
How to Securely Access OpenClaw Remotely

Learn how to safely expose your OpenClaw gateway for remote access using SSH tunnels, reverse proxies, and VPNs while maintaining security.

OpenClaw Manuals

Tutorial Authors

Why Remote Access?

By default, OpenClaw binds to 127.0.0.1 (localhost only), which is the most secure configuration. However, you might need remote access when:

  • Running OpenClaw on a home server while traveling
  • Hosting on a VPS and connecting from multiple devices
  • Sharing your AI assistant across your local network

Warning: Never expose OpenClaw directly to the internet without proper authentication and encryption. This guide covers secure methods only.

Method 1: SSH Tunnel

SSH tunneling is the simplest and most secure method for personal remote access.

On Your Remote Server

Ensure OpenClaw is running on localhost:

bash
openclaw gateway start
# Gateway listening on http://127.0.0.1:18789

On Your Local Machine

Create an SSH tunnel:

bash
ssh -L 18789:localhost:18789 user@your-server-ip

Now you can access OpenClaw at http://localhost:18789 on your local machine.
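The tunnel only protects the gateway if nothing else can reach port 18789 on the server. The following check is an added example, not part of the OpenClaw tooling: it reads `ss -ltnH` output and flags any listener on the gateway port that is not on loopback. The function name and the sample lines are assumptions made for illustration; extra allowed addresses (for example the WireGuard address 10.0.0.1 from Method 3) can be passed as arguments.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): verify which addresses the
# gateway port is listening on, using `ss -ltnH` output read from stdin.
# check_gateway_bind PORT [EXTRA_ALLOWED_ADDR...]
#   exit 0 = only allowed addresses, 1 = exposed listener, 2 = nothing listening
check_gateway_bind() {
    local port=$1; shift
    local allowed=" 127.0.0.1 ::1 $* "     # loopback is always allowed
    awk -v port="$port" -v allowed="$allowed" '
        {
            addr = $4                       # Local Address:Port column
            n = split(addr, parts, ":")
            if (parts[n] != port) next
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            sub(/^\[/, "", host); sub(/\]$/, "", host)   # strip IPv6 brackets
            sub(/%.*$/, "", host)                        # strip %interface suffix
            seen = 1
            if (index(allowed, " " host " ") == 0) { print "EXPOSED " host; bad = 1 }
            else print "ok " host
        }
        END { if (!seen) { print "no listener on port " port; exit 2 }
              exit bad + 0 }
    '
}

# Constructed `ss -ltnH` samples (not captured from a real host).
loopback_only='LISTEN 0 511 127.0.0.1:18789 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
wildcard='LISTEN 0 511 0.0.0.0:18789 0.0.0.0:*'

printf '%s\n' "$loopback_only" | check_gateway_bind 18789 || true
printf '%s\n' "$wildcard"      | check_gateway_bind 18789 || true
# On the server itself: ss -ltnH | check_gateway_bind 18789
```

A non-zero exit status makes the check usable in a cron job or a deployment script.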

Persistent SSH Tunnel with autossh

For a tunnel that automatically reconnects:

bash
# Install autossh
# macOS
brew install autossh

# Ubuntu/Debian
sudo apt install autossh

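# Create persistent tunnel
# -M 0 turns off autossh's own monitoring port, so SSH keepalives are needed
# to detect a dead connection and trigger a reconnect
autossh -M 0 -f -N \
  -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" \
  -o "ExitOnForwardFailure yes" \
  -L 18789:localhost:18789 user@your-server-ip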

Method 2: Reverse Proxy with Nginx

For more advanced setups, use Nginx as a reverse proxy with SSL termination.

Install Nginx and Certbot

bash
# Ubuntu/Debian
sudo apt update
sudo apt install nginx certbot python3-certbot-nginx

Configure Nginx

Create /etc/nginx/sites-available/openclaw:

nginx
server {
    listen 80;
    server_name openclaw.yourdomain.com;

    location / {
        proxy_pass http://127.0.0.1:18789;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }
}

Enable the site:

bash
sudo ln -s /etc/nginx/sites-available/openclaw /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

Add SSL with Let's Encrypt

bash
sudo certbot --nginx -d openclaw.yourdomain.com

Add Basic Authentication

Generate a password file:

bash
sudo apt install apache2-utils
sudo htpasswd -c /etc/nginx/.htpasswd your-username

Update your Nginx config:

nginx
server {
    listen 443 ssl;
    server_name openclaw.yourdomain.com;

    # SSL config added by certbot...

    location / {
        auth_basic "OpenClaw Access";
        auth_basic_user_file /etc/nginx/.htpasswd;

        proxy_pass http://127.0.0.1:18789;
        # ... other proxy settings
    }
}

Method 3: WireGuard VPN

For the highest security, use a VPN to access your home network.

Install WireGuard

bash
# Server (Ubuntu/Debian)
sudo apt install wireguard

# Generate keys (umask 077 keeps the private key readable only by its owner)
umask 077
wg genkey | tee privatekey | wg pubkey > publickey

Server Configuration

Create /etc/wireguard/wg0.conf:

ini
[Interface]
PrivateKey = <server-private-key>
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.0.0.2/32

Client Configuration

ini
[Interface]
PrivateKey = <client-private-key>
Address = 10.0.0.2/24

[Peer]
PublicKey = <server-public-key>
Endpoint = your-server-ip:51820
AllowedIPs = 10.0.0.1/32
PersistentKeepalive = 25

Start WireGuard

bash
# Server
sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0

# Client
sudo wg-quick up wg0

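Now access OpenClaw via the VPN IP: http://10.0.0.1:18789

Because the gateway binds to 127.0.0.1 by default, this URL only works once the gateway also listens on the WireGuard address 10.0.0.1. Bind it to that address rather than 0.0.0.0 so it stays unreachable from the server's other interfaces.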

Method 4: Cloudflare Tunnel (Zero Trust)

Cloudflare Tunnel provides secure access without exposing ports.

Install cloudflared

bash
# macOS
brew install cloudflare/cloudflare/cloudflared

# Linux
curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo dpkg -i cloudflared.deb

Authenticate and Create Tunnel

bash
cloudflared tunnel login
cloudflared tunnel create openclaw

Configure the Tunnel

Create ~/.cloudflared/config.yml:

yaml
tunnel: <TUNNEL-ID>
credentials-file: /home/user/.cloudflared/<TUNNEL-ID>.json

ingress:
  - hostname: openclaw.yourdomain.com
    service: http://localhost:18789
  - service: http_status:404

Run the Tunnel

bash
cloudflared tunnel route dns openclaw openclaw.yourdomain.com
cloudflared tunnel run openclaw

Security Best Practices

1. Enable Rate Limiting

In your ~/.openclaw/openclaw.json:

json
{
  "security": {
    "rateLimiting": {
      "enabled": true,
      "maxRequests": 60,
      "windowMs": 60000
    }
  }
}

2. Use Strong API Keys

bash
# Rotate your API keys regularly
openclaw config set api-key

3. Monitor Access Logs

bash
# Check gateway logs
openclaw logs --follow

4. Set Up Fail2Ban (for Nginx)

bash
sudo apt install fail2ban

Create /etc/fail2ban/jail.local:

ini
[nginx-http-auth]
enabled = true

Restart Fail2Ban so the jail is loaded:

bash
sudo systemctl restart fail2ban
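The nginx-http-auth jail reacts to failed Basic Auth attempts recorded in the nginx error log. The script below is an added example, not part of the original guide or of Fail2Ban: it counts those failures per client IP so you can see what the jail would act on. The function names, the threshold and the sample log lines are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): count failed Basic Auth attempts
# per client IP in nginx error-log lines read from stdin.
# auth_failures [THRESHOLD]  prints "COUNT IP" for each IP at or above THRESHOLD.
auth_failures() {
    local threshold=${1:-5}    # assumed threshold; align it with your jail's maxretry
    awk -v t="$threshold" '
        # nginx logs these two messages when auth_basic rejects a request
        /password mismatch|was not found in/ {
            if (match($0, /client: [0-9a-fA-F:.]+/)) {
                ip = substr($0, RSTART + 8, RLENGTH - 8)   # skip "client: "
                count[ip]++
            }
        }
        END { for (ip in count) if (count[ip] >= t) print count[ip], ip }
    ' | sort -rn
}

# Constructed sample lines in nginx error-log format (not real traffic).
sample_log() {
    local i
    for i in 1 2 3 4 5 6; do
        printf '2025/01/10 08:15:0%s [error] 812#812: *4%s user "admin": password mismatch, client: 203.0.113.7, server: openclaw.yourdomain.com, request: "GET / HTTP/1.1", host: "openclaw.yourdomain.com"\n' "$i" "$i"
    done
    printf '2025/01/10 08:16:00 [error] 812#812: *50 user "root" was not found in "/etc/nginx/.htpasswd", client: 198.51.100.23, server: openclaw.yourdomain.com, request: "GET / HTTP/1.1", host: "openclaw.yourdomain.com"\n'
    printf '2025/01/10 08:17:00 [error] 812#812: *51 connect() failed (111: Connection refused) while connecting to upstream, client: 192.0.2.10, server: openclaw.yourdomain.com, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:18789/", host: "openclaw.yourdomain.com"\n'
}

sample_log | auth_failures 5
# On a live Debian/Ubuntu host: sudo cat /var/log/nginx/error.log | auth_failures 5
```

Upstream errors, such as the connection-refused line in the sample, are ignored because they are not authentication failures.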

Comparison Table

| Method | Security | Complexity | Best For |
|--------|----------|------------|----------|
| SSH Tunnel | High | Low | Personal use |
| Nginx + SSL | High | Medium | Public access |
| WireGuard VPN | Very High | Medium | Team access |
| Cloudflare Tunnel | High | Low | Zero-trust setup |
