Expose the gateway to your devices over Tailscale

gateway & service

// what it does

Tailscale Serve is the recommended always-on remote path: the gateway stays on loopback and Tailscale carries traffic, verifying identity from tailscale whois on the forwarded source. gateway.auth.allowTailscale defaults on for Serve, so only loopback requests carrying Tailscale headers get identity-based auth.

// shell

$ openclaw gateway run --bind tailnet
$ openclaw config set gateway.auth.allowTailscale true

// gotcha

Never reach for a public 0.0.0.0 bind instead — the gateway can run shell commands, so an unauthenticated bind is remote code execution. Prefer Tailscale Serve over raw LAN exposure.

// resources