Remote access
By default the WednesdayAI gateway binds to loopback (127.0.0.1) and is only reachable from the machine it runs on. This is intentional — it avoids exposing the gateway before auth is configured.
Recommended path: Tailscale Serve. It gives you HTTPS, a stable hostname, and identity-based access control without changing the gateway bind address. The gateway stays on loopback.
Option 1 — Tailscale Serve (recommended)
Tailscale Serve creates an HTTPS endpoint on your tailnet that proxies to the local gateway. The gateway stays on loopback; Tailscale handles routing and TLS.https://<hostname>.ts.net/ from any device on your tailnet.
Allow Tailscale identity auth (skip token prompts for tailnet devices):
allowTailscale: true, control-panel WebSocket connections from tailnet devices are accepted without a token; HTTP API endpoints still require token/password auth. This tokenless flow assumes the gateway host is trusted — set it to false if untrusted code may run there.
Option 2 — SSH tunnel
An SSH tunnel forwards the gateway’s loopback port to your local machine. No gateway config changes needed.http://127.0.0.1:18789/ on your local machine now reaches the remote gateway. Keep it alive across reconnects with autossh:
Option 3 — Bind to tailnet IP directly
http://<tailscale-ip>:18789/.
Option 4 — LAN binding
For trusted home networks where every device should have access:Option 5 — Reverse proxy with TLS
To put the gateway behind nginx or Caddy (for a custom domain, a shared LAN cert, or in front of an identity-aware proxy), keep the gateway on loopback and terminate TLS at the proxy.- Caddy
- nginx
gateway.trustedProxies to the proxy IP(s) only.
Public internet access (Tailscale Funnel)
https://<hostname>.ts.net/. Because anyone can reach it, a password is required.
Remote CLI
To run CLI commands against a remote gateway without passing flags every time, persist a remote target:openclaw gateway status, openclaw models status, openclaw message send, and similar then reach the remote gateway transparently.
Security principles
| Scenario | Recommended approach |
|---|---|
| Personal use, your own devices | Tailscale Serve + allowTailscale: true |
| Personal use, minimal setup | SSH tunnel |
| Team or multi-user access | Tailscale Serve + token auth, or trusted-proxy auth |
| Custom domain / shared cert | Reverse proxy (Caddy/nginx) + token or proxy auth |
| Public access (uncommon) | Tailscale Funnel + shared password |
| Air-gapped / on-prem LAN | bind: "lan" + token auth + firewall |
bind: "lan" or bind: "custom" without a token or password — non-loopback binds are rejected at startup without auth.
Troubleshooting
Control panel shows 'Unable to connect'
Control panel shows 'Unable to connect'
- Confirm the gateway is running:
openclaw gateway status(on the host) - SSH tunnel: check the
ssh -N -L ...process is up - Tailscale: verify both devices share a tailnet (
tailscale status) - Confirm the port:
openclaw doctoron the host shows the active port
Gateway refuses to start after changing bind
Gateway refuses to start after changing bind
A non-loopback bind without auth is rejected. Add a token or password, or set
OPENCLAW_GATEWAY_TOKEN.Tailscale Serve not showing an HTTPS URL
Tailscale Serve not showing an HTTPS URL
Run
tailscale serve status. Ensure Tailscale is running and the gateway has started at least once with tailscale.mode: "serve". Manual: tailscale serve 18789.