Cloudflare Tunnel Setup
Cloudflare Tunnel provides secure access to your OpenClaw instance without exposing ports to the internet.
Why Use Cloudflare Tunnel?
| Benefit | Description |
|---|---|
| No open ports | No need to expose ports 80/443 to the internet |
| DDoS protection | Cloudflare’s network protects your origin |
| SSL/TLS | Automatic HTTPS with no certificate management |
| Zero Trust | Optional authentication before accessing your app |
| Free | No additional cost with Cloudflare free tier |
Cloudflare Tunnel is recommended for VPS deployments. It replaces the need for nginx, Caddy, or other reverse proxies.
Prerequisites
- VPS with OpenClaw running on port 8080
- Cloudflare account (free tier works)
- Domain with DNS managed by Cloudflare
Installation
Install cloudflared
Ubuntu/Debian
curl -L --output cloudflared.deb \
https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo dpkg -i cloudflared.deb
Authenticate with Cloudflare
cloudflared tunnel login
This opens a browser to authorize cloudflared with your Cloudflare account.
Create a Tunnel
cloudflared tunnel create openclaw
Note the tunnel ID returned (e.g., a1b2c3d4-e5f6-...).
Configure the Tunnel
Create the configuration file:
mkdir -p ~/.cloudflared
nano ~/.cloudflared/config.yml
Add this configuration:
tunnel: <your-tunnel-id>
credentials-file: /root/.cloudflared/<tunnel-id>.json
ingress:
  - hostname: ai.yourdomain.com
    service: http://localhost:8080
  - service: http_status:404
Replace:
- <your-tunnel-id> with your tunnel ID
- ai.yourdomain.com with your desired subdomain
Add DNS Record
cloudflared tunnel route dns openclaw ai.yourdomain.com
This creates a CNAME record pointing to your tunnel.
Test the Tunnel
cloudflared tunnel run openclaw
Visit https://ai.yourdomain.com to verify it works.
Install as a System Service
sudo cloudflared service install
sudo systemctl start cloudflared
sudo systemctl enable cloudflared
Adding Cloudflare Access (Optional)
Protect your OpenClaw instance with Cloudflare Access authentication.
Go to Zero Trust Dashboard
- Visit one.dash.cloudflare.com
- Navigate to Access > Applications
Create Application
- Click “Add an application”
- Select “Self-hosted”
- Configure:
- Name: OpenClaw
- Domain: ai.yourdomain.com
- Path: Leave empty (protects entire subdomain)
Configure Policy
Create a policy for who can access:
Example: Email-based access
- Policy name: Team Access
- Action: Allow
- Include: Emails ending in @yourcompany.com
Example: One-time PIN
- Policy name: Email PIN
- Action: Allow
- Include: Emails in a specific list
- Authentication: One-time PIN
Save and Test
Save the application and test by visiting your domain. You should see a Cloudflare Access login page.
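Access policies only apply to requests that arrive through Cloudflare, so the origin port should be bound to loopback, where the tunnel's `http://localhost:8080` service can still reach it. The following is an added example, not part of the original guide: it classifies listeners on a port from `ss -Hltn` output; the function name and sample lines are constructed for illustration.

```bash
# classify_listeners PORT
#   Reads `ss -Hltn` output on stdin (fields: State Recv-Q Send-Q Local Peer).
#   Prints "loopback ADDR" or "exposed ADDR" for each listener on PORT.
#   Returns 0 if every listener is loopback-only, 1 if any listener is bound
#   to a non-loopback address, 2 if nothing listens on PORT.
classify_listeners() {
  local port="$1" local_addr addr found=0 exposed=0
  while read -r _state _recvq _sendq local_addr _rest; do
    # Compare the text after the last ':' with the requested port.
    [ "${local_addr##*:}" = "$port" ] || continue
    found=1
    addr="${local_addr%:*}"   # strip ":PORT"
    addr="${addr%%\%*}"       # strip an interface suffix such as "%lo"
    case "$addr" in
      127.*|"[::1]") echo "loopback $addr" ;;
      *)             echo "exposed $addr"; exposed=1 ;;
    esac
  done
  [ "$found" -eq 1 ] || return 2
  return "$exposed"
}

# Constructed sample: port 8080 bound on all interfaces, plus an SSH listener.
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 4096 [::]:8080 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Constructed sample: port 8080 bound to loopback only.
SAMPLE_LOOPBACK='LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 4096 [::1]:8080 [::]:*'

printf '%s\n' "$SAMPLE_SS" | classify_listeners 8080 \
  || echo "port 8080 is not loopback-only"

# On a live host:
#   ss -Hltn | classify_listeners 8080
```

An "exposed" result means direct reachability depends entirely on the host firewall. If OpenClaw runs in Docker, publishing the port on 127.0.0.1 only (for example `-p 127.0.0.1:8080:8080`, assuming the container also listens on 8080) keeps it on loopback.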
Configuration Examples
Basic Configuration
tunnel: abc123
credentials-file: /root/.cloudflared/abc123.json
ingress:
  - hostname: ai.example.com
    service: http://localhost:8080
  - service: http_status:404
Multiple Services
tunnel: abc123
credentials-file: /root/.cloudflared/abc123.json
ingress:
  - hostname: ai.example.com
    service: http://localhost:8080
  - hostname: api.example.com
    service: http://localhost:3000
  - service: http_status:404
With Origin Server Name
For services that require specific Host headers:
tunnel: abc123
credentials-file: /root/.cloudflared/abc123.json
ingress:
  - hostname: ai.example.com
    service: http://localhost:8080
    originRequest:
      httpHostHeader: localhost
  - service: http_status:404
Troubleshooting
Tunnel Not Connecting
Check the tunnel status:
cloudflared tunnel info openclaw
Check logs:
journalctl -u cloudflared -f
DNS Not Resolving
Verify the DNS record exists:
dig ai.yourdomain.com
This should return a CNAME to <tunnel-id>.cfargotunnel.com.
502 Bad Gateway
OpenClaw might not be running. Check:
curl http://localhost:8080
docker logs openclaw
SSL Certificate Errors
Cloudflare handles SSL automatically. Ensure your Cloudflare SSL/TLS mode is set to “Full” or “Full (strict)” in the dashboard.
Managing Tunnels
List Tunnels
cloudflared tunnel list
Delete a Tunnel
cloudflared tunnel delete openclaw
Rotate Credentials
cloudflared tunnel token openclaw