Serve / Funnel
Tailscale
Tailscale lets you expose the control UI and WebSocket interface safely to your tailnet without opening raw public ports on the Gateway host. Funnel is available when public access is required, but Serve is the default recommendation.
Three Modes
Tailnet-only HTTPS
The recommended path. The Gateway stays bound to loopback and Tailscale provides HTTPS, routing and identity headers.
Public HTTPS
Use this only when you intentionally need public access. OpenClaw requires password-based auth so the endpoint is not anonymously exposed.
Bind directly to a tailnet IP
Use this when you explicitly want the Gateway to listen on a tailnet address rather than letting Serve proxy it.
Examples
Serve
{
  gateway: {
    bind: "loopback",
    tailscale: { mode: "serve" }
  }
}
Funnel plus password
{
  gateway: {
    bind: "loopback",
    tailscale: { mode: "funnel" },
    auth: { mode: "password", password: "replace-me" }
  }
}
CLI
openclaw gateway --tailscale serve
openclaw gateway --tailscale funnel --auth password
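A pre-deploy check for the rules described above, added here as an example and not taken from OpenClaw's own code: `auditGatewayExposure` and its finding format are hypothetical, and it reads only the config keys shown in the examples on this page. Treating a missing password as a warning rather than an error is an assumption.

```javascript
// Hypothetical audit helper (not part of OpenClaw). Reads only the keys
// shown in the page's examples: gateway.bind, gateway.tailscale.mode,
// gateway.auth.mode and gateway.auth.password.
const PLACEHOLDERS = new Set(["", "replace-me"]);

function auditGatewayExposure(config) {
  const gw = (config && config.gateway) || {};
  const mode = gw.tailscale ? gw.tailscale.mode : undefined;
  const auth = gw.auth || {};
  const findings = [];
  const add = (level, key, msg) => findings.push({ level, key, msg });

  // Serve and Funnel proxy to the Gateway, so it should stay on loopback.
  if ((mode === "serve" || mode === "funnel") && gw.bind !== "loopback") {
    add("warn", "gateway.bind", `mode "${mode}" expects bind "loopback"`);
  }

  // Funnel is reachable from the public internet: password auth is required.
  if (mode === "funnel") {
    if (auth.mode !== "password") {
      add("error", "gateway.auth.mode", "funnel without password auth");
    } else if (typeof auth.password !== "string") {
      // Assumption: a password absent from this object is only a warning.
      add("warn", "gateway.auth.password", "no password set in this config");
    } else if (PLACEHOLDERS.has(auth.password)) {
      add("error", "gateway.auth.password", "empty or placeholder password");
    }
  }
  return findings;
}

// Constructed sample configs, mirroring the two examples on this page.
const SAMPLES = {
  serve: { gateway: { bind: "loopback", tailscale: { mode: "serve" } } },
  funnelNoAuth: { gateway: { bind: "loopback", tailscale: { mode: "funnel" } } },
  funnelPlaceholder: {
    gateway: {
      bind: "loopback",
      tailscale: { mode: "funnel" },
      auth: { mode: "password", password: "replace-me" },
    },
  },
};

for (const [name, cfg] of Object.entries(SAMPLES)) {
  const out = auditGatewayExposure(cfg).map((f) => `${f.level}:${f.key}`);
  console.log(name, out.length ? out.join(", ") : "ok");
}
```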