🔒 Security Guide

Secure OpenClaw with Tailscale

The easiest way to secure OpenClaw. Zero configuration, end-to-end encryption.

Why Tailscale?

🔒 Zero Configuration

No VPN servers, certificates, or firewall rules to manage

🌐 Complete Isolation

Only accessible from devices in your Tailnet

🔑 Built-in Auth

SSO, 2FA, device approval policies included

📊 Full Audit Logs

See exactly who accessed OpenClaw and when

Traditional vs Tailscale:

❌ Traditional

  • • Expose port to internet
  • • Manage SSL certificates
  • • Configure reverse proxy
  • • Set up API keys

✅ Tailscale

  • • Install Tailscale
  • • Run tailscale up
  • • Bind to Tailscale IP
  • • Done!

Setup Guide

1

Install Tailscale


# Install Tailscale
curl -fsSL https://tailscale.com/install.sh | sh

# Authenticate
sudo tailscale up
Copied!
2

Get Tailscale IP


# Get your Tailscale IP
tailscale ip -4

# Example output: 100.89.234.156
Copied!

Configure OpenClaw


# Bind OpenClaw to Tailscale IP
gateway:
  host: "100.x.x.x"  # Your Tailscale IP
  port: 18789
  auth:
    method: "api_key"
    api_key: "${OPENCLAW_API_KEY}"
Copied!
4

Test Connection


# From another device with Tailscale
curl http://100.x.x.x:18789/health

# From your server
openclaw restart
Copied!

Advanced Configuration


# Enable Tailscale SSH
sudo tailscale up --ssh

# Use hostname instead of IP
gateway:
  host: "my-server.beta.my-tailnet.ts.net"
Copied!

Related Resources

🛡️ Hardening Guide

Complete security checklist

⚠️ auth:none Dangers

Why you should never disable auth