
Using proxy, VPN, and other

Grigory Efimov edited this page May 13, 2025 · 1 revision

Access to the server

At the moment, there is no way to enforce access restrictions for users at the server level.
This means that a self-hosted server is always "public" — any user with network access to the server can create accounts, spaces, upload files, etc.
If you want to restrict access, use a VPN, IP-based firewall rules, or similar network-level methods.

Using a proxy

The server operates over the gRPC protocol with custom encryption.
Therefore, HTTP/HTTPS reverse proxies will NOT work!
You need to use a regular TCP/UDP proxy.

Using a VPN

You can use any VPN solution, such as self-hosted OpenVPN, Tailscale, or others.
For proper P2P synchronization between clients, client-to-client traffic must be allowed within the VPN network (for OpenVPN, use --client-to-client).

Known issues

  1. Tailscale blocks mDNS traffic, which prevents P2P synchronization from working.
    Only server-based synchronization is available in this case.

Access configuration

Regardless of the solution you use (TCP/UDP proxy, VPN, or other), the principle of configuring access to the server is always the same:

  1. The DNS hostname or IP address of the server, through which clients can reach it over the network, must be added to EXTERNAL_LISTEN_HOSTS.
  2. You need to provide clients with access to the server's ports:
    Configure firewall access, port forwarding if necessary, and other related settings.
    You can find an example of iptables configuration for the default setup here.
  3. Make sure the client can reach the server. You can simply use telnet <server> 1001, or the any-sync-netcheck utility.
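
The following shell example is added here and is not part of the any-sync project or of the iptables configuration referenced in step 2. It prints iptables commands that admit only one trusted source range to the server's ports, which is the IP-based restriction recommended under "Access to the server". The range 10.8.0.0/24 and the INPUT chain are assumptions; 1001 is the port used in step 3.

```shell
#!/bin/sh
# Added example (not from the any-sync project): print iptables commands that
# limit the server's ports to one trusted IPv4 range, e.g. the VPN subnet.
# 10.8.0.0/24 is a constructed sample range; 1001 is the port named on the page.

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_cidr4() {
    addr=${1%/*}; bits=${1#*/}
    [ "$addr" != "$1" ] || return 1              # a /prefix is required
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    # /0 would match every source and restrict nothing, so refuse it
    [ "$bits" -ge 1 ] && [ "$bits" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# emit_rules CIDR PROTO PORT...
# Per port: accept the trusted range, then drop every other source.
emit_rules() {
    cidr=$1; proto=$2
    [ $# -ge 3 ] || { echo "usage: emit_rules CIDR tcp|udp PORT..." >&2; return 1; }
    shift 2
    valid_cidr4 "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
    case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    # Validate everything before printing, so a typo never yields a partial ruleset.
    for port in "$@"; do
        valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    done
    for port in "$@"; do
        echo "iptables -A INPUT -p $proto --dport $port -s $cidr -j ACCEPT"
        echo "iptables -A INPUT -p $proto --dport $port -j DROP"
    done
}

emit_rules 10.8.0.0/24 tcp 1001
```

Review the printed commands before running them as root. Because they are appended with -A, any broader ACCEPT rule already in the chain is evaluated first.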