โ† Back to system overview
Subsystem deep-dive

Remote Access

Reaching the local AI stack from anywhere without putting any of it on the public internet. Two tools, two very different jobs.

The split
Private mesh vs public tunnel

The deliberate choice: a private mesh for everything personal, and a single public tunnel only for the one thing that genuinely must be reachable by an outside cloud.

🔗 Tailscale (private mesh)

Per-device, identity-based. Your machines form a private network only they can see.
Scope: your devices only
Devices: Mac + iPhone
Carries: all personal services
Public? no

โ˜๏ธ Cloudflare (public tunnel)

Per-service, URL-based. Used for exactly one thing that must be publicly reachable.
Scope: one service
Carries: n8n MCP only
Why public: Anthropic's cloud must reach it
Personal data? none
Over the mesh
What you can reach from your phone
ConnorGPT (personal-context AI) at :3000
Command Center over Tailscale HTTPS
any local service, privately
Why this way
The reasoning behind the split

Personal AI stays private

The personal-context ConnorGPT should never sit on the public internet. A private mesh keeps it reachable to you and invisible to everyone else.

Per-device, not per-service

Tailscale grants access by identity, so you don't punch a public hole for each new local service. You just add a device once.

Survives a hardware move

Because access is identity-based, not URL-based, the setup carries over to a future machine migration without re-plumbing.

Public only where forced

The Cloudflare tunnel exists solely because an outside cloud has to call the n8n MCP. Nothing personal rides it.
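
One way to check that a machine still matches this split, as an added example that is not part of the original page or its setup: classify each listener's bind address and flag anything reachable outside loopback or the tailnet, plus anything other than the n8n MCP routed through the public tunnel. The service names, the tailnet address and every port except :3000 are constructed for illustration.

```python
import ipaddress

# Address ranges Tailscale assigns to nodes (IPv4 CGNAT block and its IPv6 ULA prefix).
TAILNET = [ipaddress.ip_network("100.64.0.0/10"),
           ipaddress.ip_network("fd7a:115c:a1e0::/48")]
PUBLIC_ALLOWED = {"n8n-mcp"}  # the only service the page routes through the public tunnel


def exposure(bind_addr):
    """Classify a bind address by who can reach a socket listening on it."""
    ip = ipaddress.ip_address(bind_addr)
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in TAILNET):
        return "tailnet"
    if ip.is_unspecified:
        return "all-interfaces"
    return "lan-or-public"


def audit(listeners, tunnel_routes):
    """Return findings where the inventory departs from the mesh/tunnel split."""
    findings = []
    for name, addr, port in listeners:
        kind = exposure(addr)
        if kind not in ("loopback", "tailnet"):
            findings.append(f"{name} listens on {addr}:{port} ({kind}), reachable outside the mesh")
    for name in sorted(set(tunnel_routes) - PUBLIC_ALLOWED):
        findings.append(f"{name} is routed through the public tunnel")
    return findings


# Constructed inventory: names, addresses and ports other than :3000 are assumed.
LISTENERS = [
    ("connorgpt", "127.0.0.1", 3000),
    ("command-center", "100.101.102.103", 8443),
    ("n8n-mcp", "127.0.0.1", 5678),
    ("notes-api", "0.0.0.0", 8080),  # hypothetical misconfiguration
]

if __name__ == "__main__":
    for finding in audit(LISTENERS, ["n8n-mcp", "connorgpt"]):
        print("FINDING:", finding)
```

A wildcard bind is flagged even when a host firewall would block it, because the bind address is the part of the exposure this check can see.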