Startup Confidential
AI AgentsOpenClawDockerTailscaleSecuritySelf-Hosting

Don't Expose Your AI Agent: Secure Local Setup Guide (OpenClaw)

Most people are setting up AI agents dangerously wrong. Here's a practical, secure way to run OpenClaw locally using Docker and Tailscale without exposing yourself.

Dexter Krishnan··8 min read
Share:

The one thing you need to remember: never expose your AI agent directly to the public internet.

Here's what most people do when they set up an AI agent for the first time.

They spin it up. They give it access to everything because they're not sure what it needs. They open a port because closing it feels annoying. They tell themselves they'll lock it down later. Then they forget.

Almost everyone does this. The problem is that "later" doesn't show up as a calendar reminder. It shows up as something weird in the logs.

This is the setup I actually use — Docker, Tailscale, a .env file for secrets, and about 20 minutes of your time.

Why you should care#

Normal software screws up and crashes. An AI agent with broad permissions screws up and acts — on files, on APIs, on whatever it can reach.

Think about it this way. If someone could send instructions to your agent from anywhere on the internet, what could they get it to do? Read your files? Run commands? Call your APIs with your keys?

That's not hypothetical. That's the default configuration most people ship.

The risk isn't that the AI goes rogue. The risk is that you've handed a very capable tool to whoever can reach it.

The architecture (it's simple)#

[ Your Laptop ]
      |
      | (localhost only)
      v
[ Docker Container (OpenClaw) ]
      |
      | (Tailscale private network)
      v
[ Your Devices (Laptop / Phone / VPS) ]
 
NO public internet exposure

The agent runs in a container. The container only listens on localhost. Tailscale lets you reach it from your other devices without exposing anything to the internet.

That's the whole thing. Everything else in this post is just making that work.

What we're using and why#

Docker is the isolation layer. Instead of running OpenClaw directly on your machine with access to everything, it runs in a container with its own filesystem and network. If something goes sideways, the damage stays inside the box.

Tailscale is a private VPN built on WireGuard. It connects all your devices — phone, laptop, VPS — into a private network without port forwarding or public exposure. Once two devices are on the same Tailnet, they can reach each other. Nothing else can.

OpenRouter is a unified API that sits in front of every major model provider — Anthropic, OpenAI, Google, Mistral, and more. Instead of managing separate API keys for each provider, you get one key and one endpoint. The real benefit is model switching: if you want to try a different model, you change a string in your config instead of swapping credentials and rewriting API calls. Worth using from day one if you think you'll ever want to experiment with different models.

tmux keeps terminal sessions alive when you close your window or disconnect from a remote machine. Nice-to-have for local dev, genuinely useful when you're SSHing into a box and don't want things dying on you.

Homebrew is a package manager for Mac. You probably already have it. If not, get it now.

Step 1: Install Homebrew (Mac)#

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
brew --version

Linux users: use apt, dnf, or whatever your distro ships with.

Step 2: Install Docker#

Docker is what keeps the agent isolated from your machine. This step matters.

Mac:

brew install --cask docker

Ubuntu:

sudo apt update
sudo apt install docker.io docker-compose-plugin -y

Verify it worked:

docker --version
docker compose version

Step 3: Run OpenClaw#

Clone the repo and use OpenClaw's official setup script. Pass OPENCLAW_IMAGE to skip the local build and pull the pre-built image from GitHub's container registry instead:

git clone https://github.com/openclaw/openclaw.git
cd openclaw
export OPENCLAW_GATEWAY_BIND=loopback
export OPENCLAW_IMAGE="ghcr.io/openclaw/openclaw:latest"
./scripts/docker/setup.sh

OPENCLAW_GATEWAY_BIND=loopback is the important part here. The default is lan, which binds the gateway to your local network IP. loopback locks it to 127.0.0.1 — localhost only. We use Tailscale for everything else.

The setup script handles building or pulling the image, generating a gateway token, and starting everything via Docker Compose.

To start or stop after initial setup:

docker compose up -d openclaw-gateway
docker compose down

Watch the logs:

docker compose logs -f openclaw-gateway

Step 4: First-time configuration#

The setup script runs onboarding automatically. If you need to run it manually (or re-configure):

docker compose run --rm openclaw-cli onboard

It'll ask you three things:

  1. Which AI provider you want to use (Anthropic, OpenAI, Google, or OpenRouter)
  2. Your API key for that provider
  3. Gateway configuration (mostly handled automatically)

If you're not sure which provider to pick, go with OpenRouter. You get access to all the major models through a single key, and switching between them later is a one-line config change instead of a full reconfiguration.

Once that's done, get the dashboard link:

docker compose run --rm openclaw-cli dashboard --no-open

Open http://127.0.0.1:18789 in your browser, paste in the gateway token when it asks, and you're in. The dashboard is where you manage the agent, review what it's been doing, and change settings without touching config files.

To check everything's healthy:

curl -fsS http://127.0.0.1:18789/healthz

Something acting weird? Run the doctor:

docker compose run --rm openclaw-cli doctor

Config lives at ~/.openclaw/openclaw.json inside the container. You generally don't need to edit it by hand — the dashboard handles most things — but if you do, changes apply live.

Step 5: Install Tailscale#

This is how you access the agent from your phone or other machines without opening anything to the internet.

Mac:

brew install --cask tailscale

Linux:

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

After installing, sign in and add your other devices to the same Tailnet. They'll be able to reach the agent's dashboard at the localhost address through the Tailscale tunnel. Everything else is blocked.

Do not expose ports publicly. Tailscale exists precisely so you don't have to.

Step 6: Install tmux (optional but worth it)#

brew install tmux
tmux new -s openclaw

Detach from the session without killing it:

Ctrl + B, then D

Step 7: systemd for production (optional)#

Running this on a remote machine and want it to survive reboots?

[Unit]
Description=OpenClaw Gateway
After=network.target docker.service
Requires=docker.service
 
[Service]
WorkingDirectory=/path/to/openclaw
ExecStart=/usr/bin/docker compose up openclaw-gateway
Restart=on-failure
 
[Install]
WantedBy=multi-user.target

A few things that are easy to get wrong#

Don't mount your entire filesystem. The agent doesn't need it, and if something goes wrong you'll wish the scope had been smaller. Give it exactly the directory it needs and nothing else.

Don't use lan bind mode if you can avoid it. loopback plus Tailscale is the right combo here.

API keys go in .env. Never baked into the image, never in the repo.

What I actually use this for#

Mostly boring stuff: formatting passes, file cleanup, summarizing build output. Remote access to check on a task from my phone without pulling out a laptop. Tasks that are annoying enough that I won't do them consistently, but simple enough that an agent handles them without supervision.

But occasionally it gets weird in a good way.

I built a Discord bot with a specific personality — set up to hang out with my son while he's on Roblox and trade jokes back and forth. No real technical goal. Just a vibe and a sense of humor and a place in the server. He loves it.

I also set up a small team of agents to riff on side project ideas. They push back, suggest angles I wouldn't think of, and don't just tell me my idea is great. One session turned into a full design doc for a multiplayer sketch game — think Draw Something, but more chaotic. I kicked that one off via voice note while walking through Costco buying stuff for a Super Bowl party. By the time I got home there was a doc waiting.

That stuff is real. But it's not where agents earn their keep day to day. The boring stuff is.

Quick checklist#

  1. Install Docker
  2. Clone the OpenClaw repo
  3. Run setup with OPENCLAW_GATEWAY_BIND=loopback
  4. Complete onboarding, get the dashboard running
  5. Install Tailscale, add your devices
  6. Keep everything private

Honestly, you might not need this#

Most people don't need this level of control. If you just want to try an AI agent, something like Zo Computer is faster to get running and handles the security model for you.

Next post: Zo Computer vs Self-Hosted AI Agents

Before you run anything#

The specific tools here will change. Better container runtimes, better VPN options, better agent frameworks — it all moves fast.

But before you run any agent, ask yourself two questions: what can it access, and who can reach it?

If the answers are "a lot" and "anyone," you're not ready yet.

Was this helpful?