Why Tailscale
Tailscale creates an encrypted virtual private network based on WireGuard, letting devices across different networks securely interconnect. Integrating Tailscale with OpenClaw lets you:
- Access the Gateway remotely without a public IP
- Automatically encrypt all communication
- Fine-grained access control (ACL)
- Avoid exposing ports to the public internet
Install Tailscale
# Linux
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
# macOS
brew install tailscale
tailscale up
Configure OpenClaw to Listen on Tailscale
After installing Tailscale, configure OpenClaw to listen only on the Tailscale interface (100.x.x.x):
{
"gateway": {
"host": "100.64.0.1",
"port": 3000
}
}
Tailscale Funnel for Webhooks
If channel webhooks (like Telegram) need to reach your Gateway:
tailscale funnel 3000
This provides a public URL: https://your-machine.tail1234.ts.net:443
Configure it as the webhook callback address in OpenClaw.
Tailscale Serve for HTTPS
tailscale serve https / http://127.0.0.1:3000
Adds automatic HTTPS with Tailscale-managed certificates.
ACL Access Control
Configure which devices can access OpenClaw in the Tailscale admin console with tags and ACL rules.
Multi-Node Deployment
Combine with Remote Gateway over the Tailscale network:
{
"gateway": {
"mode": "remote",
"primaryUrl": "https://primary.tail1234.ts.net:3100",
"authToken": "{{REMOTE_AUTH_TOKEN}}"
}
}
All inter-node communication is encrypted through Tailscale's WireGuard tunnels.
Summary
Tailscale provides a zero-configuration secure network layer for OpenClaw, eliminating the need for port forwarding, dynamic DNS, or VPN server setup. It is especially well-suited for OpenClaw instances on home servers or NAS devices that need remote access.