Introduction
OpenClaw Gateway runs locally by default (127.0.0.1:18789), which means:
- ✅ Secure: No external access
- ❌ Limited: Can only be used locally
If you want to:
- Run OpenClaw on your home server and access it remotely from your phone
- Share an OpenClaw instance with your team
- Use your home AI assistant while away
Then Tailscale integration is your best choice.
What is Tailscale?
Tailscale is a zero-config VPN tool based on WireGuard. It lets you build a private network (a Tailnet) and securely connect your devices to each other.
Key Benefits
| Feature | Description |
|---|---|
| Zero Config | No firewall rules or port forwarding needed |
| End-to-End Encryption | WireGuard protocol, secure and reliable |
| Cross-Platform | Linux, macOS, Windows, iOS, Android |
| Free Tier | Free for personal use, up to 20 devices |
Two Tailscale Modes
OpenClaw supports two Tailscale modes:
- tailscale serve - Tailnet-only access (private)
- tailscale funnel - Public internet access (requires password)
What Can OpenClaw + Tailscale Do?
Scenario 1: Tailscale Serve (Recommended for Personal Use)
Use Cases:
- Run OpenClaw on home NAS/server
- Access remotely from phone/laptop via Tailscale
- Only your devices can access
Network Topology:
[Phone] ←──Tailnet──→ [Tailscale] ←──localhost──→ [OpenClaw Gateway]
[Laptop] ←──Encrypted Tunnel──→ 192.168.x.x:18789
Scenario 2: Tailscale Funnel (Public Access)
Use Cases:
- Team collaboration, sharing one OpenClaw instance
- Temporary access from devices without Tailscale
- Access via public URL (e.g., https://your-machine.tailnet-xx.ts.net)
⚠️ Security Warning:
- Funnel exposes your service to the public internet
- Password authentication is mandatory, otherwise anyone can access your Gateway
- Recommended: gateway.auth.mode: "password"
Configuration Steps
Prerequisites
Install Tailscale
# Debian/Ubuntu
curl -fsSL https://tailscale.com/install.sh | sh
# macOS
brew install tailscale
Log in to Tailscale
sudo tailscale up
# Follow browser prompts to authorize
Verify Tailscale IP
tailscale ip -4
# Output: 100.x.y.z
Configure OpenClaw
Edit ~/.openclaw/openclaw.json:
Option A: Tailscale Serve (Private)
{
"gateway": {
"port": 18789,
"mode": "tailscale",
"auth": {
"mode": "token",
"token": "your-secure-token"
},
"tailscale": {
"mode": "serve",
"resetOnExit": false
}
}
}
Access: Only devices with Tailscale on the same account
Option B: Tailscale Funnel (Public)
{
"gateway": {
"port": 18789,
"mode": "tailscale",
"auth": {
"mode": "password",
"password": "your-strong-password"
},
"tailscale": {
"mode": "funnel",
"resetOnExit": true
}
}
}
⚠️ Password is mandatory for Funnel mode!
Restart Gateway
openclaw gateway restart
Security Best Practices
- Prefer Serve Mode - Unless you need public access
- Use Strong Passwords for Funnel
openssl rand -base64 32
- Enable resetOnExit for Funnel
- Rotate tokens/passwords regularly
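The checks above can be run against a config before restarting the Gateway. The following is an added example, not part of OpenClaw: it uses only the keys shown in Options A and B, assumes openclaw.json is strict JSON, and the 24-character minimum and the names audit_gateway, BAD_FUNNEL and GOOD_FUNNEL are assumptions made for illustration.

```python
import json
import sys
from pathlib import Path

# Sample values copied from the config examples on this page; never deploy them.
PLACEHOLDERS = {"your-secure-token", "your-strong-password"}
MIN_SECRET_LEN = 24  # assumed threshold; `openssl rand -base64 32` gives 44 chars


def audit_gateway(config: dict) -> list:
    """Return a list of findings for the "gateway" block of openclaw.json."""
    gw = config.get("gateway", {})
    auth = gw.get("auth", {})
    ts = gw.get("tailscale", {})
    auth_mode, ts_mode = auth.get("mode"), ts.get("mode")
    findings = []

    if ts_mode == "funnel":
        # Funnel is reachable from the public internet: password auth is mandatory.
        if auth_mode != "password":
            findings.append('funnel requires gateway.auth.mode "password"')
        if ts.get("resetOnExit") is not True:
            findings.append("funnel should set gateway.tailscale.resetOnExit to true")

    if auth_mode in ("token", "password"):
        secret = auth.get(auth_mode) or ""  # the secret is stored under the mode's name
        if secret in PLACEHOLDERS:
            findings.append(f"gateway.auth.{auth_mode} is still a placeholder")
        elif len(secret) < MIN_SECRET_LEN:
            findings.append(f"gateway.auth.{auth_mode} is shorter than {MIN_SECRET_LEN} chars")
    return findings


# Constructed sample: Funnel exposed with token auth and no reset on exit.
BAD_FUNNEL = json.loads("""{"gateway": {"port": 18789, "mode": "tailscale",
  "auth": {"mode": "token", "token": "your-secure-token"},
  "tailscale": {"mode": "funnel", "resetOnExit": false}}}""")

# Constructed sample: Option B with a constructed 44-character password.
GOOD_FUNNEL = json.loads("""{"gateway": {"port": 18789, "mode": "tailscale",
  "auth": {"mode": "password", "password": "qL8vX2mTz0Rk5YbN1cHd7WfJ3uAe9GsP6oIiKxVtCyE="},
  "tailscale": {"mode": "funnel", "resetOnExit": true}}}""")

if __name__ == "__main__":
    path = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / ".openclaw/openclaw.json"
    for finding in audit_gateway(json.loads(path.read_text())):
        print("FINDING:", finding)
```

Run it with the path to a config file as its argument, or with no argument to read ~/.openclaw/openclaw.json; no output means none of the checks fired.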
FAQ
Q: What’s the difference between local and Tailscale modes?
| Feature | Local | Tailscale Serve | Tailscale Funnel |
|---|---|---|---|
| Access | Local only | Tailnet devices | Public internet |
| Encryption | None | WireGuard | WireGuard + TLS |
| Needs Tailscale | No | Yes | Yes |
| Password | Optional | Optional | Required |
Q: Can I use both local and Tailscale?
No. Gateway can only bind to one mode. Use Tailscale Serve + install Tailscale on local devices.
Q: How do I find my Tailscale hostname?
tailscale status
Example output:
100.x.x.x your-hostname [email protected] linux -
The your-hostname column is what you need.
Or directly:
tailscale status --json | jq -r '.Self.DNSName'  # requires jq; prints this machine's full MagicDNS name
Customize hostname:
# On first login
sudo tailscale up --hostname=my-openclaw-server
# Or rename in Tailscale admin console:
# https://login.tailscale.com/admin/machines
Summary
| Need | Recommended |
|---|---|
| Local only | bind: loopback (default) |
| Multi-device private | tailscale: serve |
| Team/public | tailscale: funnel + password |
Tailscale makes OpenClaw remote access simple and secure—no firewall configuration, no port forwarding, deployed in minutes.