If you want to reach your OpenClaw Control UI from the road without punching holes in your router or juggling SSH tunnels, use Tailscale. Tailscale gives your OpenClaw box a private WireGuard address and lets you expose specific ports to any device (Serve) or the public internet (Funnel) with a single command. This guide walks through a full setup on an Ubuntu 22.04 VPS, but the commands are identical on Raspberry Pi, macOS, or a bare-metal server.
Why Tailscale Instead of Plain SSH Tunnels?
SSH port forwarding works, but it breaks the minute your laptop sleeps or your IP changes. You have to keep an SSH session alive, manage keys on every device, and sometimes run autossh daemons. Tailscale replaces all of that with:
- Zero open ports: no NAT or firewall changes. Everything rides over outbound 443/udp.
- Per-device keys: each phone, tablet, or VM gets its own WireGuard key, revoked independently.
- Access control lists (ACLs): declare who can hit 100.x.y.z:3000 in a JSON file. No more "ssh user@…" gymnastics.
- Serve & Funnel: share the OpenClaw UI on an auto-issued HTTPS cert. No reverse proxy needed.
What We’ll Build
By the end, you will:
- Run OpenClaw v0.9.3 on localhost:3000.
- Install Tailscale v1.66 (or later) on the same box.
- Expose the UI at https://openclaw.your-tailnet.ts.net inside your private network via Serve.
- Optionally make it reachable on the public internet with Funnel (TLS termination and rate-limiting baked in).
- Lock it down with an ACL so only your user and your phone can talk to port 3000.
Prerequisites
- OpenClaw host running Linux/macOS/Windows. I’m on Ubuntu 22.04 LTS.
- Node 22+ (node -v).
- An admin account on tailscale.com. The free plan is enough for 1-20 devices.
- Tailscale v1.44+ (we’ll grab the latest stable, 1.66 at time of writing).
Step 1 – Install and Verify OpenClaw
1.1 Create a dedicated user (optional but tidy)
# --shell is needed: --system defaults to nologin, which would make the sudo -i -u claw step below fail
sudo adduser --system --group --home /opt/openclaw --shell /bin/bash claw
1.2 Install OpenClaw
sudo -i -u claw
npm create openclaw@latest # answer the wizard prompts and pick "gateway"
cd openclaw-gateway
npm run start
By default the gateway listens on 0.0.0.0:3000, which is every interface, not just loopback: on a VPS with no host firewall the UI is reachable on the public IP straight away. Keep it local for now (bind it to 127.0.0.1 if the gateway config allows, or block inbound 3000 with ufw); we’ll route traffic via Tailscale.
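To confirm the gateway really is local-only before Tailscale goes in front of it, here is an added check (my script, not part of OpenClaw or Tailscale) that parses ss -ltnp output and flags ports bound to every interface; the ss output below is constructed.

```python
import ipaddress

# Constructed sample of `ss -ltnp` output on the OpenClaw host (not captured from a real box).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      511    0.0.0.0:3000         0.0.0.0:*         users:(("node",pid=1234,fd=20))
LISTEN 0      128    127.0.0.1:5432       0.0.0.0:*         users:(("postgres",pid=99,fd=5))
LISTEN 0      4096   100.96.14.27:443     0.0.0.0:*         users:(("tailscaled",pid=77,fd=9))
LISTEN 0      511    [::]:3000            [::]:*            users:(("node",pid=1234,fd=21))
"""

# Tailscale hands out node addresses from the CGNAT range 100.64.0.0/10.
TAILNET = ipaddress.ip_network("100.64.0.0/10")


def parse_listeners(ss_output):
    """Return (address, port) pairs for every LISTEN row in `ss -ltn` output."""
    listeners = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue  # header or unexpected row
        addr, port = cols[3].rsplit(":", 1)  # "[::]:3000" -> "[::]", "3000"
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def classify(addr):
    """wildcard (every interface, public IP included), loopback, tailnet, or other."""
    if addr in ("0.0.0.0", "::", "*"):
        return "wildcard"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.version == 4 and ip in TAILNET:
        return "tailnet"
    return "other"


def exposed_ports(ss_output, watch=(3000,)):
    """Ports in `watch` bound to every interface: reachable on the VPS's public IP
    unless a host firewall blocks them, so Serve would not be the only way in."""
    return sorted({port for addr, port in parse_listeners(ss_output)
                   if port in watch and classify(addr) == "wildcard"})


if __name__ == "__main__":
    # Real use: run `ss -ltnp` and feed its stdout here instead of the constructed sample.
    print("ports open on every interface:", exposed_ports(SAMPLE_SS))
```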
Step 2 – Install Tailscale on the Same Host
Install from Tailscale’s official package repository (the install script below adds it) so that apt upgrade keeps Tailscale current.
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale version # should print 1.66.x
No config files to edit yet.
Step 3 – Authenticate the Node and Join Your Tailnet
sudo tailscale up --hostname openclaw-node \
--ssh # enables optional tailscale ssh
Copy-paste the magic URL into your browser, pick your Google or GitHub identity, and the node appears in the admin panel with an IP like 100.96.14.27. From any other Tailscale device you can already:
curl http://100.96.14.27:3000
We haven’t touched firewalls.
Step 4 – Publish the Control UI with Tailscale Serve
Serve needs one command and runs a small reverse proxy inside tailscaled, so it comes back automatically after restarts and upgrades.
# tell Serve to forward HTTPS port 443 to the local OpenClaw port 3000
sudo tailscale serve https / http://localhost:3000
Tailscale now issues a Let’s Encrypt cert for openclaw-node.tail123.ts.net (the subdomain depends on your tailnet). On any device logged into Tailscale, load:
https://openclaw-node.tail123.ts.net
You should see the familiar login screen. Certificates renew automatically.
4.1 Restrict Serve to a Sub-path (optional)
# --https takes the port; --set-path mounts the backend under the sub-path
sudo tailscale serve --https=443 --set-path=/claw/ http://localhost:3000/
Handy if the box already hosts Grafana or other dashboards.
Step 5 – Make It Public With Funnel (Optional)
Sometimes you need to demo OpenClaw to someone outside your tailnet or you don’t want to install the Tailscale app on every phone. Funnel turns the same Serve rule into a public URL with global TLS and DDoS protection.
# request Funnel access (one-liner; prompts in the browser)
sudo tailscale funnel enable
# reuse the Serve rule above
tailscale funnel --https=443
You’ll get a URL like:
https://openclaw-node.ts.net
Traffic arrives at Tailscale’s edge, then hops through WireGuard to your node. No extra 443 port is opened on your machine.
5.1 Rate-limit Public Access
# allow max 20 req/sec, burst 40
tailscale funnel --https=443 --rate=20,40
Useful if your OpenClaw UI is heavy.
Security Considerations and ACL Snippets
A Tailnet ACL is JSON. Put it in Access Controls in the admin UI or push via tailscale up --login-server. Example:
{
  "ACLs": [
    {
      "Action": "accept",
      "Users": ["group:admins"],
      "Ports": ["openclaw-node:443", "openclaw-node:22"]
    }
  ],
  "Groups": {
    "group:admins": ["alice@example.com"]
  },
  "TagOwners": {
    "tag:openclaw": ["group:admins"]
  }
}
- Principle of least privilege: only admins reach 443; everyone else in the tailnet is blocked. Note that these rules govern tailnet peers only; anything you publish with Funnel arrives from the public internet and is not filtered by them.
- Kill switch: disable Funnel instantly with tailscale funnel disable.
- SSO & 2FA: piggybacks on your Google/GitHub SSO, no password database to secure.
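Because one stray autogroup:member in a rule silently turns "admins only" into "everyone", here is an added least-privilege check (my script, not a Tailscale tool) that reports which broad sources a policy lets reach a given host:port. It assumes strict JSON input (the admin console’s policy file also allows comments, which json.loads rejects); the sample policy is constructed and its second rule is the mistake the check is meant to catch.

```python
import json

# Constructed policy used as sample input (same shape as the snippet above; hypothetical).
SAMPLE_POLICY = """
{
  "ACLs": [
    {"Action": "accept", "Users": ["group:admins"], "Ports": ["openclaw-node:443", "openclaw-node:22"]},
    {"Action": "accept", "Users": ["autogroup:member"], "Ports": ["openclaw-node:3000-3010"]}
  ],
  "Groups": {"group:admins": ["alice@example.com"]}
}
"""

# Sources that mean "everyone in the tailnet" rather than a named person or group.
BROAD_SOURCES = {"*", "autogroup:member", "autogroup:members", "autogroup:tagged"}


def port_in(spec, port):
    """True if a port spec such as '*', '443', '80,443' or '3000-3010' includes port."""
    if spec == "*":
        return True
    for piece in spec.split(","):
        lo, _, hi = piece.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def dst_matches(dst, host, port):
    """True if a destination like 'openclaw-node:443' or '*:*' covers host:port."""
    d_host, _, d_port = dst.rpartition(":")  # rpartition keeps 'tag:prod' intact
    return d_host in (host, "*") and port_in(d_port, port)


def accept_rules(policy):
    """Yield (sources, destinations) from each accept rule, accepting both the
    older Users/Ports spelling and the current src/dst spelling."""
    for rule in policy.get("ACLs", policy.get("acls", [])):
        if rule.get("Action", rule.get("action")) != "accept":
            continue
        yield (rule.get("Users", rule.get("src", [])),
               rule.get("Ports", rule.get("dst", [])))


def overly_broad(policy_json, host, port):
    """Broad sources the policy lets reach host:port; an empty list means least privilege holds."""
    found = set()
    for srcs, dsts in accept_rules(json.loads(policy_json)):
        if any(dst_matches(d, host, port) for d in dsts):
            found |= set(srcs) & BROAD_SOURCES
    return sorted(found)
```

Run it over the exported policy for every port you expose (443 for Serve, 3000 if the gateway is bound to the tailnet address) and treat any non-empty result as a rule to tighten.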
Automating at Boot With systemd
Both OpenClaw and Tailscale ship systemd units. If you installed from the script, Tailscale already enables itself. For OpenClaw:
# /etc/systemd/system/openclaw.service
[Unit]
Description=OpenClaw Gateway
After=network.target tailscaled.service
[Service]
User=claw
WorkingDirectory=/opt/openclaw/openclaw-gateway
ExecStart=/usr/bin/npm run start
Restart=on-failure
[Install]
WantedBy=multi-user.target
sudo systemctl daemon-reload
sudo systemctl enable --now openclaw
On reboot the ordering guarantees that Tailscale brings up the WireGuard interface before the gateway listens, so Serve works immediately.
Troubleshooting Checklist
- Serve says “address already in use”: another process binds 443. Stop Apache/Nginx or run Serve on 8443.
- Cannot hit the URL from phone: phone isn’t logged into Tailscale or ACL denies it. Verify tailscale status shows the node.
- Funnel 502 errors: OpenClaw may not be up. Check journalctl -u openclaw -f.
- High latency: look at tailscale netcheck; if DERP is used, open outgoing UDP 443 in your firewall.
Next Steps
Invite teammates to your tailnet, tag the OpenClaw node with tag:prod, and carve out subnet routers if the agent needs to hit on-prem APIs. Enable Tailscale SSH so you can drop into the box without juggling keys. Finally, set a weekly reminder to update OpenClaw (npm update openclaw-gateway) and apt upgrade tailscale; both projects ship patches frequently.