Set Up Cloudflare Tunnel for OpenClaw

Expose your OpenClaw instance to the internet securely without opening any ports. Get automatic SSL, DDoS protection, and zero-trust access.

Why Cloudflare Tunnel?

🔒

No Open Ports

Your server has no public-facing ports. All connections are outbound through the tunnel.

🛡️

DDoS Protection

Cloudflare's edge network absorbs attacks before they reach your server.

🔐

Automatic SSL

Full SSL/TLS encryption with automatic certificate management.

🌐

Global Edge

Traffic routes through Cloudflare's 300+ data centers for low latency worldwide.

Prerequisites

  1. A domain name (you can buy one through Cloudflare or transfer an existing one)
  2. A free Cloudflare account
  3. OpenClaw running locally (Docker or direct installation)
  4. SSH access to your server (VPS, Mac, Linux, or Raspberry Pi)

Step 1: Install cloudflared

cloudflared is the tunnel client that runs on your server and connects to Cloudflare's network.

Ubuntu/Debian (including Raspberry Pi)

# Add Cloudflare's package signing key
sudo mkdir -p --mode=0755 /usr/share/keyrings
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null

# Add the repository
echo "deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflared.list

# Install cloudflared
sudo apt update && sudo apt install cloudflared

macOS

brew install cloudflared

CentOS/RHEL/Fedora

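# Install the RPM package directly (this does not add a repository)
sudo rpm -ivh https://pkg.cloudflare.com/cloudflared-latest-linux-x86_64.rpm

# Or with dnf (requires a configured repository that provides cloudflared)
sudo dnf install cloudflared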

Docker

docker pull cloudflare/cloudflared:latest

Step 2: Authenticate with Cloudflare

Run the login command to connect cloudflared to your Cloudflare account:

cloudflared tunnel login

This opens a browser window. Select the domain you want to use for the tunnel. A certificate file is saved to ~/.cloudflared/cert.pem.

Step 3: Create a Tunnel

cloudflared tunnel create openclaw

This creates a tunnel and outputs a Tunnel ID (a UUID). Save this - you'll need it for the configuration.

Note: A credentials file is created at ~/.cloudflared/<TUNNEL_ID>.json. Keep this safe - it authenticates your tunnel.

Step 4: Configure the Tunnel

Create a configuration file at ~/.cloudflared/config.yml:

tunnel: <YOUR_TUNNEL_ID>
credentials-file: /home/<username>/.cloudflared/<TUNNEL_ID>.json

ingress:
  # OpenClaw Web UI
  - hostname: openclaw.yourdomain.com
    service: http://localhost:3000

  # OpenClaw API (if separate)
  - hostname: api.openclaw.yourdomain.com
    service: http://localhost:8080

  # Catch-all (required)
  - service: http_status:404

Replace localhost:3000 with whatever port OpenClaw is running on.
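
A pre-flight check for the file above, as an added example that is not part of the original guide or of cloudflared: it confirms the last ingress rule is the catch-all, that no earlier rule lacks a hostname, and that plain-HTTP origins stay on loopback. The function name lint_ingress and the sample file are constructed for illustration, and the parser only understands the flat hostname/service layout shown in this step.

```shell
# Added example: offline lint for the ingress section of a cloudflared config.yml.
# Assumes the flat layout shown in Step 4 (hostname/service keys only).
lint_ingress() {
  awk '
    /^ingress:/          { in_ing = 1; next }
    in_ing && /^[^ #]/   { in_ing = 0 }          # next top-level key ends the section
    !in_ing              { next }
    /^[ ]*#/ || /^[ ]*$/ { next }                # skip comments and blank lines
    /^[ ]*-/             { n++; host[n] = ""; svc[n] = "" }   # "-" starts a rule
    {
      line = $0; sub(/^[ ]*-?[ ]*/, "", line)
      if (line ~ /^hostname:/) { sub(/^hostname:[ ]*/, "", line); host[n] = line }
      if (line ~ /^service:/)  { sub(/^service:[ ]*/, "", line);  svc[n] = line }
    }
    END {
      if (n == 0) { print "no ingress rules found"; exit 1 }
      bad = 0
      if (host[n] != "") { print "last rule is not a catch-all: " host[n]; bad = 1 }
      for (i = 1; i < n; i++)
        if (host[i] == "") { print "rule " i " matches everything; later rules are dead"; bad = 1 }
      for (i = 1; i <= n; i++) {
        o = svc[i]
        if (o !~ /^http:\/\//) continue          # only plain-HTTP origins are checked
        sub(/^http:\/\//, "", o); sub(/\/.*$/, "", o); sub(/:[0-9]+$/, "", o)
        if (o != "localhost" && o != "127.0.0.1" && o != "[::1]") {
          print "rule " i " sends cleartext HTTP off-host: " svc[i]; bad = 1
        }
      }
      exit bad
    }
  ' "$1"
}

# Constructed sample: the Step 4 layout with the catch-all rule left out.
sample=$(mktemp)
printf '%s\n' 'tunnel: <YOUR_TUNNEL_ID>' 'ingress:' \
  '  - hostname: openclaw.yourdomain.com' \
  '    service: http://localhost:3000' > "$sample"
lint_ingress "$sample" || echo "fix config.yml before starting the tunnel"
rm -f "$sample"
```

On a host where cloudflared is installed, cloudflared tunnel ingress validate checks the same file with the real parser.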

Step 5: Create DNS Route

Point your domain to the tunnel:

cloudflared tunnel route dns openclaw openclaw.yourdomain.com

This creates a CNAME record in Cloudflare DNS pointing to your tunnel.

Step 6: Run the Tunnel

Test Run (foreground)

cloudflared tunnel run openclaw

Install as Service (recommended)

# Install the service
sudo cloudflared service install

# Start the service
sudo systemctl start cloudflared

# Enable auto-start on boot
sudo systemctl enable cloudflared

# Check status
sudo systemctl status cloudflared

Docker Compose

version: '3.8'
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    restart: unless-stopped
    command: tunnel run
    environment:
      - TUNNEL_TOKEN=<your-tunnel-token>
    # Or mount credentials:
    # volumes:
    #   - ~/.cloudflared:/etc/cloudflared

Step 7: Verify

  1. Visit https://openclaw.yourdomain.com in your browser
  2. Check the Cloudflare dashboard under Zero Trust > Networks > Tunnels
  3. Verify SSL certificate shows as "Cloudflare" issued

Optional: Zero Trust Access Control

Add authentication to your tunnel using Cloudflare Access (free for up to 50 users):

  1. Go to Cloudflare Zero Trust Dashboard
  2. Navigate to Access > Applications
  3. Click "Add an application"
  4. Select "Self-hosted"
  5. Enter your tunnel hostname
  6. Configure authentication (email OTP, GitHub, Google, etc.)

This adds a login screen before anyone can access your OpenClaw instance, even if they know the URL.

Troubleshooting

Tunnel shows "Healthy" but site doesn't load

Check that OpenClaw is actually running on the configured port. Use curl localhost:3000 to verify.

"Bad gateway" or "502" errors

The tunnel is working but can't reach your local service. Check if OpenClaw is binding to 0.0.0.0 or 127.0.0.1.
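
One way to run the bind-address check described above on Linux, as an added example that is not part of the original guide: the function reads the output of ss -H -ltn and reports whether a port is bound to loopback, to every interface, or to one specific address. The name bind_scope and the sample lines are constructed for illustration.

```shell
# Added example: classify how a TCP port is bound, reading `ss -H -ltn` output on stdin.
# Prints loopback, wildcard, "interface <addr>", or closed (widest exposure wins).
bind_scope() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      p = $4; sub(/^.*:/, "", p)             # text after the last colon is the port
      if (p != port) next
      addr = substr($4, 1, length($4) - length(p) - 1)
      sub(/%.*$/, "", addr)                  # drop an interface suffix such as %lo
      if (addr ~ /^127\./ || addr == "[::1]")                       s = "loopback"
      else if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")  s = "wildcard"
      else                                                          s = "interface " addr
      r = (s == "wildcard") ? 3 : ((s == "loopback") ? 1 : 2)
      if (r > rank) { rank = r; best = s }
    }
    END { print (rank ? best : "closed") }
  '
}

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
sample='LISTEN 0 4096 127.0.0.1:3000 0.0.0.0:*
LISTEN 0 511   0.0.0.0:8080   0.0.0.0:*
LISTEN 0 128   [::]:22        [::]:*'

for port in 3000 8080; do
  printf '%s: %s\n' "$port" "$(printf '%s\n' "$sample" | bind_scope "$port")"
done
```

On a live host, run ss -H -ltn | bind_scope 3000. A loopback result is enough for a cloudflared process on the same host, while wildcard means the port is also reachable directly on every interface, outside the tunnel.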

"No ingress rules matched"

Your config.yml is missing the catch-all rule. Add - service: http_status:404 as the last ingress entry.

Tunnel keeps disconnecting

Check your server's outbound connectivity. Cloudflare Tunnel uses outbound connections only - no firewall ports need to be open. Run cloudflared tunnel info openclaw for diagnostics.

View Tunnel Logs

# If running as a service
sudo journalctl -u cloudflared -f

# If running in Docker
docker logs -f cloudflared

# If running in foreground
# Logs appear in terminal

Want us to handle all of this?

Our managed hosting includes Cloudflare Tunnel setup, configuration, and monitoring. Focus on using OpenClaw, not managing infrastructure.