#How do I allow Openclaw to create projects that I can access in my browser?

My openclaw is setup with tailscale and I'd like to allow it to create projects inside the docker container that can be executed and can be accessed in my local browser. How do I do this?

This breaks down into (1) where the files live and (2) how you reach the running app.

1) Make the projects persist + be visible outside the container

If you’re using the Docker install (docker-setup.sh / docker compose), OpenClaw already writes its workspace on the host at:

• ~/.openclaw/workspace (host) ↔ mounted into the container

So the simplest pattern is: mount a “projects” folder from the host into the container and tell OpenClaw to create projects there.

Docker install supports this directly via OPENCLAW_EXTRA_MOUNTS (it generates docker-compose.extra.yml for you):

export OPENCLAW_EXTRA_MOUNTS="$HOME/openclaw-projects:/home/node/projects:rw"
./docker-setup.sh

Docs: https://docs.openclaw.ai/install/docker (see “Extra mounts”)

Then in chat you can tell it: “Create the project in /home/node/projects/my-app”.

If you’re using OpenClaw sandboxing (tools run in Docker)

Then the key is bind mounts:

• agents.defaults.sandbox.docker.binds: ["host:path:mode"]

Docs: https://docs.openclaw.ai/help/faq#how-do-i-bind-a-host-folder-into-the-sandbox
(and deeper: https://docs.openclaw.ai/gateway/sandboxing)

2) Let your browser reach the running dev server/app

Creating files is separate from serving them.

You need one of these approaches:

A) Expose a port from the container to your tailnet/host

Run the app in the container on 0.0.0.0:<port> and publish that port in docker compose (or run a separate “app” container that mounts the same project dir).

Then from your laptop you hit:

• http://<tailscale-magicdns-or-tailscale-ip>:<port>

B) Use Tailscale Serve (nice for “I want a URL”)

If the service is reachable on the host (often via a published Docker port like 127.0.0.1:3000), you can tailscale serve it and then browse via the MagicDNS name.

(Exact command depends on whether Tailscale is running on the host vs inside a container.)

Two quick clarifying questions (so I can give an exact compose snippet)

1. Are you running the Gateway itself in Docker (via /install/docker), or a normal install with sandboxing enabled?
2. What kind of “project” are you trying to run (static site, Next.js/Vite, Python, etc.) and which port do you want to expose?

If you paste your current docker-compose.yml (redact tokens), I can point to the minimal volumes: + ports: additions.

so how to set it up?

You need two things:

1. A place OpenClaw can write projects to (persistent + accessible), and
2. A way to expose whatever port the project runs on to your browser (over Tailscale, or via published Docker ports).

Below is a “works for most people” setup assuming you installed OpenClaw via the Docker guide.

A) Mount a host “projects” folder into the OpenClaw container

On the Docker host, pick a folder:

mkdir -p ~/openclaw-projects

Then (per the Docker install docs) set an extra mount and rerun the setup so it generates docker-compose.extra.yml:

export OPENCLAW_EXTRA_MOUNTS="$HOME/openclaw-projects:/home/node/projects:rw"
./docker-setup.sh

Docs: https://docs.openclaw.ai/install/docker (see “Extra mounts”)

Now you can tell OpenClaw: “Create the project in /home/node/projects/my-app”.

B) Expose a dev-server port so your browser can reach it

Option 1 (simple): publish ports in docker-compose.yml

Edit your compose for the gateway service and add ports for whatever you’ll run (example: 3000):

services:
  openclaw-gateway:
    ports:
      - "18789:18789"   # dashboard
      - "3000:3000"     # your app/dev server

Then restart:

docker compose up -d

Important: when OpenClaw starts your dev server inside the container, make sure it binds to 0.0.0.0 (not 127.0.0.1), otherwise it won’t be reachable from outside the container.

Examples:

• Vite: pnpm dev --host 0.0.0.0 --port 3000
• Next.js: pnpm dev -p 3000 -H 0.0.0.0 (or equivalent)

Then browse to:

• http://<docker-host-ip-or-tailscale-ip>:3000

Option 2 (nicer on Tailscale): Tailscale Serve the port

If Tailscale is running on the host, you can publish the app port via tailscale serve (and keep Docker ports bound only locally). This varies by host setup, so I’d need to know: is Tailscale running on the host OS or inside another container?

C) If you’re not running the Gateway in Docker (but using sandboxing)

Then you want sandbox bind mounts instead:

• agents.defaults.sandbox.docker.binds: ["~/openclaw-projects:/projects:rw"]

FAQ snippet: https://docs.openclaw.ai/help/faq#how-do-i-bind-a-host-folder-into-the-sandbox
Deeper: https://docs.openclaw.ai/gateway/sandboxing

Quick check so I can give the exact snippet for your case

Which of these are you on?

1. Gateway in Docker Compose (you have a docker-compose.yml for OpenClaw), or
2. Gateway on host + sandbox tools in Docker (you enabled agents.defaults.sandbox.*)?

If you paste your docker-compose.yml service section (redact tokens), I’ll point out exactly what to add for volumes/ports for your intended project port(s).

/openclaw-projects

I believe it already exists, help me check

I can’t see your filesystem from here, but you can verify it quickly with a couple commands (and paste the output).

1) Check it exists on the Docker host

Run on the machine where Docker/OpenClaw is running:

ls -ld /openclaw-projects
sudo ls -la /openclaw-projects | head
stat /openclaw-projects

If ls -ld errors, it doesn’t exist. If it says “Permission denied”, paste that—then we’ll fix ownership/permissions.

2) Check it’s actually mounted into the OpenClaw container

From the folder where your docker-compose.yml is:

docker compose ps
docker compose exec openclaw-gateway sh -lc 'ls -ld /home/node/projects; ls -la /home/node/projects | head'

If /home/node/projects doesn’t exist inside the container, your mount isn’t applied.

3) Confirm the mount is in your compose config

Still from the compose folder:

ls -la docker-compose*.yml
rg -n "openclaw-projects|/home/node/projects" docker-compose*.yml || true

Or if you used OPENCLAW_EXTRA_MOUNTS, check:

cat docker-compose.extra.yml

Paste outputs from (1) and (2) (even if they error) and I’ll tell you exactly what to change next.

Last login: Thu Feb 19 15:11:59 2026 from 169.254.0.1
root@srv1100186:~# ls -ld /openclaw-projects
sudo ls -la /openclaw-projects | head
stat /openclaw-projects
ls: cannot access '/openclaw-projects': No such file or directory
ls: cannot access '/openclaw-projects': No such file or directory
stat: cannot statx '/openclaw-projects': No such file or directory
root@srv1100186:~#

?

If you’re running the Gateway inside Docker, OpenClaw can already create files/projects — you just need to (1) persist/mount a workspace you can access, and (2) publish ports for any web app you start.

1) Make a “projects” folder that survives the container (and you can browse)

In the official Docker flow, OpenClaw writes to host-mounted paths by default (not /openclaw-projects). From the docs:

• config: ~/.openclaw/
• workspace: ~/.openclaw/workspace
  Docs: https://docs.openclaw.ai/install/docker

If you specifically want /openclaw-projects, you must create + bind-mount it into the container (that’s why ls /openclaw-projects currently fails — nothing created it).

Docker docs call this extra mounts (OPENCLAW_EXTRA_MOUNTS) or editing your compose volumes::

• https://docs.openclaw.ai/install/docker#extra-mounts-optional

Also note permissions: the image runs as node (uid 1000), so the host folder must be writable by uid 1000 (docs section “Permissions + EACCES”).

2) Access the running project in your browser (ports + bind address)

If the agent starts a dev server inside the container (Next/Vite/etc), you need to:

• publish that port in docker compose (ports: "3000:3000" etc)
• ensure the dev server binds to 0.0.0.0 (not 127.0.0.1), or it won’t be reachable outside the container

Then on your machine, over Tailscale, you’d hit:
http://<your-server-tailscale-ip>:3000

3) If you’re not running the whole gateway in Docker (only sandboxed tools)

Then the bind-mount knob is different:
agents.defaults.sandbox.docker.binds (host folder → sandbox container)
FAQ entry + links: https://docs.openclaw.ai/help/faq (search “bind a host folder into the sandbox”) and https://docs.openclaw.ai/gateway/sandboxing

If you paste your docker-compose.yml (redact tokens) and tell me which case you’re in:

1. gateway-in-docker, or
2. host gateway + sandbox

…I can point at the exact volumes: / ports: lines to add for your setup.

How can I check this?

???

Run these checks on the machine where OpenClaw is running (your VPS):

0) (Optional but useful) confirm version

openclaw --version

1) Am I running the gateway in Docker, or natively?

Docker gateway:

docker ps --format 'table {{.Names}}\t{{.Image}}\t{{.Ports}}' | rg -i 'openclaw|clawd|gateway' || true
docker compose ps

Native/system service gateway:

root@srv1100186:~# docker ps --format 'table {{.Names}}\t{{.Image}}\t{{.Ports}}' | rg -i 'openclaw|clawd|gateway' || true
docker compose ps
Command 'rg' not found, but can be installed with:
snap install ripgrep # version 12.1.0, or
apt install ripgrep # version 14.0.3-1
See 'snap info ripgrep' for additional versions.
no configuration file provided: not found
root@srv1100186:~#

openclaw gateway status --deep

If docker ps shows something like openclaw-gateway, you’re in the “gateway-in-docker” case.

2) Where is the workspace actually stored (where projects will land)?

Check what OpenClaw thinks its config says:

openclaw config get agents.defaults.workspace
openclaw config get agents.defaults.sandbox

Also list the default on-host workspace path (commonly exists even in Docker setups):

ls -la ~/.openclaw/workspace | head

3) If Docker is involved: what folders are mounted into the container?

Pick the gateway container name from docker ps, then:

docker inspect <container_name> --format '{{json .Mounts}}' | jq

You’re looking for a bind mount that points to the host folder you want (e.g. /openclaw-projects or ~/.openclaw/workspace).

4) Can I reach a project web server from my browser? (ports + bind address)

Is the port published?

“Check this” = figure out (A) where OpenClaw is writing projects, and (B) whether whatever it runs is reachable from your browser.

Run these exact commands on the server and paste the output here (you can redact tokens/hostnames):

A) Is OpenClaw running in Docker?

openclaw --version
openclaw gateway status --deep
docker ps --format 'table {{.Names}}\t{{.Image}}\t{{.Ports}}' | sed -n '1,40p'

B) Where is the workspace on disk?

openclaw config get agents.defaults.workspace
ls -la ~/.openclaw | sed -n '1,80p'
ls -la ~/.openclaw/workspace | head

docker port <container_name> | head -n 50

Is something listening inside the container? (example: port 3000)

docker exec -it <container_name> sh -lc 'ss -lntp | head -n 50'

If you see it listening on 127.0.0.1:3000 inside the container, you’ll usually need to start it with host 0.0.0.0 (e.g. Vite --host 0.0.0.0, Next -H 0.0.0.0, etc.) and publish the port in compose.

If you paste the output of (1) and (3) (redact tokens), I can tell you exactly which setup you’re in and what volumes: / ports: lines to add.

Docs for reference:

• Docker: https://docs.openclaw.ai/install/docker