Remote Access with Tailscale
Secure remote access to your OpenClaw agent using Tailscale — an encrypted mesh VPN that works through NAT and firewalls without exposing ports to the internet.
Why Tailscale?
Traditional SSH exposes port 22 to the internet and requires port forwarding. Tailscale provides:
- Encrypted end-to-end — All traffic encrypted between devices
- No port forwarding — Works through NAT and firewalls automatically
- Access controls — Fine-grained ACLs per device and user
- SSH integration — Tailscale SSH replaces macOS sshd entirely
- MagicDNS — Access devices by name (e.g., ssh your-agent)
Installation
Important: Use the Homebrew CLI installation, not the GUI app.
    brew install tailscale
    brew services start tailscale
Why not the GUI app? Both the Mac App Store and standalone .pkg versions are sandboxed — they can’t host SSH or properly configure DNS. Only the Homebrew formula provides unsandboxed tailscaled.
Authenticate and enable SSH:
    sudo tailscale up --ssh
SSH Configuration
Disable macOS sshd
Once Tailscale SSH is working, disable the built-in SSH server:
    sudo systemsetup -setremotelogin off
Add SSH Config Entry
On your client machine, add to ~/.ssh/config:
    Host your-agent
        HostName your-agent.your-tailnet.ts.net
        User AGENT_USER
        IdentityFile ~/.ssh/id_ed25519
Now you can simply run:
    ssh your-agent
PATH for Non-Interactive SSH
Non-interactive SSH sessions have a minimal PATH. Prefix commands with the full PATH:
    ssh your-agent "export PATH=/opt/homebrew/bin:/opt/homebrew/sbin:\$PATH; openclaw status"
Tailscale Serve (Dashboard Access)
Expose the OpenClaw dashboard to your tailnet without opening ports:
    sudo tailscale serve --bg 18789
This maps https://your-agent.your-tailnet.ts.net to 127.0.0.1:18789 over the tailnet only. The gateway stays bound to loopback for security.
Access the dashboard from any device on your tailnet:
    https://your-agent.your-tailnet.ts.net/?token=YOUR_GATEWAY_TOKEN
Find your token:
    openclaw config get gateway.auth.token
ACL Configuration
Configure Tailscale ACLs so the agent machine cannot initiate connections to other devices:
    {
      "tagOwners": {
        "tag:agent": ["autogroup:admin"]
      },
      "grants": [
        // Personal devices talk freely
        { "src": ["autogroup:member"], "dst": ["autogroup:member"], "ip": ["*"] },
        // Personal devices can reach agent
        { "src": ["autogroup:member"], "dst": ["tag:agent"], "ip": ["*"] }
        // IMPORTANT: No grant allows tag:agent as src.
      ],
      "ssh": [
        // Personal devices — auto-accept
        { "action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self"], "users": ["autogroup:nonroot", "root"] },
        // Agent — require browser re-authentication
        { "action": "check", "src": ["autogroup:member"], "dst": ["tag:agent"], "users": ["AGENT_USER", "root"] }
      ]
    }
Tag the agent machine as tag:agent in your Tailscale admin console.
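A static check for the isolation property described above, as an added example that is not part of the original page, OpenClaw, or Tailscale: it parses a policy file and reports any grants or acls rule whose src is tag:agent or "*", and any SSH rule to tag:agent that is not "check". The function names, the constructed DRIFTED policy, and the conservative treatment of "*" as covering the agent are assumptions of this example; host aliases or IP addresses that point at the agent are not resolved.

```python
import json
import re
AGENT_TAG = "tag:agent"  # tag used in the policy on this page
# Keep strings; drop // comments and trailing commas (no /* */ support here).
_TOKEN = re.compile(r'("(?:\\.|[^"\\])*")|//[^\n]*|,(?=\s*[\]}])')

PAGE_POLICY = """{
  "tagOwners": { "tag:agent": ["autogroup:admin"] },
  "grants": [
    // Personal devices talk freely
    { "src": ["autogroup:member"], "dst": ["autogroup:member"], "ip": ["*"] },
    // Personal devices can reach agent
    { "src": ["autogroup:member"], "dst": ["tag:agent"], "ip": ["*"] }
    // IMPORTANT: No grant allows tag:agent as src.
  ],
  "ssh": [
    { "action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self"],
      "users": ["autogroup:nonroot", "root"] },
    { "action": "check", "src": ["autogroup:member"], "dst": ["tag:agent"],
      "users": ["AGENT_USER", "root"] }
  ]
}"""
# Constructed drift: an added agent-as-source grant and SSH downgraded to accept.
DRIFTED = PAGE_POLICY.replace(
    "// IMPORTANT: No grant allows tag:agent as src.",
    ', { "src": ["tag:agent"], "dst": ["autogroup:member"], "ip": ["*"] }',
).replace('"action": "check"', '"action": "accept"')

def load_hujson(text):
    for _ in range(2):  # second pass drops commas that preceded a removed comment
        text = _TOKEN.sub(lambda m: m.group(1) or "", text)
    return json.loads(text)

def audit_policy(text):
    """Return findings; an empty list means the agent isolation rules hold."""
    policy, findings = load_hujson(text), []
    for section in ("grants", "acls"):  # "acls" is the older rule syntax
        for i, rule in enumerate(policy.get(section, [])):
            bad = [s for s in rule.get("src", []) if s in (AGENT_TAG, "*")]
            if bad:
                findings.append(f"{section}[{i}]: src {bad} lets the agent initiate connections")
    for i, rule in enumerate(policy.get("ssh", [])):
        if AGENT_TAG in rule.get("dst", []) and rule.get("action") != "check":
            findings.append(f"ssh[{i}]: action {rule.get('action')!r} to {AGENT_TAG}, expected 'check'")
    return findings

if __name__ == "__main__":
    for name, text in (("page policy", PAGE_POLICY), ("drifted", DRIFTED)):
        print(name, "->", audit_policy(text) or "OK")
```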
Verify Network Isolation
    # From agent Mac (should FAIL/timeout):
    tailscale ping your-main-mac
    # From your main Mac (should SUCCEED):
    tailscale ping your-agent
Tailscale Lock
Enable Tailscale Lock with your phone and laptop as trusted approval devices. This prevents unauthorized devices from joining your tailnet.
Common Remote Commands
    # Check agent status
    ssh your-agent "export PATH=/opt/homebrew/bin:\$PATH; openclaw status"
    # View recent logs
    ssh your-agent "export PATH=/opt/homebrew/bin:\$PATH; openclaw logs --tail 50"
    # Restart gateway
    ssh your-agent "export PATH=/opt/homebrew/bin:\$PATH; openclaw gateway restart"
    # Run diagnostics
    ssh your-agent "export PATH=/opt/homebrew/bin:\$PATH; openclaw doctor --deep"
Node Access (Multi-Mac Setup)
Connect another Mac as a node pointing to the agent’s gateway:
    # On your other Mac
    npm install -g openclaw
    openclaw node install --host your-agent.your-tailnet.ts.net --port 443 --tls
    # On the agent Mac, approve the pairing
    openclaw nodes pending
    openclaw nodes approve <requestId>
    # Now use the TUI and dashboard from your other Mac
    openclaw tui
    openclaw dashboard
Troubleshooting
Tailscale DNS / Serve Not Working
Use the Homebrew CLI (brew install tailscale), not the GUI app.
Stale Tailscale Shim
If you previously installed the Mac App Store version, a shim script at /usr/local/bin/tailscale may shadow the real binary:
    sudo rm /usr/local/bin/tailscale
SSH Hangs or Timeouts
Check that Tailscale SSH is enabled:
    tailscale status
If SSH is not shown, re-enable:
    sudo tailscale up --ssh