Understanding OpenClaw Gateway Port 18789

Why OpenClaw uses port 18789, why you should never expose it publicly without authentication, and how to access it safely.

Difficulty: intermediate
Duration: 15 minutes
Tested On: N/A
Access Mode: Localhost only
Status readiness check: Pre-Flight Approved
Risk rating: high
Gateway status: Private

High-risk guide: Exposing port 18789 publicly gives the internet full access to your OpenClaw Gateway and integrations. Keep it private.

Who this is for

This guide is for anyone who just installed OpenClaw and wants to view the web dashboard. Many tutorials suggest running ufw allow 18789 or changing the host to 0.0.0.0. Both are highly discouraged, because either one can make the Gateway reachable from outside your machine.

Prerequisites

  • A running OpenClaw Gateway instance.
  • An active local or remote terminal session.

The Risk of Port 18789

By default, the OpenClaw Gateway runs on localhost:18789. The Gateway acts as the central hub for all your connected tools, channels (like WhatsApp/Telegram), and AI models.

If you bind the Gateway to 0.0.0.0 and open your firewall, anyone who guesses your server’s IP address can open your dashboard, read your logs, and potentially execute commands through your connected integrations.

How to access the dashboard safely

Instead of opening the port to the world, use a private network tunnel to securely forward the port to your local machine.

Method 1: SSH port forwarding

If you are on Mac, Linux, or Windows (using PowerShell/WSL), you can securely forward the port over SSH.

bash
ssh -L 18789:localhost:18789 clawuser@your_server_ip

Once connected, open your browser and go to http://localhost:18789. The traffic travels inside the encrypted SSH connection, and port 18789 stays closed to the internet.

Method 2: Tailscale / Private VPN

If you need persistent access, install Tailscale on both your VPS and your local machine. This creates a secure, private network between them.

  1. Install Tailscale and authenticate.
  2. Find your VPS’s Tailscale IP (e.g., 100.x.y.z).
  3. Start the Gateway bound only to the Tailscale IP:
    bash
    openclaw start --host 100.x.y.z

Expected Output vs Bad Output

When checking your listening ports (sudo ss -tulpn | grep 18789):

Good Output (Safe):

tcp   LISTEN   0   511   127.0.0.1:18789   0.0.0.0:*

Bad Output (Exposed):

tcp   LISTEN   0   511   0.0.0.0:18789     0.0.0.0:*
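
The check above can be scripted. This is an added example, not code from the original guide or from the OpenClaw project: it reads ss -tulpn output and labels each listener on port 18789 as loopback, tailscale-range (the Method 2 binding) or exposed. The function names and sample lines are constructed for illustration, and it assumes Tailscale addresses fall in 100.64.0.0/10.

```bash
PORT=18789

# classify_bind ADDR: ADDR is the local address without the port.
# Prints loopback, tailscale-range, or exposed.
classify_bind() {
  case "$1" in
    127.*|"[::1]") echo loopback ;;
    0.0.0.0|"[::]"|"*") echo exposed ;;      # bound to every interface
    100.*)
      # Assumption: 100.64.0.0/10 (second octet 64-127) is the Tailscale
      # interface; the same range is used for carrier-grade NAT elsewhere.
      second=${1#100.}; second=${second%%.*}
      case "$second" in ''|*[!0-9]*) echo exposed; return ;; esac
      if [ "$second" -ge 64 ] && [ "$second" -le 127 ]; then
        echo tailscale-range
      else
        echo exposed
      fi ;;
    *) echo exposed ;;                        # any other interface address
  esac
}

# audit_listeners: reads `ss -tulpn` lines on stdin, prints "<verdict> <addr>"
# for each TCP listener on $PORT, and returns 1 if any of them is exposed.
audit_listeners() {
  rc=0
  while read -r _netid state _recvq _sendq laddr _rest; do
    [ "$state" = "LISTEN" ] || continue
    [ "${laddr##*:}" = "$PORT" ] || continue
    verdict=$(classify_bind "${laddr%:*}")
    echo "$verdict $laddr"
    if [ "$verdict" = "exposed" ]; then rc=1; fi
  done
  return "$rc"
}

# Constructed sample input (not captured from a real host).
sample_ss() {
  cat <<'EOF'
tcp   LISTEN   0   511   127.0.0.1:18789         0.0.0.0:*
tcp   LISTEN   0   511   100.101.102.103:18789   0.0.0.0:*
tcp   LISTEN   0   511   0.0.0.0:18789           0.0.0.0:*
tcp   LISTEN   0   128   0.0.0.0:22              0.0.0.0:*
EOF
}

# On a real host: sudo ss -tulpn | audit_listeners
sample_ss | audit_listeners || echo "port $PORT is reachable beyond localhost"
```

A non-zero exit status from audit_listeners means at least one listener is bound beyond loopback and the Tailscale range, so it can be used as a gate in a deployment or monitoring script.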

Rollback / Undo

If you accidentally exposed port 18789 using UFW, you can revert it and stop the gateway:

bash
sudo ufw delete allow 18789
openclaw stop

If you started a tunnel and want to close it, simply type exit in the terminal running the SSH tunnel or press Ctrl+C.

When to ask for help

If you suspect your Gateway has been exposed, immediately run openclaw stop and review your provider’s firewall settings. If you need help auditing your architecture to ensure your dashboard and API keys are safe, request a Config Review. We will check your exposure without ever asking for your keys.

ClawReady.in is an independent educational resource and setup service. It is not affiliated with, endorsed by, or operated by OpenClaw.