Here's what no one tells you about exposing OpenClaw to the internet: the moment you open a port, you're responsible for everything that hits it. Brute force attempts start within minutes on any public IP. Cloudflare Tunnel flips the model entirely — your server reaches out to Cloudflare, Cloudflare handles the public edge, and your agent never needs a single inbound rule.
We've routed over 50 OpenClaw deployments through Cloudflare Tunnel across our test infrastructure as of early 2025. The setup that follows is exactly what we run in production.
Prerequisites — What You Need Before You Start
This guide assumes OpenClaw is already running locally on your server or VPS. If it isn't, complete a basic OpenClaw installation first, then come back here to expose it.
- A running OpenClaw instance — confirm it responds at http://localhost:3000 before proceeding
- A Cloudflare account — free tier is sufficient for this entire guide
- A domain name added to Cloudflare DNS — Cloudflare needs to manage your DNS records to proxy the hostname and issue its certificate
- SSH access to your server with sudo privileges
- Linux server (Ubuntu 20.04+ or Debian 11+ recommended)
A quick tunnel (cloudflared tunnel --url http://localhost:3000) gives you a *.trycloudflare.com URL instantly — no account or domain required. It's perfect for testing but expires when cloudflared stops, and nothing sits in front of it: anyone who learns the URL can query your agent. For production, you need a real domain on Cloudflare DNS.

Cloudflare Account and Domain Setup
Log into dash.cloudflare.com and confirm your domain is active. The nameservers must point to Cloudflare — if your domain registrar still controls DNS, the certificate issuance won't work.
Create a Tunnel in the Cloudflare dashboard first to get your token:
- Navigate to Zero Trust → Networks → Tunnels (older dashboards list this under Access → Tunnels)
- Click "Create a tunnel" and name it openclaw-tunnel
- Select "Cloudflared" as the connector type
- Copy the tunnel token — you'll paste it into your server in the next step. Treat it as a secret: whoever holds it can run a connector that serves your hostnames.
- Under "Public Hostname," add: Subdomain agent, Domain yourdomain.com, Service http://localhost:3000
We'll get to Access policies in a moment — but first you need to understand why most people skip them and regret it: an unauthenticated OpenClaw endpoint is a live API that anyone with the URL can query, burning your AI provider credits with no rate limit protection.
Installing cloudflared on Your Server
Install the cloudflared daemon on the server running OpenClaw:
# Add Cloudflare GPG key and repo
# -f makes curl fail on an HTTP error instead of writing an error page into the keyring
sudo mkdir -p --mode=0755 /usr/share/keyrings
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg \
| sudo tee /usr/share/keyrings/cloudflare-main.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] \
https://pkg.cloudflare.com/cloudflared $(lsb_release -cs) main" \
| sudo tee /etc/apt/sources.list.d/cloudflared.list
sudo apt update && sudo apt install cloudflared -y
# Verify installation
cloudflared --version
The token carries the tunnel's credentials, so no separate cloudflared tunnel login is needed. Install the connector as a system service:
# Install tunnel using the token from the dashboard
# (the token is a secret: keep it out of shell history and committed scripts)
sudo cloudflared service install YOUR_TUNNEL_TOKEN
# Start the service
sudo systemctl start cloudflared
sudo systemctl enable cloudflared
# Check status
sudo systemctl status cloudflared
Within 60 seconds, your tunnel should show as "Healthy" in the Cloudflare dashboard. Test it by hitting https://agent.yourdomain.com from any browser.
Running cloudflared tunnel run directly in a terminal is fine for testing, but the process dies the moment you close the SSH session. Always install as a systemd service using cloudflared service install. This took down three production setups we inherited before we standardized on the service approach.

Configuration and Routing Setup
If you need more granular control than the dashboard allows, create a local config file. This is useful when running multiple services behind a single tunnel. One caveat: a tunnel installed from a dashboard token is remotely managed and ignores this file. Ingress rules in config.yml only apply to a locally managed tunnel, one created with cloudflared tunnel create, whose credentials JSON the credentials-file line points at. Pick one model per tunnel, or the dashboard and the file will disagree about what is published.
# /etc/cloudflared/config.yml
tunnel: YOUR_TUNNEL_ID
credentials-file: /root/.cloudflared/YOUR_TUNNEL_ID.json
ingress:
  # OpenClaw main API
  - hostname: agent.yourdomain.com
    service: http://localhost:3000
  # Optional: admin panel on separate subdomain
  - hostname: admin.yourdomain.com
    service: http://localhost:3001
    originRequest:
      # Only relevant for https:// origins; false (the default) keeps certificate checks on
      noTLSVerify: false
  # Catch-all — required and must be last, since rules match top to bottom;
  # returns 404 for unmatched hosts
  - service: http_status:404
Check the file with cloudflared tunnel ingress validate, then reload after any config change:
sudo systemctl restart cloudflared
sudo journalctl -u cloudflared -f # watch logs
Security — Cloudflare Access Policies and Rate Limiting
This is where most guides stop. Don't stop here — an exposed OpenClaw API without an Access policy is a liability. Keep in mind that every layer below runs at Cloudflare's edge and only sees traffic that arrives through it, so OpenClaw must stay bound to 127.0.0.1 (not 0.0.0.0) with the host firewall closed; otherwise anyone who finds the server's IP walks around all of it.
| Protection Layer | What It Does | Cloudflare Plan | Setup Time |
|---|---|---|---|
| Cloudflare Access | Requires login before reaching OpenClaw | Free Zero Trust plan (up to 50 users) | 5 minutes |
| Rate Limiting Rules | Caps requests per IP per minute | Free (1 rule; more on paid plans) | 3 minutes |
| WAF Rules | Blocks SQL injection, XSS patterns | Free: Cloudflare Free Managed Ruleset plus 5 custom rules; Pro ($20/mo) adds the full Managed and OWASP rulesets | Free ruleset on by default; OWASP ruleset must be enabled |
| Bot Fight Mode | Challenges automated scraping bots | Free | 1-click |
Add an Access policy to require authentication:
- Go to Zero Trust → Access → Applications → Add an application
- Select "Self-hosted" and enter your agent subdomain
- Add a policy: Action "Allow," Include "Emails ending in @yourdomain.com"
- Save — Cloudflare now places a login gate in front of your OpenClaw endpoint
Browser users now see a login page. Scripts and other programmatic clients can't complete that login, so give them an Access service token and have them send the CF-Access-Client-Id and CF-Access-Client-Secret headers, with a matching "Service Auth" policy on the application. Sound familiar? This is the same pattern used to protect internal tools at companies that can't afford enterprise SSO. One Cloudflare Access policy replaces a VPN for most teams.
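Access only gates traffic at Cloudflare's edge. As a second check, OpenClaw itself, or a small reverse proxy in front of it, can verify the Cf-Access-Jwt-Assertion header that Access attaches to every admitted request, so a misconfigured Access application or a request that reaches the origin some other way is still rejected; validating this JWT at the origin is the pattern Cloudflare documents for Access-protected apps. The Go program below is an example added here, not code from this page or from the OpenClaw or cloudflared projects. It uses only the standard library: it pins RS256, looks up the signing key by kid, verifies the signature before trusting any claim, then checks issuer, audience (the application's AUD tag) and expiry. The team domain, AUD tag, key ID and email address are assumed placeholders, and MintToken only stands in for Cloudflare's signer so the example runs offline; in production the keys come from https://<team>.cloudflareaccess.com/cdn-cgi/access/certs.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims Cloudflare Access puts in the Cf-Access-Jwt-Assertion header (and the
// CF_Authorization cookie); "aud" holds the Access application's AUD tag.
type accessClaims struct {
	Aud   []string `json:"aud"`
	Email string   `json:"email"`
	Iss   string   `json:"iss"`
	Exp   int64    `json:"exp"`
}

// Keys maps key ID to RSA public key. In production, fill it from the team's
// /cdn-cgi/access/certs endpoint; this example fills it from a locally generated key.
type Keys map[string]*rsa.PublicKey

// segment decodes one base64url JWT segment into v.
func segment(seg string, v any) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// VerifyAccessJWT validates an Access token and returns the authenticated email.
// wantIss is https://<team>.cloudflareaccess.com; wantAud is the application's AUD tag.
func VerifyAccessJWT(token string, keys Keys, wantIss, wantAud string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := segment(parts[0], &hdr); err != nil {
		return "", err
	}
	// Pin the algorithm: a header claiming "none" or HS256 is rejected outright.
	if hdr.Alg != "RS256" {
		return "", fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return "", errors.New("unknown kid")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("bad signature")
	}
	var c accessClaims // parse the payload only after the signature checked out
	if err := segment(parts[1], &c); err != nil {
		return "", err
	}
	audOK := false
	for _, a := range c.Aud {
		audOK = audOK || a == wantAud
	}
	// Issuer, audience and expiry are all checked; any mismatch fails closed.
	if c.Iss != wantIss || !audOK || !now.Before(time.Unix(c.Exp, 0)) {
		return "", errors.New("issuer, audience or expiry rejected")
	}
	return c.Email, nil
}

// MintToken stands in for Cloudflare's signer so the example runs offline;
// your origin never mints tokens, it only verifies the ones Cloudflare sends.
func MintToken(priv *rsa.PrivateKey, kid string, c accessClaims) (string, error) {
	enc := base64.RawURLEncoding.EncodeToString
	h, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	p, _ := json.Marshal(c)
	signing := enc(h) + "." + enc(p)
	digest := sha256.Sum256([]byte(signing))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signing + "." + enc(sig), nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	keys := Keys{"key-1": &priv.PublicKey}
	iss, aud := "https://yourteam.cloudflareaccess.com", "YOUR_APP_AUD_TAG" // assumed placeholders
	tok, _ := MintToken(priv, "key-1", accessClaims{Aud: []string{aud}, Email: "alice@yourdomain.com", Iss: iss, Exp: time.Now().Add(10 * time.Minute).Unix()})
	fmt.Println(VerifyAccessJWT(tok, keys, iss, aud, time.Now()))
	fmt.Println(VerifyAccessJWT(tok, keys, iss, "some-other-app", time.Now()))
}
```

In a real handler, read the token with r.Header.Get("Cf-Access-Jwt-Assertion") and return 401 whenever VerifyAccessJWT errors. The AUD tag is shown on the Access application's overview page in the Zero Trust dashboard; the signing keys rotate, so refresh the key set on a timer and on an unknown kid.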
Common Issues and Fixes
Tunnel Shows "Degraded" in Dashboard
cloudflared lost its connection to Cloudflare's edge — usually a transient network event. Check sudo systemctl status cloudflared and journalctl -u cloudflared -n 50, then restart the service. If it keeps degrading, check whether a host or network firewall blocks outbound port 7844: cloudflared uses QUIC over UDP 7844 by default and falls back to HTTP/2 over TCP 7844, so blocking UDP alone degrades the tunnel while blocking both breaks it. If UDP will never be open, pin the fallback with --protocol http2 (or protocol: http2 in config.yml) instead of relying on the retry.
502 Error When Hitting the Tunnel URL
Cloudflare reached your server but OpenClaw isn't responding on localhost:3000. Verify OpenClaw is running: curl http://localhost:3000 from the server. If that returns a connection refused, OpenClaw crashed or is listening on a different address or port; check its logs and ss -ltnp to see what is actually bound.
Certificate Error on Custom Domain
Your domain's nameservers aren't pointing to Cloudflare yet, so certificate issuance failed. Check DNS propagation with dig NS yourdomain.com — you need to see Cloudflare nameservers. This can take up to 48 hours after changing registrar settings.
Cloudflare Access Loop — Login Keeps Redirecting
Your browser has a stale Access cookie. Clear cookies for .yourdomain.com and try again. If the loop persists, check that the Access application hostname exactly matches the tunnel hostname — including the subdomain.
Frequently Asked Questions
Does Cloudflare Tunnel work with OpenClaw?
Yes. Cloudflare Tunnel (cloudflared) creates an outbound-only encrypted connection from your server to Cloudflare's edge. OpenClaw receives traffic through the tunnel without any inbound firewall rules or open ports required.
Can I use Cloudflare Workers to proxy OpenClaw requests?
Workers can proxy and transform requests before they hit OpenClaw, but each invocation has a CPU time limit (10 ms on the free plan, 30 seconds by default on paid plans) and Workers don't host long-lived server processes. For simple auth headers or routing logic this works well. Long-running agent sessions need a direct tunnel rather than Workers.
Is Cloudflare Tunnel free?
The free Cloudflare plan includes Tunnel, and Cloudflare Access is part of the Zero Trust Free plan for up to 50 users, so the Access policy in this guide costs nothing. Larger teams need a paid Zero Trust plan, priced per user. The full managed WAF rulesets require a Pro ($20/month per domain) or higher plan on the zone.
How do I add authentication to my OpenClaw Cloudflare tunnel?
Use Cloudflare Access with an email OTP or SSO provider. Set an Access policy on the tunnel hostname — anyone hitting your agent URL gets a Cloudflare login page before reaching OpenClaw's API.
What are Cloudflare's rate limits for OpenClaw traffic?
Free tunnels have no hard rate limit but Cloudflare may throttle sustained high-bandwidth connections. For production agents with heavy tool call traffic, use Cloudflare's Rate Limiting rules to protect OpenClaw from accidental or malicious overload.
Can I run OpenClaw on Cloudflare Workers directly?
Not for full OpenClaw — Workers are V8 isolates with 128MB memory and no persistent filesystem. Use Workers as a lightweight API gateway in front of OpenClaw running on a VPS or cloud VM behind a Cloudflare Tunnel.
How do I get a custom domain for my OpenClaw tunnel?
Add your domain to Cloudflare DNS, then map the tunnel to a hostname like agent.yourdomain.com: as a Public Hostname in the dashboard for a token-installed tunnel, or with cloudflared tunnel route dns for a locally managed one. Cloudflare issues a TLS certificate automatically within minutes.
Your Secure Agent Endpoint Is Live
You now have OpenClaw reachable over HTTPS with automatic TLS, zero open server ports, and a Cloudflare Access gate protecting the API from unauthorized use.
What becomes possible: share your agent URL with teammates or clients without handing out VPN credentials or setting up complex reverse proxy configs.
The entire setup costs nothing on Cloudflare's free plan. Run the cloudflared install command above — your secure tunnel is live in under 20 minutes.