Open main menu

How to set up OpenClaw Web Chat with Tailscale IP

Step-by-step guide to securely access OpenClaw Web Chat over your Tailscale private IP: install Tailscale on your Agent37 instance, authenticate, allow the origin in openclaw.json, and connect from your laptop.

Table of Contents
Do not index

Overview

This guide shows how to access OpenClaw Web Chat over your private Tailnet using a Tailscale IP (100.x.x.x), so you don’t need to expose the Web Chat port publicly.

Video walkthrough

Video preview

What you’re setting up (quick mental model)

  • Your Agent37 instance runs OpenClaw and exposes the Web Chat UI on port 18789.
  • Tailscale gives the instance a private, routable Tailnet IP (100.x.x.x).
  • You open the Web Chat from your laptop at http://<instance-tailscale-ip>:18789/.
  • You must whitelist that browser origin in openclaw.json via gateway.controlUi.allowedOrigins.
  • You authenticate to the gateway using gateway.auth.token.

Prerequisites

  • An Agent37 instance you can open a terminal into
  • A Tailscale account (Google/GitHub/Microsoft/email login)
  • Tailscale installed on your laptop (signed into the same Tailnet)

Part A — Install + sign in to Tailscale on macOS

Step 1: Download

  1. Go to https://tailscale.com/download
  1. Download Tailscale for Mac (a .pkg installer)

Step 2: Install

  1. Open the downloaded .pkg
  1. Follow the prompts (Continue → Install)
  1. Enter your Mac password if prompted

Step 3: Sign in

  1. Open Tailscale (Applications → Tailscale)
  1. Click Sign in
  1. Complete authentication in your browser
  1. Authorize your device
  1. Toggle Tailscale On
      2. You’ll see:
      • Status: Connected
      • Your Tailscale IP (100.x.x.x)

Step 4: Confirm it’s working

  • In the Tailscale app, verify the status shows Connected
  • Note your laptop’s Tailscale IP (100.x.x.x)
notion image

Part B — Connect your Agent37 instance to Tailscale

Step 1: Open the Agent37 terminal

  1. Go to https://www.agent37.com/dashboard
  1. Create an instance (or open an existing one)
  1. Open Terminal for that instance
notion image

Step 2: Install Tailscale on the instance

Run:
curl -fsSL https://tailscale.com/install.sh | sh

Step 3: Start the Tailscale daemon (tailscaled)

Run:
sudo tailscaled \
	--tun=userspace-networking \
	--socket=/var/run/tailscale/tailscaled.sock \
	--state=/home/node/.openclaw/tailscaled.state \
	&
Notes:
  • This starts tailscaled in the background with settings that work well in containers.
  • Tailscale needs the daemon running to bring the node online.

Step 4: Bring Tailscale up (authenticate)

Run:
sudo tailscale up
You’ll see a login URL like https://login.tailscale.com/a/xxxxx.
  1. Open that URL in your browser
  1. Sign in to the same Tailscale account/Tailnet as your laptop

Step 5: Verify the instance is online and get its Tailnet IP

Run:
tailscale status
You should see your instance with a 100.x.x.x IP and an online status, for example:
100.90.12.5  my-instance  online
Save this IP — you’ll use it in the Web Chat URL and in allowedOrigins.

Part C — Whitelist the Web Chat origin + copy the gateway token

This step prevents browser-origin/CORS blocks and ensures only allowed origins can open the control UI.

Step 1: Open openclaw.json

  1. Go to https://www.agent37.com/dashboard
  1. Open your instance
  1. Go to Actions → Files
  1. Open openclaw.json

Step 2: Add your Web Chat origin to allowedOrigins

Add the instance’s Tailscale IP with port 18789.
  • Use the same scheme you will use in the browser (typically http://).
  • The origin must match exactly: scheme + host + port.
Example:
"gateway": {
	"mode": "local",
	"controlUi": {
		"allowedOrigins": [
			"http://100.64.8.101:18789"
		]
	},
	"auth": {
		"mode": "token",
		"token": "xxxxxxxxxxxx"
	}
}

Step 3: Copy the gateway token

Copy gateway.auth.token — you’ll paste it into Web Chat when prompted.

Part D — Open Web Chat from your laptop

Step 1: Confirm both devices are on the same Tailnet

  • Laptop: Tailscale is On and shows Connected
  • Instance: shows online in tailscale status

Step 2: Open the Web Chat URL

In your browser, open:
  • http://<instance-tailscale-ip>:18789/
Example:
  • http://100.90.12.5:18789/

Step 3: Authenticate in the Web Chat UI

When prompted, paste the token from openclaw.jsongateway.auth.token.
notion image

Step 4: Validate it works

  • Click Connect (you should see a connected state)
  • Send a test message in the chat box

Troubleshooting

Page doesn’t load

  • Confirm the instance is online: tailscale status
  • Confirm you used the correct instance IP (100.x.x.x)
  • Confirm you included the port: :18789

“Origin not allowed” / CORS issues

  • Ensure gateway.controlUi.allowedOrigins includes the exact origin you opened:
    • http://100.x.x.x:18789 (scheme + IP + port must match)
  • If you changed the IP (new instance) or changed ports, update allowedOrigins accordingly

Token rejected

  • Make sure you copied gateway.auth.token (not another token)
  • Re-open openclaw.json and re-copy (avoid hidden whitespace)

Instance appears offline

  • Re-run:
    • sudo tailscaled ... & (if the daemon isn’t running)
    • sudo tailscale up (if the node isn’t authenticated)

Multiple accounts / devices

  • Laptop and instance must be signed into the same Tailnet/account in Tailscale