OpenClaw Remote Access and Port Forwarding Configuration

Introduction

By default, OpenClaw only listens on 127.0.0.1, allowing only local access. In real-world deployments, however, you typically need to access the Dashboard from external networks, receive Webhook callbacks from messaging platforms, or allow mobile devices to connect for pairing. This article systematically covers OpenClaw's remote access options, from basic port configuration to production-grade reverse proxy deployment.

Basics: Opening Network Access

The simplest approach is to change the listen address to 0.0.0.0:

{
  "gateway": {
    "host": "0.0.0.0",
    "port": 18789
  }
}

After the change, restart the gateway:

openclaw gateway --port 18789

At this point, other devices on the local network can reach OpenClaw at http://<server-IP>:18789. Accepting connections from the public internet needs additional configuration, covered in the options below. If the reverse proxy from Option 2 or 3 runs on the same host, this change is not needed: the proxy forwards to the gateway on 127.0.0.1, so the plain-HTTP gateway port never has to be reachable from other machines.

Option 1: Router Port Forwarding

If your OpenClaw is running on a home network, you need to set up port forwarding on your router:

  1. Log in to the router management page
  2. Find the "Port Forwarding" or "Virtual Server" settings
  3. Add a rule: External port 18789 → Internal IP 192.168.x.x port 18789
  4. Save and apply

Dynamic DNS

Home broadband public IPs usually change, so it's recommended to use a DDNS service:

  - Cloudflare DDNS
  - DuckDNS
  - No-IP

After configuring DDNS, you can use a fixed domain (e.g., myserver.duckdns.org) to access OpenClaw without worrying about IP changes.

Option 2: Nginx Reverse Proxy

In production environments, Nginx is recommended as a reverse proxy, providing TLS termination, load balancing, and an additional security layer.

Install Nginx

# Ubuntu / Debian
sudo apt install nginx

# CentOS / RHEL
sudo yum install nginx

Configuration File

Create an Nginx config file at /etc/nginx/sites-available/openclaw:

server {
    listen 80;
    server_name openclaw.yourdomain.com;

    # Redirect HTTP to HTTPS
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name openclaw.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/openclaw.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/openclaw.yourdomain.com/privkey.pem;

    # Recommended SSL settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
        proxy_pass http://127.0.0.1:18789;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support (needed for Dashboard real-time updates and mobile connections)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Timeout settings (AI responses can be slow)
        proxy_read_timeout 120s;
        proxy_send_timeout 120s;
    }

    # Limit request body size (match OpenClaw's maxBodySize)
    client_max_body_size 20m;
}

Enable the Configuration

sudo ln -s /etc/nginx/sites-available/openclaw /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

Option 3: Caddy Reverse Proxy

If you prefer simpler configuration, Caddy is an excellent alternative. It automatically obtains and renews Let's Encrypt certificates.

Caddyfile Configuration

openclaw.yourdomain.com {
    reverse_proxy localhost:18789
}

Yes, it's that simple. Caddy automatically handles HTTPS certificates, HTTP-to-HTTPS redirection, WebSocket proxying, and more.

# Start Caddy
caddy start

Option 4: Tunnel Solutions

If your network environment doesn't allow port forwarding (e.g., corporate networks or campus networks), you can use tunneling tools.

Using Cloudflare Tunnel

# Install cloudflared
# Log in to Cloudflare
cloudflared tunnel login

# Create a tunnel
cloudflared tunnel create openclaw

# Configure the tunnel
# ~/.cloudflared/config.yml
tunnel: your-tunnel-id
credentials-file: ~/.cloudflared/your-tunnel-id.json

ingress:
  - hostname: openclaw.yourdomain.com
    service: http://localhost:18789
  - service: http_status:404

# Start the tunnel
cloudflared tunnel run openclaw

Using frp

# frpc.ini (client configuration)
[common]
server_addr = your-frp-server.com
server_port = 7000
token = your-auth-token

[openclaw]
type = tcp
local_ip = 127.0.0.1
local_port = 18789
remote_port = 18789

HTTPS Certificate Configuration

Let's Encrypt (Recommended)

Use certbot to obtain free SSL certificates:

# Install certbot
sudo apt install certbot python3-certbot-nginx

# Auto-configure Nginx + certificates
sudo certbot --nginx -d openclaw.yourdomain.com

# Confirm automatic renewal works (the certbot package installs a renewal timer;
# --dry-run performs a test renewal without replacing the live certificate)
sudo certbot renew --dry-run

OpenClaw Built-in TLS

If you're not using a reverse proxy, OpenClaw also supports configuring TLS directly:

{
  "security": {
    "tls": {
      "enabled": true,
      "cert": "/etc/letsencrypt/live/yourdomain.com/fullchain.pem",
      "key": "/etc/letsencrypt/live/yourdomain.com/privkey.pem"
    }
  }
}

Webhook Callback URL Configuration

Many messaging platforms (such as Telegram and WhatsApp) push messages to your server via Webhooks. After configuring remote access, update the Webhook base URL:

{
  "gateway": {
    "webhookBase": "https://openclaw.yourdomain.com"
  }
}

OpenClaw automatically concatenates webhookBase with each channel's webhookPath to generate complete callback URLs and register them with the respective platforms. For example, the Telegram Webhook will be set to https://openclaw.yourdomain.com/webhook/telegram.

How webhookBase and a channel's webhookPath combine, plus a sanity check on the base URL before it is handed to a platform, as an added Python example (not OpenClaw's own code; the whatsapp path and the check function are assumptions of this example):

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed config in the shape of the page's "gateway" block. The channel
# paths are hypothetical; the page only shows /webhook/telegram.
GATEWAY = {"webhookBase": "https://openclaw.yourdomain.com"}
CHANNELS = {"telegram": "/webhook/telegram", "whatsapp": "/webhook/whatsapp"}

def webhook_url(base, path):
    """Join webhookBase and webhookPath with exactly one slash between them."""
    return base.rstrip("/") + "/" + path.lstrip("/")

def check_webhook_base(base):
    """Problems that would stop a platform from delivering callbacks to this
    base URL; an empty list means it looks usable."""
    problems = []
    u = urlsplit(base)
    if u.scheme != "https":
        problems.append("scheme must be https, not " + (u.scheme or "empty"))
    host = u.hostname
    if not host:
        problems.append("missing hostname")
    else:
        try:
            ip = ipaddress.ip_address(host)
            if ip.is_loopback or ip.is_private or ip.is_link_local:
                problems.append(f"{ip} is not reachable from the internet")
        except ValueError:  # not an IP literal; only names are left to check
            if host == "localhost" or host.endswith(".local"):
                problems.append(f"{host} is not reachable from the internet")
    if u.query or u.fragment:
        problems.append("base URL must not carry a query string or fragment")
    return problems

def all_webhook_urls(gateway=GATEWAY, channels=CHANNELS):
    """Callback URL per channel, refusing a base that platforms could not use."""
    base = gateway["webhookBase"]
    problems = check_webhook_base(base)
    if problems:
        raise ValueError("; ".join(problems))
    return {name: webhook_url(base, path) for name, path in channels.items()}
```
<test>
assert webhook_url("https://openclaw.yourdomain.com", "/webhook/telegram") == "https://openclaw.yourdomain.com/webhook/telegram"
assert webhook_url("https://openclaw.yourdomain.com/", "webhook/telegram") == "https://openclaw.yourdomain.com/webhook/telegram"
assert check_webhook_base("https://openclaw.yourdomain.com") == []
p = check_webhook_base("http://192.168.1.10:18789")
assert len(p) == 2 and p[0].startswith("scheme must be https") and "192.168.1.10" in p[1]
assert check_webhook_base("https://localhost") == ["localhost is not reachable from the internet"]
assert all_webhook_urls()["telegram"] == "https://openclaw.yourdomain.com/webhook/telegram"
try:
    all_webhook_urls({"webhookBase": "http://localhost:18789"})
    raised = False
except ValueError:
    raised = True
assert raised
</test>

Firewall Configuration

Make sure the firewall allows the relevant ports. Which ports depends on the option you chose: behind a reverse proxy (Option 2 or 3) only 80 and 443 need to be reachable, and the gateway port 18789 should stay closed to the outside; open 18789 only when clients connect to the gateway directly (Option 1). Tunnel clients (Option 4) make outbound connections, so no inbound rule is needed.

# UFW (Ubuntu)
sudo ufw allow 18789/tcp   # only for direct access (Option 1)
sudo ufw allow 443/tcp
sudo ufw allow 80/tcp

# firewalld (CentOS)
sudo firewall-cmd --permanent --add-port=18789/tcp   # only for direct access (Option 1)
sudo firewall-cmd --permanent --add-port=80/tcp
sudo firewall-cmd --permanent --add-port=443/tcp
sudo firewall-cmd --reload

# iptables (rules are not persistent across reboots; save them with your
# distribution's iptables-save / iptables-persistent mechanism)
sudo iptables -A INPUT -p tcp --dport 18789 -j ACCEPT

Security Best Practices

Remote access means exposure to the public internet, so security measures are essential:

  1. Always use HTTPS: Protect data in transit, especially API keys and conversation content
  2. Set a Dashboard password: Prevent unauthorized administrative actions
  3. Configure rate limiting: Prevent abuse and DDoS attacks
  4. Use IP whitelisting: If access sources are fixed, restrict the allowed IP range
  5. Keep software updated: Maintain the latest versions of OpenClaw and your reverse proxy software
  6. Monitor logs: Regularly check access logs for anomalous requests

Rate limiting (item 3) and IP whitelisting (item 4) are configured in the security block; maxRequests caps the requests accepted within each windowMs window:

{
  "security": {
    "rateLimit": {
      "enabled": true,
      "maxRequests": 60,
      "windowMs": 60000
    },
    "ipWhitelist": ["203.0.113.0/24"]
  }
}
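What rateLimit and ipWhitelist do, and the X-Forwarded-For subtlety that matters behind the Nginx or Caddy proxies above, as an added Python model (not OpenClaw's own code): the whitelist must be checked against the client address the proxy reports, and that header is only trustworthy when the TCP peer is the proxy itself. TRUSTED_PROXIES, client_ip and the sliding-window limiter are assumptions of this example.

```python
import ipaddress
import time
from collections import deque
# Constructed config in the shape of the page's "security" block. This is an
# added model of the settings' semantics, not OpenClaw's own implementation.
SECURITY = {
    "rateLimit": {"enabled": True, "maxRequests": 60, "windowMs": 60000},
    "ipWhitelist": ["203.0.113.0/24"],
}
# Hypothetical: only the local reverse proxy may assert X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]

def client_ip(peer, headers):
    """X-Forwarded-For is honoured only when the TCP peer is a trusted proxy,
    so a client connecting directly cannot spoof a whitelisted address."""
    addr = ipaddress.ip_address(peer)
    xff = headers.get("X-Forwarded-For", "")
    if xff and any(addr in net for net in TRUSTED_PROXIES):
        # Nginx's $proxy_add_x_forwarded_for puts the original client first.
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return addr

def ip_allowed(addr, whitelist=SECURITY["ipWhitelist"]):
    # Empty whitelist: no source restriction.
    return not whitelist or any(addr in ipaddress.ip_network(c, strict=False) for c in whitelist)

class RateLimiter:
    """Sliding window: at most maxRequests per windowMs, keyed by client IP."""
    def __init__(self, cfg=SECURITY["rateLimit"]):
        self.enabled, self.limit = cfg["enabled"], cfg["maxRequests"]
        self.window, self.hits = cfg["windowMs"] / 1000.0, {}

    def allow(self, addr, now=None):
        if not self.enabled:
            return True
        now = time.monotonic() if now is None else now
        q = self.hits.setdefault(str(addr), deque())
        while q and now - q[0] >= self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def admit(peer, headers, limiter, now=None):
    """Decision for one request: 'allow', 'deny-ip' or 'deny-rate'."""
    addr = client_ip(peer, headers)
    if not ip_allowed(addr):
        return "deny-ip"
    return "allow" if limiter.allow(addr, now) else "deny-rate"
```

If OpenClaw is reached through the proxy, every connection it sees comes from 127.0.0.1, so a whitelist that ignores the forwarded address would either block everyone or nobody.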

Connection Verification

After configuration is complete, use these methods to verify remote access is working:

# Test the HTTPS endpoint from a machine outside your network
curl -I https://openclaw.yourdomain.com/dashboard

# Test WebSocket connection
wscat -c wss://openclaw.yourdomain.com/ws

# OpenClaw built-in connectivity test
openclaw doctor --remote

Summary

Remote access configuration is a critical step for putting OpenClaw into actual use. For personal use, router port forwarding plus DDNS is sufficient; for production deployments, Nginx or Caddy as a reverse proxy combined with Let's Encrypt certificates is recommended for secure HTTPS access. Regardless of which approach you choose, always follow security best practices to protect your AI gateway from abuse.
