Table of Contents
- Overview
- Video walkthrough
- What you’re setting up (quick mental model)
- Prerequisites
- Part A — Install + sign in to Tailscale on macOS
- Step 1: Download
- Step 2: Install
- Step 3: Sign in
- Step 4: Confirm it’s working
- Part B — Connect your Agent37 instance to Tailscale
- Step 1: Open the Agent37 terminal
- Step 2: Install Tailscale on the instance
- Step 3: Start the Tailscale Daemon Automatically in the Background
- Why this helps
- Step 4: Bring Tailscale up (authenticate)
- Step 5: Verify the instance is online and get its Tailnet IP
- Part C — Whitelist the Web Chat origin + copy the gateway token
- Step 1: Open openclaw.json
- Step 2: Add your Web Chat origin to allowedOrigins
- Step 3: Copy the gateway token
- Part D — Open Web Chat from your laptop
- Step 1: Confirm both devices are on the same Tailnet
- Step 2: Open the Web Chat URL
- Step 3: Authenticate in the Web Chat UI
- Step 4: Validate it works
- Troubleshooting
- Page doesn’t load
- “Origin not allowed” / CORS issues
- Token rejected
- Instance appears offline
- Multiple accounts / devices
Overview
This guide shows how to access OpenClaw Web Chat over your private Tailnet using a Tailscale IP (100.x.x.x), so you don’t need to expose the Web Chat port publicly.
Video walkthrough

What you’re setting up (quick mental model)
- Your Agent37 instance runs OpenClaw and exposes the Web Chat UI on port 18789.
- Tailscale gives the instance a private, routable Tailnet IP (100.x.x.x).
- You open the Web Chat from your laptop at http://<instance-tailscale-ip>:18789/.
- You must whitelist that browser origin in openclaw.json via gateway.controlUi.allowedOrigins.
- You authenticate to the gateway using gateway.auth.token.
Prerequisites
- An Agent37 instance you can open a terminal into
- A Tailscale account (Google/GitHub/Microsoft/email login)
- Tailscale installed on your laptop (signed into the same Tailnet)
Part A — Install + sign in to Tailscale on macOS
Step 1: Download
- Download Tailscale for Mac (a .pkg installer)
Step 2: Install
- Open the downloaded .pkg
- Follow the prompts (Continue → Install)
- Enter your Mac password if prompted
Step 3: Sign in
- Open Tailscale (Applications → Tailscale)
- Click Sign in
- Complete authentication in your browser
- Authorize your device
- Toggle Tailscale On
You’ll see:
- Status: Connected
- Your Tailscale IP (100.x.x.x)
Step 4: Confirm it’s working
- In the Tailscale app, verify the status shows Connected
- Note your laptop’s Tailscale IP (100.x.x.x)

Part B — Connect your Agent37 instance to Tailscale
Step 1: Open the Agent37 terminal
- Create an instance (or open an existing one)
- Open Terminal for that instance

Step 2: Install Tailscale on the instance
Run:
curl -fsSL https://tailscale.com/install.sh | sh
Step 3: Start the Tailscale Daemon Automatically in the Background
If you access OpenClaw Web Chat using a Tailscale IP, you may find yourself manually starting tailscaled every time your instance restarts. To avoid that extra step, add the Tailscale daemon command to post-restart.sh so it runs automatically in the background.
Open post-restart.sh
nano .agent37/hooks/post-restart.sh
Add this command to post-restart.sh
sudo tailscaled \
  --tun=userspace-networking \
  --socket=/var/run/tailscale/tailscaled.sock \
  --state=/home/node/.openclaw/tailscaled.state \
  &
Save and exit
- Ctrl + O to write out/save
- Press Enter to confirm the filename
- Ctrl + X to exit
If you press Ctrl + X first and it asks to save, press Y, then Enter.
Restart your OpenClaw instance
After saving the file, restart your OpenClaw instance from the Agent37 dashboard.

Why this helps
Adding this command to post-restart.sh makes startup smoother:
- You no longer need to manually start tailscaled each time.
- The Tailscale daemon keeps running in the background.
- OpenClaw Web Chat continues to work with the same Tailscale IP flow.
This is a small change, but it removes a repetitive manual step and makes the OpenClaw workflow much more convenient. If you regularly access OpenClaw Web Chat through Tailscale, this is an easy improvement that helps streamline the workflow.
Step 4: Bring Tailscale up (authenticate)
Open the terminal and run:
sudo tailscale up
You’ll see a login URL like https://login.tailscale.com/a/xxxxx.
- Open that URL in your browser
- Sign in to the same Tailscale account/Tailnet as your laptop
Step 5: Verify the instance is online and get its Tailnet IP
Run:
tailscale status
You should see your instance with a 100.x.x.x IP and an online status, for example:
100.90.12.5 my-instance online
Save this IP — you’ll use it in the Web Chat URL and in allowedOrigins.
Part C — Whitelist the Web Chat origin + copy the gateway token
This step prevents browser-origin/CORS blocks and ensures only allowed origins can open the control UI.
Step 1: Open openclaw.json
- Open your instance
- Go to Actions → Files
- Open openclaw.json
Step 2: Add your Web Chat origin to allowedOrigins
Add the instance’s Tailscale IP with port 18789.
- Use the same scheme you will use in the browser (typically http://).
- The origin must match exactly: scheme + host + port.
Example:
"gateway": {
  "mode": "local",
  "controlUi": {
    "allowedOrigins": [
      "http://100.64.8.101:18789"
    ]
  },
  "auth": {
    "mode": "token",
    "token": "xxxxxxxxxxxx"
  }
}
Step 3: Copy the gateway token
Copy gateway.auth.token — you’ll paste it into Web Chat when prompted.
Part D — Open Web Chat from your laptop
Step 1: Confirm both devices are on the same Tailnet
- Laptop: Tailscale is On and shows Connected
- Instance: shows online in tailscale status
Step 2: Open the Web Chat URL
In your browser, open:
http://<instance-tailscale-ip>:18789/
Example:
http://100.90.12.5:18789/
Step 3: Authenticate in the Web Chat UI
When prompted, paste the token from openclaw.json → gateway.auth.token.
Step 4: Validate it works
- Click Connect (you should see a connected state)
- Send a test message in the chat box
Troubleshooting
Page doesn’t load
- Confirm the instance is online: tailscale status
- Confirm you used the correct instance IP (100.x.x.x)
- Confirm you included the port: :18789
“Origin not allowed” / CORS issues
- Ensure gateway.controlUi.allowedOrigins includes the exact origin you opened: http://100.x.x.x:18789 (scheme + IP + port must match)
- If you changed the IP (new instance) or changed ports, update allowedOrigins accordingly
Token rejected
- Make sure you copied gateway.auth.token (not another token)
- Re-open openclaw.json and re-copy (avoid hidden whitespace)
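An added example, not from the original guide or the OpenClaw project: a pre-flight check for the two failures above ("Origin not allowed" and "Token rejected"). It assumes openclaw.json parses as strict JSON and that origins are compared as exact strings, as the guide states; `browser_origin`, `check_gateway` and `SAMPLE` are hypothetical names, and the sample reuses the page's example values.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Tailscale assigns IPv4 addresses from this range (the guide's 100.x.x.x).
TAILNET_V4 = ipaddress.ip_network("100.64.0.0/10")

def browser_origin(url):
    """Serialize scheme://host[:port] the way a browser does (default port omitted)."""
    p = urlsplit(url.strip())
    default = {"http": 80, "https": 443}.get(p.scheme)
    host = p.hostname or ""
    if p.port is None or p.port == default:
        return f"{p.scheme}://{host}"
    return f"{p.scheme}://{host}:{p.port}"

def check_gateway(config_text, opened_url, pasted_token):
    """Return a list of findings; an empty list means every check passed."""
    gw = json.loads(config_text)["gateway"]
    allowed = gw.get("controlUi", {}).get("allowedOrigins", [])
    findings = []
    for entry in allowed:
        # An entry with a trailing slash or path can never equal a browser origin.
        if entry != browser_origin(entry):
            findings.append(f"not a bare origin: {entry!r}")
        try:
            if ipaddress.ip_address(urlsplit(entry).hostname or "") not in TAILNET_V4:
                findings.append(f"host outside 100.64.0.0/10: {entry!r}")
        except ValueError:
            findings.append(f"host is not an IP address: {entry!r}")
    origin = browser_origin(opened_url)
    if origin not in allowed:
        findings.append(f"origin {origin!r} is not in allowedOrigins")
    token = gw.get("auth", {}).get("token", "")
    if pasted_token != token:
        why = "differs only by whitespace" if pasted_token.strip() == token else "does not match"
        findings.append(f"pasted token {why}")
    return findings

# Constructed sample that reuses the page's example values (not a real config or token).
SAMPLE = """{"gateway": {"mode": "local",
  "controlUi": {"allowedOrigins": ["http://100.64.8.101:18789"]},
  "auth": {"mode": "token", "token": "xxxxxxxxxxxx"}}}"""

if __name__ == "__main__":
    for url in ("http://100.64.8.101:18789/", "http://100.90.12.5:18789/"):
        print(url, check_gateway(SAMPLE, url, "xxxxxxxxxxxx ") or "ok")
```

With the sample config, the URL on 100.64.8.101 passes the origin check, while the URL on 100.90.12.5 is reported as missing from allowedOrigins.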
Instance appears offline
- Re-run:
sudo tailscaled ... & (if the daemon isn’t running)
sudo tailscale up (if the node isn’t authenticated)
Multiple accounts / devices
- Laptop and instance must be signed into the same Tailnet/account in Tailscale