Skip to content
Openclaw Wiki Docs

Tailscale (Gateway dashboard)

Tailscale (Gateway dashboard)

Section titled “Tailscale (Gateway dashboard)”

OpenClaw can auto-configure Tailscale Serve (tailnet) or Funnel (public) for the Gateway dashboard and WebSocket port. This keeps the Gateway bound to loopback while Tailscale provides HTTPS, routing, and (for Serve) identity headers.

Modes

Section titled “Modes”
  • serve: Tailnet-only Serve via tailscale serve. The gateway stays on 127.0.0.1.
  • funnel: Public HTTPS via tailscale funnel. OpenClaw requires a shared password.
  • off: Default (no Tailscale automation).

Auth

Section titled “Auth”

Set gateway.auth.mode to control the handshake:

  • token (default when OPENCLAW_GATEWAY_TOKEN is set)
  • password (shared secret via OPENCLAW_GATEWAY_PASSWORD or config)

When tailscale.mode = "serve" and gateway.auth.allowTailscale is true, valid Serve proxy requests can authenticate via Tailscale identity headers (tailscale-user-login) without supplying a token/password. OpenClaw verifies the identity by resolving the x-forwarded-for address via the local Tailscale daemon (tailscale whois) and matching it to the header before accepting it. OpenClaw only treats a request as Serve when it arrives from loopback with Tailscale’s x-forwarded-for, x-forwarded-proto, and x-forwarded-host headers. To require explicit credentials, set gateway.auth.allowTailscale: false or force gateway.auth.mode: "password".

Config examples

Section titled “Config examples”

Tailnet-only (Serve)

Section titled “Tailnet-only (Serve)”
{
  gateway: {
    bind: "loopback",
    tailscale: { mode: "serve" }
  }
}

Open: https://<magicdns>/ (or your configured gateway.controlUi.basePath)

Tailnet-only (bind to Tailnet IP)

Section titled “Tailnet-only (bind to Tailnet IP)”

Use this when you want the Gateway to listen directly on the Tailnet IP (no Serve/Funnel).

{
  gateway: {
    bind: "tailnet",
    auth: { mode: "token", token: "your-token" }
  }
}

Connect from another Tailnet device:

  • Control UI: http://<tailscale-ip>:18789/
  • WebSocket: ws://<tailscale-ip>:18789

Note: loopback (http://127.0.0.1:18789) will not work in this mode.

Public internet (Funnel + shared password)

Section titled “Public internet (Funnel + shared password)”
{
  gateway: {
    bind: "loopback",
    tailscale: { mode: "funnel" },
    auth: { mode: "password", password: "replace-me" }
  }
}

Prefer OPENCLAW_GATEWAY_PASSWORD over committing a password to disk.

CLI examples

Section titled “CLI examples”
Terminal window
openclaw gateway --tailscale serve
openclaw gateway --tailscale funnel --auth password

Notes

Section titled “Notes”
  • Tailscale Serve/Funnel requires the tailscale CLI to be installed and logged in.
  • tailscale.mode: "funnel" refuses to start unless auth mode is password to avoid public exposure.
  • Set gateway.tailscale.resetOnExit if you want OpenClaw to undo tailscale serve or tailscale funnel configuration on shutdown.
  • gateway.bind: "tailnet" is a direct Tailnet bind (no HTTPS, no Serve/Funnel).
  • gateway.bind: "auto" prefers loopback; use tailnet if you want Tailnet-only.
  • Serve/Funnel only expose the Gateway control UI + WS. Nodes connect over the WebSocket. Other HTTP APIs (OpenAI, Tools Invoke) are also exposed.
  • See Control UI for auth details.