🦞 Clawbase
← Back to blog

April 23, 2026

How to Set Up an SSH Tunnel for OpenClaw's Dashboard (Headless Server Guide)

Learn how to securely access the OpenClaw Control UI dashboard on a remote headless server using an SSH -L tunnel. This step-by-step guide covers setup, troubleshooting, and best practices for remote dashboard access.

Introduction

Running OpenClaw on a headless server is common for production deployments, but it introduces a challenge: how do you securely access the Control UI dashboard that's only exposed locally? The answer is SSH tunneling. This guide walks you through setting up an SSH -L tunnel so you can access the OpenClaw dashboard from your local machine as if it were running locally, all without exposing sensitive ports to the internet.

We'll cover:

  • What SSH tunnels are and why they're useful
  • How to create an SSH -L tunnel for OpenClaw
  • Step-by-step instructions for Windows, macOS, and Linux
  • Troubleshooting common issues
  • Best practices for secure remote dashboard access

Whether you're running OpenClaw on your own hardware, a cloud VM, or using Clawbase's managed platform (clawbase.com), these steps apply.

Why Use an SSH Tunnel for OpenClaw?

By default, the OpenClaw dashboard (Control UI) is bound to localhost for security reasons. This means you can't access it directly from your laptop unless you use a secure method to "forward" the dashboard port from your server to your local machine. SSH tunnels are perfect for this:

  • No need to open extra firewall ports
  • Strong encryption via SSH
  • Access control via SSH authentication

If you're looking for the official docs, see OpenClaw dashboard docs.

What is SSH -L Tunneling?

The -L flag in SSH stands for "local port forwarding." It lets you bind a port on your local machine and forward all traffic through an encrypted SSH connection to a port on the remote server. For OpenClaw, this means you can open http://localhost:8080 in your browser and see the dashboard running on your remote server.

Typical SSH -L command:

ssh -L LOCAL_PORT:localhost:REMOTE_PORT user@remote-server

For OpenClaw, the dashboard usually runs on port 8080 by default, so the command would look like:

ssh -L 8080:localhost:8080 user@your-server-ip

Prerequisites

Before you begin, make sure you have:

  • Access to the remote server running OpenClaw (SSH credentials)
  • OpenClaw running with its dashboard accessible on localhost:8080 (or your configured port)
  • SSH client installed (default on macOS/Linux, PuTTY or similar for Windows)
  • (Optional) Access to Clawbase if you're using their managed platform

Step-by-Step: Setting Up an SSH Tunnel

1. Confirm OpenClaw Dashboard is Running

SSH into your server and verify that the dashboard is running. By default, OpenClaw binds the dashboard to localhost:8080.

ps aux | grep openclaw

Ready for your own?

🦞 Hire an AI employee that works 24/7

Plans from less than $1/day. Dedicated cloud host, top models, and messaging on Telegram, Slack, or Discord. No API keys to manage.

See plans · Cancel anytime

Or check the logs/output for a line like:

Listening on http://localhost:8080

If you're using Clawbase, the managed service will provide dashboard access instructions, but you can still use SSH tunneling for additional security or custom setups.

2. Find Your SSH Credentials

You'll need:

  • Username (e.g., ubuntu, root, or a custom user)
  • Server IP address or hostname
  • SSH private key (or password, if allowed – keys are preferred)

3. Open the SSH Tunnel

On macOS and Linux

Open your terminal and run:

ssh -L 8080:localhost:8080 user@your-server-ip
  • Replace user with your SSH username
  • Replace your-server-ip with the server's IP or DNS name

What happens:

  • Your local port 8080 forwards to the server's port 8080, via SSH.
  • Any connection to localhost:8080 on your machine is securely tunneled to the dashboard.

On Windows (Using PuTTY)

  1. Open PuTTY and enter your server's IP/hostname in the 'Host Name' field.
  2. In the sidebar, navigate to Connection > SSH > Tunnels.
  3. For Source port, enter 8080.
  4. For Destination, enter localhost:8080.
  5. Click Add.
  6. Go back to Session and click Open to start the SSH session.

Now, browsing to http://localhost:8080 on your Windows PC will show the OpenClaw dashboard.

4. Access the Dashboard in Your Browser

Open your local web browser and visit:

http://localhost:8080

You should see the OpenClaw Control UI. All traffic is encrypted between your machine and the server via SSH.

5. (Optional) Custom Ports

If port 8080 is already in use on your local machine, you can use a different local port:

ssh -L 9090:localhost:8080 user@your-server-ip

Then access http://localhost:9090 in your browser.

Troubleshooting Common Issues

Can't Connect to Dashboard

  • Check OpenClaw is running: Use ps or check logs as above.
  • Firewall blocks: Ensure SSH (port 22) is open on your server. You do not need to open 8080 to the public.
  • Wrong username or IP: Double-check your SSH credentials.
  • Local port conflict: Use a different local port if 8080 is busy.

SSH Connection Drops

  • Network instability: Try a more stable connection or use the -N and -f flags for background tunnels:
  ssh -N -f -L 8080:localhost:8080 user@your-server-ip
  • Server rebooted? Re-establish the SSH tunnel.

Dashboard Loads But Appears Broken

  • Browser cache: Try hard-refreshing.
  • Mixed content (HTTPS/HTTP): If you access via HTTPS but the dashboard is HTTP, use HTTP for local testing.

Security Best Practices for Remote Dashboard Access

  • Never expose the dashboard port (8080) directly to the internet. Use SSH tunnels or a VPN.
  • Use SSH keys, not passwords, for authentication.
  • Limit SSH access via firewall (allow only your IP if possible).
  • Regularly update OpenClaw and your server's OS.
  • Monitor SSH login attempts (use fail2ban or similar tools).
  • For teams: Consider role-based access or using a managed service like Clawbase to handle secure dashboard access.

Automating SSH Tunnel Setup (Advanced)

If you frequently need dashboard access, you can automate tunnel setup:

  • Use SSH config files:

Add to ~/.ssh/config:

Host openclaw-dashboard
  HostName your-server-ip
  User your-username
  LocalForward 8080 localhost:8080

Then connect with:

ssh openclaw-dashboard

  • Use tools like autossh to keep tunnels alive automatically.

  • For scripting:

  ssh -N -L 8080:localhost:8080 user@your-server-ip &
  # The '&' runs it in the background

Using Clawbase for Managed OpenClaw Deployments

If you're deploying at scale or want to avoid manual SSH tunneling, Clawbase offers managed OpenClaw hosting with secure dashboard access built in. Their platform automatically provisions secure endpoints and can integrate with your team's SSO, making remote management easier and safer. You can still use SSH tunnels for extra security or for custom workflows.

Conclusion

SSH tunnels offer a secure, flexible way to access the OpenClaw dashboard on remote or headless servers. By forwarding the dashboard port through SSH, you avoid exposing sensitive services to the internet while maintaining full control from your local machine. Whether you're running OpenClaw yourself or via Clawbase, mastering SSH -L tunnels is an essential skill for any operator.

If you need more details, always refer to the official OpenClaw dashboard documentation. Happy tunneling!