Remote Ollama access via Tailscale or WireGuard, no public ports

Ollama is at its happiest when it is treated like a local daemon: the CLI and your apps talk to a loopback HTTP API, and the rest of the network never finds out it exists. By default, that is exactly what happens: the common local base address is on localhost port 11434. This article is about the moment you want remote access (laptop, another office machine, maybe a phone), but you do not want to publish an unauthenticated model runner to the whole internet. That intent matters, because the easiest scaling move (open a port, forward it, done) is also the move that creates the mess. A practical north star is simple: keep the Ollama API private, then make the private network path boring. Tailscale and WireGuard are two common ways to do that, and the rest is making sure the host listens only where it should and the firewall agrees. Remote device | | (private VPN path: tailscale or wireguard) v VPN interface on host (tailscale0 or wg0) | | (local hop) v Ollama server (HTTP API on localhos