Immich•3w ago

Using wireguard to expose Immich to internet?

Hi, so I've got a box at home that I've installed wireguard on, and I've distributed keys to clients (ie, I can successfully connect to the VPN via my phone)

I've set up DDNS to point

my-domain.net

my-domain.net

my-domain.net

my-domain.net to this box, and that works successfully. I've also set up port forwarding of 2283 on my router

Now, I'd like to set Immich up so that it's acessible via

my-domain.net:2283

my-domain.net:2283

my-domain.net:2283

my-domain.net:2283, but only if the client is logged on to the VPN. At least, this is what I think I want based on https://docs.immich.app/guides/remote-access/, but the linked pihole documentation isn't really clear on how exactly to set this up :/

Anyways, I can successfully start the immich server on my box via docker

...
services:
  immich-server:
    container_name: immich_server
...
    env_file:
      - .env
    ports:
      - '2283:2283'

...
services:
  immich-server:
    container_name: immich_server
...
    env_file:
      - .env
    ports:
      - '2283:2283'

...
services:
  immich-server:
    container_name: immich_server
...
    env_file:
      - .env
    ports:
      - '2283:2283'

...
services:
  immich-server:
    container_name: immich_server
...
    env_file:
      - .env
    ports:
      - '2283:2283'

But naturally, this just exposes

my-domain.net:2283

my-domain.net:2283

my-domain.net:2283

my-domain.net:2283 for the world to see. So I'm wondering, what am I missing here?

My wireguard configuration

[Interface]
Address = 10.100.0.1/24, fd08:4711::1/64
ListenPort = 47111
PrivateKey = ---

# lg-phone
[Peer]
PublicKey = ---
PresharedKey = ---
AllowedIPs = 10.100.0.2/32, fd08:4711::2/128

[Interface]
Address = 10.100.0.1/24, fd08:4711::1/64
ListenPort = 47111
PrivateKey = ---

# lg-phone
[Peer]
PublicKey = ---
PresharedKey = ---
AllowedIPs = 10.100.0.2/32, fd08:4711::2/128

[Interface]
Address = 10.100.0.1/24, fd08:4711::1/64
ListenPort = 47111
PrivateKey = ---

# lg-phone
[Peer]
PublicKey = ---
PresharedKey = ---
AllowedIPs = 10.100.0.2/32, fd08:4711::2/128

[Interface]
Address = 10.100.0.1/24, fd08:4711::1/64
ListenPort = 47111
PrivateKey = ---

# lg-phone
[Peer]
PublicKey = ---
PresharedKey = ---
AllowedIPs = 10.100.0.2/32, fd08:4711::2/128

Immich•12/7/25, 12:55 AM

:wave: Hey @anlsh,

Thanks for reaching out to us. Please carefully read this message and follow the recommended actions. This will help us be more effective in our support effort and leave more time for building Immich immich

References

Container Logs:
```
docker compose logs
```
```
docker compose logs
```
docs
Container Status:
```
docker ps -a
```
```
docker ps -a
```
docs
Reverse Proxy: https://immich.app/docs/administration/reverse-proxy
Code Formatting https://support.discord.com/hc/en-us/articles/210298617-Markdown-Text-101-Chat-Formatting-Bold-Italic-Underline#h_01GY0DAKGXDEHE263BCAYEGFJA

Immich•12/7/25, 12:55 AM

Checklist

I have...

:ballot_box_with_check: verified I'm on the latest release(note that mobile app releases may take some time).
:ballot_box_with_check: read applicable release notes.
:ballot_box_with_check: reviewed the FAQs for known issues.
:ballot_box_with_check: reviewed Github for known issues.
:ballot_box_with_check: tried accessing Immich via local ip (without a custom reverse proxy).
:ballot_box_with_check: uploaded the relevant information (see below).
:ballot_box_with_check: tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable

(an item can be marked as "complete" by reacting with the appropriate number)

Information

In order to be able to effectively help you, we need you to provide clear information to show what the problem is. The exact details needed vary per case, but here is a list of things to consider:

Your docker-compose.yml and .env files.
Logs from all the containers and their status (see above).
All the troubleshooting steps you've tried so far.
Any recent changes you've made to Immich or your system.
Details about your system (both software/OS and hardware).
Details about your storage (filesystems, type of disks, output of commands like
```
fdisk -l
```
```
fdisk -l
```
and
```
df -h
```
```
df -h
```
).
The version of the Immich server, mobile app, and other relevant pieces.
Any other information that you think might be relevant.

Please paste files and logs with proper code formatting, and especially avoid blurry screenshots.
Without the right information we can't work out what the problem is. Help us help you ;)

If this ticket can be closed you can use the

/close

/close

command, and re-open it later if needed.

IImmich ## Checklist I have... 1. :ballot_box_with_check: verified I'm on the latest rel...

ImmichAPP•12/7/25, 1:27 AM

Successfully submitted, a tag has been added to inform contributors. :white_check_mark:

Finn•12/7/25, 1:42 AM

I've also set up port forwarding of 2283 on my router

When using VPN you should not have to forward any port on the router (except for the VPN port that is). That way you need to connect to the VPN first. When using a local DNS, then add the local IP address as a hostname, e.g. immich.my-domain.net to the IP address of your Immich server.

FFinn > I've also set up port forwarding of 2283 on my router When using VPN you shou...

anlshOP•12/7/25, 1:58 AM

Thanks, removing the port forwarding on 22832283 and using the local IP does indeed work.

A bit out of scope, do you know what I should look at to make immich.my-domain.netimmich.my-domain.net point only to port 2283? I added an address record to my DNS (i'll have to set up ddns later), but now e.g. navigating to immich.my-domain.net:80immich.my-domain.net:80 will show me Apache which seems a bit off

anlshOP•12/7/25, 1:59 AM

Or perhaps this is just fundamentally allowed by DNS? It would at least be nice if immich.12rocks.ioimmich.12rocks.io defaulted to port 2283

Finn•12/7/25, 2:13 AM

No, dns will never set a port. Browsers and apps will follow the standard 80/443. if you want that you need to either set up a proxy for Immich or change the Immich port to 80.

Using wireguard to expose Immich to internet?

References

Checklist

Information

Similar Threads

Similar Threads

References

Checklist

Information

Similar Threads