Security & Hardening

How to Set Up Tailscale with OpenClaw

Intermediate | 30-60 minutes | Updated 2025-01-14

Exposing OpenClaw to the public internet is risky. Tailscale creates a private, encrypted mesh network so you can access your OpenClaw instance from anywhere without opening firewall ports, configuring VPNs, or managing certificates. This guide shows you how to deploy OpenClaw on Tailscale, configure access controls, and enable MagicDNS for seamless private connectivity.

Why This Is Hard to Do Yourself

These are the common pitfalls that trip people up.

Public internet exposure

Running OpenClaw on 0.0.0.0 exposes it to port scanners, bots, and attackers scanning for vulnerabilities.

VPN complexity

Traditional VPNs require server setup, certificate management, and client configuration on every device.

Firewall rules

Opening ports like 3000 or 8080 creates attack surface. Forgetting to close them leaves you vulnerable.

Multi-device access

Accessing OpenClaw from a laptop, phone, and tablet without exposing it publicly requires complex routing.

Step-by-Step Guide

Step 1

Install Tailscale on the OpenClaw host

Install Tailscale on the machine running OpenClaw.

# On macOS:
brew install tailscale

# On Ubuntu/Debian:
curl -fsSL https://tailscale.com/install.sh | sh

# On Docker host (the install script requests root itself when it needs it):
curl -fsSL https://tailscale.com/install.sh | sh

Step 2

Start Tailscale and authenticate

Connect your machine to your Tailscale network.

sudo tailscale up

# Follow the link to authenticate
# Then print your machine's Tailscale IPv4 address (100.x.x.x):
tailscale ip -4

Step 3

Configure OpenClaw to listen on Tailscale IP

Bind OpenClaw to the Tailscale network interface only.

# In docker-compose.yml:
services:
  openclaw:
    ports:
      - "100.64.0.1:3000:3000"  # Replace with YOUR Tailscale IP
    environment:
      - OPENCLAW_BIND_HOST=100.64.0.1  # Replace with YOUR IP

# Or if running directly:
export OPENCLAW_BIND_HOST=100.64.0.1
npm start

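Warning: Do NOT use 0.0.0.0 or 127.0.0.1 as the bind host. 0.0.0.0 listens on every interface, including public ones, and 127.0.0.1 is reachable only from the host itself. Use your actual Tailscale IP (in the 100.x.x.x range) to ensure OpenClaw is only accessible via Tailscale.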

Step 4

Set up Tailscale ACLs

Control which Tailscale devices can access OpenClaw.

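// In Tailscale admin console > Access Controls:
// The OpenClaw host must carry tag:openclaw for this rule to match it,
// e.g. sudo tailscale up --advertise-tags=tag:openclaw
{
  "groups": {
    // Every group referenced in "src" must be defined here
    "group:team": ["your-email@example.com"]
  },
  "acls": [
    {
      "action": "accept",
      "src": ["group:team"],
      "dst": ["tag:openclaw:3000"]
    }
  ],
  "tagOwners": {
    "tag:openclaw": ["your-email@example.com"]
  }
}

Step 5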

Enable MagicDNS for easy access

Access OpenClaw via hostname instead of IP.

# Enable MagicDNS in Tailscale admin console
# Then access OpenClaw via:
http://openclaw-host:3000

# Instead of:
http://100.64.0.1:3000

Step 6

Install Tailscale on client devices

Install Tailscale on devices that need to access OpenClaw.

# On each device:
# macOS: brew install tailscale
# iOS/Android: Download Tailscale app
# Windows: Download from tailscale.com/download

# Then authenticate and connect

Step 7

Test private access

Verify OpenClaw is accessible only via Tailscale.

# From a Tailscale-connected device:
curl http://openclaw-host:3000/health

# From outside Tailscale network (should time out or be refused):
curl --max-time 5 http://YOUR_PUBLIC_IP:3000  # Should NOT work
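
To confirm the binding on the host itself rather than only probing from outside, the following added example (not part of the original guide) classifies every listener on a port from `ss -ltnH` output and fails unless all of them are Tailscale addresses. It assumes a Linux host with iproute2's `ss`; the function names and script name are illustrative.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. Function names are illustrative.

# classify_bind ADDR: label a listener's local address.
# Tailscale hands out IPv4 from 100.64.0.0/10 (100.64.x.x to 100.127.x.x)
# and IPv6 from fd7a:115c:a1e0::/48.
classify_bind() {
  case "$1" in
    0.0.0.0|'*'|'[::]')  echo wildcard ;;   # every interface, public ones included
    127.*|'[::1]')       echo loopback ;;   # unreachable from other tailnet devices
    100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) echo tailscale ;;
    '[fd7a:115c:a1e0:'*) echo tailscale ;;
    *)                   echo other ;;      # LAN or public address
  esac
}

# audit_port PORT: read `ss -ltnH` lines on stdin, print "ADDR CLASS" for each
# listener on PORT, and succeed only if there is at least one listener and
# every one of them is a Tailscale address.
audit_port() {
  local port=$1 state recvq sendq local_ep rest addr class seen=0 bad=0
  while read -r state recvq sendq local_ep rest; do
    [ "${local_ep##*:}" = "$port" ] || continue   # field 4 is Local Address:Port
    addr=${local_ep%:*}
    class=$(classify_bind "$addr")
    echo "$addr $class"
    seen=1
    [ "$class" = tailscale ] || bad=1
  done
  [ "$seen" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Live check on the OpenClaw host: ./audit.sh 3000
if [ -n "${1:-}" ] && command -v ss >/dev/null 2>&1; then
  ss -ltnH | audit_port "$1" || { echo "port $1 is NOT Tailscale-only" >&2; exit 1; }
fi
```

A `wildcard` or `other` result for port 3000 means the bind host or the `ports:` mapping from Step 3 is not restricting OpenClaw to the Tailscale interface.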

Frequently Asked Questions