Using clients for both external and local access

Hello everybody,

I am running Nextcloud on a local server through Docker and it is running well when accessing it locally without encryption.


  • Allow external access through a cloudflared tunnel
    • This makes it so I don’t need to open any port or publish my personal IP address in a DNS
  • Allow LAN access
  • Have desktop and mobile apps automatically use either the tunnel or the local IP depending on which one’s available

Tentative solution

I have managed to give external access through cloudflared.

The web access worked well and was properly encrypted, but to access it with desktop apps I needed to force HTTPS in the config:
'overwriteprotocol' => 'https',

Forcing HTTPS made local access impossible as I have no certificate configured.

Also, even if I managed to enable local access, I am not sure how I would do to connect clients to both local and tunnel connections to the same Nextcloud instance.

I have read multiple threads here regarding cloudflared and none have seemed to address my issue.


  • What is the best practice to share an unsecured server through an SSH tunnel? Is it possible to not require 'overwriteprotocol' => 'https'?

  • How to configure Nextcloud clients so they use an SSH tunnel when out, and a direct connection when on LAN?

After reflecting on it a bit more I think I found the way I should solve this:

  • Have a local DNS entry for my VPN so it gets routed locally

  • Use a self-signed certificate for local HTTPS access

Is that the right approach?

I would never recommend you to use self-signed certificates - it’s hard to distributed them to every client, you can’t share files with other (as they don’t trust your cert). Best approach is to get public DNS and Letsencrypt TLS cert which trusted by all important clients from the beginning.

take a look at this discussion, I think it gives you a good starting point:

Search for “split brain dns”, “split horizon dns”, “rebind protection”