
How to Set Up Tailscale with OpenClaw (Make Your Server Invisible to the Internet)

2026-03-17 · 6 min read


Tailscale is the single highest-impact security change you can make to an OpenClaw setup. Most hardening steps reduce your attack surface. Tailscale eliminates it entirely.

Once configured, your server doesn't show up on port scans. Automated attack bots can't find it. Someone who knows your server's public IP can't connect to OpenClaw. To an outside observer, the port doesn't exist.

This article covers exactly what Tailscale is, why it works, and the complete step-by-step setup for OpenClaw.


What Tailscale Is

Tailscale is a private mesh VPN built on WireGuard. When you install it on two devices, those devices can talk to each other through an encrypted tunnel — regardless of firewalls, NAT, or public IP addresses. From each device's perspective, the others are on a private network.

The mental model that matters: your OpenClaw server, your laptop, and your phone all become part of the same private network. The OpenClaw port is only accessible from inside that network. No Tailscale connection = no access, period.

When OpenClaw's tailscale setting is "mode": "serve", Tailscale acts as a reverse proxy. OpenClaw binds to loopback (meaning it only listens on 127.0.0.1, not on any external interface), and Tailscale exposes it securely on the Tailscale network. Traffic that doesn't come through Tailscale simply can't reach OpenClaw.

Tailscale is free for personal use (up to 3 users, 100 devices).


Why "Invisible to the Internet" Is the Right Mental Model

When you bind OpenClaw to a public port without Tailscale, your server looks like this to the internet:

0.0.0.0:8080 → OpenClaw gateway [ACCESSIBLE]

Automated port scanners (and there are millions of them) will find this within minutes of your server going online. They'll try default credentials, known exploits, and brute-force attacks continuously.

With Tailscale and loopback binding:

127.0.0.1:39217 → OpenClaw gateway [not visible externally]
Tailscale network → serves OpenClaw to approved devices only

There's no public port to scan. No public service to attack. The server exists on the internet in the sense that it has an IP address — but OpenClaw doesn't exist on that IP address from any external perspective.

This is why it's described as "the single most impactful step." Every other hardening measure assumes something is reachable and tries to secure it. Tailscale makes OpenClaw unreachable by default.


Prerequisites

  • A VPS or dedicated machine running Linux (Debian/Ubuntu)
  • OpenClaw installed and running
  • A Tailscale account (free at tailscale.com — sign in with Google or GitHub)

Step 1: Install Tailscale on Your Server

curl -fsSL https://tailscale.com/install.sh | sh

Then bring Tailscale up:

sudo tailscale up

Tailscale will print a URL. Open it in your browser, sign in with your Google or GitHub account, and authorize the machine. Once authorized, you'll see it appear in your Tailscale admin console at login.tailscale.com/admin/machines.

Verify it's connected:

tailscale status

You should see your server listed with a Tailscale IP (100.x.x.x range).


Step 2: Configure OpenClaw to Use Tailscale

Edit your ~/.openclaw/openclaw.json:

{
  "gateway": {
    "bind": "loopback",
    "port": 39217,
    "auth": {
      "mode": "password",
      "password": "YOUR-STRONG-30-CHAR-PASSWORD-HERE",
      "allowTailscale": true
    },
    "tailscale": {
      "mode": "serve"
    }
  }
}

Key fields explained:

  • "bind": "loopback" — OpenClaw only listens on 127.0.0.1. Nothing external can reach it directly.
  • "allowTailscale": true — Tailscale-authenticated connections are trusted.
  • "tailscale": { "mode": "serve" } — OpenClaw registers itself with Tailscale's serve system, which handles proxying traffic from your Tailscale network to the local process.

Restart OpenClaw after editing:

openclaw gateway restart
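The settings above are easy to get subtly wrong (a leftover "bind": "0.0.0.0", a short password, a missing tailscale block), so here is a small audit script you can run against the file before restarting the gateway. It is an added example, not OpenClaw project code: it assumes only the key layout of the openclaw.json shown above, and the two sample configs and finding messages are constructed for illustration.

```python
"""Audit ~/.openclaw/openclaw.json for the Tailscale-only exposure settings.

Added example, not OpenClaw project code. It assumes only the key layout of
the openclaw.json shown in Step 2; the finding messages and the two sample
configs below are constructed for illustration.
"""
import json
import sys
from typing import Any, Dict, List

MIN_PASSWORD_LEN = 30  # the guide's placeholder asks for a 30-character password

# Constructed sample: matches the hardened config from Step 2.
HARDENED_CONFIG = """
{
  "gateway": {
    "bind": "loopback",
    "port": 39217,
    "auth": {
      "mode": "password",
      "password": "example-only-correct-horse-battery-staple-2026",
      "allowTailscale": true
    },
    "tailscale": { "mode": "serve" }
  }
}
"""

# Constructed sample: a gateway published on every interface with a weak password.
EXPOSED_CONFIG = """
{
  "gateway": {
    "bind": "0.0.0.0",
    "port": 8080,
    "auth": { "mode": "password", "password": "hunter2" }
  }
}
"""


def audit_gateway(config_text: str) -> List[str]:
    """Return human-readable findings; an empty list means the config matches the guide."""
    cfg = json.loads(config_text)
    gw: Dict[str, Any] = cfg.get("gateway", {})
    auth: Dict[str, Any] = gw.get("auth", {})
    tailscale: Dict[str, Any] = gw.get("tailscale", {})
    findings: List[str] = []

    # The one setting that makes the port invisible: listen on 127.0.0.1 only.
    if gw.get("bind") != "loopback":
        findings.append(f'gateway.bind is {gw.get("bind")!r}, expected "loopback" '
                        f'(port {gw.get("port")} is reachable on external interfaces)')
    # Without serve mode, devices on the tailnet have no path to the loopback port.
    if tailscale.get("mode") != "serve":
        findings.append('gateway.tailscale.mode is not "serve"; OpenClaw is not published on the tailnet')
    if auth.get("mode") != "password":
        findings.append(f'gateway.auth.mode is {auth.get("mode")!r}, expected "password"')
    if len(str(auth.get("password", ""))) < MIN_PASSWORD_LEN:
        findings.append(f"gateway.auth.password is shorter than {MIN_PASSWORD_LEN} characters")
    if auth.get("allowTailscale") is not True:
        findings.append("gateway.auth.allowTailscale is not true; Tailscale-authenticated connections are not trusted")
    return findings


if __name__ == "__main__":
    # Usage on the server:  python3 audit_openclaw.py ~/.openclaw/openclaw.json
    path = sys.argv[1] if len(sys.argv) > 1 else "openclaw.json"
    with open(path, encoding="utf-8") as fh:
        problems = audit_gateway(fh.read())
    for p in problems:
        print("FINDING:", p)
    sys.exit(1 if problems else 0)
```

The script exits non-zero when any finding is present, so it can sit in front of openclaw gateway restart in a deploy script and refuse to restart a gateway that would come up publicly reachable.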

Step 3: Install Tailscale on Your Phone and Laptop

Tailscale apps are available for:

  • iOS: App Store → "Tailscale"
  • Android: Play Store → "Tailscale"
  • macOS: App Store or tailscale.com/download
  • Windows: tailscale.com/download
  • Linux: same install script as the server

Sign in with the same account on each device. Once connected, each device gets a Tailscale IP in the 100.x.x.x range and can communicate with the others regardless of what network they're on.


Step 4: Access OpenClaw Through Tailscale

Once Tailscale is running on your devices, you can reach your OpenClaw gateway using the Tailscale hostname or IP of your server.

Find your server's Tailscale hostname:

tailscale status

It will show something like my-server.tailnet-name.ts.net. You can access OpenClaw at:

https://my-server.tailnet-name.ts.net

(Tailscale's serve mode handles the HTTPS certificate automatically through its *.ts.net domain.)


UFW Interaction: You Don't Need to Open the OpenClaw Port

This is a common point of confusion.

When you run UFW alongside Tailscale:

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw enable

You do not need to add a rule for your OpenClaw port (e.g., sudo ufw allow 39217). Tailscale manages its own encrypted tunnel and that traffic is handled separately from UFW's normal port rules.

The only port you need open in UFW is SSH (port 22), so you can still manage the server. OpenClaw is served exclusively through Tailscale.

[→ See also: UFW Firewall Setup for OpenClaw: Close Every Port You Don't Need]


Verifying the Setup Works

From a device connected to your Tailscale network, confirm you can reach OpenClaw:

# From your laptop/phone on the Tailscale network
curl -I https://my-server.tailnet-name.ts.net

Should return an HTTP response from OpenClaw.

From a device NOT on your Tailscale network (or using the server's public IP directly):

# This should FAIL — the port doesn't exist publicly
curl -I http://YOUR_SERVER_PUBLIC_IP:39217

Should time out or be refused. If it responds, something is misconfigured — check that bind is set to "loopback" and restart the gateway.
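The curl test above needs a second machine outside the tailnet. A complementary check you can run on the server itself is to list the listening sockets and confirm that the OpenClaw port is bound only to loopback, never to 0.0.0.0 or [::]. The script below is an added example, not OpenClaw or Tailscale code: it parses the column layout of ss -ltnp on Linux, and the two sample outputs are constructed to mirror the correct and misconfigured cases described in this section.

```python
"""Flag any listener on the OpenClaw port that is not bound to loopback.

Added example, not OpenClaw project code. It parses the output of
`ss -ltnp` (Linux), so the only assumption is that column layout; the
sample outputs below are constructed to mirror the two cases in the guide.
"""
import ipaddress
import sys
from typing import List, Tuple

OPENCLAW_PORT = 39217  # the port used throughout the guide

# Constructed sample: gateway correctly bound to 127.0.0.1 only.
SS_LOOPBACK_ONLY = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       4096    127.0.0.1:39217      0.0.0.0:*          users:(("openclaw",pid=2311,fd=9))
"""

# Constructed sample: gateway exposed on every IPv4 and IPv6 interface.
SS_EXPOSED = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    0.0.0.0:39217        0.0.0.0:*          users:(("openclaw",pid=2311,fd=9))
LISTEN  0       4096    [::]:39217           [::]:*             users:(("openclaw",pid=2311,fd=10))
"""


def is_loopback_host(host: str) -> bool:
    """True only for 127.0.0.0/8 and ::1; wildcards ('*', 0.0.0.0, ::) are not loopback."""
    host = host.strip("[]")
    if host in ("", "*"):
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def exposed_listeners(ss_output: str, port: int) -> List[Tuple[str, str]]:
    """Return (local_address, process) for every non-loopback listener on `port`."""
    exposed: List[Tuple[str, str]] = []
    for line in ss_output.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a non-listening socket
        host, _, port_str = fields[3].rpartition(":")  # "[::]:39217" -> "[::]", "39217"
        if not port_str.isdigit() or int(port_str) != port:
            continue
        if not is_loopback_host(host):
            process = fields[5] if len(fields) > 5 else "?"
            exposed.append((host, process))
    return exposed


if __name__ == "__main__":
    # Usage on the server:  ss -ltnp | python3 check_listeners.py
    hits = exposed_listeners(sys.stdin.read(), OPENCLAW_PORT)
    for host, proc in hits:
        print(f"EXPOSED: port {OPENCLAW_PORT} bound on {host} by {proc}")
    sys.exit(1 if hits else 0)
```

If this reports the OpenClaw port on 0.0.0.0 or [::], the gateway is not honouring "bind": "loopback" and the external curl test will succeed; fix the config and restart before trusting the firewall to hide it.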


Troubleshooting

Tailscale shows as connected but I can't reach OpenClaw:

  • Verify "bind": "loopback" is in the config
  • Check openclaw gateway restart was run after config changes
  • Run tailscale serve status to see if OpenClaw is registered with Tailscale's serve system

"openclaw gateway restart" fails:

openclaw doctor
tail -20 ~/.openclaw/logs/gateway.log

Tailscale is installed but tailscale status shows it as disconnected:

sudo systemctl status tailscaled
sudo systemctl restart tailscaled

Can't log in to Tailscale admin (MFA required): Tailscale supports SSO with Google/GitHub. Use whichever you used to sign up.


Key Takeaways

  • Tailscale creates a private mesh network between your devices — your server only exists on this network, not the public internet
  • bind: "loopback" is what makes the port invisible externally; Tailscale's serve mode is what makes it accessible from your devices
  • Install Tailscale on every device you use to connect to OpenClaw (phone, laptop, desktop)
  • With Tailscale, you don't need to open your OpenClaw port in UFW — Tailscale handles its own tunnel
  • Verify the setup works from outside your Tailscale network (it should fail) and from inside it (it should work)
  • Free for personal use — no reason not to do this
