🦞 Clawbase
← Back to blog

April 14, 2026

How to Securely Set Up Openclaw with Tailscale: Private Access & Safe Exposure

Learn how to set up Openclaw with Tailscale for secure, private access using Tailscale Serve. Avoid public exposure and safely manage remote connectivity for your Clawbase-powered apps.

Why Secure Remote Access to Openclaw Matters

Openclaw is a powerful platform for managing AI infrastructure, but like any web dashboard, it needs to be protected from unauthorized access. Exposing your Openclaw dashboard or API directly to the public internet is risky, even with strong passwords. Instead, using a private network solution like Tailscale lets you safely access your Openclaw instance from anywhere—without opening dangerous ports or relying on VPNs that are hard to manage.

In this guide, we'll show you how to set up Openclaw with Tailscale for secure, private access. We'll focus on using Tailscale Serve to expose your dashboard or API safely to your devices, following recommended patterns that keep your infrastructure protected. Whether you're running Openclaw for personal projects or managing a Clawbase (clawbase.com) deployment, this approach gives you peace of mind and operational flexibility.

Table of Contents

Why Avoid Public Exposure?

Directly exposing your Openclaw dashboard or API to the internet can lead to:

  • Brute-force attacks: Automated bots scan for open ports and attempt to guess passwords.
  • Zero-day exploits: Public endpoints can be targeted as soon as vulnerabilities are discovered.
  • Data leaks: Accidental misconfigurations can reveal sensitive data or admin panels.

Private access solutions like Tailscale eliminate these risks by making your Openclaw instance reachable only to authenticated devices in your personal network.

What is Tailscale Serve?

Tailscale Serve is a built-in feature that lets you expose web services securely over your Tailscale network. With Serve, you can:

  • Forward HTTP(S) ports from your server to your device, accessible only to you and your team.
  • Avoid exposing any ports to the public internet.
  • Use HTTPS automatically, even for local servers.

This makes it ideal for managing sensitive dashboards like Openclaw, especially when you want to access them remotely or from multiple devices.

Prerequisites

Before you begin, make sure you have:

  • An Openclaw instance running (see official docs).
  • Access to the server or VM where Openclaw is hosted (SSH, console, etc.).
  • A Tailscale account (free for individuals, paid for teams).
  • Tailscale installed on your server and client devices (installation guide).

Step-by-Step: Setting Up Tailscale with Openclaw

1. Install Tailscale on Your Openclaw Server

On your Openclaw host (Linux example):

Ready for your own?

🦞 Hire an AI employee that works 24/7

Plans from less than $1/day. Dedicated cloud host, top models, and messaging on Telegram, Slack, or Discord. No API keys to manage.

See plans · Cancel anytime

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
  • Follow the authentication prompt to connect your server to your Tailscale network.
  • Note the device's Tailscale IP address (e.g., 100.x.x.x) or MagicDNS name (e.g., openclaw-server.your-tailnet.ts.net).

2. Install Tailscale on Your Client Devices

Repeat the installation on your laptop, desktop, or mobile device. Log in with the same Tailscale account. These devices will be able to access your Openclaw dashboard securely.

3. Identify Your Openclaw Dashboard Port

By default, Openclaw's web dashboard runs on a specific port (e.g., 8080). Check your Openclaw configuration or the dashboard docs to confirm.

4. Set Up Tailscale Serve

On the Openclaw server, use Tailscale Serve to forward the dashboard port:

sudo tailscale serve https 443 localhost:8080
  • This command forwards HTTPS traffic on port 443 (over Tailscale) to the Openclaw dashboard running on localhost:8080.
  • Tailscale automatically provides a valid certificate for your tailnet domain.

Now, from any device on your Tailscale network, you can visit:

https://openclaw-server.your-tailnet.ts.net/

You'll see your Openclaw dashboard, secured and private.

The safest and most maintainable way to access Openclaw remotely is:

  • Never open firewall ports for Openclaw to the public.
  • Use Tailscale Serve for HTTPS access.
  • Restrict Tailscale access to trusted users and devices.
  • Optionally, use Tailscale ACLs for fine-grained permissions.

This pattern is ideal for:

  • Solo developers running Openclaw at home or on a VPS.
  • Teams using Clawbase to orchestrate multiple Openclaw nodes.
  • Anyone who wants secure, frictionless remote access without VPN headaches.

Why Not Use Public Exposure with Reverse Proxies?

While reverse proxies like Nginx or Caddy can provide HTTPS and some access control, they still leave your dashboard reachable from the internet. Tailscale's approach is simpler and more secure—no public IP or DNS record is needed.

When Might You Need Public Exposure?

If you must allow third-party integrations or webhooks, consider using Tailscale Funnel (for controlled sharing) or a dedicated API gateway with strict authentication. For most users, private Tailscale access is sufficient.

Exposing Openclaw Safely with Tailscale Serve

Let's break down how Tailscale Serve keeps your Openclaw instance safe:

  • No open ports: Your server's firewall can block all incoming traffic except Tailscale's encrypted connections.
  • Automatic HTTPS: Tailscale handles certificates, so you don't have to manage Let's Encrypt or self-signed certs.
  • Device-level authentication: Only devices in your tailnet can access the dashboard.
  • Easy sharing: Want to give a teammate access? Add their device to your Tailscale network.

Example: Multi-User Clawbase Deployment

If you're using Clawbase to manage multiple Openclaw nodes across different regions or clouds, Tailscale scales with you. Each node can run its own Tailscale instance, and you can enforce access policies using Tailscale's admin console and ACLs. This makes it easy to:

  • Grant or revoke access for team members.
  • Monitor which devices are accessing which Openclaw instances.
  • Keep your infrastructure segmented and secure.

Managing Access and Permissions

Tailscale makes it straightforward to control who can access your Openclaw dashboard:

  • Invite users: Add team members to your tailnet via the Tailscale admin panel.
  • Configure ACLs: Use Tailscale's ACL policy editor to restrict which users can reach which services or nodes.
  • Audit access: Tailscale provides logs and device management for compliance and monitoring.

This is especially useful for organizations running Openclaw as part of a larger Clawbase deployment, where multiple roles and permissions are needed.

Troubleshooting & Tips

  • Can't connect? Check that Tailscale is running on both server and client, and that the server firewall allows Tailscale's UDP ports.
  • Dashboard not loading? Verify the dashboard is running and listening on the correct port. Check Tailscale Serve logs for errors.
  • Need to expose additional services? You can repeat the tailscale serve command for other ports or protocols as needed.
  • Want to automate setup? Consider scripting Tailscale installation and Serve commands as part of your Openclaw deployment process.
  • Rotating devices/users? Use Tailscale's device expiry and key rotation features to keep your network clean.

Conclusion

Setting up Openclaw with Tailscale is the safest and most reliable way to access your dashboard or API remotely. By using Tailscale Serve, you avoid the risks of public exposure while enjoying seamless, encrypted access from anywhere. This approach scales from solo projects to enterprise-grade Clawbase deployments, giving you full control over who can reach your infrastructure.

If you're looking to deploy Openclaw securely and efficiently, start with Tailscale—your future self (and your security team) will thank you.

Further reading: