openclaw-cloudflare-secure
Securely expose an OpenClaw Gateway WebUI on a VPS via Cloudflare Zero Trust Access + Cloudflare Tunnel (cloudflared), including DNS cutover for custom hostnames and optional cleanup of Tailscale Serve.
Why use this skill?
Use the openclaw-cloudflare-secure skill to easily expose your OpenClaw Gateway on a custom domain with Cloudflare Zero Trust protection and automated DNS management.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/jskoiz/openclaw-cloudflare-secure
What This Skill Does
The openclaw-cloudflare-secure skill provides an end-to-end automation pathway for exposing an OpenClaw Gateway WebUI running on a VPS to the public internet securely. Instead of relying on insecure direct port forwarding or less granular solutions like Tailscale Serve, this skill orchestrates Cloudflare Zero Trust Access and Cloudflare Tunnels (cloudflared). It allows you to wrap your local service at 127.0.0.1:18789 behind Cloudflare's global edge network. The skill handles the DNS lifecycle, including the removal of legacy records and the creation of proxied CNAMEs pointing to your unique Cloudflare tunnel, ensuring that your traffic is authenticated, encrypted, and protected by Access policies (such as email-based allowlists) before it ever hits your VPS.
Installation
To integrate this capability into your OpenClaw agent, execute the installation command: clawhub install openclaw/skills/skills/jskoiz/openclaw-cloudflare-secure. Once installed, ensure your VPS has the necessary environment variables set, specifically CLOUDFLARE_API_TOKEN with Zone:DNS:Edit and Zone:Zone:Read permissions. Follow the provided scripts in the repository: use install_cloudflared.sh to set up the binary and tunnel_service_install.sh to register it as a systemd service using the token generated in your Cloudflare Zero Trust dashboard. Finally, execute the DNS helper scripts to map your chosen subdomain to your tunnel endpoint.
Use Cases
Use this skill when you need to provide team members or external collaborators access to your OpenClaw WebUI without exposing the server's SSH port or the raw WebUI port. It is ideal for developers who require a temporary or permanent public-facing URL for demonstrations, remote testing, or production-grade access control for internal tools. It is also perfect for replacing temporary Tailscale Serve instances with a robust, policy-backed production configuration.
Example Prompts
- "OpenClaw, secure my WebUI on openclaw.example.com using my Cloudflare tunnel and update the DNS records."
- "Disable Tailscale Serve and move my OpenClaw gateway access to the new Cloudflare tunnel configuration."
- "Help me create a new DNS record for my OpenClaw instance on example.com and verify the tunnel is active."
Tips & Limitations
Always follow the principle of least privilege; create a scoped Cloudflare API token rather than using a Global Key. Ensure your Cloudflare Access policy includes a 'Block' rule for 'Everyone' to prevent unauthorized bypasses. This skill assumes you are comfortable using the Cloudflare Zero Trust dashboard for initial tunnel creation. If your local port is not 18789, remember to adjust your service configuration accordingly in the Cloudflare public hostname settings.
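The Access policy only protects traffic that arrives through the tunnel, so the gateway port must not also be listening on a public interface. The following is an added example, not one of the skill's own scripts: it audits `ss -ltnH` output for port 18789, and the function name and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the skill): confirm the gateway port is bound
# to loopback only, so it is reachable solely through cloudflared.
# Reads `ss -ltnH` output on stdin; column 4 is "LocalAddress:Port".
# Returns 0 = loopback only, 1 = listener on a non-loopback address,
#         2 = nothing is listening on the port.
check_loopback_only() {
    port="$1"
    awk -v port="$port" '
        {
            local_addr = $4
            n = split(local_addr, parts, ":")
            if (parts[n] != port) next            # other services
            found = 1
            # Address is everything before the final ":port".
            addr = substr(local_addr, 1, length(local_addr) - length(parts[n]) - 1)
            sub(/%.*$/, "", addr)                 # drop scope such as %lo
            if (addr ~ /^127\./ || addr == "[::1]" || addr == "[::ffff:127.0.0.1]") next
            exposed = 1                           # 0.0.0.0, [::], *, or a real IP
            print "EXPOSED " local_addr
        }
        END {
            if (!found) exit 2
            exit (exposed ? 1 : 0)
        }
    '
}

# Constructed sample `ss -ltnH` output (not captured from a real host).
SAMPLE_SAFE='LISTEN 0 511 127.0.0.1:18789 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_EXPOSED='LISTEN 0 511 0.0.0.0:18789 0.0.0.0:*
LISTEN 0 511 [::]:18789 [::]:*'

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_SAFE" | check_loopback_only 18789 \
    && echo "sample 1: loopback only"
printf '%s\n' "$SAMPLE_EXPOSED" | check_loopback_only 18789 \
    || echo "sample 2: gateway reachable without the tunnel"

# On the VPS itself: ss -ltnH | check_loopback_only 18789
```

A status of 1 means the WebUI can be reached directly by IP, bypassing Access; rebind the gateway to 127.0.0.1 or firewall the port before relying on the tunnel.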
Metadata
Paste this into your clawhub.json to enable this plugin.
{
  "plugins": {
    "official-jskoiz-openclaw-cloudflare-secure": {
      "enabled": true,
      "auto_update": true
    }
  }
}
Flags: network-access, file-write, file-read, external-api, code-execution