#Tailscale

1 messages Β· Page 1 of 1 (latest)

rigid salmon
#

I'm on a aws vps runing open claw I have tailscale downloaded and installed on both my main device and on the vps how do I start using the web ui on my main device

unreal abyssBOT
soft nebulaBOT
#

To help others find answers, you can mark your question as solved via Right click solution message -> Apps -> βœ… Mark Solution

unreal abyssBOT
clever galeBOT
#

Yep, easiest path is Tailscale Serve.

On the VPS, run:

openclaw --version
openclaw status
openclaw config set gateway.tailscale.mode serve
openclaw gateway restart
openclaw dashboard --no-open

Then open the URL it prints on your main device. It should be the Tailscale/MagicDNS dashboard URL, usually something like:

https://<your-vps-name>.<your-tailnet>.ts.net/
#

A couple notes:

  • Make sure both devices are in the same tailnet.
  • Serve is the recommended one here, not Funnel.
  • If the UI connects but asks for auth, on the VPS run:
openclaw config get gateway.auth.token

Then paste that in Overview -> Gateway Access in the UI.

Docs:
https://docs.openclaw.ai/gateway/tailscale
https://docs.openclaw.ai/web/dashboard

If it still doesn't work, paste these and I’ll help you debug it:

# 
openclaw --version
openclaw status
openclaw gateway status
tailscale status
tailscale serve status
rigid salmon
#

Is this gunna make a daemon gateway?

clever galeBOT
#

No, not by itself.

  • openclaw config set ... only changes config.
  • openclaw dashboard --no-open just prints the UI URL.
  • openclaw gateway restart only restarts the gateway if you already installed the daemon/service.

So the quick check is:

openclaw gateway status

If that shows a running service, you're good.

If you don’t have the daemon installed yet, then install it with onboarding:

# 
openclaw onboard --install-daemon

If you want, paste openclaw gateway status and I’ll tell you exactly which state you’re in.

rigid salmon
#

The daemon is installed now step by step how do I get ts working

clever galeBOT
#

Yep. Do this on the VPS, not on your main device.

1. Make sure Tailscale is actually connected on the VPS

openclaw --version
sudo tailscale up
tailscale status

You want to see the VPS online in your tailnet.

2. Tell OpenClaw to use Tailscale Serve

openclaw config set gateway.bind loopback
# 
openclaw config set gateway.tailscale.mode serve
openclaw gateway restart

3. Verify Serve is active

tailscale serve status
openclaw gateway status

4. Get the VPS Tailscale name

tailscale status
#

Look for the VPS hostname / MagicDNS name, something like:

your-vps-name.your-tailnet.ts.net

5. Open the UI from your main device

In your browser on your main device, open:

https://your-vps-name.your-tailnet.ts.net/

That should bring up the OpenClaw web UI.

6. If it asks for auth

#

On the VPS:

openclaw config get gateway.auth.token

Paste that token into the UI under Overview -> Gateway Access.

7. If it still fails, paste these

openclaw status
openclaw gateway status
tailscale status
tailscale serve status
rigid salmon
#

It says error config set mode error valie mode requires value after I did the 2nd step

#

Who is u?

clever galeBOT
#

Yep, that error usually just means the value after mode did not get passed through.

Run these one at a time, exactly:

openclaw config set gateway.bind "loopback"
openclaw config set gateway.tailscale.mode "serve"
openclaw config get gateway.bind
openclaw config get gateway.tailscale.mode
openclaw gateway restart

You should see the get commands print:

loopback
# 
serve

Then check:

tailscale serve status
openclaw gateway status

If it still throws the same error, paste the exact command you typed, because I think the shell ate part of it.

#

No need to escalate this yet, it looks like a simple CLI syntax hiccup.

For armored, the fix is still:

openclaw config set gateway.bind "loopback"
openclaw config set gateway.tailscale.mode "serve"

Run them as two separate commands.

Then verify:

openclaw config get gateway.bind
openclaw config get gateway.tailscale.mode
#

If it still errors, paste:

openclaw --version

and the exact command you typed. That’ll be enough to sort it out here.

#

I’m Krill 🦐, the OpenClaw support bot hanging out in here.

I help with setup/troubleshooting in the help threads. For your Tailscale thing, we can keep going here and get it working.

rigid salmon
#

ubuntu@ip-172-31-37-151:~$ openclaw gateway restart

🦞 OpenClaw 2026.4.21 (f788c88) β€” Greetings, Professor Falken

Restarted systemd service: openclaw-gateway.service
Timed out after 60s waiting for gateway port 18789 to become healthy.
Gateway process is running but port 18789 is still free (startup hang/crash loop or very slow VM startup).
Service runtime: status=running, state=active, pid=10370, lastExit=0
Gateway port 18789 status: free.
Gateway restart timed out after 60s waiting for health checks.
Tip: openclaw gateway status --deep
Tip: openclaw doctor

clever galeBOT
#

Got it. This means the gateway itself is not coming up yet, so Tailscale is not the blocker yet.

Let’s check the real cause. On the VPS, run these:

openclaw config get gateway.mode
openclaw config get gateway.bind
openclaw config get gateway.auth.mode
openclaw gateway status --deep
openclaw doctor

Then start the logs and watch what happens:

openclaw logs --follow
#

If you want the shortest path, paste the output from those commands here.

The main things I’m looking for are:

  • refusing to bind gateway ... without auth
  • Gateway start blocked: set gateway.mode=local
  • EADDRINUSE
  • anything repeating in a crash loop

So, next step is not more Tailscale config, it’s getting the gateway healthy first.

Docs: https://docs.openclaw.ai/gateway/troubleshooting

rigid salmon
#

ubuntu@ip-172-31-37-151:~$ openclaw gateway status --deep

🦞 OpenClaw 2026.4.21 (f788c88) β€” Less clicking, more shipping, fewer "where did that file go" moments.

β”‚
β—‡
Service: systemd (enabled)
File logs: /tmp/openclaw/openclaw-2026-04-22.log
Command: /home/ubuntu/.nvm/versions/node/v24.15.0/bin/node /home/ubuntu/.nvm/versions/node/v24.15.0/lib/node_modules/openclaw/dist/index.js gateway --port 18789
Service file: ~/.config/systemd/user/openclaw-gateway.service
Service env: OPENCLAW_GATEWAY_PORT=18789

Service config looks out of date or non-standard.
Service config issue: Gateway service PATH includes version managers or package managers; recommend a minimal PATH. (/home/ubuntu/.nvm/versions/node/v24.15.0/bin)
Service config issue: Gateway service uses Node from a version manager; it can break after upgrades. (/home/ubuntu/.nvm/versions/node/v24.15.0/bin/node)
Service config issue: System Node 22 LTS (22.14+) or Node 24 not found; install it before migrating away from version managers.
Recommendation: run "openclaw doctor" (or "openclaw doctor --repair").
Config (cli): ~/.openclaw/openclaw.json
Config (service): ~/.openclaw/openclaw.json

Gateway: bind=loopback (127.0.0.1), port=18789 (service args)
Probe target: ws://127.0.0.1:18789
Dashboard: http://127.0.0.1:18789/
Probe note: Loopback-only gateway; only local clients can connect.

Runtime: running (pid 10370, state active, sub running, last exit 0, reason 0)
Connectivity probe: ok
Capability: read-only

Listening: 127.0.0.1:18789
Troubles: run openclaw status
Troubleshooting: https://docs.openclaw.ai/troubleshooting

clever galeBOT
#

Nice, this is actually good news.

Your gateway is healthy now. The key line is:

Listening: 127.0.0.1:18789

So OpenClaw is running, it’s just loopback-only on the VPS right now. Next step is to put Tailscale in front of it.

Run these on the VPS:

sudo tailscale up
openclaw config get gateway.tailscale.mode
openclaw config set gateway.tailscale.mode "serve"
# 
openclaw gateway restart
tailscale serve status
openclaw dashboard --no-open

What should happen:

  • tailscale serve status should show a Serve mapping
  • openclaw dashboard --no-open should give you the URL to open
  • On your main device, open that URL in the browser

Usually it’ll be something like:

https://<your-vps-name>.<your-tailnet>.ts.net/
#

A couple notes:

  • The nvm / PATH warnings are real, but they are not the immediate blocker
  • Capability: read-only is fine for this check

If tailscale serve status is empty or errors, paste:

tailscale status
tailscale serve status
openclaw config get gateway.tailscale.mode

and I’ll tell you the next exact step.

rigid salmon
#

ubuntu@ip-172-31-37-151:~$ openclaw gateway restart

🦞 OpenClaw 2026.4.21 (f788c88) β€” Somewhere between 'hello world' and 'oh god what have I built.'

Restarted systemd service: openclaw-gateway.service
Timed out after 60s waiting for gateway port 18789 to become healthy.
Gateway process is running but port 18789 is still free (startup hang/crash loop or very slow VM startup).
Service runtime: status=running, state=active, pid=11153, lastExit=0
Gateway port 18789 status: free.
Gateway restart timed out after 60s waiting for health checks.
Tip: openclaw gateway status --deep
Tip: openclaw doctor
ubuntu@ip-172-31-37-151:~$ ???

clever galeBOT
#

That timeout can be a false alarm on slower VPSes. Let’s verify instead of guessing.

Run these exact commands next:

openclaw config get gateway.tailscale.mode
openclaw gateway status --deep
tailscale serve status

What I want to see

Good:

  • gateway.tailscale.mode prints serve
  • Connectivity probe: ok
  • Listening: 127.0.0.1:18789
#

If you see that, the gateway is fine, and the timeout message is basically noise.

Then do:

openclaw dashboard --no-open

and open the URL it prints on your main device.

If gateway.tailscale.mode is not serve

Run:

openclaw config set gateway.tailscale.mode "serve"
#

If tailscale serve status is empty or errors

Run:

sudo tailscale up
tailscale status
tailscale serve status

If gateway status --deep is bad

Run:

openclaw logs --follow
#

and paste the first error lines.

So yeah, next move is: paste those 3 command outputs and we can tell whether this is just a noisy restart or a real problem.

rigid salmon
#

ubuntu@ip-172-31-37-151:~$ tailscale serve status
https://ip-172-31-37-151.tail7f7ef5.ts.net (tailnet only)
|-- / proxy http://127.0.0.1:18789

ubuntu@ip-172-31-37-151:~$ openclaw dashboard --no-open

🦞 OpenClaw 2026.4.21 (f788c88) β€” I've read more man pages than any human shouldβ€”so you don't have to.

Dashboard URL: http://127.0.0.1:18789/#token=696a0daa8dd6fd27d9f39ae4eeb208067e81f1c3813bf0cb
Copy to clipboard unavailable.
Browser launch disabled (--no-open). Use the URL above.

clever galeBOT
#

Perfect, Tailscale Serve is working now πŸŽ‰

Use this URL on your main device:

https://ip-172-31-37-151.tail7f7ef5.ts.net/

Ignore the http://127.0.0.1:18789/... URL, that one is only for the VPS itself.

Two important notes:

  1. If the UI opens and works, you’re done.
  2. If it asks for auth, use the gateway token, but do not paste it here again.

Also, you posted your token publicly in this thread, so you should rotate it now:

# 
openclaw config set gateway.auth.token "$(openssl rand -hex 32)"
openclaw gateway restart

Then, if you need the new token, get it privately on the VPS and paste it into the UI yourself.

If the Tailscale URL does not load from your main device, paste what the browser shows and I’ll help with the last mile.

rigid salmon
#

origin not allowed (open the Control UI from the gateway host or allow it in gateway.controlUi.allowedOrigins)

clever galeBOT
#

Yep, that’s the missing piece.

Your browser origin is the Tailscale HTTPS URL, and OpenClaw is rejecting it because it is not in gateway.controlUi.allowedOrigins yet.

Run this on the VPS:

openclaw config set gateway.controlUi.allowedOrigins '["http://127.0.0.1:18789","http://localhost:18789","https://ip-172-31-37-151.tail7f7ef5.ts.net"]' --strict-json
openclaw gateway restart

Then open this again on your main device:

https://ip-172-31-37-151.tail7f7ef5.ts.net/
rigid salmon
#

device pairing required (requestId: 893b224a-5550-4c01-8390-1d6aef7fcea9)

clever galeBOT
#

Nice, that means you’re basically at the last step.

On the VPS, approve that device pairing request:

openclaw devices list
openclaw devices approve 893b224a-5550-4c01-8390-1d6aef7fcea9

Then reload the Tailscale URL in your browser.

If approve says the request is missing/stale, that means the browser generated a new request ID. In that case:

  1. refresh the page once
  2. run openclaw devices list again
  3. approve the newest request ID instead
rigid salmon
#

It says unknown request id

clever galeBOT
#

Yep, that means the browser request ID got replaced. That’s normal.

Do this in order:

  1. Keep the Tailscale Control UI page open.
  2. Refresh it once.
  3. On the VPS, run:
openclaw devices list
  1. Copy the current pending request ID from that output.
  2. Approve that exact one:
# 
openclaw devices approve <new-request-id>

Then reload the page again.

If openclaw devices list shows nothing, tell me what it prints and we’ll check the next blocker.

rigid salmon
#

Pending (1)

β”‚ Request β”‚ Device β”‚ Requested β”‚ Approved β”‚ Age β”‚ Status β”‚

β”‚ 5427bf3d-f91f-413e-965d-5e1b86c0959f β”‚ bb9ab8e326074d β”‚ roles: operator; scopes: operator.admin, β”‚ roles: operator; β”‚ just now β”‚ scope upgrade, repair β”‚
β”‚ β”‚ 424958046ae5ba β”‚ operator.approvals, operator.pairing, β”‚ scopes: operator. β”‚ β”‚ β”‚
β”‚ β”‚ b3223883f0e835 β”‚ operator.read, operator.talk.secrets, β”‚ read β”‚ β”‚ β”‚
β”‚ β”‚ 9330ab6b13ede4 β”‚ operator.write β”‚ β”‚ β”‚ β”‚
β”‚ β”‚ 099c6aac β”‚ β”‚ β”‚ β”‚ β”‚
β”€β”€β”€β”˜
Paired (1)
β”Œβ”€β”€β”€β”€β”€
β”‚ Device β”‚ Roles β”‚ Scopes β”‚ Tokens β”‚ IP β”‚

β”‚ bb9ab8e326074d424958046ae5bab3223883f0e8359330ab6b13ede4099c6aac β”‚ operator β”‚ operator.read β”‚ operator β”‚ β”‚