From f0f1635f9f56e43edd852783145137de7c23559b Mon Sep 17 00:00:00 2001 From: "Gabriel A. Mays" Date: Wed, 29 Apr 2026 17:36:33 -0400 Subject: [PATCH] Docs: add VPS admin hardening note (#54685) --- docs/vps.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/docs/vps.md b/docs/vps.md index f0aecbd3441..d58186de486 100644 --- a/docs/vps.md +++ b/docs/vps.md @@ -43,6 +43,21 @@ A community video walkthrough is available at Related pages: [Gateway remote access](/gateway/remote), [Platforms hub](/platforms). +## Harden admin access first + +Before you install OpenClaw on a public VPS, decide how you want to administer +the box itself. + +- If you want Tailnet-only admin access, install Tailscale first, join the VPS + to your tailnet, verify a second SSH session over the Tailscale IP or + MagicDNS name, then restrict public SSH. +- If you are not using Tailscale, apply the equivalent hardening for your SSH + path before exposing more services. +- This is separate from Gateway access. You can still keep OpenClaw bound to + loopback and use an SSH tunnel or Tailscale Serve for the dashboard. + +Tailscale-specific Gateway options live in [Tailscale](/gateway/tailscale). + ## Shared company agent on a VPS Running a single agent for a team is a valid setup when every user is in the same trust boundary and the agent is business-only.
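Review bot: The second bullet of the new "Harden admin access first" section tells readers to "apply the equivalent hardening for your SSH path" without saying what counts as equivalent, so anyone not using Tailscale is left with no actionable step. Suggest naming the measures the docs have in mind, or linking to a page that does. In the first bullet, "then restrict public SSH" has the same gap: say where the restriction is meant to be applied (provider firewall, host firewall, or the SSH daemon's listen address), and tell the reader to keep the original public session open until the session over the Tailscale IP or MagicDNS name is confirmed working, since an error at that step locks the admin out of the box. The third bullet's point that admin access is separate from Gateway access is clear as written.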