#what's the recommended way to access the OpenClaw web UI externally on a VPS?

sick sedge
#

— what's the recommended way to access the OpenClaw web UI externally on a VPS?

We opened port 18789 on the Hostinger firewall and it responds locally, but external access still times out. Wondering if there's a recommended approach — reverse proxy, Cloudflare Tunnel, or something built into OpenClaw?


flat ospreyBOT
dire lodgeBOT
#

Let me check the current docs before I answer, since the gateway exposure bits have changed a few times.

#

Short version: recommended is not “open 18789 to the internet.” The docs recommend:

  1. Best: keep gateway.bind: "loopback" and use Tailscale Serve
  2. Fallback: keep loopback and use an SSH tunnel
  3. If you really need a shared URL: use an identity-aware reverse proxy or a non-loopback bind with proper auth

A raw firewall open on 18789 often still times out because the gateway is usually bound to loopback only, so it only listens on 127.0.0.1 and not the public interface.

A few concrete notes:

If you want the safest recommended VPS setup, I’d do:

  • keep gateway.bind: "loopback"
  • use Tailscale Serve
  • avoid public exposure of the admin UI

If you want, paste these and I can tell you exactly which mode you’re in:

openclaw --version
openclaw config get gateway.bind
openclaw gateway status

If gateway.bind comes back as loopback, that explains why opening the Hostinger firewall alone didn’t help.

sick sedge
#

Tailscale Serve is working — the dashboard loads at https://srv1556633.tail189faf.ts.net/ and the token connects. But we're getting "device pairing required" on the browser (iPhone Safari). Is this expected for a mobile browser? Do we need to approve the pairing request somewhere, or is there a way to skip pairing for the web UI?

dire lodgeBOT
#

I’m checking the pairing docs, because there are a couple of different auth paths here and I don’t want to mix them up.

#

Yep, that’s expected, including on iPhone Safari.

With Tailscale Serve, gateway.auth.allowTailscale can satisfy the auth part, but it does not skip browser device pairing. Remote browsers still need a one-time pairing approval.

Use:

openclaw devices list
openclaw devices approve <requestId>

A couple of gotchas:

  • Local 127.0.0.1 / localhost browsers are auto-approved
  • Tailnet/LAN browsers are not, even on the same machine
  • each browser/profile gets its own device ID, so Safari on iPhone is a separate pairing
  • if you clear Safari site data, it may need pairing again