Skip to main content
OpenCode supports enterprise network environments with proxy servers, custom CA certificates, and local network discovery via mDNS (Bonjour).

Proxy Configuration

OpenCode respects standard HTTP proxy environment variables for all outbound connections to LLM providers, APIs, and external services.

Basic Setup

You must set NO_PROXY=localhost,127.0.0.1 to prevent the TUI from routing local server connections through the proxy. This would create a routing loop and break the application.

Environment Variables

HTTPS_PROXY
string
HTTPS proxy URL (recommended for encrypted proxy connections).
HTTP_PROXY
string
HTTP proxy URL (fallback if HTTPS_PROXY not set).
NO_PROXY
string
Comma-separated list of hosts to bypass proxy. Must include localhost,127.0.0.1 for OpenCode to function.
ALL_PROXY
string
Generic proxy for all protocols (least specific, use HTTPS_PROXY/HTTP_PROXY when possible).

Proxy Authentication

Include credentials directly in the proxy URL:
Security Best Practices:
  • Never hardcode passwords in scripts committed to version control
  • Use environment variable substitution: http://${PROXY_USER}:${PROXY_PASS}@proxy.example.com:8080
  • Consider using an LLM Gateway for advanced auth (NTLM, Kerberos)
  • Rotate credentials regularly

Advanced Authentication Methods

For proxies requiring NTLM, Kerberos, or certificate-based auth:
1

Deploy an LLM Gateway

Use tools like LiteLLM Proxy or Kong that support advanced authentication.
2

Configure OpenCode to use the gateway

Point OpenCode to your gateway instead of directly to LLM providers:
opencode.json
3

No proxy needed for OpenCode

OpenCode connects to the gateway on localhost, bypassing the proxy entirely.

Proxy Debugging

Verify proxy connectivity:
Cause: NO_PROXY not set, routing localhost through proxy.Fix:
Cause: Proxy performs SSL interception with custom CA.Fix: Add custom CA certificate (see Custom Certificates section).
Cause: Special characters in password not URL-encoded.Fix: URL-encode password:

Custom CA Certificates

Enterprise networks often use custom Certificate Authorities (CAs) for SSL/TLS inspection. Configure OpenCode to trust these certificates.

Single Certificate File

This variable is read by Node.js/Bun’s TLS stack and applies to:
  • Proxy connections (if using HTTPS proxy)
  • Direct HTTPS requests to LLM providers
  • Any other HTTPS traffic from OpenCode

Multiple Certificates

Concatenate multiple CA certificates into one file:

Certificate Locations

Common enterprise CA certificate locations:

Persistent Configuration

Add to your shell profile for persistence:

Certificate Verification Issues

Symptoms: certificate has expired errors.Diagnosis:
Fix: Update your CA certificate file or contact IT.
Symptoms: unable to verify the first certificate.Cause: Missing intermediate CA certificate.Fix: Ensure your CA file includes the full chain:
Symptoms: self signed certificate in certificate chain.Fix: Add the self-signed root CA to NODE_EXTRA_CA_CERTS.

mDNS Service Discovery

mDNS (Multicast DNS), also known as Bonjour or Zeroconf, enables automatic discovery of OpenCode servers on the local network without manual IP configuration.

How mDNS Works

1

Server publishes service

When --mdns is enabled, the OpenCode server announces itself on the local network:
2

Clients discover server

mDNS-aware clients (web browsers, mobile apps) query for _http._tcp.local. services and receive server details.
3

Automatic connection

Clients connect to http://opencode.local:4096 without knowing the IP address.

Enable mDNS

mDNS requires:
  • --hostname set to a non-loopback address (not 127.0.0.1 or localhost)
  • UDP port 5353 accessible on the local network
  • mDNS responder running on the host (avahi-daemon on Linux, built-in on macOS/Windows)

Custom Domain Name

Clients can then connect to http://mycompany-ai.local:4096.

mDNS Implementation

OpenCode uses the bonjour-service library:

Discovery from Clients

mDNS Platform Support

Built-in Bonjour support. Works out of the box.

Security Considerations

mDNS Exposes Your Server to the Local Network
  • Any device on the same network can discover the server
  • Always use OPENCODE_SERVER_PASSWORD when enabling mDNS
  • Consider firewall rules to restrict access to trusted subnets
  • mDNS should not be used on untrusted networks (coffee shops, airports)

Firewall Configuration

Required Ports

4096
TCP
default:"yes"
Default OpenCode HTTP server port. Customize with --port.
5353
UDP
default:"no"
mDNS/Bonjour service discovery. Only needed if --mdns is enabled.

Firewall Rules

Network Architecture Patterns

Pattern 1: Local Development (Default)

  • No proxy, no mDNS
  • Localhost only
  • Fastest, most secure

Pattern 2: Corporate Network with Proxy

  • HTTPS_PROXY configured
  • NO_PROXY=localhost
  • Custom CA certificate if proxy intercepts SSL

Pattern 3: Remote Server with mDNS

  • Server on dedicated machine
  • --hostname 0.0.0.0 --mdns
  • Password authentication required
  • Clients auto-discover via mDNS

Pattern 4: Containerized Deployment

  • Expose via reverse proxy with SSL
  • Internal container networking
  • Auth + CORS configured

Best Practices

Always set NO_PROXY

Include localhost,127.0.0.1 in NO_PROXY when using proxies to prevent TUI connection failures.

Use HTTPS proxies

Prefer HTTPS_PROXY over HTTP_PROXY for encrypted proxy connections.

Secure mDNS servers

Always set OPENCODE_SERVER_PASSWORD when using --mdns or --hostname 0.0.0.0.

Test certificates

Verify NODE_EXTRA_CA_CERTS with openssl s_client before running OpenCode.

Next Steps

Server Architecture

Learn about the OpenCode server API and architecture.

Troubleshooting

Diagnose network connectivity issues.

Windows WSL Setup

Optimal network setup for Windows users.