Intermediate
macOS / Linux / Windows (WSL2) / Docker / VPS / Self-hosted
Estimated time: 18 min

OpenClaw Remote Dashboard Access Playbook: SSH Tunnel, Tailnet, or Reverse Proxy

A practical, step-by-step playbook for using the OpenClaw Control UI from another device (laptop/phone) without token mismatch, pairing loops (1008), or brittle public exposure. Pick one access pattern and make it stable.

Implementation Steps

SSH tunnel first for debugging, then either tailnet HTTPS or a reverse proxy for daily use. Avoid random IP:port access patterns.

Remote dashboard access is where OpenClaw stops feeling like “a web page on a port” and starts behaving like what it is: an authenticated control plane with device identity.

This playbook is intentionally boring: pick one access pattern and make it stable.

If you want the longer, deeper map of auth + pairing, read:

If your remote path is part of a broader self-hosted deployment decision, also keep /guides/openclaw-deployment-troubleshooting and /guides/openclaw-pairing-explained close by. In practice, remote UI failures usually sit in the overlap between deployment shape, token persistence, and the pairing trust model.

0) The rule that prevents 80% of remote UI pain

Do not treat these as equivalent:

  • http://127.0.0.1:18789 on the gateway host
  • http://<LAN-IP>:18789 from another machine
  • https://<tailnet-name> via a tailnet
  • a reverse-proxied HTTPS origin

Pick one stable origin for daily use. Use SSH tunnel for first-time debugging.

This keeps the gateway bound to loopback (safe), but lets you access it remotely through an encrypted tunnel.

On your laptop (client machine):

ssh -L 18789:127.0.0.1:18789 <user>@<gateway-host>

Then open the dashboard locally through the tunnel:

openclaw dashboard

If you cannot run the CLI on the client machine, open:

http://127.0.0.1:18789/

and use the tokenized URL from the gateway host output of openclaw dashboard.

If this works but your LAN/reverse proxy path does not, you have proven the problem is access path, not “the UI is broken”.

2) Pattern B: Tailnet access (Tailscale-style) for daily use

If you want to reach the Control UI from your phone/laptop regularly, a tailnet is often the least fragile option.

Key rules:

  1. Prefer one stable hostname (not random IPs).
  2. Prefer HTTPS when you can (browser storage, origin rules, and token persistence behave better).
  3. Keep the gateway token reproducible (env var), and keep state persistent.

If you are moving from loopback to LAN/tailnet access, you will typically need:

{ gateway: { bind: "lan" } }

And you must keep auth on:

  • token or password auth is required when binding beyond loopback

Deep dive:

3) Pattern C: Reverse proxy (nginx/Caddy/Traefik) for daily use

Reverse proxy is fine, but it is the easiest way to create “worked yesterday, broke after update” incidents.

Two high-frequency footguns:

  1. The gateway starts speaking HTTPS (TLS auto-generate enabled), but your proxy still forwards plain HTTP.
  2. You unknowingly changed the origin (host/port/scheme), so the browser’s stored token/device identity no longer matches.

If your proxy suddenly returns 502 or weird protocol errors after an update:

4) Token + pairing: the shortest stable loop

When you access the UI remotely, always do these in order:

  1. On the gateway host, print the tokenized URL: 
    openclaw dashboard
  2. If the UI says pairing required (1008), approve the device:
  3. Stop mixing origins. If you alternate between raw IP, proxy URL, and tunnel URL, you will keep generating “new devices.”

If you want the full mental model (why this happens):

5) Verification (prove it’s stable)

You are done only if all of these are true:

  1. The Control UI loads without unauthorized loops.
  2. Refresh does not flip you back to device identity required / pairing.
  3. After openclaw gateway restart, you can still open the UI from the same origin without re-pairing.

If (3) fails, you are likely not persisting state in Docker/PaaS, or your token source is drifting:

Verification & references

  • Reviewed by:CoClaw Editorial Team
  • Last reviewed:March 14, 2026
  • Verified on: macOS · Linux · Windows (WSL2) · Docker · VPS · Self-hosted

References

  1. OpenClaw docs — Control UI auth and pairingOfficial docs
  2. OpenClaw docs — Deployment troubleshootingOfficial docs
  3. OpenClaw GitHub repositoryGitHub

Related Resources

OpenClaw Control UI Auth & Pairing: Fix 'unauthorized', 1008, and Remote Dashboard Access
Guide
A practical guide to Control UI failures: why 'unauthorized' happens, how tokenized dashboard links work, what 'disconnected (1008): pairing required' really means, and how to connect safely to a remote gateway.
OpenClaw Pairing Explained: The Trust Model Behind Control UI
Guide
Understand what Control UI pairing actually proves, why local and remote access behave differently, where users confuse pairing with auth, and how to troubleshoot trust failures without guessing.
OpenClaw Starter Config Presets: 3 Safe Baselines You Can Actually Run
Guide
Download a conservative openclaw.json preset for local, coding, or remote dashboard access. Start with a small blast radius, then verify with a minimal probe loop before you add channels, skills, or automation.
Control UI: disconnected (1008): pairing required
Fix
Fix Control UI disconnects caused by device pairing. Approve the browser/device once, then reconnect (common on remote hosts and Docker).
Control UI shows 'unauthorized' / keeps reconnecting
Fix
Fix OpenClaw dashboard/control UI auth errors (unauthorized, 1008, reconnect loop) by aligning gateway token/password and reachability.
Control UI: disconnected (1008): device identity required (HTTP / insecure context)
Fix
Fix Control UI failures caused by opening the dashboard over plain HTTP on a remote host. Use HTTPS (recommended) or local access; optionally allow insecure auth.

Need live assistance?

Ask in the community forum or Discord support channels.

Get Support