vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-03 21:00:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs: refresh tailscale auth mirrors

Browse Source
This commit is contained in:
Peter Steinberger
2026-04-04 14:00:36 +01:00
parent b0025b1921
commit f8dcd3ed83
3 changed files with 6 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
docs/gateway/tailscale.md
View File

@@ -22,8 +22,10 @@ Tailscale provides HTTPS, routing, and (for Serve) identity headers.
Set `gateway.auth.mode` to control the handshake:
- `none` (private ingress only)
- `token` (default when `OPENCLAW_GATEWAY_TOKEN` is set)
- `password` (shared secret via `OPENCLAW_GATEWAY_PASSWORD` or config)
- `trusted-proxy` (identity-aware reverse proxy; see [Trusted Proxy Auth](/gateway/trusted-proxy-auth))
When `tailscale.mode = "serve"` and `gateway.auth.allowTailscale` is `true`,
Control UI/WebSocket auth can use Tailscale identity headers
@@ -38,8 +40,8 @@ still require token/password auth.
This tokenless flow assumes the gateway host is trusted. If untrusted local code
may run on the same host, disable `gateway.auth.allowTailscale` and require
token/password auth instead.
To require explicit credentials, set `gateway.auth.allowTailscale: false` or
force `gateway.auth.mode: "password"`.
To require explicit shared-secret credentials, set `gateway.auth.allowTailscale: false`
and use `gateway.auth.mode: "token"` or `"password"`.
## Config examples

1
docs/help/faq.md
View File

@@ -167,6 +167,7 @@ Quick answers plus deeper troubleshooting for real-world setups (local dev, VPS,
- **Tailscale Serve** (recommended): keep bind loopback, run `openclaw gateway --tailscale serve`, open `https://<magicdns>/`. If `gateway.auth.allowTailscale` is `true`, identity headers satisfy Control UI/WebSocket auth (no token, assumes trusted gateway host); HTTP APIs still require token/password.
- **Tailnet bind**: run `openclaw gateway --bind tailnet --token "<token>"`, open `http://<tailscale-ip>:18789/`, paste token in dashboard settings.
- **Identity-aware reverse proxy**: keep the Gateway behind a non-loopback trusted proxy, configure `gateway.auth.mode: "trusted-proxy"`, then open the proxy URL.
- **SSH tunnel**: `ssh -N -L 18789:127.0.0.1:18789 user@host` then open `http://127.0.0.1:18789/` and paste the token in Control UI settings.
See [Dashboard](/web/dashboard) and [Web surfaces](/web) for bind modes and auth details.

2
docs/platforms/mac/remote.md
View File

@@ -57,7 +57,7 @@ Remote mode supports two transports:
- Prefer loopback binds on the remote host and connect via SSH or Tailscale.
- SSH tunneling uses strict host-key checking; trust the host key first so it exists in `~/.ssh/known_hosts`.
- If you bind the Gateway to a non-loopback interface, require token/password auth.
- If you bind the Gateway to a non-loopback interface, require valid Gateway auth: token, password, or an identity-aware reverse proxy with `gateway.auth.mode: "trusted-proxy"`.
- See [Security](/gateway/security) and [Tailscale](/gateway/tailscale).
## WhatsApp login flow (remote)