Lesson 6. Remote Access

Why You Need This

You’ve deployed OpenClaw on a server (Lesson 5). But how do you manage it from your laptop or phone? How do you securely connect to a Gateway running on another machine? In this lesson, we’ll cover remote access methods — from a simple SSH tunnel to modern Tailscale.

The Golden Rule of Security

Keep the Gateway on loopback — let it listen only on 127.0.0.1 (itself), and provide external access through a secure tunnel.

This means: the Gateway isn’t exposed to the internet, and you connect to it through a protected channel.

OpenClaw Network Model

You (laptop) ──tunnel──→ Server (Gateway on 127.0.0.1:18789)
                                ↕
Phone (node) ──tunnel──→ Same Gateway
                                ↕
                           Telegram, WhatsApp, Discord...

  • One Gateway — the single point through which everything passes
  • The Gateway listens on 127.0.0.1:18789 by default (local connections only)
  • Nodes, CLI, apps — all connect to this port

Method 1: SSH Tunnel (Universal)

An SSH tunnel is like a private underground passage between your computer and the server. Traffic inside it is encrypted and authenticated by SSH, so the Gateway port itself never has to be reachable from outside.

Creating a Tunnel

ssh -N -L 18789:127.0.0.1:18789 user@your-server

What this means:

  • -N — don’t open a terminal on the server, just the tunnel
  • -L 18789:127.0.0.1:18789 — forward your local port 18789 to port 18789 on the server’s loopback interface (the 127.0.0.1 here is resolved on the server side)
  • user@your-server — the SSH user and host of the server

After Creating the Tunnel

Everything works as if the Gateway is on your computer:

openclaw health        # health check
openclaw status --deep # detailed status

Browser: http://127.0.0.1:18789/ — control panel.

Configuring CLI for Remote Access

To avoid remembering the address, add it to your configuration:

{
  gateway: {
    mode: "remote",
    remote: {
      url: "ws://127.0.0.1:18789",
      token: "your-token"
    }
  }
}

Method 2: Tailscale

Tailscale is a free VPN service that creates a secure network between your devices. Imagine all your devices connected to the same home network, even if they’re in different countries.

Why Tailscale Is Better Than SSH

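|                  | SSH Tunnel               | Tailscale                   |
|------------------|--------------------------|-----------------------------|
| Setup            | Need to create each time | Set up once — it just works |
| Mobile devices   | Difficult                | Apps for iOS/Android        |
| Connection speed | Instant                  | Instant                     |
| HTTPS            | Needs separate setup     | Built-in via Serve          |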

Setting Up Tailscale

  1. Install Tailscale on the server and your laptop: tailscale.com
  2. Sign in on both devices

Tailscale Serve (Access Within Your Network)

Tailscale Serve makes your Gateway available via HTTPS within your Tailscale network:

{
  gateway: {
    bind: "loopback",
    tailscale: { mode: "serve" }
  }
}

Open https://your-server.tailnet/ — control panel with HTTPS.

Tailscale Funnel (Public Access)

If the Gateway must be reachable from the public internet (e.g., for webhooks):

{
  gateway: {
    tailscale: { mode: "funnel" }
  }
}

⚠️ When using Funnel, be sure to set a password:

export OPENCLAW_GATEWAY_PASSWORD="strong-password"

Tailscale Authentication

When using Tailscale Serve, OpenClaw can automatically trust connections from your network:

{
  gateway: {
    auth: {
      allowTailscale: true  // trust Tailscale connections
    }
  }
}

Method 3: macOS App “Remote over SSH”

If you have a Mac, the OpenClaw app can automatically:

  • Create an SSH tunnel to the server
  • Show Gateway status
  • Open WebChat

Configure in: Settings → General → “OpenClaw runs” → Remote.

Gateway Network Binding

By default, the Gateway listens only on 127.0.0.1. You can change this:

| bind Value | Meaning                           |
|------------|-----------------------------------|
| "loopback" | This computer only (default)      |
| "lan"      | Available on the local network    |
| "tailnet"  | Available via Tailscale           |
| "0.0.0.0"  | Available to everyone (dangerous!) |

⚠️ For any bind other than loopback, always use a token!

openclaw gateway --bind tailnet --token your-secret-token
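
To confirm on the server which bind is actually in effect, you can classify the listening sockets on the Gateway port. This is an added example, not part of the lesson or of OpenClaw's own tooling: check_gateway_bind is a hypothetical helper that reads `ss -ltnH` output, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: classify listeners on the Gateway port from `ss -ltnH` output.
# On a real host: ss -ltnH | check_gateway_bind 18789
# check_gateway_bind is a hypothetical helper name, not an OpenClaw command.
# Exit status: 0 = loopback only, 1 = reachable beyond loopback, 2 = no listener.
check_gateway_bind() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            # Column 4 is the local address:port, e.g. 127.0.0.1:18789 or [::1]:18789
            if (!match($4, /:[0-9]+$/)) next
            addr = substr($4, 1, RSTART - 1)
            if (substr($4, RSTART + 1) != port) next
            found = 1
            gsub(/^\[|\]$/, "", addr)   # strip IPv6 brackets
            sub(/%.*$/, "", addr)       # strip interface scope such as %lo
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./)
                print "loopback " addr
            else if (addr == "0.0.0.0" || addr == "::" || addr == "*") {
                print "all-interfaces " addr; bad = 1
            } else {
                print "other " addr; bad = 1   # LAN or tailnet address
            }
        }
        END {
            if (!found) { print "no-listener"; exit 2 }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample `ss -ltnH` lines (not captured from a real host).
SAMPLE_LOOPBACK='LISTEN 0 511 127.0.0.1:18789 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_EXPOSED='LISTEN 0 511 0.0.0.0:18789 0.0.0.0:*
LISTEN 0 511 [::]:18789 [::]:*'
SAMPLE_TAILNET='LISTEN 0 511 100.64.0.5:18789 0.0.0.0:*'

printf '%s\n' "$SAMPLE_LOOPBACK" | check_gateway_bind 18789 || true
printf '%s\n' "$SAMPLE_EXPOSED"  | check_gateway_bind 18789 || true
printf '%s\n' "$SAMPLE_TAILNET"  | check_gateway_bind 18789 || true
```

A `loopback` result with exit status 0 matches the default described above; any other result means the token or password requirement applies.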

Security Rules

  1. Loopback + tunnel — the most secure option
  2. If bind is not loopback — always set up gateway.auth (token or password)
  3. Never expose the Gateway to the internet without authentication
  4. Tailscale Serve + allowTailscale: true — a convenient and secure compromise
  5. For public access via Funnel — use a password

Lesson Summary

  • The Gateway listens only on localhost by default — this is secure
  • SSH tunnel — a universal method that works everywhere
  • Tailscale — a modern VPN, more convenient than SSH for daily use
  • Tailscale Serve provides HTTPS and authentication within your network
  • When exposing the Gateway to a network, always use a token or password
  • The macOS app can automatically create SSH tunnels