🦀 ClawHub
OpenClaw Cloudflare Secure
by @jskoiz
Securely expose an OpenClaw Gateway WebUI on a VPS via Cloudflare Zero Trust Access + Cloudflare Tunnel (cloudflared), including DNS cutover for custom hostnames and optional cleanup of Tailscale Serve.
TERMINAL
clawhub install openclaw-cloudflare-secure📖 About This Skill
name: openclaw-cloudflare-secure description: Securely expose an OpenClaw Gateway WebUI on a VPS via Cloudflare Zero Trust Access + Cloudflare Tunnel (cloudflared), including DNS cutover for custom hostnames and optional cleanup of Tailscale Serve.
OpenClaw WebUI: Cloudflare Access + Tunnel (VPS)
Use this when you want an easy public URL (e.g. openclaw.example.com) that is NOT directly exposed, protected by Cloudflare Access allowlist, and delivered via Cloudflare Tunnel to a local service (commonly http://127.0.0.1:18789).
Assumptions
http://127.0.0.1:18789 (or your chosen local port).example.com).CLOUDFLARE_API_TOKEN.Quick start (copy/paste)
0) Optional: disable Tailscale Serve
If you used Tailscale Serve earlier and want to remove it:
sudo tailscale serve reset
1) Install and start cloudflared tunnel service (token-based)
In Cloudflare Zero Trust:
cloudflared service install On the VPS:
./scripts/install_cloudflared.sh
sudo ./scripts/tunnel_service_install.sh ''
Verify:
sudo systemctl is-active cloudflared
sudo systemctl status cloudflared --no-pager -l | sed -n '1,80p'
2) DNS cutover: point hostname to the tunnel
This uses the bundled DNS helper (./scripts/cf_dns.py). It will:
.cfargotunnel.com Prereq:
export CLOUDFLARE_API_TOKEN='...'
2b) (Optional) Create/update a subdomain / DNS record (agent-friendly)
Use this when you want the agent (with least-privilege DNS token) to create records programmatically:
./scripts/dns_create_record.sh --zone example.com --type A --name openclaw --content 1.2.3.4 --proxied true
./scripts/dns_create_record.sh --zone example.com --type CNAME --name openclaw --content target.example.net --proxied true
./scripts/dns_point_hostname_to_tunnel.sh \
--zone example.com \
--hostname openclaw.example.com \
--tunnel-uuid
3) In Cloudflare Zero Trust UI: bind hostname → service
In the tunnel:
openclaw.example.com
- Service: http://127.0.0.1:187894) Cloudflare Access policy
In Zero Trust:
openclaw.example.com
Notes / gotchas
Rollback
sudo systemctl disable --now cloudflared.