Tailscale (Gateway dashboard)
Clawdbot can auto-configure Tailscale Serve (tailnet) or Funnel (public) for the Gateway dashboard and WebSocket port. This keeps the Gateway bound to loopback while Tailscale provides HTTPS, routing, and (for Serve) identity headers.Modes
serve: Tailnet-only Serve viatailscale serve. The gateway stays on127.0.0.1.funnel: Public HTTPS viatailscale funnel. Clawdbot requires a shared password.off: Default (no Tailscale automation).
Auth
Setgateway.auth.mode to control the handshake:
token(default whenCLAWDBOT_GATEWAY_TOKENis set)password(shared secret viaCLAWDBOT_GATEWAY_PASSWORDor config)
tailscale.mode = "serve", the gateway trusts Tailscale identity headers by
default unless you force gateway.auth.mode to password or set
gateway.auth.allowTailscale: false.
Config examples
Tailnet-only (Serve)
https://<magicdns>/ (or your configured gateway.controlUi.basePath)
Public internet (Funnel + shared password)
CLAWDBOT_GATEWAY_PASSWORD over committing a password to disk.
CLI examples
Notes
- Tailscale Serve/Funnel requires the
tailscaleCLI to be installed and logged in. tailscale.mode: "funnel"refuses to start unless auth mode ispasswordto avoid public exposure.- Set
gateway.tailscale.resetOnExitif you want Clawdbot to undotailscale serveortailscale funnelconfiguration on shutdown.
Tailscale prerequisites + limits
- Serve requires HTTPS enabled for your tailnet; the CLI prompts if it is missing.
- Serve injects Tailscale identity headers; Funnel does not.
- Funnel requires Tailscale v1.38.3+, MagicDNS, HTTPS enabled, and a funnel node attribute.
- Funnel only supports ports
443,8443, and10000over TLS. - Funnel on macOS requires the open-source Tailscale app variant.
Learn more
- Tailscale Serve overview: https://tailscale.com/kb/1312/serve
tailscale servecommand: https://tailscale.com/kb/1242/tailscale-serve- Tailscale Funnel overview: https://tailscale.com/kb/1223/tailscale-funnel
tailscale funnelcommand: https://tailscale.com/kb/1311/tailscale-funnel