Private Networking
Hosted OpenClaw can stay public, private, or mixed.
The important boundary is simple:
- Cloudflare handles the public web path.
- Your own Tailscale tailnet handles the private path.
- OpenClaw’s internal ops tailnet is separate and is never reused for your bot traffic.
What You Can Expose
| Channel | Supported modes | Notes |
|---|---|---|
| Web chat | public, private, both, disabled | Public web chat uses Cloudflare. Private web chat uses your tailnet. |
| Telegram | public, disabled | Telegram stays public-only in this release. |
| Custom domain | Public web only | Custom domains do not apply to tailnet-only chat. |
| Private resource access | On or off | Lets the bot reach internal apps, APIs, and databases on your tailnet. |
What Private Networking Does
When you enable private networking for a hosted bot:
- the bot joins your customer-owned tailnet
- the bot can reach internal resources that are not exposed to the public internet
- web chat can be available on a private *.ts.net URL
OpenClaw does not use Tailscale Funnel for this feature. Public ingress stays on Cloudflare.
What You Need
You need a Tailscale OAuth client that can mint one-off auth keys for a fixed bot tag.
In the dashboard, save:
- your tailnet name
- your OAuth client ID
- your OAuth client secret
- the fixed bot tag you want OpenClaw to use
OpenClaw uses that OAuth client to mint a short-lived join key when the bot is provisioned or reprovisioned. The bot runtime gets the one-off join key, not your OAuth client secret.
Security Model
- Your bot joins your tailnet, not OpenClaw’s tailnet.
- Public web chat stays on the public path you already use today.
- Private web chat is protected by Tailscale access on your tailnet.
- Telegram delivery is unchanged and remains public.
- If you disconnect the workspace tailnet integration, OpenClaw tears down the private node path and marks affected bots for reconfiguration.
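Because the bot joins your tailnet, your tailnet policy decides what the bot can reach and which devices can reach its private web chat. The script below is an added example, not OpenClaw or Tailscale code: it audits a constructed policy in Tailscale's acls format, and the tag name, groups, and ports are assumptions.

```python
# Added example: audit a tailnet policy for what the bot tag can reach.
BOT_TAG = "tag:openclaw-bot"  # assumption: the fixed bot tag saved in the dashboard

# Constructed sample in Tailscale's "acls" policy format; groups, tags and ports are made up.
SAMPLE_POLICY = {
    "tagOwners": {BOT_TAG: ["autogroup:admin"], "tag:crm-api": ["autogroup:admin"]},
    "acls": [
        {"action": "accept", "src": ["group:support"], "dst": [BOT_TAG + ":443"]},
        {"action": "accept", "src": [BOT_TAG], "dst": ["tag:crm-api:443"]},
        # A broad rule written for something else still applies to the bot.
        {"action": "accept", "src": ["*"], "dst": ["tag:printers:*"]},
    ],
}


def split_dst(dst):
    """Split 'host:ports' on the last colon, since tags contain a colon too."""
    host, _, ports = dst.rpartition(":")
    return host, ports


def audit(policy, bot_tag=BOT_TAG):
    """Return (destinations the bot may reach, findings) from 'accept' rules.

    Only the literal bot tag and "*" are matched as sources; groups, hosts
    and IP ranges are not resolved, and "grants" rules are not read.
    """
    reach, findings = [], []
    if bot_tag not in policy.get("tagOwners", {}):
        findings.append(f"{bot_tag} has no tagOwners entry")
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        srcs = rule.get("src", [])
        for dst in rule.get("dst", []):
            host, ports = split_dst(dst)
            if bot_tag in srcs or "*" in srcs:
                reach.append(dst)
                if host == "*" or ports == "*":
                    findings.append(f"bot can reach {dst} (wildcard)")
            if host in (bot_tag, "*") and "*" in srcs:
                findings.append(f"every tailnet device can reach the bot on {ports}")
    return reach, findings


if __name__ == "__main__":
    bot_reach, bot_findings = audit(SAMPLE_POLICY)
    print("bot can reach:", bot_reach)
    for finding in bot_findings:
        print("FINDING:", finding)
```

Run it against an export of your own policy before turning on private resource access; an empty findings list means no wildcard rule was matched, not that every group or host rule was reviewed.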
Mixed Mode
Web = both is the safest way to start.
That gives you:
- a public web URL for normal users
- a private tailnet web URL for internal or sensitive usage
- unchanged Telegram delivery if Telegram is enabled
If your tailnet is unavailable, the public web path can still work in mixed mode.
Private-Only Mode
Choose Web = private when the bot should only be reachable from devices on your tailnet.
That means:
- no public web URL
- no custom domain
- private web chat only through the tailnet URL
If the tailnet is unavailable, OpenClaw does not silently make that bot public.
Recommended Rollout
- Start with public web chat.
- Connect your Tailscale workspace.
- Turn on private resource access if the bot needs internal systems.
- Switch web exposure to both.
- Move to private only after you confirm the private URL fits the workflow.