2026 OpenClaw × Tailscale tailnet: `gateway.bind`, ACLs, and private CLI/channel verification runbook

Five pitfalls that remain even though you stayed off the internet (tailnet ≠ automatic safety)

Leaving the WAN does not magically delete failure modes—you traded internet-side scanning for flattened intra-mesh lateral movement unless ACLs discipline every hop. When something misbehaves, capture both OpenClaw and Tailscale timelines with matching UTC stamps so auditors can correlate policy pushes with flaky WebSocket outages.

1. ACLs that read like permissive spreadsheets: wildcards (*:*) or sloppy tag unions let every node probe 18789; you relocated the attacker model, not removed it.
2. Bind mode drifting from assumptions: upstream gateways enumerate tailnet, loopback, LAN, etc. If operators mix undocumented toggles yet keep old GATEWAY_URL values, Tailscale reachability succeeds while handshake paths still chase stale IPs.
3. MagicDNS clashes with corp VPN Split DNS: simultaneous tunnels can answer the same symbolic name divergently, producing jittery timeouts disguised as model stalls.
4. MTU plus WebSockets: double encapsulation, DSR, or undersized WAN MTU manifests as intermittent TLS freezes—fight fragmentation before rewriting tokens.
5. Misconfigured subnet routers: advertising sweeping RFC1918 without exit-node choreography steers packets around the Gateway chokepoint you staged on paper.

Think of ACL hujson as the firewall that moved inward: disciplines from security hardening CVE response playbook still apply—they now govern tailnet principals instead of only iptables buckets.

Minimum topology sketch: Gateway anchor, operators, optional subnet router

Picture three roles: Gateway node (often a remote dedicated Mac), Operator laptop, and optional SR subnet router. After tailscale up on G, advertise TCP 18789 only toward allow-listed tags. On O, set OPENCLAW_GATEWAY_URL to the MagicDNS stable name or tailnet IPv4/v6 string—do not resurrect retired LAN URLs once you declared tailnet-only intent.

CI runners that must speak directly enroll under a distinct tag (tag:ci) and ACL allows only tag:ci → tag:gateway:18789 on TCP; avoid collapsing runners into permissive mega-groups.

Where remote infrastructure spans six selectable regions, zero-trust remote Mac checklist covers SSH and tunnel trade-offs—this adds the OpenClaw listener framing on top.

Six steps from tailscale up to meaningful first packet inside the mesh

1. Freeze identities: capture canonical hostnames/IP pairs from tailscale status; change tickets cite those strings, not folklore about “the Osaka box.”
2. Ship ACL deltas before rewriting OpenClaw: HuJSON must explicitly permit UDP 41641 for NAT traversal alongside required TCP—including 18789—and end with deterministic deny tails.
3. Clamp gateway.bind: in config (default ~/.openclaw/openclaw.json or mirrored container volume), set tailnet; cross-check gateway.mode versus current release docs. Post-change listener reachability is tailnet-prefixed only. Field hierarchy evolves—mirror release notes on upgrades.
4. Keep one token oracle: align OPENCLAW_GATEWAY_TOKEN with nested gateway.auth.token fingerprints; Compose pairing compares both columns.
5. Run OpenClaw self-checks: openclaw gateway status then openclaw doctor; when either fails, gather paired logs from mesh control plane and gateway host.
6. End-to-end smoke: from an operator shell, curl -v --max-time 5 https://… or the documented WebSocket probe, then a minimal assistant exchange to ensure context streaming works; post-install doctor triage orders remaining branches.

{
  "gateway": {
    "mode": "local",
    "bind": "tailnet",
    "port": 18789,
    "auth": {
      "mode": "token",
      "token": "${OPENCLAW_GATEWAY_TOKEN}"
    }
  }
}
// NOTE: Illustrative only—validate every field against your shipping schema; restart the gateway process or container after edits.

// ACL sketch: allow operators to reach the gateway control port only—rename tags to your org standard
{
  "groups": { "group:ops": ["[email protected]"] },
  "tagOwners": { "tag:gateway": ["autogroup:admin"], "tag:ops": ["autogroup:admin"] },
  "acls": [
    {
      "action": "accept",
      "src": ["tag:ops"],
      "dst": ["tag:gateway:18789"],
      "proto": "tcp"
    }
  ]
}

Three engineering facts for change reviews and audit binders

• Tailnet membership is not zero trust by default: a stolen device with valid identity plus slow revocation equals long-lived exposure.
• WebSockets punish MTU and middleboxes: when links “freeze” for seconds, combine large ICMP probes with tailscale ping before widening binds or reopening WAN.
• DNS races poison channels first: model endpoints or webhooks may fail resolution even while gateway healthy stays green—document MagicDNS split rules inside the change appendix.

Why parking Gateway on a laptop tailnet exit is rarely production-grade

Sleep, lid-close, patching, and flaky residential uplinks shred predictable 18789 SLA; co-mingling personal volumes with gateway journaling complicates forensic chain-of-custody. Dedicated Apple silicon remote Mini nodes—especially when inventory spans six selectable regions—become steady mesh anchors for automation that must stay awake through nights and weekends.

Teams may keep three modalities (public TLS, tunnel egress, tailnet-local) mapped to distinct environments, each with RACI. MACCOME pairs hardware posture with elastic rental cadence once budgets align—start from public Mac Mini rental pricing and the help center, then reconcile binding knobs with your smoke checklist.

When WAN exposure returns for a webhook-only slice, revisit the reverse-proxy TLS checklist and ensure tokens plus ACL evidence track both surfaces without configuration drift.

Closing: sketch data flow before merging JSON churn

If you cannot draw who may talk to TCP 18789 on a five-minute whiteboard, editing config files prematurely creates MagicDNS folklore for the next on-call. “Tailnet-only” should mean repeatable traceroute-class explanations, not marketing language.

Next hops: Compose pairing, TLS reverse proxy stack, Tunnel runbook, CVE hardening playbook, or elasticity decisions once SLAs hinge on anchored hardware.