Cannot connect OpenCode Mobile to VPN-only opencode serve endpoint

[entin-hun]

Summary

OpenCode Mobile cannot connect to a Tailnet-only OpenCode server, even though the server is reachable from Safari on the iPhone and responds correctly from the VPS.

I want to use the mobile app against a private Tailscale endpoint, without public exposure and without the opencode web password gate.

Environment

• Server OS: Debian 12
• OpenCode version: 1.16.2
• Tailscale IP: 100.82.119.xxx (same if I try with its alphabetic vps.tailxx962.ts.net )
• Public IP intentionally not used
• Mobile app repo: doza62/opencode-mobile

What I tried

1. opencode web behind Tailnet only

Systemd service bound to Tailscale IP:

ExecStart=/home/debian/.opencode/bin/opencode web --hostname 100.82.119.xxx --port 4096

This was reachable only on Tailnet, but returned a login/password flow in Safari. That seemed wrong for the mobile app.

2. Switched to opencode serve

After reading this repo's README, I switched to:

ExecStart=/home/debian/.opencode/bin/opencode serve --hostname 100.82.119.xxx --port 4096

This seems more aligned with the app docs, which say:

• opencode attach
• or opencode serve

Validated server-side behavior

These checks were run on the VPS:

curl -i -sS -m 5 http://100.82.119.xxx:4096

Response:

HTTP/1.1 200 OK
Content-Type: text/html

Public IP is not reachable, by design:

curl -i -sS -m 5 http://xxx.xx.xxx.xxx:4096

This fails to connect.

Socket binding confirms Tailnet-only exposure:

ss -ltnp | rg '4096|opencode'

Output includes:

LISTEN 0 512 100.82.119.xxx:4096 0.0.0.0:* users:(("opencode",pid=38250,fd=17))

Service log shows:

opencode server listening on http://100.82.119.xxx:4096

iPhone behavior

• iPhone is on the same Tailnet
• Safari on iPhone can open the server URL
• The mobile app still fails to connect to the same URL

Main question

Does opencode-mobile support connecting directly to a private opencode serve endpoint like:

http://100.82.119.xxx:4096

or does it require the plugin /mobile QR / tunnel workflow even when the phone already has direct network reachability over Tailscale?

Related uncertainty

The README mixes two flows:

1. direct server mode (opencode serve)
2. plugin/tunnel/QR flow (/mobile, Cloudflare/ngrok/localtunnel)

It is not clear whether direct private LAN/Tailnet server URLs are expected to work in the app, or whether the app only supports the plugin registration path.

Request

Please clarify:

1. Whether direct opencode serve URLs are supported by the mobile app
2. If yes, what exact URL format / path / protocol the app expects
3. If no, whether private-network-only usage without a public tunnel is currently unsupported