Workers SDK Issue Reports

← Back to Dashboard

#7651 wrangler login does not work with VPNs (Tailscale and such)

Recommendation:NEEDS VERIFICATION
Difficulty:n/a
Reasoning:

PR #8316 (Apr 2025) added --callback-host/--callback-port params and PR #9396 (Jan 2026) fixed OAuth redirect_uri handling. These provide workarounds for VPN scenarios but user's "paste code" request not implemented.

Suggested Action:

Ask reporter to verify if --callback-host option resolves VPN issues on latest wrangler

View on GitHub →

Analysis Report

Issue Review: cloudflare/workers-sdk#7651

Summary

wrangler login fails with VPNs due to localhost callback being unreachable, but workarounds now exist.

Findings

  • Created: 2024-12-31
  • Updated: 2025-10-30
  • Version: 3.95.0 → 4.60.0 (current)
  • Component: wrangler (login/OAuth)
  • Labels: bug
  • Comments: 2

Key Evidence

  1. Issue Description: User reports wrangler login fails when using VPNs (Tailscale, etc.) because the localhost OAuth callback cannot be reached. The user requests the ability to paste an auth code directly instead of relying on localhost callback.

  2. Related Fixes Found:

    • PR #8316 (merged 2025-04-16): Introduced --callback-host and --callback-port parameters for wrangler login, allowing users to specify a custom host/port for the OAuth callback server (e.g., 0.0.0.0 for containers/VPN scenarios).
    • PR #9396 (merged 2026-01-20): Fixed an issue where custom --callback-host/--callback-port values were incorrectly passed to the OAuth API. The redirect_uri is now always localhost:8976 as required by Cloudflare's OAuth API, but users can configure the Wrangler server to listen on different host/port and use port forwarding.

  3. Changelog Confirmation: Both fixes are documented in the wrangler CHANGELOG.md:

    • PR #8316: "introduce callback-host and callback-port param for wrangler login command"
    • PR #9396: "Fix wrangler login with custom callback-host/callback-port"

  4. User's Specific Request: The user asked for the ability to paste an auth code directly (--browser=false with code input). While this specific feature was NOT implemented, the --callback-host and --callback-port options provide a workaround for VPN/container scenarios.

  5. Reproduction Confirmed: Comment from 2025-10-22 confirms the issue still affects users with VPNs (macOS with Outline VPN).

Recommendation

Status: NEEDS VERIFICATION

Reasoning: Significant improvements have been made to wrangler login with the --callback-host and --callback-port parameters (PR #8316 and PR #9396). These options allow users behind VPNs to configure the OAuth callback server to listen on a different interface (e.g., 0.0.0.0 or 127.0.0.1). However, the user's original request for a "paste code" flow was not implemented. The workarounds should help most VPN scenarios, but verification with the reporter is needed.

Action: Ask the reporter to verify if the new --callback-host option resolves their issue with VPNs.

Suggested Comment

Hi @Peru-S, since this issue was reported, Wrangler has added --callback-host and --callback-port options to the wrangler login command (PR #8316, PR #9396).

For VPN scenarios, you can try:

npx wrangler login --callback-host=127.0.0.1
# or
npx wrangler login --callback-host=0.0.0.0

This allows the OAuth callback server to listen on a specific interface that may work better with your VPN configuration.

Could you please test with the latest version of Wrangler (currently 4.60.0) and these options to see if this resolves your issue? If the problem persists, please share additional details about your VPN setup. Thanks!

Notes & Feedback (0)

No notes yet.

Add Note