-
Notifications
You must be signed in to change notification settings - Fork 0
Cordless Setup mkcert HTTPS
The untethered path. PC + bracelet + headset all on the same Wi-Fi. You can walk anywhere in Wi-Fi range while wearing the headset, no USB cable, no adb reverse.
Time: ~15 minutes first time (mostly the Quest Cert Install step).
Quest Browser refuses to grant WebXR hand-tracking outside a secure context. Localhost counts (which is why the Quick Start USB path works without certs), but LAN URLs like http://10.0.0.42:8000 do not. So you need HTTPS over LAN, which means a locally-trusted cert.
mkcert is the standard tool for this: generates a per-machine root CA, lets you mint certs for any hostname/IP, and the certs are valid because the root CA is installed in your OS trust store. We do the same trick on the Quest — install the root CA on the headset, and from then on Quest Browser trusts our LAN HTTPS.
Download the latest mkcert binary from the GitHub releases page and stash it somewhere on PATH (or use the full path):
New-Item -ItemType Directory -Force -Path "$env:USERPROFILE\bin" | Out-Null
Invoke-WebRequest -Uri "https://github.com/FiloSottile/mkcert/releases/download/v1.4.4/mkcert-v1.4.4-windows-amd64.exe" `
-OutFile "$env:USERPROFILE\bin\mkcert.exe"
# Add to PATH for this session (or do it permanently via System Properties)
$env:PATH = "$env:USERPROFILE\bin;$env:PATH"brew install mkcertDistro-specific. See the mkcert README.
mkcert -installThis is the only step that needs admin — Windows will pop a UAC prompt asking to allow the certificate-store modification. Accept it.
Output should include The local CA is now installed in the system trust store! ⚡️.
# Windows
Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' }Pick the IP of the interface that's on the same network as your headset (usually the Wi-Fi adapter). Example: 10.0.0.102.
From inside the OpenMuscle-Software repo's pc/ directory:
cd D:\path\to\OpenMuscle-Software\pc
mkcert -cert-file vr-cert.pem -key-file vr-key.pem 10.0.0.102 localhost <your-hostname> 127.0.0.1Including localhost and 127.0.0.1 means the same cert works for local testing too. Including your hostname covers the rare case where mDNS resolves it on the Quest's network.
You'll see:
Created a new certificate valid for the following names 📜
- "10.0.0.102"
- "localhost"
- "DESKTOP-CG95ESU"
- "127.0.0.1"
The certificate is at "vr-cert.pem" and the key at "vr-key.pem" ✅
It will expire on 29 August 2028 🗓
The certs land in pc/. They're *.pem-gitignored so they won't accidentally ship.
This is the painful step. See dedicated page: Quest Cert Install
It's painful because Meta's Horizon OS hides the standard Android cert-install UI, so you have to launch the AOSP Settings activity via ADB.
cd D:\path\to\OpenMuscle-Software\pc
openmuscle web --ssl-certfile vr-cert.pem --ssl-keyfile vr-key.pemYou'll see:
OpenMuscle web UI: https://localhost:8000
Listening for devices on UDP 3141
TLS: cert=vr-cert.pem key=vr-key.pem
WebXR URL for the Quest: https://<your-LAN-ip>:8000/vr
In Quest Browser, navigate to:
https://10.0.0.102:8000/vr # VR mode
https://10.0.0.102:8000/vr?mode=ar # AR/passthrough mode
The address bar should show a 🔒 lock icon (no cert warning). Three green preflight checkmarks. Tap Enter VR.
If the Quest can't reach the server, Windows Firewall may be blocking inbound TCP 8000. Allow it (or add an explicit rule):
# Admin PowerShell
New-NetFirewallRule -DisplayName "OpenMuscle web (8000)" `
-Direction Inbound -Protocol TCP -LocalPort 8000 -Action Allowmkcert certs default to ~2.5 years. When yours expires, just re-run step 4 to mint a new one and restart the server. The root CA on your headset stays valid much longer — you won't need to redo the Quest Cert Install.
You can now walk anywhere in Wi-Fi range while wearing the headset. The bracelet streams to the PC over Wi-Fi, the headset connects to the PC over Wi-Fi (now HTTPS), no cable required. Battery limits become the constraint (Quest: ~2h active, FlexGrid: depends on hardware).
For real-world field capture, use AR mode (?mode=ar) — see the field-capture section of docs/vr-setup.md.