Reference · Chapter 32 of 33 · 5 min read

Chapter 32: Remote Access with Tailscale

Your OpenClaw gateway runs at home, on a VPS, or on a Mac Mini under your desk. You want to reach the Control UI from your phone in a coffee shop, or let your team access a shared gateway from their laptops, without exposing ports to the public internet. Tailscale is the easiest and safest way to do this.


What Is Tailscale?

Tailscale is a zero-config VPN built on WireGuard. It creates a private encrypted network (called a tailnet) between all your devices. Once your gateway is on your tailnet, you can reach it from your phone, laptop, or any device, even behind NAT and firewalls, with no port forwarding required.

Tailscale is free for personal use (up to 3 users, 100 devices).


Installing Tailscale

On the Gateway Machine

# macOS
brew install tailscale
sudo tailscaled install-system-daemon

# Linux (Ubuntu/Debian)
curl -fsSL https://tailscale.com/install.sh | sh

# Start and authenticate
tailscale up

This opens a browser window to authenticate with your Tailscale account. Once done, your machine is on your tailnet.

On Your Remote Devices

Install the Tailscale app on your phone, laptop, or any device you want to access the gateway from:

  • iOS: App Store → Tailscale
  • Android: Play Store → Tailscale
  • macOS: App Store → Tailscale
  • Windows: tailscale.com/download

All devices sign in with the same Tailscale account. They immediately join the same private network.


The Three Access Patterns

Pattern 1: Direct Tailnet Access (Simple)

Once the gateway machine is on your tailnet, find its Tailscale IP:

tailscale ip -4
# Output: 100.x.x.x

Access the Control UI from any Tailscale device:

http://100.x.x.x:18789/

This works immediately with no additional setup. Traffic is encrypted by WireGuard.

Pattern 2: Tailscale Serve (HTTPS + Magic DNS)

Tailscale Serve gives your gateway a hostname and HTTPS certificate inside your tailnet, so no IP address is needed:

# Expose the Control UI over HTTPS on your tailnet
tailscale serve https / http://localhost:18789

Now access the gateway at:

https://my-mac-mini.tail1234.ts.net/

Your tailnet hostname is auto-assigned and stable, and the HTTPS certificate is managed automatically by Tailscale. Point OpenClaw at that hostname in its config:

{
  "gateway": {
    "baseUrl": "https://my-mac-mini.tail1234.ts.net"
  }
}

This is the recommended pattern for most users. It's private (tailnet-only), encrypted (HTTPS), and has a clean URL.

Pattern 3: Tailscale Funnel (Public Internet Access)

If you want the Control UI accessible from the public internet (not just your tailnet):

# Expose publicly via Tailscale Funnel
tailscale funnel 18789

Tailscale assigns a public HTTPS URL like:

https://my-mac-mini.tail1234.ts.net/

This URL works from anywhere, with no Tailscale account required on the visitor's device. Use this for sharing the dashboard with team members who aren't on your tailnet.

Security note: With Funnel, always enable the Control UI's device pairing; unauthorized visitors then cannot chat with your agent without completing pairing.


Configuring OpenClaw for Tailscale

Tell OpenClaw its public base URL (needed for webhooks to work correctly through Tailscale):

{
  "gateway": {
    "baseUrl": "https://my-mac-mini.tail1234.ts.net",
    "controlUi": {
      "host": "127.0.0.1",
      "port": 18789
    }
  }
}

Keep host set to "127.0.0.1"; Tailscale handles the external access. The gateway itself only listens on localhost, and Tailscale proxies traffic to it.
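A small preflight check for this config, added here as an example (it is not part of OpenClaw or Tailscale): it reads the gateway.baseUrl and gateway.controlUi.host keys shown above out of a config text, assuming those key names from this chapter, and fails if the UI is bound anywhere but loopback or if the base URL is not an https *.ts.net address. The two sample configs inside the script are constructed for the demonstration.

```shell
#!/bin/sh
# Added preflight check, not part of OpenClaw or Tailscale. It inspects an
# OpenClaw gateway config (the gateway.baseUrl / gateway.controlUi.host keys
# used in this chapter) and reports whether it is safe to publish the Control UI
# through Tailscale Serve or Funnel. The two config strings below are
# constructed samples for the demonstration.

GOOD_CFG='{
  "gateway": {
    "baseUrl": "https://my-mac-mini.tail1234.ts.net",
    "controlUi": { "host": "127.0.0.1", "port": 18789 }
  }
}'

BAD_CFG='{
  "gateway": {
    "baseUrl": "http://my-mac-mini.tail1234.ts.net",
    "controlUi": { "host": "0.0.0.0", "port": 18789 }
  }
}'

# Pull the string value of one JSON key out of a config text with grep/sed.
# Sufficient for the flat keys checked here; no JSON parser is assumed installed.
json_value() {
  # $1 = key name, $2 = JSON text
  printf '%s\n' "$2" \
    | grep -o "\"$1\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" \
    | head -n 1 \
    | sed 's/^"[^"]*"[[:space:]]*:[[:space:]]*"//; s/"$//'
}

# Returns 0 when the config keeps the UI on loopback and advertises an HTTPS
# tailnet URL, 1 otherwise; one line is printed per finding.
check_gateway_config() {
  cfg="$1"
  rc=0
  host=$(json_value host "$cfg")
  base=$(json_value baseUrl "$cfg")

  # The gateway must only listen on loopback: Serve/Funnel proxy to it, and a
  # 0.0.0.0 bind would also expose the UI on the LAN or the VPS's public IP.
  case "$host" in
    127.0.0.1|localhost|::1) ;;
    *) echo "FAIL: controlUi.host is '${host:-unset}'; keep it on 127.0.0.1"; rc=1 ;;
  esac

  # baseUrl is what webhook callbacks and redirects are built from, so it has
  # to match the HTTPS hostname Tailscale hands out.
  case "$base" in
    https://*.ts.net|https://*.ts.net/) ;;
    http://*) echo "FAIL: baseUrl '$base' is plain http; Serve/Funnel publish https"; rc=1 ;;
    *) echo "FAIL: baseUrl '${base:-unset}' is not an https *.ts.net URL"; rc=1 ;;
  esac
  return "$rc"
}

# Usage: run both constructed samples and print the verdict.
if check_gateway_config "$GOOD_CFG"; then echo "GOOD_CFG: safe to publish"; fi
if check_gateway_config "$BAD_CFG"; then echo "BAD_CFG: safe to publish"; else echo "BAD_CFG: fix before enabling Serve/Funnel"; fi
```

To check a real file, pass its contents: check_gateway_config "$(cat ~/.openclaw/config.json)" (path assumed; use wherever your gateway config lives). The grep/sed extraction is deliberate so the check runs on a bare VPS without jq, but it only handles the flat string keys this chapter uses.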


Webhook Channels Over Tailscale

Channels that use webhooks (WhatsApp Business API, Slack, Teams) need a public HTTPS URL to receive messages. Tailscale Funnel provides this:

# Expose the gateway webhook port publicly
tailscale funnel 3000

Update your channel webhooks to point to your Funnel URL:

https://my-mac-mini.tail1234.ts.net/webhooks/whatsapp
https://my-mac-mini.tail1234.ts.net/webhooks/slack

Tailscale + SSH

Access your gateway machine's terminal from anywhere:

# SSH into your gateway over Tailscale (no port forwarding needed)
ssh user@my-mac-mini.tail1234.ts.net

Enable Tailscale SSH (no separate SSH server needed):

tailscale up --ssh

Now you can manage your gateway remotely (restart it, edit config files, view logs) from any Tailscale-connected device.


Access Control with Tailscale ACLs

Control which Tailscale devices can reach the gateway:

{
  "acls": [
    {
      "action": "accept",
      "src": ["tag:personal"],
      "dst": ["tag:gateway:18789"]
    }
  ],
  "tagOwners": {
    "tag:gateway": ["autogroup:owner"],
    "tag:personal": ["autogroup:member"]
  }
}

This Tailscale policy allows only devices tagged personal to access port 18789 on the gateway, locking out other devices even if they're on the tailnet.


Alternative: Self-Hosted ngrok / Localtonet

If Tailscale doesn't work in your environment, alternatives include:

# ngrok (quick tunnel for testing)
ngrok http 18789

# Localtonet (persistent subdomain)
localtonet http --port 18789

These create a public HTTPS tunnel instantly. Not recommended for production (no network-level security), but useful for quick demos or webhook testing.


Troubleshooting Remote Access

# Check Tailscale status
tailscale status

# Test connectivity to the gateway
tailscale ping my-mac-mini

# Check if Serve is running
tailscale serve status

# View Funnel config
tailscale funnel status

If the Control UI loads but channels don't receive messages, check that your gateway.baseUrl matches the Tailscale URL and that Funnel is exposing the correct port.
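When the URL matches but the UI still cannot be reached, or reaches further than intended, the next thing to confirm is what the gateway process is actually bound to. The helper below is an added example, not OpenClaw's or Tailscale's own tooling: it parses listening-socket lines in the layout printed by ss -ltn (the sample tables inside are constructed) and classifies the gateway port as loopback-only, exposed on other interfaces, or not listening at all. The gateway_bind_state name and the sample data are assumptions for this illustration.

```shell
#!/bin/sh
# Added troubleshooting helper, not part of OpenClaw or Tailscale. It reads the
# listening-socket table in the format printed by "ss -ltn" (the two samples
# below are constructed) and reports how the gateway port is bound:
#   loopback  - only 127.0.0.1 / [::1], i.e. reachable solely through Tailscale
#   exposed   - bound on 0.0.0.0, [::] or a LAN/public address as well
#   missing   - nothing listens on that port, so Serve/Funnel has no backend
# In a real session, pipe live output: ss -ltn | gateway_bind_state 18789

SS_LOOPBACK_ONLY='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:18789     0.0.0.0:*
LISTEN 0      511    [::1]:18789         [::]:*
LISTEN 0      4096   0.0.0.0:22          0.0.0.0:*'

SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:18789     0.0.0.0:*
LISTEN 0      128    0.0.0.0:18789       0.0.0.0:*'

# $1 = port; stdin = ss -ltn output. Prints loopback | exposed | missing.
gateway_bind_state() {
  port="$1"
  state=missing
  # ss columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port ...
  while read -r _st _rq _sq laddr _rest; do
    case "$laddr" in
      *:"$port") ;;      # this socket is on the port we care about
      *) continue ;;     # header line or another service
    esac
    case "$laddr" in
      127.*:"$port"|"[::1]:$port")
        # loopback only counts if nothing wider was seen already
        if [ "$state" = missing ]; then state=loopback; fi ;;
      *)
        state=exposed
        echo "note: port $port is bound on $laddr, reachable without Tailscale" >&2 ;;
    esac
  done
  echo "$state"
}

# Usage against the constructed samples; replace with live "ss -ltn" output.
printf '%s\n' "$SS_LOOPBACK_ONLY" | gateway_bind_state 18789
printf '%s\n' "$SS_EXPOSED" | gateway_bind_state 18789
printf '%s\n' "$SS_LOOPBACK_ONLY" | gateway_bind_state 3000
```

A result of exposed means the controlUi.host setting is not 127.0.0.1 (or another process owns the port), so the UI is reachable on the LAN or the VPS's public address without going through the tailnet; missing means Serve or Funnel is forwarding to a port nothing listens on, which shows up as a bad gateway error rather than a Tailscale problem.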


Next: Chapter 33 (Additional Channels), a guide to the extended channel list: Matrix, LINE, Zalo, WeChat, QQ, and more.