Remote Access: Tailscale Tunnel-only Workflow

This page documents the only supported remote-access model.

Policy

Host machine keeps ClawControl bound to loopback (127.0.0.1:3000).
Remote machine accesses host via SSH local forwarding over tailnet.
tailscale serve is not allowed for ClawControl.

Host Steps

Start ClawControl normally.
Verify loopback listener.

lsof -nP -iTCP:3000 -sTCP:LISTEN

Remote Steps

ssh -L 3000:127.0.0.1:3000 <user>@<host-tailnet-name>

Then open http://127.0.0.1:3000 on the remote machine.

Not Allowed (repeated for operator safety)

tailscale serve
non-loopback bind
reverse proxy/public tunnel exposure

Last updated

2026-02-09

Settings + Remote Access Mode
Security: Local-only Enforcement
Security: Forbidden Exposure Paths

Forbidden exposure paths Persistence and migrations

⌘I

Home

Product

Quickstart

Features

Integration

Security & Networking

Remote Access

Data

API Reference

Operations

Deployment

Developers

Tailscale ssh tunnel only

Remote Access: Tailscale Tunnel-only Workflow

Policy

Host Steps

Remote Steps

Not Allowed (repeated for operator safety)

Last updated

Home

Product

Quickstart

Features

Integration

Security & Networking

Remote Access

Data

API Reference

Operations

Deployment

Developers

​Remote Access: Tailscale Tunnel-only Workflow

​Policy

​Host Steps

​Remote Steps

​Not Allowed (repeated for operator safety)

​Last updated

​Related pages

Remote Access: Tailscale Tunnel-only Workflow

Policy

Host Steps

Remote Steps

Not Allowed (repeated for operator safety)

Last updated

Related pages