Opinionated wall of text incoming:

Hairpin is an annoying hack. It happens and is necessary when you are getting a public IP from DNS but the service is not actually listening on that address itself, because the router owns that address, and that address is actually on the other side of the router, the public-facing side, not the side you’re on, so now you have to go out to the public side of the router, turn around (the hairpin turn) and come back in as if you were a public user in order to get to a service that was literally sitting right next to you (on the private side) the whole time.

What you should do instead: You should have your own internal DNS for your own personal network that resolves the DNS properly within the context of that network. This avoids needing to use hairpin at all, because your traffic is never trying to go out to the public internet in the first place. If you get the correct, context-specific best path IP to your services at all times, you don’t have to use the naive, public IP for immich that doesn’t even actually exist on your local network.

The terminology around all this is confusing and sometimes stupid because private networks behind NAT never really existed when DNS was invented, and a lot of people deal with it in stupid and overcomplicated ways. If this same DNS server were then also going to be shared and used publicly to host your own domain names to other people, you would need a thing called “split zones” or “split DNS” but you don’t need to do that and you should avoid that too. Keep private DNS private, and leave public DNS out in public. Separate them intentionally and deliberately.

If you are getting the public IP for your Immich, then you are using its public DNS. I will try and make it simple for you, the way I think everyone should do it:

Your LAN/VPN environment is private. It should have its own dedicated authoritative private DNS server whose purpose is limited to completely and comprehensively servicing all the DNS IP lookup needs of that LAN/VPN environment and being the sole source of truth within that network. Often, the local network’s DNS is already correctly configured and provided by your router to handle all public IPs, and this is usually completely fine for self-hosting. What matters is that you should be able to add custom IP addresses to it, and it should be private to your network. Nobody else should have access to this DNS configuration, not because it’s really important for security but just because it is irrelevant outside the context of your local network, which is usually exactly what your router DNS provides. Your internal network DNS is responsible for two things within that environment:

• Providing the correct local (private) IP address for traffic to local services that belongs only on your network.
• Providing official public IP addresses for any OTHER things outside that local network like any normal DNS server (typically accomplished by DNS forwarding to your ISP’s servers or Google/Cloudflare DNS servers, or resolving it from the root servers directly, called recursive DNS) Almost any router or DNS server will do this by default, if you’re accessing Lemmy you’re getting Lemmy’s public IP from your router’s DNS configuration.

You just have to implement and maintain the first part, usually in your router’s configuration. If you want more control or consistency over the DNS your local network is using it can also be self-hosted with something small like dnsmasq, or even big old granddaddy bind/named (not as complex as it seems and very standardized). Either way, that’s your responsibility, and once you’re providing correct local IPs for Immich on your local DNS (outside your network, you and the public will still use public DNS and get the public IP) everything will just work.

Hairpin may feel convenient. It’s not, it’s a workaround for a misconfiguration. Having private DNS that is separate and distinct from public DNS may feel like duplication of effort, but it’s not, it’s fundamental to even having a local network and puts you in the drivers seat for the layout of that network. Take responsibility for it instead of letting hairpin fix your mess.

On your LAN DNS server (say, pi-hole), you could add an A record for your Immich’s domain name that points to the internal IP address so clients on your LAN would simply resolve the LAN IP instead of trying to do fancy NATing. Make sure your browser doesn’t try to do DNS over HTTPS, which would skip your local dns.

Or you could run everything on a meshVPN like Tailnet. That way the (VPN) IP of the Immich server doesn’t change and the Tailnet will route the traffic over your LAN when your clients are local.

Are you interested in the networking side of self hosting? If so, you should get a better router, something you can run OPNsense or similar on. There are other “options”, but they’re workarounds that avoid fixing the real problem.

That’s what made me install Adguard Home, just so that I could bypass my hairpin DNS issue. There are still things that don’t work and I haven’t found the time to fix those, but for me at least, Immich works the same inside and outside the house! (My gf uses /e/OS and her DNS overrides Adguard Home which is a shame, but that’s in the list of “doesn’t quite work perfectly”)

Okay so… How do you have it set up and configured? You’ve given us nothing to go on.

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

6 acronyms in this thread; the most compressed thread commented on today has 16 acronyms.

[Thread #227 for this comm, first seen 9th Apr 2026, 15:10] [FAQ] [Full list] [Contact] [Source code]

My option is to use a VPN at home. Sad world. It’s the only way I can sleep well.