Self-Hosting OpenClaw Behind HomeGate: Secure Access to Your AI Agent
How to expose your self-hosted OpenClaw instance to the internet with automatic SSL, IP allowlisting, and zero port forwarding using HomeGate.
OpenClaw has become one of the most talked-about open-source projects of the year, crossing 250k stars on GitHub faster than any project before it. If you’re not familiar: it’s a self-hosted AI agent that connects to WhatsApp, Telegram, Discord, and more. It can control smart home devices, manage your email, answer questions using your own documents, and do a lot of the things you’d normally need half a dozen SaaS products for.
The key selling point is that everything runs on your hardware. Your conversations, your data, your API keys. Nothing leaves your network unless you tell it to.
But there’s a catch. If you want to access OpenClaw from outside your home network (say, from your phone while you’re out, or from a webhook integration), you need to expose it to the internet. And that’s where things get complicated.
The exposure problem
Running OpenClaw at home is easy. Docker Compose, a few environment variables, and you’re up. The web interface runs on port 3080 by default, and you can reach it from any device on your local network.
The trouble starts when you try to make it reachable from the outside. The traditional approach looks like this:
- Get a static IP or configure dynamic DNS
- Forward port 3080 on your router
- Set up a reverse proxy (nginx, Caddy, Traefik)
- Get an SSL certificate with Let’s Encrypt
- Configure a firewall to lock things down
- Hope your ISP doesn’t use CGNAT
That last point is a dealbreaker for a lot of people. If your ISP uses CGNAT (Carrier-Grade NAT), port forwarding simply doesn’t work. Your router doesn’t have a real public IP, and no amount of configuration will change that.
Even without CGNAT, this setup exposes your home IP address to anyone who looks up your domain. For a service that handles your private conversations and smart home controls, that’s not ideal.
How HomeGate solves this
HomeGate sits between the internet and your home server. Traffic comes in through our infrastructure, gets routed through a secure Tailscale tunnel to your machine, and your home IP never appears in DNS records or HTTP headers.
Here’s what you get:
- Automatic HTTPS. SSL certificates are provisioned and renewed without any configuration.
- Hidden IP. Your home address stays private. Visitors see HomeGate’s IP, not yours.
- Works behind CGNAT. No port forwarding, no static IP required.
- IP allowlisting. Restrict who can access your OpenClaw instance by IP address or CIDR range.
- Custom domains. Use openclaw.yourdomain.com or a free *.homegate.sh subdomain.
Step by step: expose OpenClaw with HomeGate
1. Make sure OpenClaw is running
If you haven’t set up OpenClaw yet, the official docs walk you through it. The Docker Compose setup is the simplest path. Once it’s running, verify you can access the web UI at http://localhost:3080 from the same machine.
2. Install Tailscale
HomeGate connects to your server through Tailscale. Install it on the machine running OpenClaw:
Linux:
curl -fsSL https://tailscale.com/install.sh | sh
tailscale up
macOS/Windows: Download from tailscale.com/download and follow the setup wizard.
3. Create a HomeGate account
Sign up at homegate.sh. Any plan works for HTTP services.
4. Add OpenClaw as a service
From the HomeGate dashboard, create a new service:
- Name: something like “openclaw”
- Tailscale auth key: the key HomeGate provides for connecting your server
- Target: your Tailscale IP and OpenClaw’s port (e.g., 100.x.x.x:3080)
HomeGate provisions a subdomain (e.g., openclaw.homegate.sh) with HTTPS automatically.
5. Lock it down with IP allowlisting
OpenClaw has its own authentication, but adding a network-level restriction is a smart extra layer. In the HomeGate dashboard, go to your service’s protection settings and add your known IP addresses or CIDR ranges.
Anyone not on the allowlist gets blocked before the request even reaches your server.
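An added example (not HomeGate's or OpenClaw's code): a pre-flight check for the entries you plan to paste into the allowlist. It flags typos, CIDR ranges with host bits set, LAN or Tailscale addresses that a public proxy will never see as a source, and ranges broad enough to defeat the purpose. The prefix thresholds and the sample entries are assumptions constructed for illustration.

```python
import ipaddress

# Ranges that never appear as the source of internet traffic at a public proxy.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 LAN ranges
    "100.64.0.0/10",            # CGNAT space, also where Tailscale 100.x IPs live
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]
MIN_PREFIX = {4: 16, 6: 32}     # assumed review thresholds, not HomeGate limits

# Constructed sample entries (documentation ranges), not real addresses.
SAMPLE = ["198.51.100.23", "203.0.113.7/24", "100.101.102.103",
          "192.168.1.0/24", "0.0.0.0/0", "home-office"]


def audit_allowlist(entries):
    """Parse IP/CIDR strings; return (networks, [(entry, problem), ...])."""
    networks, findings = [], []
    for raw in entries:
        try:
            iface = ipaddress.ip_interface(raw.strip())
        except ValueError:
            findings.append((raw, "not a valid IP address or CIDR range"))
            continue
        net = iface.network
        if iface.ip != net.network_address:
            findings.append((raw, f"host bits set, range is really {net}"))
        if any(p.version == net.version and net.subnet_of(p) for p in NON_PUBLIC):
            findings.append((raw, "non-public range, will never match a visitor"))
        elif net.prefixlen < MIN_PREFIX[net.version]:
            findings.append((raw, f"/{net.prefixlen} admits {net.num_addresses} addresses"))
        networks.append(net)
    return networks, findings


def is_allowed(client_ip, networks):
    """True if the client's public IP falls inside any allowlisted network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    nets, problems = audit_allowlist(SAMPLE)
    for entry, problem in problems:
        print(f"{entry}: {problem}")
    print("203.0.113.200 allowed:", is_allowed("203.0.113.200", nets))
```

Run it against your real list before saving the protection settings, and test `is_allowed` with the public IP your phone or office actually egresses from, not the address shown on the device itself.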
6. (Optional) Add a custom domain
If you want something like ai.yourdomain.com, add a CNAME record pointing to your HomeGate subdomain:
ai.yourdomain.com CNAME openclaw.homegate.sh
SSL is provisioned automatically once the DNS record propagates. Usually takes less than a minute.
Webhook integrations
One of the reasons you’d want OpenClaw accessible from the internet is webhook support. WhatsApp, Telegram, and Discord integrations typically require a publicly reachable URL for callbacks.
With HomeGate, your OpenClaw instance has a stable HTTPS endpoint that these services can send events to. No dynamic DNS headaches, no worrying about your IP changing overnight.
Security considerations
OpenClaw handles sensitive data: your conversations, smart home credentials, API keys for various services. A few things to keep in mind:
- Use IP allowlisting. Even though OpenClaw has its own login, restricting access at the network level means only traffic from your known IPs reaches the application.
- Use header authentication. HomeGate supports requiring a custom header (e.g., X-Auth-Token: your-secret) for every request. This is useful if you want an extra gate before OpenClaw’s own auth.
- Keep OpenClaw updated. The project moves fast. Security patches ship frequently. Pull the latest Docker image regularly.
- Use strong credentials. This one’s obvious, but worth repeating. Use a unique, strong password for your OpenClaw admin account and enable 2FA if the project supports it.
Wrapping up
Self-hosting OpenClaw gives you full control over an incredibly capable AI agent. Making it accessible from outside your home network doesn’t have to mean compromising on security or fighting your ISP’s network setup.
HomeGate handles the proxy layer, SSL, and IP protection so you can focus on actually using the thing. The whole setup takes about 5 minutes.
Create a HomeGate account and try it out.