Cloudflare Tunnel Setup
Secure remote access using Cloudflare's free tunnel service
What is Cloudflare Tunnel?
Cloudflare Tunnel (formerly Argo Tunnel) creates an encrypted connection from your machine to Cloudflare's edge network. You can access your OpenClaw from anywhere without opening ports on your router. It's free and doesn't require a domain name for basic use.
Cloudflare Tunnel vs Tailscale
Cloudflare Tunnel
- Access via any browser (public URL)
- No client app needed on phone
- Can add Cloudflare Access for auth
- Good for: Web access, sharing with others
- Free tier available
Tailscale
- Private mesh network (no public URL)
- Requires Tailscale app on all devices
- Built-in authentication
- Good for: Personal use, max security
- Free for 100 devices
Install cloudflared
Download and install the Cloudflare Tunnel client:
```bash
# macOS (Homebrew)
brew install cloudflared

# Linux (Debian/Ubuntu): add Cloudflare's signing key and apt repository
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
echo "deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflared.list
sudo apt update && sudo apt install cloudflared

# Raspberry Pi (64-bit OS; this is the arm64 package)
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64.deb
sudo dpkg -i cloudflared-linux-arm64.deb

# Windows
winget install Cloudflare.cloudflared
```
Quick Start (No Account Needed)
For testing, you can create a temporary tunnel instantly:
```bash
# Start OpenClaw on localhost:3000 first, then:
cloudflared tunnel --url http://localhost:3000

# Output:
# Your quick Tunnel has been created! Visit it at:
# https://random-words-here.trycloudflare.com
```
This gives you a temporary public URL. It changes every time you restart, so it's only good for testing.
Create a Permanent Tunnel (Recommended)
For a stable URL, create a Cloudflare account and set up a named tunnel:
```bash
# Login to Cloudflare (opens browser)
cloudflared tunnel login

# Create a named tunnel
cloudflared tunnel create openclaw

# This creates a credentials file at:
# ~/.cloudflared/<TUNNEL_ID>.json
```
Configure the Tunnel
Create a config file to define where traffic should go:
```yaml
# Create ~/.cloudflared/config.yml
tunnel: <YOUR_TUNNEL_ID>
credentials-file: /home/you/.cloudflared/<TUNNEL_ID>.json

ingress:
  - hostname: openclaw.yourdomain.com
    service: http://localhost:3000
  - service: http_status:404
```
Replace <YOUR_TUNNEL_ID> with the ID from step 3, and use your own domain or subdomain.
Route DNS (If Using Custom Domain)
Point your domain to the tunnel:
```bash
# Add DNS route
cloudflared tunnel route dns openclaw openclaw.yourdomain.com

# This creates a CNAME record in Cloudflare DNS
```
Your domain must be on Cloudflare DNS for this to work. If you don't have a domain, use the quick tunnel from step 2.
Run the Tunnel
```bash
# Start the tunnel
cloudflared tunnel run openclaw

# Or run with config file explicitly
cloudflared tunnel --config ~/.cloudflared/config.yml run
```
Run as a Service (24/7)
Install as a system service so it starts automatically:
```bash
# macOS
sudo cloudflared service install
sudo launchctl start com.cloudflare.cloudflared

# Linux (systemd)
sudo cloudflared service install
sudo systemctl enable cloudflared
sudo systemctl start cloudflared

# Check status
sudo systemctl status cloudflared
```
⚠️ Add Authentication!
A Cloudflare Tunnel makes your OpenClaw accessible from the public internet. Without authentication, anyone with the URL can access it. Use Cloudflare Access (free tier available) to add login protection, or ensure OpenClaw's own authentication is properly configured.
Adding Cloudflare Access (Optional but Recommended)
Cloudflare Access adds a login page before anyone can reach your tunnel:
Set Up Access Policy
- Go to Cloudflare Zero Trust Dashboard
- Navigate to Access → Applications → Add an application
- Choose "Self-hosted"
- Enter your tunnel hostname (e.g., openclaw.yourdomain.com)
- Add a policy: Allow emails ending in @youremail.com
- Save; visitors must now authenticate via email OTP or SSO
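After saving the policy, confirm from outside that unauthenticated requests actually stop at the login page, on every path you care about. The script below is an added example, not part of the original guide; it assumes that Access redirects unauthenticated requests to a login URL under cloudflareaccess.com, and the function names and the FETCH override are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): confirm that a tunnel hostname
# is gated by Cloudflare Access before relying on it.
# Assumption: an unauthenticated request to an Access-protected app is
# redirected to a login URL on <team>.cloudflareaccess.com.

# classify_response CODE LOCATION -> protected | exposed | blocked | unreachable | review
classify_response() {
  local code=$1 location=$2 host
  # Host part of the redirect target, lower-cased (unchanged if not a full URL).
  host=$(printf '%s' "$location" | sed -E 's#^[A-Za-z]+://([^/:?]+).*#\1#' | tr 'A-Z' 'a-z')
  case "$code" in
    30[1278])
      case "$host" in
        *.cloudflareaccess.com) echo protected ;;
        *) echo review ;;            # redirect, but not to an Access login
      esac ;;
    2??) echo exposed ;;             # content served with no login at all
    401|403) echo blocked ;;         # denied; confirm which layer refused it
    000|502|530) echo unreachable ;; # no response, or tunnel/origin is down
    *) echo review ;;
  esac
}

# fetch_status URL -> "CODE REDIRECT_URL" for one request sent with no cookies
# and without following redirects.
fetch_status() {
  curl -s -o /dev/null --max-time 10 -w '%{http_code} %{redirect_url}' "$1" || true
}

# audit_host BASE_URL [PATH...]: returns non-zero if any path is not "protected".
# FETCH may name a replacement for fetch_status (e.g. a stub with constructed data).
audit_host() {
  local base=$1 rc=0 path out verdict
  shift
  [ $# -gt 0 ] || set -- /
  for path in "$@"; do
    out=$("${FETCH:-fetch_status}" "$base$path")
    verdict=$(classify_response "${out%% *}" "${out#* }")
    echo "$base$path: $verdict"
    [ "$verdict" = protected ] || rc=1
  done
  return "$rc"
}

# Usage: audit_host https://openclaw.yourdomain.com / /health
```

An `exposed` verdict on any path means content is being served without a login, for example when the Access application was scoped to a path rather than the whole hostname.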
Troubleshooting
Tunnel won't connect?
```bash
# Check tunnel status
cloudflared tunnel info openclaw

# Check if OpenClaw is running locally
curl http://localhost:3000/health

# Run tunnel with debug logging
cloudflared tunnel --loglevel debug run openclaw
```
502 Bad Gateway?
This usually means cloudflared can reach Cloudflare, but can't connect to your local service. Check:
- Is OpenClaw running on the correct port?
- Is it bound to localhost (127.0.0.1) or 0.0.0.0?
- Does the service URL in your config.yml match?
Related Guides
- Security Checklist: Full security hardening
- Tailscale Setup: Alternative: private mesh VPN
- Cloudflare Tunnel Docs: Official documentation