Hydroxide as a headless bridge for ProtonMail on Tailscale

I had fun setting up Hydroxide on my Tailscale network so that I can access my ProtonMail inbox from any IMAP client. If you are not familiar with ProtonMail, it’s an encrypted email provider. Given the nature of the product, they do not offer IMAP access the way other standard email providers do. Instead, they require a paid account and a connector named ProtonMail Bridge for desktop IMAP clients to work.

That works great for most users, but what about IMAP clients on mobile devices? Access on mobile devices is limited to the official ProtonMail app. As a ProtonMail customer of over 3 years, I haven’t seen any significant improvements on the mobile front. They did promise an update to the ProtonMail Android app, seemingly with support for threaded conversations, but that was a long time ago.

My favorite IMAP clients on Android are Nine Mail and K-9 Mail at the moment. I have been using K-9 Mail for only a week, and my experience so far suggests the two are no different. Nine Mail has a free trial, but the latter is free forever and donation-supported.

Tailscale to the rescue

Since I previously set up pi-hole on the Tailscale network, I started exploring the idea of using ProtonMail on the Tailscale network.

While ProtonMail Bridge is open source, it’s limited to Windows, Mac and Linux at the moment, and those are GUI builds. ProtonMail Bridge is not available in a headless form, but that appears to be planned.

I wanted the headless version to run on my Raspberry Pi so that it’s accessible from any Tailscale-authenticated node.

While exploring third-party bridges, I found Hydroxide, which appears to be open source and popular among users. It also seems to support any ProtonMail account, whereas the official ProtonMail Bridge is only for paid users.

Setting up the bridge

Setting up Hydroxide is rather simple, but I ran into some challenges along the way.

For starters, it appears Proton recently changed their authentication API endpoint, which broke generating the Bridge password with Hydroxide. Some users found workarounds, but switching back to the old endpoint didn’t quite work for me.

I found another workaround that involves using a SessionID from a web-authenticated ProtonMail session, and that worked for me.

Secondly, I had to get Hydroxide listening on the Tailscale network instead of 127.0.0.1, the loopback address that is reachable only from the Pi itself. There are flags for configuring a different listen address, but entering my Raspberry Pi’s Tailscale node address there didn’t quite work. So I ended up changing the default listen address within the Hydroxide code. The lines shown below had to be replaced with my Raspberry Pi node address.

Image: Replacing the local host and ports with the Tailscale node address

With this done, all I had to do was enter my Raspberry Pi Tailscale node address as the IMAP and SMTP server in my mobile IMAP clients. The official ProtonMail Bridge documentation recommends adding an SSL exception for desktop clients; I couldn’t quite figure out how to configure a similar exception on the mobile clients. Also, because both devices (my mobile device and the Raspberry Pi running Hydroxide) are within the same Tailscale network, I chose to authenticate without SSL. That means my Bridge password travels in the clear somewhere along the path between the device and the Raspberry Pi, but that’s alright as it’s a private network.

Preventing Hydroxide bridge access for others on my Tailnet

Since my friends and family use my Tailscale network as well (I share my pi-hole ad blocker with them), I configured access control rules (Tailscale ACLs) in the Tailscale web admin console.

Image: Tailscale admin access control rules for my Hydroxide ports

This setup is safe in my understanding, as Hydroxide runs on hardware that I control and is available only within my Tailscale network. To authenticate to this Tailscale network, one needs my approval; I use a GitHub organization as a multi-user tailnet. Even if someone manages to get in, the ACLs should prevent them from accessing the Hydroxide IMAP and SMTP ports.
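As an added example (not from the post, whose ACL screenshot is not reproduced here), this is a Tailscale policy file in the HuJSON form the admin console accepts, expressing the intent of this section: every tailnet member may use the pi-hole resolver on the Pi, but only the owner's own devices may reach Hydroxide's IMAP and SMTP ports. It assumes the Raspberry Pi has been tagged tag:pi (via `tailscale up --advertise-tags=tag:pi`), that Hydroxide is on its documented default ports 1143 (IMAP) and 1025 (SMTP), and that `alice@github` (the owner) and `bob@github` (a friend on the shared tailnet) are placeholder identities.

```jsonc
{
  // Only tailnet admins may apply tag:pi to a node, so a friend cannot
  // tag their own device and inherit the Pi's permissions.
  "tagOwners": {
    "tag:pi": ["autogroup:admin"]
  },

  "acls": [
    // Every member (untagged device owned by a tailnet user) may reach the
    // pi-hole DNS port. Note the default "src: * -> dst: *:*" rule is
    // deliberately absent; anything not listed here is denied.
    { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:pi:53"] },

    // Only devices logged in as the owner may reach Hydroxide's
    // IMAP (1143) and SMTP (1025) listeners.
    { "action": "accept", "src": ["alice@github"], "dst": ["tag:pi:1143,1025"] }
  ],

  // Tailscale evaluates these when the policy is saved and refuses the save
  // if any assertion fails, so a later edit cannot silently reopen the ports.
  "tests": [
    { "src": "alice@github", "accept": ["tag:pi:53", "tag:pi:1143", "tag:pi:1025"] },
    { "src": "bob@github",   "accept": ["tag:pi:53"], "deny": ["tag:pi:1143", "tag:pi:1025"] }
  ]
}
```

Because there is no catch-all rule, anything not listed (for example SSH to the Pi) is also closed to everyone, so add rules for the services you actually use.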

I am not a network engineer but enjoy hacking on things by myself. Don’t treat this guide as a bulletproof workflow if you value secure, encrypted communication.


5 months with ProtonMail and I haven't looked back

5 months ago, I decided to quit Gmail for good and move to an end-to-end (e2e) encrypted email service like ProtonMail or Tutanota. After thinking it over a lot, I settled on ProtonMail with a two-year subscription. They had a nice Black Friday promotion in 2017 that I was able to redeem.

I have used Google’s services ever since I first discovered websites in 2004 (I think it was around that time, not very sure).

I wish I had realised the effects of using such services – giving up privacy, being tracked, not owning my own data, being targeted for advertisement amongst many other negative effects – much earlier though!

Signing up for an encrypted email service was the first step towards relief.

I use ProtonMail with a dedicated web domain, which means I don’t use their @protonmail.com address. I had been using the same dedicated email address on Google as well, via G Suite, so using the same one with ProtonMail’s premium service was a natural choice and I had no reason to update my email address everywhere.

I did not explore the option of moving all my emails from my previous Gmail inbox to ProtonMail. I thought it would be a nice distinction to keep the unsafe emails on Gmail separate from the safe ones on ProtonMail.

While ProtonMail offers only a web UI and no native desktop apps, I am okay with that. They do offer a service called ProtonMail Bridge for use with other apps like Apple Mail, Thunderbird, and Outlook. I am comfortable with their web app though, for a few reasons:

  • Automatically attaches my public key on outbound emails for others’ use – they can send me encrypted emails.
  • Can make use of the message expiration feature to send self-destructing emails.
  • Can have multiple ProtonMail sessions on the same browser, without using incognito tabs – each tab has its own session.

ProtonMail being based in Switzerland and using European data servers was another key reason why I preferred ProtonMail over Tutanota.

ProtonMail also claims they do not log IP addresses, but I have noticed that they do log IP addresses by default; one only has the option to opt out. I wonder if they could make that messaging clearer.

“Think your email’s private? Think again.” – Andy Yen, ProtonMail

I don’t see myself going back to Google’s services or the like, in favour of decentralised, open-source software and services. Especially in a time of the unethical practices that companies like Facebook are involved in!