How to Secure OpenCLAW on a VPS with Gateway Configuration
I nearly fell off my chair when I saw this on Reddit. Someone discovered that their OpenCLAW agent was completely exposed to the internet - and they had email and calendar integrations enabled.
Let me check my own setup immediately.
The Wake-Up Call
I ran the diagnostic command on my VPS:
openclaw config get | grep hostOutput:
host: 0.0.0.0My heart sank. 0.0.0.0 means my OpenCLAW gateway was listening on all network interfaces. Anyone who knew my VPS IP address could potentially send messages to my agent.
Let me verify what that actually means:
sudo netstat -tulpn | grep 18789Output:
tcp 0 0 0.0.0.0:18789 0.0.0.0:* LISTEN 12345/openclawThat 0.0.0.0:18789 confirms it - my agent endpoint was accessible from the entire internet. No authentication barrier. No firewall rule blocking it. Just… open.
Why This Is Dangerous
OpenCLAW isn’t just a chatbot. It’s an agent with tool access:
- Email - Read and send messages
- Calendar - View and modify appointments
- File systems - Access documents and data
- Custom integrations - Whatever you’ve connected
A stranger messaging my agent could have asked it to read my emails, check my calendar, or worse. The Reddit poster was right - this is a critical security issue.
The Fix: Bind Gateway to Localhost
I needed to restrict OpenCLAW to only accept connections from localhost. Here’s how I did it.
Step 1: Check Current Configuration
First, I backed up my config:
cp ~/.config/openclaw/config.json ~/.config/openclaw/config.json.backupThen I checked the full gateway configuration:
openclaw config get gatewayOutput:
{ "host": "0.0.0.0", "port": 18789}Confirmed. The host was set to 0.0.0.0, which means “listen on all interfaces.”
Step 2: Set Host to Localhost
I changed the host binding:
openclaw config set gateway.host 127.0.0.1Step 3: Verify the Change
openclaw config get | grep hostOutput:
host: 127.0.0.1Good. But I needed to restart OpenCLAW for the change to take effect:
sudo systemctl restart openclawStep 4: Confirm Localhost Binding
Let me verify the gateway is now bound correctly:
sudo netstat -tulpn | grep 18789Output:
tcp 0 0 127.0.0.1:18789 0.0.0.0:* LISTEN 12345/openclawNow it shows 127.0.0.1:18789 - only accepting connections from localhost. Much better.
Here’s the difference:
BEFORE (INSECURE): AFTER (SECURE):0.0.0.0:18789 127.0.0.1:18789 | | v vInternet ----> Agent Localhost onlyAnyone can access Requires SSH tunnelAccess via SSH Tunnel
Now that OpenCLAW only listens on localhost, I can’t access it directly from my laptop. That’s the point. But I still need to use it.
The solution is SSH tunneling. This creates an encrypted tunnel from my local machine to the VPS, forwarding traffic to the OpenCLAW gateway.
Basic SSH Tunnel
From my laptop:
ssh -L 18789:localhost:18789 user@my-vps-ipThis command:
- Creates a tunnel from local port 18789
- To the VPS’s localhost:18789
- All traffic is encrypted via SSH
Now I can access OpenCLAW at http://localhost:18789 on my laptop, which is actually tunneled to the VPS.
Background Tunnel (Persistent)
For a tunnel that runs in the background:
ssh -fN -L 18789:localhost:18789 user@my-vps-ipThe flags:
-f- Run in background-N- Don’t execute remote command (just forwarding)-L- Local port forwarding
SSH Config for Convenience
I added this to my ~/.ssh/config file:
Host openclaw HostName my-vps-ip User my-username LocalForward 18789 localhost:18789 ServerAliveInterval 60 ServerAliveCountMax 3Now I just run:
ssh openclawAnd the tunnel is established automatically. The ServerAliveInterval keeps the connection alive and ServerAliveCountMax allows for brief network hiccups.
Test the Tunnel
Let me verify everything works:
curl http://localhost:18789Expected output (varies by OpenCLAW setup):
{ "status": "ok", "message": "OpenCLAW gateway running"}If I get “connection refused,” the tunnel isn’t active or OpenCLAW isn’t running.
Additional Security: Firewall
Even with localhost binding, I added a firewall rule as an extra layer of defense:
# Allow SSH (critical - don't lock yourself out!)sudo ufw allow ssh
# Explicitly deny external access to OpenCLAW portsudo ufw deny 18789
# Enable firewallsudo ufw enable
# Check statussudo ufw statusOutput:
Status: active
To Action From-- ------ ----22/tcp ALLOW Anywhere18789 DENY AnywhereThis ensures that even if I accidentally change the gateway host back to 0.0.0.0, the firewall will block external access.
Quick Checklist
If you’re running OpenCLAW on a VPS, run through this checklist:
- Check exposure:
openclaw config get | grep host - Fix if needed:
openclaw config set gateway.host 127.0.0.1 - Restart:
sudo systemctl restart openclaw - Verify binding:
sudo netstat -tulpn | grep 18789 - Set up tunnel: Add SSH config or use
-Lflag - Test access:
curl http://localhost:18789
Why This Matters
The OpenCLAW agent is powerful. It’s designed to have access to your digital life - email, calendar, files, and more. That power becomes a liability if unauthorized users can interact with it.
Network-level security (localhost binding + SSH tunneling) provides defense-in-depth:
- No authentication bypass - Even if the agent has no auth, the network blocks access
- Encryption in transit - SSH tunnel encrypts all traffic
- Single entry point - Only SSH port needs to be exposed
- Audit trail - SSH logs show who connected and when
Don’t rely on “nobody knows my IP” as a security measure. Port scanners find exposed services in minutes.
Final Words + More Resources
My intention with this article was to help others share my knowledge and experience. If you want to contact me, you can contact by email: Email me
Here are also the most important links from this article along with some further resources that will help you in this scope:
Oh, and if you found these resources useful, don’t forget to support me by starring the repo on GitHub!
Comments