OpenClaw Codex

Recipe

Cloudflare Tunnel for OpenClaw

Expose your OpenClaw gateway to the internet without opening firewall ports, configuring NAT, or managing TLS certificates. Cloudflare handles all of it — for free.

Why Tunnel?

  • No open inbound ports — your server initiates the outbound connection
  • Automatic TLS (HTTPS) on your custom domain
  • Cloudflare WAF and DDoS protection included
  • Works behind CGNAT, VPNs, and strict corporate firewalls
  • Free for personal and small-team use

Prerequisites

  • A domain on Cloudflare DNS (free account is fine)
  • OpenClaw running locally on port 18789
  • cloudflared CLI installed (see Step 1)

Step 1 — Install cloudflared

bash: Linux x86_64
# Download and install
curl -fsSL https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 \
  -o /usr/local/bin/cloudflared
chmod +x /usr/local/bin/cloudflared

# Verify
cloudflared --version

bash: Debian / Ubuntu (apt)
# Add Cloudflare's package signing key
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg \
  | tee /usr/share/keyrings/cloudflare-main.gpg > /dev/null
# Add the repository; signed-by makes apt verify packages against that key
echo "deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared any main" \
  | tee /etc/apt/sources.list.d/cloudflared.list
# Install
apt update && apt install cloudflared -y

Step 2 — Quick Test (no domain needed)

Before setting up a named tunnel, verify the connection with a temporary URL:

bash
cloudflared tunnel --url http://127.0.0.1:18789 --no-autoupdate
# Output: Your quick Tunnel has been created! Visit it at:
# https://random-words-here.trycloudflare.com

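Use this temporary URL to test webhook integrations (Feishu, WeCom, DingTalk) before committing to a permanent setup. The URL is publicly reachable for as long as the command runs, so stop it with Ctrl+C when the test is done.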

Step 3 — Create a Named Tunnel (Permanent)

bash
# Log in (opens browser for Cloudflare auth)
cloudflared tunnel login

# Create a named tunnel
cloudflared tunnel create openclaw-gateway
# Outputs: Tunnel ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

# Create config file (paths assume you are running as root; replace the x's with your Tunnel ID)
mkdir -p ~/.cloudflared
cat > ~/.cloudflared/config.yml << 'EOF'
tunnel: openclaw-gateway
credentials-file: /root/.cloudflared/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.json

ingress:
  - hostname: gateway.your-domain.com
    service: http://127.0.0.1:18789
  - service: http_status:404
EOF

Step 4 — Route DNS

bash
# Create CNAME record pointing to your tunnel
cloudflared tunnel route dns openclaw-gateway gateway.your-domain.com

# Test the tunnel (foreground — Ctrl+C to stop)
cloudflared tunnel run openclaw-gateway

# Verify it's accessible
curl https://gateway.your-domain.com/status

Step 5 — Run as systemd Service

bash
# Install as system service
cloudflared service install

# Enable and start
systemctl enable cloudflared
systemctl start cloudflared

# Check status
systemctl status cloudflared
journalctl -u cloudflared -f --no-pager -n 30

Step 6 — Multiple Services on One Tunnel

You can expose multiple local services through a single tunnel using hostname routing:

yaml: ~/.cloudflared/config.yml
tunnel: openclaw-gateway
credentials-file: /root/.cloudflared/YOUR-TUNNEL-ID.json

ingress:
  # OpenClaw gateway
  - hostname: gateway.your-domain.com
    service: http://127.0.0.1:18789

  # OpenClaw Codex site (if self-hosted)
  - hostname: codex.your-domain.com
    service: http://127.0.0.1:8443

  # Catch-all
  - service: http_status:404

Troubleshooting

Problem                      Fix
ERR_TOO_MANY_REDIRECTS       Set SSL mode to "Full" in Cloudflare dashboard → SSL/TLS
Tunnel offline after reboot  Run systemctl enable cloudflared
WebSocket drops after 100s   Enable "WebSockets" in Cloudflare dashboard → Network
High latency                 Check Cloudflare datacenter routing; consider a VPS in a closer region
