VPN Networking — Tailscale

Tailscale creates a secure WireGuard-based mesh network between your devices. Once connected, your Gumm CLI and dashboard communicate over encrypted private IPs regardless of where each device physically is — at home, at work, or on mobile data.

Control plane location: Toronto, Canada
Best for: North American users, general-purpose mesh, quick setup


Why use VPN with Gumm?

Without a VPN, exposing Gumm on a public port means anyone on the internet can attempt to reach your assistant’s API. With Tailscale:

  • Your Gumm server binds to its private VPN IP — not visible to the public internet
  • The CLI connects to Gumm via the VPN IP, even from different networks
  • All traffic between CLI and server is end-to-end encrypted by WireGuard
  • No firewall rules or port forwarding required

Prerequisites

  • A free Tailscale account — sign up at tailscale.com
  • Tailscale installed on every device you want to connect (including the server)

Step 1 — Install Tailscale on your machines

Platform                Command
macOS                   brew install tailscale or download the app
Linux (Debian/Ubuntu)   curl -fsSL https://tailscale.com/install.sh | sh
Windows                 Download the installer
Docker (Gumm server)    Already bundled in the Gumm image — no extra install needed

Step 2 — Authenticate your machines

On each device (except the Docker-hosted Gumm brain, which is configured differently):

tailscale up

This opens a browser for authentication. Log in with your Tailscale account. The device will appear in your Tailscale admin console.


Step 3 — Configure Gumm (Docker) to use Tailscale

The Gumm Docker image has Tailscale built in. Configuration is done entirely through the dashboard.

  1. Open your Gumm dashboard
  2. Go to Settings → VPN Networking
  3. Select Tailscale as the network mode
  4. Enter:
    • Auth Key — a Tailscale auth key (generate one in the Tailscale admin console)
    • Hostname — e.g. gumm-server (how this node appears in your tailnet)
  5. Click Connect

Auth key type: Use a reusable auth key so the key survives container restarts. For extra security, use an ephemeral key (auto-expires when the container stops).

The brain connects to your tailnet and displays its Tailscale IP (e.g. 100.x.y.z).


Step 4 — Bind Gumm to the VPN IP only

To prevent Gumm from being reachable on the public internet, set VPN_BIND_IP in your .env:

# Replace with your Gumm container's actual Tailscale IP
VPN_BIND_IP=100.x.y.z

Then restart:

docker compose up -d

Now Gumm only accepts connections from devices on your tailnet.
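
To check the result of Step 4 rather than assume it, this added example (not part of Gumm or its documentation) validates that VPN_BIND_IP is a real address in 100.64.0.0/10, the range Tailscale assigns from, and not the unreplaced 100.x.y.z placeholder. It then flags any listener on the Gumm port that is bound to a different address. The function names, port 3000 (taken from Step 5), and running ss (iproute2) in the network namespace where Gumm listens are assumptions.

```shell
#!/bin/sh
# Added example, not Gumm project code. Assumes ss (iproute2) and port 3000 from Step 5.

# True if $1 is an IPv4 address in 100.64.0.0/10, the range Tailscale assigns from.
is_tailscale_ip() {
  ip=$1
  case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
  done
  [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]
}

# Print the last VPN_BIND_IP value in env file $1, without quotes or a trailing CR.
env_bind_ip() {
  sed -n 's/^VPN_BIND_IP=//p' "$1" | tail -n 1 | tr -d "\"'\r"
}

# Read `ss -ltnH` lines on stdin; print local addresses listening on port $2 other than $1.
exposed_listeners() {
  awk -v ip="$1" -v port="$2" '
    $1 == "LISTEN" {
      n = split($4, parts, ":")
      if (parts[n] != port) next
      addr = substr($4, 1, length($4) - length(parts[n]) - 1)
      if (addr != ip) print addr
    }'
}

# Usage: ss -ltnH | check_bind .env 3000
check_bind() {
  bind_ip=$(env_bind_ip "$1")
  if ! is_tailscale_ip "$bind_ip"; then
    echo "FAIL: VPN_BIND_IP='$bind_ip' is not a 100.64.0.0/10 address"
    return 1
  fi
  exposed=$(exposed_listeners "$bind_ip" "$2")
  if [ -n "$exposed" ]; then
    echo "FAIL: port $2 also listens on: $(echo "$exposed" | tr '\n' ' ')"
    return 1
  fi
  echo "OK: no listener on port $2 outside $bind_ip"
}

if [ "$#" -eq 2 ]; then ss -ltnH | check_bind "$1" "$2"; fi
```

A wildcard listener (0.0.0.0, [::] or *) on the Gumm port means the service is still reachable on every interface, so the check reports FAIL even when the tailnet address is also listening.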


Step 5 — Connect the CLI

On any machine where you’ve installed the Gumm CLI and connected Tailscale:

# Point the CLI at the VPN IP of your Gumm brain
gumm connect http://100.x.y.z:3000

# Log in
gumm login

# Verify
gumm status

Since both machines are on the same tailnet, this works from any network.


Optional: HTTPS with Tailscale certificates

Tailscale can issue TLS certificates for your node’s .ts.net hostname. Enable the feature under Settings → DNS → HTTPS Certificates in the Tailscale admin console, then generate the certificate:

# On the Gumm server host, generate the cert
tailscale cert gumm-server.your-tailnet.ts.net

Then enable Caddy in docker-compose with:

CADDY_DOMAIN=gumm-server.your-tailnet.ts.net
docker compose --profile proxy up -d

Your dashboard is now accessible at https://gumm-server.your-tailnet.ts.net with a valid TLS certificate, reachable only from tailnet members.


Troubleshooting

Problem                                          Solution
Container won’t start after adding VPN_BIND_IP   Tailscale may not have connected yet and assigned the IP. Check docker compose logs gumm.
CLI can’t reach the brain                        Run tailscale status on both machines and confirm they’re listed as connected.
Auth key rejected                                Keys expire. Generate a new reusable key in the Tailscale admin console.
100.x.y.z IP changed                             Tailscale IPs are stable once assigned. If it changed, check for duplicate node registrations.

Check status

# From the CLI
gumm network status

# Or inside the container
docker compose exec gumm tailscale status