Google and Apple sign-in helps

Tailscale uses your sign-in (often Google or Apple) as your identity. This helps security because:

  • You don’t need to create and maintain yet another password.
  • You can rely on your existing account protections (for example strong passwords and multi-factor authentication).
  • You can manage device access from one place (your Tailnet).

Who can access your Tailnet?

Only devices that are signed in to your Tailnet can access services on that Tailnet.

In other words: nobody can “discover” your ONA.UNO web server from the outside. A device must be part of your Tailnet first.

If you ever invite other people into your Tailnet or share a device with them, they may be able to reach services on your Tailnet too — so keep Tailnet membership limited to devices and people you trust.

You can always:

  • See which devices are connected
  • Remove a device (for example if a phone is lost)

Why ONA.UNO uses Tailscale for remote access

ONA.UNO chose Tailscale because it gives you a secure remote connection without complicated setup:

  • No router configuration (no port forwarding)
  • No need to set up HTTPS certificates yourself
  • Remote access stays opt-in and private by default

You still keep control: ONA.UNO requires a Web Access password, and remote access has to be explicitly enabled in Settings.
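
An added sketch of the gate described above (not ONA.UNO's actual code): a server classifies each peer address and serves Tailscale peers only when the remote-access setting is on. The function names and the always-required password are assumptions; 100.64.0.0/10 and fd7a:115c:a1e0::/48 are the blocks Tailscale assigns device addresses from.

```python
import ipaddress

# Ranges Tailscale assigns device addresses from. 100.64.0.0/10 is also
# carrier-grade NAT space, so a match is a routing hint, not authentication;
# the password check below still applies to every request.
TAILSCALE_NETS = (
    ipaddress.ip_network("100.64.0.0/10"),
    ipaddress.ip_network("fd7a:115c:a1e0::/48"),
)


def classify_source(addr: str) -> str:
    """Return 'loopback', 'tailscale', 'local', 'public' or 'invalid'."""
    try:
        ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop IPv6 zone id
    except ValueError:
        return "invalid"
    # Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d; unwrap them so
    # a Tailscale peer is not mistaken for some other IPv6 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in TAILSCALE_NETS):
        return "tailscale"
    if ip.is_private or ip.is_link_local:
        return "local"
    return "public"


def allow_request(addr: str, remote_access_enabled: bool, password_ok: bool) -> bool:
    """Hypothetical gate: password always required (assumption), tailnet
    peers served only when the remote-access setting is enabled."""
    if not password_ok:
        return False
    origin = classify_source(addr)
    if origin in ("loopback", "local"):
        return True
    if origin == "tailscale":
        return remote_access_enabled
    return False  # public or unparseable peers fail closed


if __name__ == "__main__":
    # Constructed sample peers: tailnet, IPv4-mapped tailnet, LAN, public.
    for peer in ("100.101.102.103", "::ffff:100.101.102.103", "192.168.1.20", "8.8.8.8"):
        print(peer, classify_source(peer), allow_request(peer, False, True))
```
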

Setup checklist (for ONA.UNO)

  1. Install Tailscale on your Mac and on the device you want to use remotely.
  2. Sign in on both devices using the same account (so they are in the same Tailnet).
  3. Confirm both devices show as Connected in the Tailscale app.
  4. In ONA.UNO → Settings → Web Access, turn on “Enable Remote Access (Tailscale)”.
  5. Open the Tailscale IP URL listed in Settings (it looks like http://100.x.x.x:8080/). Tip: use Copy Tailscale URL to copy it.

Troubleshooting

  • The Tailscale URL doesn’t load: make sure both devices are connected in Tailscale and ONA.UNO’s web server is running.
  • It works on Wi‑Fi but not on cellular: ensure Tailscale is enabled on your phone and remote access is enabled in ONA.UNO Settings.
  • A device should no longer have access: remove it from your Tailnet (in the Tailscale admin / device list).